
Transcription
FORENSIC INSIGHT SEMINAR
SuperTimeline with Splunk
dorumugs, http://malware.co.kr
"And yet it does move"

Overview
1. SIFT (SANS Investigative Forensic Toolkit)
2. Install Splunk
3. Create Timeline
4. Splunk SuperTimeline
forensicinsight.org
Page 2 / 40

SIFT (SANS Investigative Forensic Toolkit)
- SIFT?
- SIFT Download
- SIFT Information

SIFT (SANS Investigative Forensic Toolkit) - SIFT?
SIFT is a toolkit for forensic investigators. It bundles many forensic tools such as dd, The Sleuth Kit, Autopsy and so on. SANS provides this OS for free.

SIFT (SANS Investigative Forensic Toolkit) - SIFT Download
URL : oads#over
You can download a couple of SIFT versions:
  VMware : wnload-sift-kit/2.1
  ISO    : wnload-sift-kit/2.1/iso
Passwords
  SIFT default password : sansforensics / forensics
  PTK default password  : admin / forensics

SIFT (SANS Investigative Forensic Toolkit) - SIFT Information
SIFT Layout
  /forensics      Location of the files used for the Autopsy toolset.
  /usr/local/src  Source files for Autopsy, The Sleuth Kit, and other tools.
  /usr/local/bin  Location of the forensic pre-compiled binaries.
  /cases          Location of the images that were seized from your compromised system.
  /mnt            Location of the mount points for the file system images.

SIFT (SANS Investigative Forensic Toolkit) - SIFT Information
File system support
  Windows (MSDOS, FAT, VFAT, NTFS)
  Mac (HFS)
  Solaris (UFS)
  Linux (EXT2/3)
Evidence image support
  Expert Witness (E01)
  RAW (dd)
  Advanced Forensic Format (AFF)

SIFT (SANS Investigative Forensic Toolkit) - SIFT Information
Software includes:
  The Sleuth Kit (file system analysis tools)
  Rifiuti (Recycle Bin examination)
  log2timeline (timeline generation tool)
  Volatility Framework (memory analysis)
  ssdeep & md5deep (hashing tools)
  DFLabs PTK (GUI front-end for Sleuthkit)
  Foremost/Scalpel (file carving)
  Autopsy (GUI front-end for Sleuthkit)
  Wireshark (network forensics)
  PyFLAG (GUI log/disk examination)
  Vinetto (thumbs.db examination)
  Pasco (IE web history examination)
  100s more tools - see the detailed tool listing

SIFT (SANS Investigative Forensic Toolkit) - SIFT Information
New in SIFT 2.13
  iPhone, Blackberry, and Android forensic capabilities
  Registry Viewer (YARU)
  Compatibility with F-Response Tactical, Standard, and Enterprise
  PTK 2.0 (special release - not available for download)
  Automated timeline generation via log2timeline
  Many Firefox investigative plugins
  Windows Journal Parser and Shellbags Parser (jp and sbag)
  Many Windows analysis utilities (prefetch, usbstor, event log, and more)
  Complete overhaul of RegRipper plugins (added over 80 additional plugins)

SIFT (SANS Investigative Forensic Toolkit) - SIFT Information
SIFT shared folder : \\SIFTWORKSTATION

Install Splunk
- Splunk?
- Splunk Download
- Splunk Information

Install Splunk - Splunk?
  Indexes any data from any source
  Forwards data from remote systems
  Correlates complex events
  Engineered for big

Install Splunk - Splunk Download
URL : http://www.splunk.com/download?r header

Install Splunk - Splunk Download
First login : admin / changeme

Install Splunk - Splunk Information
Free license limits
  Use Enterprise features for 60 days.
  Index up to 500 megabytes of data per day.
  You can index more than 500 megabytes of data for 6 days.
  http://www.splunk.com/product
What's new in Splunk 4.3
  Mobile : a new non-Flash UI delivers the power of Splunk anywhere.
  Dashboard : dashboards that business users can define and edit on the fly.
  More concurrent users and faster search.
  Complex security policies.

Create SuperTimeline

Create Timeline - SuperTimeline?
Timeline (Wikipedia): a timeline is a way of displaying a list of events in chronological order, sometimes described as a project artifact. It is typically a graphic design showing a long bar labeled with dates alongside itself and (usually) events labeled on points where they would have happened.

Create Timeline - Sleuthkit
URL : http://www.sleuthkit.org/sleuthkit/download.php
Timeline
  Command : fls -r -m mountpoint image/device > bodyfile
  Command : mactime [options] -b bodyfile date-range -z timezone   (timezone is a tz database name, e.g. Asia/Seoul)

Create Timeline - Log2timeline
URL : http://log2timeline.net/#download
Timeline (the timezone must be the tz database name Asia/Seoul; Seoul/Asia is not a valid zone)
  Find partition starting sector »
    mmls image.dd
  Extract MFT (-o 63 is the partition start sector reported by mmls; inode 0 is $MFT) »
    icat -i raw -f ntfs -o 63 image.dd 0 image.mft
  Convert MFT to CSV »
    log2timeline -f mft -z Asia/Seoul -m c: image.mft -w timeline.csv
  Mount image for processing (offset=32256 is 63 sectors x 512 bytes) »
    mount -o ro,noexec,show_sys_files,loop,offset=32256 image.dd /mnt/windows_mount
  Create comprehensive timeline »
    log2timeline -p -r -f winxp -z Asia/Seoul /mnt/windows_mount -w timeline.csv
  Filter by keyword list and date range »
    l2t_process -b timeline.csv -k keywords.txt MM-DD-YYYY..MM-DD-YYYY

Create Timeline - SuperTimeline (SIFT)
A script that wraps log2timeline
URL : oads
Timeline
  Create comprehensive timeline for a disk »
    log2timeline-sift -z Asia/Seoul -i disk.dd
  Create comprehensive timeline for a partition »
    log2timeline-sift -z Asia/Seoul -p 0 -i partition.dd
  Create a whitelist (one known-noise pattern per line) »
    kedit whitelist.txt
      Content.IE5
      Temporary\ Internet\ Files
  Filter with the whitelist and date range (output redirected to a new file so the source timeline is not overwritten) »
    l2t_process -b timeline.csv -w whitelist.txt MM-DD-YYYY..MM-DD-YYYY > timeline_filtered.csv

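The filtering step that l2t_process performs in the commands above (date range, whitelist of known noise, keyword list), as an added Python example that is not the seminar's own code: it runs over a constructed three-row timeline in log2timeline's CSV layout (columns as on the Splunk Queries slide) and a constructed whitelist.txt; the function names and the unescaping of "\ " in the whitelist are this example's own assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed three-row timeline in log2timeline's CSV layout (not real case data);
# the columns follow the fields listed on the Splunk Queries slide.
SAMPLE_CSV = """date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
02/21/2003,04:42:22,Asia/Seoul,M..B,FILE,NTFS MFT,SI [M..B] time,-,-,[M..B] C:/WINDOWS/system32/msvcr71.dll,C:/WINDOWS/system32/msvcr71.dll,2,C:/WINDOWS/system32/msvcr71.dll,10740,-,Log2t::input::mft,-
11/14/2011,09:15:03,Asia/Seoul,.A..,WEBHIST,IE History,URL visited,administrator,-,visited http://example.invalid/login,visited http://example.invalid/login,2,C:/Documents and Settings/administrator/Local Settings/Temporary Internet Files/Content.IE5/index.dat,0,-,Log2t::input::iehistory,-
11/14/2011,09:16:40,Asia/Seoul,...B,FILE,NTFS MFT,SI [...B] time,-,-,[...B] C:/WINDOWS/system32/evil.exe,C:/WINDOWS/system32/evil.exe,2,C:/WINDOWS/system32/evil.exe,20112,-,Log2t::input::mft,-
"""

# Constructed whitelist.txt in the form shown on the slide (shell-style "\ " escapes).
SAMPLE_WHITELIST = "Content.IE5\nTemporary\\ Internet\\ Files\n"


def parse_pattern_file(text):
    """One pattern per line; blank lines and '#' comments are skipped and
    'Temporary\\ Internet\\ Files' is unescaped to 'Temporary Internet Files'
    (this example's convention, assumed for the slide's whitelist format)."""
    return [ln.strip().replace("\\ ", " ") for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def filter_timeline(csv_text, start, end, whitelist=(), keywords=()):
    """Keep rows dated within start..end (MM-DD-YYYY, as l2t_process takes its
    range), drop any row containing a whitelist pattern (known noise) and, if
    keywords are given, keep only rows containing at least one keyword.
    Matching is case-insensitive over the whole CSV row."""
    lo = datetime.strptime(start, "%m-%d-%Y")
    hi = datetime.strptime(end, "%m-%d-%Y")
    kept = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.strptime(row["date"], "%m/%d/%Y")
        if not lo <= when <= hi:
            continue
        line = ",".join(row.values()).lower()
        if any(w.lower() in line for w in whitelist):
            continue  # known-noise entry, e.g. browser cache under Content.IE5
        if keywords and not any(k.lower() in line for k in keywords):
            continue
        kept.append(row)
    return kept


if __name__ == "__main__":
    noise = parse_pattern_file(SAMPLE_WHITELIST)
    for r in filter_timeline(SAMPLE_CSV, "11-01-2011", "11-30-2011", whitelist=noise):
        print(r["date"], r["time"], r["MACB"], r["filename"])
```

With the November 2011 range and the whitelist applied, only the evil.exe creation entry survives; the index.dat visit is dropped because its path contains Content.IE5.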
Create Timeline - SuperTimeline (SIFT)

Create Timeline - SuperTimeline (SIFT) - Template
Link     : template-for-log2timeline-output-files
Download : forensics/files/2012/01/TIMELINE COLOR TEMPLATE.zip

Create Timeline - SuperTimeline (SIFT) - Template
The way to import a timeline into the template
 1) Download it - open Timeline Color Template
 2) Switch to the Color Timeline worksheet/tab
 3) Click on cell A-1
 4) Select the 'DATA' ribbon
 5) Import Data "FROM TEXT"
 6) Select the log2timeline.csv file
 7) The TEXT IMPORT WIZARD will start
 8) Step 1 - Select Delimited - Select NEXT
 9) Step 2 - Unselect Tab under Delimiters - Select Comma under Delimiters - Select NEXT
10) Step 3 - Select Finish
11) Where do you want to put the data? Simply select OK.
12) Once imported: View - Freeze Panes - Freeze Top Row
13) Optional: hide the columns Timezone, User, Host, Short or Desc (keep one of these), Version
14) Select the HOME ribbon
15) Select all cells (CTRL-A)
16) In the Home ribbon - Sort and Filter - Filter

Create Timeline - SuperTimeline (SIFT) - Template

Splunk SuperTimeline
- Splunk Configuration
- Splunk SuperTimeline
- Splunk Queries

Splunk SuperTimeline - Splunk Configuration
Configuration files
  props.conf      URL : https://files.me.com/nick.klein/844rxi
  transforms.conf URL : https://files.me.com/nick.klein/46lcln
Copy them to
  C:\Program Files\Splunk\etc\system\local\props.conf
  C:\Program Files\Splunk\etc\system\local\transforms.conf
Restart Splunk after copying the files above.

Splunk SuperTimeline - Data Import

Splunk SuperTimeline - Splunk Queries
Columns of one indexed timeline record
  date       - 02/21/2003
  time       - 4:42:22
  timezone   - Asia/Seoul
  MACB       - M.B
  source     - FILE
  sourcetype - NTFS MFT
  type       - SI [M.B] time
  user       - -
  host       - -
  short      - [M.B]
  desc       - C:/WINDOWS/system32/msvcr71.dll
  version    - 2
  filename   - C:/WINDOWS/system32/msvcr71.dll
  inode      - 10740
  notes      - {SUSP ENTRY - second prec. SI
  format     - Log2t::input::mft
  extra      - -

Splunk SuperTimeline - Splunk Queries
Search 2011 records
  index="case_test" date_year=2011
Search records from November 2011
  index="case_test" date_year=2011 date_month=november
Search birth (B) times and sort by filename ascending
  index="case_test" MACB="*B" | sort filename
Search birth (B) times and sort by filename descending
  index="case_test" MACB="*B" | sort filename desc
Search NTUSER.dat's record start time
  index="case_test" type="time of launch" | sort filename

Splunk SuperTimeline - Splunk Queries
Search PDF files and sort by date descending
  index="case_test" filename="*.pdf*" | sort date_year, date_month, time desc
Search administrator or user with a .dat extension and sort by date descending
  index="case_test" (user="administrator" OR user="user") filename="*.dat" | sort date_year, date_month, time desc
Search visited URLs and sort by date descending
  index="case_test" short="visited*" | sort date_year, date_month, time desc
Search all files on the C drive and sort by date descending
  index="case_test" filename="*c:\*" | sort date_year, date_month, time desc
Note that date_month holds the month name, so these sorts order months alphabetically rather than chronologically; sorting on _time (once props.conf has parsed the date and time fields) gives a true chronological order.

Splunk SuperTimeline - Splunk Example
  index="case_test" | regex filename="(?i)\.exe" | fields date,time,short | search date="*" time="*" short="*" | sort date_year, date_month, date_mday, time desc
(?i) makes the regex case-insensitive. / search date="*" time="*" short="*" is used to highlight those fields in the results.

Splunk SuperTimeline - Splunk Queries
Advantages
  Investigators can search all the data faster.
  Investigators can use Splunk for free, although it is limited to 500 megabytes per day; Splunk allows exceeding 500 megabytes for 6 days.
Disadvantages
  Splunk is very expensive for paying users.
  Investigators can only search 10 records at the same time.

Q&A