Forensics with SIFT-Workstation: How to mount and build a super timeline

Sunday, August 4, 2013

The SIFT Workstation is, at its core, an Ubuntu Linux distribution with pre-compiled forensic tools. Although SANS does not release new versions of the operating system frequently, it is still an attractive option (especially for beginners) because of its ease of use (i.e. not having to worry about installing any software). However, it is recommended to obtain a Linux distribution of one's choosing (I prefer Ubuntu) and install/compile the tools oneself. That way one can keep the tools up to date and not have to worry about incompatibilities or errors caused by dependency issues. Note: If you decide to go the second route, I recommend using log2timeline-SIFT over the regular log2timeline, as it saves a lot of time.

This post is meant as a quick reference on how to mount an image and build a super timeline using the SIFT Workstation. There are many great tutorials posted by SANS on their forensics blog; be sure to check those out too.

Mounting an Image

Mounting an image allows forensicators to browse the files within it. The mount command is available by default on most, if not all, Linux distributions and even on Apple operating systems. The following commands mount the image read-only under /mnt/windows_mount.

Mounting a physical disk image

Use mmls on the disk image to determine the byte offset of the partition you wish to mount. In most NTFS cases this will be 32256.

Mounting a logical partition image

No offsets need to be calculated since this is a logical image.
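The two mount cases above, worked through as an added example (not code from the original post): the offset for a physical disk image is derived from the mmls partition table (start sector multiplied by the sector size, which for the usual sector-63 NTFS layout gives the 32256 mentioned above), while a logical partition image gets no offset= option. The mmls output is constructed sample data; the example assumes 512-byte sectors, the ntfs-3g driver (show_sys_files and streams_interface=windows are its options) and the /mnt/windows_mount mount point used in the post. The mount lines are only printed here, since the real command needs root and an image.

```shell
#!/bin/sh
# Added example, not code from the original post: derive the byte offset that
# mount needs from an mmls partition table and assemble the read-only mount line.
# Assumes 512-byte sectors (mmls states the unit in its header), the ntfs-3g
# driver (show_sys_files and streams_interface are its options) and the
# /mnt/windows_mount mount point used in the post.

# Constructed mmls output for a disk image with one NTFS partition starting at
# sector 63 (the common layout behind the 32256 offset).
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000062   0000000063   Unallocated
002:  000:000   0000000063   0000204799   0000204737   NTFS (0x07)'

# partition_offset <mmls output> <description pattern>
# Prints the byte offset (start sector * sector size) of the first partition
# whose description matches the pattern, e.g. NTFS.
partition_offset() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        /^Units are in/ { split($4, u, "-"); secsize = u[1] }
        $1 ~ /^[0-9]+:$/ && $0 ~ pat { printf "%d\n", $3 * secsize; exit }
    '
}

# mount_command <image> [byte offset]
# Builds the read-only loop mount; an empty or zero offset means a logical
# partition image, which needs no offset= option.
mount_command() {
    opts="ro,loop,show_sys_files,streams_interface=windows"
    if [ -n "$2" ] && [ "$2" -ne 0 ]; then
        opts="$opts,offset=$2"
    fi
    printf 'mount -o %s %s /mnt/windows_mount\n' "$opts" "$1"
}

# Physical disk image: the offset comes from mmls.
off=$(partition_offset "$SAMPLE_MMLS" NTFS)
echo "NTFS partition byte offset: $off"
mount_command /cases/disk.dd "$off"

# Logical partition image: no offset required.
mount_command /cases/partition.dd
```

Always check the "Units are in" header rather than assuming 512-byte sectors; images of 4K-sector disks report a different unit, and an offset computed with the wrong sector size mounts garbage.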

Building the Super Timeline

A super timeline combines the access, creation and modification times from the registry, the event logs and the file system. SIFT has made it easier for forensicators to create one by wrapping the log2timeline command in the log2timeline-SIFT script.

You do not need to mount a physical disk image before building a super timeline, as log2timeline-SIFT will mount it for you (if it is not already mounted). Note: A logical partition image must be mounted first before using this command.

This will create a text file under the /cases/timeline-output-folder directory. The next step is to use l2t_process to build a CSV file, which lets one easily sort and traverse the entries.

Forensicators can also limit the entries by a date range as shown in the following example:
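To show what the CSV step and the date-range narrowing above actually do to the data, here is an added example (not code from the original post and not l2t_process itself): it takes log2timeline CSV rows in the standard l2t layout (date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra with MM/DD/YYYY dates), keeps only the rows inside an inclusive start..end date range, and sorts them chronologically. The rows are constructed sample entries, and the hypothetical filter_range function is this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: filter a log2timeline CSV to a
# date range and sort it chronologically, the narrowing the post describes.
# Assumes the standard l2t CSV header and MM/DD/YYYY dates; the rows are
# constructed sample data.

SAMPLE_CSV='date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
08/05/2013,10:15:02,UTC,MACB,FILE,NTFS $MFT,Created,-,HOST,C:/Windows/System32/cmd.exe,cmd.exe,2,/mnt/windows_mount/Windows/System32/cmd.exe,1234,-,mft,-
07/30/2013,08:00:00,UTC,.A..,REG,NTUSER key,Last Written,user1,HOST,HKCU/Software/Microsoft/Windows/CurrentVersion/Run,Run key,2,/mnt/windows_mount/Users/user1/NTUSER.DAT,5678,-,winreg,-
08/04/2013,23:59:59,UTC,...B,EVT,Security log,Event 4624,-,HOST,Logon,Logon event,2,/mnt/windows_mount/Windows/System32/winevt/Logs/Security.evtx,9012,-,evtx,-
08/04/2013,09:30:00,UTC,M...,FILE,NTFS $MFT,Modified,-,HOST,C:/Users/user1/Desktop/notes.txt,notes.txt,2,/mnt/windows_mount/Users/user1/Desktop/notes.txt,3456,-,mft,-
09/01/2013,12:00:00,UTC,MACB,FILE,NTFS $MFT,Created,-,HOST,C:/Temp/late.dat,late.dat,2,/mnt/windows_mount/Temp/late.dat,7890,-,mft,-'

# filter_range <csv text> <start MM-DD-YYYY> <end MM-DD-YYYY>
# Prints the header, then every row whose date lies in [start, end] (both days
# inclusive), ordered by date and time.
filter_range() {
    printf '%s\n' "$1" | head -n 1
    printf '%s\n' "$1" | awk -F, -v start="$2" -v end="$3" '
        # key() turns 08/04/2013 or 08-04-2013 into the sortable string 20130804
        function key(mdy,   p) { split(mdy, p, "[/-]"); return p[3] p[1] p[2] }
        NR > 1 && key($1) >= key(start) && key($1) <= key(end) {
            # prefix a sortable timestamp, sort on it, then strip it again
            print key($1) " " $2 "|" $0
        }' | LC_ALL=C sort | cut -d "|" -f 2-
}

# Rows from 1 to 5 August 2013 only; the July and September entries drop out.
filter_range "$SAMPLE_CSV" 08-01-2013 08-05-2013
```

The end date is inclusive, so an event at 23:59:59 on the last day of the range is kept; when narrowing a timeline around a known event, choose the range generously and trim afterwards, since a boundary set too tight hides the activity right before or after the event of interest.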

That's it! Happy Investigating!
