File Activity Time Line Creation
The @stake Sleuth Kit (TASK)
Creating a time line of file activity will give an investigator clues
regarding where to probe further. This document will describe how to
generate one using TASK.
BACKGROUND
=============================================================================
Many files and directories have times associated with them. The quantity
and description of which depend on the file system type. FFS file
systems have a Modified, Accessed, and Changed time associated with them.
EXT2FS file systems have a Modified, Accessed, Changed, and Deleted time.
FAT stores the Written, Accessed, and Created time, although by spec
the Created and Access times are optional and the Access time is only
accurate to the day.
CREATION
=============================================================================
The creation of a file activity time line in TASK has three phases.
- Gather file data. Using the 'fls' tool, the data associated with allocated
and some unallocated files can be gathered. To do this requires the '-m'
argument with the '-r' flag to gather all files. This needs to be done for
each partition image.
# fls -f openbsd -m / -r images/root.dd > data/body
# fls -f openbsd -m /var/ -r images/var.dd >> data/body
# fls -f openbsd -m /usr/ -r images/usr.dd >> data/body
NOTE: Some systems delete the link between deleted file names and meta
data, such as Solaris, so only information about allocated files will
be useful.
NOTE: This replaces the actions of 'grave-robber -m' in TCT. The
'mac-robber' tool (on the @stake web site) can also be used to gather
allocated file data on a mounted file system. 'mac-robber' is useful
for file systems where tools do not exist (such as AIX jfs).
- Gather unallocated meta data. Using the 'ils' tool, the data associated
with unallocated meta data can be gathered. When files are deleted,
the times associated with the file are updated. Although many times
we may not be able to link the original name to the meta data, it will
still give some clue with respect to when activity occurred.
This uses the '-m' flag of 'ils'. This is a new feature of TASK and
replaces the ils2mac script that was required with TCT.
# ils -f openbsd -m images/root.dd >> data/body
# ils -f openbsd -m images/var.dd >> data/body
# ils -f openbsd -m images/usr.dd >> data/body
NOTE: Because of the way that FAT stores time, the timezone is needed while
executing 'ils'. If you will be giving 'mactime' a timezone to use then
set the TZ environment variable before running 'ils'. For example:
# export TZ=GMT
- Format the data nicely. The 'body' file now needs to be run through the
'mactime' program to sort it and make it organized.
# mactime -b data/body 3/01/2002 > tl.03.01.2002
The above command generates a time line of file activity from the
previously created data/body file for all activity starting on March
If the /etc/passwd or /etc/group files are known, they can be specified
using the '-p' and '-g' flags. Otherwise the numerical values will be
displayed. The '-z' flag can be used to specify the time zone.
# mactime -b data/body -p data/passwd -g data/group 3/01/2002
> tl.03.01.2002
The output format has changed slightly since the 'mactime' in TCT. The
inode value is now displayed in a separate column. Previously it was
not displayed.
Some example outputs of mactime are now given. The next two entries are
for a deleted socket in an EXT2FS image. The first is the 'fls' entry
and the second is the corresponding entry from 'ils'. While it may
seem redundant to show both, many times 'fls' will not show the deleted
file name because the entry has been reallocated. Therefore, just the
'ils' dead entry will appear and the investigator will not know the
original path location.
Aug 23 2001 16:56:12 0 ..c s/srwxrwxr-x 500 500 127 /tmp/socket1 (deleted)
0 ..c srwxrwxr-x 500 500 127 <linux.dd-dead-127>
The first 0 is the file size. The "..c" string means that this entry
is for the "Change" value. The dots are replaced with 'm' or 'a'
for other entry types (deleted entries are not created for EXT2FS).
The next string is the file system mode. The entries from 'fls' will
have the directory entry type first, followed by a slash and the mode
from the inode entry. 'ils' entries will only have the inode mode.
The next two are the UID and GID (or names if the group and passwd file
are specified), followed by the inode. The final entry is the file name
(or <IMG-dead-#> for unallocated inodes).
The next two are for file that is deleted, but the inode that the
directory entry points to is deleted. This can be see because there
are both entries for the deleted file (tmp/file1) and the allocated file
(desktop), which have the same inode (34689). It can also be seen because
the deleted entry has different values for the file type (l and -).
Aug 23 2001 16:56:12 11 .a. l/-rw-r--r-- 0 0 34689 /tmp/file1 (deleted-realloc)
11 .a. -/-rw-r--r-- 0 0 34689 /etc/sysconfig/desktop
TIME SKEW
=============================================================================
New to the 1.51 version of TASK, the time skew of the system can be
taken info consideration. Using the '-s' argument to 'fls' and 'ils',
the intermediate body file can have the adjusted times so that the system
is consistent with other servers.
The argument reflects the skew in seconds. If the original system
was 100 seconds slower than NTP or some other 'main' server, then the
argument would be '-s -100'. If it were 145 seconds fast, then it would
be '-s 145'.
AUTOPSY
=============================================================================
The Autopsy Forensic Browser is a graphical interface to TASK and it can
automate the process of creating and viewing a time line.
-----------------------------------------------------------------------------
Brian Carrier
Sept 2002
distrib
>
Mandriva
>
9.1
>
ppc
>
media
>
contrib
>
by-pkgid
>
5e1cf60a1e92dccc53ea673ff3e4aa07
>
files
>
33
