Hunting the Hunters: Creating Timelines with Plaso

Aung Myo Myint
Horangi
Apr 25, 2017

Introduction

Timeline analysis is helpful for many types of investigations and is frequently used to answer questions about activity that happened before or after a given event. I typically use log2timeline or mactime.pl to create super timelines. I am always looking for more efficient or effective ways to do things, so I started using Plaso. Plaso is the latest incarnation of log2timeline and is written and maintained by Kristinn Guðjónsson.

Plaso is the Python-based framework behind log2timeline, used for building super timelines. It can parse many types of log files and digital forensics artifacts from malware, compromised computers or attacked systems, and it noticeably speeds up digital forensics investigations. Although Plaso has a bit of a learning curve, most forensics analysts and investigators eventually fall in love with it. In my experience, Plaso runs faster than the original log2timeline; the test results for log2timeline and Plaso are shown below. For log2timeline, we first have to mount the EnCase (E01) image or hard disk image using the ewfmount tool.

Horangi’s forensic environment of choice is SIFT workstation, developed and maintained by Rob Lee of the SANS institute. SIFT workstation comes installed with almost all the forensic tools an investigator needs to conduct analysis, including Plaso. Since Plaso is pre-installed on SIFT, this blog post will not cover installation or configuration of the tool. As a side note, we have added custom functionality to our own SIFT platform, which we are excited to share in future blog posts!

Plaso supports many different image file formats such as VHD, NTFS and FAT, as well as raw image formats such as dd, img and raw. In this case, I am going to use the EnCase image file format. First, mount your forensics image using ewfmount, which works with most E01 images. To mount, use the mount_ewf.py Python script.

The next step is to create the Plaso storage file (e.g. example.plaso) from the evidence image. Run the following command:

log2timeline.py dir/case_name.plaso /mnt/ewf/ewf1

As I mentioned earlier, Plaso is the Python-based engine behind log2timeline, and we drive it through Plaso's log2timeline.py script. Plaso automatically calculates the partition offsets in your mounted image and asks you to select the partition holding the operating system. log2timeline.py then creates a Plaso storage file, which can be analyzed with the psort and pinfo tools.

After running the command above, you are likely to see partition options similar to these for a Windows system:

After you choose the desired partition, you will see the following. (Note that this can take a long time depending on the size of your disk image.)

Once you have patiently waited for the process to finish, you will see remarkable results. This is especially true if you have ever built a super timeline by hand or entered events from an unsupported log format yourself. WOW! The workers did a great job ~

Your results are saved in the case_name.plaso storage file.

After creating the Plaso storage file we have two tools for analysis, psort and pinfo. To use psort, type the following command:

psort.py -o l2tcsv -w (output CSV file) (input plaso storage file)

This command creates a CSV file that can be opened in Microsoft Excel to analyze system events. From the screenshot below, we can infer that the attacker logged in to the system and dropped the Searcher.dll malware within the Sat Feb 26, 2011 timeframe.
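Opening the l2tcsv file in Excel works for small cases, but the "what happened around the malware drop" question can also be asked programmatically. The following is an added example, not code from the post or from the Plaso project: it parses psort's l2tcsv output (17 columns, header assumed as shown), finds the rows mentioning a filename such as Searcher.dll, and returns every event within a window around the first hit. The three CSV rows are constructed for this example, not real case data.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed l2tcsv sample: the header psort -o l2tcsv writes, plus three
# made-up events on a fictional host WS01 (not from a real case).
L2TCSV_SAMPLE = """\
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
02/26/2011,09:12:03,UTC,M...,LOG,Security Event Log,Content Modification Time,-,WS01,Logon 4624,An account was successfully logged on,2,C:/Windows/System32/winevt/Logs/Security.evtx,0,-,winevtx,-
02/26/2011,09:15:47,UTC,.A.B,FILE,NTFS $MFT,Creation Time,-,WS01,C:/Windows/Temp/Searcher.dll,Searcher.dll created,2,C:/Windows/Temp/Searcher.dll,41234,-,filestat,-
02/27/2011,11:02:10,UTC,M...,FILE,NTFS $MFT,Content Modification Time,-,WS01,C:/Users/bob/notes.txt,notes.txt modified,2,C:/Users/bob/notes.txt,55,-,filestat,-
"""


def load_l2tcsv(text):
    """Parse l2tcsv rows into dicts; l2tcsv stores the timestamp as separate
    MM/DD/YYYY date and HH:MM:SS time columns, so combine them into one datetime."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%m/%d/%Y %H:%M:%S")
        events.append(row)
    return events


def pivot(events, keyword, window_hours=24):
    """Return every event within +/- window_hours of the earliest event whose
    filename or description mentions keyword, sorted by time. An empty list
    means the keyword never appears in the timeline."""
    hits = [e for e in events if keyword.lower() in (e["filename"] + e["desc"]).lower()]
    if not hits:
        return []
    anchor = min(h["ts"] for h in hits)
    lo, hi = anchor - timedelta(hours=window_hours), anchor + timedelta(hours=window_hours)
    return sorted((e for e in events if lo <= e["ts"] <= hi), key=lambda e: e["ts"])


if __name__ == "__main__":
    # With real data, replace L2TCSV_SAMPLE with open("timeline.csv").read().
    for e in pivot(load_l2tcsv(L2TCSV_SAMPLE), "Searcher.dll"):
        print(e["ts"], e["MACB"], e["sourcetype"], e["short"])
```

The logon event lands in the window because it precedes the DLL creation by minutes, while the unrelated edit a day later is excluded.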

Clearly, a timeline is useful when hunting malware.

Follow our blog to stay up to date with the latest features on how Horangi is innovating in cyber security solutions!
