Sunday, February 12, 2012

Pulling timelines from unsupported filesystems.

The conference season is closing in and workload is finally easing up enough to put together a couple of blog posts. This one has been in draft status for months.

If you use timelines for investigative purposes as much as I do, you have no doubt run into occasions where fls does not support the filesystem you are working with. I have been working a lot of E-commerce lately and bumping heads with several different variants of Linux filesystems.

Here's the list of filesystems supported by fls:

Notice that ext4, xfs and several others are not in the list.

I had to go digging for a way to do this for an xfs filesystem that I was working with. Fortunately, I have a decent library of books on filesystems, forensics, security, etc. I remembered reading about using the find command to generate timeline data and I was able to find it eventually in "Incident Response & Computer Forensics" (Mandia, Prosise & Pepe). Thanks guys!

They described the process of using the "find" command to generate the file but not all the steps to getting there.

The steps:

1. Mount your filesystem read-only. Here's the command on a *nix box. (This can be done for some filesystems in Windows with a range of different utilities.)

mount -t xfs -o ro,loop,noexec /media/USB/image.001 /mnt/apachesdc

2. Change directories into your newly mounted fs:

 cd /mnt/apachesdc

3. Run your command and output it to a file for later use:

find . -printf '%T+ , %A+ , %C+ , %p \r' > /path/to/output_file.csv

This may require a little massaging to get it to work with your particular distro. The man pages are your friend.

This find command will output Mtime, Atime, Ctime, and the full path and filename, and end each line with a carriage return. The commas in between add a common delimiter for later use with Excel.

Using the capital T, A, and C directives with the find command (each followed by a format character, here "+") lets you specify the time/date output format you want. In this case I wanted yy-mm-dd+hh:mm:ss. This format is natively understood by Excel and makes the spreadsheet much easier to sort.

Open the csv file with Excel and set "comma" as the delimiter. It will neatly organize each row with MAC times and filename. Add a row at the top and label each field, lock that row, and you have a spreadsheet that is sortable by M, A, C, or filename.

You don't get all the extras that you get from using fls and mactime. No GUID, *, *. But what you do get is a very functional timeline for multiple unsupported filesystems.
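Here is the same procedure wrapped in a small POSIX sh script, added as an example and not part of the original post. It assumes GNU findutils (for -printf) and awk, and it adds a read-only check against /proc/mounts, a header row, size and type columns, Unix newlines, and a quoted path field so commas or quotes in filenames do not shift the columns in Excel.

```shell
#!/bin/sh
# Added example: find-based timeline for filesystems fls does not support.
# Assumes GNU find (-printf with %T+/%A+/%C+/%s/%y) and a modern awk.

# is_mounted_readonly MOUNTPOINT
# Returns 0 if MOUNTPOINT is listed in /proc/mounts with the "ro" option,
# 1 otherwise (including when /proc/mounts does not exist). Use it before
# walking evidence so a rw mount cannot silently update atimes.
is_mounted_readonly() {
    [ -r /proc/mounts ] || return 1
    awk -v mp="$1" '
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1 }
        END { exit (found ? 0 : 1) }' /proc/mounts
}

# make_timeline ROOT OUTFILE
# Writes a CSV with one row per object under ROOT:
#   mtime,atime,ctime,size,type,path
# Timestamps are YYYY-MM-DD+HH:MM:SS.fraction (GNU find's "+" format), which
# sorts correctly as text and is understood by Excel. Limitation: a newline
# inside a filename still breaks the row, as it does with the one-liner.
make_timeline() {
    root=$1
    out=$2
    printf 'mtime,atime,ctime,size,type,path\n' > "$out"
    # find emits tab-separated fields; awk re-emits them as CSV and wraps the
    # path in double quotes, doubling any quotes inside it (RFC 4180 style).
    find "$root" -printf '%T+\t%A+\t%C+\t%s\t%y\t%p\n' |
    awk -F '\t' 'BEGIN { OFS = "," }
        {
            path = $6
            gsub(/"/, "\"\"", path)
            print $1, $2, $3, $4, $5, "\"" path "\""
        }' >> "$out"
}

# Typical use on the post's mount point (paths are the post's, not verified here):
#   is_mounted_readonly /mnt/apachesdc || { echo "not mounted ro" >&2; exit 1; }
#   make_timeline /mnt/apachesdc /path/to/output_file.csv
```

Sorting the result by the first column in Excel gives the same M-time ordering the one-liner provides, with the extra columns available for filtering on size or object type.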

I've decided to write a talk that focuses a little heavier on E-commerce this year. My co-workers at Trustwave have the POS malware well covered and DEFCON/SECTOR were fantastic events last year.

My working title is "Ask me about hunting carders for fun and profit" and I plan to include some stupid hacker tricks, some malware, and a quick look at data reduction using the command line.

Stay tuned for a series of posts on some E-comm breaches. I have drafts in work.

On a more personal and non-technical note, my whole family has been involved with the St. Baldrick's charity for 5 years now. We co-organize a head shaving event to raise money for childhood cancer research. My little man has been shaving his head (totally voluntarily) since he was 4 years old. Do me a favor and take a look at the charity, see if there are any local events you can support or drop a couple bucks in one of our donation boxes.

My donation page.
Max's donation page.

