Log2timeline on Windows

(@randomaccess)
Reputable Member
Joined: 14 years ago
Posts: 385
Topic starter  

After everyone thought that the Jump List parser I released was part of RegRipper, it really showed me how much people pay attention to what they're downloading.

facepalm…maybe they were confusing shellbags for jump lists?

Speaking of which, I'm modifying your jumplist parser a bit more; I can either send it to you or post it up on Google Code.
I changed jl2.pl to output to TLN format and also parse a whole autodest folder, so that I can skim through all of them before adding the important ones to the timeline.


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

After reading the links you shared and some others I am not confident I know how it would work off the top of my head with a disk image.

Well, the "normal" operation of devio with IMDISK is the following:
on a "server", devio "exposes" a local device through a port;
on a "client", IMDISK can connect to that port (at a given IP address) and mount the device as if it were local, giving it a drive letter or connecting it to a local mountpoint.

But I misread your original post, oops: you were using the network share as a "workaround" to make the $MFT "accessible" to the parser.

I don't think that devio will be of any help for this.

A convenient way (cannot say if applicable to your situation/scope) is to open the disk image with 7-zip.
In a "fake" folder called [SYSTEM] you will find all the NTFS filesystem structures as files, that you can thus "extract" as "normal" files.

jaclaz

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

facepalm…maybe they were confusing shellbags for jump lists?

No, apparently, it was much like what @davnads referred to…they saw ".pl" and just assumed it was a RegRipper plugin.

Speaking of shellbags, though, I presented at PFIC last year and was amazed at the number of folks who perform analysis, specifically of user activity, and do not touch the shellbags. At all. One guy admitted to doing shellbag analysis…in SANS training, but not after completing the course.

What I find to be very interesting is that there are only two tools that really get the majority of the available data, particularly when it comes to the user accessing connected devices. Interestingly, some devices show up in the shellbags, but not beneath the Enum\USBStor key. I mentioned this on two separate occasions in threads to this forum, both of which apparently went over like a bag of hammers.

Speaking of which, I'm modifying your jumplist parser a bit more; I can either send it to you or post it up on Google Code.
I changed jl2.pl to output to TLN format and also parse a whole autodest folder, so that I can skim through all of them before adding the important ones to the timeline.

Thanks, I've already got that, but it's great that you're modifying the tools to meet your needs.

(@pragmatopian)
Estimable Member
Joined: 16 years ago
Posts: 154
 

You have so many scripts it's hard to keep track of them all

… you're not the first person to say that I have too many tools or scripts

I think it was a compliment rather than a criticism.

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

I think it was a compliment rather than a criticism.

Perhaps…but I didn't particularly take it as either.

However, when I've heard it, it's most often used as the reason why DFIR folks don't use the tools that I've made freely available…there are too many, it's hard to keep track of them, it's hard to create a timeline when you have all these different steps that you need to follow, etc.

(@pragmatopian)
Estimable Member
Joined: 16 years ago
Posts: 154
 

However, when I've heard it, it's most often used as the reason why DFIR folks don't use the tools that I've made freely available…there are too many, it's hard to keep track of them, it's hard to create a timeline when you have all these different steps that you need to follow, etc.

Reminds me of:

"If something's hard to do, then it's not worth doing."

Not a great attitude for an examiner to have, although clearly we're all usually operating under some kind of resource constraint (e.g. of available time, cost, etc.). I consider that a key distinction of good examiners from bad ones is the ability to effectively balance cost and benefit: we can't dive deep into everything on every examination, but we should all at least seek to be aware of the possibilities available to us and the circumstances when particular steps are likely to be valuable.

I'd certainly question an examiner's competence and/or sanity if they didn't see the value of investing some effort in generating a timeline if they're looking at a network intrusion.

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Not a great attitude for an examiner to have, although clearly we're all usually operating under some kind of resource constraint (e.g. of available time, cost etc).

Agreed, but in my experience, it's self-imposed…we may have analysis goals and a time frame, but we end up spending too much time on the wrong thing.

I once sat with an examiner for another company we were sub'ing to, and had them walk me through the analysis they'd accomplished thus far. This examiner was very excited to show me what he'd found, but kept confusing the case he was showing me with another case, in part because he didn't keep case notes. He went through his description of what he'd found for almost a full hour, flipping back and forth between views in FTK and EnCase. At the end of the hour, I asked, "ok, this is all very interesting stuff, but what does it have to do with the goals of the exam?" He looked at me for a moment, and then simply said, "It doesn't."

The trip to his office for me was 40 min, one way. I had to wait about 15 min to be let in for a scheduled meeting, and in the hour he spent showing me what he'd found, we hadn't even started to address findings related to the goals of the exam.

I'd certainly question an examiner's competence and/or sanity if they didn't see the value of investing some effort in generating a timeline if they're looking at a network intrusion.

…or any exam that involved time (i.e., an event occurring at a specific time, etc.).

One of the issues I've been considering lately is the sufficiency of various tools. I recently encountered someone using a popular tool to create a timeline, and when they asked about the issue they were facing, I asked if they'd included specific data…their response was, "yes, it includes system and user activity." However, the tool that they used specifically does NOT incorporate the data in question…not by design, it simply doesn't parse it (yet).

So my thoughts are, when you're creating a timeline, are you incorporating _all_ data, the _right_ data, and/or sufficient data? How do you know?

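Two points in this part of the thread lend themselves to a worked example: the TLN output that randomaccess added to jl2.pl earlier on this page, and Harlan's question just above about whether the timeline you built actually contains the right data. The Python below is an added example written for this page; it is not code from jl2.pl, RegRipper, log2timeline, plaso or 4n6time. The TLN layout it uses (Time|Source|Host|User|Description, time as epoch seconds in UTC) is the five-field format of Harlan Carvey's timeline tools; the sample events, the host and user names, the AppID in the Jump List entry and the list of "expected" sources are all constructed assumptions for illustration.

```python
"""Build a TLN-format timeline from several artifact parsers and audit its coverage.

Added example for this thread; it is not code from jl2.pl, RegRipper,
log2timeline or any other tool mentioned above. TLN is the five-field,
pipe-delimited timeline format used by Harlan Carvey's tools:
    Time|Source|Host|User|Description
with Time as a Unix epoch in UTC. The sample events, host name, user name,
AppID and the list of "expected" artifact sources are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable

TLN_FIELDS = 5


@dataclass(frozen=True)
class Event:
    when: datetime   # timezone-aware; converted to UTC on output
    source: str      # artifact family the record came from (assumed labels)
    host: str
    user: str
    desc: str

    def to_tln(self) -> str:
        """Render one TLN line. Pipes inside the description are escaped so
        the line still splits into exactly five fields."""
        if self.when.tzinfo is None:
            raise ValueError("TLN needs an unambiguous (UTC) time; got a naive datetime")
        epoch = int(self.when.astimezone(timezone.utc).timestamp())
        desc = self.desc.replace("|", r"\|")
        return f"{epoch}|{self.source}|{self.host}|{self.user}|{desc}"


def parse_tln(line: str) -> Event:
    """Inverse of Event.to_tln(); rejects lines that do not have five fields."""
    # Split on unescaped pipes only: temporarily hide the "\|" escape.
    hidden = line.rstrip("\n").replace(r"\|", "\x00")
    parts = hidden.split("|")
    if len(parts) != TLN_FIELDS:
        raise ValueError(f"malformed TLN line ({len(parts)} fields): {line!r}")
    epoch, source, host, user, desc = parts
    return Event(
        datetime.fromtimestamp(int(epoch), tz=timezone.utc),
        source, host, user, desc.replace("\x00", "|"),
    )


def build_timeline(events: Iterable[Event]) -> list[str]:
    """Merge events from any number of parsers into one sorted TLN timeline.
    Ties on time are broken by source so the output is deterministic."""
    return [e.to_tln() for e in sorted(events, key=lambda e: (e.when, e.source))]


def coverage_gaps(tln_lines: Iterable[str], expected: Iterable[str]) -> set[str]:
    """Which artifact sources you expected to see are absent from the timeline?
    Answers the "is the right data in here?" question before analysis starts."""
    present = {parse_tln(line).source for line in tln_lines}
    return set(expected) - present


def triage(tln_lines: Iterable[str], needle: str) -> list[str]:
    """Skim a timeline for lines mentioning a path or name (case-insensitive),
    e.g. to pick the Jump List entries worth keeping before merging them in."""
    return [line for line in tln_lines if needle.lower() in line.lower()]


# Constructed sample: three parsers' output for one host. AppID and file names are made up.
UTC = timezone.utc
SAMPLE_EVENTS = [
    Event(datetime(2013, 3, 4, 10, 15, 0, tzinfo=UTC), "MFT", "WKS01", "-",
          "M... [$SI] C:\\Users\\bob\\Downloads\\invoice.exe"),
    Event(datetime(2013, 3, 4, 10, 14, 30, tzinfo=UTC), "JUMPLIST", "WKS01", "bob",
          "AutoDest deadbeef01234567 -> C:\\Users\\bob\\Documents\\report.docx"),
    Event(datetime(2013, 3, 4, 10, 16, 5, tzinfo=UTC), "USERASSIST", "WKS01", "bob",
          "C:\\Users\\bob\\Downloads\\invoice.exe (run count 1)"),
]

# Sources an examiner might insist on for a user-activity timeline (assumed list).
EXPECTED_SOURCES = {"MFT", "EVT", "REG", "APPCOMPAT", "USERASSIST", "JUMPLIST", "SHELLBAGS"}


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_EVENTS)
    print("\n".join(timeline))
    print("missing sources:", sorted(coverage_gaps(timeline, EXPECTED_SOURCES)))
    print("invoice.exe hits:", len(triage(timeline, "invoice.exe")))
```

Running it prints the merged timeline and then reports that APPCOMPAT, EVT, REG and SHELLBAGS are missing from it. That last line is the point: the coverage check is driven by the list of sources you decided you need, not by whatever the parsers happened to emit, so a tool that silently does not handle an artifact shows up as a gap instead of being mistaken for "everything".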
(@davnads)
Eminent Member
Joined: 17 years ago
Posts: 41
 

I'd certainly question an examiner's competence and/or sanity if they didn't see the value of investing some effort in generating a timeline if they're looking at a network intrusion.

As someone who spends the majority of their time working on network intrusions.. feel free to question my competence and/or sanity. You might win on the sanity part but let's chat 😉

The types of cases I primarily work on can involve upwards of thousands of endpoints. Thus, my goal is to always work as efficiently and effectively as possible… kinda like that saying, "work smarter, not harder".

As it relates to timeline creation and review, my personal process is to press a few buttons and pop out a timeline I can filter and review in the same GUI. Also, by reducing the number of steps and reasons to interface with a command line it can exponentially reduce the window of error. This is important to me when I work on teams of various skill level.

btw, Harlan's methods of creating timelines are great and I employ them frequently for QC and targeted timeline creation. It's always important to have more than one way of accomplishing a task.

(@davnads)
Eminent Member
Joined: 17 years ago
Posts: 41
 

Agreed, but in my experience, it's self-imposed…we may have analysis goals and a time frame, but we end up spending too much time on the wrong thing.

Well put.

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

As someone who spends the majority of their time working on network intrusions.. feel free to question my competence and/or sanity. You might win on the sanity part but let's chat 😉

Smiley emoticon aside, Dave, I think you misread the quote.

As it relates to timeline creation and review, my personal process is to press a few buttons and pop out a timeline I can filter and review in the same GUI.

This is kind of what I was alluding to in my previous comment. Given your creation of 4n6time, I'll have to assume that when you "press a few buttons and pop out a timeline", you're referring to either log2timeline or plaso…neither of which parses the AppCompatCache value data. If you're interested specifically in user activity, I seem to remember that it parses UserAssist data, but not other artifacts, such as Jump Lists, etc.

Now, don't think I'm deriding log2timeline…nothing could be further from the truth. I think Kristinn's done a fantastic job with both versions of the tools. This issue comes from analysts who espouse getting "everything", without knowing what their tools actually do and do not get.

And if your methodology works for you…great. I'd bet on an analyst who has a considered, reasoned approach over one who is just pushing buttons any day.

btw, Harlan's methods of creating timelines are great and I employ them frequently for QC and targeted timeline creation. It's always important to have more than one way of accomplishing a task.

I'm not clear on what "methods" you're referring to. Also, I'm a bit surprised that you'd opt to use anything I developed or discussed.

Page 3 / 5