Une des étapes fondamentale lorsque nous faisons du forensic (et lorsque qu’on a le temps), c’est de faire une timeline.
Une timeline sert a retracer toute la vie d’un système du début à la fin, pour que l’on puisse suivre toutes les conséquences de n’importe quelle action.
Nous allons pour cela utiliser la suite d’outils Plaso: https://plaso.readthedocs.io
Encore une fois, nous allons partir d’un E01 que nous aurons préalablement monté dans /mnt/ewf1
root@forensiclab:~# log2timeline.py --process_archives --parsers linux -z Europe/London --status_view 'linear' -t TEXT /home/tsurugi/Desktop/l2t.txt /mnt/ewf1/ewf1Ici, nous demandons a log2timeline de travailler sur l’ensemble de notre disque monté, de parser les archives, et lui indiquons qu’il s’agit d’un système linux, le fuseau horaire de la machine et de créer un fichier l2t.txt sur le bureau.
Le reste des arguments sert à faire joli.
Une fois le travail terminé, on vérifie le résultat avec pinfo:
************************** Plaso Storage Information ***************************
Filename : l2t.txt
Format version : 20190309
Serialization format : json
--------------------------------------------------------------------------------
*********************************** Sessions ***********************************
8f6cae3f-ee59-49d4-831f-e14e4115b4b2 : 2020-01-04T15:11:31.372399Z
--------------------------------------------------------------------------------
**************** Session: 8f6cae3f-ee59-49d4-831f-e14e4115b4b2 *****************
Start time : 2020-01-04T15:11:31.372399Z
Completion time : 2020-01-05T19:06:40.746981Z
Product name : plaso
Product version : 20191203
Command line arguments : /usr/local/bin/log2timeline.py --process_archives
--parsers linux -z Europe/London --status_view
linear -t TEXT /home/tsurugi/Desktop/l2t.txt
/mnt/ewf1/ewf1
Parser filter expression :
apt_history,bash_history,bencode,binary_cookies,chrome_cache,chrome_preferences,czip/oxml,dockerjson,dpkg,esedb/msie_webcache,filestat,firefox_cache,gdrive_synclog,java_idx,msiecf,olecf,opera_global,opera_typed_history,plist/safari_history,pls_recall,popularity_contest,selinux,sqlite/chrome_27_history,sqlite/chrome_8_history,sqlite/chrome_autofill,sqlite/chrome_cookies,sqlite/chrome_extension_activity,sqlite/firefox_cookies,sqlite/firefox_downloads,sqlite/firefox_history,sqlite/google_drive,sqlite/skype,sqlite/zeitgeist,syslog,systemd_journal,utmp,vsftpd,xchatlog,xchatscrollback,zsh_extended_history
Enabled parser and plugins : apt_history, bash_history, bencode,
bencode/bencode_transmission,
bencode/bencode_utorrent, binary_cookies,
chrome_cache, chrome_preferences, czip, czip/oxml,
dockerjson, dpkg, esedb, esedb/file_history,
esedb/msie_webcache, esedb/srum, filestat,
firefox_cache, gdrive_synclog, java_idx, msiecf,
olecf, olecf/olecf_automatic_destinations,
olecf/olecf_default, olecf/olecf_document_summary,
olecf/olecf_summary, opera_global,
opera_typed_history, plist, plist/airport,
plist/apple_id, plist/ipod_device,
plist/macosx_bluetooth,
plist/macosx_install_history, plist/macuser,
plist/maxos_software_update, plist/plist_default,
plist/safari_history, plist/spotlight,
plist/spotlight_volume, plist/time_machine,
pls_recall, popularity_contest, selinux, sqlite,
sqlite/android_calls, sqlite/android_sms,
sqlite/android_webview,
sqlite/android_webviewcache, sqlite/appusage,
sqlite/chrome_27_history, sqlite/chrome_8_history,
sqlite/chrome_autofill, sqlite/chrome_cookies,
sqlite/chrome_extension_activity,
sqlite/firefox_cookies, sqlite/firefox_downloads,
sqlite/firefox_history, sqlite/google_drive,
sqlite/hangouts_messages, sqlite/imessage,
sqlite/kik_messenger, sqlite/kodi,
sqlite/ls_quarantine,
sqlite/mac_document_versions,
sqlite/mac_knowledgec, sqlite/mac_notes,
sqlite/mac_notificationcenter,
sqlite/mackeeper_cache, sqlite/safari_history,
sqlite/skype, sqlite/tango_android_profile,
sqlite/tango_android_tc, sqlite/twitter_android,
sqlite/twitter_ios, sqlite/windows_timeline,
sqlite/zeitgeist, syslog, syslog/cron, syslog/ssh,
systemd_journal, utmp, vsftpd, xchatlog,
xchatscrollback, zsh_extended_history
Preferred encoding : UTF-8
Debug mode : False
Artifact filters : N/A
Filter file : N/A
Number of event sources : 4307673
--------------------------------------------------------------------------------
************************* Events generated per parser **************************
Parser (plugin) name : Number of events
--------------------------------------------------------------------------------
apt_history : 78
dpkg : 10866
filestat : 14893123
olecf_default : 1
oxml : 22
pls_recall : 13
syslog : 1203346
utmp : 127
xchatscrollback : 7487
Total : 16115063
--------------------------------------------------------------------------------
************************ Warnings generated per parser *************************
Parser (plugin) name : Number of warnings
--------------------------------------------------------------------------------
<No parser> : 125838
utmp : 2
<No parser> : 10002
pls_recall : 3
xchatscrollback : 106
--------------------------------------------------------------------------------
************************* Pathspecs with most warnings *************************
Number of warnings : Pathspec
--------------------------------------------------------------------------------
31 : type: OS, location: /mnt/ewf1/ewf1
: type: RAW
: type: TSK_PARTITION, location: /p2, part index: 6, start
offset: 0x0ef00000
: type: TSK, inode: 41552429, location:
/root/pentes/hashcat/rules/toggles5.rule
30 : type: OS, location: /mnt/ewf1/ewf1
: type: RAW
: type: TSK_PARTITION, location: /p2, part index: 6, start
offset: 0x0ef00000
: type: TSK, inode: 41552428, location:
/root/pentes/hashcat/rules/toggles4.rule
25 : type: OS, location: /mnt/ewf1/ewf1
: type: RAW
: type: TSK_PARTITION, location: /p2, part index: 6, start
offset: 0x0ef00000
: type: TSK, inode: 41552427, location:
/root/pentes/hashcat/rules/toggles3.rule
15 : type: OS, location: /mnt/ewf1/ewf1
: type: RAW
: type: TSK_PARTITION, location: /p2, part index: 6, start
offset: 0x0ef00000
: type: TSK, inode: 41552426, location:
/root/pentes/hashcat/rules/toggles2.rule
5 : type: OS, location: /mnt/ewf1/ewf1
: type: RAW
: type: TSK_PARTITION, location: /p2, part index: 6, start
offset: 0x0ef00000
: type: TSK, inode: 41421685, location:
/root/smile/nickel_v2.zip
: type: ZIP, location:
/nickel/bower_components/bootstrap/dist/css/bootstrap.min.css
5 : type: OS, location: /mnt/ewf1/ewf1
: type: RAW
: type: TSK_PARTITION, location: /p2, part index: 6, start
offset: 0x0ef00000
: type: TSK, inode: 41421488, location:
/root/smile/caf_v2.zip
: type: ZIP, location: /caf/cc/vbv/vbvimg/bnp.jpg
5 : type: OS, location: /mnt/ewf1/ewf1
: type: RAW
: type: TSK_PARTITION, location: /p2, part index: 6, start
offset: 0x0ef00000
: type: TSK, inode: 41421488, location:
/root/smile/caf_v2.zip
: type: ZIP, location:
/caf/bower_components/jquery/src/event.js
5 : type: OS, location: /mnt/ewf1/ewf1
: type: RAW
: type: TSK_PARTITION, location: /p2, part index: 6, start
offset: 0x0ef00000
: type: TSK, inode: 41421488, location:
/root/smile/caf_v2.zip
: type: ZIP, location:
/caf/bower_components/font-awesome/fonts/fontawesome-webfont.svg
5 : type: OS, location: /mnt/ewf1/ewf1
: type: RAW
: type: TSK_PARTITION, location: /p2, part index: 6, start
offset: 0x0ef00000
: type: TSK, inode: 41421685, location:
/root/smile/nickel_v2.zip
: type: ZIP, location:
/nickel/bower_components/font-awesome/css/font-awesome.min.css
5 : type: OS, location: /mnt/ewf1/ewf1
: type: RAW
: type: TSK_PARTITION, location: /p2, part index: 6, start
offset: 0x0ef00000
: type: TSK, inode: 41421488, location:
/root/smile/caf_v2.zip
: type: ZIP, location:
/caf/bower_components/jquery/src/traversing/var/rneedsContext.js
--------------------------------------------------------------------------------
No analysis reports stored.
root@forensiclab:~# ls -alh /home/tsurugi/Desktop/l2t.txt
-rw-r--r-- 1 root root 6.9G Jan 5 19:07 /home/tsurugi/Desktop/l2t.txtVous avez bien lu…
Start time : 2020-01-04T15:11:31.372399Z
Completion time : 2020-01-05T19:06:40.746981Z
28h de traitement, le fichier final pèse près de 7Go…. Et c’est pas fini…
Il nous faut maintenant rendre ce fichier texte intelligible. Nous allons utiliser psort pour créer une belle timeline lisible…
root@forensiclab:/home/tsurugi/Desktop# psort.py -z Europe/London -o l2tcsv -w timeline.csv l2t.txt Nous demandons donc a psort de nous sortir un fichier timeline.csv, en précisant le fuseau horaire.
plaso - psort version 20191203
Storage file : l2t.txt
Processing time : 02:35:04
Events: Filtered In time slice Duplicates MACB grouped Total
0 0 330730 15784128 16115063
Identifier PID Status Memory Events Tags Reports
Main 1494 exporting 702.0 MiB 16115063 (1) 0 (0) 0 (0)
root@forensiclab:~# ls -alh /home/tsurugi/Desktop/timeline.csv
-rw-r--r-- 1 root root 2.5G Jan 5 22:13 /home/tsurugi/Desktop/timeline.csvNous nous retrouvons maintenant avec un fichier csv de 2.5Go à traiter…
Quoi faire ensuite? Cela dépend de ce que vous cherchez… Vive les greps ^^