Autopsy Timeline Analysis Help

Timeline Mode

Overview

For some investigations, creating a timeline of activity can be useful to identify places where the analysis should begin. Of course file times can be easily modified by an attacker, so they can not be 100% trusted. But, Autopsy can create timelines of file activity.

Files have at least three times associated with them. The details of each time varies with the file system type.

The following times exist for UNIX file systems (EXT2FS & FFS):

Modified: When the file data was last modified. This time can be modified using the utimes() function. This time is preserved in a 'tar' archive, so it is possible to have M-times of files prior to when they were introduced to the system.
Accessed: When the file data was last accessed. This time can be modified using the utimes() function.
Changed: When the file status (inode data) was last changed. This time can not be set using the utimes() function in UNIX (but it will be set when utimes() is used to modify other values).

The EXT2FS file system also has a Deleted time, but it is not displayed in the timeline.

A FAT File system has the following times:

Written: When the file was last written to. It is the ONLY required time in the FAT file system.
Accessed: When the file was last accessed. In FAT, it is only accurate to the day (not minute). It is an optional value, so some Operating Systems may not update it.
Created: When the file was created. It is also optional, so some Operating Systems may not update it. In fact, many Windows installations have a C-Time of 0 for directories such as C:\\Windows and C:\\Program Files.

The NTFS File system has several times, four of which are used in the timeline. These times are gathered from the \$STANDARD_INFORMATION attribute.

Written: When the file was last written to.
Accessed: When the file was last accessed.
Changed: When the MFT entry was last modified.
Created: When the file was created.

How to Create a Timeline

Creating a timeline takes two steps. The first step extracts and saves the needed data from each file system images. This step stores the data from each specific file system in a generic format. Historically (from TCT), this file was called the body file. The second step takes the body file as input and generates an ASCII timeline of file activity between two specified dates. The resulting timeline can be viewed in Autopsy or using a text editor.

Creating the Body File

The file meta-data must be extracted from the file system images and saved to the body file. There are three major types of files that data can be extracted for:

Allocated Files: Files that are seen when doing an 'ls' or 'dir' in a directory. In other words, these are the files that have an allocated file name structure.
Unallocated Files: Files that have been deleted, but that TSK can still access. Files in this category include orphan files, which are files that no longer have a name, but whose metadata still exists. If a deleted file name points to an allocated metadata structure, then the name will say (realloc) next to it.

To create the body file, select the images to analyze from the list on top. Next, select which types of data that you want to extract. By default all types are extracted. Lastly, identify the name of the body file to create. The file will be created in the output directory and an entry will be added to the host config file. You will be given the option to calculate the MD5 value of the new file.

Creating the Timeline

The next window allows one to create a timeline based on the newly created body file. Or, one can select the option from the left-hand side menu. The range of dates must be selected as well as the name of the timeline file. The resulting timeline will use the time zone for the host.

If the images are from a UNIX file system, then the password and group files can be used to change the UID and GID to actual names. If the partition from the root directory exists in the host, select it from the pull down list and Autopsy will find the /etc/passwd and /etc/group file contents.

The timeline will be created in the output directory. You will be given the option to calculate the MD5 hash value of the new file.

Viewing the Timeline

The timeline can be viewed in Autopsy. Timelines tend to be very large though and have thousands of lines. HTML browsers can not handle tables of this size very well and typically have trouble processing it. Therefore, Autopsy only allows you to view the timeline one month at a time. It will likely be easier to open a shell and examine the timeline in a text editor or pager such as 'less' or 'more'.

The 'summary' link will show a page that contains a monthly summary of activity. It shows how many many events occured in that month and links to the details. This allows one to get a high level view of when a lot of activity last occured.

The following columns are in the timeline (in order):

Date and timeof the activity. If no date is given, then the activity occured at the same time as the previous entry with a time.
Size. The size of the file.
Entry Type. The 'm', 'a', 'c', and 'b' letters will exist to identify which of the activity types this entry corresponds to. 'm' is for modified times, 'a' is for access times, 'c' is for change times, and 'b' is for created (or born) times.
ModeUID. The User Id or User name is shown. If a password file was provided when the timeline was created, then the colunn should only have names.
GID. The Group Id or Group name is shown. If a group file was provided when the timeline was created, then the colunn should only have names.
Meta Data Address. The inode or MFT entry address for the associated file.
File Name. The name of the file and the destination of a symbolic link. Deleted entries will have '(deleted)' at the end and deleted entries that point to an allocated meta data structure will have '(realloc)'.

Brian Carrier