{
    "componentChunkName": "component---src-templates-blog-post-js",
    "path": "/Timeline_Analysis_using_UsnJrnl",
    "result": {"data":{"markdownRemark":{"id":"1ea4a452-ffb7-5660-aee0-15bdd251ec7f","html":"<p>According to Locard's Exchange Principle, every interaction leaves a trace, a concept that applies equally well in digital forensics. In this field, timeline analysis plays a vital role in identifying a user's past activities. It can reconstruct the sequence of events on a machine, revealing what occurred and the actions taken, which is invaluable for tracking an adversary's presence within a system.</p>\n<h2>So now what is Timeline Analysis?</h2>\n<p>Timeline Analysis is a technique used in Digital Forensics and Incident Response, with the help of tooling, that provides insight into activities performed on a machine. It compiles and organizes various artifacts—such as registry entries, program executions, file system changes, file downloads, browser history, and other operating system artifacts—into a time-ordered sequence. This chronological arrangement of data enables investigators to trace user activities and understand the events that transpired on the system.</p>\n<p>Timeline Analysis helps identify adversaries' footprints, detect the use of anti-forensic tools, and uncover other activities that occurred during an incident. 
This technique provides a wealth of information, but at the same time timeline analysis is cumbersome, because the results contain a lot of noise (system file artifacts, event logs, etc.), so it is the investigator's task to filter the system noise out of the timeline results.</p>\n<p><strong>So in this post, we are going to cover basic timeline analysis techniques using $USNJrnl artifacts with the help of a fictional case study.</strong></p>\n<h3>What is USNJrnl?</h3>\n<blockquote>\n<p>“The USN Journal (Update Sequence Number Journal), or Change Journal, is a feature of the Windows NT file system (NTFS) which maintains a record of changes made to the volume.”</p>\n<p>- Wikipedia</p>\n</blockquote>\n<p>A high-level summary of changes to files and directories is recorded, along with reason codes indicating the types of changes. This information is also used by the Windows Backup application to identify recently modified files and determine which files need to be backed up.</p>\n<p>The USNJrnl reason codes are what the investigator interprets, so one must be familiar with the reason codes documented at the link below in order to analyze timeline activity using USNJrnl.</p>\n<p>USNJrnl Location: $Extend\\$UsnJrnl</p>\n<p>Reason Code: <a href=\"https://learn.microsoft.com/en-us/windows/win32/api/winioctl/ns-winioctl-usn_record_v3\">https://learn.microsoft.com/en-us/windows/win32/api/winioctl/ns-winioctl-usn_record_v3</a></p>\n<p><strong>Case Study:</strong></p>\n<p>LEA have detained a hacker who committed computer hacking and identity theft violations in conjunction with the theft and release of personally identifiable information (PII) of government service members and federal employees. 
As alleged in the criminal complaint, the accused, also known by his hacking moniker “Jinmori,” is believed to be the leader of an internet hacking group called Elite Hunters Group.</p>\n<p>As per intelligence, the arrested person was working on malware that targets SCADA systems, specifically programmable logic controllers (PLCs), and he used a living-off-the-land wiper to wipe the traces of the malware before his arrest.</p>\n<p>Now I'm going to use some of the best, and my favourite, tools by Eric Zimmerman.</p>\n<p><strong>The tools used for the analysis:</strong></p>\n<p><strong>FTK Imager:</strong> used to extract the $USNJrnl from the file system.</p>\n<p><strong>PECmd by Eric Zimmerman:</strong> prefetch parser (you can refer to my previous post on prefetch for more details).</p>\n<p><strong>MFTECmd:</strong> MFT parser, also capable of parsing the $J, $Boot and $LogFile.</p>\n<p><strong>Timeline Explorer:</strong> to analyze the extracted journal file.</p>\n<p>Below is the procedure to analyze prefetch artifacts; for more details on <a href=\"https://4n6shetty.in/How-Windows-Artifact-Prefetch-Can-Help-in-Digital-Forensics-Investigations-in-Windows-11-Machine\">prefetch, you can refer to my previous article</a>.</p>\n<p><figure class=\"gatsby-resp-image-figure\">\n  <img class=\"gatsby-resp-image-image\" alt=\"prefetch\" title=\"Prefetch Extraction Analysis\" src=\"/static/7a728eb864abcdd435ba5d63ac681235/2bef9/prefetch.png\" loading=\"lazy\" decoding=\"async\" />\n  <figcaption class=\"gatsby-resp-image-figcaption\">Prefetch Extraction Analysis</figcaption>\n</figure></p>\n<p>We can observe that the results fetched by the PECmd command for the SDELETE.EXE-A37B56B2.pf prefetch file show that SDelete touched the files and directory of the Stuxnet source code folder within 10 seconds. SDelete is a living-off-the-land wiper, and it was used by the user Jinmori to wipe the traces of the Stuxnet source code (i.e. SDelete wiped the Stuxnet source code folder, which was saved on the Desktop).</p>\n<blockquote>\n<p><strong>Stuxnet</strong>, a <a href=\"https://www.britannica.com/technology/computer-worm\">computer worm</a>, discovered in June 2010, that was specifically written to take over certain programmable industrial control systems and cause the equipment run by those systems to malfunction, all the while feeding false <a href=\"https://www.britannica.com/dictionary/data\">data</a> to the systems monitors indicating the equipment to be running as intended.</p>\n<p>- britannica.com</p>\n</blockquote>\n<p><figure class=\"gatsby-resp-image-figure\">\n  <img class=\"gatsby-resp-image-image\" alt=\"prefetch1\" title=\"Prefetch Results fetched by PECmd Tool\" src=\"/static/ae1f867950bf8ab2166e8076d8675e1d/2bef9/prefetch1.png\" loading=\"lazy\" decoding=\"async\" />\n  <figcaption class=\"gatsby-resp-image-figcaption\">Prefetch Results fetched by PECmd Tool</figcaption>\n</figure></p>\n<p>Now that we know the wiper's name, we can go further with the timeline analysis technique using <strong>USNJrnl</strong>. We follow the process below to extract the <strong>USNJrnl</strong> and analyze it using <strong>MFTECmd</strong> and <strong>Timeline Explorer</strong>.</p>\n<p><figure class=\"gatsby-resp-image-figure\">\n  <img class=\"gatsby-resp-image-image\" alt=\"usn\" title=\"USNJrnl Analysis Process\" src=\"/static/b2fcd1b711a9ce06389cc3fcf579ab38/2bef9/usn.png\" loading=\"lazy\" decoding=\"async\" />\n  <figcaption class=\"gatsby-resp-image-figcaption\">USNJrnl Analysis Process</figcaption>\n</figure></p>\n<p>We can observe from the figure below that the MFT entry assigned to the Stuxnet source code folder was subjected to the repeated renaming recorded in the update reasons of the USNJrnl entries, following the successive-alphabetic-character naming scheme described on the official Microsoft page. This confirms the use of the SDelete tool to wipe the Stuxnet source code folder.</p>\n<blockquote>\n<p>To overwrite file names of a file that you delete, SDelete renames the file 26 times, each time replacing each character of the file's name with a successive alphabetic character. 
For instance, the first rename of \"foo.txt\" would be to \"AAA.AAA\".</p>\n<p><a href=\"https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete\">-Microsoft</a></p>\n</blockquote>\n<p><figure class=\"gatsby-resp-image-figure\">\n  <img class=\"gatsby-resp-image-image\" alt=\"copy of anti forensics by manjesh dsci 2 \" title=\"USNJrnl Results using Timeline Explorer\" src=\"/static/367cf01f9011e6f8924a9a3aa1b0e253/2bef9/copy-of-anti-forensics-by-manjesh-dsci-2-.png\" loading=\"lazy\" decoding=\"async\" />\n  <figcaption class=\"gatsby-resp-image-figcaption\">USNJrnl Results using Timeline Explorer</figcaption>\n</figure></p>\n<p>Using timeline analysis with USNJrnl, we were able to prove that the SDelete application was used to wipe the Stuxnet source code. 
This is a brief example of how timeline analysis can aid forensic experts in identifying the perpetrators' patterns.</p>\n<p><strong>In the future, we'll explore more on timeline analysis and delve into supertimeline concepts.</strong></p>","excerpt":"According to Locard's Exchange Principle, every interaction leaves a trace, a concept that applies equally well in digital forensics. In this field…","frontmatter":{"date":"August 19, 2024","slug":"/Timeline_Analysis_using_UsnJrnl","title":"Timeline Analysis using $UsnJrnl (Living off the land Wipers - Stuxnet Casestudy)","description":"This blog is dedicated to law enforcement agencies (LEA) and focuses on timeline analysis using USNJrnl with Eric Zimmerman's tools. It includes a case study where a living-off-the-land wiper was used to erase malware, uncovering the wiper's patterns.","featuredImage":{"childImageSharp":{"gatsbyImageData":{"layout":"fullWidth","backgroundColor":"#080808","images":{"fallback":{"src":"/static/b7105a7f9b788c5b09977b889b9a6ba0/afa5c/timeline-analysis-using-usnjrnl-living-off-the-land-wipers-stuxnet-casestudy-.png","srcSet":"/static/b7105a7f9b788c5b09977b889b9a6ba0/0dee1/timeline-analysis-using-usnjrnl-living-off-the-land-wipers-stuxnet-casestudy-.png 750w,\n/static/b7105a7f9b788c5b09977b889b9a6ba0/8beaa/timeline-analysis-using-usnjrnl-living-off-the-land-wipers-stuxnet-casestudy-.png 1080w,\n/static/b7105a7f9b788c5b09977b889b9a6ba0/d079a/timeline-analysis-using-usnjrnl-living-off-the-land-wipers-stuxnet-casestudy-.png 1366w,\n/static/b7105a7f9b788c5b09977b889b9a6ba0/afa5c/timeline-analysis-using-usnjrnl-living-off-the-land-wipers-stuxnet-casestudy-.png 1920w","sizes":"100vw"},"sources":[{"srcSet":"/static/b7105a7f9b788c5b09977b889b9a6ba0/a66aa/timeline-analysis-using-usnjrnl-living-off-the-land-wipers-stuxnet-casestudy-.webp 750w,\n/static/b7105a7f9b788c5b09977b889b9a6ba0/65dd5/timeline-analysis-using-usnjrnl-living-off-the-land-wipers-stuxnet-casestudy-.webp 
1080w,\n/static/b7105a7f9b788c5b09977b889b9a6ba0/4fad6/timeline-analysis-using-usnjrnl-living-off-the-land-wipers-stuxnet-casestudy-.webp 1366w,\n/static/b7105a7f9b788c5b09977b889b9a6ba0/c512e/timeline-analysis-using-usnjrnl-living-off-the-land-wipers-stuxnet-casestudy-.webp 1920w","type":"image/webp","sizes":"100vw"}]},"width":1,"height":0.5625}}}}}},"pageContext":{"id":"1ea4a452-ffb7-5660-aee0-15bdd251ec7f","previous":{"id":"68f022ee-3390-5c2f-b713-debd47df9843","frontmatter":{"slug":"/How-Windows-Artifact-Prefetch-Can-Help-in-Digital-Forensics-Investigations-in-Windows-11-Machine","template":"blog-post","title":"Uncovering Hidden Clues: How Windows  Artifact Prefetch Can Help in Digital Forensics Investigations in Windows 11 Machine"}},"next":{"id":"851abebc-cf90-596f-8e7b-53d94ebf92d3","frontmatter":{"slug":"/Memory-Forensics-with-Volatility-3-Recovering-Monero-Wallet-Addresses-from-Tor-in-Dark-Web-Investigations","template":"blog-post","title":"Memory Forensics with Volatility 3: Recovering Monero Wallet Addresses from Tor in Dark Web Investigations"}}}},
    "staticQueryHashes": ["228695001","2744905544","358227665"]}