Friday, December 14, 2012

4n6time Release Notice

After what feels like a year of “not having a life”… I am happy to announce 4n6time :-)

4n6time, formerly "l2t_Review", is a free, cross-platform forensic tool for timeline creation and review. Since 4n6time is powered by Kristinn Gudjonsson’s amazing plaso engine, formerly log2timeline, users can now create, with a mouse, a raw timeline storage file from a disk image. Once a timeline has been created, it can be output to a 4n6time database (SQLite). Using 4n6time, you can then start your review with the ability to filter, highlight, sort, tag, bookmark, and search on common data fields. Also included are basic reporting features as well as the ability to export subsets of data back into the CSV and timeline storage files.

Here are some highlights of 4n6time:

  • Timeline creation wizard
  • Robust filtering
  • Event tagging, bookmarking, and (auto)highlighting like eDiscovery tools
  • Interactive graphical representation of events
  • File viewing, hashing, and exporting via data source (i.e. linking timeline to disk image or mount point)
  • Basic reporting and charting
  • Appending timelines from multiple data sources (cross-host timeline analysis)
  • Ability to save work product back into timeline storage files

For more information, check out the work-in-progress UserGuide, my blog, or go download an OSX or Windows binary from the Google Code page. Binaries for Linux and SIFT will also be released soon.

Thursday, November 22, 2012

#DFIR things DavNads is Thankful for on Thanksgiving

I hope everyone has a great Thanksgiving. I am going to attempt to deep fry a turkey tonight so I wanted to get a blog post up in case it’s my last words! There’s often discussion about how to get started in #DFIR or how to get to the next level for those already in the field. Therefore, I thought it would be relevant on this day to take a few minutes to write about some things I am thankful for that have helped me be successful in my #DFIR career.

#Resources (aka weapons)

I like to use the analogy that the #DFIR battle ground is like a role playing video game. A new game provides your character with the essentials and through the course of your journey, you accumulate weapons to build your character's capabilities. 

No one starts in #DFIR with all the answers, but knowing where to look for all the answers is possible (think game cheats). Having an arsenal of weapons including blogs, white papers, tools, and even contacts is what enables me on a daily basis to provide answers to questions, solve problems, and prepare for that next battle with the “SASPDT” – Sometimes Advanced, Sometimes Persistent, Definitely a Threat.

I am confident that my arsenal of weapons is what has made me a valuable character on the #DFIR battleground, similar to certain video game characters. The only difference is the "SASPDT" can’t steal the account credentials to ME, unlike those pesky video game characters. For this I am again thankful for my arsenal of forensic weapons.


DFIR is not an easy career to “just get by” in. What makes it so difficult? Well, I think there are a few factors including the constant changes in technology, process, and interpretation. One’s ability to not only adapt to these changes but help shape the changes is what (in my opinion) separates the button pressers from button builders. The notion of staying “cutting edge” is challenging because it requires time, passion, research, and sometimes even the ability to develop. However, the reward of solving a challenge often outweighs the effort.

Personally, I have not always been eager for challenges. Whether it was in the classroom or at the gym, I was always the one hiding so as not to be picked on. In fact, I was even in Special Ed for a few years. I felt that my lack of confidence and belief in my abilities held me back from just trying -- which I am sure many others can relate to.

One opportunity that I will always be thankful for was my first network intrusion project. Ed, my boss, my mentor, provided me with the challenge. I’ll never forget our special conversation in his office leading up to the experience. I literally tried to convince him in every way possible I was not qualified for this, and the only thing I was prepared to do was fail. I think I may have even asked him if he was stupid sending someone like me to do this type of project! Despite my thoughts, Ed believed in my abilities, and framed his response in a way that actually gave me confidence in myself, my abilities and most importantly the drive to try. 2 years later, after a very successful response, Ed gave me the opportunity to testify for the first time on the same project. Let's just say, I might have a little bit too much confidence now. I blame Ed for that.

Challenges are not easy. For most people like myself, it's important to surround yourself with people that support you, believe in you, and will push you. Don't be afraid to try something new; heck, it may open your eyes to an entirely new passion -- network intrusions -- like it did for me. Today, I am thankful for challenges because they have shaped my career.

#Role Models & Mentors

Something I did early on in my career was not only identify role models but identify what characteristic(s) made them role models to me. For instance, I have always looked up to all the SANS faculty (Rob, Paul, Hal, Chad, Alissa, etc.) as role models. Not so much for their “know how” but their unique abilities to articulate and communicate technical knowledge. That's something in my opinion that can be one of the most valuable skills. I rely on mentors (Jim, Brian, Steve, J, etc.) to help guide me in following the footsteps of my role models.

Thank you to all my technical and non-technical role models and mentors. I have grown personally and professionally in my career in ways I could never accomplish individually. 


I am most thankful for an awesome #DFIR community. How many other communities out there have people and organizations so inclined to help others, contribute free tools, and advance capabilities? Also I can't even count how many new friends I have made thanks to this career path.

#Material things ;-)

  • RAM – Because the expensive tools don’t work without it.
  • SSD HDDS – So when the expensive tools crash my computer, I can reboot quickly!
  • New Log2timeline – Can you say super timeline analysis?
  • Volatility – When I thought I had enough to look at with hdds, now there’s even more with memory analysis.
  • Python – Because it’s better than Perl.
  • VMware Fusion – Allows me to literally swap with 4 fingers between 5 different Operating Systems.
  • Dual 24” monitors – It's the only type of real estate I can afford!!!!
  • DFIROnline and DFM – Webcasts and good reads
  • VSC toolset – Makes VSC analysis pretty easy!
  • Logicube Dossier – 5-7GB per minute 2 disk duplicator, need I say more?
  • TZworks stuff – Lots of great stuff. 
  • GitHub - Store all my code in the cloud.
  • SharePoint 2010 - Allows me to collaborate with teams on the same documents like Google docs.
  • - My favorite tech blog.
  • SANS 508 - I felt like this class really polished my skills. 
  • WFA Toolkit 3E - Great book and reference guide. Hope to have an iPad copy soon.
  • Sprint 4G LTE hotspot - Allows me to be connected anywhere just like I am in the office :)
  • ImDisk Virtual Disk Driver - great free image mounting tool
  • SQLite - Quick and dirty backend to little things here and there.
  • Dcode - Great decoder.
  • GREAT series of blog posts by Patrick Olsen

Hopefully some of you share these appreciations and others find them resourceful. Now go eat some turkey or stand in line for something you don’t need that’s on sale!

Saturday, September 29, 2012

Dashboards, File Viewer, Hashing, and Date Plotter in l2t_Review #OMG

In my recent blog post titled Timeline Analysis - More of what's coming.. I introduced a method using l2t_Review to bring timelines to life with source data.

Given a mounted disk image of the evidence item you are reviewing and Universal Viewer installed, l2t_Review will allow you to view source data. By simply right-clicking on any file in the Data Grid pane and selecting File Viewer, the file will be opened in Universal Viewer. This file viewer supports over 12 views including native, media player, text, hex and hundreds of file types. You can also specify in settings whether you want File Viewer to invoke multiple instances of Universal Viewer or reuse the same instance every time a file is opened.

Building on this existing capability..

Many times there is a reason to hash a file, such as when you need to check VirusTotal for a suspicious executable in your timeline. Now, by right-clicking on any file in the Data Grid View and selecting Hash File, a dialog window will appear with the hash value of the file selected. Pretty cool, eh? Down the road there will be the ability to send it directly to VirusTotal.

Now let's look at two new visually stunning aspects...

First is a feature built into the main UI, which displays all (not paged) data from the Data Grid View subsequent to filtering. The X axis represents the date and the Y axis represents the frequency of events that occurred on that date. This feature is particularly useful for identifying dates with high or low activity. The timeline can be manipulated by zooming in and out and can also be saved as an image.

Second is a feature I am really excited about and that took me a really long time to do. Now there is the ability to view timeline data in an interactive dashboard subsequent to filtering. This allows you to understand visually what data types are being displayed in your timeline. If there is something that is specifically interesting to you, such as data from user “John”, clicking on “John” in the pie chart will automatically redefine your results in the Data Grid View to only show data associated with the user “John”. All pie charts are interactive in the sense that you can click on data points and filter the data. This is just the beginning as it relates to dashboards; expect a lot more down the road.

I am sure some of you are sick of me saying it will be out soon.. honestly, anyone who has asked for a copy, I have sent them one. So just email me if you want a beta copy.. otherwise it will be out one of these days after I can find a conference to drop it at. I was hoping to present at the open source forensics conference but never heard back from them.

Friday, August 31, 2012

Timeline Analysis - More of what's coming..

So you're kicking back in your chair, with your feet up in the air, reviewing some timeline data in M$ Excel like a timeline bandit. You're filtering things, highlighting rows, making notes, and everything is just f$%ing fantastic.

Then out of nowhere.. your boss walks into the room!! He pulls a chair up next to you, kicks back, and sparks up some "conversational forensics". You enthusiastically tell them about all the amazing artifacts you have found in your timeline, and then use this great opportunity to ask them some really hard questions. The conversation takes a turn to hands on the keyboard as your boss looks over your shoulder...

Your boss asks, "Pull up those 64 files on the screen that are highlighted as red in your timeline." There is an awkward pause in the conversation as you realize you forgot your EnCase dongle at home. Next you feel your hands getting sweaty as you know you don't have SIFT installed either. Just before you start crying in fear of humiliation, you remember that imdisk, a free image mounting utility, is installed on your computer.

As you take a deep breath of air and regain your composure, you're able to quickly mount the DD image in read-only mode. You start digging through the file system for the 64 files... Minutes go by and you finally find the first file. At this point you realize this process of looking up file paths in your timeline and opening files is a manual and time-consuming effort.. but you continue on because there is no way of automatically tying items in your timeline to logical files in the mounted disk image (even if you did have SIFT, EnCase, or some other fancy tool).

30 mins go by and you're still looking for the last few files.. You notice your boss's eyes are starting to close. The next thing you know he's sleeping in his chair. He wakes up 15 mins later and says he had this dream that Dav Nads came up with this idea on how to mesh timelines, kittens, and data from hard disk images all together... and he was right .. well at least not about the kittens part :-)


I hope you enjoyed my made up story. I am on vacation this week and REALLY bored without any DFIR going on. Lol. Anyways...

As alluded to in Timeline Analysis: The Hybrid Approach, there are many approaches to creating timeline data. Some prefer a "targeted" approach which only presents specific artifacts on a timeline and others prefer a more "kitchen sink" approach where many artifacts are presented.

Regardless of your flavor, when it comes to reviewing timelines, I am sure you, like me, find yourself jumping between reviewing timelines (e.g. Excel, l2t_Review) and forensic applications. A few reasons I personally do this are to:
  • Gain a better understanding of the artifacts displayed in my timeline
  • Confirm the accuracy of my timeline data
  • Look at the contents of a file
What drives me bananas is the fact I am constantly searching for artifacts in my forensic tools that I have highlighted in my timeline. Sometimes there is so much "back and forth" going on that I lose concentration and sight of the "big picture". Also it does not make it easier if you don't have multiple monitors or a large screen.

So extending on Timeline Analysis - What's missing & What's coming I decided to brainstorm ideas to address this frustration:
  • Timelines contain file name and full path information of source artifact - this is good!
  • You can mount disk images easily with imdisk or ftkimager - okay now I have access to the data where the source artifacts are stored
  • The absolute path/ drive letter (e.g. C:\windows) in the timeline will not typically match that of your mounted disk image (e.g. E:\) - Easy enough to hack a fix with some Python
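
The drive-letter remapping from the last bullet, sketched in Python as an added example (not l2t_Review's own code), together with the kind of file hashing a VirusTotal lookup needs. The function names and the constructed sample file are assumptions; the remap also refuses any timeline path that would resolve outside the mounted image.

```python
import hashlib
import ntpath
import os
import tempfile


def remap_to_mount(timeline_path, mount_root):
    """Map a Windows path recorded in a timeline (C:\\Windows\\x.dll) onto
    the mount point of the evidence image (E:\\ or /mnt/image)."""
    # Timelines may use either slash style; drop the original drive letter.
    _drive, tail = ntpath.splitdrive(timeline_path.replace("/", "\\"))
    parts = [p for p in tail.split("\\") if p not in ("", ".")]
    if ".." in parts:
        raise ValueError("path leaves the evidence root: %r" % timeline_path)
    root = os.path.realpath(mount_root)
    candidate = os.path.realpath(os.path.join(root, *parts))
    # realpath resolves links stored in the image, so a link that points at
    # the examiner's own disk is rejected instead of silently followed.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path resolves outside the image: %r" % timeline_path)
    return candidate


def hash_file(path, algorithms=("sha1", "sha256"), chunk_size=1 << 20):
    """Hash a file in chunks so large evidence files are never fully loaded."""
    digests = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def demo():
    """Constructed stand-in for a mounted image: remap one entry, hash it."""
    with tempfile.TemporaryDirectory() as mount_root:
        folder = os.path.join(mount_root, "Windows", "Temp")
        os.makedirs(folder)
        with open(os.path.join(folder, "sample.exe"), "wb") as fh:
            fh.write(b"constructed sample bytes")
        local = remap_to_mount(r"C:\Windows\Temp\sample.exe", mount_root)
        relative = os.path.relpath(local, os.path.realpath(mount_root))
        return relative, hash_file(local)


if __name__ == "__main__":
    print(demo())
```
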

My next challenge was to determine a means to review files.. Initially it occurred to me I could open files with their default viewer, but as Corey Harrell (@corey_harrell) pointed out, that's not such a good idea because then you're exposed to client-side exploits tied to specific vulnerabilities in apps!

So I started searching for an open source Python-based review module and came up dry. However, I did come across a REALLY cool Windows-based application called Universal Viewer that supports a slew of file types and modes including native, text, binary, and hex!

So as you can imagine I incorporated all of these ideas into the Windows version (working on equivalent capability in other OS versions) of my l2t_R tool!!

Just three simple steps: 

1.) Mount disk image with tool of choice (e.g. imdisk, ftkimager, EnCase)

2.) Specify in l2t_Review what drive letter is assigned to the mounted disk image

Select mounted image path

3.) Invoke File Viewer by right-clicking on any line item in your timeline and selecting Open File Viewer

4.) The File Viewer is automatically opened with the file. You can change the default view mode (native, hex, text, etc.) using settings. You can also specify in settings whether you want multiple instances of the file viewer to be opened simultaneously or not. So every time you open a new file it will either open it in the same instance or a new instance.

File displayed in viewer in Hex mode. Can also view natively

I will be posting details on how to download and start using l2t_R very soon!!! In the meantime, if there is something you REALLY could use this on, feel free to contact me for a beta version.