Saturday, September 29, 2012

Dashboards, File Viewer, Hashing, and Date Plotter in l2t_Review #OMG

In my recent blog post titled Timeline Analysis - More of what's coming.. I introduced a method using l2t_Review to bring timelines to life with source data.

Given a mounted disk image of the evidence item you are reviewing and Universal Viewer installed, l2t_Review will allow you to view source data. By simply right-clicking on any file in the Data Grid pane and selecting File Viewer, the file will be opened in Universal Viewer. This file viewer supports over 12 views, including native, media player, text and hex, and hundreds of file types. You can also specify in settings whether File Viewer should open each file in a new instance of Universal Viewer or reuse the same instance every time a file is opened.

Building on this existing capability..

Many times there is a reason to hash a file, such as when you need to check VirusTotal for a suspicious executable in your timeline. Now, by right-clicking on any file in the Data Grid View and selecting Hash File, a dialog window will appear with the hash value of the selected file. Pretty cool, eh? Down the road will be the ability to send it directly to VirusTotal.
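For anyone who wants to reproduce what the Hash File dialog shows, or verify it, here is a small added example in Python (my own illustration, not l2t_Review's code). It hashes a file in fixed-size chunks so that large evidence files never have to be read into memory at once, and computes MD5, SHA-1 and SHA-256 from a single pass, since a VirusTotal lookup only needs the digest, not the file itself. The `hash_sample_file` helper and the "abc" input are constructed purely so the example runs offline without a mounted image.

```python
import hashlib
import os
import tempfile

# Algorithms a reviewer typically wants in hand before a VirusTotal hash lookup.
DEFAULT_ALGORITHMS = ("md5", "sha1", "sha256")


def hash_file(path, algorithms=DEFAULT_ALGORITHMS, chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for one file.

    The file is read in fixed-size chunks so that large evidence files
    (or carved binaries) never have to be loaded into memory at once.
    Every algorithm is fed from the same read, so the file is read once.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_sample_file(data, **kwargs):
    """Write constructed sample bytes to a temp file, hash it, then clean up.

    Exists only so the example runs offline without a mounted image;
    the dialog in the post would hash the real file selected in the grid.
    """
    fd, path = tempfile.mkstemp(prefix="l2t_hash_demo_")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return hash_file(path, **kwargs)
    finally:
        os.remove(path)


if __name__ == "__main__":
    # Constructed input: the three-byte file "abc" has well-known digests,
    # so the values printed here can be checked against any reference table.
    for name, digest in hash_sample_file(b"abc").items():
        print(f"{name}: {digest}")
```

Point `hash_file` at any path under the mounted image to get the same three digests the dialog would display; the chunk size only affects memory use, never the result.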

Now let's look at two new visual aspects...

First is a feature built into the main UI, which plots all (not paged) data from the Data Grid View after filtering. The X axis represents the date and the Y axis the number of events that occurred on that date. This feature is particularly useful for identifying dates with high or low activity. The plot can be zoomed in and out and also saved as an image.

Second is a feature I am really excited about, and one that took me a really long time to do. There is now the ability to view timeline data in an interactive dashboard after filtering. This lets you see visually what data types are being displayed in your timeline. If something is specifically interesting to you, such as data from user “John”, clicking on “John” in the pie chart will automatically narrow the results in the Data Grid View to only the data associated with the user “John”. All pie charts are interactive in the sense that you can click on data points and filter the data. This is just the beginning as it relates to the dashboard; expect a lot more down the road.
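To make the date plotter and the dashboard drill-down concrete, here is an added Python example (my own illustration, not l2t_Review's code) that does both over a handful of constructed timeline rows. It assumes the input is the l2t_csv format that log2timeline writes (the `date,time,timezone,MACB,...` header), which is what I take the Data Grid to be loading; the rows themselves are made up for the example and are not from any case. `events_per_date` produces the per-date counts behind the plot, `pie_chart` produces the slice sizes for any column, and `drill_down` is the "click on John" step that narrows the rows before the charts are redrawn.

```python
import csv
from collections import Counter
from io import StringIO

# Column header of the l2t_csv format written by log2timeline (assumed here
# to be what l2t_Review loads into its Data Grid; not taken from the post).
L2T_CSV_HEADER = ("date,time,timezone,MACB,source,sourcetype,type,user,host,"
                  "short,desc,version,filename,inode,notes,format,extra")

# Constructed sample rows, not real case data: two users, three dates, with
# a burst of activity on 09/25/2012 so the per-date plot has a visible spike.
SAMPLE_L2T_CSV = L2T_CSV_HEADER + "\n" + "\n".join([
    "09/24/2012,08:00:00,UTC,M...,FILE,NTFS,Content Modification Time,john,WS01,Modified,-,2,C:/Users/john/a.doc,1001,-,mactime,-",
    "09/25/2012,09:15:00,UTC,...B,WEBHIST,Chrome History,Page Visited,john,WS01,Visited,-,2,C:/Users/john/History,1002,-,chrome,-",
    "09/25/2012,09:16:30,UTC,...B,FILE,NTFS,Creation Time,john,WS01,Created,-,2,C:/Users/john/Downloads/setup.exe,1003,-,mactime,-",
    "09/25/2012,09:17:00,UTC,MAC.,PE,EXE,Execution,john,WS01,Executed,-,2,C:/Users/john/Downloads/setup.exe,1003,-,prefetch,-",
    "09/25/2012,14:02:00,UTC,M...,FILE,NTFS,Content Modification Time,alice,WS01,Modified,-,2,C:/Users/alice/b.xls,1004,-,mactime,-",
    "09/27/2012,11:45:00,UTC,..C.,EVT,Security,Logon,alice,WS01,Logon,-,2,C:/Windows/System32/winevt/Security.evtx,1005,-,evtx,-",
])


def parse_l2t_csv(text):
    """Parse l2t_csv text into a list of dicts keyed by column name."""
    return list(csv.DictReader(StringIO(text)))


def events_per_date(rows):
    """Date plotter data: {date: number of events}, in chronological order.

    l2t_csv dates are MM/DD/YYYY, so sort on a (year, month, day) key
    rather than on the string itself.
    """
    counts = Counter(row["date"] for row in rows)

    def ymd(d):
        month, day, year = d.split("/")
        return (int(year), int(month), int(day))

    return dict(sorted(counts.items(), key=lambda kv: ymd(kv[0])))


def pie_chart(rows, field):
    """Dashboard slice sizes for one column, e.g. 'user' or 'sourcetype'."""
    return dict(Counter(row[field] for row in rows))


def drill_down(rows, field, value):
    """Clicking a slice: keep only the rows whose column equals that value."""
    return [row for row in rows if row[field] == value]


if __name__ == "__main__":
    rows = parse_l2t_csv(SAMPLE_L2T_CSV)
    print("events per date:", events_per_date(rows))
    print("user pie chart:", pie_chart(rows, "user"))
    johns = drill_down(rows, "user", "john")
    print("after clicking 'john':", len(johns), "rows;",
          "sourcetype pie chart:", pie_chart(johns, "sourcetype"))
```

Because every chart is just `pie_chart` over the current row set, each click is a `drill_down` followed by recomputing the charts, which is exactly why the filters compose: clicking a user and then a source type leaves only rows matching both.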

I am sure some of you are sick of me saying it will be out soon.. honestly, anyone who has asked for a copy, I have sent them one. So just email me if you want a beta copy.. otherwise it will be out one of these days after I can find a conference to drop it at. I was hoping to present at the open source forensics conference but never heard back from them.