2008-06-01

Introducing Ex-Tip


In this post, I'd like to introduce a tool I've been working on called Ex-Tip. Begun as a GCFA Gold practical and developed in Perl, the code is very premature at this point. I intend to develop it through a Sourceforge site I've registered for that purpose, although I haven't yet uploaded the code. I will communicate updates through this blog.

Full disclosure: I do not consider myself to be a developer. The version 0.1 implementation was designed as a proof-of-concept to demonstrate the utility of an easily-extensible, multiple input-output timeline generation tool. It was not designed with memory or computational efficiency in mind, and has many limitations that can be addressed via further development. Of course, I welcome any feedback, or solicitations for offers of help.

Here is the introduction section of the paper that this code was meant to accompany:

Tools exist to construct timelines based on modify, access, and create times of files on various filesystems to aid in forensic investigations. The Sleuth Kit's mactime in concert with fls or mac-robber is a common example. However, in most investigations, the timeline needs of the forensic analyst have become far more encompassing than simple file activity. Investigations often necessitate a step-by-step recreation of events, pulling time data associated with Windows registry entries, anti-virus logs, intrusion detection systems, and any other data available to supplement filesystem activity. At times, both in the lab and in the field, investigators find new time-stamped data that warrants inclusion in a timeline, such as custom application logs. As the digital forensics field matures, the list of critical data available grows longer, as does the number of timeline visualization tools available for data presentation. Adding to the complexity, the nature of these data sources is dynamic as software versions change.

All of this considered, one can see that a gap has emerged between the timeline data needed by analysts and flexible, portable tools available to easily consume this data - aggregation, normalization, and visualization, to be specific. This paper describes an extensible framework to achieve these ends, with plug-ins provided for common timeline data sources and output formats as proof-of-concept.
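To make the aggregate-normalize-output idea concrete, here is an added example (not Ex-Tip's own code) of a minimal plug-in style timeline builder in Python: one input plug-in for a TSK 3.x bodyfile, one for an anti-virus log, a normalizer that sorts everything on a common UTC epoch, and a mactime-like text output plug-in. The bodyfile column layout and the anti-virus log format are assumptions, and every sample line is constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample inputs (not real evidence). Bodyfile columns assumed as TSK 3.x:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime (epoch seconds, 0 = not recorded)
BODYFILE = """0|/evil.exe|1234|r/rrwxr-xr-x|0|0|4096|1212291600|1212291000|1212291000|1212291000
0|/Windows/System32/cmd.exe|99|r/rrwxr-xr-x|0|0|300000|1212291660|1120000000|1120000000|1120000000
this line is malformed and must not abort the run"""
# Hypothetical anti-virus log: "YYYY-MM-DD HH:MM:SS message", assumed to be written in UTC.
AVLOG = """2008-06-01 03:35:30 Threat detected: C:\\evil.exe action=quarantine
2008-06-01 03:36:10 Scan completed"""

def parse_bodyfile(text):
    """Input plug-in: one (epoch, source, MACB flag, description) event per recorded timestamp."""
    flags = {"atime": "a", "mtime": "m", "ctime": "c", "crtime": "b"}
    events = []
    for line in text.splitlines():
        f = line.split("|")
        if len(f) != 11:
            continue  # skip malformed lines instead of losing the whole timeline
        for name, ts in zip(flags, (int(x) for x in f[7:11])):
            if ts > 0:  # 0 means the filesystem did not record that time
                events.append((ts, "fs", flags[name], f[1]))
    return events

def parse_avlog(text):
    """Input plug-in: anti-virus log lines, normalized to UTC epoch like the bodyfile events."""
    pat = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")
    events = []
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            events.append((int(stamp.timestamp()), "av", "-", m.group(2)))
    return events

def build_timeline(*sources):
    """Aggregation/normalization: merge every plug-in's events and order them by time."""
    return sorted(e for src in sources for e in src)

def render_text(events):
    """Output plug-in: mactime-like text, one line per event, times shown in UTC."""
    return [f"{datetime.fromtimestamp(ts, timezone.utc):%Y-%m-%d %H:%M:%S} {src:<3}{flag} {desc}"
            for ts, src, flag, desc in events]

if __name__ == "__main__":
    print("\n".join(render_text(build_timeline(parse_bodyfile(BODYFILE), parse_avlog(AVLOG)))))
```

Because the sources are normalized to one time base before sorting, the quarantine entry lands between the executable's creation and its last access, which is the kind of cross-source ordering a filesystem-only timeline cannot show.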

