USING A SPREADSHEET PROGRAM TO BUILD A TIMELINE
Should you decide to perform a full dead analysis, a complete timeline can be built using techniques described later in this book. At this stage of the investigation, having a file list that can be sorted by modification, creation, and access times based on the output from the script in the previous section can be helpful. While not as nice as a proper timeline that interleaves these timestamps, it can be created in a matter of minutes.
The first step is to open the log.txt file for the case in your favorite text editor on the forensics workstation. If you would like headers on your columns (recommended), then also cut and paste the comment from the send-fileinfo.sh script, minus the leading #, as indicated. Save the file with a .csv extension and then open it in LibreOffice Calc (or your favorite spreadsheet program). You will be greeted with a screen such as that shown in Figure 3.3. Click on each column and set its type as shown in the figure. Failure to do this will cause dates and times to be sorted alphabetically as text, which is not what you want.
FIGURE 3.3
Importing a CSV file with file metadata into LibreOffice Calc. Note that each column type should be set to allow for proper sorting.
Once the file has been imported, it is easily sorted by selecting all of the pertinent rows and then choosing Sort from the Data menu. The columns are most easily selected by clicking and dragging across the column letters (which should be A-M) at the top of the spreadsheet. The appropriate sort settings for sorting by descending access time are shown in Figure 3.4.
FIGURE 3.4
Sorting file metadata by access time.
A similar technique can be used to sort by modification or creation time. It might be desirable to copy and paste this spreadsheet onto multiple tabs (technically worksheets) and save the resulting workbook as a regular Calc file. The easiest way to copy information to a new sheet is to click in the blank square in the upper left corner (above the 1 and to the left of the A), press Control-C, go to the new sheet, click in the same upper left-hand square, and then press Control-V.
The creation time tab of such a spreadsheet for our subject system is shown in Figure 3.5. The highlighted rows show that the suspicious /bin/false file was created around the time of our compromise and that the Xing Yi Quan rootkit has been installed. Note that some of the rootkit files have access timestamps around the time of the compromise, yet they were created and modified later, at least according to the possibly altered metadata.
FIGURE 3.5
File metadata for the /bin directory sorted by creation timestamps. The highlighted rows show that /bin/false was altered about the time of our compromise and that the Xing Yi Quan rootkit appears to be installed.
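The same sorting and "what was touched around the compromise" review can be scripted once the log has been saved as CSV. The following is an added example, not the book's send-fileinfo.sh or any of its scripts: it parses the timestamp columns as real dates (the spreadsheet column-type step above), produces one sorted view per timestamp, shows that a text sort of the same column gives a different order, and lists files with any timestamp near a chosen compromise time. The column names, the day-first timestamp format and the sample rows are all constructed for this example and must be adjusted to match the header comment of your copy of send-fileinfo.sh.

```python
"""Added example: sortable timestamp views from a file-metadata CSV.
Column names and the "%d/%m/%Y %H:%M:%S" format are ASSUMED, not taken
from send-fileinfo.sh; the sample rows below are constructed."""
import csv
import io
from datetime import datetime, timedelta

TS_FORMAT = "%d/%m/%Y %H:%M:%S"      # assumed day-first format
TS_COLUMNS = ("atime", "mtime", "ctime")

# Constructed sample log (paths, sizes and times are invented).
SAMPLE_CSV = """path,size,atime,mtime,ctime
/bin/ls,110080,02/03/2015 09:10:00,14/01/2014 11:00:00,14/01/2014 11:00:00
/bin/false,26000,05/03/2015 14:02:11,05/03/2015 14:02:11,05/03/2015 14:02:11
/bin/xingyi_example,31000,05/03/2015 14:03:40,12/04/2015 08:00:00,12/04/2015 08:00:00
/bin/cat,47000,20/02/2015 18:30:05,14/01/2014 11:00:00,14/01/2014 11:00:00
"""

def load_rows(text):
    """Parse the CSV and convert timestamp columns to datetime objects
    (the equivalent of setting the column type in the import dialog)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        for col in TS_COLUMNS:
            row[col] = datetime.strptime(row[col], TS_FORMAT)
        row["size"] = int(row["size"])
    return rows

def sorted_by(rows, column, descending=True):
    """Paths ordered by one timestamp column: one call per worksheet tab."""
    ordered = sorted(rows, key=lambda r: r[column], reverse=descending)
    return [r["path"] for r in ordered]

def text_sort_differs(text, column):
    """True when sorting the raw strings (column left as text) yields a
    different order than sorting the parsed dates."""
    raw = list(csv.DictReader(io.StringIO(text)))
    by_text = [r["path"] for r in sorted(raw, key=lambda r: r[column], reverse=True)]
    return by_text != sorted_by(load_rows(text), column)

def near_compromise(rows, when, hours=1):
    """Paths with any timestamp within +/- hours of the compromise time,
    the rows one would highlight in the spreadsheet."""
    centre = datetime.strptime(when, TS_FORMAT)
    window = timedelta(hours=hours)
    return [r["path"] for r in rows
            if any(abs(r[c] - centre) <= window for c in TS_COLUMNS)]
```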