How to install and use Timesketch

Brother

In today's article, I'll show you how to install and use Timesketch, a collaborative timeline analysis tool. As input data we will use the Plaso file obtained in the previous article, "Collecting and analyzing system events using Plaso".

Timesketch is an open source project for collaborative analysis of event timelines. Under the hood it runs on a beefy eight-cylinder Elasticsearch (ES for short). Key features: scalability, fault tolerance and high search speed across millions of events.

Installing Timesketch

You can install either the release variant or the development version. The second option lets you make your own edits to the code and pull in fresh commits. Keep in mind that the second option will also let you run into fresh bugs.

In our example, we will install the release version on a virtual machine with Ubuntu and throw Kibana on top.

When dealing with Elasticsearch-based projects it is always worth adding Kibana. It helps you understand what is going on inside the database and catch emergencies.

It makes no sense to copy and paste the commands from the official instructions, so let's assume Timesketch has been installed. After installation, check with the command:

Code:
$ sudo docker ps -a

If installed correctly, we will see this:

[Screenshot: Installing Timesketch]

Now let's open the ES docker container port so that Kibana can reach it.

Code:
$ sudo nano /opt/timesketch/docker-compose.yml

Add a ports section to the elasticsearch service, specifying the forwarded port.

[Screenshot: Installing Timesketch]

This config is suitable only for a test ES instance that no one else can reach. ES has no built-in authorization mechanisms, so anyone who can reach the forwarded port can access the database. If you need a similar setup in production, use the X-Pack add-on.
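To make the point about the forwarded port concrete, here is an added example (not code from the original post or from the Timesketch project) that parses docker-compose "ports:" entries in Docker's short syntax and reports which ones expose the container beyond the local host. The port specs below are constructed: the first is the kind of open mapping described above, the second binds only to loopback, which still lets a Kibana running on the same VM reach ES at its default http://localhost:9200.

```python
# Added example: audit docker-compose "ports:" entries for an Elasticsearch container.
# Short syntax is [host_ip:][host_port:]container_port[/protocol]; when host_ip is
# omitted Docker publishes the port on all interfaces (0.0.0.0).
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PortBinding:
    host_ip: Optional[str]      # None means all interfaces
    host_port: Optional[str]    # None means Docker picks an ephemeral port
    container_port: str
    protocol: str


def parse_port_spec(spec: str) -> PortBinding:
    """Parse one short-syntax port mapping such as '127.0.0.1:9200:9200'."""
    spec = str(spec).strip().strip('"').strip("'")
    protocol = "tcp"
    if "/" in spec:
        spec, protocol = spec.rsplit("/", 1)
    host_ip: Optional[str] = None
    if spec.startswith("["):            # bracketed IPv6 host address, e.g. [::1]:9200:9200
        host_ip, spec = spec[1:].split("]:", 1)
        parts = spec.split(":")
        if len(parts) != 2:
            raise ValueError(f"unrecognised port spec: {spec!r}")
        return PortBinding(host_ip, parts[0], parts[1], protocol)
    parts = spec.split(":")
    if len(parts) == 1:
        return PortBinding(None, None, parts[0], protocol)
    if len(parts) == 2:
        return PortBinding(None, parts[0], parts[1], protocol)
    if len(parts) == 3:
        return PortBinding(parts[0], parts[1], parts[2], protocol)
    raise ValueError(f"unrecognised port spec: {spec!r}")


def is_exposed_to_network(binding: PortBinding) -> bool:
    """True when the host side listens on something other than a loopback address."""
    return binding.host_ip not in ("127.0.0.1", "::1")


def audit_ports(port_specs: List[str]) -> List[str]:
    """Return the port specs that make the container reachable from other hosts."""
    return [s for s in port_specs if is_exposed_to_network(parse_port_spec(s))]


# Constructed sample entries: the open mapping versus a loopback-only one.
WEAK_PORTS = ["9200:9200"]
HARDENED_PORTS = ["127.0.0.1:9200:9200"]

if __name__ == "__main__":
    print("exposed (weak):", audit_ports(WEAK_PORTS))
    print("exposed (hardened):", audit_ports(HARDENED_PORTS))
```

The check only looks at the compose file; a host firewall or a cloud security group may still block the port, and conversely an OSS build of ES without X-Pack has nothing on the application side to stop whoever reaches it.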

It remains to deploy Kibana. In the screenshot above you can see that the project uses elasticsearch-oss:7.10.2, so Kibana must match that version. Download and install kibana-oss:

Code:
$ wget https://artifacts.elastic.co/downloads/kibana/kibana-oss-7.10.2-linux-x86_64.tar.gz
$ tar -xzf kibana-oss-7.10.2-linux-x86_64.tar.gz
$ cd kibana-7.10.2-linux-x86_64

Let's fix the config to reach the Kibana interface:

Code:
$ nano config/kibana.yml

To do this, uncomment the server.host parameter and specify the IP address of the virtual machine. Launch Kibana and check that everything has started successfully.

Code:
$ ./bin/kibana

Now let's create a user, after which you can log in to the system.

Code:
$ sudo docker-compose exec timesketch-web tsctl add_user --username user1

Using Timesketch

First, create a new sketch (the New investigation button) and fill it with the data generated last time (the Upload timeline button). In our example, two sketches were created. After a short wait, let's look at Kibana and, in the Dev Tools section, execute the command:

Code:
GET /_cat/indices?v

[Screenshot: Using Timesketch]

As you can see, a separate ES index is created for each sketch, and the events from each loaded Plaso file go into it; that is, the same Plaso file is processed again each time it is loaded into a different sketch.

Let's see how the data is mapped in order to understand how to work with it effectively later.

Code:
GET /9024dbca65494d1da2dc4758b169f1d9/_mapping

All text data is mapped as follows:

Code:
{
    "type": "text",
    "fields" : {
        "keyword": {
            "type" : "keyword",
            "ignore_above" : 256
        }
    }
}

If you are even a little familiar with ES, you will recognise this as dynamic mapping. The developers did not bother with a hand-crafted schema, and for good reason: Timesketch can load absolutely any sequence of events from various sources, and it is not easy to provide a universal mapping with a clear name for every field.

But such a scheme allows both full-text search and aggregating and sorting on every field in the index, which undoubtedly offers many advantages if you know how to use it (and do not mind free gigabytes disappearing from your hard disk).
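The practical consequence of the text-plus-keyword mapping is that aggregations and sorts must target the .keyword sub-field, because a plain text field has no doc values. The following added example (mine, not from the post or from Timesketch) walks a mapping in that shape, lists the field path to use for each field, and builds a terms aggregation request body of the kind the Aggregate tab issues. The mapping excerpt is constructed and the index name is a placeholder.

```python
# Added example: find aggregatable field paths in a Timesketch-style dynamic mapping
# and build a terms aggregation over a time window.
from typing import Dict

# Constructed excerpt of a GET /<index>/_mapping response (placeholder index name).
SAMPLE_MAPPING = {
    "sketch_index_placeholder": {
        "mappings": {
            "properties": {
                "datetime": {"type": "date"},
                "timestamp": {"type": "long"},
                "message": {"type": "text",
                            "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}},
                "parser": {"type": "text",
                           "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}},
                "data_type": {"type": "text",
                              "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}},
            }
        }
    }
}

# Field types that carry doc values and can be aggregated on directly.
DIRECTLY_AGGREGATABLE = {"keyword", "date", "long", "integer", "double", "boolean", "ip"}


def aggregatable_fields(mapping: Dict) -> Dict[str, str]:
    """Map each field name to the path to aggregate or sort on.

    A 'text' field is only usable through its 'keyword' sub-field; note that values
    longer than ignore_above (256 here) are not indexed in that sub-field, so very
    long messages silently drop out of aggregations on message.keyword.
    """
    result: Dict[str, str] = {}
    for index_body in mapping.values():
        for name, props in index_body["mappings"]["properties"].items():
            ftype = props.get("type")
            if ftype == "text":
                sub = props.get("fields", {})
                if sub.get("keyword", {}).get("type") == "keyword":
                    result[name] = f"{name}.keyword"
            elif ftype in DIRECTLY_AGGREGATABLE:
                result[name] = name
    return result


def terms_aggregation(field: str, start: str, end: str, size: int = 10) -> Dict:
    """Request body counting events per value of `field` between two ISO timestamps."""
    return {
        "size": 0,  # we only want the buckets, not the matching documents
        "query": {"range": {"datetime": {"gte": start, "lte": end}}},
        "aggs": {"by_field": {"terms": {"field": field, "size": size}}},
    }


if __name__ == "__main__":
    paths = aggregatable_fields(SAMPLE_MAPPING)
    print(paths)
    print(terms_aggregation(paths["parser"], "2020-01-01T00:00:00", "2020-01-01T01:00:00"))
```

Posting the returned body to /<index>/_search in the Kibana Dev Tools console gives the same per-parser counts that the Aggregate tab shows for a time range.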

Let's move on to examining the patient. Let's see what tools we have for this.

Explore

This tab is the main tool for finding events in the timeline, including using filters and graphs. You also have the ability to add comments to events of interest, create notes and save views for later use in Stories.

Since each sketch is a separate index in ES, you don't have to worry about damaging other people's comments or notes in another sketch while you work. This is extremely important in multi-user forensic systems. That is why the project accepts what looks like a less-than-optimal storage scheme, with repeated loading and duplication of stored data.

Let's not dig into individual events for now, but try to evaluate our sketch visually. To do this, move the chart toggle under the query line to the "on" position and look at the resulting histogram of events.

The tallest bar means that a great many events occurred on the system at that time, which often indicates something of forensic interest. Click on it: the time filter is applied automatically and you can look in more detail at the processes occurring at that moment.

Curious! In just two clicks we found the events from the previous article. Let me remind you: they indicate that our adversary, using an automated tool, walked the contents of the disk in search of interesting things.

Now let's save this request by clicking the Save this search button and try to understand if the attacker found what he was looking for.

I think you are aware that users like to store (or forget to delete) all their important information on the desktop, in the download folder and in other similar places. In most cases, for lack of time, cybercriminals collect personal information about the user in the same manner, going from the simplest and most common locations to the complex and rare.

Now let's extend the existing time filter by another 5 minutes (the hacker needs time to figure out which file to take from the computer), and in the search box write the query:

Code:
*Documents* OR *Desktop* OR *Downloads*

At the output we have 1266 events. Let's see what detailed information about the selected events is available to us.

One of the key fields of each event is parser, which tells you where Plaso got the event from. It is convenient to filter the type of events in the output by clicking the button in the first or second column next to a field value (the first adds it to the query with a logical AND, the second with a NOT).

Let's apply this. Since we roughly know the algorithm for finding files of interest on a file system (specifically: walk all directories and subdirectories, list the files in them, then open the files of interest), we can try to work out whether any files were stolen. Select any event with parser:filestat and file_entry_type:directory, and add these two fields to the filter using AND and NOT respectively.

This will be equivalent to this query:

Code:
(*Documents* OR *Desktop* OR *Downloads*) AND parser:filestat AND NOT file_entry_type:directory

Voila! Before us are 17 events, including access to a file with user passwords, my_passwords.rtf. You can send the user off to change all passwords for all services.

The events we have collected have nothing to do with the logs, which were carefully cleaned up by the clearev command from Meterpreter.

Last time the user himself gave us a tip about the incident. This time, without the "call a friend" lifeline, we will try to understand what carelessness led to the intruder getting at the user's passwords. For this, Plaso has an amazingly useful prefetch parser and a corresponding data type:

Code:
data_type:windows:prefetch:execution

Prefetcher is one of the Windows components designed to speed up the launch of executable files on the system. To do this it creates special data structures, stored on disk in the Windows\Prefetch directory. Alongside log file analysis, Prefetch is a goldmine of information for the computer forensic examiner.

We will use this data type as a filter, and for a first inspection we will exclude from the output all executables launched from the Windows or Program Files directories. The query in this case will look like this:

Code:
data_type:windows:prefetch:execution AND NOT path_hints:"WINDOWS" AND NOT path_hints:"Program"

[Screenshot: Timesketch, Explore tab]

With one simple query, among the very first 25 events, we saw that a file with a tempting name was launched from the Downloads folder.

Aggregate

Now let's see how it happened that, despite the attempts to clean up the traces of their actions, the facts still came out. To do this, go to the Aggregate tab.

This tab allows you to group events of interest to you, display statistics on applied filters, build tables and graphs, and also find anomalies in groups of events.

Let's try to evaluate which events occurred at the moment the search for the file of interest was running on the file system. To do this, select parser as the grouping field and set the previously defined time frame.

Press the button and get the result.

Indeed, as we assumed, the bulk are events extracted by the filestat parser, that is, file system events, which clearev cannot clean. The winreg/amcache parser was left out of the picture in this case because the images were taken at different times; accordingly, the events that land in amcache.hve were simply overwritten by more recent ones. So the problem here is more about the purity of the experiment than about any miraculous capabilities of Meterpreter.

It is worth noting that the charts plotted on this tab are clickable. When you click on an item of interest, the Overview tab opens with the necessary filters already applied.

Also, the charts you have built that deserve further attention can be saved for use in Stories by clicking the corresponding button.

Analyze

Pay special attention to the Analyze tab. To be honest, most cases actually start with it. Timesketch comes with a large set of built-in analyzers that automatically tag various groups of events which seasoned DFIR practitioners have long recognised as clearly indicating something unusual and possibly worth attention. All analyzers live in the timesketch/lib/analyzers directory and are written in Python. Immediately after installation, analyzers are available for:
  • work with search queries made in the browser (and it will be immediately visible where, what and when the user was looking for);
  • detecting activity that does not fall into the user's usual working hours at the computer (which is also determined statistically);
  • linking a sequence of events (for example, downloaded and running executables, copied and zipped files for exfiltration, and the like can be linked);
  • search for traces of attempts to clean up the logs;
  • analysis of RDP connections;
  • detecting attempts to brute force passwords.
You can find the analyzers' results on the Overview tab. To do this, click the three vertical dots on the timeline you are interested in and select Analyzer from the drop-down list.

If necessary, you can write a new analyzer yourself. To test it, there is a script analyzer_run.py in the test_tools directory; it takes as input a CSV file with events and your hello_world_analyzer.py.

Let's see how the built-in Chain linked events analyzer will help in our case. To do this, let's select our timeline, take the appropriate analyzer and start the process.

[Screenshot: Timesketch, Analyze tab]

To view all related events in the search bar, type the query:

Code:
chains:*

Scroll down the results a little and we stumble upon an executable file downloaded and launched by a careless user.

[Screenshot: Timesketch, Analyze tab]

Each chain of events has its own identifier, stored in the ES field chains; accordingly, you can search for the chains you need by these identifiers.
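To show what the chain-linking idea amounts to, here is an added example, mine and not the Timesketch analyzer's own code, that links a browser download event to a later Prefetch execution of the same file name and gives both events a shared chain identifier, a simplified form of the chains field above. The events are constructed; the windows:prefetch:execution data type is the one used in this article, while the download event's data type and field names, the full_path and executable fields and the 24-hour window are assumptions for the example.

```python
# Added example: offline "download then execute" chain linking over constructed events.
import uuid
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import Dict, List

DOWNLOAD_TYPE = "chrome:history:file_downloaded"   # assumed data_type for the example
EXECUTION_TYPE = "windows:prefetch:execution"       # data_type used in the article
MAX_GAP = timedelta(hours=24)                       # assumed window between download and run

# Constructed sample events (field names are assumptions for this example).
EVENTS: List[Dict] = [
    {"datetime": "2020-05-01T10:00:00", "data_type": DOWNLOAD_TYPE,
     "full_path": r"C:\Users\victim\Downloads\invoice.exe"},
    {"datetime": "2020-05-01T10:00:40", "data_type": EXECUTION_TYPE,
     "executable": "INVOICE.EXE", "path_hints": [r"\USERS\VICTIM\DOWNLOADS\INVOICE.EXE"]},
    {"datetime": "2020-05-01T09:00:00", "data_type": EXECUTION_TYPE,
     "executable": "NOTEPAD.EXE", "path_hints": [r"\WINDOWS\SYSTEM32\NOTEPAD.EXE"]},
    {"datetime": "2020-05-01T10:30:00", "data_type": DOWNLOAD_TYPE,
     "full_path": r"C:\Users\victim\Downloads\report.pdf"},
]


def event_time(event: Dict) -> datetime:
    return datetime.fromisoformat(event["datetime"])


def link_download_execution(events: List[Dict], max_gap: timedelta = MAX_GAP) -> List[Dict]:
    """Tag each download/execution pair with a shared chain id.

    A pair is linked when the executable name in the Prefetch event matches the
    basename of the downloaded file and the execution happens after the download,
    within max_gap. The events are mutated in place and returned for convenience.
    """
    downloads = [e for e in events if e["data_type"] == DOWNLOAD_TYPE]
    executions = [e for e in events if e["data_type"] == EXECUTION_TYPE]
    for dl in downloads:
        name = PureWindowsPath(dl["full_path"]).name.upper()
        for ex in executions:
            if ex["executable"].upper() != name:
                continue
            gap = event_time(ex) - event_time(dl)
            if timedelta(0) <= gap <= max_gap:
                # One chain id per download; reused if several executions follow it.
                chain_id = dl.setdefault("chains", [str(uuid.uuid4())])[0]
                ex.setdefault("chains", []).append(chain_id)
    return events


def chained_events(events: List[Dict]) -> List[Dict]:
    """The events a 'chains:*' search would return."""
    return [e for e in events if e.get("chains")]


if __name__ == "__main__":
    for e in chained_events(link_download_execution(EVENTS)):
        print(e["datetime"], e["data_type"], e["chains"])
```

The matching here is deliberately loose (name only); the real analyzers have more context to work with, and a rename between download and execution would break this link, which is exactly the kind of gap the Explore queries earlier in the article are there to fill.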

Stories

The Stories tab lets you and your colleagues describe what you have observed. The information gathered there complements the rest: if necessary, you can insert saved queries and the charts you have built, all using Markdown markup. Some analyzers automatically generate stories from their results.

In fact, Stories are ready-made fragments of a future report based on the results of timeline analysis.

Conclusions

We have met a very cool tool that turns the boring analysis of CSV files into a detective investigation. In the next article, we will look at the new Sigma technology, support for which only recently appeared in Timesketch, learn how to write rules for it and try, as in the joke, "to make all this crap fly up."