Transcription

[Splunk Forensics]04/26/2016175 Lakeside Ave, Room 300APhone: (802)865-5744Fax: (802)865-6446http://www.lcdi.champlain.edu

Disclaimer:This document contains information based on research that has been gathered by employee(s) of The SenatorPatrick Leahy Center for Digital Investigation (LCDI). The data contained in this project is submittedvoluntarily and is unaudited. Every effort has been made by LCDI to assure the accuracy and reliability of thedata contained in this report. However, LCDI nor any of our employees make no representation, warranty orguarantee in connection with this report and hereby expressly disclaims any liability or responsibility for lossor damage resulting from use of this data. Information in this report can be downloaded and redistributed byany person or persons. Any redistribution must maintain the LCDI logo and any references from this reportmust be properly annotated.ContentsIntroduction . 2Background: . 2Purpose and Scope: . 2Research Questions: . 2Terminology:. 2Methodology and Methods . 4Overview: . 4Equipment Used: . 4Data Generation: . 4Data Collection: . 5Analysis. 5Results . 6Windows: . 6Mac OS X: . 7Conclusion . 8Further Work. 9Appendix . 10Appendix 1 Windows Data Gen: . 10Appendix 2 Mac Data Gen: . 14Appendix 3 Windows Results: . 17Appendix 4 Mac Results: . 23References . 26Splunk ForensicsPage 1 of 27

IntroductionSplunk is a cybersecurity tool widely used by network administrators, typically for real time data monitoring. For thepurpose of our project, we wanted to determine if Splunk is a valid tool for temporal analysis in the realm of digitalforensics. A forensic timeline is simply a timeline of events on a suspect machine. It has numerous uses for a digitalforensic investigator ranging from temporal analysis to narrowing in on a specific time range for further investigation.Forensic timelines give the investigator a quick idea of when and what events happened on a particular system allowingthem to narrow the scope of their investigation.Many forensic tools offer timeline features both internally and with separate utilities. Some examples of software that cangenerate timelines include EnCase and Autopsy; however, these tools are not solely dedicated to the task, and usually fallshort in results, speed, and usability. The main benefit to using these tools is that they are built into the forensic softwareand allow for further analysis of file data and content.Background:Splunk is primarily used to analyze large amounts of network data and provide timely reports useful to networkadministrators. A blog post from Klein & Co. discussed creating and analyzing a forensic timeline through the use ofSplunk (Klein, 2011). We used this blog post as a starting point for our research. The blog outlines the step by stepprocess of how to create a forensic timeline using command line tools and then explains how to upload and analyze thetimeline using Splunk. This semester is the first time the LCDI has examined the option of using Splunk for digitalforensics.Purpose and Scope:The purpose of this report is to serve as a resource for using Splunk as a forensic tool and to represent the effectiveness ofSplunk in that capacity. The results of our research will be useful for investigators who are considering using Splunk tocreate a forensic timeline. Splunk is a commonly used program in the industry and may be able to assist investigators infuture forensic investigations.Research Questions:Through our research into this project we developed a list of questions that we aimed to answer and make a determinationon, including:1. Is Splunk a valid forensic timelineing tool?2. Is Splunk an effective forensic timelineing tool?3. What can Splunk accurately tell us about the data?Terminology:Acquisition – The process of copying data from a piece of evidence to another location in a forensically sound manner sothat the data may be analyzed at a later time. This is usually done by attaching some form of write blocking device to thestorage media, and creating a copy of the data. The goal is to leave the original media intact while working on a copy of it.This allows for evidence to be verified at a later date. There are two different types of data acquisition methods: Physicaland Logical.Artifacts – Any data generated by user interaction that can be collected and examined. Any user data retrieved from thebrowser is considered an artifact, including cookies, caches, geolocation, search history, etc.Body Files – This file format is the default file format of commands fls and log2timeline. The general format of thesefiles are data sets separated by a pipe “ .” The .body files are fed to the mactime command in order to create the .csv filesthat are needed for forensic timeline creation.Splunk ForensicsPage 2 of 27

.CSV Files – CSV or comma separated value files are files where each piece of information, or value, is separated by acomma. CSV files can generally be read by spreadsheet programs, such as Microsoft Excel, where each new line is a row,and each column separator is a column.File System – A file system is used to control how data is stored on a disk as well as retried off of a disk. Without a filesystem, the operating system would have no way of communicating directly with the disk. File systems store and organizethe data on a disk in different ways. Different operating systems will use different file systems.FTK Imager – A free extension of FTK 4.1. This is a powerful imaging program that can be used to create forensicimages of a drive, which can then be opened in most forensic software for examination. There are other functions thatallow this program to take images of specific files in a storage device as well as floppy disks, CDs, DVDs, and zip disks.FLS (Command) – FLS is a command utility built into The Sleuth Kit and allows the user to extract timeline data fromthe filesystem. The -m argument will export the data into a body file which can then be converted using the mactimecommand.HFS – HFS , also known as Hierarchical File System Plus, is the default file system for Mac OSX. HFS is alsoutilized on Apple’s portable devices and records metadata similarly to NTFS.Image – A copy of a hard drive, or disk image, which is compressed into a series of files. Physical images include allinformation (zeroes and ones) on the hard drive whether the space is being used or not, and ends up being close to thesame size as the actual hard drive itself. As opposed to a physical image, a logical image only acquires the parts of thehard drive that have active data and dismisses the rest of the drive. Compared to a physical image, the size can beextremely small or the same size as the drive depending on the amount of data stored.Log2timeline (Command) – Log2timeline is a command utility that allows the examiner to create a timeline usingartifacts and logs found on a system. Using the -o argument will export the data in the mactime format which can then beconverted into a csv file.MACB Times – MACB times refer to the timestamps on a file as they are given by the file system. MACB timescorrespond to Modified, Accessed, Created, and Birth respectively. Different File systems provide different timestampsand will change these timestamps in different ways.Mactime (Command) – This command converts file in the .body file format to the useful .csv file format. This commandcomes stock with The Sleuth Kit.NTFS – NTFS, also known as New Technology File System, is the default file system for Windows. NTFS supportsmetadata such as timestamps, improved performance, reliability, and more file extensions over older file systems. NTFSis one of the most common file systems seen today.Operating System (OS) – A suite of programs that controls signals to and from input devices (such as a mouse,keyboard, microphone), peripherals (hard disks, CD/DVD drives, printers, etc.), output devices (monitors, speakers, etc.),and performs the basic functions needed for a computer to operate. This entails input and output, memory allocation, filemanagement, task scheduling, etc. Having an OS is essential to operate a computer, as applications utilize the OS tofunction.Sift Workstation – SIFT, also known as SANS Investigative Forensic Toolkit, is a forensics VMware appliance runningoff of Ubuntu Linux and comes preconfigured with all the required tools for a forensic examination. The workstationcomes with the preinstalled tools Sleuth Kit and other commands such as log2timeline.Splunk ForensicsPage 3 of 27

The Sleuth Kit – The Sleuth Kit is a set of forensic command line utilities. This utility has many useful commands builtin such as the fls command and mactime. TSK is the command line version of Autopsy, the GUI supported version. TheSleuth Kit is compatible with many files systems ranging from NTFS to HFS to EXT4.Splunk – Splunk is a data analytics tool that can quickly analyze vast amounts of data and represent those results in adistinguishable format such as a chart. Splunk is widely used throughout the cybersecurity and networking industry andhas uses in the forensics field as well. Splunk accepts many types of data ranging from stagnant csv files to live networkreports.Virtual Machine (VM) – A virtual machine is a software-based computer that executes and runs programs like a physicalmachine. A virtual machine supports the execution of a complete operating system. VMs usually emulate an existingarchitecture and are built with the purpose of either providing a platform to run programs where the real hardware is notavailable for use, or of having multiple instances of virtual machines.VMDK – The file extension denoting a VMs virtual hard drive.Methodology and MethodsOverview:For this project we chose to examine two different file systems: NTFS and HFS . These two filesystems are the two mostcommonly used filesystem as they correspond to the two most commonly used operating systems. NTFS is the default filesystem for Windows and HFS is the default file system for Mac OS X.Equipment Used:Table 1: SoftwareSoftwareVersionVMware Fusion and VSphereMicrosoft Windows 7Mac OS XForensic Tool Kit ImagerSANS Sift Workstation7El Capitan3.4.2.2Splunk Enterprise6.4.0CommentsForensic workstation VM built bySANS. Comes prepacked with toolssuch as The Sleuth Kit.Used Splunk free trial twiceData Generation:In order to start researching this project we had to conduct dat