andreafortuna / autotimeliner Goto Github PK

View Code? Open in Web Editor NEW

121.0 16.0 23.0 13 KB

Automagically extract forensic timeline from volatile memory dump

License: MIT License

Python 100.00%

volatility dfir python forensics

autotimeliner's Introduction

AutoTimeliner

Automagically extract forensic timeline from volatile memory dumps.

Requirements

Python 3
Volatility
mactime (from SleuthKit)

(Developed and tested on Debian 9.6 with Volatility 2.6-1 and sleuthkit 4.4.0-5)

How it works

AutoTimeline automates this workflow:

Identify correct volatility profile for the memory image.
Runs the timeliner plugin against volatile memory dump using volatility.
Runs the mftparser volatility plugin, in order to extract $MFT from memory and generate a bodyfile.
Runs the shellbags volatility plugin in order to generate a bodyfile of the user activity. (suggested by Matteo Cantoni).
Merges the timeliner, mftparser and shellbags output files into a single bodyfile.
Sorts and filters the bodyfile using mactime and exports data as CSV.

Installation

Simply clone the GitHub repository:

git clone https://github.com/andreafortuna/autotimeliner.git

Usage

autotimeline.py [-h] -f IMAGEFILE [-t TIMEFRAME] [-p CUSTOMPROFILE]

optional arguments:
  -h, --help            show this help message and exit
  -f IMAGEFILE, --imagefile IMAGEFILE
                        Memory dump file
  -t TIMEFRAME, --timeframe TIMEFRAME
                        Timeframe used to filter the timeline (YYYY-MM-DD
                        ..YYYY-MM-DD)
  -p CUSTOMPROFILE, --customprofile CUSTOMPROFILE
                        Jump image identification and use a custom memory
                        profile

Examples

Extract timeline from TargetServerMemory.raw, limited to a timeframe from 2018-10-17 to 2018-10-21:

./autotimeline.py -f TargetServerMemory.raw -t 2018-10-17..2018-10-21

Extract timeline from all images in current directory, limited to a timeframe from 2018-10-17 to 2018-10-21:

./autotimeline.py -f ./*.raw -t 2018-10-17..2018-10-21

Extract timeline from TargetServerMemory.raw, using a custom memory profile:

./autotimeline.py -f TargetServerMemory.raw -p Win2008R2SP1x64

All timelines will be saved as $ORIGINALFILENAME-timeline.csv.

TODO

Better image identification
Better error trapping

autotimeliner's People

Contributors

Stargazers

Watchers

autotimeliner's Issues

Empty csv maybe due to the lack of right profile

Tried the tool with the VMEM stuxnet file and I always get an csv without results, I would guess due to the missing detection of the right profile:

autotimeline.py -f stuxnet.vmem

                _     _______ _                _ _
     /\        | |   |__   __(_)              | (_)
    /  \  _   _| |_ ___ | |   _ _ __ ___   ___| |_ _ __   ___ _ __
   / /\ \| | | | __/ _ \| |  | | '_ ` _ \ / _ \ | | '_ \ / _ \ '__|
  / ____ \ |_| | || (_) | |  | | | | | | |  __/ | | | | |  __/ |
 /_/    \_\__,_|\__\___/|_|  |_|_| |_| |_|\___|_|_|_| |_|\___|_|

- Automagically extract forensic timeline from volatile memory dump -

Andrea Fortuna - [email protected] - https://www.andreafortuna.org

*** Processing image stuxnet.vmem
-------
*** Starting image identification......
*** Creating memory timeline......done!
*** Creating shellbags timeline......done!
*** Creating $MFT timeline......done!
*** Merging and filtering timelines......done!
Timeline saved in stuxnet.vmem-timeline.csv

Also providing a fixed profile does not help:

autotimeline.py -f stuxnet.vmem -p WinXPSP2x86

                _     _______ _                _ _
     /\        | |   |__   __(_)              | (_)
    /  \  _   _| |_ ___ | |   _ _ __ ___   ___| |_ _ __   ___ _ __
   / /\ \| | | | __/ _ \| |  | | '_ ` _ \ / _ \ | | '_ \ / _ \ '__|
  / ____ \ |_| | || (_) | |  | | | | | | |  __/ | | | | |  __/ |
 /_/    \_\__,_|\__\___/|_|  |_|_| |_| |_|\___|_|_|_| |_|\___|_|

- Automagically extract forensic timeline from volatile memory dump -

Andrea Fortuna - [email protected] - https://www.andreafortuna.org

*** Processing image stuxnet.vmem
-------
*** Using custom profile: WinXPSP2x86
*** Creating memory timeline......done!
*** Creating shellbags timeline......done!
*** Creating $MFT timeline......done!
*** Merging and filtering timelines......done!
Timeline saved in stuxnet.vmem-timeline.csv

Any hints?

I tested it on a SANS sift and another machine as well.

startdate/enddate optionals

If they are not specified: all the time

decode issue & Failed to import '/usr/lib/libyara.so'

Hello plz check my issue

└─# python3 autotimeline.py -f ./02_gitstack_memory.raw

            _     _______ _                _ _
 /\        | |   |__   __(_)              | (_)
/  \  _   _| |_ ___ | |   _ _ __ ___   ___| |_ _ __   ___ _ __

/ /\ | | | | / _ | | | | ' ` _ \ / _ \ | | ' \ / _ \ '|
/ ____ \ || | || () | | | | | | | | | / | | | | | / |
// __,|__/|| ||| || |_|_|||| ||_|_|

Automagically extract forensic timeline from volatile memory dump -

Andrea Fortuna - [email protected] - https://www.andreafortuna.org

*** Processing image ./02_gitstack_memory.raw

*** Starting image identification......Win7SP1x86_23418
*** Creating memory timeline......done!
*** Creating shellbags timeline......done!
*** Creating $MFT timeline......done!
*** Merging and filtering timelines...Traceback (most recent call last):
File "/home/clown/autotimeliner/autotimeline.py", line 127, in
main(args)
File "/home/clown/autotimeliner/autotimeline.py", line 94, in main
combine_timelines(filename)
File "/home/clown/autotimeliner/autotimeline.py", line 44, in combine_timelines
for line in infile:
File "", line 322, in decode
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xbc in position 853: invalid start byte

and like below log why this error shows up? (below error from shellbag.body)

pip2 install yara
pip2 install yara-python
apt-get install libyara-dev
i tried above commands but still Failed to import '/usr/lib/libyara.so' pops up

Failed to import '/usr/lib/libyara.so'
PATH = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games;/usr/lib
*** Failed to import volatility.plugins.linux.malfind (OSError: /usr/lib/libyara.so: cannot open shared object file: No such file or directory)
Failed to import '/usr/lib/libyara.so'
PATH = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games;/usr/lib;/usr/lib
*** Failed to import volatility.plugins.malware.timers (OSError: /usr/lib/libyara.so: cannot open shared object file: No such file or directory)
Failed to import '/usr/lib/libyara.so'
PATH = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games;/usr/lib;/usr/lib;/usr/lib
*** Failed to import volatility.plugins.overlays.windows.win8 (OSError: /usr/lib/libyara.so: cannot open shared object file: No such file or directory)
Failed to import '/usr/lib/libyara.so'
PATH = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games;/usr/lib;/usr/lib;/usr/lib;/usr/lib
*** Failed to import volatility.plugins.drivermodule (OSError: /usr/lib/libyara.so: cannot open shared object file: No such file or directory)
Failed to import '/usr/lib/libyara.so'
PATH = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib
*** Failed to import volatility.plugins.overlays.mac.mac (OSError: /usr/lib/libyara.so: cannot open shared object file: No such file or directory)
Failed to import '/usr/lib/libyara.so'
PATH = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib
*** Failed to import volatility.plugins.overlays.windows.win8_kdbg (OSError: /usr/lib/libyara.so: cannot open shared object file: No such file or directory)
Failed to import '/usr/lib/libyara.so'
PATH = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib
*** Failed to import volatility.plugins.timeliner (OSError: /usr/lib/libyara.so: cannot open shared object file: No such file or directory)
Failed to import '/usr/lib/libyara.so'
PATH = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib
*** Failed to import volatility.plugins.malware.apihooks (OSError: /usr/lib/libyara.so: cannot open shared object file: No such file or directory)
Failed to import '/usr/lib/libyara.so'
PATH = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib
*** Failed to import volatility.plugins.multiscan (OSError: /usr/lib/libyara.so: cannot open shared object file: No such file or directory)
Failed to import '/usr/lib/libyara.so'
PATH = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib
*** Failed to import volatility.plugins.dumpcerts (OSError: /usr/lib/libyara.so: cannot open shared object file: No such file or directory)
Failed to import '/usr/lib/libyara.so'
PATH = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib
*** Failed to import volatility.plugins.tcaudit (OSError: /usr/lib/libyara.so: cannot open shared object file: No such file or directory)
Failed to import '/usr/lib/libyara.so'
PATH = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib
*** Failed to import volatility.plugins.malware.devicetree (OSError: /usr/lib/libyara.so: cannot open shared object file: No such file or directory)
Failed to import '/usr/lib/libyara.so'
PATH = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib
*** Failed to import volatility.plugins.overlays.windows.win10 (OSError: /usr/lib/libyara.so: cannot open shared object file: No such file or directory)
Failed to import '/usr/lib/libyara.so'
PATH = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib
*** Failed to import volatility.plugins.malware.threads (OSError: /usr/lib/libyara.so: cannot open shared object file: No such file or directory)
Failed to import '/usr/lib/libyara.so'
PATH = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib
*** Failed to import volatility.plugins.malware.idt (OSError: /usr/lib/libyara.so: cannot open shared object file: No such file or directory)
Failed to import '/usr/lib/libyara.so'
PATH = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib
*** Failed to import volatility.plugins.mac.mac_yarascan (OSError: /usr/lib/libyara.so: cannot open shared object file: No such file or directory)
Failed to import '/usr/lib/libyara.so'
PATH = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib;/usr/lib
*** Failed to import volatility.plugins.linux.netscan (OSError: /usr/lib/libyara.so: cannot open shared object file: No such file or directory)
Failed to import '/usr/lib/libyara.so'

Volatility 3 compatibility

Is in the horizon?
Thanks!

have a licence file

In order to be able to use / improve the code etc it would be good to have a licence file in this repo:

https://choosealicense.com/

Thx

Volatility shellbags

I'd add "shellbags" in addition to "timeliner" and "mftparser".

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.