/usr/share/autopsy/help/tl.html is in autopsy 2.24-1.
<HTML>
<HEAD><TITLE>Autopsy Timeline Analysis Help</TITLE></HEAD>
<BODY BGCOLOR=#CCCC99>
<CENTER><H2>Timeline Mode</H2></CENTER>
<H3>Overview</H3>
<P>
For some investigations, creating a timeline of activity can be
useful to identify places where the analysis should begin. Of
course file times can be easily modified by an attacker, so they
can not be 100% trusted. But, Autopsy can create timelines of
file activity.
<P>
Files have at least three times associated with them. The details of
each time vary with the file system type.
<P>
The following times exist for UNIX file systems (EXT2FS & FFS):
<UL>
<LI><B>Modified</B>: When the file data was last
modified. This time can be modified using the utimes()
function. This time is preserved in a 'tar' archive, so it is
possible to have M-times of files prior to when they were introduced
to the system.
<LI><B>Accessed</B>: When the file data was last
accessed. This time can be modified using the utimes() function.
<LI><B>Changed</B>: When the file status (inode data)
was last changed. This time can not be set using the utimes()
function in UNIX (but it will be set when utimes() is used to modify
other values).
</UL>
The EXT2FS file system also has a Deleted time, but it is not displayed
in the timeline.
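The list above states that utimes() can set the M- and A-times of a UNIX file but not its C-time, and that the C-time is still updated when utimes() is called. The following Python is an added example (not part of the Autopsy help or its code) that verifies this on a scratch file and turns it into the check a timeline reviewer applies when reading the 'm', 'a' and 'c' columns: a file whose M-time is far older than its C-time had its metadata touched after the data change it claims, which is worth a second look (a chmod or rename also bumps the C-time, so it is a flag, not proof). It assumes a POSIX host where os.utime() maps to utimes().

```python
import os
import tempfile
import time


def mac_times(path):
    """Return the three UNIX times of a file keyed by the timeline letters m/a/c."""
    st = os.stat(path)
    return {"m": st.st_mtime, "a": st.st_atime, "c": st.st_ctime}


def backdate_demo(years_back=10):
    """Create a scratch file, push its M- and A-times into the past with
    os.utime() (the Python wrapper around utimes()), and return the times
    recorded before and after the call so the effect on C-time is visible."""
    fd, path = tempfile.mkstemp(prefix="tl-demo-")
    os.close(fd)
    try:
        before = mac_times(path)
        old = time.time() - years_back * 365 * 86400
        os.utime(path, (old, old))  # sets only A-time and M-time; C-time becomes "now"
        after = mac_times(path)
    finally:
        os.unlink(path)
    return before, after


def mtime_older_than_ctime(times, slack=1.0):
    """Review heuristic: True when the inode change time is more than `slack`
    seconds newer than the data modification time. utimes() cannot set the
    C-time, so a back-dated M-time always leaves the C-time newer."""
    return times["c"] - times["m"] > slack


if __name__ == "__main__":
    before, after = backdate_demo()
    for label, t in (("before utime()", before), ("after utime()", after)):
        print(label, {k: time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(v))
                      for k, v in t.items()},
              "flag:", mtime_older_than_ctime(t))
```

Run it as a script to see the three times before and after the utime() call; the C-time stays at the present while M and A move ten years back, which is exactly the pattern the heuristic flags.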
<P>
A FAT File system has the following times:
<UL>
<LI><B>Written</B>: When the file was last written to.
It is the ONLY required time in the FAT file system.
<LI><B>Accessed</B>: When the file was last accessed. In
FAT, it is only accurate to the day (not minute). It is an optional
value, so some Operating Systems may not update it.
<LI><B>Created</B>: When the file was created. It is
also optional, so some Operating Systems may not update it. In fact,
many Windows installations have a C-Time of 0 for directories such as
<TT>C:\Windows</TT> and <TT>C:\Program Files</TT>.
</UL>
<P>
The NTFS File system has several times, four of which are
used in the timeline. These times are gathered from the
<TT>$STANDARD_INFORMATION</TT> attribute.
<UL>
<LI><B>Written</B>: When the file was last written to.
<LI><B>Accessed</B>: When the file was last accessed.
<LI><B>Changed</B>: When the MFT entry was last modified.
<LI><B>Created</B>: When the file was created.
</UL>
<H3>How to Create a Timeline</H3>
Creating a timeline takes two steps. The first step extracts and
saves the needed data from each file system image. This step
stores the data from each specific file system in a generic format.
Historically (from TCT), this file was called the <TT>body</TT>
file. The second step takes the <TT>body</TT> file as input and
generates an ASCII timeline of file activity between two specified
dates. The resulting timeline can be viewed in Autopsy or using
a text editor.
<H3>Creating the Body File</H3>
The file meta-data must be extracted from the file system images and saved
to the <TT>body</TT> file. There are three major types of files from which data
can be extracted:
<UL>
<LI><B>Allocated Files</B>:
Files that are seen when doing an 'ls' or 'dir' in a directory. In
other words, these are the files that have an allocated file name
structure.
<LI><B>Unallocated Files</B>:
Files that have been deleted, but that TSK can still access.
Files in this category include orphan files, which are files that
no longer have a name, but whose metadata still exists.
If a deleted file name points to an allocated metadata structure,
then the name will say (realloc) next to it.
</UL>
<P>
To create the <TT>body</TT> file, select the images to analyze from
the list on top. Next, select which types of data you want to
extract. By default all types are extracted. Lastly, identify the
name of the body file to create. The file will be created in the
<TT>output</TT> directory and an entry will be added to the host config
file. You will be given the option to calculate the MD5 value of
the new file.
<H3>Creating the Timeline</H3>
The next window allows one to create a timeline based on the newly
created <TT>body</TT> file. Or, one can select the option from
the left-hand side menu. The range of dates must be selected as
well as the name of the timeline file. The resulting timeline will
use the time zone for the host.
<P>
If the images are from a
UNIX file system, then the password and group files can be used to
change the UID and GID to actual names. If the partition containing the
root directory exists in the host, select it from the pull down
list and Autopsy will find the <TT>/etc/passwd</TT> and
<TT>/etc/group</TT> file contents.
<P>
The timeline will be created in the <TT>output</TT> directory.
You will be given the option to calculate the MD5 hash value of
the new file.
<H3>Viewing the Timeline</H3>
The timeline can be viewed in Autopsy. Timelines tend to be very
large though, often with thousands of lines. HTML browsers can not
handle tables of this size very well and typically have trouble
processing it. Therefore, Autopsy only allows you to view the
timeline one month at a time. It will likely be easier to open a
shell and examine the timeline in a text editor or pager such as
'less' or 'more'.
<P>
The 'summary' link will show a page that contains a monthly summary
of activity. It shows how many events occurred in that month
and links to the details. This allows one to get a high level
view of when a lot of activity last occurred.
<P>
The following columns are in the timeline (in order):
<UL>
<LI><B>Date and time</B> of the activity. If no date is given,
then the activity occurred at the same time as the previous entry
with a time.
<LI><B>Size</B>. The size of the file.
<LI><B>Entry Type</B>. The 'm', 'a', 'c', and 'b' letters will exist to
identify which of the activity types this entry corresponds to. 'm' is
for modified times, 'a' is for access times, 'c' is for change times, and
'b' is for created (or born) times.
<LI><B>Mode</B>. The UNIX mode is shown.
<LI><B>UID</B>. The User Id or User name is shown. If a password
file was provided when the timeline was created, then the column should
only have names.
<LI><B>GID</B>. The Group Id or Group name is shown. If a group
file was provided when the timeline was created, then the column should
only have names.
<LI><B>Meta Data Address</B>. The inode or MFT entry address for the
associated file.
<LI><B>File Name</B>. The name of the file and the destination of a
symbolic link. Deleted entries will have '(deleted)' at the end and
deleted entries that point to an allocated meta data structure will
have '(realloc)'.
</UL>
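Since the page recommends reading the timeline in a text editor or pager, a small parser is the natural companion to the column list above and to the 'summary' view described earlier. The Python below is an added example, not Autopsy's own code: it reads a constructed timeline in the column order given on this page, applies the rule that a blank date inherits the previous entry's time, decodes the m/a/c/b letters, recognises the '(deleted)' and '(realloc)' markers on file names, counts entries per month the way the summary page does, and lists entries whose UID or GID was never resolved to a name. Tab separation, '.' padding in the entry-type field and the sample lines themselves are assumptions of this example; the page does not specify a delimiter.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample timeline (not real case data). Columns, in the order the
# help page lists them: date/time, size, entry type, mode, UID, GID,
# meta-data address, file name. A blank date field means "same time as the
# previous entry with a time". Tabs and '.'-padded m/a/c/b are assumed here.
SAMPLE_TIMELINE = """\
Mon Mar 06 2006 14:02:11\t4096\tm.c.\tdrwxr-xr-x\troot\troot\t2\t/
\t1204\tmac.\t-rw-r--r--\troot\troot\t1522\t/etc/passwd
\t618\t.a..\t-rw-r--r--\troot\troot\t1523\t/etc/group
Mon Mar 06 2006 14:05:40\t12\t.a..\tlrwxrwxrwx\troot\troot\t1601\t/etc/localtime -> /usr/share/zoneinfo/UTC
Tue Apr 11 2006 03:14:00\t98304\tm...\t-rwxr-xr-x\t0\t0\t4410\t/var/tmp/build.sh (deleted)
\t98304\t...b\t-rwxr-xr-x\t1000\t1000\t4410\t/var/tmp/old.log (realloc)
"""

DATE_FMT = "%a %b %d %Y %H:%M:%S"
MACB_ORDER = "macb"  # position of each activity letter in the entry-type field


@dataclass
class TimelineEntry:
    when: datetime
    size: int
    macb: str        # e.g. "m.c." = modified and changed, not accessed or born
    mode: str
    uid: str
    gid: str
    meta_addr: str   # inode or MFT entry address
    name: str

    @property
    def activity(self):
        """Activity letters present in this entry, e.g. {'m', 'c'}."""
        return {ch for ch in self.macb if ch != "."}

    @property
    def realloc(self):
        # A deleted name whose metadata structure is now used by a live file:
        # the time, size and mode shown belong to that live file, not to the
        # deleted name, so they say little about when the deleted file was used.
        return self.name.endswith("(realloc)")

    @property
    def deleted(self):
        return self.name.endswith("(deleted)") or self.realloc


def parse_timeline(text):
    """Parse timeline text into TimelineEntry objects, carrying the last
    explicit date forward over entries whose date column is blank."""
    entries = []
    last_when = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = raw.split("\t", 7)
        if len(fields) != 8:
            raise ValueError(f"line {lineno}: expected 8 columns, got {len(fields)}")
        date_s, size, macb, mode, uid, gid, addr, name = fields
        if date_s.strip():
            last_when = datetime.strptime(date_s.strip(), DATE_FMT)
        elif last_when is None:
            raise ValueError(f"line {lineno}: no date and no earlier dated entry")
        if len(macb) != 4 or any(ch not in (want, ".")
                                 for ch, want in zip(macb, MACB_ORDER)):
            raise ValueError(f"line {lineno}: bad entry type field {macb!r}")
        entries.append(TimelineEntry(last_when, int(size), macb, mode,
                                     uid, gid, addr, name))
    return entries


def monthly_summary(entries):
    """Number of timeline entries per calendar month, like the 'summary' link."""
    counts = Counter(e.when.strftime("%Y-%m") for e in entries)
    return dict(sorted(counts.items()))


def unresolved_ids(entries):
    """Names of entries whose UID or GID is still numeric. If passwd and group
    files were supplied when the timeline was made, this list should be empty."""
    return [e.name for e in entries if e.uid.isdigit() or e.gid.isdigit()]


if __name__ == "__main__":
    parsed = parse_timeline(SAMPLE_TIMELINE)
    for e in parsed:
        print(e.when, sorted(e.activity), e.meta_addr, e.name,
              "(realloc: times belong to live file)" if e.realloc else "")
    print("per month:", monthly_summary(parsed))
    print("unresolved UID/GID:", unresolved_ids(parsed))
```

The parser is deliberately strict about the entry-type field: a value that is not four characters in m/a/c/b order is rejected rather than silently mis-read, which matters when a timeline has been edited by hand or passed through a tool that re-wraps columns.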
<HR>
<FONT SIZE=0>Brian Carrier</FONT>
</BODY></HTML>