Super Timeline Using ELK Stack

DFIR
1
Avatar
Author

 

ELK Stack is a collection of three components – Elasticsearch, Logstash & Kibana

  • Logstash – This component is responsible for processing incoming data. It takes input from different sources, executes different transformations and stores the results in Elasticsearch or other formats
  • Elasticsearch – NoSQL database based on Apache Lucene’s search engine.
  • Kibana – Web based interface that is used to search and visualize logs

These three together form the ELK stack and are used largely now in Threat Hunting or Big Data Security Analytics for the sole role of log analytics and viz. ELK stack would be the open source alternative to Splunk

ELK can also be used for performing analytics and timelining of a forensic image

For this demo, I am using an Encase image of a Windows XP drive taken from ForensicKB

 

MOUNT the Image

In FTK Imager,

  • Select Image Mounting.
  • Select the Image file.
  • Change Mounting method to Block Device / Read Only.
  • Choose the drive letter.
  • Hit Mount.

Here I have mounted the WinXP2.E01 image as E:

 

 

 

Convert the IMAGE into a PLASO file

Plaso is the python based backend for the Log2Timeline Tool.

Plaso will allow us to extract information from the files and to create a plaso based SuperTimeline file.

This file can then be imported into ELK to perform analytics

You can download plaso 1.5.1 from here.

log2timeline.exe XP.plaso E:

Log2Timeline will then parse the entire image and create a file named XP.plaso

 

Detailed help on its GitHub page

 

 

Parse the PLASO file into ELK

I transferred the file to my ELK VM.

Before I run psort, I need to ensure Python is installed along with the pyelasticsearch libraries
We can install the libraries using pip

sudo pip install pyelasticsearch

 

psort is a tool that allows us to post-process plaso files and also to perform sorting & filtering on the files
We can see detailed help by using -h or --help

To see a list of supported outputs, use the -o list parameter
To specify the time zone using the -z TIMEZONE parameter
To view the analysis plugins, use the --analysis list switch

psort.py -o elastic --server 127.0.0.1 --port 9200 --raw_fields --index_name lionelforensics XP.plaso

 

 

Using KIBANA for Analytics

Load the Kibana Web Interface (localhost:5601) and create an index matching the index_name specified above. Map the time-field name with DateTime.

If we expand an event in Kibana, we can see there are different fields like

file_entry_type
filename
is_allocated
sha256_hash

 

On filtering for reset5, we can see there are some .exe and .dat files.

The SHA256 value can be submitted to Virus Total

 

Command Line summary
log2timeline.exe XP.plaso E:

sudo pip install pyelasticsearch

psort.py -o elastic --server 127.0.0.1 --port 9200 --raw_fields --index_name lionelforensics XP.plaso

 

 

 

 

 

 

Author

Related Tags:

1 comment

Tim Taylor
Reply

Mounting the image file is unnecessary as log2timeline can process the image file.

Leave a Reply

Your email address will not be published. Required fields are marked *

For security, use of Google's reCAPTCHA service is required which is subject to the Google Privacy Policy and Terms of Use.

I agree to these terms.