The area of event reconstruction in computer forensics deals with analyzing and evaluating data obtained from a system and using it to determine what happened. The data recovery process is a well-covered area within computer forensics, but little work has been done on how to actually analyze and evaluate the recovered data. Only very crude tools, such as mactimes or individual log analyzers, exist. A comprehensive event reconstruction on a system that takes into account data from various sources, such as file MAC times, system logs, firewall logs, and application data, is mostly done manually by the investigator. With storage capacities growing rapidly and systems more and more permanently connected to global networks, it is not uncommon for the number of events recorded by a system to go into the hundreds of thousands.
To provide an investigator a tool that helps him process this large amount
of data, we are developing a graphical time line editor. The tool should
allow the grouping of events into super-events.
The main data structure for the time line analyzer is the event. An event consists of a time span when the event took place, a source to denote the origin of the event, and a description of the event. An event can contain a list of sub-events and can also be part of a super event's sub-list.
Starting with events at discrete times that were generated from the system information, events that belong to the same "action" can thus be grouped together into event hierarchies. For example, the three events "access program gcc", "access file x" and "access library y" could be grouped together by an investigator into a super event labeled "compile program x", which in turn could be part of another super event "install rootkit z".
A graphical front-end should allow an investigator to manage the events. Super events may be created from selected sub-events. Events may be moved around via drag-and-drop or directly assigned to a super event hierarchy. The event hierarchy can be displayed in a tree-like view in which all or selected branches can be collapsed. This way, an investigator can concentrate only on the events that need his direct attention.
We have the following design objectives for the tool:
- Import events from various sources, such as system MAC times, system and firewall logs, and application data.
- Provide an easy-to-use and intuitive GUI to manage and classify the events.
- Allow fast retrieval of individual events or of events that fall into a certain time window.
- Run on many platforms.
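The following is an added example, not code from Zeitline itself, showing the event model described above in compact form: an Event with a time span, a source, a description and a super/sub hierarchy; a Timeline that keeps top-level events in a balanced tree so that a time-window query does not scan every event (the "fast retrieval" objective; java.util.TreeMap is used here in place of the AVL trees Zeitline uses); and a tiny import filter for a constructed "timestamp program: message" log format. The class names, the log format and the sample lines are all assumptions made for this example; the grouping labels follow the "compile program x" / "install rootkit z" illustration in the text. Java 11 or later is assumed.

```java
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;
import java.util.TreeMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** A Zeitline-style event: a time span, an origin, a description, and an optional hierarchy. */
final class Event {
    final Instant start;
    final Instant end;          // equal to start for an atomic (discrete-time) event
    final String source;        // where the event came from, e.g. "mactimes" or "syslog:sshd"
    final String description;
    final List<Event> subEvents = new ArrayList<>();
    Event superEvent;           // null for a top-level event

    Event(Instant start, Instant end, String source, String description) {
        this.start = start; this.end = end; this.source = source; this.description = description;
    }

    /** Group the given events under a new super event whose span covers all of them. */
    static Event group(String description, List<Event> members) {
        if (members.isEmpty()) throw new IllegalArgumentException("a super event needs at least one sub-event");
        Instant s = members.get(0).start, e = members.get(0).end;
        for (Event m : members) {
            if (m.start.isBefore(s)) s = m.start;
            if (m.end.isAfter(e)) e = m.end;
        }
        Event sup = new Event(s, e, "investigator", description);   // the investigator is the origin of the grouping
        for (Event m : members) {
            if (m.superEvent != null) m.superEvent.subEvents.remove(m);  // move, do not copy
            m.superEvent = sup;
            sup.subEvents.add(m);
        }
        return sup;
    }
}

/** Top-level timeline: a balanced tree keyed on start time so window queries cost O(log n + hits). */
final class Timeline {
    private final TreeMap<Instant, List<Event>> byStart = new TreeMap<>();

    void add(Event e) { byStart.computeIfAbsent(e.start, k -> new ArrayList<>()).add(e); }

    /** Events whose start lies in [from, to], inclusive at both ends. */
    List<Event> inWindow(Instant from, Instant to) {
        List<Event> out = new ArrayList<>();
        for (List<Event> bucket : byStart.subMap(from, true, to, true).values()) out.addAll(bucket);
        return out;
    }

    /** Render a hierarchy as an indented tree, the way a collapsible tree view would show it. */
    static String render(Event e, int depth) {
        StringBuilder sb = new StringBuilder();
        sb.append("  ".repeat(depth)).append(e.start).append(" [").append(e.source).append("] ")
          .append(e.description).append('\n');
        for (Event c : e.subEvents) sb.append(render(c, depth + 1));
        return sb.toString();
    }
}

/** Hypothetical import filter: one discrete event per line of "<ISO-8601 time> <program>: <message>". */
final class SimpleLogImport {
    private static final Pattern LINE = Pattern.compile("^(\\S+) (\\S+?): (.*)$");

    static List<Event> parse(String text) {
        List<Event> events = new ArrayList<>();
        for (String line : text.split("\n")) {
            Matcher m = LINE.matcher(line.trim());
            if (!m.matches()) continue;          // skip malformed lines instead of aborting the whole import
            Instant t = Instant.parse(m.group(1));
            events.add(new Event(t, t, "syslog:" + m.group(2), m.group(3)));
        }
        return events;
    }
}

public class ZeitlineDemo {
    public static void main(String[] args) {
        // Constructed sample log lines for the demo; not real evidence.
        String log = String.join("\n",
            "2005-08-16T10:00:01Z sshd: Accepted password for user from 10.0.0.5",
            "2005-08-16T10:00:07Z kernel: access program gcc",
            "2005-08-16T10:00:08Z kernel: access file x",
            "2005-08-16T10:00:09Z kernel: access library y",
            "2005-08-16T10:00:20Z kernel: module z loaded");
        List<Event> raw = SimpleLogImport.parse(log);
        Timeline tl = new Timeline();
        for (Event e : raw) tl.add(e);

        // Pull the events in a narrow window, then build the two-level hierarchy from the text.
        List<Event> hits = tl.inWindow(Instant.parse("2005-08-16T10:00:07Z"),
                                       Instant.parse("2005-08-16T10:00:09Z"));
        Event compile = Event.group("compile program x", hits);
        Event install = Event.group("install rootkit z", List.of(compile, raw.get(4)));
        System.out.print(Timeline.render(install, 0));
    }
}
```

The super event's span is derived from its members rather than stored independently, so moving a sub-event into a different super event (the drag-and-drop case) only requires updating the two parent lists; an index over super events would have to be refreshed after such a move, which is the kind of data-structure work the volunteer list below refers to.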
We are proud to present Zeitline, a tool written in Java. Please consult
the README file for details. Zeitline currently has a limited base
functionality: you can import events, display information about events,
group events together into super events (using menu actions, drag and
drop, or cut and paste), create new timelines (empty or from a selection
of events), perform a basic filtering of the events that are displayed by
keyword and/or time, and save and load a project. We believe the program is fairly stable at this point, but there are likely to be many errors left. Performance can probably be improved quite a bit as well. Please report any bugs, including a description and the steps to reproduce them, to zeitline@cerias.purdue.edu.
08/16/2005: Released version 0.1 of Zeitline.
07/06/2005: Zeitline has moved to Sourceforge. See http://sourceforge.net/projects/zeitline for details. Downloads, forums, bug trackers, feature requests, and more can be done from there.
04/04/2005: Zeitline is now available as source code. Zeitline is free and open source. See LICENSE for details.
See CHANGELOG for the changes in the current version.
A mailing list on which we will announce new releases and other
information regarding Zeitline has now been set up. To subscribe, send an
e-mail to
zeitline-info-request@cerias.purdue.edu with "subscribe" in the body
of the message. You will have to confirm your subscription by following
the instructions in the follow-up mail you will receive. To unsubscribe,
send an e-mail to the above address with "unsubscribe" in the body.
If you are interested in working on Zeitline, we are always looking for
volunteers to help with the following:
- if you have GUI programming experience, we can use your help in
tweaking some of the widgets, improving the look and feel, and
working on drag and drop support.
- if you are good with data structures, we can use your help in
improving the data structures we use for our event hierarchy
(currently AVL balanced trees), reducing the memory requirements
of the data structures, and developing better indexing and searching
techniques.
- if you have good knowledge of UNIX or Windows systems, firewall
or IDS logs, or application logs, we can use your help in developing
new import filters that generate events for the tool.
- if you just like programming, we can always use help for the
development of new features for the tool.
Please contact me if you are interested in working on the project.