The Sleuth Kit and Mac OS X

Part of any digital analysis is putting together a timeline of activity on the digital media. Brian Carrier has developed a set of tools that compile on many platforms, including the Mac, called The Sleuth Kit. The Sleuth Kit is available at SleuthKit.org. For this article, we will specifically be looking at two tools, ‘fls’ and ‘mactime’, to form our timeline of live devices or image files.

Installation
First download and install The Sleuth Kit on your Mac. Make certain you are installing version 3.1 or later. Installation is very easy, but you MUST have Apple’s Developer Tools installed in order to compile it successfully. You can get this for free from developer.apple.com; you need to download Xcode 3. (Every examiner should have this installed already. There are tools included in this free kit that allow us to look at other files.) Once Xcode 3 is installed, you can continue with the install of The Sleuth Kit. After you have downloaded the compressed source code, you will use Terminal to compile and install it. Change directory into the Sleuth Kit folder and type the following 3 commands:
./configure
sudo make
sudo make install

If each of those commands finishes without error, The Sleuth Kit is installed.


Usage
From the man pages:

fls - List file and directory names in a disk image.

mactime - Create an ASCII time line of file activity

Each of these tools has a series of runtime options that makes it much more powerful than the one-line description lets on. Let’s look first at how we can use ‘fls’ to create what is called the “bodyfile”.

‘fls’ will use a disk image or attached physical device on your Mac as a source. In this example, we will use /dev/disk5 as our live source.

Note: when using a live source, you should consider turning off Disk Arbitration so the device is not automatically mounted and your analysis remains forensically sound.

To use the live disk, we must know which “slice” the HFS+ partition exists on. For my example drive, /dev/disk5s2, or “slice 2”, is where my HFS+ data source exists.
Output from ‘diskutil list’ command

Now that the data source has been determined, we can now look at the ‘fls’ command and dissect the options:

fls -z EST5EDT -s 0 -m '/' -f hfs -r /dev/rdisk5s2 > ~/Desktop/bodyfile

The above command will perform the following:

-z EST5EDT = eastern time zone -5 hours from Greenwich mean time
-s 0 = no time skew, no minutes added or subtracted to the times (used to fix a clock that is “off”)
-m '/' = all paths to files will begin with /
-f hfs = the file system will be HFS/HFS+
-r = recursively follows directories
/dev/rdisk5s2 = the raw (character) device for disk 5, slice 2, rather than the buffered block device /dev/disk5s2
> ~/Desktop/bodyfile = direct the output to a file named “bodyfile” on the Desktop of the current user

Once the ‘fls’ command has completed, the ‘mactime’ command is used to process the bodyfile into a usable timeline. In our example, we are going to create a CSV file for import into Excel.

mactime -b /Users/rkubasiak/Desktop/bodyfile -z EST5EDT -d > ~/Desktop/timeline.csv

The above command will perform the following:

-b /Users/rkubasiak/Desktop/bodyfile = the file to be processed
-z EST5EDT = eastern time zone -5 hours from Greenwich mean time
-d = output in CSV format
> ~/Desktop/timeline.csv = direct the output to a file named “timeline.csv”

Both commands will look like the following when executed properly:

Combined 2 commands to create our timeline in CSV format

The CSV file can be viewed with any application that can read text files. Even better, because it is CSV data, we can view it within Excel. Let’s focus specifically on a section of the data where I added events to iCal.


Timeline as viewed from Excel

The screen capture shows us specific dates and times of iCal entries being added to the iCal calendar of the user “ryankubasiak”. We know these are new entries because of the third column, which has the entries “macb”. These letters stand for the following:
m - modified (metadata modified about the file)
a - accessed (file itself has been accessed)
c - changed (content of the file has been changed)
b - birth (file created)

When a file is first created, all four times (macb) are set to the current time, which is what we see for the iCal events created in this account. If one of these events is later modified to have different data, the “c” time will change, and the iCal event would show up in the timeline again at the moment the change was made. Notice in the above screen capture that the file “Info.plist” has only its “mc” times changing. This tells us that the Info.plist file already existed at “Saturday March 6, 2010 at 13:45:59”, and that at that moment the content of the file changed along with the metadata describing it.

This article only begins to touch on the power of ‘fls’ and ‘mactime’, and certainly doesn’t show off the other tools available in The Sleuth Kit. We would like to thank SANS and the SEC508 class for the instruction provided on this topic, as well as Andrew Hoog from viaForensics for his assistance in developing timeline analysis on the Mac.

More information for all references:
SANS: http://www.sans.org/
The Sleuth Kit: http://www.sleuthkit.org/
viaForensics: http://viaforensics.com/services/iphone-forensics/