Sending TLN Output to Sof-Elk

JBrown
5 min read · Aug 31, 2020


Viewing Regripper and TLN timelines in Sof-ELK

The following contains basic config files and minor tweaks that can be made to the Sof-Elk VM to allow it to process files in the TLN format. TLN is a forensic timeline format created by Harlan Carvey over a decade ago. TLN lines are delimited by a pipe “|” and split into five fields, as in the example below:

Time|Source|System|User|Description
1588693524|REG|DES-59PO2L|Robobglob|[Uninstall] — Zoom v.4.6

The following steps can be taken to send TLN files to Sof-Elk:

Step 1:
Download Sof-Elk and TLN config files:

https://github.com/philhagen/sof-elk
https://github.com/dfir-scripts/sof-elk-TLN-config-files

Step 2:
Start Sof-ELK and copy the downloaded files to the following locations:

/usr/local/sof-elk/configfiles/6609-tln.conf
/usr/local/sof-elk/configfiles/9309-output-tln.conf
/usr/local/sof-elk/lib/file-beat-inputs/tln.yml
/usr/local/sof-elk/lib/elasticsearch-tln-template.json

Step 3:
Create Symbolic Links and a TLN upload directory:

ln -s /usr/local/sof-elk/configfiles/6609-tln.conf /etc/logstash/config.d/6609-tln.conf

ln -s /usr/local/sof-elk/configfiles/9309-output-tln.conf /etc/logstash/config.d/9309-output-tln.conf

mkdir /logstash/tln
chmod 7777 /logstash/tln

reboot

Step 4: Import Index, Dashboard and visualizations

Open the Sof-ELK Kibana Dashboard (e.g. http://192.168.80.156:5601/)
Click Kibana Icon > Saved Objects > Import
Import the file TLN-Dasboard.json from the repository

Step 5:
Create TLNs using Regripper 3.0

The Regripper 3.0 Windows executable rip.exe now includes the option “-aT”, which runs all TLN plugins for a given hive type. This method can quickly extract a single registry hive as TLN. The output contains a header row for each plugin processed to assist in identifying partial results. This information is essential for complete analysis of the output, but it can cause problems when importing into Logstash. Lines that are not in the TLN format should be deleted before copying to Sof-ELK.

Regripper 3.0 rip.exe

Recommended: Regripper 3.0 has the -d switch to check for unprocessed (dirty) transaction logs. The Regripper 3.0 readme recommends using “Maxim Suhanov’s yarp + registryFlush.py or Eric Zimmerman’s rla.exe” to merge these files, which can then be processed with Regripper.

rip.exe -aT -u Robobglob -S Desktop-5129P02L -r H:\Users\Robobglob\NTUSER.dat

Step 6: Add different data types and automate TLN creation

Harlan Carvey has written a number of tools that can be used to automate and otherwise output TLNs. The repository for these tools can be found here:

https://github.com/keydet89/Tools

The process for TLN creation is well documented and can be found in his books and online.

In addition, the sof-elk-TLN-config-files repository contains two files (rip_tlns.bat and rip_tlns.sh) that can be used to test and automate the extraction and TLN formatting of multiple registry files under a given path.

Rip_tlns.bat is a Windows batch file that works with Regripper 3.0 and can be run against any directory structure of offline registry files, searching for registry files by name (system, software, security, sam, ntuser.dat, amcache.hve, usrclass.dat). Two files are created, regripper.all.tln and regripper.sorted.tln. Regripper.all.tln is the complete Regripper output and regripper.sorted.tln is TLN formatted so it can be directly copied to Sof-ELK.

One approach to getting the most information into the TLN would be to run rip_tlns.bat once at the location containing the Registry and Amcache files (.\Windows) and then run it again for each NTUSER.DAT (e.g. .\Users\admin). This allows you to populate the computer name (-s) and user name (-u) fields in the TLN for each NTUSER and usrclass.dat hive.

Rip_tlns.sh is a shell script that currently works with Regripper 2.8. The source can be the root of a mounted disk image or any collection of offline registry files that maintains the original directory structure of a Windows system. After processing, the output can be directly copied to and imported from the newly created /logstash/tln directory in Sof-ELK.

The “-p” switch is required to set the path to a mounted disk or a set of saved registry files. For mounted disks, dirty hives are processed as is and are not merged. Make sure rip.pl in Regripper 2.8 has the necessary modifications and that the supporting Perl modules are updated to work on Linux systems.

One advantage of using rip_tlns.sh is that the computer name is detected using the Regripper “compname” plugin, and the user name is automatically populated in the TLN from the name of the “Users” directory that contains each NTUSER.DAT and USRCLASS.DAT hive.

$ sudo ./rip_tlns.sh -p /mnt/windows_mount |tee -a DESKTOP-529PO2L.rip.TLN

Similar automated TLN creation can also be accomplished using SANS SIFT and siftgrab. Siftgrab is due for an update but currently uses available open source tools and internal scripts to automate the CSV and TLN timeline creation process for a number of different artifacts. The script writes its output to a Triage directory, which contains a file named:

Triage-Timeline-<computer-name>.TLN

This file may contain some lines with parsing errors; improperly formatted lines should be removed before copying to Sof-ELK.
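Both the rip.exe -aT output in Step 5 and the siftgrab Triage timeline above can carry non-TLN lines (plugin banner rows, parse errors) that break the Logstash import. The filter below is an added example, not part of the post or of either repository: it keeps only lines with exactly five pipe-delimited fields and an integer epoch in the first field, strips Windows CRLF line endings, counts what it dropped, and sorts by time. The sample input is constructed for illustration.

```shell
#!/bin/sh
# clean_tln FILE: print only well-formed TLN lines, sorted by epoch time.
# A well-formed line is Time|Source|System|User|Description with an integer
# Unix epoch in the Time field. Everything else (RegRipper plugin banners,
# "plugin complete." rows, truncated records) is dropped and counted on
# stderr so the analyst can see what the import will not contain.
clean_tln() {
    awk -F'|' '
        { sub(/\r$/, "") }                      # rip.exe output is CRLF
        NF == 5 && $1 ~ /^[0-9]+$/ { print; next }
        { bad++ }
        END {
            if (bad) printf("%d non-TLN line(s) dropped\n", bad) > "/dev/stderr"
        }
    ' "$1" | sort -t'|' -k1,1n
}

# Constructed sample resembling an -aT dump: two banner rows, two valid TLN
# records out of time order, and one malformed record. Not real case data.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Launching userassist v.20200511
1588693524|REG|DESKTOP-EXAMPLE|exampleuser|[Uninstall] Zoom v.4.6
1588690000|REG|DESKTOP-EXAMPLE|exampleuser|UserAssist - notepad.exe (2)
userassist complete.
not|enough|fields
EOF

# Usage: clean_tln "$sample" > DESKTOP-EXAMPLE.rip.TLN, then scp the result
# to /logstash/tln on the Sof-ELK VM.
clean_tln "$sample"
```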

Step 7: Copy TLN to sof-elk

Once the TLN(s) have been created, they can be given unique names that can be searched from Kibana. For instance, you could identify the computer owner, department or type of case in the file name.

scp the TLN files to /logstash/tln

Step 8: Open New Dashboard and Analyze Data

Open Dashboard TLN_DATA
View Data

Example: Drilling into Suspicious User Named “Disabled”
