Digital forensic analysis can quickly go out of hand as you start to get into the details of the attack’s forensic footprints. Varying time zones, confusing timestamps, and different logging standards can take a toll on an analyst. When we move past this problem by utilizing Plaso Log2Timeline to create a timeline, you’re restricted by limitations of Microsoft Excel (or a different spreadsheet tool) in parsing the output. Well, Gigasheet’s got you covered with its support for billions of cells worth of data for your exploration needs! Best of all, you can sign up for free.
We’ve covered this before in great detail - Excel can’t process more than 1,048,576 rows. Now, as a Forensic Analyst, just take a standard Plaso output and see how many rows it has. Our test runs never rendered a single CSV sheet which had rows less than Excel’s limit.
Traditionally, analysts would reduce the dataset or apply filters to get a reduced timeline. However, this approach isn’t scalable or feasible for analysis of workstations with terabytes worth of storage. For example, if I were to process a sample CSV sheet with more than the max rows, I’d get this error:
Excel's Error: Unable to Load Plaso's Timeline CSV
Data after the max row is automatically discarded. You’d have to either re-run Plaso (which takes hours over hours to generate a single timeline sheet) or split the sheet and have further inconvenience in analyzing the timeline. Or, you could simply upload your CSV sheet to Gigasheet and let it handle the processing for you.
Log2timeline (which uses Plaso as its processing engine) can generate CSV sheets containing over a million rows depending on the size of the target system’s disk image. In such cases, you’re better off on a reliable solution for your data processing needs. Gigasheet helps you process log2timeline CSV sheets and run your desired operations on top of them.
Let’s see it in action.
To generate a sample Plaso output, we’ll use the disk released by DFIR Madness under the “Stolen Szechuan Sauce” case. Once acquired, we’ll simply pass the Encase image through psteal (alternatively, you can also use log2timeline followed by psort which gives you more control) and let it do it’s magic. Here’s the command if you’d like to follow along:
psteal.py --source 20200918_0417_DESKTOP-SDN1RPT.E01 -o dynamic -w ~/20200918_0417_DESKTOP-SDN1RPT.csv
This process is going to take a few hours so relax. Once done, you’ll have a CSV with a timeline of the forensic image. Let’s check out its rows:
Number of Lines in Plaso's Timeline CSV
Alright, that’s a little over Excel’s limit. If you try to open it in Excel, you’re bound to get the same error we previously displayed. Now, let’s try analyzing it in Gigasheet. Log in to Gigasheet and press the “Upload” button once you’re at the “Your Files” page. Simply upload your log file. Gigasheet’s going to take care of the columns and whatever data you have inside as it has native support for parsing log2timeline and Plaso! That’s all you had to do and it’ll be processed - however large your file is.
"Your Files" on Gigasheet
Let’s take a look at the data now. We aren’t going to analyze the entire timeline to look for potential pivots or interesting events on the compromised system.
Gigasheet's View of Plaso's Timeline
Instead, I’ll cheat and take a look at the solution manual provided by DFIR Madness and see how the timeline can be potentially analyzed using pivots.
Applicable Pivots in Timeline
Looking at the pivots, several of these apply to our timeline. Let’s try and look for the coreupdater.exe process in our timeline. Filtering on the display_name field, we do get a few hits. Based on the timestamps, we can see how the binary was first written to disk and then a prefetch file was created - which points towards potential execution of the binary as well. Now that we have a timestamp from the timeline, 2020-09-19T03:40:00.000000+00:00, we can also pivot off of this to look for other events around the timestamp.
'coreupdater.exe' Logs in Timeline
Next, let’s also try and find a few archived files (.ZIPs) which might indicate signs of exfiltration on the compromised system. We can simply filter on .zip on the display_name column.
Applying Filters on Data in Gigasheet
We do have a few results here but none of them are applicable to us as they’re likely false positives (WinSxS folder holds libraries for issues related to DLLs and the rest are simply DLLs from the .NET framework).
.ZIP Files in Plaso's Timeline
Similarly, you can play around with other events around the date of execution of the suspected process, coreupdater.exe. That’s the greatness of a well-made forensic timeline - it can help you correlate events together in no time.
Still using Excel? Gigasheet’s the future of data processing. Zero configuration, data loss, or processing limitations. Get started with Gigasheet today and analyze your forensic timeline without any huddles. Click here to sign up, upload your timeline to the ‘Your Files’ page, and you’re ready to get your hands dirty with exploring your data!