15-498 Lab #4: Timestamp Analysis

Lab #4: Timestamp Analysis

Dates

Assigned: April 26, 2011

Group Size

This lab is to be done in partnerships of two people. But, the work is not shared, instead it is duplicated. Each partner independently prepares a timestamp dump and provides it to her/his partner. Then, each person independently analyzes the dump that she/he received.
Obviously, good cooperation is here so one person doesn't get the other person behind. And, obviously, there is no cone of silence here. You can talk with your classmates, to be sure -- just "Do your own work". You know what that means.
You should provide your partner a separare file for each dump, e.g. one for each file system and one for each registry hive. But, you are more than welcome to communicate with your partner about what format you'd like the logs in, e.g. fixed width vs comma-delimited, the date format, etc. And, you can certainlt help others in the class, including your partner, learn how to do this, e.g. point them at appropriate man pages or documentation for appropriate flags.

The Assignment

This assignment asks you to anlayze timestamps on a system to determine

the work habits of the user(s) w.r.t when they work
scheduled automated processes
anythign turly anomalous, if such should happen to be present

To do this, you'll use the fls and mactime tools from the Sleuth Kit to get the timestamps from a file system. In the event that you have access to an actively used windows system, you should also get timestamps for the registry hives. I'd recommend using the regtime.pl script, rather than the one that comes with Sleuth Kit, just because of the output format. Another way of getting Sleuth Kit is via a live CD, such as Caine Live.
Once you have the timestamps, you probably want to merge them into one file and sort them. Somewhere along the way, you probably want to bring them into Excel or another spreadsheet, and do some analysis. I can imagine building a bunch of histograms, by day, by week, and by month. I can also imaging building some folded histograms, e.g. by hour of day, day of week, hour of day per day of week, etc.
In the end, you should write a report that documents what you believe you can determine about (a), (b), and (c) above. You should write a copy of this and give it to your partner as well as turn it in.
In addition, you should briefly comment on the accuracy of your partner's analysis (since you know the facts) and submit these comments.

Deliverables

A beautiful report, illustrated with figures and graphs, that describes your conclusions and reasoning
Your comments on your partner's report

Warning

Look at the stuff before you hand it to your partner. You -are- permitted to censor it. Delete anything that would cause you embarassment.
If you don't feel that you can be comfortable without destroying your partner's experience, please see me as soon as possible. We can probably arrange for you to do data collection on another system.

I'm Here to Help!

...Please let me know how I can be of service.