Wednesday, 22 May 2013

A little bash script for discovering the Windows 7 activity

Often, during an investigation on a computer, we need a quick answer about the activity of the computer itself, so we need a tool that tells us when the device was turned on and off.
If we can take the file System.evtx, located in
%SystemRoot%\System32\Winevt\Logs\System.evtx
we can export it in CSV format using some tools or simply the Event Viewer of our Windows.
Let’s see what we can obtain; this is a piece of the file called system7.csv:

We can see that the second field holds the timestamp (date and time) and the fourth field holds the EventId number.
At this point, we can read the EventId and the timestamp and build a sort of timeline, choosing only the events of On, Off, Crash, Sleep and Awake.
We can do this using a GNU/Linux OS or simply Cygwin:
http://www.cygwin.com/
First of all, we need to make a file containing the target events:
$ echo ",12," > events.txt     ----- the first entry needs only the “>” operator.
$ echo ",13," >> events.txt    ----- the following entries need the “>>” append operator.
$ echo ",42," >> events.txt
$ echo ",1," >> events.txt
$ echo ",41," >> events.txt

EventID 12 is when the OS starts (ON)
EventID 13 is when the OS stops (OFF)
EventID 42 is when the OS enters sleep mode (SLEEP)
EventID  1 is when the OS wakes up (AWAKE)
EventID 41 is when the OS crashed (CRASH)

Now, we can make our script:

cat system7.csv | grep -f events.txt | awk -F "," '{print $2,$4}' | sed 's/ 13$/ Off/'| sed 's/ 12$/ On/' | sed 's/ 42$/ Sleep/' | sed 's/ 1$/ Awake/'| sed 's/ 41$/ Crash/'

The cat command streams the file content to grep, grep selects only the events listed in events.txt (13, 12, 42, 1 and 41), awk selects only the second and the fourth field using the “,” symbol as delimiter, and finally sed changes the EventId number into a human-readable event name.
This is the output:

06/04/2013 08:04:07 On
05/04/2013 22:05:57 Off
05/04/2013 20:36:36 Awake
05/04/2013 20:36:31 Awake
05/04/2013 19:44:58 Sleep
05/04/2013 19:25:36 Awake
05/04/2013 19:25:31 Awake
05/04/2013 18:41:47 Sleep
05/04/2013 15:16:37 Awake
05/04/2013 15:16:31 Awake
05/04/2013 14:33:59 Sleep
05/04/2013 12:42:42 Awake
05/04/2013 12:42:37 Awake
05/04/2013 11:52:50 Sleep
05/04/2013 07:57:57 On
04/04/2013 20:53:35 Off

We can also redirect the output to a CSV file:

cat system7.csv | grep -f events.txt | awk -F "," '{print $2,$4}' | sed 's/ 13$/ Off/'| sed 's/ 12$/ On/' | sed 's/ 42$/ Sleep/' | sed 's/ 1$/ Awake/'| sed 's/ 41$/ Crash/' > events_results.csv
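A compact variant of the same pipeline, added here as an example and not part of the original post: the five EventId-to-label mappings live in one awk program and the comparison is made on the fourth field only, so a ",1," that happens to appear inside an event description cannot add a spurious line, as it can with the grep -f approach. It assumes the Event Viewer column layout used above (field 2 timestamp, field 4 EventId); the rows inside sample_csv are constructed, not taken from a real export.

```shell
#!/bin/sh
# Added example, not the original post's script. Assumes the CSV layout of
# the post: field 2 = date and time, field 4 = Event ID, comma separated.

# Print one "timestamp label" line per power event, in file order
# (newest first, as in the Event Viewer export used in the post).
# Usage: power_timeline system7.csv   or   power_timeline < system7.csv
power_timeline() {
    awk -F ',' '
        BEGIN {
            label[12] = "On"     # the operating system started
            label[13] = "Off"    # the operating system is shutting down
            label[42] = "Sleep"  # the system is entering sleep
            label[1]  = "Awake"  # the system has resumed from sleep
            label[41] = "Crash"  # rebooted without a clean shutdown
        }
        # compare the EventId field itself, not the whole line
        $4 in label { print $2, label[$4] }
    ' "$@"
}

# Count how many times each event kind occurs: one "label count" line per kind.
power_summary() {
    power_timeline "$@" | awk '{ n[$3]++ } END { for (k in n) print k, n[k] }' | LC_ALL=C sort
}

# Constructed sample export. The last row is unrelated noise whose description
# contains ",1,": grep -f events.txt would select it, the field match does not.
sample_csv() {
cat <<'EOF'
Information,06/04/2013 08:04:07,Microsoft-Windows-Kernel-General,12,None,The operating system started.
Information,05/04/2013 22:05:57,Microsoft-Windows-Kernel-General,13,None,The operating system is shutting down.
Information,05/04/2013 20:36:36,Microsoft-Windows-Power-Troubleshooter,1,None,The system has resumed from sleep.
Information,05/04/2013 19:44:58,Microsoft-Windows-Kernel-Power,42,None,The system is entering sleep.
Critical,04/04/2013 09:12:00,Microsoft-Windows-Kernel-Power,41,None,The system has rebooted without cleanly shutting down first.
Information,04/04/2013 09:00:00,Service Control Manager,7036,None,Constructed noise row with values 0,1,2 in the description.
EOF
}

# Stand-alone demo: timeline followed by the per-kind counts
sample_csv | power_timeline
sample_csv | power_summary
```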

This is a quick method to get a view of the computer’s timeline over a period of time; after this first overview, naturally, it can be useful to build a detailed timeline using other forensic tools like TSK, Log2Timeline, etc.
Author:
Dr. Nanni Bassetti
http://www.nannibassetti.com