I was talking to one of our Sales Engineers, Bert Hayes, the other day about using Splunk for computer forensics. Bert was formerly a Splunk customer at a large university in the southern U.S., where he used Splunk for security; he really knows his stuff in this area. Anyhow, Bert mentioned to me how he used to use Splunk for computer forensics and pointed me to a great blog post that he found helpful on the topic. I found the post to be a great read and wanted to share it.
The blog is courtesy of Klein & Co., experts in computer forensics. In the posting they detail how to use Splunk to build a computer forensic timeline for analysis. The link to their blog posting is:
http://kleinco.com.au/thoughts-events/item/forensic-timeline-splunking
Basically, you use The Sleuth Kit and log2timeline (both free tools) to extract file system and other timestamped data from the computer in question as CSV files. These CSVs contain the information needed to reconstruct system and user activity on the machine. You then index the CSVs in Splunk. In the posting, Klein & Co. even provide the props.conf and transforms.conf you can use to get the data into Splunk with proper field extractions.
At this point, Splunk can build a detailed timeline of the recorded activity on the machine. You can then easily run Splunk searches to answer questions like: What files did the user access in a certain time period? What files did the user put in the Recycle Bin during a certain time period? Did the user attach a file to a webmail message? As Klein & Co. put it, the searches you can run are “really up to your creativity and your understanding of the underlying data.” Well put!
Anyhow, please read their posting for more detail, and happy Splunking for Security!
Joe
====
UPDATE December 2016
The Klein & Co. link above is broken and I cannot find the page or its information. So I will suggest an updated approach to using Splunk for forensics, which several of our customers are using.
(1) Get the open-source tool log2timeline/Plaso. log2timeline (mentioned above) is a tool designed to extract timestamps from the various files found on a typical computer system and aggregate them; Plaso is the Python-based back-end engine behind log2timeline. Use it to extract all events from the drive image you need to examine. GitHub info and a good SANS article on log2timeline are at:
https://github.com/log2timeline/plaso
(2) Export the timeline from the Plaso storage file to CSV (with psort.py, for example using the l2tcsv output format) and import it into Splunk, where you can use it to build out timelines for forensics. Splunk security ninja Dave Herrald has built an unsupported app and technology add-on to facilitate this:
https://github.com/daveherrald/SA_plaso-app-for-splunk
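As an added example (not from the original post, from Klein & Co., from Plaso or from Dave Herrald's app), the script below shows the shape of the data that step (2) hands to Splunk and answers the three questions from the original post directly over it: it parses a Plaso l2tcsv export (header row plus 17 columns, dates as MM/DD/YYYY, times as HH:MM:SS, a timezone column), normalizes every timestamp to UTC, and then filters for files accessed in a window, Recycle Bin deletions, and webmail attachment hints. The sample rows, the host WS01, the user jdoe, the file paths and the webmail host are all constructed for this example, and the attachment check is a keyword heuristic that you would adapt to the webmail service in your own case:

```python
"""Query a Plaso l2tcsv timeline for the questions in the post (added example)."""
import csv
import io
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Column layout of Plaso's l2tcsv output (psort.py -o l2tcsv): header row, then 17 fields per event.
L2TCSV_FIELDS = ["date", "time", "timezone", "MACB", "source", "sourcetype", "type", "user",
                 "host", "short", "desc", "version", "filename", "inode", "notes", "format", "extra"]

# Constructed sample export: host, user, paths and URLs are invented for this example.
SAMPLE_CSV = r"""date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
12/01/2016,09:14:02,UTC,.A..,FILE,File stat,Last Access Time,jdoe,WS01,C:\Users\jdoe\Documents\q4_forecast.xlsx,C:\Users\jdoe\Documents\q4_forecast.xlsx Type: file,2,C:\Users\jdoe\Documents\q4_forecast.xlsx,41207,-,filestat,-
12/01/2016,09:20:45,UTC,M...,FILE,File stat,Content Modification Time,jdoe,WS01,C:\Users\jdoe\Downloads\invoice.pdf,C:\Users\jdoe\Downloads\invoice.pdf Type: file,2,C:\Users\jdoe\Downloads\invoice.pdf,41388,-,filestat,-
12/01/2016,09:31:10,UTC,...B,RECBIN,Recycle Bin,Content Deletion Time,jdoe,WS01,DC1 -> C:\Users\jdoe\Documents\old_notes.txt,"DC1 -> C:\Users\jdoe\Documents\old_notes.txt, original size 2048 bytes",2,C:\$Recycle.Bin\S-1-5-21-1111-2222-3333-1001\$I3K2LQ.txt,41402,-,recycle_bin,-
12/01/2016,09:35:27,UTC,.A..,WEBHIST,Chrome History,Last Visited Time,jdoe,WS01,https://mail.example-webmail.test/mail/?view=cm&attid=1,"https://mail.example-webmail.test/mail/?view=cm&attid=1 (Compose: attach q4_forecast.xlsx) [count: 1]",2,C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\History,41555,-,sqlite/chrome_27_history,-
12/01/2016,14:02:00,UTC,.A..,FILE,File stat,Last Access Time,jdoe,WS01,C:\Users\jdoe\Pictures\holiday.jpg,C:\Users\jdoe\Pictures\holiday.jpg Type: file,2,C:\Users\jdoe\Pictures\holiday.jpg,41610,-,filestat,-
"""

# The analysis window used below: 09:00-10:00 UTC on the day of the sample export.
WINDOW_START = datetime(2016, 12, 1, 9, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2016, 12, 1, 10, 0, tzinfo=timezone.utc)

# Webmail hosts to look for in browser history (constructed; extend for the case at hand).
WEBMAIL_HOSTS = ("mail.example-webmail.test",)
ATTACHMENT_HINT = re.compile(r"attach|attid", re.IGNORECASE)  # heuristic, not a Plaso field


def _tz(name: str):
    """Map the l2tcsv timezone column to a tzinfo; psort writes UTC unless told otherwise."""
    if name.upper() == "UTC":
        return timezone.utc
    from zoneinfo import ZoneInfo  # Python 3.9+, only needed for non-UTC exports
    return ZoneInfo(name)


def parse_l2tcsv(text: str) -> List[Dict[str, object]]:
    """Parse l2tcsv text into event dicts, adding an aware UTC datetime under 'ts'."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != L2TCSV_FIELDS:
        raise ValueError("not an l2tcsv header: %r" % (reader.fieldnames,))
    events: List[Dict[str, object]] = []
    for row in reader:
        naive = datetime.strptime(row["date"] + " " + row["time"], "%m/%d/%Y %H:%M:%S")
        row["ts"] = naive.replace(tzinfo=_tz(row["timezone"])).astimezone(timezone.utc)
        events.append(row)
    return events


def in_window(events, start: datetime, end: datetime):
    """Events with start <= ts < end (both bounds must be timezone-aware)."""
    return [e for e in events if start <= e["ts"] < end]


def files_accessed(events, start: datetime, end: datetime, user: Optional[str] = None) -> List[str]:
    """Files with a last-access ('A' in MACB) file-system event in the window.
    Filtering on source == FILE matters: browser-history rows also carry an 'A' flag."""
    return sorted({e["filename"] for e in in_window(events, start, end)
                   if e["source"] == "FILE" and "A" in e["MACB"]
                   and (user is None or e["user"] == user)})


def recycle_bin_deletions(events, start: datetime, end: datetime) -> List[str]:
    """Original paths of files moved to the Recycle Bin (Plaso's RECBIN source) in the window."""
    return [e["short"] for e in in_window(events, start, end) if e["source"] == "RECBIN"]


def webmail_attachment_hints(events, start: datetime, end: datetime) -> List[Tuple[str, str]]:
    """Browser-history visits to a webmail host whose URL or description mentions an attachment."""
    hits = []
    for e in in_window(events, start, end):
        if e["source"] != "WEBHIST":
            continue
        if any(h in e["short"] for h in WEBMAIL_HOSTS) and ATTACHMENT_HINT.search(e["desc"]):
            hits.append((e["ts"].isoformat(), e["short"]))
    return hits


def timeline(events, start: datetime, end: datetime) -> List[Tuple[str, str, str]]:
    """Chronological (timestamp, source, short description) tuples for the window."""
    return sorted((e["ts"].isoformat(), e["source"], e["short"]) for e in in_window(events, start, end))


if __name__ == "__main__":
    evts = parse_l2tcsv(SAMPLE_CSV)
    for line in timeline(evts, WINDOW_START, WINDOW_END):
        print(*line)
    print("accessed:", files_accessed(evts, WINDOW_START, WINDOW_END, user="jdoe"))
    print("recycled:", recycle_bin_deletions(evts, WINDOW_START, WINDOW_END))
    print("webmail attachment hints:", webmail_attachment_hints(evts, WINDOW_START, WINDOW_END))
```

In Splunk the same questions become searches over the same columns once props.conf declares the CSV header as field names (INDEXED_EXTRACTIONS = csv with TIMESTAMP_FIELDS = date,time, which is essentially what the add-on above packages for you); the point of the script is to show which columns carry the answer, and in particular that the MACB flags are only meaningful together with the source column.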
Also, even if you are not a paying Splunk customer, you can likely use the free version of Splunk for all of this, because a single machine's timeline will probably stay under the 500 MB/day indexing limit of free Splunk. Get Splunk for free at:
https://www.splunk.com/en_us/download/splunk-enterprise.html
----------------------------------------------------
Thanks!
Joe Goldberg