Memory Timeline Analysis using Sleuthkit - mactime

mactime creates an ASCII timeline of file activity from a body file. The timeline can be used to detect anomalous behavior and to reconstruct events; its output is a plain-text (.txt) file containing the reconstructed activity.

Why a Timeline?

Reconstructing events plays an important role during an investigation because it allows the investigator to rebuild the activities that happened before and after the event was first detected. It gives the investigator a bird's-eye view of the actions taken by a piece of malware or a threat actor, which can then be used to build a systematic course of action.

To use this tool, we must first install Perl.

On Strawberry Perl's website, download the Perl build that matches your Windows architecture.

Next, download Sleuthkit. (As of this writing, the current Sleuthkit version is 4.11.1.)


Next, extract Sleuthkit.zip to the C:\ drive.

Then browse to the C:\Sleuthkit\bin directory and copy its path.

Now open Environment Variables and add the copied directory to the Path variable.

In this demo, we will process a sample body file with mactime using the -b parameter, which tells mactime to read a body file.

Then we save the output as a .txt file named mac_timeline.txt.

Command: mactime.pl -b body.txt > mac_timeline.txt
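To show what mactime does with that body file, here is an added Python example (not part of this lab or of The Sleuth Kit): it parses the pipe-delimited body format, collapses equal timestamps of one file into a single row, and renders the macb flag column the way mactime does. The body entries are constructed sample data, not real evidence.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample body file (not real evidence). TSK body format, one entry per line:
#   MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime  (epoch seconds, 0 = unset)
SAMPLE_BODY = """\
0|C:/Users/lab/Downloads/invoice.zip|41|r/rrwxrwxrwx|0|0|51200|1700000100|1700000100|1700000100|1700000100
0|C:/Users/lab/AppData/Local/Temp/svc.exe|42|r/rrwxrwxrwx|0|0|204800|1700000200|1700000120|1700000120|1700000120
0|C:/Windows/Prefetch/SVC.EXE-1A2B3C4D.pf|43|r/rrwxrwxrwx|0|0|4096|1700000200|1700000200|1700000200|1700000200
0|C:/Users/lab/Documents/notes.txt|44|r/rrwxrwxrwx|0|0|1024|0|1699990000|1699990000|1699990000
"""

NAMES = ("md5", "name", "inode", "mode", "uid", "gid", "size", "atime", "mtime", "ctime", "crtime")
# Timestamp columns and the letter mactime prints for each in its "macb" column.
FLAGS = (("atime", "a"), ("mtime", "m"), ("ctime", "c"), ("crtime", "b"))

def parse_body(text):
    """Parse body-file text into one dict per entry; numeric fields become ints."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != len(NAMES):
            raise ValueError(f"line {lineno}: expected {len(NAMES)} fields, got {len(fields)}")
        rec = dict(zip(NAMES, fields))
        for key in ("size", "atime", "mtime", "ctime", "crtime"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def build_timeline(records):
    """One (epoch, macb, record) event per distinct timestamp per file, sorted by time.
    As in mactime, equal timestamps of one file collapse into a single event carrying
    several flags, and a 0 timestamp is treated as unrecorded and skipped."""
    events = defaultdict(str)                      # (epoch, record index) -> letters
    for i, rec in enumerate(records):
        for col, letter in FLAGS:
            if rec[col] != 0:
                events[(rec[col], i)] += letter
    timeline = []
    for (ts, i), letters in sorted(events.items()):
        macb = "".join(l if l in letters else "." for l in "macb")   # '.' = flag absent
        timeline.append((ts, macb, records[i]))
    return timeline

def format_timeline(timeline):
    """Render rows in mactime's column order: date, size, macb, mode, UID, GID, meta, name."""
    rows = []
    for ts, macb, r in timeline:
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
        rows.append(f"{when} {r['size']:>8} {macb} {r['mode']} {r['uid']} {r['gid']} {r['inode']} {r['name']}")
    return rows
```

Running `print("\n".join(format_timeline(build_timeline(parse_body(SAMPLE_BODY)))))` yields five rows, because svc.exe's later access time stands apart from its shared m/c/b time while notes.txt, whose atime is 0, produces one row with flags `m.cb`.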