Time Travel with Timeline Explorer: Exposing Insider Threats

Malik Girondin 11/09/2024
Picture this: a trusted employee has been leaking sensitive information for months—without your knowledge. Now, your organization is at risk, and the damage is done. This scenario, sadly, is not uncommon.

Introduction

An insider threat, as defined by the Cybersecurity and Infrastructure Security Agency (CISA), “is the potential for an insider to use their authorized access or understanding of an organization to harm that organization.” Insider threats are a significant concern in cybersecurity, and detecting them early can spare an organization catastrophic consequences. That is why the Insider Threat Matrix (ITM) was developed. ITM was created by James Weston and Joshua Beaman of Security Blue Team to help digital investigators examine computer-enabled insider threats in organizations of any size.

Insider Threat Matrix Framework

Enter Timeline Explorer, a feature-rich Excel replacement created by Eric Zimmerman. This GUI-only tool can help expose insider threats by letting you analyze historical data, that is, what happened on a system in the past. This blog will guide you through how Timeline Explorer works and how it can be a game-changer for uncovering hidden activity within your organization.

Understanding Insider Threats

As mentioned above, insider threats are cybersecurity risks that originate from within the organization. They can come from current or former employees, contractors, or partners who have access to sensitive information or systems. Take Edward Snowden, a former IT contractor who provided services to US intelligence agencies. Some call him a whistleblower, a hero, or a traitor, but in the cybersecurity community he is an insider threat by definition: he leaked classified documents revealing the existence of global surveillance programs. In a more recent example, the security firm KnowBe4 hired a software engineer for its internal AI team who turned out to be a North Korean threat actor and who quickly began loading malware onto his company-issued workstation. Old or recent, insider threats remain threats.

Let’s broadly categorize insider threats into two types:

Malicious insiders: Individuals who intentionally harm the organization. Their motives range from financial gain to revenge or espionage.

Negligent insiders: Employees or other insiders who unintentionally cause harm through carelessness, such as falling for phishing scams or mishandling sensitive data.

To summarize: regardless of intent, insider threats can lead to significant financial and reputational damage, so organizations must detect and mitigate them promptly.

Introduction to Timeline Explorer

Timeline Explorer is a versatile tool used in digital forensics to analyze event logs (more on these below) and other data sources, building a detailed timeline of user activity. By organizing records chronologically, Timeline Explorer helps analysts spot anomalies that could indicate malicious activity, long after it happened (hence, time travel).

Logs are extremely important in cybersecurity, and the technical demo below shows why. Think of them as a historical record that is invaluable for analysis. You will not be watching applications, systems, or end-user devices 24/7, which is exactly why keeping log records, and being able to parse them with tools like Timeline Explorer, matters so much. You are effectively reviewing the past from the present: time travelling again.

Now, let's cover some key features:

Data Visualization: The tool provides a clear, chronological view of events.

Filtering and Sorting: The tool lets you filter events on specific criteria, such as a time range, event type, or user account, using the filter row at the top of each column, and sort or group on any column.

Integration: The tool allows you to import data from various sources—in a CSV or Excel format.

Using Timeline Explorer to Detect Insider Threats

Gathering Logs and Data Sources

The first step in using Timeline Explorer is collecting the relevant logs and data. I will use the Master File Table ($MFT) from a compromised Windows PC. Very popular in forensic investigations, the $MFT is the core metadata structure of the NTFS file system: every file and directory on the volume has a record in it, holding the name, parent directory, size, and timestamps. Records of deleted files stay in the table until their slot is reused, so deleted files are often still visible too.

$MFT in File Explorer

There is just one problem: Timeline Explorer cannot open the raw $MFT directly. So we will use another forensic tool from the same author, MFTECmd, which parses $MFT files from NTFS volumes into a CSV that Timeline Explorer accepts. Two practical notes first: the $MFT of a running system is locked by the OS, so work from a forensic image or a copy acquired with a raw-disk collection tool, from an elevated prompt; and in PowerShell the file name must be quoted ('$MFT'), or the shell will expand it as an empty variable. MFTECmd's --csv switch takes the output directory, and --csvf sets the output file name (otherwise you get a timestamped default name). Let's run the following command:

MFTECmd.exe -f $MFT --csv . --csvf InsiderThreat.csv

MFTECmd.exe CLI

Importing Data into Timeline Explorer

Now that we have the CSV file (InsiderThreat.csv in my case), we can load it into Timeline Explorer either by dragging the CSV onto the open tool or via File -> Open. I chose the latter:

InsiderThreat.csv | Timeline Explorer

Investigating Suspicious Activities

In this scenario, the PC was allegedly used to spread malware to other internal computers. The malware goes by the file name scanner.exe. Here is its SHA256 hash if you want to research it further: a879d2c1608c4b5cf801c2ab49b54b4139aa13f636fc6495fcaf940591713905. Here are its VirusTotal results:

Scanner.exe | Virus Total

OK, let's filter the File Name column for “scanner.exe” in Timeline Explorer:

Scanner.exe | Timeline Explorer

As you can see, three of the 357,981 records remain visible. Let's dissect them. First, look at the Parent Path column: it shows the directory that held the malware and, because that directory sits under \Users\, the name of the profile it belongs to: Boris Johnson. That is further confirmation that the malware was in his profile. One caveat: a profile folder tells you which Windows account was used, not who was physically at the keyboard; corroborate it with logon events (Security event ID 4624) or physical access records before naming a person. Let's move on to the other columns.

You might not see it at first, but the File Name column provides a wealth of information. There are three instances of scanner.exe, but each is different, as the Extension column shows. The plain .exe entry tells us when the file first landed on the file system; the Created0x10 column gives the exact time: 2023-01-31 09:33:41. That timestamp comes from the $STANDARD_INFORMATION attribute, which user-mode tools can rewrite (timestomping), so always compare it with Created0x30, which comes from the $FILE_NAME attribute that the kernel maintains; MFTECmd flags the telltale mismatch in its SI<FN column. If the two agree, the download time can be trusted; if 0x10 is earlier than 0x30, treat it with suspicion. Let's jump to the second instance.

Notice the entry named scanner.exe:SmartScreen. The part after the colon is an alternate data stream (ADS): extra data that NTFS attaches to a file under the same name, which is why MFTECmd lists it as its own record. Windows Defender SmartScreen is a security feature from Microsoft that helps protect users from downloading or running potentially malicious software. When a file is downloaded or opened, SmartScreen checks it against Microsoft's reputation service and can warn the user or block the file; this stream is written when SmartScreen processes a downloaded file. Downloaded files usually carry a Zone.Identifier stream as well (the Mark of the Web, ZoneId=3 for the Internet zone, often with the source URL), which is worth looking for too. The SmartScreen stream on its own only shows the file was evaluated; whether the user clicked “Run anyway” is answered by the third and final instance of scanner.exe.

The .pf extension denotes a Prefetch file. Windows creates one the first time an application is run from a particular location, to speed up later launches. The common format is the application name, a hyphen, an eight-character hash of the path it was run from, and the .pf extension; here, SCANNER.EXE-74DCCE11.pf. Evidence of execution is valuable to an investigator: even if the program has been deleted, its prefetch file may still exist. Two caveats: prefetch is disabled by default on Windows Server, and the .pf is written roughly ten seconds after the first launch, so its creation time is a close approximation of first execution rather than the exact start. Parsing the file itself with PECmd (also by Eric Zimmerman) adds the run count and up to the last eight run times. In this example, the malware got past SmartScreen, most likely because the user chose to run it anyway, and was launched about 42 seconds after it was downloaded. Here is the exact time: 2023-01-31 09:34:23.

In summary, this is a good example of using Timeline Explorer to look back in time for clues about an insider threat. We gathered the user's profile name, the malware download time, and the malware run time. With this information, we can correlate against network logs (or other events) from the same window to see whether any other devices were affected, as the scenario suggested at the start.
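To show how the three records above can be pulled out of an MFTECmd export without clicking through the grid, here is an added Python example; it is not code from the original post and not one of Eric Zimmerman's tools. It reads a small constructed CSV in MFTECmd's column layout that mirrors this scenario (the rows are invented; the column names are MFTECmd's real ones, but only the subset the script needs), applies the same “File Name contains scanner.exe” filter Timeline Explorer does, separates the executable from its alternate data stream and its Prefetch file, computes the download-to-first-run gap, extracts the profile name from the parent path, and flags Created0x10 earlier than Created0x30 as a timestomp indicator. A second invented file, update.exe, carries that mismatch to exercise the check.

```python
"""Triage an MFTECmd CSV export for one file name: the executable, its alternate
data streams, its Prefetch trace, and a timestomp check on its timestamps."""
import csv
import io
from datetime import datetime
from typing import Dict, List, Optional

Row = Dict[str, str]

# Constructed sample in the shape of an MFTECmd export. Only the columns this
# script reads are present; columns are looked up by header name, so a real,
# full-width export works unchanged. The rows mirror the post's scenario and
# were not taken from any real system.
SAMPLE_CSV = "\n".join([
    "EntryNumber,InUse,ParentPath,FileName,IsDirectory,IsAds,Created0x10,Created0x30,LastModified0x10",
    r"41201,True,.\Users\Boris Johnson\Downloads,scanner.exe,False,False,2023-01-31 09:33:41.1054421,2023-01-31 09:33:41.1054421,2023-01-31 09:33:40.9871120",
    r"41201,True,.\Users\Boris Johnson\Downloads,scanner.exe:SmartScreen,False,True,2023-01-31 09:33:41.1054421,2023-01-31 09:33:41.1054421,2023-01-31 09:33:41.3011000",
    r"97014,True,.\Windows\Prefetch,SCANNER.EXE-74DCCE11.pf,False,False,2023-01-31 09:34:23.5502910,2023-01-31 09:34:23.5502910,2023-01-31 09:34:23.5502910",
    r"12077,True,.\Program Files\ScanUtility,scanner.exe,False,False,2022-06-10 14:02:19.0000000,2022-06-10 14:02:19.0000000,2021-11-03 08:15:00.0000000",
    r"50399,True,.\Users\Boris Johnson\AppData\Local\Temp,update.exe,False,False,2019-05-01 10:00:00.0000000,2023-01-31 09:40:12.4410000,2019-05-01 10:00:00.0000000",
])


def parse_ts(value: str) -> Optional[datetime]:
    """Parse MFTECmd's default 'yyyy-MM-dd HH:mm:ss.fffffff' timestamp.
    strptime's %f takes at most six fractional digits, so the seventh is dropped."""
    value = value.strip()
    if not value:
        return None
    if "." in value:
        base, frac = value.split(".", 1)
        return datetime.strptime(f"{base}.{frac[:6].ljust(6, '0')}", "%Y-%m-%d %H:%M:%S.%f")
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def profile_owner(parent_path: str) -> Optional[str]:
    """Return the profile folder name when the path sits under \\Users\\.
    That names the Windows account's profile, not the person at the keyboard."""
    parts = parent_path.replace("/", "\\").split("\\")
    for i, part in enumerate(parts):
        if part.lower() == "users" and i + 1 < len(parts):
            return parts[i + 1]
    return None


def is_timestomped(row: Row) -> bool:
    """$STANDARD_INFORMATION (0x10) created before $FILE_NAME (0x30) created is
    the classic tell: timestomping tools rewrite 0x10, the kernel keeps 0x30."""
    si, fn = parse_ts(row["Created0x10"]), parse_ts(row["Created0x30"])
    return si is not None and fn is not None and si < fn


def triage(csv_text: str, needle: str) -> Dict[str, object]:
    """Apply a Timeline Explorer-style 'FileName contains' filter, split the hits
    into executables, ADS entries and Prefetch files, and report per-file
    findings that would otherwise be read off the grid by hand."""
    needle_l = needle.lower()
    rows: List[Row] = [r for r in csv.DictReader(io.StringIO(csv_text))
                       if needle_l in r["FileName"].lower()]
    ads = [r for r in rows if r["IsAds"] == "True" or ":" in r["FileName"]]
    prefetch = [r for r in rows if r["FileName"].lower().endswith(".pf")
                and r["FileName"].upper().startswith(needle.upper() + "-")]
    skip = {id(r) for r in ads} | {id(r) for r in prefetch}
    files = [r for r in rows if id(r) not in skip and r["IsDirectory"] == "False"]

    # A .pf is written roughly ten seconds after the FIRST launch, so its creation
    # time approximates first execution. Its 8-hex-char suffix hashes the launch
    # path; when several files share a name, PECmd on the .pf tells you which one.
    first_pf = min(prefetch, key=lambda p: p["Created0x10"], default=None)
    first_run = parse_ts(first_pf["Created0x10"]) if first_pf else None

    findings = []
    for r in files:
        created = parse_ts(r["Created0x10"])
        gap = (first_run - created).total_seconds() if created and first_run else None
        findings.append({
            "path": f'{r["ParentPath"]}\\{r["FileName"]}',
            "owner": profile_owner(r["ParentPath"]),
            "in_use": r["InUse"] == "True",  # False means the record is of a deleted file
            "created_0x10": r["Created0x10"],
            "ads_streams": [a["FileName"].split(":", 1)[1] for a in ads
                            if a["ParentPath"] == r["ParentPath"]
                            and a["FileName"].split(":", 1)[0].lower() == r["FileName"].lower()],
            "first_run_0x10": first_pf["Created0x10"] if first_pf else None,
            "seconds_to_first_run": None if gap is None else round(gap, 1),
            "timestomped": is_timestomped(r),
        })
    findings.sort(key=lambda f: f["created_0x10"])
    return {"matches": rows, "ads": ads, "prefetch": prefetch, "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_CSV, "scanner.exe")["findings"]:
        print(finding)
```

Run against a real export by replacing SAMPLE_CSV with the contents of InsiderThreat.csv. The script deliberately attaches the earliest Prefetch file to every executable of that name, so a second scanner.exe in Program Files shows up with a nonsensical multi-month gap; that is the cue to parse the .pf with PECmd and confirm which path the hash belongs to rather than trusting the name alone.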

Extra Practice

If you enjoyed this demo, look out for the new investigation dropping soon on our Blue Team Labs Online (BTLO) platform. It will have you analyze an MFT from an insider threat named Lukas Knight. The lab is called BTLO - Cipher 0, a prequel to our insider threat lab BTLO - Cipher, but more technical. If you are up for it, give it a shot! The lab will have you use Timeline Explorer and the ITM framework to answer multiple questions about insider threats.

BTLO - Cipher 0 | Easy DF Lab

Conclusion

Insider threats are a significant challenge for organizations, but with tools like Timeline Explorer, post-incident analysis can fill in the clues about past events and help mitigate the risk going forward. By building a detailed timeline of activity, you can see the full picture and correlate events across different sources (e.g., the $MFT, network logs, and user activity logs). Together these give a comprehensive view of an insider threat's actions.

About SBT

Security Blue Team (SBT) is a leading online education and training provider, specializing in cybersecurity courses and programs for over 100,000 students worldwide. With a solid commitment to delivering an exceptional experience to each user, we have implemented a robust infrastructure to support our operations.

About Malik Girondin

Malik has experience in both technical and educational roles within cybersecurity and is here to share his knowledge of both! He writes on careers advice and mentorship.