Security & Forensic


For incident analysis and response, a way to check users' ordinary activities (use of storage devices, web activity, etc.) in chronological order.
Displays application execution, web activity (internet searches, etc.), frequently opened files and so on, ordered by time.

 

This is the data shown when you press Windows + TAB. It is collected only when the "Let Windows collect my activities from this PC"
option is enabled, and it lets you check the user's activity for up to 30 days back from the present.

Analysis scope
Application execution history
Web activity history, such as internet searches
Frequently opened or recently accessed files
Tracing the user's past activity
Files created, modified, deleted or accessed before and after the incident

File path
Users\AppData\Local\ConnectedDevicesPlatform\L.\ActivitiesCache.db <- SQLite DB format
Example
C:\Users\chohb\AppData\Local\ConnectedDevicesPlatform\c0fe10dddb98dd4b\ActivitiesCache.db

 

Analysis
Last Activity View

From: https://www.nirsoft.net/utils/computer_activity_view.html

A tool that collects information from various sources on the running system and displays a log of user actions and events.

The collected data includes running .exe files, opening open/save dialog boxes, opening files/folders from Explorer or other software,
software installation, system shutdown/startup, application or system crashes, network connect/disconnect, and so on.

Actions/Events List
The following actions and events are currently supported by LastActivityView:

  • Run .EXE file: .EXE file run directly by the user, or by another software/service running in the background.
  • Select file in open/save dialog-box: The user selected the specified filename from the standard Save/Open dialog-box of Windows.
  • Open file or folder: The user opened the specified filename from Windows Explorer or from another software.
  • View Folder in Explorer: The user viewed the specified folder in Windows Explorer.
  • Software Installation: The specified software has been installed or updated.
  • System Started: The computer has been started.
  • System Shutdown: The system has been shut down, directly by the user, or by a software that initiated a reboot.
  • Sleep: The computer has been placed into sleep mode.
  • Resumed from sleep: The computer has been resumed from sleep mode.
  • Network Connected: Network connected, after previously disconnected.
  • Network Disconnected: Network has been disconnected.
  • Software Crash: The specified software has crashed.
  • Software stopped responding (hang): The specified software stopped responding.
  • Blue Screen: A blue screen event has occurred on the system.
  • User Logon: The user logged on to the system.
  • User Logoff: The user logged off from the system. This event might be caused by a software that initiated a reboot.
  • Restore Point Created: Restore point has been created by Windows operating system.
  • Windows Installer Started
  • Windows Installer Ended
  • Wireless Network Connected: Windows connected to a wireless network, the connection information is displayed in the 'More Information' column.
  • Wireless Network Disconnected: Windows disconnected from a wireless network, the connection information is displayed in the 'More Information' column.

GUI

CLI

C:\>LastActivityView.exe /sort "~ action time" /sxml C:\temp\LastActivity.xml

 

Listing field names

C:\>logparser.exe -h -i:xml "C:\temp\LastActivity.xml" -headerrow:on

Fields:
  action_time (S)      description (S)    filename (S)    full_path (S)
  more_information (S) file_extension (S) data_source (S)

 

Query

C:\>logparser.exe -stats:off -i:xml "select action_time, filename, description, data_source from 'C:\temp\LastActivity.xml'"

 

WxTCmd
WxTCmd parses the Activity table and the Activity_PackageIDs table from ActivitiesCache.db
and saves them in TSV form.


F:\>WxTCmd.exe -f "C:\Users\chohb\AppData\Local\ConnectedDevicesPlatform\c0fe10dddb98dd4b\ActivitiesCache.db" --csv f:\temp\activitiescache

 

F:\tool\forensic\WxTCmd>dir f:\temp\activitiescache
2020-03-06  오전 10:15         1,547,408 20200306101553_Activity.tsv
2020-03-06  오전 10:15         4,452,590 20200306101553_Activity_PackageIDs.csv


F:\>LogParser.exe -h -i:tsv "f:\temp\activitiescache\20200306101553_Activity.tsv"
Fields:
 Filename (S)
 RowNumber (I)
 Id|Executable|DisplayText|ContentInfo|StartTime|EndTime|LastModifiedTime|ExpirationTime|CreatedInCloud|LastModifiedOnClient|OriginalLastModifiedOnClient|ActivityType|IsLocalOnly|ETag|PackageIdHash|PlatformDeviceId|Duration (S)

F:\>LogParser.exe -i:tsv "select * from f:\temp\activitiescache\20200306101553_Activity.tsv"

F:\>LogParser.exe -i:tsv "select * from 'F:\temp\activitiescache\20200306101553_Activity_PackageIDs.csv'"

SQLite
F:\>sqlite3.exe C:\Users\chohb\AppData\Local\ConnectedDevicesPlatform\c0fe10dddb98dd4b\ActivitiesCache.db

sqlite> .database
main: C:\Users\chohb\AppData\Local\ConnectedDevicesPlatform\c0fe10dddb98dd4b\ActivitiesCache.db

sqlite> .table
Activity            Activity_PackageId  DataEncryptionKeys  Metadata
ActivityOperation   AppSettings         ManualSequence      SmartLookup

sqlite> pragma table_info(Activity); 
0|Id|GUID|1||1
1|AppId|TEXT|1||0
2|PackageIdHash|TEXT|0||0
3|AppActivityId|TEXT|0||0
4|ActivityType|INT|1||0
5|ActivityStatus|INT|1||0
6|ParentActivityId|GUID|0||0
7|Tag|TEXT|0||0
8|Group|TEXT|0||0
9|MatchId|TEXT|0||0
10|LastModifiedTime|DATETIME|1||0
11|ExpirationTime|DATETIME|0||0
12|Payload|BLOB|0||0
13|Priority|INT|0||0
14|IsLocalOnly|INT|0||0
15|PlatformDeviceId|TEXT|0||0
16|CreatedInCloud|DATETIME|0||0
17|StartTime|DATETIME|0||0
18|EndTime|DATETIME|0||0
19|LastModifiedOnClient|DATETIME|0||0
20|GroupAppActivityId|TEXT|0||0
21|ClipboardPayload|BLOB|0||0
22|EnterpriseId|TEXT|0||0
23|OriginalPayload|BLOB|0||0
24|OriginalLastModifiedOnClient|DATETIME|0||0
25|ETag|INT|1||0
26|UserActionState|INT|0|0|0
27|IsRead|INT|0|0|0
28|GroupItems|TEXT|0||0
29|DdsDeviceId|TEXT|0||0

sqlite> select * from Activity;
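The `select * from Activity;` query above returns the raw rows: `AppId` is a JSON array, `Payload` is a JSON blob, and the `StartTime`/`EndTime`/`LastModifiedTime`/`ExpirationTime` columns are Unix epoch seconds. The script below is an added example (not from the original post, and not part of WxTCmd, LogParser or any other tool) that opens an ActivitiesCache.db copy read-only and turns the Activity table into a chronological list with those fields decoded. It assumes the public interpretation of `ActivityType` 5 as ExecuteOpen and 6 as InFocus (other values are reported numerically), and it builds an in-memory sample database with a constructed subset of the schema shown in the `pragma table_info(Activity)` output so that it runs without a real evidence file.

```python
"""Timeline from the Activity table of ActivitiesCache.db.
Added example; the sample rows and the ACTIVITY_TYPES map are assumptions."""
import json
import sqlite3
from datetime import datetime, timezone
from pathlib import Path

# ActivityType values as publicly documented for ActivitiesCache.db (assumption:
# only these two are mapped here; anything else is reported as Unknown(n)).
ACTIVITY_TYPES = {5: "ExecuteOpen", 6: "InFocus"}


def _epoch(value):
    """StartTime/EndTime/LastModifiedTime/ExpirationTime are epoch seconds; 0/NULL = unset."""
    if not value:
        return None
    return datetime.fromtimestamp(int(value), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def _executable(app_id):
    """AppId is a JSON array of {application, platform}; prefer the x_exe_path entry."""
    try:
        entries = json.loads(app_id or "[]")
    except json.JSONDecodeError:
        return app_id
    for entry in entries:
        if entry.get("platform") == "x_exe_path":
            return entry.get("application")
    return entries[0].get("application") if entries else None


def _display_text(payload):
    """Payload is a JSON blob; ExecuteOpen rows carry displayText / contentUri."""
    if not payload:
        return None
    try:
        data = json.loads(payload)
    except (json.JSONDecodeError, UnicodeDecodeError):
        return None
    return data.get("displayText") or data.get("contentUri")


def timeline(conn):
    """Return Activity rows oldest-first as dicts with decoded fields."""
    sql = """SELECT Id, AppId, ActivityType, StartTime, EndTime, LastModifiedTime,
                    ExpirationTime, Payload
             FROM Activity ORDER BY StartTime, LastModifiedTime"""
    rows = []
    for id_, app_id, atype, start, end, lastmod, exp, payload in conn.execute(sql):
        rows.append({
            "id": id_,
            "executable": _executable(app_id),
            "type": ACTIVITY_TYPES.get(atype, f"Unknown({atype})"),
            "start": _epoch(start),
            "end": _epoch(end),
            "last_modified": _epoch(lastmod),
            "expires": _epoch(exp),
            "display_text": _display_text(payload),
        })
    return rows


def open_readonly(path):
    """Open an evidence copy read-only so analysis never modifies the file."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)


def build_sample_db():
    """Constructed sample DB: a subset of the real Activity columns with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE Activity (
        Id GUID PRIMARY KEY, AppId TEXT NOT NULL, ActivityType INT NOT NULL,
        LastModifiedTime DATETIME NOT NULL, ExpirationTime DATETIME, Payload BLOB,
        StartTime DATETIME, EndTime DATETIME, PlatformDeviceId TEXT)""")
    # Constructed values: a KNOWNFOLDERID-style exe path and a plausible payload.
    app_id = json.dumps([{"application": "{6D809377-0000-0000-0000-000000000000}\\Notepad++\\notepad++.exe",
                          "platform": "x_exe_path"}])
    open_payload = json.dumps({"displayText": "notes.txt",
                               "contentUri": "file:///C:/Users/analyst/notes.txt"}).encode()
    focus_payload = b'{"type":"UserEngaged"}'
    conn.executemany("INSERT INTO Activity VALUES (?,?,?,?,?,?,?,?,?)", [
        ("11111111-1111-1111-1111-111111111111", app_id, 5, 1583457300, 1586049300,
         open_payload, 1583457300, 0, "sample-device"),
        ("22222222-2222-2222-2222-222222222222", app_id, 6, 1583457413, 1586049413,
         focus_payload, 1583457353, 1583457413, "sample-device"),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    for row in timeline(build_sample_db()):
        print(row["start"], row["end"], row["type"], row["executable"], row["display_text"])
```

Point `open_readonly()` at a copied ActivitiesCache.db and pass the connection to `timeline()`; the read-only URI keeps the evidence copy unmodified, and the UTC timestamps can be shifted to the machine's local zone when correlating with the local-time `dir` listing and LastActivityView output above.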
