Home Marty - A Windows Timeline Analysis Tool
Post
Cancel

Marty - A Windows Timeline Analysis Tool

Posted Feb 10, 2021 Updated Oct 27, 2022
By Andrew Clark IV
5 min read

Why?

This began when I was working with a forensic image of a Windows 10 machine on a Linux host. I wanted to quickly cross validate a simple finding, that a certain text file was edited on a certain date. The file edit occurred a few days prior to the imaging and thus there was probably an entry in the timeline database. I began searching for a tool to quickly search the timeline for it and get the timestamps. I realized that no tool really existed for this purpose, at least not on Linux. On Windows there are tools like Eric Zimmerman’s WxTCmd for parsing the database or kacos2000’s WindowsTimeline tool. WxTCmd dumps everything to a file and WindowsTimeline is a GUI based tool - both functional but suboptimal for the quick and simple verification I needed.

Marty.

So, I created Marty to be the tool I wanted and didn’t have at the time. A simple, fast, command line based, cross platform timeline database parser. It also forensically verifies the database before and after any operations on the database to ensure it is unchanged. For speed and platform compatibility, the tool is written in C and uses the Makefile build system. It only utilizes three non-standard libraries - json-c, sqlite3, and OpenSSL. The tool can be built relatively simply after installing and building the needed libraries on Mac OS and Linux. On Windows, CygWin is used to setup the environment and install sqlite3 and OpenSSL, after which json-c can be built. Once the setup is complete, a single Makefile can be used to successfully build Marty on any of the three platforms.

What can it do?

Running Marty with no arguments tells us what it can do.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

        [*] Marty Verion 0.2 - Alpha
"It's time to go back... in the Windows Timeline."


Marty is a Windows Timeline Analysis Program.

Commands:
        showallinfo              [-s, -l]               Print all information in the database.
        writeallinfo   FILE      [-s, -l]               Write all information in the database to FILE.
        showfilenames  NAME      [-s, -l]               Print all files found with NAME in the title.
        showprograms             [-s, -l]               Print all programs executed by the user found in the database.
        showextentions EXTENTION [-s, -l]               Print all files found with the EXTENTION.
        showclipboard            [-l]                   Print all clipboard data in the database.

Options:
        -l                                              Sort by the last modification time.
        -s                                              Sort by the last application or editior start time.

Windows Commands:
        showdatabasepath                                Print the path to the timeline database if on Windows.

To find databases:
        marty.exe showdatabasepath

Usage:
./marty "Database-Path" Command

Eamples:
./marty "ActivitiesCache.db" showtextfiles -l
./marty "ActivitiesCache.db" showextentions .docx -s

Marty, as of this writing, has six commands. If running on Windows, there is a seventh command: showdatabasepath. This command prints the location of any timeline databases found that can be used with Marty.

1
2
3
4
5
6
7
8
9
10

marty showdatabasepath

        [*] Marty Verion 0.2 - Alpha
"It's time to go back... in the Windows Timeline."

Profile Name: Starw
Timeline Path: C:\Users\Starw\AppData\Local\ConnectedDevicesPlatform\

[+] Found Timeline Database at: C:\Users\Starw\AppData\Local\ConnectedDevicesPlatform\a358a8546f8efe7e\ActivitiesCache.db
[+] Found Timeline Database at: C:\Users\Starw\AppData\Local\ConnectedDevicesPlatform\AAD.e2a38a8b-4445-4d58-ba19-965a144c6ae0\ActivitiesCache.db

On Linux, I could run a single command, showfilenames, to find the timestamp and file modification I was looking for.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

./marty 'a358a8546f8efe7e/ActivitiesCache.db' showfilenames 'Install Notes'

        [*] Marty Verion 0.2 - Alpha
"It's time to go back... in the Windows Timeline."

[*] a358a8546f8efe7e/ActivitiesCache.db MD5 Hash: 0ff9e7a4dd42e70b83b377764734b4bd

[+] Opened database successfully

[+] File Name: Install Notes.txt
[*] Path: C:\Users\Starw\Downloads\Install Notes.txt
[*] Modified Time: Mon 2021-02-08 23:09:12 EST
[*] Start time: Fri 2021-02-05 12:17:49 EST

[+] Operation completed successfully

[+] a358a8546f8efe7e/ActivitiesCache.db Unchanged (0ff9e7a4dd42e70b83b377764734b4bd:0ff9e7a4dd42e70b83b377764734b4bd)

But there are plenty of other useful commands such as showclipboard for printing all clipboard data and looking for a specific keyword the user may have copied.

1
2
3
4
5
6
7
8
9
10
11
12
13

 ./marty 'a358a8546f8efe7e/ActivitiesCache.db' showclipboard | grep security -B 2 -A 2

        [*] Marty Verion 0.2 - Alpha
"It's time to go back... in the Windows Timeline."

[+] Opened database successfully


[+] Clipboard data: c2VjdXJpdHkgY2xlYXJhbmNlLCBUUyBsZXZlbCBwcmVmZXJyZWQ=
[+] Clipboard data decoded: security clearance, TS level preferred
[+] Content type: Text
[*] Time: Wed 2021-02-10 14:42:57 EST
--

Most commands can take two arguments as well, -s and -l. -s sorts the output by the start time of the program opened or used to open a file. -l sorts by the last last program or file modification time. We can use to this to chronologically view files or programs opened by the user.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

./marty 'a358a8546f8efe7e/ActivitiesCache.db' showprograms -s

        [*] Marty Verion 0.2 - Alpha
"It's time to go back... in the Windows Timeline."

[*] a358a8546f8efe7e/ActivitiesCache.db MD5 Hash: 0ff9e7a4dd42e70b83b377764734b4bd

[+] Opened database successfully

[*] Sorting by StartTime.

[*] Program: Paint
[*] Display Text: Paint
[*] Start Time: Tue 2021-02-09 19:44:45 EST (Epoch: 1612917885)
[*] Last Modified Time: Tue 2021-02-09 19:44:45 EST (Epoch 1612973000)

[*] Program: Photos
[*] Display Text: cutaway.jpg
[*] Start Time: Tue 2021-02-09 19:44:52 EST (Epoch: 1612917892)
[*] Last Modified Time: Tue 2021-02-09 19:44:52 EST (Epoch 1612973000)

[*] Program: usbview
[*] Display Text: usbview
[*] Start Time: Tue 2021-02-09 20:23:10 EST (Epoch: 1612920190)
[*] Last Modified Time: Tue 2021-02-09 20:23:10 EST (Epoch 1612973001)

---

[+] Operation completed successfully

[+] a358a8546f8efe7e/ActivitiesCache.db Unchanged (0ff9e7a4dd42e70b83b377764734b4bd:0ff9e7a4dd42e70b83b377764734b4bd)

The showallinfo command prints all sorted data and joined tables in the database. writeallinfo writes the same information to a specified file.

Hacking, Windows
forensics
This post is licensed under CC BY 4.0 by the author.
Recently Updated
Contents