January 30, 2004



Continuing our series on digital computer forensics, this month we will see how to manage more than one digital forensics case centrally and graphically with the help of a package called Autopsy. Autopsy is a front-end to SleuthKit, the computer forensics toolkit we used last month to investigate a compromised machine (Sherlock is Back, page 100). SleuthKit itself is a collection of command-line tools, each of which needs its own set of options for every job; Autopsy wraps them in a browser-based GUI and keeps the results of each case together. We will create a new case of a computer crime, search for deleted files and trace as much data about those files as possible using Autopsy.

Installing Autopsy 
Since Autopsy needs the tools provided by SleuthKit as its back end, you must have SleuthKit installed in your home directory. We will use the convention ~/sleuthkit/ to represent its path. If you don’t have SleuthKit, you can get it from our last month’s PCQ Essential CD. To install SleuthKit, you can read our last month’s article. 

To start the installation, copy autopsy-1.75.tar.gz from this month’s PCQ Essential CD to your home directory and run the following commands.

#cp autopsy-1.75.tar.gz ~
#cd ~
#tar -zxvf autopsy-1.75.tar.gz

This will create a new directory called autopsy-1.75 in your home directory. Now go to the directory and run the following command.

#make all

Now you'll be asked some questions. First, the installer asks for the path of the SleuthKit build directory: enter ~/sleuthkit and press Enter. Next it asks whether you have downloaded the hash values for known files from the NSRL (National Software Reference Library; see the box below). If you answer 'yes', the installer asks for the path where the NSRL database is installed, and Autopsy will use it to flag known files. If you answer 'no', the installer continues without NSRL and every file will have to be reviewed manually.

Next, the installer asks for the directory in which all the evidence is to be stored, the 'evidence locker' path. This locker lives on the analysis workstation on which Autopsy runs, never on the compromised computer: nothing should be written to the suspect machine's disks, and the locker should be on a filesystem that only the investigators can read. Hit Enter and the installation completes.

Good and bad files
The NSRL (National Software Reference Library), a project of the US National Institute of Standards and Technology (NIST), publishes a database of hash values (MD5 and SHA-1) of the files that make up commonly used software. Autopsy uses such hash databases in two ways: a 'known good' database lists files that need no further attention (for example, the DLLs shipped with Windows), while a 'known bad' or 'alert' database lists files the investigator wants flagged, such as known viruses, worms, Trojans and hacking tools. A file whose hash is in neither database is simply unknown and still has to be reviewed by hand. Because the bulk of a typical image consists of known files, the database greatly cuts the number of files an investigator has to examine. For more on the hash database, go to www.nsrl.nist.gov.

Running Autopsy
Running Autopsy requires three steps: starting Autopsy, creating a case and host, and analysing the image.


Step 1
Start Autopsy
Start Autopsy by running the command autopsy in its build directory as shown below.

#./autopsy port_number host_name

[Figure: the text of a deleted file recovered by Autopsy]

Replace port_number with a free port and host_name with the address of the machine from which you will open the browser; Autopsy accepts connections from that address only. For example, ./autopsy 888 localhost starts Autopsy on port 888 for a browser running on the same machine. If you run Autopsy without any arguments, it listens on port 9999 and accepts connections only from localhost. When started, the command prints a URL such as http://localhost:9999/15956442131075357218/autopsy. Copy this URL into your Web browser and hit Enter to open Autopsy's main menu. The long number in the URL is a random session cookie that Autopsy checks on every request, so treat the URL as a secret. The connection is plain HTTP, so run the browser on the same host or only across a network you trust.

Step 2
Create case and host
In the main menu, click on the New Case button. On the next page enter a name and description for the case and add the investigators' names. Click on New Case to open the Case Gallery. Select your newly created case and click on Ok. You will be asked to add hosts. Click on the Add Host button and a new page will appear. Here, enter the name of the folder in which all the evidence for this host will be kept (it is created under the locker directory) and the time zone of the crime spot, so that the timestamps in the image are interpreted correctly. You can also enter the path to the Alert Hash Database for known good and bad files here. Finally, click on Add Host to complete this process.

[Figure: the New Case form, where the details of the new case are entered]

Next, select your newly created host and an investigator from the drop-down menu and click on Ok. The interface will ask you to add an image on which the investigation is to be done. Click on Add Image and a new page will open. Enter the location of the image file here. Below the image-location field are three radio buttons asking whether to copy or move the image file into your locker directory, or to create a symbolic link to it. Copying is the safest option: the original stays where it is, and the locker holds the copy you work on. Now, in the drop-down list, select the filesystem type of the image, and finally choose whether Autopsy should calculate an MD5 checksum of the image. Do create the checksum at this stage: it is what you will later compare against the hash taken when the disk was imaged, to show that the evidence has not changed. Finally, hit the Add Image button.

In the above fashion, you can add any number of images in a given host.
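The checksum step above is what later proves the evidence has not been altered. The script below is an added example written for this article, not Autopsy's own code: it records the hashes of an image before the image is copied into the locker, then checks the locker copy against them, and shows that even a single appended byte is detected. It records SHA-256 alongside the MD5 the article uses, because MD5 collisions are practical and a second hash makes the record harder to dispute. It assumes GNU coreutils (md5sum and sha256sum with -c --status); the image and locker paths are hypothetical.

```shell
#!/bin/sh
# Added example for this article (not Autopsy's or SleuthKit's code).
# Assumes GNU coreutils: md5sum, sha256sum (with -c --status), cp, mktemp.

# Write <image>.md5 and <image>.sha256 next to the image, with the bare file
# name inside so the manifests stay valid after the files are copied elsewhere.
hash_image() {   # hash_image <image>
  dir=$(dirname "$1"); name=$(basename "$1")
  ( cd "$dir" && md5sum "$name" > "$name.md5" && sha256sum "$name" > "$name.sha256" )
}

# Copy the image and its hash files into the locker, preserving timestamps.
copy_to_locker() {   # copy_to_locker <image> <locker_dir>
  mkdir -p "$2"
  cp -p "$1" "$1.md5" "$1.sha256" "$2"/
}

# Succeed only if the copy in the locker matches both recorded hashes.
verify_image() {   # verify_image <locker_dir> <image_name>
  ( cd "$1" && md5sum -c --status "$2.md5" && sha256sum -c --status "$2.sha256" )
}

# Demo on a constructed image (a real image comes from dd of the suspect disk).
work=$(mktemp -d)
printf 'constructed disk image, not real evidence' > "$work/disk.dd"
hash_image "$work/disk.dd"
copy_to_locker "$work/disk.dd" "$work/locker/case1"
if verify_image "$work/locker/case1" disk.dd; then
  echo "locker copy verified: $(cat "$work/locker/case1/disk.dd.md5")"
fi
# Any change to the copy, even one appended byte, is now detectable.
printf 'x' >> "$work/locker/case1/disk.dd"
if verify_image "$work/locker/case1" disk.dd; then
  echo "unexpected: tampered copy still verifies"
else
  echo "tampered copy rejected"
fi
rm -rf "$work"
```

Run verify_image again whenever the image is opened for analysis, and keep the hash files (or a printed copy of them) outside the locker as well, so that a mismatch can never be hidden by rewriting both the image and its manifest.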

Step 3
Run tests
Now it is time to analyse the case you just created. From the Case Gallery, select the case, host and image you want to work on. For example, to list all the deleted files in the image, click on File Analysis and then on 'All Deleted Files': Autopsy shows the names and dates of all the deleted files. Clicking on a file name shows its contents, as long as the data blocks it occupied have not yet been reused.

To search the unallocated space for a keyword, click on Keyword Search, enter the string you are looking for and click on Search. Autopsy runs the search over the unallocated data units of the image and lists every unit that contains the string, with its contents shown in hex as well as ASCII, so fragments of deleted files can be found even when no file name for them survives. From here you can also view a timeline of the file activity in the image.
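What the keyword search does can be reproduced on a raw image with standard tools. The script below is an added example written for this article, not part of Autopsy or SleuthKit: it searches an image for a fixed string with grep, reports the byte offset of every hit and prints the surrounding bytes in hex and ASCII, which is the view Autopsy gives for each hit. It runs against a small image it constructs itself; on a real case you would point it at the image in the locker, or at the unallocated space that SleuthKit's dls extracts from it. It assumes a POSIX shell with grep (supporting -F, -o, -b and -a), dd, od, tr and head.

```shell
#!/bin/sh
# Added example for this article (not Autopsy's or SleuthKit's code).
# Assumes POSIX sh plus grep with -F/-o/-b/-a, dd, od, tr, head and mktemp.

# Print the byte offset of every occurrence of a fixed string in an image.
# -F fixed string, -o one line per match, -b byte offset of the match, -a treat binary as text.
keyword_hits() {   # keyword_hits <image> <string>
  grep -Fboa -- "$2" "$1" | cut -d: -f1
}

# Dump <len> bytes (default 32) starting 8 bytes before <offset>, in hex and ASCII,
# the way a forensic browser shows the context of a hit. Non-printable bytes show as '.'.
show_context() {   # show_context <image> <offset> [len]
  img=$1; off=$2; len=${3:-32}
  start=$((off - 8))
  if [ "$start" -lt 0 ]; then start=0; fi
  hex=$(dd if="$img" bs=1 skip="$start" count="$len" 2>/dev/null | od -An -v -t x1 | tr -s ' \n' ' ')
  ascii=$(dd if="$img" bs=1 skip="$start" count="$len" 2>/dev/null | tr -c '[:print:]' '.')
  printf '%08d %s\n         %s\n' "$start" "$hex" "$ascii"
}

# Build a constructed image: some header bytes, zero-filled (unallocated-looking)
# gaps, and a "deleted" note that mentions an account number twice.
make_sample_image() {   # make_sample_image <path>
  {
    printf 'BOOT SECTOR PADDING '                        # 20 bytes
    head -c 44 /dev/zero                                 # offsets 20-63
    printf 'Deleted memo: wire 50000 to account 7781\n'  # starts at 64
    head -c 100 /dev/zero                                # offsets 105-204
    printf 'account 7781 again'                          # starts at 205
  } > "$1"
}

# Demo: construct the image, search it and show the context of each hit.
tmpdir=$(mktemp -d)
make_sample_image "$tmpdir/disk.dd"
for off in $(keyword_hits "$tmpdir/disk.dd" "account 7781"); do
  printf 'hit at byte %s\n' "$off"
  show_context "$tmpdir/disk.dd" "$off"
done
rm -rf "$tmpdir"
```

Dividing a hit's byte offset by the filesystem's block size gives the data unit Autopsy would report, and that unit can then be examined or exported with SleuthKit. Add -i to the grep call for a case-insensitive search; searching for a string that is split across two units (or stored in UTF-16, as Windows does) needs a search over both encodings and will not be found by a plain byte match.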

So, finally, we have seen how you can do all of SleuthKit's tasks with the help of this Web-based front-end. For more on Autopsy, go to www.sleuthkit.org/autopsy.

Anindya Roy
