
The Sleuth Kit v2.01 and Autopsy Forensic Browser Demonstration Anthony Dowling PDF

294 Pages·2006·6.44 MB·English

Preview The Sleuth Kit v2.01 and Autopsy Forensic Browser Demonstration Anthony Dowling

The Sleuth Kit v2.01 and Autopsy Forensic Browser Demonstration
Anthony Dowling
Date: June 02, 2006

Abstract

The Sleuth Kit is a collection of Linux tools that perform different aspects of a file system analysis. The Autopsy Forensic Browser is a graphical user interface that provides a user-friendly front end to the command line tools contained within The Sleuth Kit. This demonstration investigates the use of The Sleuth Kit and Autopsy Forensic Browser as forensic investigation tools, with the aim of providing an indication of the effectiveness of these tools as digital forensic tools in real-world case studies.

The Sleuth Kit and Autopsy Forensic Browser provide an effective file system analysis toolset. The flexibility of the tools contained within The Sleuth Kit often leads to complex command line strings; this complexity is overcome by the automation provided by the Autopsy Forensic Browser. Not only do The Sleuth Kit and Autopsy Forensic Browser provide an effective toolset, they also offer an affordable alternative to expensive commercial or proprietary toolsets.

Digital Forensics is an area of increasing importance with an expanding field of coverage, requiring many different tools to perform varying functions. It is with this in mind that this demonstration focuses on three case studies, which are used to give an indication of the effectiveness of The Sleuth Kit and Autopsy Forensic Browser. The demonstration of The Sleuth Kit and Autopsy Forensic Browser contained within the case studies could serve as an introductory overview of a new toolset for investigators looking for an alternative or complementary Digital Forensics toolset.

Preface

The author would like to thank the following persons and institutions for the help and support they have given prior to and during the writing of this thesis.

• Brian Carrier, author of The Sleuth Kit and Autopsy Forensic Browser, who was quick to respond to all queries regarding the toolset.
• All the contributors to The Sleuth Kit Developer and User forums, who were always quick to provide feedback and answers to any questions.

Table of Contents

Abstract
Preface
Table of Contents
List of Tables
List of Figures
Chapter 1 Introduction
Chapter 2 The Sleuth Kit and Autopsy Forensic Browser
  2.1 Introduction
  2.2 The Sleuth Kit
    2.2.1 File System Layer
    2.2.2 Content Layer
    2.2.3 Metadata Layer
    2.2.4 Human Interface Layer
    2.2.5 Media Management Tools
    2.2.6 Image File Tools
    2.2.7 Disk Tools
    2.2.8 Other Tools
  2.3 Autopsy Forensic Browser
    2.3.1 Case Management
    2.3.2 Integrity Check
    2.3.3 Hash Databases
    2.3.4 Notes
    2.3.5 Event Sequencer
    2.3.6 File Activity Timelines
    2.3.7 File Analysis
      2.3.7.1 Directory List
      2.3.7.2 Directory Contents
      2.3.7.3 File Contents
    2.3.8 Keyword Search
      2.3.8.1 Entering the String
      2.3.8.2 Viewing the Results
      2.3.8.3 Previous Searches
      2.3.8.4 Regular Expressions
      2.3.8.5 How Autopsy performs a Keyword Search
      2.3.8.6 Problems with Keyword Search Method
    2.3.9 File Category Type Analysis
      2.3.9.1 Procedure
      2.3.9.2 Hash Databases
      2.3.9.3 Output
    2.3.10 Image Details
      2.3.10.1 FFS & EXT2FS
      2.3.10.2 FAT
      2.3.10.3 NTFS
    2.3.11 Metadata Analysis
      2.3.11.1 Overview
      2.3.11.2 Input
      2.3.11.3 Viewing
      2.3.11.4 NTFS Notes
      2.3.11.5 FAT Notes
    2.3.12 Data Unit Analysis
      2.3.12.1 Input
      2.3.12.2 Viewing
      2.3.12.3 FAT Notes
  2.4 Summary
Chapter 3 Case Studies
  3.1 Introduction
  3.2 Case Study 01
    3.2.1 Introduction
    3.2.2 Background information
    3.2.3 Questions
    3.2.4 Analysis
      3.2.4.1 Creation of an Autopsy Case
      3.2.4.2 Creation of Search Indexes
      3.2.4.3 File Analysis
    3.2.5 Answers
    3.2.6 Discussion
  3.3 Case Study 02
    3.3.1 Introduction
    3.3.2 Background information
    3.3.3 Questions
    3.3.4 Analysis
      3.3.4.1 Creation of an Autopsy Case
      3.3.4.2 Creation of Search Indexes
      3.3.4.3 File Analysis
      3.3.4.4 Image Details
      3.3.4.5 Unallocated Directory Entries
      3.3.4.6 Data Extraction
      3.3.4.7 Foremost Data Retrieval
      3.3.4.8 Steganography Check
    3.3.5 Answers
    3.3.6 Discussion
  3.4 Case Study 03
    3.4.1 Introduction
    3.4.2 Background information
    3.4.3 Questions
    3.4.4 Analysis
      3.4.4.1 Creation of an Autopsy Case
      3.4.4.2 Creation of Search Indexes
      3.4.4.3 Creation of Event Sequencer
      3.4.4.4 Inspection of ‘/var/log/lastlog’ log file entries
      3.4.4.5 Inspection of ‘/var/log/messages’ log file entries
      3.4.4.6 Inspection of the Swap Partition for Log Entries
      3.4.4.7 Inspection of Swap Partition for Environment Info
      3.4.4.8 Inspection of User Accounts
      3.4.4.9 Creation of a Timeline
      3.4.4.10 Analysis of a Timeline
    3.4.5 Answers
    3.4.6 Discussion
  3.5 Summary
References
Appendix A: Case Study 03 File Activity Timeline
  Nov 07 2000 04:02:03 -> Nov 08 2000 04:02:06
  Nov 08 2000 08:25:53 -> Nov 08 2000 22:10:01
