• Tracking of separate cases and multiple investigators
• Viewing allocated and deleted files and directories
• Accessing low-level file system structures
• Generating a timeline of file activity
• Sorting by file categories and checking extensions
• Searching image data by keywords
• Identifying graphic images and creating thumbnails
• Looking up hash databases, including the forensic standards NIST NSRL and HashKeeper
• Creating investigator notes
• Generating reports
Installing Sleuth Kit
1. Download and unzip the file from the book's CD-ROM or the Web site.
2. In the directory, type:
make
The program automatically configures and compiles itself. It may prompt you with a few questions during the installation process.
Installing Autopsy Forensic Browser
This program is the graphical interface counterpart to Sleuth Kit. Using it with Sleuth Kit will make your life a whole lot easier and allow you to produce some nice graphical output. You can still use the Sleuth Kit command line tools separately if you want to.
1. Make sure you have Sleuth Kit installed before you start to install Autopsy.
2. Get the Autopsy file from the Web site or from the book's CD-ROM in the /autopsy directory.
3. Untar and unzip it with the usual tar -zxvf command.
4. Have the path to the Sleuth Kit program directory handy and think about where you want to put your "evidence locker", the special directory where all your Sleuth Kit case data will reside. Put it on a volume with enough room for copies of every image you expect to handle, and keep it on a machine that only investigators can log into, because the locker holds the evidence itself.
5. Type the make command. This installs the program and prompts you for your evidence locker directory and the directory that Sleuth Kit is installed in.
Using Sleuth Kit and Autopsy Forensic Browser
1. To start the server program, type ./autopsy & from the directory you installed Autopsy in. This runs the server in the background, listening on port 9999 and, by default, accepting connections only from the local machine.
2. Make a note of the URL that is displayed when it starts up. You will need this to log into the server.
3. To connect to the server, open a browser and enter the URL you noted in Step 2. It will look something like this:
http://localhost:9999/654378938759042387490587/autopsy
The long number between the slashes is generated fresh each time you start Autopsy and works as a password: the server refuses requests that do not carry it, so copy the exact URL and keep it private. Once you enter the URL, the main screen displays (see Figure 11.1).
Creating and Logging Into a Case
The Sleuth Kit with Autopsy Forensic Browser keeps separate cases so you can track different incidents and customers. You must create a case before you can add evidence files to it and work on them.
1.From the main screen, click on Create Case
The Create a New Case screen displays (see Figure 11.2)
2. Enter a case name. This is also the name of the directory your evidence data is stored in; it is created under the evidence locker directory you specified at installation.
Figure 11.1 Autopsy Forensic Browser Main Screen
3. If you want, you can give the case a full name to better describe it.
4. You must create at least one investigator ID to have access to that case. You can see the power of this program here: this feature allows you to have multiple people working on the case and tracks each one's access and actions. Click on New Case to finalize your input.
5. Once your case is created, the Case Gallery displays. This shows all the cases you have created, with the details on each, including which investigators are working on them. Select your new case, click on OK, and log into it.
You have now created a case and are logged in and ready to start working on it
Adding a Host
Once you have logged into your case, you need to define at least one host that you are going to examine. A host represents one specific machine you are investigating; each image you add later is attached to a host.
Figure 11.2 Create a New Case Screen
1. From the Case Gallery, click on Add Host. The Add a New Host screen displays (see Figure 11.3).
2. Enter a host name.
3. If you want, enter a short description of the host.
4. Enter the host's time zone and, if you know it, its clock skew: the number of seconds its clock was off from true time when the image was taken. Autopsy stores both per host and applies them when it displays timestamps and builds timelines, so events from several servers with drifting clocks line up on one timeline. Record how you measured the skew (for example, by comparing the machine's clock with a trusted time source at acquisition) in your notes.
5. If you want, add the optional information requested.
6. Click on Add Host to add the host and go back to the Case Gallery.
7. Follow this procedure for each host you have data on.
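The time zone and clock skew entered in step 4 matter at the end of the process, when Sleuth Kit builds the timeline of file activity from the image. The following is an added example, not code from the book or from The Sleuth Kit: it builds a mactime-style timeline from constructed body lines (the pipe-separated format that the later `fls -m` and `ils -m` tools write; the 1.x release covered here used a longer format) and applies a per-host time zone and skew the way Autopsy does. The sign convention for the skew and the sample file names are assumptions for this example.

```python
"""mactime-style timeline from Sleuth Kit body lines, with the per-host
time zone and clock skew that Autopsy records when a host is added.
Added example, not code from the book or from The Sleuth Kit itself."""
from dataclasses import dataclass
from datetime import datetime
from zoneinfo import ZoneInfo

# Constructed sample in the body format emitted by `fls -m` / `ils -m` in
# Sleuth Kit 3.x (assumption; the 1.x release the book covers used a longer
# format): MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
# Times are seconds since the epoch in UTC; 0 means "not recorded".
SAMPLE_BODY = """\
0|/etc/passwd|1234|r/rrw-r--r--|0|0|1024|1073703600|1073700000|1073700000|0
0|/home/tony/.bash_history|5678|r/rrw-------|1000|1000|512|1073707200|1073707200|1073707200|0
0|/tmp/rootkit.tgz (deleted)|9999|r/rrw-r--r--|0|0|204800|1073700000|1073703600|1073703600|0
"""


@dataclass
class Event:
    when: datetime
    macb: str      # which stamps hit this instant: m=modified a=accessed c=changed b=born
    size: int
    mode: str
    uid: str
    gid: str
    inode: str
    name: str


def parse_body(text):
    """Yield the 11 fields of each body line, rejecting malformed lines loudly
    rather than silently dropping evidence."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"line {lineno}: expected 11 fields, got {len(fields)}")
        yield fields


def build_timeline(body_text, tz_name="UTC", skew_seconds=0):
    """Return Events sorted by time. tz_name is the host's time zone as entered
    in Autopsy; skew_seconds is how far ahead the host clock ran (assumed sign:
    positive means the clock was fast, so true time = recorded time - skew)."""
    tz = ZoneInfo(tz_name)
    events = []
    for _md5, name, inode, mode, uid, gid, size, atime, mtime, ctime, crtime in parse_body(body_text):
        stamps = {"m": int(mtime), "a": int(atime), "c": int(ctime), "b": int(crtime)}
        by_time = {}
        for letter, ts in stamps.items():
            if ts:                      # skip timestamps the file system did not record
                by_time.setdefault(ts, set()).add(letter)
        for ts, letters in by_time.items():
            when = datetime.fromtimestamp(ts - skew_seconds, tz=tz)
            macb = "".join(l if l in letters else "." for l in "macb")
            events.append(Event(when, macb, int(size), mode, uid, gid, inode, name))
    events.sort(key=lambda e: (e.when, e.name))
    return events


def format_timeline(events):
    """Render in the column order mactime uses: date, size, macb, mode, uid, gid, inode, name."""
    return [
        f"{e.when:%a %b %d %Y %H:%M:%S %Z} {e.size:>8} {e.macb} {e.mode} {e.uid:>4} {e.gid:>4} {e.inode:>6} {e.name}"
        for e in events
    ]


if __name__ == "__main__":
    # The web server's clock was found to be one hour fast, and it lives in Chicago.
    for line in format_timeline(build_timeline(SAMPLE_BODY, "America/Chicago", skew_seconds=3600)):
        print(line)
```

Run as written, the deleted rootkit archive is read at the same instant /etc/passwd is modified, and the whole sequence shifts back an hour and into Central time, which is exactly the correction you want applied uniformly rather than by hand in a report.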
Adding an Image
You now need to add the data images for the hosts you have created. Use the copy of the data you created with dd, Norton Ghost, or another imaging utility. Sleuth Kit expects a raw, sector-by-sector image such as dd produces; Ghost's default images copy only used clusters, so use its raw sector mode if you image with Ghost.
Figure 11.3 Add a New Host Screen
1. Select the host from the Host Gallery screen and click OK.
2. Click on Add Image. The Add a New Image screen displays (see Figure 11.4).
3. Enter the location and details of your image file. You have the option of copying the file into that host's directory in your evidence locker or just creating a symbolic link to it. A link is faster for large images but ties the case to the original file's location. Be careful when moving your image files around, especially large ones: a problem during the transfer can corrupt the copy, so compare the copy's hash with the original's before you rely on it.
4. Choose the file system type. This determines how Sleuth Kit interprets the data in the image.
5. Sleuth Kit automatically computes an MD5 hash of the image for you. You can check the image against that hash at any time. Record the hash you took at acquisition as well; being able to show that the two match, and that the image has not changed between acquisition and analysis, is what a court of law will ask of you.
6. You can add multiple images to each host. For example, you might have had to break a large drive up into several image files. Click on Add Image to add the image and return to the main Case Gallery.
Figure 11.4 Add a New Image Screen
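What Autopsy does at steps 3 and 5 above, copying or linking an image into the locker and hashing it, is worth being able to reproduce outside the browser, for instance when re-verifying an image months later. The following is an added example, not Autopsy's or The Sleuth Kit's own code; the locker layout (locker/case/host/images) and the sidecar file name are assumptions for this example, and the "image" is a few kilobytes of constructed bytes.

```python
"""Add an acquired image to an evidence locker and verify it, mirroring what
Autopsy does when you add an image (copy or symlink, then MD5). Added example,
not Autopsy's or The Sleuth Kit's own code."""
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 20  # read images a megabyte at a time; they rarely fit in memory


def hash_file(path, algorithm="md5"):
    """Hash a file in chunks. Autopsy of this era recorded MD5; pass "sha256"
    as well if your procedure calls for a second, collision-resistant digest."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def add_image(locker, case, host, image_path, acquisition_md5, link=False):
    """Place image_path under locker/case/host/images/ (assumed layout) and
    verify it against the MD5 recorded at acquisition. With link=True a symlink
    is made instead of a copy: faster for very large images, but the case then
    depends on the original file staying where it is."""
    dest_dir = os.path.join(locker, case, host, "images")
    os.makedirs(dest_dir, exist_ok=True)
    dest = os.path.join(dest_dir, os.path.basename(image_path))
    if link:
        os.symlink(os.path.abspath(image_path), dest)
    else:
        shutil.copyfile(image_path, dest)
    actual = hash_file(dest)
    if actual != acquisition_md5.lower():
        os.remove(dest)  # never leave an unverified copy (or link) in the locker
        raise ValueError(f"MD5 mismatch: acquired {acquisition_md5}, got {actual}")
    with open(dest + ".md5", "w") as fh:
        fh.write(f"{actual}  {os.path.basename(dest)}\n")  # md5sum -c compatible
    return dest


def verify_image(dest):
    """Re-hash an image in the locker and compare it with its stored .md5
    sidecar; run this before analysis and again before you report."""
    with open(dest + ".md5") as fh:
        recorded = fh.read().split()[0]
    return hash_file(dest) == recorded


def demo():
    """Constructed scenario: a small stand-in for a dd image is added and
    verified, then one byte is changed to show the check catching it, and a
    wrong acquisition hash is shown to be rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "hda1.dd")
        with open(src, "wb") as fh:
            fh.write(bytes(range(256)) * 16)          # 4 KiB of constructed data
        acquired = hash_file(src)
        locker = os.path.join(tmp, "locker")
        dest = add_image(locker, "case1", "webserver", src, acquired)
        ok_before = verify_image(dest)
        with open(dest, "r+b") as fh:                  # simulate a corrupted copy
            fh.seek(100)
            original = fh.read(1)
            fh.seek(100)
            fh.write(b"\xff" if original != b"\xff" else b"\x00")
        ok_after = verify_image(dest)
        wrong_hash_rejected = False
        try:
            add_image(locker, "case1", "mailserver", src, "0" * 32)
        except ValueError:
            wrong_hash_rejected = True
        return ok_before, ok_after, wrong_hash_rejected


if __name__ == "__main__":
    print(demo())
```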
Analyzing Your Data
Now you are finally ready to begin your analysis. This may seem like a lot of setup work, but you will appreciate Sleuth Kit when you have a large number of images to manipulate or when you have to be able to produce a certain piece of data quickly. Go to the Image Gallery and click on the image you want to analyze. Table 11.5 lists the types of analysis you can perform on data images.
Sleuth Kit with Autopsy Forensic Browser gives you a powerful tool for organizing and analyzing forensic data that is on par with any professional lab in the country. This section has covered some of the basic functions, but whole books could be written about this great tool. Many commands and functions are not covered here. Read the online manual and other resources on the Web site for more details. The site also offers a monthly newsletter with interesting articles and tips for those in the forensic field.
Table 11.5 Sleuth Kit Analysis Types
Analysis Type    Description
File Analysis    Shows the image as the files and directories the file system would see. Using this, you can also see files and folders that the operating system would normally hide, including deleted entries whose names are still present in the directory.
Keyword Search   Lets you search the entire image for certain keywords, including unallocated space and slack, not just the contents of allocated files. This is useful if you are after a certain program file or even the mention of a particular thing. Lawyers often use this type of feature when searching for incriminating evidence of wrongdoing on a person's hard drive. It can help find a needle in a haystack quite quickly (see Figure 11.5).
File Type        Sorts all the files by type or searches for a specific file type. This comes in handy if you are looking for all instances of a particular type of file, such as all JPEGs or all MP3 files. Files are typed by their content signature rather than their name, so a JPEG renamed to .dll is still sorted as an image, and the extension check reports exactly those mismatches.
Image Details    Displays all the details on the image you are examining. This can be useful in data recovery jobs when you need to know where the data is physically laid out.
MetaData         Shows you the underlying directory and file structures (inodes, MFT entries) in your image. This can be used to find deleted content and see other items the file system doesn't normally show you.
Data Unit        Lets you delve deeper into any data block or cluster, not only those belonging to a file you have found, and look at its actual content, either in ASCII or hex.
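The Keyword Search row above is the one most often misunderstood: the search runs over the raw image, so hits in deleted files and unallocated space are found, and a keyword is looked for both as plain ASCII and in the two-byte-per-character form that Windows uses. The block below is an added example, not Autopsy's code, of the core of such a search. The image bytes are constructed (a cleartext credential placed so that it straddles a read boundary, and the same word in UTF-16LE); the function names are this example's own.

```python
"""Keyword search over a raw image the way Autopsy's Keyword Search does it:
scan every byte, not just allocated files, so hits in deleted files, slack and
unallocated space are found too. Added example, not Autopsy's own code."""
import io
import re
import string

# Constructed stand-in for a disk image: a credential in cleartext that spans a
# 64-byte read boundary, and the same word UTF-16LE encoded, as the Windows
# registry and NTFS store strings.
SAMPLE_IMAGE = (
    b"\x00" * 60
    + b"password=hunter2\n"
    + b"\x00" * 23
    + "password".encode("utf-16-le")
    + b"\x00" * 50
)

PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def search_image(fh, keywords, chunk_size=1 << 20, encodings=("ascii", "utf-16-le")):
    """Return sorted (offset, keyword, encoding) hits from a binary file object.
    Reads are overlapped by the longest pattern minus one byte so a keyword
    straddling two chunks is still found, and found exactly once."""
    patterns = [(kw, enc, re.compile(re.escape(kw.encode(enc))))
                for kw in keywords for enc in encodings]
    overlap = max(max(len(kw.encode(enc)) for kw, enc, _ in patterns), 1) - 1
    hits, buf, base = [], b"", 0           # base = image offset of buf[0]
    while True:
        chunk = fh.read(chunk_size)
        last = not chunk
        buf += chunk
        # Any match starting before `cut` fits entirely in buf; later starts are
        # rescanned next round together with the carried-over tail.
        cut = len(buf) if last else max(len(buf) - overlap, 0)
        for kw, enc, pat in patterns:
            for m in pat.finditer(buf):
                if m.start() < cut:
                    hits.append((base + m.start(), kw, enc))
        if last:
            break
        buf, base = buf[cut:], base + cut
    return sorted(hits)


def context(fh, offset, width=16):
    """Show the bytes around a hit the way the Autopsy results screen does,
    replacing non-printable bytes with dots."""
    start = max(offset - width, 0)
    fh.seek(start)
    raw = fh.read(width * 3)
    return "".join(chr(b) if b in PRINTABLE else "." for b in raw)


def demo(chunk_size=64):
    """Search the constructed image with a deliberately small chunk size so the
    boundary-straddling hit exercises the overlap logic."""
    fh = io.BytesIO(SAMPLE_IMAGE)
    hits = search_image(fh, ["password"], chunk_size=chunk_size)
    return [(off, kw, enc, context(fh, off)) for off, kw, enc in hits]


if __name__ == "__main__":
    for off, kw, enc, ctx in demo():
        print(f"{off:>10} {enc:<9} {kw!r}  {ctx}")
```

On a real image, pass an open file on the dd image (or the block device) instead of the BytesIO; the chunk size only affects memory use, not what is found, which is the property the test checks by comparing a 64-byte and a 1 MiB read size.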
The Forensic Toolkit is another free program from the folks at Foundstone. This collection of tools helps you examine Windows-based file systems and gather information for your forensic investigation. Version 1.4 of the program is fully open source, licensed under the GPL. Version 2.0 is freeware and is usable for commercial purposes, but it has limitations on adding to or changing the program and is not currently available in source form.
Figure 11.5 Results of Keyword Search
The Forensic Toolkit: A Collection of Forensic Tools for Windows
The Forensic Toolkit
Author/primary contact: Foundstone, Inc
Web site:
www.foundstone.com/index.htm?subnav=resources/navigation.htm&sub-content=/resources/freetools.htm
Note that these tools work only on NTFS file systems. If you want to examine any FAT32 partitions, you will have to use different tools.
Installing Forensic Toolkit
1. Download the appropriate file from the Web site (either version 1.4 or 2.0, depending on whether you want the full open source version or not).
2. Unzip the file into its own directory. This completes the installation.
Using Forensic Toolkit
The tools are command line utilities that generate statistics and information about the file system in question. To run one, open a command prompt, change to the directory you unzipped the tools into, and type the command. Run them from a write-protected or read-only copy of the evidence where you can; these tools read the live file system, not an image. The following sections describe the individual tools.
Afind
This utility searches for files by their access time. Unlike the normal Windows utilities, it does so without modifying the files' access information; opening or listing a file with Explorer can update its last-access stamp, which destroys the very evidence you are looking for. The basic format is:
afind search_directory options
where you replace search_directory with the directory to search and options with the appropriate search options. Table 11.6 lists the basic options.
Table 11.6 Basic Afind Search Options
-f filename      Gives the access time information for filename.
-a d/m/y-h:m:s   Finds files that were accessed after the date and time indicated.
Hfind
This tool finds hidden files in the Windows operating system. It shows files that have the hidden attribute bit turned on and those hidden using the Windows NT special directory/system attribute method. The format is:
hfind path
where path is replaced with the path you want to search. It lists the hidden files and their last date and time of access. Be careful of searching the whole hard drive, as this could take a while.
Sfind
This tool finds hidden data streams on the hard disk. These are different from hidden files: they do not appear even when you turn on the option to view hidden files. Alternate data streams are an NTFS feature that lets a file or directory carry more than one named block of data. The extra streams are attached to a parent file, which is visible; they do not show in the size Explorer reports, are removed along with the parent when it is deleted, and are silently dropped when the parent is copied to a file system that does not support them, such as FAT. They may be used to hide data or malware. The format of the sfind command is:
sfind path
where path is the path you want to search. Again, this may take quite some time if you are searching the root directory of a large drive.
FileStat
This command creates a full listing of a file's attributes, including its security information. It works on one file at a time. You can redirect the output into a text file for further processing. The command generates quite a lot of information, including the security descriptor details (owner, group, and each access control entry with its raw access mask) that you don't normally see. Listing 11.5 shows a sample of this information for a file called test.txt.
Listing 11.5 FileStat Output
Creation Time - 01/10/2004 03:18:40
Last Mod Time - 01/10/2004 03:18:40
Last Access Time - 01/10/2004 03:18:40
Main File Size - 11
File Attrib Mask - Arch
Dump complete
Dumping C:\temp\test.txt
SD is valid
SD is 188 bytes long
SD revision is 1 == SECURITY_DESCRIPTOR_REVISION1
SD's Owner is Not NULL
SD's Owner-Defaulted flag is FALSE
SID = TONYVPRDESKTOP/Tony Howlett S-1-5-21 181663460
SD's Group-Defaulted flag is FALSE
SID = TONYVPRDESKTOP/None S-1-5-21 181663460 953405037
SD's DACL is Present
SD's DACL-Defaulted flag is FALSE
ACL has 4 ACE(s), 112 bytes used, 0 bytes free
ACL revision is 2 == ACL_REVISION2
SID = BUILTIN/Administrators S-1-5-32-544
ACE 0 is an ACCESS_ALLOWED_ACE_TYPE
ACE 0 size = 24
ACE 0 flags = 0x00
ACE 0 mask = 0x001f01ff -R -W -X -D -DEL_CHILD
SID = NT AUTHORITY/SYSTEM S-1-5-18
ACE 1 is an ACCESS_ALLOWED_ACE_TYPE
ACE 1 size = 20
ACE 1 flags = 0x00
ACE 1 mask = 0x001f01ff R W X D DEL_CHILD CHANGE_PERMS -TAKE_OWN
SID = TONYVPRDESKTOP/Tony Howlett
ACE 2 is an ACCESS_ALLOWED_ACE_TYPE
ACE 2 size = 36
ACE 2 flags = 0x00
ACE 2 mask = 0x001f01ff R W X D DEL_CHILD CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Users S-1-5-32-545
ACE 3 is an ACCESS_ALLOWED_ACE_TYPE
ACE 3 size = 24
ACE 3 flags = 0x00
ACE 3 mask = 0x001200a9 -R -X
SD's SACL is Not Present
Stream 1:
Type: Security
Stream name = ? ? ?? Size: 188
Stream 2:
Type: Data
Stream name = ? ? ?? Size: 11
Stream 3:
Type: Unknown
Stream name = ? ? ?? Size: 64
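The useful part of Listing 11.5 is the DACL: four access control entries, each with a raw mask such as 0x001f01ff or 0x001200a9, which FileStat annotates inconsistently (compare the "-R -W" style of ACE 0 with the "R W X" style of ACE 1). The block below is an added example, not part of the book or of Foundstone's Forensic Toolkit: it parses the DACL portion of that listing as FileStat printed it (the SID line precedes the "ACE n is an ..." line it belongs to, and ACE 2 printed no SID) and decodes each mask into the named rights from winnt.h, so you can answer the question an investigator actually has, which principals could have modified the file. The "modify" grouping and the function names are this example's own.

```python
"""Parse the security descriptor section of FileStat output (Listing 11.5) and
decode each ACE's access mask into the named Windows file rights. Added
example, not part of the book or of Foundstone's Forensic Toolkit."""
import re

# Bits of a file access mask, from winnt.h.
FILE_RIGHTS = [
    (0x00000001, "FILE_READ_DATA"),
    (0x00000002, "FILE_WRITE_DATA"),
    (0x00000004, "FILE_APPEND_DATA"),
    (0x00000008, "FILE_READ_EA"),
    (0x00000010, "FILE_WRITE_EA"),
    (0x00000020, "FILE_EXECUTE"),
    (0x00000040, "FILE_DELETE_CHILD"),
    (0x00000080, "FILE_READ_ATTRIBUTES"),
    (0x00000100, "FILE_WRITE_ATTRIBUTES"),
    (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"),       # "change permissions"
    (0x00080000, "WRITE_OWNER"),     # "take ownership"
    (0x00100000, "SYNCHRONIZE"),
]
FILE_ALL_ACCESS = 0x001F01FF
READ_AND_EXECUTE = 0x001200A9        # FILE_GENERIC_READ | FILE_GENERIC_EXECUTE
# Rights that let a principal alter the file, its ACL or its owner (this
# example's grouping, not a Windows constant).
MODIFY_BITS = 0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000

SID_RE = re.compile(r"^SID = (.+?)(?:\s+(S-1-\S.*))?$")
ACE_RE = re.compile(r"^ACE (\d+) is an (\w+)$")
MASK_RE = re.compile(r"^ACE (\d+) mask = 0x([0-9A-Fa-f]+)")

# DACL portion of Listing 11.5, exactly as FileStat printed it.
SAMPLE_FILESTAT = """\
SD's DACL is Present
SD's DACL-Defaulted flag is FALSE
ACL has 4 ACE(s), 112 bytes used, 0 bytes free
ACL revision is 2 == ACL_REVISION2
SID = BUILTIN/Administrators S-1-5-32-544
ACE 0 is an ACCESS_ALLOWED_ACE_TYPE
ACE 0 size = 24
ACE 0 flags = 0x00
ACE 0 mask = 0x001f01ff -R -W -X -D -DEL_CHILD
SID = NT AUTHORITY/SYSTEM S-1-5-18
ACE 1 is an ACCESS_ALLOWED_ACE_TYPE
ACE 1 size = 20
ACE 1 flags = 0x00
ACE 1 mask = 0x001f01ff R W X D DEL_CHILD CHANGE_PERMS -TAKE_OWN
SID = TONYVPRDESKTOP/Tony Howlett
ACE 2 is an ACCESS_ALLOWED_ACE_TYPE
ACE 2 size = 36
ACE 2 flags = 0x00
ACE 2 mask = 0x001f01ff R W X D DEL_CHILD CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Users S-1-5-32-545
ACE 3 is an ACCESS_ALLOWED_ACE_TYPE
ACE 3 size = 24
ACE 3 flags = 0x00
ACE 3 mask = 0x001200a9 -R -X
SD's SACL is Not Present
"""


def parse_dacl(text):
    """Return the DACL's ACEs as dicts (index, type, name, sid, mask). Only
    the span between "SD's DACL" and "SD's SACL" is read, so owner and group
    SID lines earlier in a full FileStat dump are ignored."""
    aces, pending, in_dacl = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SD's DACL"):
            in_dacl = True
        elif line.startswith("SD's SACL"):
            break
        if not in_dacl:
            continue
        if m := SID_RE.match(line):
            pending = (m.group(1), m.group(2))       # remembered for the next ACE line
        elif m := ACE_RE.match(line):
            name, sid = pending or ("(no SID printed)", None)
            aces.append({"index": int(m.group(1)), "type": m.group(2),
                         "name": name, "sid": sid, "mask": 0})
            pending = None
        elif m := MASK_RE.match(line):
            aces[-1]["mask"] = int(m.group(2), 16)
    return aces


def decode_mask(mask):
    """Names of every right bit set in mask, in winnt.h order."""
    return [name for bit, name in FILE_RIGHTS if mask & bit]


def describe_mask(mask):
    """The label the Windows security dialog would show for common masks."""
    if mask == FILE_ALL_ACCESS:
        return "Full Control"
    if mask == READ_AND_EXECUTE:
        return "Read & Execute"
    return " ".join(decode_mask(mask))


def principals_who_can_modify(aces):
    """Allowed principals holding any modify right, minus those an explicit
    deny ACE strips of such a right (deny ACEs are handled coarsely here)."""
    denied = {a["name"] for a in aces
              if a["type"] == "ACCESS_DENIED_ACE_TYPE" and a["mask"] & MODIFY_BITS}
    return [a["name"] for a in aces
            if a["type"] == "ACCESS_ALLOWED_ACE_TYPE" and a["mask"] & MODIFY_BITS
            and a["name"] not in denied]


if __name__ == "__main__":
    for ace in parse_dacl(SAMPLE_FILESTAT):
        print(f"ACE {ace['index']} {ace['name']:<30} {ace['mask']:#010x} {describe_mask(ace['mask'])}")
    print("can modify:", principals_who_can_modify(parse_dacl(SAMPLE_FILESTAT)))
```

For test.txt this reports Full Control for Administrators, SYSTEM and the owner, and Read & Execute for Users, so an ordinary user on that desktop could read the file but not have altered it.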
Hunt
This tool can be used to generate a lot of information on a system using the Windows NULL session (anonymous logon) capability. Depending on the permissiveness of your system, it could generate significant information such as user lists, shares, and running services. Note that hunt talks to a live machine over the network rather than reading a disk image, so it is an enumeration tool rather than a disk forensics tool, and later Windows versions restrict anonymous enumeration by default (the RestrictAnonymous settings), so expect less output on a hardened or modern system. The command takes the following format:
hunt system_name
where system_name is the Windows host name of the system you want to run hunt against. Listing 11.6 shows an example of the output.
Listing 11.6 Hunt Output
share = IPC$ - Remote IPC
share = print$ - Printer Drivers