In association with heise online

Time for an autopsy

The Autopsy Forensic Browser, also developed by Brian Carrier, provides a graphical user interface for the tools in the Sleuth Kit. When launched, Autopsy starts an HTTP server through which it can be operated from a web browser, including over the Internet.

One advantage of this architecture is that multiple investigators can collaborate from different locations. To ensure forensic soundness, Autopsy integrates comprehensive host and case management and keeps a log of every action taken, recorded per investigator, medium, and case.

Furthermore, it performs comprehensive analyses of files, content, and file types. To this end, Autopsy provides a file-manager-like interface in which it presents details of deleted and hidden files alongside the internal file system structures.

[Figure: Autopsy. High-performance tool kits such as Autopsy include file analysis and search functions.]

Additional time-based events can be added to the activity timeline that Autopsy extracts from the file system, and comments can be attached to these events, which is useful if you want to present the findings in court in a way that everyone can understand. In addition to the US government's hash database of known files, users can also integrate their own hash sets and blacklist or whitelist items; an example would be a hash set taken from a clean installation of a comparable system.

The integrated search function scans the file system for specific strings, which can be entered as regular expressions as in grep. An index file generated beforehand speeds up this process considerably. You can then take a closer look at what you found in the ASCII or hex view.

Knowing what to look for

The Open Source tool Foremost makes searches for specific types of files, such as images and videos, particularly efficient. Kendall and Kornblum, special agents of the U.S. Air Force, gave this tool the look and feel of the DOS program CarvThis from the US Defense Computer Forensic Labs. In addition to the original Linux version, there is now also a Windows version. Foremost can look through both physical data carriers and dd images. A configuration file specifies the header and footer signatures to search for and the maximum file size; Foremost then automatically extracts every file that matches the search pattern. Unfortunately, this only works properly if the files are not fragmented; otherwise you may recover only fragments of the original file. A log file records all parameters used, all actions taken, and the offsets of all findings.
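To make the header/footer carving described above concrete, here is an added example in Python; it is neither Foremost's code nor code from the original article. A signature table modelled on a Foremost configuration drives a minimal carver over a constructed byte string standing in for a dd image, and the case where no footer turns up within the size limit (the way a fragmented or oversized file surfaces) is flagged in an audit-style log. The signature values and the sample image are assumptions.

```python
import re
from dataclasses import dataclass

# Signature table in the spirit of a Foremost configuration: extension,
# header bytes, optional footer bytes, maximum file size.
# Values are assumptions chosen to fit the constructed image below.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 64),
    ("gif", b"GIF8", b"\x00\x3b", 64),
    ("txt-note", b"NOTE:", None, 16),   # header-only type: carve max_size bytes
]

@dataclass
class Carved:
    ext: str
    offset: int
    data: bytes
    truncated: bool   # True when no footer was found within max_size

def carve(image: bytes, signatures=SIGNATURES):
    """Header/footer carving over a raw image; returns hits in offset order."""
    hits = []
    for ext, header, footer, max_size in signatures:
        for m in re.finditer(re.escape(header), image):
            start = m.start()
            window = image[start:start + max_size]
            if footer is None:
                hits.append(Carved(ext, start, window, False))
                continue
            end = window.find(footer, len(header))
            if end == -1:
                # Footer absent within max_size: the file may be fragmented
                # or larger than allowed; keep the window but flag it.
                hits.append(Carved(ext, start, window, True))
            else:
                hits.append(Carved(ext, start, window[:end + len(footer)], False))
    return sorted(hits, key=lambda h: h.offset)

def audit_log(hits):
    """One line per hit, like a carving audit: type, offset, length, flag."""
    return [f"{h.ext}\t{h.offset}\t{len(h.data)}\t"
            f"{'FRAGMENT?' if h.truncated else 'ok'}" for h in hits]

# Constructed sample "disk image": slack, an intact JPEG, a GIF whose footer
# lies beyond the size limit, and a header-only note.
IMAGE = (b"\x00" * 8
         + b"\xff\xd8\xff\xe0" + b"J" * 10 + b"\xff\xd9"
         + b"\x00" * 4
         + b"GIF89a" + b"G" * 70 + b"\x00\x3b"
         + b"NOTE:hello" + b"\x00" * 6)

if __name__ == "__main__":
    for line in audit_log(carve(IMAGE)):
        print(line)
```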

The Open Source tools presented here need not shy away from comparison with commercial products. A number of extensions and independent tools would also be worth mentioning -- but there is no space for them here. What is clear, though, is that open standards, transparent analyses, and truly independent experts offer more than just technical advantages in this sensitive area. (ju)

Holger Morgenstern is an official, certified IT expert in the field of computer forensics.

