In "Performing Forensic Analyses, Part 1," June 2004, InstantDoc ID 42445, I showed you how to create a bootable CD-ROM that contains the Penguin Sleuth Kit and how to use that CD-ROM to create a digital copy, or image, of a compromised hard disk. Now let's look at how to perform a forensic analysis on that image by using the Penguin Sleuth Kit on your CD-ROM.

The Penguin Sleuth Kit includes two extremely useful utilities: the Sleuth Kit, which is a collection of forensic command-line tools, and Autopsy, which is the Web browser-based front end for the command-line tools. The Sleuth Kit and Autopsy use an evidence locker to store collected data and documentation. Thus, you need an external or writable hard disk for the evidence locker.

Forensic analysis is a time- and resource-intensive operation. If you'll be performing forensic analyses often, I recommend that you use a dedicated machine with Linux installed to do this work. However, if you'll be performing forensic analyses only on occasion, you can run the bootable CD-ROM from your workstation instead of installing Linux on a dedicated machine because the tools on the CD-ROM are Linux-based.

Getting Started
For the purpose of this article, let's assume that you're running the bootable CD-ROM from your Windows workstation, you're booted into Knoppix, your evidence locker is on an external USB disk, and you've created a forensic image. Now reboot the system with the command

root@ttyp1[/]# reboot

The Penguin Sleuth Kit will return you to the initial boot prompt, after which you should type

knoppix lang=us desktop=twm
  screen=800x600

and press Enter. (Although the command appears on two lines here, you should enter it on one line. The same holds true for the other multiline commands in this article.) This command boots into Tab Window Manager (TWM), a minimal-resource GUI for Linux. The default GUI is the K Desktop Environment (KDE), which provides an interface similar to Windows but requires a large amount of RAM. All you need to run is a Web browser, so KDE is unnecessary. Open a command prompt and run the command

knoppix@ttyp0[knoppix]$
  konqueror &

to start the Konqueror Web browser, which the Penguin Sleuth Kit includes.

Let's assume that your external USB disk is at /dev/sda1 and that the USB disk contains not only the evidence locker but also the image of the compromised disk. Plug in the USB disk and follow these steps:

  1. Mount the USB disk with the command

     knoppix@ttyp0[knoppix]$
       mount /dev/sda1 /mnt

  2. Create the /mnt/evidence_locker directory with the command

     knoppix@ttyp0[knoppix]$
       mkdir /mnt/evidence_locker

  3. Run the Autopsy command

     knoppix@ttyp0[knoppix]$ autopsy
       -d /mnt/evidence_locker

     Figure 1 shows an example of what the Autopsy command's output might look like.

  4. In the Konqueror Web browser, enter the URL that your Autopsy command output specifies.

Alternatively, you can keep Autopsy running on your workstation but perform the forensic analysis over the network through a different Web browser. This feature is useful if the system you're using doesn't have enough RAM to run even the TWM GUI. To use this alternative approach, you need to know the IP address for your workstation (if you attached a network cable). If you don't know your machine's IP address, you can use the command

knoppix@ttyp0[knoppix]$
  /sbin/ifconfig

to obtain it. Then, replace the command in Step 3 with this command

knoppix@ttyp0[knoppix]$ autopsy
  -d /mnt/evidence_locker
  Port IPAddress

where Port is the number of the port to listen to and IPAddress is your workstation's IP address.
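The steps above, gathered into one script, as an added example that is not from the article or from the Autopsy project. It mounts the evidence disk, creates the locker, checks the image against a checksum recorded when the image was acquired, and builds the Autopsy command line in both the local form and the network form (port followed by IP address, as described above). The device /dev/sda1, the mount point /mnt, the image name image.dd and its checksum file image.dd.sha1 are assumptions; the two validation helpers reject a malformed port or address before anything is launched.

```shell
#!/bin/sh
# Added example (not from the article): prepare the evidence locker and
# launch Autopsy. Assumptions: the USB disk is /dev/sda1 and is mounted at
# /mnt; the image made in Part 1 is /mnt/image.dd and its SHA-1, recorded
# at acquisition time, is in /mnt/image.dd.sha1 (hypothetical file names).

EVIDENCE_DEV="${EVIDENCE_DEV:-/dev/sda1}"
MNT="${MNT:-/mnt}"
LOCKER="$MNT/evidence_locker"

# Accept only an integer port in the range 1-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Accept only a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    addr=$1
    old_ifs=$IFS
    IFS=.
    set -f
    set -- $addr
    set +f
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Compose the Autopsy invocation: "autopsy -d LOCKER" for local use, or
# "autopsy -d LOCKER PORT IPADDRESS" for analysis over the network.
autopsy_cmd() {
    locker=$1
    port=$2
    addr=$3
    cmd="autopsy -d $locker"
    if [ -n "$port" ]; then
        valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
        cmd="$cmd $port"
        if [ -n "$addr" ]; then
            valid_ipv4 "$addr" || { echo "bad address: $addr" >&2; return 1; }
            cmd="$cmd $addr"
        fi
    fi
    printf '%s\n' "$cmd"
}

# Compare the image's SHA-1 with the value recorded at acquisition time so
# the analysis runs on an unaltered copy. Returns 0 on match, 1 otherwise.
verify_image() {
    image=$1
    recorded=$2
    actual=$(sha1sum "$image" | cut -d' ' -f1)
    [ "$actual" = "$recorded" ]
}

# Steps 1-3 of the article. Runs only when invoked as:
#   sh prep.sh run [PORT [IPADDRESS]]
main() {
    mount "$EVIDENCE_DEV" "$MNT"
    mkdir -p "$LOCKER"
    recorded=$(cut -d' ' -f1 "$MNT/image.dd.sha1")
    verify_image "$MNT/image.dd" "$recorded" || {
        echo "image checksum mismatch; stop and re-acquire the image" >&2
        return 1
    }
    $(autopsy_cmd "$LOCKER" "$1" "$2")
}

if [ "${1:-}" = "run" ]; then
    shift
    main "$@"
fi
```

Sourcing the file without the `run` argument only defines the functions, which is how the helpers can be reused or tested without touching a real disk.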

No matter which approach you use, after you enter the URL in the Web browser, the opening page for the Autopsy Web site appears, providing three links: Open Case, New Case, and Help. Select New Case because you haven't started working on a case yet. You'll be prompted to enter a name for the case and the names of the users who'll be using Autopsy. After entering this information, click New Case. The next page lists the actions that Autopsy took for verification purposes. Click OK to continue to the Case Gallery, which Figure 2 shows. The Case Gallery lists all the cases being investigated. Because you created only one case, you'll have just one case listed. Click OK.

On the next page, called the Host Gallery, some Autopsy-specific nomenclature comes into play. Every analysis is based on a case, which might include more than one disk image, each of which is called a host. For a simple analysis such as this one, the nomenclature might seem confusing, but it's useful when an investigation involves more than one suspect computer. Choose the Add Host option to add your digital image of the compromised disk. Autopsy prompts you for the host's name, a description, the time zone (for which you enter the standard time-zone abbreviation, such as EST), and the suspect machine's timeskew. Timeskew refers to the difference between the suspect computer's clock and the correct time (i.e., the time on the host computer's clock). The time zone and timeskew are necessary for Autopsy to correctly correlate time between computers and external incidents.

Finally, you can enter paths of databases that contain hashes or unique fingerprints of either files known to be malicious (i.e., Known Bad files, such as Trojan horses) or files known to be benign (i.e., Known Good files, such as standard Microsoft applications) so that you don't have as much chaff to sift through. Comprehensive (but by no means all-inclusive) databases are available from the National Institute of Standards and Technology (NIST) at http://www.nsrl.nist.gov. One particularly helpful database is NIST's database of known Trojan horses and hacking tools. Using such databases can greatly aid in diagnosing computer incidents. If you check your image against a database, any relevant information will be listed as Known Bad or Known Good when viewing it in Autopsy.
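To show what the Known Bad / Known Good lookup does with those hash databases, here is an added example (not from the article, and not Autopsy's own code) that hashes every file under a directory and tags each one. The lists it reads are constructed one-SHA-1-per-line files, an assumption for the example; the NIST distribution uses its own file layout, which Autopsy imports for you.

```shell
#!/bin/sh
# Added example (not from the article): classify files by hash against a
# Known Good list and a Known Bad list, the way the Autopsy lookup does.
# Assumption: each list holds one lowercase SHA-1 hex digest per line
# (constructed format, not the NIST NSRL file layout).

# Print "Known Bad", "Known Good" or "Unknown" for one file.
# $1 = file, $2 = known-good list, $3 = known-bad list.
classify_file() {
    hash=$(sha1sum "$1" | cut -d' ' -f1)
    if grep -qx "$hash" "$3"; then
        echo "Known Bad"
    elif grep -qx "$hash" "$2"; then
        echo "Known Good"
    else
        echo "Unknown"
    fi
}

# Walk a directory and print one line per regular file: category, then path.
# Known Good entries are the chaff an analyst can set aside first.
classify_tree() {
    dir=$1
    good=$2
    bad=$3
    find "$dir" -type f | sort | while IFS= read -r f; do
        printf '%s|%s\n' "$(classify_file "$f" "$good" "$bad")" "$f"
    done
}

# Count the files in a directory that fall into one category ($4).
count_class() {
    classify_tree "$1" "$2" "$3" | cut -d'|' -f1 | grep -cx "$4"
}
```

Run as `classify_tree /mnt/image_mount known_good.txt known_bad.txt` once the image is mounted; the Known Bad lines are the ones to examine first, and the Unknown lines are what remains after the known-file chaff is removed.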
