After you enter all the host information, click Add Host. You'll see another verification screen, which shows you the actions Autopsy took. Click OK to go back to the Host Gallery page. Select the host you just added, then click OK to bring up the Host Manager page, which Figure 3 shows.
In Host Manager, click Add Image. Autopsy prompts you for the full path to the image. The path must start with a slash (/). Next, you need to select the method to import the image. The first option, Symlink to evidence locker, creates in the evidence locker a symbolic link, or symlink, to the image. (A symlink is the UNIX equivalent of a Windows shortcut to a file.) The image stays in its original location but is read through the evidence locker as if it were there. The other two options, Copy and Move, are self-explanatory. I suggest you use the Copy option, unless time or space is at a premium. Using a symlink could potentially corrupt the original image, so using a copy is safer. And moving the file might be difficult because of UNIX permissions.
Autopsy also asks you to specify the compromised disk's file-system type (e.g., FAT32, FAT16) and original mount point to help correlate file-system activity later. For the original mount point, enter the drive letter (e.g., C:\, D:\). Finally, select the Calculate Now check box if you want Autopsy to create an MD5 hash for the image.
After you click Add Image, Autopsy adds the image and creates the MD5 hash if you selected that option. Back at the Host Manager page, you'll see that the image has been added. Now that you have an image, you can use the following five options at the bottom of the Host Manager page: File Activity Time Lines, Image Integrity, Hash Databases, View Notes, and Event Sequencer. You can also access some options through the details link on the Host Manager page after you've added an image. Let's see what the details link has to offer before discussing the other five options.
Image Details Options
Clicking an image's details link in the Host Manager page brings up the Image Details page, which Figure 4 shows. In addition to listing the information you previously entered when you added the image, this page provides you with two options: Extract Strings and Extract Unallocated. You should take advantage of both options in your forensic analysis.
Extract Strings. When you click Extract Strings, Autopsy searches the entire image file for anything that remotely looks like a human-readable string and extracts those strings, saving them in the file specified by the File Name text box (in this case, usb-part.dd.str). After saving the strings, Autopsy lists the file's location in the Strings File entry in the box at the top of the Image Details page. In this case, the location would be output/usb-part.dd.str. If you append this path to the directory specified in the Host Directory entry, you can view the file from the command line by using a Linux command such as less. (The less command lets you view a text file's contents from the command line, without having to use an editor.) The file will contain lines of data such as:

188120 The files have been extracted successfully.

The number at the start of the line is the logical address of the string's position in the image; the remainder of the line is the string itself. You can perform a keyword search to find suspicious strings. For example, a healthy system is unlikely to have a string such as W1nd0ze r00tk1t 2.0. Although an explanation is beyond the scope of this article, you can use the Sleuth Kit to extract for further analysis the file that contains a particular string.
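To make the format of the strings file concrete, here is an added Python example (not Autopsy or Sleuth Kit code) that performs a minimal strings-with-offsets pass over an image and then runs a keyword search over the result. The image bytes are constructed for the example, and the number it reports is the byte offset into the image (an assumption about how the .str file numbers its lines; check your Autopsy version's output against a known offset before relying on it).

```python
"""Added example (not Autopsy or Sleuth Kit code): a minimal strings-with-
offsets pass in the spirit of Extract Strings, plus a keyword search over
the result. The image below is constructed; the offset reported is the byte
offset into the image (an assumption about how the .str file numbers lines)."""
import re

MIN_LEN = 4  # shortest run counted as a string, the same default as strings(1)


def extract_strings(image: bytes, min_len: int = MIN_LEN):
    """Return (offset, text) pairs for every run of printable ASCII bytes.

    A non-printable byte ends a run, so b'normal\\xffsplit' yields two strings.
    """
    run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in run.finditer(image)]


def to_str_file(pairs):
    """Render pairs as '<offset> <string>' lines, the layout the article shows."""
    return "\n".join(f"{offset} {text}" for offset, text in pairs)


def keyword_search(pairs, keywords):
    """Case-insensitive substring search; returns (offset, text, keyword) hits."""
    hits = []
    for offset, text in pairs:
        lowered = text.lower()
        hits.extend((offset, text, kw) for kw in keywords if kw.lower() in lowered)
    return hits


def build_sample_image() -> bytes:
    """Constructed stand-in for usb-part.dd: 4 KB of zeros with strings planted."""
    img = bytearray(4096)

    def put(offset, data):
        img[offset:offset + len(data)] = data

    put(188, b"The files have been extracted successfully.")
    put(512, b"ab")                          # too short to count as a string
    put(1024, b"W1nd0ze r00tk1t 2.0")        # the kind of string worth flagging
    put(2048, b"normal\xffsplit")            # \xff breaks the run into two strings
    return bytes(img)


if __name__ == "__main__":
    found = extract_strings(build_sample_image())
    print(to_str_file(found))
    for offset, text, kw in keyword_search(found, ["r00tk1t", "passwd"]):
        print(f"hit for {kw!r} at byte {offset}: {text}")
```

Run against a real image, the same functions work on the bytes of the .dd file; the keyword list is where you put the indicators you are looking for, and the offset of each hit is what you carry into the Sleuth Kit to locate the owning file.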
Extract Unallocated. When you click Extract Unallocated, Autopsy extracts the unallocated sectors from the compromised disk and writes them to a file for string analysis. Sometimes you can find remnants of deleted files (and even complete but deleted files) within these sectors. The unallocated sectors don't include slack space, which is the space allocated by the file system for a file that the file itself doesn't occupy. Every file system allocates space on a disk in blocks of bytes. If a file doesn't use all the allocated space, the unused bytes are still readable by forensic software and might contain information from the file that previously occupied that location on the disk. For example, if the file system uses 8KB blocks and allocates one block for a file that's only 6KB, the remaining 2KB of that block is the slack space. If an 8KB file originally occupied this space, the 2KB of slack space might contain data from that original file. After Autopsy writes the unallocated sectors to the file, you should run the Extract Strings option against that file to look for suspicious strings.
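The distinction between unallocated blocks and slack space is easy to get wrong, so here is an added Python example (not Autopsy or Sleuth Kit code) that replays the 8KB/6KB scenario above on a toy block device. The block size, file names and file contents are constructed for illustration; the model keeps only an owner-per-block table, which is enough to show why Extract Unallocated returns whole free blocks but never the tail of a block that a live file owns.

```python
"""Added example (not Autopsy or Sleuth Kit code): a toy block device that
shows why Extract Unallocated returns whole free blocks but not file slack.
Block size, file names and contents are constructed for illustration."""

BLOCK = 8 * 1024  # 8 KB blocks, matching the article's example


class ToyDisk:
    def __init__(self, nblocks: int):
        self.data = bytearray(BLOCK * nblocks)
        self.owner = [None] * nblocks   # block index -> file name, or None if free
        self.files = {}                 # file name -> list of (block, bytes used)

    def write(self, name: str, content: bytes) -> None:
        """Allocate first-free blocks and copy content in.

        Like a real file system, only the bytes the file needs are written;
        whatever was left in the rest of each block stays there as slack.
        """
        extents = []
        for pos in range(0, len(content), BLOCK):
            chunk = content[pos:pos + BLOCK]
            b = self.owner.index(None)          # raises ValueError when the disk is full
            self.data[b * BLOCK:b * BLOCK + len(chunk)] = chunk
            self.owner[b] = name
            extents.append((b, len(chunk)))
        self.files[name] = extents

    def delete(self, name: str) -> None:
        """Release the blocks without wiping them, as most file systems do."""
        for b, _ in self.files.pop(name):
            self.owner[b] = None

    def unallocated(self) -> bytes:
        """What Extract Unallocated collects: every block no file owns."""
        return b"".join(self.data[b * BLOCK:(b + 1) * BLOCK]
                        for b, owner in enumerate(self.owner) if owner is None)

    def slack(self, name: str) -> bytes:
        """Tail of each of the file's blocks beyond the file's own data."""
        return b"".join(self.data[b * BLOCK + used:(b + 1) * BLOCK]
                        for b, used in self.files[name])


def demo() -> dict:
    """Replay the article's scenario: an 8 KB file is deleted, then a 6 KB file
    reuses its block, leaving 2 KB of the old file in the new file's slack."""
    disk = ToyDisk(nblocks=4)

    old = (b"old-file-data " * 586)[:BLOCK]     # exactly 8 KB, recognisable content
    disk.write("old.txt", old)
    disk.delete("old.txt")

    disk.write("new.txt", b"N" * (6 * 1024))     # 6 KB lands in the same block
    slack = disk.slack("new.txt")
    free = disk.unallocated()

    # A deleted file whose block is never reused is recoverable in full.
    body = b"deleted file body " * 100
    disk.write("gone.bin", body)
    disk.delete("gone.bin")

    return {
        "slack_len": len(slack),
        "slack_is_old_tail": slack == old[6 * 1024:],
        "slack_in_unallocated": slack in free,
        "unallocated_len": len(free),
        "deleted_recoverable": disk.unallocated().startswith(body),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two results to notice are that the 2KB tail of the deleted file survives in the new file's slack, and that the unallocated output contains the fully deleted file but not that slack. That is why a string that lives only in slack will not show up when you run Extract Strings on the unallocated file, and why slack has to be examined separately.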
At the bottom of the Image Details page is a File System button. Clicking it opens a page that provides information about the compromised disk's file system. As Figure 5 shows, the File Analysis page consists of a toolbar at the top and three panes. The left pane provides a directory listing. The upper right pane lists the directory's files, which are grouped by sector. Deleted files (or what can be gleaned from them) are included. Clicking a file, deleted or otherwise, displays an ASCII version of that file in the lower right pane. At the top of the lower right pane, information about the file type (if it's known) and a few options appear. The options are
- ASCII (display - report)
- Strings (display - report)
- Export
- Add Note
The ASCII display option is the default view of the file in its ASCII form. If you click the Strings display option, the strings in the file that you're viewing appear in the lower right pane. Clicking the ASCII report option adds the ASCII data to Autopsy's report for the case. Similarly, clicking the Strings report option adds the string data to the report. Note that when you use either report option, Autopsy includes the data from all three panes (not just the data from the lower right pane), so the information isn't succinct.