The Export option exports the entire file to an external file on the Linux system. The Add Note option brings up a window that lets you add a note about this particular file. The Written (i.e., modification), Accessed, and Created times, which appear in the upper right pane, are added to that note. Correlating these times can help trace the path of an intrusion.
Besides File Analysis, the toolbar at the top of Figure 5 contains several other items: Keyword Search, File Type, Image Details, Meta Data, and Data Unit. The Keyword Search function is fairly self-explanatory. You can specify whether to search the original image or the unallocated space by selecting the Load Original option or the Load Unallocated option, respectively. You can use grep regular expressions in your searches. For the experienced investigator, these expressions provide an excellent method for quickly obtaining pertinent results. Clicking grep cheat sheet gives you a quick rundown of possible regular expressions. You can also obtain information about grep regular expressions by running the command
man grep
The File Type function lets you sort all the files in the image by their file type. You simply click Sort Files by Type to bring up a series of check boxes outlining your options. I recommend that you keep the Extension and File Type Validation check box selected because Autopsy will then verify that the file signatures match their file types. When picture files (e.g., .jpg files) are renamed to .doc files, there tends to be an illicit reason. For searches against pictures, you can use the Thumbnail option, which can save a lot of time. Autopsy 1.75 displays the results of such a search in an alternative HTML file. Thus, to see the results, you need to copy the provided URL into your browser.
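The signature-versus-extension check that the File Type Validation box performs, as an added example in Python (not Autopsy's own code); the magic-byte table, the extension mapping and the sample file headers are all constructed for this illustration, and a JPEG renamed to .doc is included to show the kind of mismatch the article describes.

```python
# Magic-byte prefixes for a few common types; constructed for this example.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04",),                            # also .docx containers
    "ole": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),      # legacy .doc/.xls
}

# Which signature family each extension is expected to carry.
EXTENSION_TYPES = {
    "jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif", "pdf": "pdf",
    "zip": "zip", "docx": "zip", "doc": "ole", "xls": "ole",
}

def detect_type(header):
    """Return the signature family matching the file's first bytes, or None."""
    for kind, prefixes in SIGNATURES.items():
        if header.startswith(prefixes):
            return kind
    return None

def validate(filename, header):
    """Compare the type claimed by the extension with the type found in the header.
    Returns (claimed, detected, status); status is 'match', 'mismatch',
    'unknown-extension', 'unknown-signature' or 'unknown'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXTENSION_TYPES.get(ext)
    detected = detect_type(header)
    if claimed is None and detected is None:
        status = "unknown"
    elif detected is None:
        status = "unknown-signature"
    elif claimed is None:
        status = "unknown-extension"
    elif claimed == detected:
        status = "match"
    else:
        status = "mismatch"
    return claimed, detected, status

# Constructed sample headers (first bytes of each "file"); report.doc is a JPEG in disguise.
SAMPLES = {
    "vacation.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "report.doc": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "notes.docx": b"PK\x03\x04\x14\x00\x06\x00",
    "readme.txt": b"Just some text\n",
}

def find_mismatches(samples):
    """Names whose extension contradicts their signature, the files an analyst should look at first."""
    return sorted(n for n, hdr in samples.items() if validate(n, hdr)[2] == "mismatch")
```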
The Image Details, Meta Data, and Data Unit functions all provide low-level file-system information about the compromised disk being analyzed. (Clicking Image Details in Figure 5 doesn't lead you to the Image Details page in Figure 4, even though they use the same title.) Although useful, these functions produce abstruse output and are recommended for advanced analysts only. Thus, I won't cover these functions here. (If you're an experienced analyst and you'd like information about these functions, go to http://www.sleuthkit.org.)
Host Manager Options
Now that you've looked at the analyses at the file-system level, let's explore the five options at the bottom of the Host Manager page:
Image Integrity. You can use the Image Integrity option at any time to verify your images. Click Image Integrity, then click the Validate button that's next to the image file you want to check. Autopsy then compares the original MD5 hash for that file against that file's current MD5 hash.
Hash Databases. The Hash Databases option lists whether any databases of Known Good or Known Bad hashes have been loaded and the location from which they were loaded.
View Notes. The View Notes option provides a list of all the notes that have been compiled for the host.
Event Sequencer. The Event Sequencer option provides an easy method for piecing together the clues in an investigation that involves more than one machine. Clicking this option brings you to a chronological list of events for that investigation. If any notes have been made specifying a file's Written, Accessed, or Created time, they're listed here as well.
The Event Sequencer can help you correlate the events of a break-in, but it requires accurate time on all machines involved. If you're simply preparing for the inevitable instead of actively responding to a breach, now is a good time to review your company's method of correlating time between machines. The small amount of time that it takes to install a Network Time Protocol (NTP) server will be invaluable.
File Activity Time Lines. The File Activity Time Lines option creates a complete time line of the Written, Accessed, and Created times for all the files on a compromised disk. This option provides an extremely detailed view of what occurred on the suspect machine. Again, correct times are crucial, but because all the times are from the same machine, the results are inherently more accurate than times from separate machines (unless the intruder has played with the system clock).
When you click File Activity Time Lines, you get a page with a new toolbar that has four options: Create Data File, Create Timeline, View Timeline, and View Notes. First, you must click Create Data File to create a metadata file that Autopsy can work with. Then, you select the image for which you want to calculate the time line and click OK. Next, you click Create Timeline, select the metadata file to use, and specify the starting and ending dates of the time line. Choosing none for both the starting date and the ending date prompts Autopsy to report on all the file-system data. Finally, you need to specify a pathname for the time line and click OK.
Clicking View Timeline gives you a month-by-month description of file-system events. You can click Summary for a list of all the months, the years, and the number of events. You can also page through the list with the links or enter a specific month or year. As Autopsy suggests, you can sometimes digest the data better with a text editor outside of Autopsy. You can find the file in the /evidence_locker_dir/case_dir/host_dir_output/filename directory, where filename is the name that you gave the time line.
In the time line, each line includes the date of the event, the size of the data, the entry type, the mode (e.g., read, write, execute), the User ID (UID), the group ID (GID), the metadata address, and the filename. (The UID and GID aren't applicable for FAT file systems.) The View Notes option brings up the notes screen so that you can quickly add or view a note if something interesting appears.
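Working with the time line outside Autopsy, as the article suggests, is easier with a small parser. The following is an added example in Python, not Autopsy's own code: it reads constructed sample lines laid out in the field order the article lists (date and time, size, entry type with m/a/c flags, mode, UID, GID, metadata address, filename), applies the same start/end-date rule as the Create Timeline dialog (none for a bound means no limit), and builds the per-month summary. The exact column spacing is an assumption, not Autopsy's real output format.

```python
from collections import namedtuple
from datetime import datetime

Event = namedtuple("Event", "when size types mode uid gid meta name")

# Constructed sample time line; m = written, a = accessed, c = created.
SAMPLE_TIMELINE = """\
2003-02-14 02:11:07 1024 m.. -/-rw-r--r-- 0 0 16 /etc/passwd
2003-02-14 02:11:07 4096 .a. d/drwxr-xr-x 0 0 2 /etc
2003-02-14 02:13:41 24576 mac -/-rwxr-xr-x 0 0 4101 /usr/bin/ls
2003-02-14 02:14:02 512 ..c -/-rw------- 0 0 8202 /root/.bash_history
2003-02-15 09:30:00 2048 .a. -/-rw-r--r-- 1000 100 9000 /home/alice/notes.txt
"""

def parse_timeline(text):
    """Parse one Event per non-empty line; the filename is the last field and may contain spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(None, 8)
        if len(parts) != 9:
            raise ValueError("malformed time line entry: %r" % line)
        date, time_, size, types, mode, uid, gid, meta, name = parts
        when = datetime.strptime(date + " " + time_, "%Y-%m-%d %H:%M:%S")
        events.append(Event(when, int(size), types, mode, uid, gid, int(meta), name))
    return events

def _bound(day):
    # Accepts 'YYYY-MM-DD' or None (None = no limit, like choosing none in the dialog).
    return None if day is None else datetime.strptime(day, "%Y-%m-%d")

def select_range(events, start=None, end=None):
    """Events with start <= time < end, in chronological order."""
    lo, hi = _bound(start), _bound(end)
    chosen = [e for e in events
              if (lo is None or e.when >= lo) and (hi is None or e.when < hi)]
    return sorted(chosen, key=lambda e: e.when)

def written_in_window(events, start=None, end=None):
    """Files whose content changed (m flag set) inside the window."""
    return sorted({e.name for e in select_range(events, start, end) if "m" in e.types})

def monthly_summary(events):
    """Event counts per year-month, like the Summary view in Autopsy."""
    counts = {}
    for e in events:
        key = e.when.strftime("%Y-%m")
        counts[key] = counts.get(key, 0) + 1
    return counts
```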
Power Tools
We've now examined the standard tools that come with Autopsy. Although their numbers are few, their power in the hands of an experienced investigator is amazing. The greatest difficulty in forensic analysis comes not in using the tools, but in knowing where to investigate and in sorting through the voluminous information that's gathered. Although these tools can't complete the arduous task of forensic analysis for you, they'll certainly lead you in the right direction.