Volume 3(1), Jan 2010
Standard Operating Procedure of Physical Analysis on Ubuntu
by Muhammad Nuh Al-Azhar, MSc. (CHFI, CEI, MBCS)
Commissioner Police – Coordinator of Digital Forensic Analyst Team (DFAT) Forensic Lab Centre of Indonesian National Police HQ
In this journal, the image file is a dd file obtained from the acquisition process described previously. After checking that the hash value of the dd image file is identical to that of the evidence storage media, the dd file is analysed in the following further actions.

Method: Physical analysis with the use of Autopsy

Autopsy is the graphical interface of The Sleuth Kit (TSK) created by Brian Carrier. TSK is designed to be used from the command line in a terminal, while Autopsy is a browser front end for running TSK. As Autopsy is a browser, it makes it easy for the digital forensic analyst to investigate the evidence. Both applications are as reliable for forensic analysis as commercial applications such as EnCase and Forensic Toolkit (FTK) running under MS Windows. TSK and Autopsy are used to analyse the file system of the evidence in a non-intrusive way. As they do not rely on the operating system to examine the file system, they can show deleted and hidden contents.

According to the package author's description in the Synaptic Package Manager, it allows the analyst to examine the layout of disks and other media. It supports DOS partitions, BSD partitions (disk labels), Mac partitions, and Sun slices (Volume Table of Contents). With these tools, the analyst can identify where partitions are located and extract them so that they can be analysed with file system analysis tools. Autopsy provides case management, image integrity, keyword searching, and other automated operations for investigative purposes. As explained in Synaptic, autopsy starts the Autopsy Forensic Browser server on port 9999 and accepts connections only from localhost. If the -p port argument is given, the server opens that port instead, and if an address is given, connections are only accepted from that host. When the -i argument is given, autopsy goes into live analysis mode.

Step 1: Initiating the Autopsy browser

Open a terminal and type sudo autopsy to run the Autopsy browser. It will display the link http://localhost:9999/autopsy. Open this link in a browser such as Firefox. Because accessing the dd file through Autopsy requires the browser to be online, go to the File menu and untick Work Offline.
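The hash comparison that must precede Step 1 can be scripted so that the analyst never starts Autopsy on an image whose hash differs from the acquisition record. The script below is an added example, not part of the original article; it assumes the acquisition-time hash was saved with sha256sum into a record file next to the image (the algorithm and the file names are assumptions).

```shell
#!/bin/sh
# Added example: integrity check of a dd image before it is loaded into Autopsy.
# Assumptions: the acquisition-time hash was saved with sha256sum (format
# "<hex>  <file>") in a record file; image and record file paths are arguments.

# record_hash IMAGE RECORD
# Writes the sha256sum line for IMAGE to RECORD (done once, at acquisition time).
record_hash() {
    sha256sum "$1" > "$2"
}

# verify_image IMAGE RECORD
# Recomputes the image hash and compares it with the recorded one.
# Returns 0 if identical, 1 on mismatch, 2 if a file is missing.
verify_image() {
    image="$1"
    record="$2"
    [ -f "$image" ] || { echo "missing image: $image" >&2; return 2; }
    [ -f "$record" ] || { echo "missing hash record: $record" >&2; return 2; }
    # The first field of the record is the hex digest; ignore the file name.
    expected=$(cut -d ' ' -f1 "$record")
    actual=$(sha256sum "$image" | cut -d ' ' -f1)
    if [ "$expected" = "$actual" ]; then
        echo "OK: $image matches acquisition hash $actual"
        return 0
    fi
    echo "MISMATCH: recorded $expected but image now hashes to $actual" >&2
    return 1
}

# When run directly with two arguments, check the image and, only if it is
# unchanged, start the Autopsy server on its default port 9999 as in Step 1.
if [ "$#" -eq 2 ]; then
    if verify_image "$1" "$2"; then
        sudo autopsy
    else
        echo "Do not analyse: image hash differs from the acquisition record" >&2
        exit 1
    fi
fi
```

Run it as ./verify_image.sh /path/to/evidence.dd /path/to/evidence.dd.sha256; the exit status (0, 1 or 2) can be logged as part of the case record.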
Step 2: Configuring the case

Click New Case and the Case Management window will appear. Enter the information related to the case, starting with Case Name, Description and Investigator Names. For the Case Name, type letters, numbers and symbols, or a combination of them, to name the case investigation. For instance, DF001 means DF for Digital Forensic and 001 for the case number. For the Description, type a description of the case in one line only, and for the Investigator Names, type the names of all analysts involved in the evidence analysis. After filling these in, click New Case to go to the Creating Case window.

In this window, the analyst must create a host for the case, so click Add Host. In the new window, enter the name of the computer being investigated as the Host Name and describe that computer in the Description. The other items are Time zone, Timeskew Adjustment, Path of Alert Hash Database and Path of Ignore Hash Database. If the Time zone is not given, it is set to the local time. The Timeskew Adjustment is an optional value describing how many seconds this computer's clock was out of sync. The Path of Alert Hash Database and Path of Ignore Hash Database are used for known bad and known good files respectively. After entering the information needed, click Add Host to go to the next configuration.

In the new window, click Add Image, and then click Add Image again in the subsequent window. In this window, enter the full path where the dd file is stored in Location, and in Type select disk or partition as the type of the image file. In Import Method, the dd file can be imported from its current location using Symlink, Copy or Move. After selecting this last item, click Next to go to the next window, which describes the Image File Details and File System Details. After checking the information related to the dd file, click Add, and then click OK.
Step 3: Analysing the image

In the new window, the analyst can select a volume to analyse. It can be a raw file or a file system. After selecting it, click Analyze to analyse the image. Several features are provided for the analyst to perform the analysis: File Analysis, Keyword Search, File Type, Image Details, Meta Data and Data Unit.

File Analysis lets the analyst browse the image to seek the file containing the information needed, including its time stamps (written, accessed and created dates) and its meta data. This feature also gives information about deleted files, as well as directory seek and file name search.

In Keyword Search, the analyst can enter a keyword string or expression to search for, as well as Extract Strings and Extract Unallocated. This feature makes it easy for the analyst to find certain words in a bunch of files in the image.

In File Type, Autopsy examines allocated and unallocated files, sorts them into categories and verifies the extension. This allows the analyst to find a file based on its type and to find "hidden" files. However, this can be a time-intensive process.

Image Details gives detailed information about the image, such as file system information, meta data information, content information and file system contents (in sectors).

In Meta Data, the analyst can view the details of any directory entry in the file system, which are the data structures storing the file details.

In Data Unit, Autopsy lets the analyst see the content of certain sectors in ASCII or Hex mode.

Another action is to select File Activity Time Lines. With this feature, the analyst can collect data or files based on the date when they were created or deleted, and so can easily seek the information from a certain date and analyse it.

Step 4: Closing the analysis

To close the analysis session, click Close, then Close Host and Close Case. In the Case Gallery window, Autopsy displays the Case Name with its Description, so that whenever the analyst would like to analyse the image again, just select the Case Name and click OK. Go back to the terminal and press Ctrl-C to terminate the Autopsy session.

Bibliography

ACPO. (2008). Good Practice Guide for Computer-Based Electronic Evidence. Available: http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdf. Last accessed 30 September 2009.
Al-Azhar, M.N. (2009). Standard Operating Procedure of Acquisition on Ubuntu. Forensic Cop Journal, 2(3). Available: http://forensiccop.blogspot.com. Last accessed 19 December 2009.
Al-Azhar, M.N. (2009). Ubuntu Forensic. Forensic Cop Journal, 2(1). Available: http://forensiccop.blogspot.com. Last accessed 19 December 2009.
Carrier, B. (2004). Basic Media Analysis & The Sleuth Kit / Autopsy.
Connectiva S/A and Vogt, M. (2009). Synaptic Package Manager 0.62.5. Ubuntu 9.04.
Ferguson, I. (2008). Lab Session Guidance of CS936: Physical Searching. Glasgow: CIS Department of University of Strathclyde.
US Department of Justice. (2001). Electronic Crime Scene Investigation: A Guide for First Responders. Available: http://www.ncjrs.gov/pdffiles1/nij/187736.pdf. Last accessed 30 September 2009.