
How to use "The Sleuth Kit" and "Autopsy"

How to use "The Sleuth Kit" and "Autopsy" | Part 1

Hello Peerlysters,

Today, we will take a look at one of the most popular open-source forensic tools, Autopsy (the GUI front end
for The Sleuth Kit). If you have ever wanted to become a digital detective or get started with digital
forensics and searched Google for "forensic tools", you are sure to have come across the term "The Sleuth
Kit". If you haven't yet, don't worry. By the time you reach the end of this article and the others in this
series, you will be able to use the tool in a variety of scenarios, at work as well as in your own practice. So,
stay tuned.

As you might have guessed from the introduction, I aim to create a small course on how to use Autopsy for
conducting forensic investigations. We will cover everything from the ground up, and I will help you build a
small lab for experiments too. Throughout the series I will create small practical scenarios on which we can
conduct an investigation. I humbly request the Peerlyst community to correct me whenever you feel I could
have done better; I will modify the content accordingly and improve the article based on your suggestions.

Enough lecture and now let's get started (For Real)

About "The Sleuth Kit" (TSK)


"The Sleuth Kit ® is a collection of command line tools and a C library that allows you to analyze disk
images and recover files from them. It is used behind the scenes in Autopsy and many other open source and
commercial forensics tools." -- SleuthKit.org

Get Sleuth Kit

Windows: You can download Sleuth Kit Windows Binaries from here.

Linux: On Debian and Ubuntu based systems, the simplest way to install The Sleuth Kit is to open a terminal and run the following:

sudo apt-get install sleuthkit

The second option is to download the latest source code and do a manual installation. You can read more
about it here.
Another option is to use a forensic workstation such as SIFT or DEFT, where TSK comes preinstalled along
with hundreds of other forensic tools. In this training series we will be using Autopsy and TSK from within
the SIFT environment, but that will be covered in a separate article. Links to these workstations are given
later in the article.

About "Autopsy"
"Autopsy ® is an easy to use, GUI-based program that allows you to efficiently analyze hard drives and
smart phones. It has a plug-in architecture that allows you to find add-on modules or develop custom
modules in Java or Python." -- SleuthKit.org

Get Autopsy

Windows: You can download Autopsy Windows Binaries from here (x64) and here (x86).

Linux: The Linux and OS X version of Autopsy (version 2, the browser-based "Autopsy Forensic Browser")
is a web interface that is no longer maintained. You can find more details about it here. If you would still
like to try it and get some experience with it, you can use a forensic workstation such as SIFT or DEFT. We
will also cover the web interface in this series, but in a different article.

Forensic Workstations
Pre-configured virtual machines or bootable ISOs loaded with hundreds of forensic tools. The most popular ones are:
Most popular ones out there are:

1. SIFT: Download it from here.

2. DEFT: Download it from here.

You may look into the instructions for installation on their respective download pages. There are other
forensic distros out there but I prefer the above two.

Setting up your own Simple Workstation


This step is optional. If you really want to get your hands dirty with Autopsy, it is a good idea to follow the
instructions here. The setup shown is for learning purposes only and does not emulate a real forensic
workstation.

We require the following tools:

1. VMWare / VirtualBox / Hyper - V (I will be using VMWare)

2. SIFT / DEFT (Links given above)

3. Windows 7 / 8 / 10 ISO or Pre-configured VMs.

4. External USB Drives (4/8/16 GB)


I will assume everybody knows what a virtual machine is and how to use one. VMware Player is free for
non-commercial use and VirtualBox is open-source software. You can choose any other virtualization
software you prefer.

You can get Windows VMs from Microsoft, unless you already have them from known or unknown
sources :D

I will be using Windows 7 32-bit for performing the analysis and testing Autopsy. Install Windows 7 in a VM
as you normally would and then install Autopsy (links are given above). In my setup I have added an extra
4 GB virtual disk with a FAT32 file system, which we will use to create a forensic image and perform the
analysis. The process for creating this drive is described below.

1. Open Virtual Machine and Select your Windows 7 32 Bit installation.

2. Then click on Edit Virtual Machine Settings.



3. Choose the Add option to add new Hard Disk. Click Next and next again on the second screen.
4. Choose "Create a new Virtual Disk". Next, add a name.

5. Finish and then start the virtual machine. Once the VM has booted, go to Disk Management and you will
see 4 GB of unallocated space on the new disk. Right-click it and create a new Simple Volume.

6. Now Simply follow the screenshots below one after the other.

7. The New FAT32 partition was created. Now you will be asked to perform a quick format to use the disk.

8. Format the disk and your new drive is ready for use.
If you're wondering why we went through this entire process to create this drive, here's the answer: this
partition will be your test partition. Infect it, use it, corrupt files on it, lock it, hide it, and so on, then create
a forensic image and analyze it using Autopsy. That is exactly what I will be doing.

Alternative Solution/Approach

In case you want to perform all the testing on your main/host system you can opt for an external flash drive.
Use this flash drive as a test device and format it with different file systems to analyze it using Autopsy. We
will cover a bit of USB Device forensics much later and will be analyzing a USB drive and explore it
forensically.

Note: In a real case you would attach the original media through a write blocker and image the entire
physical drive, not just a single partition or flash drive. Here we store the raw image on another partition of
the same VM, whereas in practice you should store it on separate external storage.

Before, we proceed let me define a few forensic terms.


4n6 Terminologies
Computer Forensics: The legally tested and approved restoration, collection, preservation, analysis, and
presentation of computer-related evidence. This digital evidence may be used to support, or disprove,
aspects of an investigation or litigation involving companies, individuals or law enforcement.

File signature: Information contained within a file that identifies its type, even if the file's extension has
been altered.

Forensic image/Forensic Copy: A forensically sound and complete copy of a hard drive or other digital
media, generally intended for use as evidence. Such copies include unallocated space, slack space, and boot
record. A forensic image is often accompanied by a calculated Hash signature to validate that the image is
an exact duplicate of the original.

Write blockers are devices that allow acquisition of information on a drive without creating the possibility
of accidentally damaging the drive contents. They do this by allowing read commands to pass but by
blocking write commands, hence their name.

The Above Terminologies have been taken from here. I will later create another post consisting of most of
the forensic and infosec terminologies (If it is not already published here.)

Brief Overview of The Sleuth Kit (TSK) CLI Tools


Now that we have a basic understanding of a few forensic terms, have the tools, and have a simple lab to test
things in, it's time to look at the CLI tools that come with TSK. First I will describe the functionality of each
tool; later we will work through practical examples based on scenarios and test images.

File System Information Tools

fsstat    Displays details about the file system in the image (type, layout, block/cluster size, location of the FAT or MFT).

Block or Cluster Analysis Tools

blkcat    Displays the contents of a given disk block (cluster).

blkls     Extracts the contents of unallocated blocks (by default) into a single stream; this is where carving for deleted data starts.

blkcalc   Maps between block addresses in the original image and addresses in the blkls output.

blkstat   Displays the allocation status of a block.

Metadata Analysis/Extraction Tools

ils       Lists metadata (inode) entries, including those of deleted files.

istat     Displays information about a specific inode (size, MAC times, allocated blocks).

icat      Outputs the contents of the blocks allocated to an inode, i.e. extracts a file by its inode number.

ifind     Finds the inode that has allocated a given block, or the inode a given file name points to.

File Name Layer Tools

fls       Lists the file and directory names in a directory, including deleted entries.

ffind     Finds the file name(s) that point to a given inode.

Reference for the above taken from here.
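To make the layers above concrete, here is an added Python example (it is not from the article and is not TSK code) that does by hand what fsstat, fls and blkcat do for a FAT32 volume: it parses the boot sector's BIOS Parameter Block to get the layout, walks a directory's 32-byte entries (flagging deleted ones, which FAT marks by overwriting the first byte with 0xE5), and maps each entry's first cluster to a byte offset in the image. The boot sector and directory bytes are constructed sample data; the geometry (512 bytes per sector, 8,388,608 sectors) matches the 4 GB test volume, and the other values are assumed. Showing the lost first character of a deleted name as "_" is a convention of this example.

```python
import struct

SECTOR = 512


def build_boot_sector() -> bytes:
    """Constructed FAT32 boot sector: 512 B/sector, 8 sectors/cluster,
    32 reserved sectors, 2 FATs x 1024 sectors, root dir at cluster 2,
    8,388,608 sectors (4 GiB). Sample data, not a real dump."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x58\x90"            # jump instruction
    bs[3:11] = b"MSWIN4.1"               # OEM name
    # BPB fields from offset 11, little-endian: bytes/sector, sectors/cluster,
    # reserved sectors, FATs, root entries (0 on FAT32), total16, media,
    # sectors/FAT16 (0 on FAT32), sectors/track, heads, hidden, total32
    struct.pack_into("<HBHBHHBHHHII", bs, 11,
                     512, 8, 32, 2, 0, 0, 0xF8, 0, 63, 255, 0, 8388608)
    # FAT32 extension: sectors per FAT, ext flags, version, root cluster
    struct.pack_into("<IHHI", bs, 36, 1024, 0, 0, 2)
    bs[82:90] = b"FAT32   "
    bs[510:512] = b"\x55\xAA"            # boot sector signature
    return bytes(bs)


def parse_bpb(bs: bytes) -> dict:
    """What fsstat reports: layout of the reserved, FAT and data regions."""
    if bs[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    bytes_per_sector, sectors_per_cluster, reserved, num_fats = struct.unpack_from("<HBHB", bs, 11)
    total_sectors = struct.unpack_from("<I", bs, 32)[0]
    sectors_per_fat, _flags, _version, root_cluster = struct.unpack_from("<IHHI", bs, 36)
    data_start = reserved + num_fats * sectors_per_fat   # FAT32 has no fixed root directory area
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "fat_start_sector": reserved,
        "data_start_sector": data_start,
        "total_sectors": total_sectors,
        "cluster_count": (total_sectors - data_start) // sectors_per_cluster,
        "root_cluster": root_cluster,
    }


def cluster_to_offset(bpb: dict, cluster: int) -> int:
    """Byte offset of a data cluster in the image (data clusters are numbered from 2)."""
    if cluster < 2:
        raise ValueError("FAT data clusters start at 2")
    sector = bpb["data_start_sector"] + (cluster - 2) * bpb["sectors_per_cluster"]
    return sector * bpb["bytes_per_sector"]


def build_dir_entry(name: bytes, ext: bytes, cluster: int, size: int, deleted: bool = False) -> bytes:
    """Constructed 32-byte short-name (8.3) directory entry."""
    e = bytearray(32)
    e[0:8], e[8:11] = name.ljust(8), ext.ljust(3)
    if deleted:
        e[0] = 0xE5                      # FAT marks a deleted entry by overwriting byte 0
    e[11] = 0x20                         # attribute: archive
    struct.pack_into("<H", e, 20, cluster >> 16)      # first cluster, high word
    struct.pack_into("<H", e, 26, cluster & 0xFFFF)   # first cluster, low word
    struct.pack_into("<I", e, 28, size)
    return bytes(e)


def parse_directory(raw: bytes, bpb: dict) -> list:
    """What fls shows: every short-name entry, deleted ones included."""
    entries = []
    for off in range(0, len(raw), 32):
        e = raw[off:off + 32]
        if e[0] == 0x00:                 # end of directory
            break
        if e[11] == 0x0F:                # long-file-name fragment, skipped here
            continue
        deleted = e[0] == 0xE5
        name = (b"_" + e[1:8] if deleted else e[0:8]).decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        cluster = (struct.unpack_from("<H", e, 20)[0] << 16) | struct.unpack_from("<H", e, 26)[0]
        entries.append({
            "name": f"{name}.{ext}" if ext else name,
            "deleted": deleted,
            "first_cluster": cluster,
            "size": struct.unpack_from("<I", e, 28)[0],
            "offset": cluster_to_offset(bpb, cluster) if cluster >= 2 else None,
        })
    return entries


# Constructed directory: one live file, one deleted file, then the end marker.
SAMPLE_DIR = (build_dir_entry(b"SECRET", b"TXT", 5, 1234)
              + build_dir_entry(b"NOTES", b"DOC", 9, 4096, deleted=True)
              + bytes(32))

if __name__ == "__main__":
    bpb = parse_bpb(build_boot_sector())
    print(bpb)
    for ent in parse_directory(SAMPLE_DIR, bpb):
        print(("* " if ent["deleted"] else "  ") + str(ent))
```

The deleted entry still carries its first cluster and size, which is why icat can often recover a deleted file on FAT as long as the clusters have not been reused; the "*" prefix mirrors how fls marks deleted names.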

Brief Overview of Autopsy's Automated Analysis Modules


Autopsy is a GUI frontend for the underlying rich TSK framework with lots of automation that makes the
life of a Forensic Analyst a little easier. Other than the built-in modules it also comes along with several 3rd
Party Modules / Plugins from other open source developers and forensic analysts. We will cover most of the
modules in our short course as well as some 3rd party modules to understand this forensic suite well. For
now, let us dive deeper into understanding the features of each module.

Module Name                          Description

Recent Activity Module               Extracts user activity as saved by web browsers and the OS. Also runs RegRipper on the registry hives.

Hash Database Lookup Module          Uses hash databases to ignore known files from the NIST NSRL and to flag known bad files.

File Type Identification Module      Determines file types based on file signatures and reports them by MIME type.

Embedded File Extraction Module      Opens ZIP, RAR and other archive formats, plus DOC, DOCX, PPT, PPTX, XLS and XLSX, and sends the files derived from them back through the ingest pipeline for analysis.

EXIF Parser Module                   Extracts EXIF information from JPEG files.

Keyword Search Module                Uses keyword lists to identify files containing specific words.

Email Parser Module                  Identifies Thunderbird MBOX files and PST format files based on file signatures, extracts the e-mails from them and adds the results to the Blackboard.

Extension Mismatch Detector Module   Uses the results of the File Type Identification module and flags files whose extension is not traditionally associated with the file's detected type.

E01 Verifier Module                  Computes a checksum on EnCase E01 files and compares it with the E01 file's internal checksum to ensure they match.

Android Analyzer Module              Analyzes SQLite and other files from an Android device. It works on physical dumps from most Android devices.

Interesting Files Identifier Module  Searches for files or directories in a data source and generates alerts when they are found. You configure rules for the files that you want to find.

PhotoRec Carver Module               Carves files from unallocated space in a forensic image.

Reference is taken from Autopsy Documentation.
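As an added example (not Autopsy code), here is a small Python version of what the File Type Identification and Extension Mismatch Detector modules do: identify a file by its signature (magic bytes), peek inside a ZIP to tell an Office Open XML document from a plain archive, and flag files whose extension does not match the detected type. The signature table is a hand-picked subset written for this example, and the sample files are constructed in memory; a JPEG renamed to .txt and an executable renamed to .jpg are the two mismatches.

```python
import io
import zipfile

# (magic bytes, MIME type, extensions traditionally used for that type)
SIGNATURES = [
    (b"\xFF\xD8\xFF", "image/jpeg", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "image/png", {"png"}),
    (b"GIF87a", "image/gif", {"gif"}),
    (b"GIF89a", "image/gif", {"gif"}),
    (b"%PDF-", "application/pdf", {"pdf"}),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "application/x-ole-storage", {"doc", "xls", "ppt", "msg"}),
    (b"PK\x03\x04", "application/zip", {"zip", "docx", "xlsx", "pptx", "jar", "apk"}),
    (b"Rar!\x1A\x07", "application/x-rar", {"rar"}),
    (b"MZ", "application/x-dosexec", {"exe", "dll", "sys", "scr"}),
    (b"\x7FELF", "application/x-elf", {"", "so", "elf"}),
    (b"!BDN", "application/vnd.ms-outlook-pst", {"pst", "ost"}),
]
OOXML = "application/vnd.openxmlformats-officedocument"

# MIME type -> set of acceptable extensions, merged across duplicate rows
ALLOWED = {mime: set() for _, mime, _ in SIGNATURES}
for _, mime, exts in SIGNATURES:
    ALLOWED[mime] |= exts
ALLOWED[OOXML] = {"docx", "xlsx", "pptx", "docm", "xlsm", "pptm"}


def _is_ooxml(data: bytes) -> bool:
    """A DOCX/XLSX/PPTX is a ZIP whose root contains [Content_Types].xml."""
    try:
        return "[Content_Types].xml" in zipfile.ZipFile(io.BytesIO(data)).namelist()
    except zipfile.BadZipFile:
        return False


def identify(data: bytes) -> str:
    """Signature-based type detection; the extension is never consulted."""
    for magic, mime, _ in SIGNATURES:
        if data.startswith(magic):
            if mime == "application/zip" and _is_ooxml(data):
                return OOXML
            return mime
    return "application/octet-stream"


def check_file(filename: str, data: bytes) -> dict:
    """Flag a mismatch only for types we know; unknown content gets no verdict."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    mime = identify(data)
    return {
        "name": filename,
        "extension": ext,
        "detected": mime,
        "mismatch": mime in ALLOWED and ext not in ALLOWED[mime],
    }


def make_ooxml() -> bytes:
    """Constructed minimal Office Open XML container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


# Constructed sample "files": only the leading bytes matter for detection.
SAMPLES = {
    "holiday.jpg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 16,
    "invoice.pdf": b"%PDF-1.4\n%...",
    "report.docx": make_ooxml(),
    "backup.zip": b"PK\x03\x04" + b"\x00" * 16,        # ZIP header only, not OOXML
    "photo.jpg": b"MZ\x90\x00" + b"\x00" * 16,         # PE executable renamed to .jpg
    "notes.txt": b"\xFF\xD8\xFF\xE1" + b"\x00" * 16,   # JPEG renamed to .txt
    "readme": b"just some text",                       # no signature match, no verdict
}


def scan(samples: dict = SAMPLES) -> list:
    return [check_file(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for result in scan():
        print(("MISMATCH " if result["mismatch"] else "ok       ") + str(result))
```

Note that signature checks are only as good as the table: a file with no matching magic is reported as application/octet-stream and deliberately not flagged, which is also why the real module depends on a large signature database rather than a handful of entries.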

With this, we have reached the end of our first article. Congratulations if you made it this far without
skipping a word of this huge article. In the next article we will begin exploring Autopsy from a practical
point of view, taking forensic images and observing the above modules in action.

A Soft Copy of the Article is now available for you to download. How to use TSK
& Autopsy Part 1

Quick Summary

1. We learned about The Sleuth Kit.

2. We learned about Autopsy.

3. We learned about The Sleuth Kit CLI tools and their functionality.

4. We learned about the features of Autopsy's different ingest modules.

5. We set up a small lab.

Conclusion
I hope you enjoyed the article just as much as I enjoyed writing it. Stay tuned for the next article and give
me suggestions to improve as they will help me out in making this small course a success.
How to use “The Sleuth Kit” and “Autopsy” | Part 2

Quick Overview
In this section we will learn about the following topics:

1. Creating a Sample Case for 4n6 Study.


2. Learning How to Use FTK Imager.
3. Start using Autopsy.
4. How to Create a Case using Autopsy, the Right way.
5. Do some Analysis.
6. Learning about 4n6 concepts as and when we encounter them while solving a case.

Download: sample-evidence Password: forensics

Introduction
In my previous article, I discussed the Autopsy forensic suite and The Sleuth Kit framework in general, along
with the tools and modules that are built into the framework. We also looked at setting up a simple FAT32
partition in our Windows VM to serve as our test partition. We will create a forensic clone of this drive and
perform some tests on it. We also discussed proper forensic workstations such as SIFT and DEFT. I will be
using SIFT in this article, but you may opt for DEFT as well, since there shouldn't be much difference
between the two for our purposes. I highly recommend reading the first part of this series before proceeding
any further.

In this part, we will explore the frameworks practically with hands-on examples so that you can learn the
tool in depth. I will try to cite as many examples as possible with proper screenshots. So, without any further
ado let’s get started.

Sample Forensic Image Construction


Before we proceed any further it would be wise to create a sample forensic image on which we will perform
our testing.

An Important Note: The method we will use to investigate is not forensically rigorous. There are a lot of
intermediaries and legal procedures required before starting a proper investigation. We are skipping those
because we are more interested to learn how to use the tool in general and not get stuck in following rules &
regulations.

With that being said, let me continue with the drive preparation. So, I have come up with a very simple
scenario of financial fraud, blackmail, and threats.

The Background Story or Case Overview

Rajesh works in the accounts department of a company named XYZ Inc. One day he receives an email from
someone who calls himself his well-wisher and threatens to expose Rajesh unless he pays up; Rajesh is
accused of financial fraud. Eight days later, Rajesh's manager receives an anonymous handwritten letter
tipping him off about Rajesh's intentions.

The manager has contacted you to perform a forensic investigation of Rajesh's system and verify this
story.

The manager tells you that Rajesh handles the company's "Social & Community Service Account" and all the
donations contributed voluntarily by other employees. This money is donated monthly to an NGO named
"Food4All Foundation".

Note: We make an assumption here: when we say Rajesh's system, we mean a single 4 GB partition with a
FAT32 file system. Later in this series we will take a full-blown example.

How was the Evidence Drive prepared?

If you read the previous article properly you should remember that we added a new drive to our Windows
VM. I have used this very same drive.

The drive contains several folders along with deleted data, spoofed content and an email thread. All or some
of which have some role to play. The email data does not contain any real information since part of it was
modified for the purpose of this tutorial. The primary evidence file/files are attached to this article at the
bottom.

Once the primary evidence and indications were formed, they were moved into the drive, copied and pasted
a few times, deleted, moved etc. to create the necessary forensic artifacts. There are a few more things that I
did but let's keep that a secret for now.

Some images from different locations and Google have been added and deleted to give a more natural feel to
it, or does it?

Other Assumptions

1. Read the one written above.


2. Assume that Request For Service form was filled by the Manager representing XYZ Inc.
3. Assume Chain of Custody forms were filled properly and maintained by the Investigator.
4. All other procedures have been followed.

Forensic Image Cloning


Now we know the back story and also how the evidence was created for the purpose of testing. Therefore,
we will directly start our practicals now. The first step is to create a Bitstream image of Drive E.

We will use FTK Imager to create a bitstream image of the drive. Download FTK Imager from here. Follow
the steps below:

1. Open FTK Imager

2. File -> Add Evidence Item.



3. Select “Physical Drive”

4. Now follow the screenshot below.



5. Hit Finish and you will be able to see the physical drive.

6. Right Click on Physical Drive and select “Export Disk Image”



7. We will create a RAW (dd) image. The other image formats FTK Imager offers (SMART, EnCase E01 and
AFF) will be discussed in another article.

8. Fill the Case Details as shown below.

9. Add the location where you want to export the image. We will export it into the Documents directory, but
in a real investigation this would be an external drive. Note that I have set the Image Fragment Size to 0,
which means the image will not be split into multiple segments; for a very large drive, splitting the image into
chunks is a good idea. In a real environment you might also want to select AD Image Encryption, but we will
skip it here.

10. Hit Finish and the cloning starts.



11. When the imaging is complete you should see something like the above. As you may have noticed, FTK
Imager also verifies the image by hashing it with MD5 and SHA1 and comparing the results with the hashes
computed during acquisition.

12. When you hit Close, you will see the completion dialog with an Image Summary button, which displays
the image metadata as well as drive statistics.

If you followed the steps properly then you should have three files created by FTK in the image destination
folder.

Image Summary

For the sake of completion let me share the exact image summary below:

Created By AccessData® FTK® Imager 3.1.1.8

Case Information:
Acquired using: ADI3.1.1.8
Case Number: 4n6-Dept-00001
Evidence Number: 1
Unique description: Logical Partition on Suspects Windows Machine.
Examiner: Animesh Shaw
Notes:

----------------------------------------------------------

Information for C:\Users\Test2\Documents\4n6 Images\Drive-E-Image:

Physical Evidentiary Item (Source) Information:
[Device Info]
Source Type: Physical
[Drive Geometry]
Cylinders: 522
Tracks per Cylinder: 255
Sectors per Track: 63
Bytes per Sector: 512
Sector Count: 8,388,608
[Physical Drive Information]
Drive Model: VMware, VMware Virtual S SCSI Disk Device
Drive Interface Type: SCSI
Removable drive: False
Source data size: 4096 MB
Sector count: 8388608
[Computed Hashes]
MD5 checksum: 375017f7d1359e73b384246f15974c60
SHA1 checksum: 668089f11aa8626879aac2e00c72437f1a47ec0e

Image Information:
Acquisition started: Sun Feb 11 19:49:54 2018
Acquisition finished: Sun Feb 11 20:02:26 2018
Segment list:
C:\Users\Test2\Documents\4n6 Images\Drive-E-Image.001

Image Verification Results:
Verification started: Sun Feb 11 20:02:37 2018
Verification finished: Sun Feb 11 20:06:36 2018
MD5 checksum: 375017f7d1359e73b384246f15974c60 : verified
SHA1 checksum: 668089f11aa8626879aac2e00c72437f1a47ec0e : verified
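The verification step FTK Imager performs can be repeated by hand whenever the image changes hands, which is the whole point of the hashes in the summary. The following added Python example (not part of the article or of FTK Imager) parses the computed MD5 and SHA1 out of a summary like the one above, hashes the raw image segment by segment in fixed-size chunks, and reports whether each hash matches. The embedded summary excerpt is taken from the article's own Image Summary; the two-segment image written to a temporary directory in demo() is constructed sample data, and the segment naming (name.001, name.002, ...) is assumed to follow FTK's convention.

```python
import hashlib
import os
import re
import tempfile

# Excerpt of the summary FTK Imager wrote next to the article's Drive-E-Image.
FTK_SUMMARY = """[Computed Hashes]
MD5 checksum: 375017f7d1359e73b384246f15974c60
SHA1 checksum: 668089f11aa8626879aac2e00c72437f1a47ec0e
Image Information:
Segment list:
C:\\Users\\Test2\\Documents\\4n6 Images\\Drive-E-Image.001
Image Verification Results:
MD5 checksum: 375017f7d1359e73b384246f15974c60 : verified
SHA1 checksum: 668089f11aa8626879aac2e00c72437f1a47ec0e : verified
"""


def parse_summary(text: str) -> dict:
    """Pull the computed MD5 and SHA1 (the first occurrence of each) out of a summary."""
    md5 = re.search(r"MD5 checksum:\s*([0-9a-fA-F]{32})", text)
    sha1 = re.search(r"SHA1 checksum:\s*([0-9a-fA-F]{40})", text)
    if not (md5 and sha1):
        raise ValueError("summary does not contain both hashes")
    return {"md5": md5.group(1).lower(), "sha1": sha1.group(1).lower()}


def image_segments(first_segment: str) -> list:
    """A split raw image is name.001, name.002, ...; gather the segments in order.
    With fragment size 0 there is a single file and it is returned as-is."""
    base, ext = os.path.splitext(first_segment)
    if not ext[1:].isdigit():
        return [first_segment]
    n, paths = int(ext[1:]), []
    while os.path.exists(f"{base}.{n:03d}"):
        paths.append(f"{base}.{n:03d}")
        n += 1
    return paths


def hash_image(paths: list, chunk_size: int = 1 << 20) -> dict:
    """Hash the concatenated segments in one pass, chunked so a multi-GB
    image never has to fit in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for path in paths:
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(chunk_size), b""):
                md5.update(block)
                sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(first_segment: str, summary_text: str) -> dict:
    """Per-algorithm match result between the summary and the image on disk."""
    expected = parse_summary(summary_text)
    actual = hash_image(image_segments(first_segment))
    return {alg: actual[alg] == expected[alg] for alg in expected}


def demo() -> tuple:
    """Write a constructed two-segment image to a temp dir, verify it,
    then flip one byte in the second segment and verify again."""
    with tempfile.TemporaryDirectory() as d:
        seg1 = os.path.join(d, "evidence.001")
        seg2 = os.path.join(d, "evidence.002")
        with open(seg1, "wb") as f:
            f.write(b"\x00" * 4096 + b"FAT32 sample sector data")
        with open(seg2, "wb") as f:
            f.write(b"deleted-file-remnant" * 100)
        h = hash_image([seg1, seg2])
        summary = f"MD5 checksum: {h['md5']}\nSHA1 checksum: {h['sha1']}\n"
        good = verify_image(seg1, summary)
        with open(seg2, "r+b") as f:
            f.seek(10)
            f.write(b"X")                    # tamper with a single byte
        bad = verify_image(seg1, summary)
    return good, bad


if __name__ == "__main__":
    print(parse_summary(FTK_SUMMARY))
    print(demo())
```

A single changed byte anywhere in any segment flips both results, which is why the hashes, not the file sizes or timestamps, belong on the chain-of-custody form.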

Primer Look

Now that the imaging is complete, let's have a look at the directory listing FTK Imager generated as a CSV
file. You can open the same on your end and have a look.

From the listing we observe a number of deleted files along with some files of interest. We will take a deeper
dive in the next section.

Let’s Do an Autopsy – Gui Version


Now let's move on to the section you have probably been waiting for; preparation was important, though.
At first we will look at the GUI version of The Sleuth Kit (TSK) framework, Autopsy; later we will look at
the browser version of Autopsy in SIFT as well as the TSK CLI tools. Let's get started.
Creating A Case Using Autopsy

Follow the step by step approach to create a case using Autopsy and perform forensics.

1. Open Autopsy. I have Autopsy installed inside my Win VM.

2. Click on “Create New Case”. In the next screen, fill the necessary case details and set the location to
store case files.

3. Now Enter Case Number and Name of the Investigator. You should assign a Case Number in such a way
that it should be recognizable easily and can be retrieved easily for future reference.

4. You will see that Autopsy started working on creating the database files and it might take a minute or two.
5. Finally, you will be prompted to add the forensic evidence. Choose Disk Image.

6. In the next screen add your forensic image. Also set the time zone accordingly.

7. Now you will be asked to choose which Ingest modules to run on the current image. In the previous
article I have already mentioned the functionality and usage of each module and so look it up in case you
would like to cross-reference. Select the modules that I have chosen as shown in the image below.

8. We could have chosen all the modules, but that would waste time, since the automated analysis would drag
on unnecessarily. As an investigator, time is often of the essence, so if you can reduce the analysis surface to
save time, do it. But remember that you should look everywhere, however unlikely it may seem, because you
never know what you may uncover. Applying Occam's Razor might yield good results in certain situations,
but don't forget that it can also become a principle of limiting thoughts, or at least that's what I like to call
it. Once you've configured the ingest modules you will see the image being processed by Autopsy. It is going
to take some time before the analysis is over, so hold your horses.

Analyzing The Forensic Image

Once you've added the evidence files, Autopsy works on its own to analyze the entire image and sort the
findings into categories. You have the option to modify certain rules or the ingest modules, but we will cover
that later and not in this part.

The analysis will take some time to complete, depending on your computing resources. On my end it took
roughly 30-40 minutes to analyze the entire 4 GB image.

Now that everything is set up, it's time to make observations.


Observations

We can make the following observations.

Image EXIF Data

a. The first things that stand out are the bunch of email addresses and the EXIF metadata from images. We
will begin by looking at the extracted EXIF data.

b. For every media file you select in Autopsy, you can see the image in the Media tab of the docked tabbed
section, alongside the other tabs: Hex, Strings, File Metadata, Results, Indexed Text and Media. Each tab has
a different function, and we will learn about them eventually. Media displays any form of media file (GIF,
image formats, videos). File Metadata shows the file's metadata and EXIF data (if any). Similarly, if you
open the Thumbnails tab above, it shows all the images at thumbnail size.
c. If you double-click an image you will be taken to its location in the disk image. The context menu for
each image gives a number of other options, such as extracting the file from the disk image, tagging the file
as evidence, opening it in a different viewer, etc. I would ask you to try out all the different options, though
some of them we will explore later in another case.

d. Viewing an image in a new window gives you its full details. These particular images are nothing special;
they ship with the Windows installation. There is a possibility that steganographic information is hidden
inside them, but for now we will skip that possibility, since covering it would require a different tool and
concept altogether.

e. Whenever you come across an image during a forensic investigation, looking at its MAC times and EXIF
data might reveal a lot. For example, a file that is much larger than its resolution warrants might indicate
hidden data (such as data appended after the JPEG end-of-image marker), and the comment segment of an
image may contain malicious code or a hidden message.
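As an added Python example (not from the article or from Autopsy) of the checks in point (e), the code below walks the marker segments of a JPEG: it notes whether an Exif APP1 segment is present (the data the EXIF Parser module reads), collects any COM comment segments, reads the image dimensions from the SOF segment so the size-to-resolution ratio can be judged, and reports any bytes found after the EOI marker, which is where appended data hides. The sample JPEG is constructed byte by byte, with an archive signature appended after EOI; the 3 bytes-per-pixel threshold in red_flags() is an assumed heuristic, not a rule.

```python
import struct


def build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG: Exif APP1, a COM segment, a 16x16 SOF0,
    a short scan containing a stuffed 0xFF00 and an RST0 marker, EOI, and
    then data appended after the end of image. Not a real photo."""
    def seg(marker: int, payload: bytes) -> bytes:
        return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    jpeg = b"\xFF\xD8"                                                   # SOI
    jpeg += seg(0xE1, b"Exif\x00\x00" + b"II*\x00\x08\x00\x00\x00")      # APP1 + TIFF header
    jpeg += seg(0xFE, b"Hidden comment")                                 # COM
    jpeg += seg(0xC0, b"\x08" + struct.pack(">HH", 16, 16) + b"\x01\x01\x11\x00")  # SOF0
    jpeg += seg(0xDA, b"\x01\x01\x00\x00\x3F\x00")                       # SOS header
    jpeg += b"\x12\x34\xFF\x00\x56\xFF\xD0\x78"                          # entropy-coded data
    jpeg += b"\xFF\xD9"                                                  # EOI
    return jpeg + b"PK\x03\x04hidden-archive"                            # appended payload


def walk_jpeg(data: bytes) -> dict:
    """Parse the segment chain and report what a quick triage wants to know."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI marker")
    info = {"has_exif": False, "comments": [], "width": None, "height": None,
            "eoi_offset": None, "trailing": b""}
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                                   # EOI: everything after it is foreign
            info["eoi_offset"] = pos
            info["trailing"] = data[pos + 2:]
            break
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack_from(">H", data, pos + 2)[0]  # length includes its own 2 bytes
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            info["has_exif"] = True
        elif marker == 0xFE:
            info["comments"].append(payload)
        elif marker in (0xC0, 0xC1, 0xC2):                   # SOF0/1/2: precision, height, width
            info["height"], info["width"] = struct.unpack_from(">HH", payload, 1)
        pos += 2 + length
        if marker == 0xDA:                                   # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                                    # a real marker, not stuffing or RSTn
                pos += 1
    info["trailing_bytes"] = len(info["trailing"])
    info["bytes_per_pixel"] = (len(data) / (info["width"] * info["height"])
                               if info["width"] and info["height"] else None)
    return info


def red_flags(info: dict) -> list:
    flags = []
    if info["eoi_offset"] is None:
        flags.append("no EOI marker (truncated or not a JPEG)")
    if info["trailing_bytes"]:
        flags.append(f"{info['trailing_bytes']} bytes after EOI")
    if info["comments"]:
        flags.append(f"{len(info['comments'])} COM segment(s)")
    if info["bytes_per_pixel"] and info["bytes_per_pixel"] > 3.0:   # assumed threshold
        flags.append("file much larger than its resolution warrants")
    return flags


if __name__ == "__main__":
    result = walk_jpeg(build_sample_jpeg())
    print({k: v for k, v in result.items() if k != "trailing"})
    print(red_flags(result))
```

Image viewers stop at EOI, so the appended bytes never show up on screen; the same walk over a real photo, with the trailing bytes fed back into signature detection, is the manual equivalent of what the Embedded File Extraction module does for archives.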

We will now look into another section to find out more about the case as well as learn more about Autopsy.

I will end this part here only. It's getting too big for an article. I will publish another article with the
continuation of this investigation in the next 2-3 days with a high-quality pdf version of this very same
article.

Please let me know what do you think about this article so far. Anything else that you would add?
What kind of cases would you like me to create and solve them? Let me know your ideas in the
comments below. Please share the article if you liked reading it.
