Hello Peerlysters,
Today, we will take a look at one of the most popular open-source forensic tools, Autopsy (the GUI front end for The Sleuth Kit). If you have ever wanted to become a digital detective or get started with digital forensics and searched Google for "forensic tools", you are sure to have come across the term "The Sleuth Kit". If you haven't yet, don't worry. By the time you reach the end of this article and have read the other articles in this series, you will be able to use the tool in a variety of scenarios and apply it in your practical life as well as at work. So, stay tuned.
As you might have guessed from the introduction, I aim to create a small course on how to use Autopsy for conducting forensic investigations. We will cover everything from the ground up, and I will help you create a small lab for conducting experiments too. Throughout the series I will create small practical scenarios, and we will conduct the investigation based on them. I humbly request the Peerlyst community to correct me whenever you feel I could have done it better. I will modify the content accordingly and improve the article based on your suggestions.
Windows: You can download Sleuth Kit Windows Binaries from here.
Linux: One of the simplest ways to install sleuthkit is to open a terminal and run the following:
The second option is to download the latest source code and do a manual installation. You can read more
about it here.
How to use "The Sleuth Kit" and "Autopsy"
Another option is to use a forensic workstation like SIFT or DEFT, where it is preinstalled along with hundreds of other forensic tools. In our training series we will be using Autopsy and TSK from within the SIFT environment, but that will be covered in a different article. Links to these workstations are given later in the article.
About "Autopsy"
"Autopsy® is an easy to use, GUI-based program that allows you to efficiently analyze hard drives and smart phones. It has a plug-in architecture that allows you to find add-on modules or develop custom modules in Java or Python." -- SleuthKit.org
Get Autopsy
Windows: You can download Autopsy Windows binaries from here (x64) and here (x86).
Linux: Autopsy for Linux and OS X comes with a web interface and is no longer maintained; it was supported up to version 2. You can find more details about it here. However, if you would like to use it and get some experience, you can opt for a forensic workstation like SIFT or DEFT. In our series we will also cover the web interface, but in a different article.
Forensic Workstations
Pre-configured virtual machines or bootable ISOs loaded with hundreds of forensic tools at your disposal. The most popular ones out there are:
You may look into the instructions for installation on their respective download pages. There are other forensic distros out there, but I prefer the above two.
You can get a Windows VM from Microsoft, unless you already have one from known or unknown sources :D
I will be using Windows 7 for performing the analysis and testing Autopsy. Install Windows 7 normally as you would in a VM and then install Autopsy too (links are given above). In my setup, I have added an extra 4 GB virtual disk with a FAT32 file system, which we will use to create a forensic image and perform forensic analysis. The process for creating this drive is described below.
3. Choose the Add option to add a new hard disk. Click Next, and Next again on the second screen.
4. Choose "Create a new Virtual Disk". Next, add a name.
5. Finish and then power on the virtual machine. Once the VM has started, go to Disk Management and you will be able to see a 4 GB unallocated partition. Right-click it and create a new Simple Volume.
6. Now simply follow the screenshots below one after the other.
7. The new FAT32 partition has been created. You will now be asked to perform a quick format before using the disk.
8. Format the disk and your new drive is ready for use.
If you're wondering why we went through this entire process to create this drive, here's the answer. This partition will be your test partition. Infect it, use it, corrupt files in it, lock it, hide it, etc., then create a forensic image and analyze it using Autopsy. I will be doing the same.
Alternative Solution/Approach
In case you want to perform all the testing on your main/host system you can opt for an external flash drive.
Use this flash drive as a test device and format it with different file systems to analyze it using Autopsy. We
will cover a bit of USB Device forensics much later and will be analyzing a USB drive and explore it
forensically.
Note: In a real scenario, you have to write-block and clone the entire physical drive, not just a single partition or flash drive. We will store the cloned raw image in another partition, whereas in a practical scenario you should store it on an external storage device.
File signature: Information contained within a file that identifies its type, even though the file's extension may have been altered.
Forensic image/Forensic Copy: A forensically sound and complete copy of a hard drive or other digital
media, generally intended for use as evidence. Such copies include unallocated space, slack space, and boot
record. A forensic image is often accompanied by a calculated Hash signature to validate that the image is
an exact duplicate of the original.
Write blockers are devices that allow acquisition of information on a drive without creating the possibility
of accidentally damaging the drive contents. They do this by allowing read commands to pass but by
blocking write commands, hence their name.
The above terminologies have been taken from here. I will later create another post consisting of most of the forensic and infosec terminology (if it is not already published here).
fsstat: Displays details about the file system of the forensic image.

Module Name: Description
Embedded File Extraction Module: Opens ZIP, RAR, other archive formats, Doc, Docx, PPT, PPTX, XLS, and XLSX and sends the derived files from those files back through the ingest pipeline for analysis.
EXIF Parser Module: Used to extract EXIF information from JPEG files.
Email Parser Module: Identifies Thunderbird MBOX files and PST format files based on file signatures, extracting the e-mails from them, adding
With this, we have reached the end of our first article. Congratulations if you made it this far without skipping a word while reading through this huge article! In the next article, we will begin exploring Autopsy from a practical point of view by taking forensic images and observing the above modules in action.
A soft copy of the article is now available for you to download: How to use TSK & Autopsy Part 1
Quick Summary
3. We Learned About The Sleuth Kit CLI Tools and their functionality.
Conclusion
I hope you enjoyed the article just as much as I enjoyed writing it. Stay tuned for the next article and give
me suggestions to improve as they will help me out in making this small course a success.
How to use “The Sleuth Kit” and “Autopsy” | Part 2
Quick Overview
In this section we will learn about the following topics:
Introduction
In my previous article I discussed the Autopsy forensics suite and The Sleuth Kit framework in general, along with all the tools and modules that are built into the framework. We also looked into setting up a simple partition with the FAT32 file system in our Windows VM to serve as our testing partition. We will create a forensic clone of this drive and perform some tests. We also discussed setting up proper forensic workstations like SIFT and DEFT. I will be using SIFT in this article, but you may opt for DEFT as well since there shouldn't be much difference between the two. I highly recommend reading the first part of this article series before proceeding any further.
In this part we will explore the frameworks practically, with hands-on examples, so that you can learn the tool in depth. I will try to cite as many examples as possible with proper screenshots. So, without any further ado, let's get started.
An important note: The method we will use to investigate is not forensically rigorous. There are a lot of intermediate steps and legal procedures required before starting a proper investigation. We are skipping those because we are more interested in learning how to use the tool in general than in getting stuck following rules and regulations.
With that being said, let me continue with the drive preparation. So, I have come up with a very simple
scenario of financial fraud, blackmail, and threats.
Rajesh works in the Accounts department of a company named XYZ Inc. One day he receives an email from someone who calls himself his well-wisher and threatens to expose Rajesh unless he pays up. Rajesh is accused of financial fraud. After 8 days, Rajesh's manager receives a handwritten letter from an anonymous sender tipping him off about Rajesh's cruel intentions.
The manager contacts you to perform a forensic investigation of Rajesh's system and verify this story.
The manager tells you that Rajesh handles the company's "Social & Community Service Account" and all the donations made by other employees on a voluntary basis. This money is donated monthly to an NGO named "Food4All Foundation".
Note: We make an assumption here: when we say Rajesh's system we mean a single 4 GB partition with the FAT32 file system. Later, in another part of this article series, we will take a full-blown example.
If you read the previous article properly you should remember that we added a new drive to our Windows VM. I have used this very same drive.
The drive contains several folders along with deleted data, spoofed content and an email thread, all or some of which have a role to play. The email data does not contain any real information, since part of it was modified for the purpose of this tutorial. The primary evidence file(s) are attached to this article at the bottom.
Once the primary evidence and indications were formed, they were moved into the drive, copied and pasted
a few times, deleted, moved etc. to create the necessary forensic artifacts. There are a few more things that I
did but let's keep that a secret for now.
Some images from different locations and Google have been added and deleted to give a more natural feel to
it, or does it?
Other Assumptions
We will use FTK Imager to create a bitstream image of the drive. Download FTK Imager from here. Follow
the steps below:
5. Hit Finish and you will be able to see the physical drive.
7. We will create a RAW (dd) image clone. We will discuss the other image types, such as Expert Witness, in another article.
9. Add the location where you want to export the image. We will export it into the Documents directory, but in a real investigation this would be an external drive. Note that I have set the Image Fragment Size to 0, which means the image will not be split into multiple parts. If the drive were very large, splitting the image into multiple chunks would be a good idea. In a real environment you might want to select AD Image Encryption, but we will skip it.
11. When the image cloning is complete you should see something like the above. As you may have noticed already, FTK also verifies the image integrity with MD5 and SHA1 hashes.
12. When you hit Close, you will see the image creation completion dialog with an Image Summary button, which displays the image meta information as well as drive stats.
If you followed the steps properly, you should have three files created by FTK in the image destination folder.
Image Summary
For the sake of completeness, let me share the exact image summary below:
Created By AccessData® FTK® Imager 3.1.1.8
Case Information:
Acquired using: ADI3.1.1.8
Case Number: 4n6-Dept-00001
Evidence Number: 1
Unique description: Logical Partition on Suspects Windows Machine.
Examiner: Animesh Shaw
Notes:
----------------------------------------------------------
Information for C:\Users\Test2\Documents\4n6 Images\Drive-E-Image:
Physical Evidentiary Item (Source) Information:
[Device Info]
Source Type: Physical
[Drive Geometry]
Cylinders: 522
Tracks per Cylinder: 255
Sectors per Track: 63
Bytes per Sector: 512
Sector Count: 8,388,608
[Physical Drive Information]
Drive Model: VMware, VMware Virtual S SCSI Disk Device
Drive Interface Type: SCSI
Removable drive: False
Source data size: 4096 MB
Sector count: 8388608
[Computed Hashes]
MD5 checksum: 375017f7d1359e73b384246f15974c60
SHA1 checksum: 668089f11aa8626879aac2e00c72437f1a47ec0e
Image Information:
Acquisition started: Sun Feb 11 19:49:54 2018
Acquisition finished: Sun Feb 11 20:02:26 2018
Segment list:
C:\Users\Test2\Documents\4n6 Images\Drive-E-Image.001
Image Verification Results:
Verification started: Sun Feb 11 20:02:37 2018
Verification finished: Sun Feb 11 20:06:36 2018
MD5 checksum: 375017f7d1359e73b384246f15974c60 : verified
SHA1 checksum: 668089f11aa8626879aac2e00c72437f1a47ec0e : verified
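The verification FTK performs at the end of the summary is something you should be able to repeat independently before trusting an image that was handed to you. The Python below is an added example, not part of this article or of FTK Imager: it parses the MD5 and SHA1 lines out of a summary like the one above and re-hashes the raw image on disk, treating a split image (.001, .002, ...) as one continuous stream. The sample summary text is constructed from the hash values quoted above.

```python
import hashlib
import re

# Constructed sample of the "Computed Hashes" part of an FTK Imager summary; the
# values are the ones quoted in the Image Summary above.
SAMPLE_SUMMARY = """[Computed Hashes]
MD5 checksum: 375017f7d1359e73b384246f15974c60
SHA1 checksum: 668089f11aa8626879aac2e00c72437f1a47ec0e
"""

def parse_ftk_hashes(summary_text):
    """Pull the MD5 and SHA1 values out of an FTK Imager summary text."""
    hashes = {}
    for algo in ("md5", "sha1"):
        match = re.search(rf"{algo} checksum:\s*([0-9a-fA-F]+)", summary_text, re.IGNORECASE)
        if match:
            hashes[algo] = match.group(1).lower()
    return hashes

def hash_chunks(chunks):
    """Hash a stream of byte chunks with both algorithms in a single pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in chunks:
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def read_segments(segment_paths, chunk_size=1 << 20):
    """Yield the bytes of a raw (dd) image. A split image (.001, .002, ...) is read
    segment by segment in name order so it hashes as one continuous stream."""
    for path in sorted(segment_paths):
        with open(path, "rb") as handle:
            yield from iter(lambda: handle.read(chunk_size), b"")

def compare_hashes(actual, summary_text):
    """Return per-algorithm match results against the summary; both must be True."""
    expected = parse_ftk_hashes(summary_text)
    return {algo: actual[algo] == expected.get(algo) for algo in ("md5", "sha1")}

def verify_image(segment_paths, summary_text):
    """Re-hash the image segments on disk and compare them with the FTK summary."""
    return compare_hashes(hash_chunks(read_segments(segment_paths)), summary_text)

if __name__ == "__main__":
    import sys
    # usage: python verify.py summary.txt image.001 [image.002 ...]
    with open(sys.argv[1], encoding="utf-8", errors="replace") as summary:
        print(verify_image(sys.argv[2:], summary.read()))
```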
Primer Look
Now that the cloning process is complete, let's have a look at the CSV file generated by FTK. You can open the same on your end and have a look.
From the image above we observe a bunch of different files that have been deleted along with some files of
interest. We will take a deeper dive in the next section.
Follow the step-by-step approach below to create a case using Autopsy and perform forensics.
2. Click on "Create New Case". In the next screen, fill in the necessary case details and set the location to store the case files.
3. Now enter the Case Number and the name of the investigator. You should assign the Case Number in such a way that it is easily recognizable and can be retrieved easily for future reference.
4. You will see that Autopsy started working on creating the database files and it might take a minute or two.
5. Finally, you will be prompted to add the forensic evidence. Choose Disk Image.
6. In the next screen add your forensic image. Also set the time zone accordingly.
7. Now you will be asked to choose which ingest modules to run on the current image. In the previous article I already described the functionality and usage of each module, so look it up if you would like to cross-reference. Select the modules that I have chosen, as shown in the image below.
8. We could've chosen all the modules, but that would be a waste of time since the automated analysis by Autopsy would drag on unnecessarily. As an investigator, time is often of the essence, so if you can reduce the analysis surface to save time, DO IT! But remember that you should look everywhere, however unlikely it might seem, because you never know what you may uncover. Applying Occam's Razor might yield good results in certain situations, but don't forget that it could also be considered a Principle of Limiting Thoughts, or at least that's what I like to call it. Once you've configured the ingest modules you will see that the cloned image is being processed by Autopsy. It's going to take some time before the entire analysis is over, so hold your horses.
Once you've added the evidence files, Autopsy works on its own to analyze the entire image and put the results into specific categories. You have the option to modify certain rules or the ingest modules, but we will cover that later and not in this part.
The analysis will take some time to complete, but again it depends on your computing resources. On my end it took roughly 30-40 minutes to analyze the entire 4 GB image.
a. The first things that stand out are the bunch of email addresses and the EXIF metadata from images. We will begin by taking a look at the EXIF data extracted.
b. For every media file you select in Autopsy, you will be able to see the image in the Media tab of the docked tabbed section, alongside the other tabs: Hex, Strings, File Metadata, Results, Indexed Text and Media. Every tab has a different function, and we will learn about them eventually. Media displays any form of media file, such as GIFs, other image formats and videos. The File Metadata tab shows us the file metadata and EXIF data (if any). Similarly, if you open the Thumbnails tab above, it should show all the images at thumbnail size.
c. If you double-click the image you will be taken to the location in the disk image where the file exists. From the context menu for each image you get a bunch of other options, such as extracting the file from the disk image, tagging the file as evidence, opening it in a different viewer, etc. I would ask you to try out all the different options, though there are some which we will explore later in another case.
d. Viewing them in a new window will give you the full details about the image. These images are nothing special; they come by default with the Windows installation. There is a possibility that some steganographic information is present within these images, but for now we will skip that possibility because covering it would mean moving to a different tool and concept altogether.
e. Whenever you come across an image during a forensic investigation, looking at its MAC times and EXIF data might reveal a lot of information. For example, a huge file size but medium resolution might indicate hidden data, and comments in an image might contain malicious code.
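As an added example that is not part of this article, the Python below implements two checks described on this page: the file-signature test from the Part 1 terminology section (a .jpg that does not start with the JPEG magic bytes, or a JPEG renamed to another extension) and the size-versus-resolution and comment checks just mentioned, by walking the JPEG marker segments to read the SOF dimensions and any COM segments. The sample byte stream and the 3 bytes-per-pixel threshold (more than uncompressed 24-bit pixel data would need) are constructed assumptions for illustration.

```python
import struct

JPEG_MAGIC = b"\xff\xd8\xff"      # file signature shared by all JPEG variants
OVERSIZED_BYTES_PER_PIXEL = 3.0   # assumed threshold: larger than raw 24-bit pixel data

# Constructed sample: a JPEG-like byte stream with a COM segment, a SOF0 frame
# header for a 640x480 image and an SOS marker. It is not a decodable picture,
# only the segment structure a parser walks.
SAMPLE_JPEG = (
    b"\xff\xd8"                                                  # SOI
    + b"\xff\xfe" + struct.pack(">H", 2 + 11) + b"test note 1"   # COM segment
    + b"\xff\xc0" + struct.pack(">HBHHB", 17, 8, 480, 640, 3)    # SOF0 header
    + b"\x01\x22\x00\x02\x11\x01\x03\x11\x01"                    # 3 component entries
    + b"\xff\xda" + b"\x00" * 2000                               # SOS, stand-in scan data
)

def extension_matches_signature(name, data):
    """File-signature check: a .jpg/.jpeg name must start with the JPEG magic bytes,
    and a file carrying the JPEG magic under another extension is a mismatch too."""
    claims_jpeg = name.lower().endswith((".jpg", ".jpeg"))
    return claims_jpeg == data.startswith(JPEG_MAGIC)

def walk_segments(data):
    """Yield (marker, payload) for each marker segment before the entropy-coded data."""
    pos = 2                                      # skip SOI
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):               # SOS (scan data follows) or EOI: stop
            return
        if pos + 4 > len(data):                  # truncated segment header
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def inspect_jpeg(data):
    """Return dimensions, embedded comments and a size/resolution ratio for a JPEG."""
    info = {"width": None, "height": None, "comments": [],
            "bytes_per_pixel": None, "oversized": False}
    for marker, payload in walk_segments(data):
        if marker in (0xC0, 0xC1, 0xC2):          # SOF0/SOF1/SOF2: precision, height, width
            _, info["height"], info["width"] = struct.unpack(">BHH", payload[:5])
        elif marker == 0xFE:                      # COM: free-text comment segment
            info["comments"].append(payload.decode("latin-1", errors="replace"))
    if info["width"] and info["height"]:
        info["bytes_per_pixel"] = len(data) / (info["width"] * info["height"])
        info["oversized"] = info["bytes_per_pixel"] > OVERSIZED_BYTES_PER_PIXEL
    return info

if __name__ == "__main__":
    print(extension_matches_signature("holiday.jpg", SAMPLE_JPEG))
    print(inspect_jpeg(SAMPLE_JPEG))
```

An oversized result is only a lead: a file with a lot of trailing data after the image still has to be carved and examined to see what was appended.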
We will now look into another section to find out more about the case as well as learn more about Autopsy.
I will end this part here; it's getting too big for an article. I will publish another article continuing this investigation in the next 2-3 days, with a high-quality PDF version of this very same article.
Please let me know what you think about the article so far. Is there anything else you would add? What kinds of cases would you like me to create and solve? Let me know your ideas in the comments below. Please share the article if you liked reading it.