
BN309 Computer Forensics
Laboratory 7: Data Construction
Submission Due: End of laboratory class; submit the file on Moodle at least 10 minutes before the end of the laboratory class.
Total Marks = 10 marks for 10 weeks (DIT and BNet)
= 5 marks for 10 weeks (GDNet and MNet)
Marks will be given only to students who attend and participate during the 2-hour laboratory class. Submission on Moodle is mandatory as evidence of participation.
Description of the laboratory exercise:
In this lab, you will use Sleuth Kit and Autopsy. You will find this software in the “Software for Labs” folder on Moodle.
Activity 1: Installing Sleuth Kit and Autopsy
To begin using Sleuth Kit and Autopsy, you need to install them on a UNIX-like system, such as Linux, FreeBSD, or Mac OS X, using the most recent release of each tool.
For the latest versions of Sleuth Kit and Autopsy Browser, download the current source code from www.sleuthkit.org. The source code for each tool is packaged as a tarball. After you have downloaded and extracted it, read the README or INSTALL file for instructions on running the make command to complete the installation; in the latest Sleuth Kit and Autopsy tarballs, make tests, compiles, and installs the tool. Run the build from a terminal window as an ordinary user; only the final installation step, which copies the tools into a system directory such as /usr/local, needs root privileges.
To run Sleuth Kit and Autopsy Browser, you need to have root privileges. To start Autopsy, follow these steps:
1. If necessary, start your Linux computer and open a terminal window.
2. Change to the Autopsy Browser directory. For example, if you installed Autopsy Browser in /usr/local/autopsy-2.08, type cd /usr/local/autopsy-2.08 and press Enter. (The path must begin with a slash; cd usr/local/autopsy-2.08 is interpreted relative to the current directory and fails.)
3. At the prompt, type su and press Enter. At the password prompt, enter the root password and press Enter.
4. To start Autopsy, type ./autopsy and press Enter. Figure 8-13 shows the results of this command.
5. Right-click the URL http://localhost:9999/autopsy, as indicated in the terminal window, and then click Copy.
6. Start your Web browser. Select the current URL in the Address text box, right-click the URL, click Paste to insert the Autopsy URL, and then press Enter. Figure 8-14 shows the Autopsy main window.
 
7. Leave your Web browser open for the next activity.
Activity 2: Examining a Case with Sleuth Kit and Autopsy
In this activity, you learn how to use Sleuth Kit and Autopsy Browser to analyze a Linux Ext2 or Ext3 file system. If you closed your Web browser with Autopsy, restart it.
Before starting the examination with Sleuth Kit and Autopsy, download the GCFI-LX.00n image files (with n representing a number from 1 to 5) from
https://drive.google.com/a/academic.mit.edu.au/file/d/0B1mNQzaOkGFubzV0ZmlEdmt3WFU/view?usp=sharing
and copy the folder to the evidence locker, which is the folder designated as the working area for Autopsy when it was installed. Autopsy uses the evidence locker to save results from examinations.
If you don’t recall the evidence locker path, navigate to the Autopsy installation folder, open the conf.pl file, and look for the $LOCKDIR parameter to see the current path setting. If you want to change the evidence locker location, set $LOCKDIR to the new path, enclosed in single quotation marks.
The following steps use Sleuth Kit 2.07 and Autopsy Browser 2.08. If you’re using different versions, your screens and output might differ from what’s shown in this activity.
To start the examination of an acquired image of a Linux disk, follow these steps:
1. In Autopsy’s main window, click the New Case button. When the Create A New Case dialog box opens, enter the investigation data, using Figure 8-15 as a guide, and then click the New Case button to continue.
2. In the Creating Case dialog box, click Add Host to continue.
3. In the Add A New Host dialog box, enter your information, using Figure 8-16 as a guide, and then click Add Host.
4. In the Adding Host dialog box, click Add Image to continue.
5. In the Open Image dialog box, click Add Image File.
6. In the Add A New Image dialog box, type the complete path to the evidence locker in the Location text box, click the Partition and Move option buttons, and then click Next. (Remember that UNIX/Linux filenames are case sensitive. If you enter a lowercase filename and the filename is uppercase, Autopsy can’t find and load the file. Move relocates the image files into the evidence locker; if you want the originals left where they are, choose Copy instead, at the cost of a second copy on disk.)
If you have multiple segment volumes that are sequentially numbered or lettered (the output of the dd command piped through split, which produces numeric suffixes with the -d switch and alphabetic suffixes without it), use an asterisk as the extension (for example, GCFI-LX.*) so that all segments are read in sequence.
7. In the Split Image Confirmation dialog box, verify that all images are correctly loaded; if they are, click Next. If not, click Cancel. (If this data is incorrect, it’s probably caused by an error in the pathname to the evidence locker or image files.)
8. In the Image File and File System Detail dialog box, click the Calculate the hash value for this image option button, and then click Add. In the Calculating MD5 message box, click OK.
9. In the Select a volume to analyze or add a new image file dialog box, click Keyword Search to initiate a search for keywords of interest to the investigation.
10. In the Keyword Search dialog box, type the name martha in the text box, as shown in Figure 8-17, and then click Search.
11. When the search is finished, Autopsy displays a summary of the search results (see Figure 8-18). To see detailed search results, click the results link at the upper left.
12. Examine the search results by scrolling through the left pane, and then click the Fragment 236019 “Ascii” link to view details of the search. Repeat this examination by clicking other ASCII and Hex links for the remaining hits. When you’re finished examining the search hits, close the Searching for ASCII and Searching for Unicode dialog box to return to the Select a volume to analyze or add a new image file box. Leave this program open for the next activity.
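The note in step 6 relies on the shell expanding GCFI-LX.* in sorted order, and step 8 hashes the image so that you can later prove nothing changed. The script below is an added example (not part of the lab handout and not Autopsy's own code) that ties the two together: it builds a constructed stand-in image, splits it the way dd piped through split would, reassembles it through the same glob, and compares MD5 hashes of the original, the glob-ordered reassembly, and a deliberately mis-ordered one. It assumes GNU coreutils (split -d, md5sum) as found on the lab's Linux host; the names GCFI-LX.dd and locker/ are chosen here to mirror the lab and are not produced by Autopsy.

```shell
#!/bin/sh
# Added example, not from the lab handout: why "GCFI-LX.*" reassembles
# split segments correctly, and how an image hash proves it.
# Assumes GNU coreutils (split -d, md5sum), as on the lab's Linux host.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
IMG="$WORK/GCFI-LX.dd"      # the un-split original, kept OUTSIDE the locker
LOCKER="$WORK/locker"       # stand-in for Autopsy's $LOCKDIR evidence locker
SEG_BYTES=65536             # segment size; real acquisitions use e.g. 650M or 2G

# Constructed stand-in for an acquired image: 200 KiB of non-repeating
# bytes. This is filler, not an ext2/ext3 file system.
make_image() {
    seq 1 100000 | head -c 204800 > "$IMG"
}

# Split the way "dd if=/dev/sdX | split -d -b SIZE - GCFI-LX." would.
# -d gives numeric suffixes (GCFI-LX.000, .001, ...); without -d you get
# GCFI-LX.aaa, .aab, ... Both sort in acquisition order, which is all the
# asterisk relies on. (GNU split starts at 000; the lab's images start at 001.)
split_image() {
    mkdir -p "$LOCKER"
    split -d -a 3 -b "$SEG_BYTES" "$IMG" "$LOCKER/GCFI-LX."
}

segment_count() {
    ls "$LOCKER"/GCFI-LX.* | wc -l | tr -d ' '
}

md5_of_stdin() { md5sum | cut -d ' ' -f 1; }

original_md5() { md5_of_stdin < "$IMG"; }

# What the asterisk does: the shell expands GCFI-LX.* in sorted order and
# the segments are read back-to-back as one stream.
glob_md5() { cat "$LOCKER"/GCFI-LX.* | md5_of_stdin; }

# The failure mode the hash check must catch: segments concatenated out
# of order (here simply reversed).
reversed_md5() { ls -r "$LOCKER"/GCFI-LX.* | xargs cat | md5_of_stdin; }

# Returns 0 only if the glob-ordered reassembly is byte-identical to the original.
verify_reassembly() {
    [ "$(glob_md5)" = "$(original_md5)" ]
}

make_image
split_image
echo "segments : $(segment_count)"
echo "original : $(original_md5)"
echo "glob     : $(glob_md5)"
echo "reversed : $(reversed_md5)"
if verify_reassembly; then echo "reassembly OK"; else echo "reassembly MISMATCH"; fi
```

Two things to carry into the lab: keep the un-split original (if you have one) out of the locker, because GCFI-LX.* would also match GCFI-LX.dd and the extra file would be appended to the stream; and record the MD5 Autopsy computes in step 8 in your notes, since it is the value you will compare against when you later check that the image has not been altered.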
Next, you learn how to use the File Activity Time Lines function, which is useful for identifying what files were active at a specific time. This function displays files that might have been corrupted or accessed so that you can examine them further. Follow these steps to see how this function works:
1. To analyze the timelines of the evidence, navigate back to the Select a volume to analyze or add a new image file dialog box, shown in Figure 8-19.
2. Click the File Activity Time Lines button.
3. In the File Activity Time Lines dialog box, click Create Data File. In the Create Data File dialog box, click the /1/ gcfi-lx.001-0-0 ext check box, type GCFI-LX-body for the name of the output file, and click OK.
4. In the Running fls and Running ils dialog box, click OK.
5. In the next dialog box, click the GCFI-LX-body option button. Enter the starting date, click the Specify option button, and change the date to Dec 1, 2006. Then enter the ending date, click the Specify option button, and change the date to Jan 23, 2007 (see Figure 8-20). Then click OK.
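Steps 3 to 5 run fls -m and ils -m to write a body file (one line per file or inode with its timestamps) and then apply the Dec 1, 2006 to Jan 23, 2007 window to it; inside Autopsy that filtering is done by mactime. The script below is an added example, not part of the lab handout and not Sleuth Kit's own code: it applies the same window to a small constructed body file so you can see which timestamps survive and how one file contributes several timeline events. It assumes the 11-field body format written by Sleuth Kit 3.x (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, times in epoch seconds); Sleuth Kit 2.07 as used in the lab writes a longer 16-field variant, so adjust the field numbers if you feed it a real GCFI-LX-body from that version. The four entries and their timestamps are invented for the example.

```shell
#!/bin/sh
# Added example, not from the lab handout: the date window Autopsy's
# timeline applies to a body file, reproduced with awk. Assumes the
# 11-field body format of Sleuth Kit 3.x (see lead-in); constructed data.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BODY="$WORK/GCFI-LX-body"

# Lab window: Dec 1, 2006 through the end of Jan 23, 2007, as UTC epoch
# seconds (what "date -u -d 2006-12-01 +%s" and
# "date -u -d '2007-01-23 23:59:59' +%s" print on a GNU system).
WIN_START=1164931200
WIN_END=1169596799

# Constructed body file: two entries touch the window, two do not.
# Fields: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
cat > "$BODY" <<'EOF'
0|/home/martha/notes.txt|12345|r/rrw-r--r--|1000|1000|2048|1166000000|1165000000|1165000000|1164999000
0|/etc/passwd|5|r/rrw-r--r--|0|0|1200|1160000000|1150000000|1150000000|1150000000
0|/home/martha/draft.doc (deleted)|12400|r/rrw-------|1000|1000|4096|1169600000|1169000000|1169000000|1168000000
0|/var/log/messages|300|r/rrw-r-----|0|0|65536|1170000000|1170000000|1170000000|1160000000
EOF

# Emit one "epoch|flags|name" line per distinct timestamp of each entry
# that falls inside [start, end]. Flags are m/a/c/b (modified, accessed,
# changed, born) as in mactime's MACB column; equal timestamps collapse
# into one line, which is why a freshly created file shows "mcb".
filter_window() {
    awk -F '|' -v start="$1" -v end="$2" '
        {
            name = $2; atime = $8; mtime = $9; ctime = $10; crtime = $11
            split("", flags)                      # portable "clear array"
            if (mtime  >= start && mtime  <= end) flags[mtime]  = flags[mtime]  "m"
            if (atime  >= start && atime  <= end) flags[atime]  = flags[atime]  "a"
            if (ctime  >= start && ctime  <= end) flags[ctime]  = flags[ctime]  "c"
            if (crtime >= start && crtime <= end) flags[crtime] = flags[crtime] "b"
            for (t in flags) printf "%d|%s|%s\n", t, flags[t], name
        }' "$BODY" | sort -t '|' -k1,1n -k3,3
}

# Number of timeline events inside the window.
window_count() { filter_window "$1" "$2" | wc -l | tr -d ' '; }

# Earliest event inside the window.
first_event()  { filter_window "$1" "$2" | head -n 1; }

filter_window "$WIN_START" "$WIN_END"
```

Note what the window does and does not do: /home/martha/draft.doc (deleted) appears because its mtime, ctime and crtime fall in range even though its atime lies after Jan 23, 2007, so a file can be partly inside the window; and /etc/passwd, whose activity is all from before December 2006, is absent entirely. A suspiciously tidy "mcb" line for a system file is the kind of event the lab's timeline step is meant to surface, since it means the file was created, written and had its metadata changed in the same second.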
Activity 3:
The purpose of this project is to become more familiar with Sleuth Kit and Autopsy. The best way to learn a tool, especially one that isn’t well documented, is to explore its functions. You’re encouraged to work in teams for this project and share your findings with other students. For this project, you convert the image file GCFI-datacarve-FAT.eve from Chapter 4 to a raw dd image by using ProDiscover Basic, and then analyze it with Sleuth Kit and Autopsy.
You need the following:
• A PC running Windows with ProDiscover Basic installed
• A Linux or UNIX system with Sleuth Kit and Autopsy installed
• Disk storage of at least 200 MB to convert the .eve file to a dd file
• Instructions on using the computer forensics tools in this chapter and Chapters 2 and 4
Follow these steps:
1. Start ProDiscover Basic with the Run as administrator option. To convert the GCFI-datacarve-FAT.eve file to GCFI-datacarve-FAT.dd on a PC, click Tools, Image Conversion Tools from the menu and then click Convert ProDiscover Image to ‘DD’. In the Convert ProDiscover Image to ‘DD’ Image dialog box, click the Browse button, navigate to and click the location in your work folder where you saved GCFI-datacarve-FAT.eve, and then click OK. Exit ProDiscover Basic.
2. Copy the converted file to a Linux or UNIX system with Sleuth Kit and Autopsy installed. Start Sleuth Kit and Autopsy, as you did earlier in this chapter. In the main window, click New Case. In the Create A New Case dialog box, fill in your information (using GCFI-datacarve-FAT for the case name), and then click New Case.
3. In the Creating Case dialog box, click Add Host, and in the Add A New Host dialog box, enter your information, and click Add Host.
4. In the Adding Host dialog box, click Add Image to continue. In the Open Image dialog box, click Add Image File. In the Add A New Image dialog box, type the full pathname and the GCFI-datacarve-FAT.dd image filename in the Location text box, click the Partition option button, click the Copy option button for the import method, and then click Next.
5. In the Image File and File System Detail dialog box, click Add, and in the Test Partition dialog box, click OK. In the Select a volume to analyze or add a new image file dialog box, click the Analyze button.
6. In the Analysis dialog box, click File Analysis, and then click Generate MD5 List of Files. In the MD5 results window, save the list as GCFI-datacarve-FAT-MD5.txt in your work folder, and close the MD5 results window.
7. Next, in the Analysis dialog box, click File Type, click Sort Files by Type, and then click OK. When the analysis is finished, print the Results Summary frame of the Web page. Click Image Details, and in the General File System Details dialog box, print the frame containing the results.
9. Write a report describing the information each function asks for and what information it produces so that you can begin building your own user manual for this tool.