06 January 2015

Disable a Smart Phone's Geotagging Feature

Here are the steps to disable geotagging for the four major mobile operating systems. Note that manufacturer websites are largely silent on this issue; these tips are pulled from user experience, community blogs and how-to websites.

Android 4.2 phones
  1. Start camera application
  2. Hit the Settings button
  3. Scroll down and find the GPS Tag option and turn it off
In older versions, the option may be called “Store Location,” but it is essentially the same process.

BlackBerry 6.0 and 7.0
RIM's online documentation suggests that geotagging be disabled on BlackBerry Enterprise Server, which works from an admin's point of view if an agency uses BES. If not, to turn the setting off on an individual BlackBerry phone:
  1. Open Camera
  2. Set the Location icon to “Disabled”
For some earlier versions, hit the Menu and Option buttons before changing the setting.

iPhone 4 and 5
  1. Go to Settings
  2. Select General
  3. Select Location Services
  4. Set Camera to “Off”
On older versions, users can't turn off geotagging for the camera without disabling location services for all applications, but a location warning can be set to appear whenever an application is using them.

Windows Phone 7 and 8
  1. Go to Settings
  2. Navigate to Applications
  3. Scroll down to Pictures & Camera
  4. Set “include location (GPS) info in Pictures you take” to “Off”
This article was copied from http://gcn.com/Articles/2012/12/10/How-to-disable-smart-phone-geotagging-feature.aspx?Page=1

24 December 2014

Find the Location Where a Picture Was Taken

Many people nowadays are more sensitive to new technology, especially when it relates to pictures. Instagram, Pinterest and many other services let you upload your photos for free and share them with others. Many camera brands now bundle the latest technology, such as GPS, into their cameras so that users can be more sociable and share a moment as soon as they capture it.

Before you can find the location of a photo, the photo has to be geotagged, which basically means that its longitude and latitude have been stored in the photo's metadata. This metadata is the invisible part of the photo called EXIF data. Depending on the camera, EXIF data stores the state of the camera when the photo was taken, including date and time, shutter speed, focal length, flash, lens type, location data, etc.

Of course, the only way you will see where a picture was taken is if the camera is GPS enabled. If you have a camera that doesn’t have any type of GPS option, then there won’t be any location data in the EXIF data. This is true of most SLR cameras. However, if the photo was taken with a smartphone and location services are enabled, then the GPS coordinates of the phone will be captured when you snap a picture.

To find the location where the above picture was taken, just follow the steps below:

1. Run exiftool on the file and filter the output for the GPS tags, e.g.:
exiftool file_name | grep GPS

The GPS position shown is -7° 45′ 57.49″, +110° 22′ 18.33″.

2. Go to Google Maps and look up the GPS position displayed by ExifTool. The result shows that the picture was taken at the Master of Information Technology of UGM.
To find the location online instead, go to http://regex.info/exif.cgi and upload the picture or paste a link to it. The result appears as follows:
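As an added example that is not part of the original post, the following Python script converts a GPS position in either of the two notations a practitioner meets, the signed form quoted above or ExifTool's default `deg`/hemisphere form, into the decimal degrees Google Maps expects and builds the maps link. The two sample strings are constructed from the coordinates quoted above; the Google Maps `?q=lat,lon` search link is the standard one.

```python
"""Convert an EXIF GPS position into the decimal degrees Google Maps expects.

Added example, not from the original post. The sample strings below are
constructed from the coordinates quoted in the post, in the two notations
a practitioner meets: the signed symbol form printed by the regex.info
viewer (-7° 45′ 57.49″) and ExifTool's default text form (7 deg 45' 57.49" S).
"""
import re
from typing import Tuple

# One coordinate: optional sign, degrees, optional minutes and seconds,
# optional hemisphere letter; accepts both ° ′ ″ and deg ' " notations.
_DMS_RE = re.compile(
    r"""
    (?P<sign>[-+])?\s*
    (?P<deg>\d+(?:\.\d+)?)\s*(?:°|deg)\s*
    (?:(?P<min>\d+(?:\.\d+)?)\s*['′]\s*)?
    (?:(?P<sec>\d+(?:\.\d+)?)\s*["″]\s*)?
    (?P<hemi>[NSEW])?
    """,
    re.VERBOSE,
)


def dms_to_decimal(text: str) -> float:
    """Parse one degrees/minutes/seconds value into signed decimal degrees.

    A leading '-' or an S/W hemisphere gives a negative value, which is the
    convention Google Maps uses for southern latitudes and western longitudes.
    """
    m = _DMS_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a DMS coordinate: {text!r}")
    minutes = float(m.group("min") or 0)
    seconds = float(m.group("sec") or 0)
    if not (minutes < 60 and seconds < 60):
        raise ValueError(f"minutes/seconds out of range: {text!r}")
    value = float(m.group("deg")) + minutes / 60 + seconds / 3600
    southern_or_western = m.group("sign") == "-" or m.group("hemi") in ("S", "W")
    return -value if southern_or_western else value


def parse_gps_position(line: str) -> Tuple[float, float]:
    """Split a 'lat, lon' GPS Position line into decimal (latitude, longitude).

    Accepts the raw ExifTool output line, with or without the 'GPS Position :'
    prefix, and range-checks the result.
    """
    coords = line.split(":", 1)[1] if ":" in line else line
    parts = coords.split(",")
    if len(parts) != 2:
        raise ValueError(f"expected 'lat, lon', got {line!r}")
    lat, lon = (dms_to_decimal(p) for p in parts)
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        raise ValueError(f"coordinate out of range: {lat}, {lon}")
    return lat, lon


def google_maps_url(lat: float, lon: float) -> str:
    """Standard Google Maps search link for a decimal coordinate pair."""
    return f"https://www.google.com/maps?q={lat:.6f},{lon:.6f}"


# Constructed samples carrying the coordinates quoted in the post.
REGEX_INFO_STYLE = "-7° 45′ 57.49″, +110° 22′ 18.33″"
EXIFTOOL_STYLE = 'GPS Position : 7 deg 45\' 57.49" S, 110 deg 22\' 18.33" E'

if __name__ == "__main__":
    for sample in (REGEX_INFO_STYLE, EXIFTOOL_STYLE):
        lat, lon = parse_gps_position(sample)
        print(f"{sample}\n  -> {lat:.6f}, {lon:.6f}  {google_maps_url(lat, lon)}")
```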

Useful links
GPS-Info: http://www.CDFinder.de/en/en/en/gpsinfo.html 
HoudahGeo: http://www.houdah.com/houdahGeo/
Locr Community: http://www.locr.com
Crosshairs for Google Earth:
myTracks: http://mytracks.sourceforge.net
GiSTEQ PhotoTrackr:
Bt747 How-To:
Solmeta DP-GPS N2:
Dawntech di-GPS Pro:
Geotag Icon Project:
Google Earth:

10 December 2014

Collective Intelligence Framework

CIF is a cyber threat intelligence management system. CIF allows you to combine known malicious threat information from many sources and use that information for identification (incident response), detection (IDS) and mitigation (null route). The most common types of threat intelligence warehoused in CIF are IP addresses, domains and URLs observed to be related to malicious activity.
Here is a list of interesting new feed sources for CIF:

Abusechweb http://dnsbl.abuse.ch/webabusetracker.php
Arbor http://atlas-public.ec2.arbor.net/public/ssh_attackers
Autoshun http://www.autoshun.org/files/shunlist.csv
Badguys http://www.t-arend.de/linux/badguys.txt
Blacklisted http://www.infiltrated.net/blacklisted
Brawg http://www.brawg.com/hosts.deny
Danger http://danger.rulez.sk/projects/bruteforceblocker/blist.php
Denyhost http://stats.denyhosts.net/stats.html
Dshield http://www.dshield.org/ipsascii.html?limit=5000
Dynastop http://dynastop.tanaya.net/DynaStop.BleedingThreats.conf
Emergingthreats http://www.emergingthreats.net/rules/bleeding-compromised.rules
Evilssh http://vmx.yourcmc.ru/BAD_HOSTS.IP4
Geopsy http://www.geopsy.org/blacklist.html
Haleys http://charles.the-haleys.org/ssh_dico_attack_hdeny_format.php/hostsdeny.txt
Kidsclinic http://www.kids-clinic.jp/uni/ipaddress/new_log
Kolatzek http://robert.kolatzek.org/possible_botnet_ips.txt
Malekal http://www3.malekal.com/exploit.txt
Maldom http://mirror1.malwaredomains.com/files/domains.txt
Mdl http://www.malwaredomainlist.com/mdl.php?colsearch=All&quantity=All&search=
Prometheus http://downloads.prometheus-group.com/delayed/rules/modsec/domain-blacklist.txt
Skygeo http://sky.geocities.jp/ro_hp_add/ro_hp_add_hosts.txt
Sshbl http://www.sshbl.org/list.txt
Stopforumspam http://www.stopforumspam.com/downloads/bannedips.csv
Surriel rsync://psbl-mirror.surriel.com/psbl/psbl.txt


17 September 2014

Repost: Three new videos showcasing Volatility 2.4 features

The Volatility team have published three videos showing off new
features in the recently released Volatility 2.4 version. These videos
were originally shown at Black Hat Arsenal this past summer.

The first video shows how to locate and extract rootkit components from
process and kernel memory and then gather context for IDA:


The second shows how to uncover a number of artifacts of OS X user activity:


The last shows how to defeat TrueCrypt no matter how the user
configures the volumes or settings:


13 September 2014

Firefox Forensics

The most prevalent software applications in use today are probably Web browsers. They are used for viewing, retrieving, traversing, and presenting information resources obtained from the Web. Although browsers are complex software applications, they have common functionality regarding their main components. A simplified overview of their high level structure is as follows:
  • User Interface - the entire browser display except for its main window.
  • Browser Engine - takes the marked up content (XML, HTML, etc.) and formatting information (CSS, XSL, etc.) and displays it on the monitor’s screen.
  • Rendering Engine - responsible for displaying the requested content.
  • Networking - used for network calls (HTTP, etc.).
  • UI Backend - used for drawing widgets such as windows and combo boxes.
  • JavaScript Interpreter - software which interprets/executes JavaScript.
  • Data Storage - a persistence layer consisting of the data that the browser stores on the computer hard drive.
When a URL is entered into the address bar, the browser communicates with a name server to resolve it into an IP address. This allows the browser to connect to the appropriate Web server using HTTP. Once connected, HTTP commands then direct the Web server to retrieve and transmit data back to the browser. The browser reads the HTML and displays the information resources (HTML document, a .pdf file, an image, a video, etc.) which were identified by a Uniform Resource Identifier (URI). The browser then saves the Web documents in its cache using Web caching technology. Caching of Web objects reduces the bandwidth usage and server load and allows the browser to retrieve the same Web page much faster when it is visited at a later time. It also allows recently viewed Web pages to be viewed offline and copied, although some of the features such as Flash animations and “real time” objects found on the Web page may not function.

The Web browser is an essential application for accessing the Internet. If a suspect uses the Internet as a source of information, evidence related to the crime will be saved in the Web browser's log files, so the forensic examiner needs to investigate them. The impediment to Web browser forensics in the future is that many of the artifacts of forensic interest will probably continue to change with each release, which presents difficult technical challenges.
Although versions change, several constants remain that help investigators: the majority of the forensic information for the different browser versions normally resides in two directories located under the individual user accounts.
In Firefox, the information resides in the following directories:
Windows XP:
C:\Documents and Settings\[User]\Application Data\Mozilla\Firefox\Profiles\xxxxxxxx.default\
C:\Documents and Settings\[User]\Local Settings\Application Data\Mozilla\Firefox\Profiles\xxxxxxxx.default\Cache\

Windows Vista, Windows 7, and Windows 8:


Mac OS X:
~/Library/Application Support/Firefox/Profiles/xxxxxxxx.default/
~/Library/Application Support/Mozilla/Extensions

Cache Location:

The Firefox cache contains both information about the various cache entries (metadata) and the cached items themselves (data), which can be of immense forensic importance.
Windows Vista, 7 and 8:
• C:\Users\[User]\AppData\Local\Mozilla\Firefox\Profiles\xxxxxxxx.default\jumplistCache
• C:\Users\[User]\AppData\Local\Mozilla\Firefox\Profiles\xxxxxxxx.default\OfflineCache
• C:\Users\[User]\AppData\Local\Mozilla\Firefox\Profiles\xxxxxxxx.default\startupCache

Windows XP:
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Mozilla\Firefox\Profiles\%PROFILE%.default\Cache\


There are four primary internal files inside the cache directory:
  • _CACHE_001_ : stores small metadata and data entries in 512-byte blocks.
  • _CACHE_002_ : stores medium-sized metadata and data items in 1024-byte blocks.
  • _CACHE_003_ : stores large metadata and data items in 4096-byte blocks.
  • _CACHE_MAP_ : contains the index to both the metadata and the data and links them together.  

Additionally, there may be any number of external directories/files which are used to store very large metadata items or data.

Viewing the Cache:
With the Firefox browser running, entering “about:cache” into the address field and pressing the Enter key on the keyboard will load the “Information about the Cache Service” screen. Information concerning the memory cache device, disk cache device, and offline cache device will be displayed and appear as follows:


Both “List Cache Entries” are hyperlinks. Clicking on either one will cause the cached files or objects to be displayed along with their original link location URLs. For instance, clicking on the link under “memory cache device” will display information regarding the key, data size, fetch count, last modified, and expires that is stored in memory. The information is searchable. Clicking on any of the entries will display the “Cache entry information” screen for that entry and provide a wealth of potential forensic information such as:
  • Key - the URL.
  • Fetch count – number of times accessed.
  • Last fetched – yyyy-mm-dd-hh:mm:ss.
  • Last modified – yyyy-mm-dd-hh:mm:ss.
  • Expires – yyyy-mm-dd-hh:mm:ss.
  • Data size – size of the file.
  • File on disk – none.
  • Security - document does not have any security information associated with it.
  • Client – HTTP.
  • Request method – GET (may or may not be present)
  • Response head – HTTP, server information, etc. (may or may not be present).
  • Charset - (may or may not be present).
  • Charset source - (may or may not be present).
Likewise, clicking on the link under “Disk cache device” and clicking on any of its entries will provide similar information. Clicking on one of the key entries should open the URL or provide other pertinent information. Note that the “File on disk” may point to the directory where it is stored on the hard drive!
The free Firefox add-on, CacheViewer, provides a GUI front end instead of having to use “about:cache.” In addition to providing a searching capability for both memory and disk cache files, it includes a sorting functionality to sort the key, size, MIME type, device, and last fetched columns. An additional feature is a preview pane for images and the ability to copy them for later examination. For instance, searching for “.jpg” will provide a list of all the URLs that contain a .jpg and clicking on one of the “key” URLs will display that .jpg image in the preview pane. Right clicking on the key URL will also provide “Open in Browser” and “Save as” functionalities for that .jpg. Alternately, the free standalone utility MozillaCacheView can be used to read the cache folder on a live system or pointed to the location of an external cache. It provides forensic information such as the URL, Content Type, Fetch Count, Last Fetched, Cache Name, Server Name, Server Time, and so forth. The information can be exported to a CSV/Tab-Delimited File or viewed as an HTML Report.
The majority of potential forensic information is stored in SQLite relational database (RDBMS) files. Firefox typically includes a lot of SQLite databases, each of which performs a different function such as storing bookmarks, cookies, places visited, searches, and so forth. The database files are as follows:

1. addons.sqlite
There are six tables in the file: addon, sqlite_sequence, developer, screenshot, compatibility_override and icon. The addon table contains information such as the name of each add-on, version, creator, creatorURL, descriptions, fullDescriptions, developer comments, eula, homepageURL, supportURL, contributionURL, contributionAmount, averageRating, reviewCount, reviewURL, totalDownloads, weeklyDownloads, dailyUsers, sourceURL, repositoryStatus, size and updateDate.

2. content-prefs.sqlite
There are three tables in the file, “groups,” “prefs,” and “settings.” A User can set site-specific preferences for browsers and content settings (page style, text zoom, etc.). Those preferences can remain persistent across browsing sessions and page visits. Along with browser history, this is an indicator of intentionally visited sites and not accidental or casual visits. The sites visited are maintained in the “groups” table.

3. cookies.sqlite
When a user tries to remove cookies, they may not all be deleted: alternative cookie storage locations, cookie persistence and the deletion process can all affect whether a cookie is actually removed. moz_cookies is the only table in cookies.sqlite; useful data can be found in its “baseDomain,” “host,” “lastAccessed,” and “creationTime” columns.
4. downloads.sqlite
Firefox stores a list of all files downloaded in the “moz_downloads” table which is used to populate the popup download queue. They remain in the table as long as the User does not clear the queue. Valuable forensic information can be found in the table. The names of all the files downloaded, their source, downloaded destination, and the start and end times of the download are all recorded. If the data in the “currBytes” and “maxBytes” columns is the same, that is indicative that the download completed successfully.

5. extensions.sqlite

The file stores data about installed extensions.
6. formhistory.sqlite
The file maintains the historical data for every form that a user ever filled out while online.
7. permissions.sqlite
Permissions.sqlite contains a history of the permissions that are assigned to various sites. The data is stored in the file’s only table, “moz_hosts” and the sites are listed in the “host” column.
8. places.sqlite
places.sqlite contains a list of all Web sites visited, bookmarks, and attributes for those sites. Forensically, it is probably the most important file for investigators to examine. A User’s entire Web history, including all bookmarks, their properties, and favorite icons, is maintained in the file. This information can be linked to the cookies.sqlite, formhistory.sqlite, and permissions.sqlite files to provide an overall view of a User’s Internet activity. The file contains thirteen tables:
  • moz_anno_attributes
  • moz_annos
  • moz_bookmarks
  • moz_bookmarks_roots
  • moz_favicons
  • moz_historyvisits
  • moz_hosts
  • moz_inputhistory
  • moz_items_annos
  • moz_keywords
  • moz_places
  • sqlite_sequence
  • sqlite_stat1
All bookmarks are stored in the “moz_bookmarks” table. The “title” column contains the name of the bookmark and the “dateAdded” column contains the timestamp information. Bookmarks can be linked to the URLs in the “moz_places” table since the “fk” column in “moz_bookmarks” contains the same values as those in the “id” column in the “moz_places” table.
Each time a User visits a Web page, an entry is recorded in the “moz_historyvisits” table. The date of the visit is recorded in the “history_date” column and how the User arrived at the site is recorded in the “visit_type” column. Values in this column can be very important forensically:
  • “1” – the User followed a link.
  • “2” – the User typed the URL or allowed the autocomplete feature to complete it.
  • “3” – the User clicked on an existing bookmark.
  • “4” – an embedded URL.
  • “5” – a permanent redirect.
  • “6” – a temporary redirect.
URLs are maintained in the “moz_places” table under the “url” column. The “visit_count” column records the number of times each site was visited and the timestamp information for a site is recorded in the “last_visit_date” column. If the User typed the URL in the address bar, a value of “1” is noted in the “typed” column.
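As an added example (not from the original article or from Mozilla), the following Python script runs the joins described above against a constructed miniature places.sqlite built in memory: bookmarks linked to URLs via moz_bookmarks.fk = moz_places.id, visits with their visit_type decoded and their PRTime timestamps (microseconds since the Unix epoch) converted to UTC, and the typed URLs. The table and column names mirror the real schema; note that the visit timestamp column in moz_historyvisits is actually named visit_date.

```python
"""Query a Firefox places.sqlite for history, bookmarks and typed URLs.

Added example, not from the original article or from Mozilla. It builds a
small in-memory database whose tables carry the real places.sqlite column
names used here (the visit timestamp column in moz_historyvisits is
visit_date) and fills them with constructed sample rows. Pointing
sqlite3.connect() at a copy of a real places.sqlite runs the same queries.
"""
import sqlite3
from datetime import datetime, timezone

# visit_type values as listed in the article.
VISIT_TYPES = {1: "followed a link", 2: "typed / autocompleted URL",
               3: "clicked a bookmark", 4: "embedded URL",
               5: "permanent redirect", 6: "temporary redirect"}

DAY_US = 24 * 3600 * 1_000_000  # one day in PRTime microseconds


def prtime_to_iso(prtime: int) -> str:
    """Firefox stores PRTime: microseconds since the Unix epoch, in UTC."""
    ts = datetime.fromtimestamp(prtime / 1_000_000, tz=timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_sample_db() -> sqlite3.Connection:
    """Constructed, minimal places.sqlite look-alike with three visits."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER, typed INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
            place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
        CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER,
            parent INTEGER, title TEXT, dateAdded INTEGER);
    """)
    # 2014-09-13 10:15:30 UTC expressed as PRTime
    t0 = int(datetime(2014, 9, 13, 10, 15, 30, tzinfo=timezone.utc).timestamp()) * 1_000_000
    conn.executemany("INSERT INTO moz_places VALUES (?, ?, ?, ?, ?, ?)", [
        (1, "https://www.example.com/", "Example Domain", 1, 1, t0),
        (2, "https://www.example.com/login", "Login", 1, 0, t0 + 90_000_000),
        (3, "https://bookmarked.example.org/", "Bookmarked", 1, 0, t0 + DAY_US),
    ])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?, ?, ?)", [
        (1, 0, 1, t0, 2),               # URL typed into the address bar
        (2, 1, 2, t0 + 90_000_000, 1),  # link followed from visit 1
        (3, 0, 3, t0 + DAY_US, 3),      # opened from a bookmark
    ])
    # type 1 = bookmark; fk points at moz_places.id
    conn.execute("INSERT INTO moz_bookmarks VALUES (?, ?, ?, ?, ?, ?)",
                 (10, 1, 3, 3, "Bookmarked site", t0 - DAY_US))
    conn.commit()
    return conn


def history_timeline(conn: sqlite3.Connection) -> list:
    """Visits joined to their URL and referring visit, with visit_type decoded."""
    sql = """
        SELECT v.visit_date, p.url, v.visit_type, ref.url
        FROM moz_historyvisits AS v
        JOIN moz_places AS p ON p.id = v.place_id
        LEFT JOIN moz_historyvisits AS fv ON fv.id = v.from_visit
        LEFT JOIN moz_places AS ref ON ref.id = fv.place_id
        ORDER BY v.visit_date"""
    return [{"visited_at": prtime_to_iso(when), "url": url,
             "visit_type": VISIT_TYPES.get(kind, f"unknown ({kind})"),
             "from_url": from_url}
            for when, url, kind, from_url in conn.execute(sql)]


def bookmarks_with_urls(conn: sqlite3.Connection) -> list:
    """Bookmarks linked to their URL via moz_bookmarks.fk = moz_places.id."""
    sql = """
        SELECT b.title, p.url, b.dateAdded
        FROM moz_bookmarks AS b JOIN moz_places AS p ON p.id = b.fk
        WHERE b.type = 1 ORDER BY b.dateAdded"""
    return [(title, url, prtime_to_iso(added))
            for title, url, added in conn.execute(sql)]


def typed_urls(conn: sqlite3.Connection) -> list:
    """URLs the user typed into the address bar (moz_places.typed = 1)."""
    return [url for (url,) in conn.execute(
        "SELECT url FROM moz_places WHERE typed = 1 ORDER BY last_visit_date")]


if __name__ == "__main__":
    db = build_sample_db()
    for row in history_timeline(db):
        print(row)
    print(bookmarks_with_urls(db))
    print(typed_urls(db))
```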

9. signons.sqlite
The file contains three tables: moz_deleted_logins, moz_disabledHosts, and moz_logins. The moz_logins table is the repository for all the sites for which a User has entered and saved a username and password. The information is usually persistent, since many Users do not want to continually reenter their username and password each time they revisit the same site. The URLs are recorded in the hostname column. Although usernames and passwords are encrypted and maintained in the encryptedUsername and encryptedPassword columns respectively, they may be viewable in plain text in Firefox if no Master Password has been set. The table can be imported into an existing Firefox User’s profile on a forensic machine and the usernames and passwords possibly viewed by selecting Edit → Security → Saved Passwords. When the Saved Passwords dialog box appears, select Show Passwords and then Yes to confirm; the usernames and passwords should then be displayed as follows:
Time stamp information regarding when the username and password were created, last used, and last changed is stored in the “timeCreated,” “timeLastUsed,” and “timePasswordChanged” columns respectively. The number of times each site was visited is maintained in the “timesUsed” column.
10. webappsstore.sqlite
The file only contains one table, “webappsstore2.” Firefox uses the table for storing its Web storage objects (software methodology/protocols used for storing data in a Web browser). Web storage types consist of local and session storage (somewhat analogous to persistent and session cookies respectively). Data is usually persistent, and removing history, cookies, or form information may or may not remove the data.
11. healthreport.sqlite

Some Caveats 

Much of this discussion and any potential forensic information contained in the Firefox database files are predicated upon the fact that the User did not change certain defaults in Firefox. For instance, Firefox automatically records browsing history. However, a User can browse the Internet and prevent Firefox from storing certain information by selecting the “Start Private Browsing” option from the main drop down menu. For that session, no additional data will be recorded in the history menu, no new passwords will be saved, no downloaded files will be listed in the downloads window, no data from forms filled out on-line will be saved, no cookies will be stored, any files opened in external applications will be cleared from the temporary folder, and no cached files will be saved. Any new bookmarks created, however, will remain. Most of this information would normally be stored in the various database files previously discussed. (Note: selecting this feature does not make a User anonymous. The sites visited and/or the IP provider can still track User activity). Selecting the “Stop Private Browsing” option from the main drop down menu will cause Firefox to begin recording any further browsing activity during that session.
Alternately, a User can permanently prevent Firefox from recording browsing history by selecting “Options” from Firefox’s main drop down menu and selecting the “Privacy” tab. The default is to “Remember history” and options are provided to manually “clear your recent history” and “remove individual cookies.” If the User selects the second option, “Never remember history,” Firefox will no longer record site visits and provides the User with the option to “clear all current history.” Additionally, a User can select a third option, “Use custom settings for history,” and then check “Always use private browsing mode” to prevent Firefox from tracking browsing history.
If the User manually chooses to clear all browsing history, then potentially valuable forensic information may be lost from many of the previously discussed database files. Fortunately for investigators, for convenience the overwhelming majority of Users do not select the “Start Private Browsing” or the “Never remember history” options. Nor do they clear their history or cookies. If they did, they would have to continually reenter their usernames and passwords, refill on-line forms, and so forth each time they revisited the same site(s).


12 September 2014

Dementia: Defeating Windows memory forensics

Mostly, when forensic analysts or investigators seize electronic evidence at a crime scene, they have to examine the live systems and perform forensic triage, which helps them find evidence of computer-related crime. One of the forensic triage processes is RAM imaging. Random Access Memory stores a lot of information about all the processes and applications running on the system.

Besides RAM imaging, forensic analysts and investigators can also obtain a lot of data from the live system: the contents of encrypted files, browser history, open files, recent files, search contents, network connections, RAM mapping, USB history, passwords, etc.

As computer-related crimes and security measures grow more sophisticated, software has appeared that prevents investigators and forensic analysts from obtaining data about computer-related crimes. One such tool, which prevents RAM imaging from revealing data, is dementia-forensics.

Dementia is a proof-of-concept memory anti-forensic toolkit designed for hiding various artifacts inside the memory dump during memory acquisition on the Microsoft Windows operating system.

It works by exploiting memory acquisition tools and hiding operating system artifacts (e.g. processes, threads, etc.) from analysis applications such as Volatility, Memoryze and others. Because of flaws in some of the memory acquisition tools, Dementia can also hide operating system objects from the analysis tools entirely from user mode.

    64-bit - note: 64-bit support has not been tested as widely as 32-bit, so bugs should be expected

Operating systems:
Dementia has been tested and known to work on the following operating systems:

    Microsoft Windows XP (without SP)
    Microsoft Windows Vista (without SP)
    Microsoft Windows 7 (without SP)

Memory acquisition applications

Dementia is able to hide artifacts inside the memory image produced by the following memory acquisition applications:

    Mandiant Memoryze
    Mantech MDD
    Moonsols Windows Memory Toolkit
    FTK Imager

Dump formats

    Raw dump format
    Crash dump format (as created by Moonsols Win32dd) 

Hiding methods and supported artifacts

  • User-mode hiding method (supports Mandiant Memoryze only)
    • Process hiding
      • Pro allocation deletion
      • _EPROCESS unlinking from the list of active processes
    • Thread hiding
      • Thr allocation deletion
      • _ETHREAD unlinking from the list of active threads
    • Connection hiding
      • _TCP_LISTENER allocation deletion
      • _TCP_ENDPOINT allocation deletion
      • _UDP_ENDPOINT allocation deletion
  • Kernel-mode hiding based on hooks
  • Kernel-mode hiding based on file system mini-filter driver
    • Process hiding
      • Pro allocation deletion
      • _EPROCESS unlinking from the list of active processes
      • _EPROCESS unlinking from the appropriate session list
    • Thread hiding
      • Thr allocation deletion
    • Memory allocations hiding
      • Vad/VadS/VadM allocation deletion
      • Deletion of the entire memory region if it is private for the target process or if it represents process EXE image
      • Deletion of the entire memory region if it is a shared section which is opened exclusively by the target process
        • Deletion of mapped files, if used (Fil allocation deletion)
    • Handle hiding
      • Obtb allocation deletion (process handle table)
      • _HANDLE_TABLE unlinking from the list of handle tables
      • Deletion of handles/objects opened exclusively by the target object
        • _HANDLE_TABLE_ENTRY deletion
        • Object allocation deletion
      • Decrementing handle counters for objects not opened exclusively by the target process
        • _HANDLE_TABLE_ENTRY deletion
      • Removing thread handle from the PspCidTable
      • Removing process handle from the PspCidTable
      • Removing process handle from the csrss.exe handle table
    • File objects hiding
      • Fil allocation deletion
    • Driver hiding
      • MmLd allocation deletion (_LDR_DATA_TABLE_ENTRY)
      • LDR_DATA_TABLE_ENTRY unlinking from the loaded modules list
      • Deletion of driver image in memory
For further details about Dementia, check the 29c3 presentation PDF or the video below.



06 September 2014

AUTOPSY Forensic Browser

Autopsy is an essential tool for Linux forensic investigations and can also be used to analyze Windows images.

1. Make sure autopsy and sleuthkit are installed. If not, install them now:
apt-get install autopsy sleuthkit

2. Start Autopsy.

3. Open a browser and enter http://localhost:9999/autopsy.
To start a new case, click New Case. This will add a new case folder to the system and allow us to begin adding evidence.

4. Enter the Case Name, Description and Investigator Names.

After the case file is created, we will see the message displayed in step 5.

5. Note where the evidence directory is located.
It displays where the evidence is located on the system; the case name here is korupsaun.

6. Add a host to the Case.

Click "Add Host" and we will be presented with a screen (above) that allows us to add the host and a description. As it states, the Timezone and skew can be configured. We can also add and use a list of known good or known bad hashes. This can be as complex as the NSRL lists or as simple as a hashed list of our own organization's "known good" files. Lists of known rootkits and other malware can be added as a known bad list.
Where a time skew is known, we can also add this in advance.

7. Note the location of the host.
Next, add the disk image by pressing the Add Image button.

8. Add an Image to Analyze

The "Add Image" screen allows us to import the image that we are going to analyze in Autopsy.

9. Select the location of the Image to Analyze
This will allow us to import an image into our evidence locker. Rather than working on the original image, we can select the move option to copy the image to the analysis host and have a separate copy of the image for use in Autopsy.

10. Image file Details

11. The Case Gallery

12. File analysis

13. Keyword Search

14. Deleted File Recovery Mode

15. Unallocated (JPG file)

16. Unallocated (PDF file)

17. Image Details:
We can use foremost to recover deleted files: # foremost -v -i /root/Forensics/usb1.dd

The Evidence Analysis Techniques in Autopsy
The primary modes and functions of the Autopsy Forensic Browser are to act as a graphical front end to the Sleuth Kit and other related tools in order to provide the capabilities of analysis, search and case management in a simple but comprehensive package. This collection of tools creates a simple, yet powerful forensic analysis platform.

Analysis Modes in Autopsy

A dead analysis occurs when a dedicated analysis system is used to examine the data from a suspect system. When this occurs, Autopsy and The Sleuth Kit are run in a trusted environment, typically in a lab. Autopsy and TSK provide support for raw, Expert Witness, and AFF file formats.

A live analysis occurs when the suspect system is being analyzed while it is running. In this case, Autopsy and The Sleuth Kit are run from a CD in an untrusted environment. This is frequently used during incident response while the incident is being confirmed. Following confirmation, the system is acquired and a dead analysis performed.

Evidence Search Techniques
The Autopsy Browser provides the following evidence search functionality:

  • File Listing: Analyze the files and directories, including the names of deleted files and files with Unicode-based names.
  • File Content: The contents of files can be viewed in raw, hex, or the ASCII strings can be extracted. When data is interpreted, Autopsy sanitizes it to prevent damage to the local analysis system. Autopsy does not use any client-side scripting languages.
  • Hash Databases: Look up unknown files in a hash database to quickly identify them as good or bad. Autopsy uses the NIST National Software Reference Library (NSRL) and user-created databases of known good and known bad files.
  • File Type Sorting: Sort the files based on their internal signatures to identify files of a known type. Autopsy can also extract only graphic images (including thumbnails). The extension of the file will also be compared to the file type to identify files that may have had their extension changed to hide them.
  • Timeline of File Activity: A timeline of file activity can help identify areas of a file system that may contain evidence. Autopsy can create timelines that contain entries for the Modified, Access, and Change (MAC) times of both allocated and unallocated files.
  • Keyword Search: Keyword searches of the file system image can be performed using ASCII strings and grep regular expressions. Searches can be performed on either the full file system image or just the unallocated space. An index file can be created for faster searches. Strings that are frequently searched for can be easily configured into Autopsy for automated searching.
  • Meta Data Analysis: Meta Data structures contain the details about files and directories. Autopsy allows us to view the details of any meta data structure in the file system. This is useful for recovering deleted content. Autopsy will search the directories to identify the full path of the file that has allocated the structure.
  • Data Unit Analysis: Data Units are where the file content is stored. Autopsy allows us to view the contents of any data unit in a variety of formats including ASCII, hexdump, and strings. The file type is also given and Autopsy will search the meta data structures to identify which has allocated the data unit.
  • Image Details: File system details can be viewed, including on-disk layout and times of activity. This mode provides information that is useful during data recovery.
Case Management
Autopsy provides a number of functions that aid in case management. In particular, investigations started within Autopsy are organized by cases, which can contain one or more hosts. Each host is configured to have its own time zone setting and clock skew so that the times shown are the same as the original user would have seen. Each host can contain one or more file system images to analyze. The following functions within Autopsy are specifically designed to aid in case management:

  • Event Sequencer: Time-based events can be added from file activity or IDS and firewall logs. Autopsy sorts the events so that the sequence of events in an incident can be easily determined.
  • Notes: Notes can be saved on a per-host and per-investigator basis. These allow the investigator to make quick notes about files and structures. The original location can be easily recalled with the click of a button when the notes are later reviewed. All notes are stored in an ASCII file.
  • Image Integrity: Since one of the most crucial aspects of a forensic investigation is ensuring that data is not modified during analysis, Autopsy generates an MD5 value for all files that are imported or created by default. The integrity of any file that Autopsy uses can be validated at any time.
  • Reports: Autopsy can create ASCII reports for files and other file system structures. This enables investigators to promptly make consistent data sheets during the course of the investigation.
  • Logging: Audit logs are created on a case, host, and investigator level so that all actions can be easily retrieved. The exact Sleuth Kit commands are logged as they are executed on the system.

Source: http://digital-forensics.sans.org