Making Copies of Forensic Evidence 369

• Tracking of separate cases and multiple investigators
• Viewing allocated and deleted files and directories
• Accessing low-level file system structures
• Generating a timeline of file activity
• Sorting by file categories and checking extensions
• Searching image data by keywords
• Identifying graphic images and creating thumbnails
• Looking up hash databases, including the forensic standards NIST NSRL and Hash Keeper
• Creating investigator notes
• Generating reports

Installing Sleuth Kit

1. Download and unzip the file from the book's CD-ROM or the Web site.
2. In the directory, type:

    make

   The program automatically configures and compiles itself. It may prompt you with a few questions during the installation process.

Installing Autopsy Forensic Browser

This program is the graphical interface counterpart to Sleuth Kit. Using it with Sleuth Kit will make your life a whole lot easier and allow you to produce some nice graphical output. You can still use the Sleuth Kit command line tools separately if you want to.

1. Make sure you have Sleuth Kit installed before you start to install Autopsy.
2. Get the Autopsy file from the Web site or from the book's CD-ROM in the /autopsy directory.
3. Untar and unzip it with the usual tar -zxvf command.
4. Have the path to the Sleuth Kit program directory handy and think about where you want to put your "evidence locker"—the special directory where all your Sleuth Kit case data will reside.
5. Type the make command. This installs the program, and prompts you for your evidence locker directory and the directory that Sleuth Kit is installed in.

Using Sleuth Kit and Autopsy Forensic Browser

1. To start the server program, type ./autopsy & from the /autopsy directory. This runs the server in the background on port 9999.
2. Make a note of the URL that is displayed when it starts up. You will need this to log into the server.
Howlett_CH11.fm Page 369 Friday, June 25, 2004 12:33 AM

370 Chapter 11 • Forensic Tools

3. To connect to the server, open a browser and enter the URL you copied from the location window in Step 2. It will look something like this:

    http://localhost:9999/654378938759042387490587/autopsy

   The number between the slashes changes each time you run Sleuth Kit. Once you enter the URL, the main screen displays (see Figure 11.1).

Figure 11.1 Autopsy Forensic Browser Main Screen

Creating and Logging Into a Case

The Sleuth Kit with Autopsy Forensic Browser lets you monitor separate cases so you can track different incidents and customers. You will need to create a case for evidence files before you can work on them.

1. From the main screen, click on Create Case. The Create a New Case screen displays (see Figure 11.2).
2. Enter a case name. This will be the same directory that your evidence data is stored in. This directory is created under your main evidence locker directory specified at installation.
3. If you want, you can give the case a full name to better describe it.
4. You must create at least one investigator ID to have access to that case. You can see the power of this program here. This feature allows you to have multiple people working on the case and track each one's access and actions. Click on New Case to finalize your input.
5. Once your case is created, the Case Gallery displays. This shows all the cases you have created. You can see the details on each case, including which investigators are working on them. Select your new case, click on OK, and log into your newly created case.

You have now created a case and are logged in and ready to start working on it.

Adding a Host

Once you have logged into your case, you need to define at least one host that you are going to examine. This host represents the specific machine you are investigating.
Figure 11.2 Create a New Case Screen

1. From the Case Gallery, click on Add Host. The Add a New Host screen displays (see Figure 11.3).
2. Enter a host name.
3. If you want, enter a short description of the host.
4. Enter a time zone and clock skew. The skew is any variance between this host's clock and the time stamp on the main case file; Sleuth Kit tracks it separately so that the host's timestamps can be compared with the others. This can be very important when reviewing multiple servers with different clock times.
5. If you want, add the optional information requested.
6. Click on Add Host to add the host and go back to the Case Gallery.
7. Follow this procedure for each host you have data on.

Figure 11.3 Add a New Host Screen

Adding an Image

You now need to add any data images for the hosts you have created. Use the copy of data you created using dd, Norton Ghost, or some other data replication utility.

1. Select the host from the Host Gallery screen and click OK.
2. Click on Add Image. The Add a New Image screen displays (see Figure 11.4).
3. Enter the location and details of your image file. You have the option of copying the file into that host directory in your evidence locker or just creating a symbolic link to it. Be careful when moving your image files around too much, especially larger files, as this can cause data loss if a problem occurs during transfer.
4. Choose the file system type. This determines how Sleuth Kit looks at the data in the image.
5. Sleuth Kit automatically creates a hash file for you. You can check the validity of the hash against the data in the file at any time. This vastly increases the legitimacy of your efforts in a court of law.
6. You can add multiple images to each host. For example, you might have had to break a large drive up into several image files.

Click on Add Image to add the image and return to the Main Case Gallery.

Figure 11.4 Add a New Image Screen

Analyzing Your Data

Now you are finally ready to begin your analysis. This may seem like a lot of setup work, but you will appreciate Sleuth Kit when you have a large number of images to manipulate or when you have to be able to produce a certain piece of data quickly. Go to the Image Gallery and click on the image you want to analyze. Table 11.5 lists the types of analysis you can perform on data images.

Sleuth Kit with Autopsy Forensic Browser gives you a powerful tool for organizing and analyzing forensic data that is on par with any professional lab in the country. This section has covered some of the basic functions, but whole books could be written about this great tool. Many commands and functions are not covered here. Read the online manual and other resources on the Web site for more details. The site also offers a monthly newsletter with interesting articles and tips for those in the forensic field.

Table 11.5 Sleuth Kit Analysis Types

Analysis Type     Description

File Analysis     Shows the image as files and directories that the file system would see. Using this, you can also see files and folders that might normally be hidden by the operating system.

Keyword Search    Lets you search the entire image for certain keywords. This is useful if you are after a certain program file or even the mention of a particular thing. Lawyers often use this type of feature when searching for incriminating evidence of wrongdoing on a person's hard drive. It can help find a needle in a haystack quite quickly (see Figure 11.5).

File Type         Sorts all the files by type or searches for a specific file type. This comes in handy if you are looking for all instances of a particular type of file, such as all JPEGs or all MP3 files.

Image Details     Displays all the details on the image you are examining. This can be useful in data recovery jobs when you need to know where the data is physically laid out.

MetaData          Shows you the underlying directory and file structures in your image. This can be used to find deleted content and see other items the file system doesn't normally show you.

Data Unit         Lets you delve deeper into any file you have found and look at the actual file content, either in ASCII or hex.

Figure 11.5 Results of Keyword Search

The Forensic Toolkit: A Collection of Forensic Tools for Windows

The Forensic Toolkit
Author/primary contact: Foundstone, Inc.
Web site: www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/freetools.htm
Platforms: Windows NT, 2000, XP
Licenses: Version 1.4 GPL, Version 2.0 Freeware
Versions reviewed: 1.4 GPL, 2.0 Freeware

The Forensic Toolkit is another great free program from the folks at Foundstone. This collection of tools can help you examine Windows-based file systems and gather information for your forensic investigation. Version 1.4 of the program is fully open source licensed under the GPL. Version 2.0 is freeware and is usable for commercial purposes, but it has limitations on adding or changing the program and is not currently available in source form.

Note that these tools work only on NTFS file systems. If you want to examine any FAT32 partitions, you will have to use different tools.

Installing Forensic Toolkit

1. Download the appropriate file from the Web site (either version 1.4 or 2.0, depending on whether you want the full open source version or not).
2. Unzip the file into its own directory. This completes the installation.
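Before moving on to the Windows tools, here is an added example (not code from the book, Sleuth Kit or Autopsy) of what the time zone and clock skew entered in step 4 of Adding a Host buy you: timestamps from hosts in different zones, one of them with a fast clock, are normalized to true UTC and merged into the single timeline of activity listed among the features at the start of this section. The hosts and events are constructed for the example, and fixed UTC offsets stand in for named time zones so the script runs without a tz database.

```python
"""Normalising timestamps from several hosts into one timeline.

Added example, not part of Sleuth Kit or Autopsy. Each host carries the
two values step 4 of Adding a Host asks for: its UTC offset and its clock
skew (how far its clock ran ahead of true time). A host-local timestamp is
converted to UTC with the offset, then corrected by the skew, so events
from different machines can be ordered against each other.
Hosts and events below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Host:
    name: str
    utc_offset: timedelta   # local time = UTC + utc_offset
    skew: timedelta         # host clock = true time + skew (positive = fast)


def to_true_utc(host, local_stamp):
    """Parse a host-local 'YYYY-MM-DD HH:MM:SS' stamp; return corrected UTC."""
    naive = datetime.strptime(local_stamp, "%Y-%m-%d %H:%M:%S")
    aware = naive.replace(tzinfo=timezone(host.utc_offset))
    return aware.astimezone(timezone.utc) - host.skew


def merged_timeline(hosts, events):
    """events: (host_name, local_stamp, description) -> sorted (utc, host, desc)."""
    by_name = {h.name: h for h in hosts}
    rows = [(to_true_utc(by_name[name], stamp), name, desc)
            for name, stamp, desc in events]
    return sorted(rows)


def demo():
    """Constructed case: two hosts, one in UTC-6, one in UTC+1 running 12 min fast."""
    hosts = [
        Host("webserver", timedelta(hours=-6), timedelta(0)),
        Host("fileserver", timedelta(hours=1), timedelta(minutes=12)),
    ]
    events = [
        ("fileserver", "2004-06-25 09:10:00", "share accessed"),
        ("webserver", "2004-06-25 02:05:00", "new account created"),
        ("fileserver", "2004-06-25 08:57:00", "logon"),
    ]
    return [(utc.strftime("%Y-%m-%d %H:%M:%S"), host, desc)
            for utc, host, desc in merged_timeline(hosts, events)]


if __name__ == "__main__":
    for stamp, host, desc in demo():
        print(stamp, host, desc)
```

Without the skew correction the file server's "share accessed" event would appear five minutes after the account was created on the web server; with it, the access comes first, which changes the story the timeline tells.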
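A second added example (again not from the book or the tools it describes) covers step 5 of Adding an Image, the hash that lets you show later that the image has not changed, for the case in step 6 where a large drive was acquired as several segment files. The segments are hashed in order as one stream, so the digest equals that of the unsplit device, the digest and segment order are written to a record file beside the image, and the record is re-checked after a single byte is altered. The image bytes and file names are constructed.

```python
"""Integrity hashes for a split disk image.

Added example, not code from the book, Sleuth Kit or Autopsy. It does by
hand what the hash file from step 5 of Adding an Image does: record a
digest of the acquired image and re-verify it on demand. Segments are
read in order as one logical stream, so a drive split into several files
(step 6) hashes to the same value as the original device.
The image contents and file names are constructed.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so large images never sit in RAM


def hash_segments(segment_paths, algorithm="md5"):
    """Digest of the concatenated segments, without joining them on disk."""
    h = hashlib.new(algorithm)
    for path in segment_paths:
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(CHUNK), b""):
                h.update(block)
    return h.hexdigest()


def write_hash_record(record_path, segment_paths, algorithm="md5"):
    """Store algorithm, digest and the ordered segment list beside the image."""
    digest = hash_segments(segment_paths, algorithm)
    with open(record_path, "w", encoding="utf-8") as fh:
        fh.write(f"{algorithm} {digest}\n")
        for path in segment_paths:
            fh.write(f"segment {os.path.basename(path)}\n")
    return digest


def verify_hash_record(record_path, segment_dir):
    """Recompute the digest in the recorded segment order; True if unchanged."""
    with open(record_path, encoding="utf-8") as fh:
        lines = [ln.rstrip("\n") for ln in fh if ln.strip()]
    algorithm, recorded = lines[0].split(" ", 1)
    segments = [os.path.join(segment_dir, ln.split(" ", 1)[1])
                for ln in lines[1:] if ln.startswith("segment ")]
    return hash_segments(segments, algorithm) == recorded


def demo():
    """Build a constructed split image, record its hash, then alter one byte."""
    tmp = tempfile.mkdtemp(prefix="evidence_")
    image = bytes(range(256)) * 40              # constructed 10240-byte "drive"
    split_at = 4096                             # acquired as two segment files
    seg1 = os.path.join(tmp, "disk.dd.001")
    seg2 = os.path.join(tmp, "disk.dd.002")
    with open(seg1, "wb") as fh:
        fh.write(image[:split_at])
    with open(seg2, "wb") as fh:
        fh.write(image[split_at:])
    record = os.path.join(tmp, "disk.dd.md5")

    recorded = write_hash_record(record, [seg1, seg2])
    matches_whole = recorded == hashlib.md5(image).hexdigest()
    before = verify_hash_record(record, tmp)

    # Change one byte in the second segment, as a bad copy or tampering would.
    with open(seg2, "r+b") as fh:
        fh.seek(10)
        original = fh.read(1)
        fh.seek(10)
        fh.write(b"\x00" if original != b"\x00" else b"\x01")
    after = verify_hash_record(record, tmp)
    return matches_whole, before, after


if __name__ == "__main__":
    whole, ok_before, ok_after = demo()
    print("segment hash equals whole-image hash:", whole)
    print("verifies before alteration:", ok_before)
    print("verifies after alteration:", ok_after)
```

The record file is the piece to keep with the case notes: the algorithm name, the digest, and the segment order are all needed to reproduce the check, and a verifier that silently accepted a different segment order would hash a different stream.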
Using Forensic Toolkit

The tools consist of various command line utilities that generate various statistics and information on the file system in question. To execute a command, open up a command line window and type it (you must be in the appropriate directory). The following sections describe the individual tools.

Afind

This utility searches for files by their access time. It does this without modifying any file access information, which the normal Windows utilities do change. The basic format is:

    afind search_directory options

where you replace search_directory with the directory to search and replace options with the appropriate search options. Table 11.6 lists the basic options.

Table 11.6 Basic Afind Search Options

Option           Description
-f filename      Gives the access time information for filename.
-s X             Finds files that were accessed within X seconds.
-m X             Finds files that were accessed within X minutes.
-d X             Finds files that were accessed within X days.
-a d/m/y-h:m:s   Finds files that were accessed after the date and time indicated.

Hfind

This tool finds hidden files in the Windows operating system. It shows files that have the hidden attribute bit turned on and those hidden using the Windows NT special directory/system attribute method. The format is:

    hfind path

where path is replaced with the path you want to search. It lists the hidden files and their last date and time of access. Be careful of searching the whole hard drive as this could take a while.

Sfind

This tool finds hidden datastreams on the hard disk. These are different from hidden files in that they won't be seen on the hard disk when you click on the option to view hidden files. Hidden datastreams are an NTFS feature that allows certain programs to access alternate datastreams. The files are linked to a parent file, which is visible, but may not be deleted when the file system deletes the parent file. They may be used to hide data or malware. The format of the sfind command is:

    sfind path

where path is the path you want to search. Again, this may take quite some time if you are searching the root directory of a large drive.

FileStat

This command creates a full listing of file attributes, including security information. It only works on one file at a time. You can pipe the output into a text file for further processing. This command generates quite a lot of information, including a lot of file descriptor information you don't normally see. Listing 11.5 shows a sample of this information for a file called test.txt.

Listing 11.5 FileStat Output

    Creation Time - 01/10/2004 03:18:40
    Last Mod Time - 01/10/2004 03:18:40
    Last Access Time - 01/10/2004 03:18:40
    Main File Size - 11
    File Attrib Mask - Arch
    Dump complete
    Dumping C:\temp\test.txt
    SD is valid.
    SD is 188 bytes long.
    SD revision is 1 == SECURITY_DESCRIPTOR_REVISION1
    SD's Owner is Not NULL
    SD's Owner-Defaulted flag is FALSE
    SID = TONYVPRDESKTOP/Tony Howlett S-1-5-21 181663460-
    SD's Group-Defaulted flag is FALSE
    SID = TONYVPRDESKTOP/None S-1-5-21 181663460 953405037-
    SD's DACL is Present
    SD's DACL-Defaulted flag is FALSE
    ACL has 4 ACE(s), 112 bytes used, 0 bytes free
    ACL revision is 2 == ACL_REVISION2
    SID = BUILTIN/Administrators S-1-5-32-544
    ACE 0 is an ACCESS_ALLOWED_ACE_TYPE
    ACE 0 size = 24
    ACE 0 flags = 0x00
    ACE 0 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
    SID = NT AUTHORITY/SYSTEM S-1-5-18
    ACE 1 is an ACCESS_ALLOWED_ACE_TYPE
    ACE 1 size = 20
    ACE 1 flags = 0x00
    ACE 1 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
    SID = TONYVPRDESKTOP/Tony Howlett S-1-5-21 181663460-
    ACE 2 is an ACCESS_ALLOWED_ACE_TYPE
    ACE 2 size = 36
    ACE 2 flags = 0x00
    ACE 2 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
    SID = BUILTIN/Users S-1-5-32-545
    ACE 3 is an ACCESS_ALLOWED_ACE_TYPE
    ACE 3 size = 24
    ACE 3 flags = 0x00
    ACE 3 mask = 0x001200a9 -R -X
    SD's SACL is Not Present
    Stream 1: Type: Security Stream name = ?? ?? Size: 188
    Stream 2: Type: Data Stream name = ?? ?? Size: 11
    Stream 3: Type: Unknown Stream name = ?? ?? Size: 64

Hunt

This tool can be used to generate a lot of information on a system using the Windows NULL session capabilities. Depending on the permissiveness of your system, it could generate significant information such as user lists, shares, and services running. The command takes the following format:

    hunt system_name

where system_name represents the proper Windows host name of the system you want to run hunt on. Listing 11.6 represents an example of this output.

Listing 11.6 Hunt Output

    share = IPC$ - Remote IPC
    share = print$ - Printer Drivers
    share = SharedDocs -
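Closing this section, an added example (not part of the Foundstone Forensic Toolkit) reimplements the access-time searches of Afind from Table 11.6 in Python so the behaviour can be studied on any platform: the -s/-m/-d windows, -a after a date, and -f for a single file, all read through os.stat() so that the examination itself never updates an access time. The d/m/y-h:m:s format is assumed to mean day/month/four-digit year; the directory tree and its access times are constructed with os.utime().

```python
"""An afind-style access-time search.

Added example, not part of the Foundstone Forensic Toolkit. It reproduces
the -f, -s/-m/-d and -a options from Table 11.6 using os.stat(), which
reads the last-access time without updating it; opening a file to read it
can change atime, which is exactly what an examiner must avoid. The
directory tree and its access times are constructed in build_sample_tree().
"""
import os
import tempfile
import time
from datetime import datetime

STAMP_FORMAT = "%d/%m/%Y-%H:%M:%S"   # assumed reading of afind's d/m/y-h:m:s


def file_atimes(search_directory):
    """Yield (path, atime) for every regular file below search_directory."""
    for root, _dirs, files in os.walk(search_directory):
        for name in files:
            path = os.path.join(root, name)
            yield path, os.stat(path, follow_symlinks=False).st_atime


def accessed_within(search_directory, seconds=0, minutes=0, days=0, now=None):
    """-s X / -m X / -d X: files whose atime falls inside the window before now."""
    now = time.time() if now is None else now
    cutoff = now - (seconds + 60 * minutes + 86400 * days)
    return sorted(p for p, at in file_atimes(search_directory) if at >= cutoff)


def accessed_after(search_directory, stamp):
    """-a d/m/y-h:m:s: files accessed after a local date and time."""
    cutoff = datetime.strptime(stamp, STAMP_FORMAT).timestamp()
    return sorted(p for p, at in file_atimes(search_directory) if at > cutoff)


def access_time_of(path):
    """-f filename: one file's access time, formatted like the -a argument."""
    return datetime.fromtimestamp(os.stat(path).st_atime).strftime(STAMP_FORMAT)


def build_sample_tree(now):
    """Constructed sample: three files with access times of known ages."""
    root = tempfile.mkdtemp(prefix="afind_")
    ages = {"recent.log": 30, "yesterday.doc": 86400 + 60, "old.bin": 40 * 86400}
    for name, age in ages.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(b"sample")
        os.utime(path, (now - age, now - age))   # (atime, mtime)
    return root


def basenames(paths):
    return [os.path.basename(p) for p in paths]


def demo():
    now = time.time()
    root = build_sample_tree(now)
    return {
        "within_minute": basenames(accessed_within(root, minutes=1, now=now)),
        "within_two_days": basenames(accessed_within(root, days=2, now=now)),
        "after_2004": basenames(accessed_after(root, "01/10/2004-03:18:40")),
        "recent_atime": access_time_of(os.path.join(root, "recent.log")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to carry over to the real tool is the one the text makes: a search that opens each file to inspect it can overwrite the very timestamps it is looking for, so access-time searches must stay at the metadata level.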
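A final added example (not from the toolkit) parses FileStat output such as Listing 11.5 into structured records and decodes each ACE mask from the Win32 access-right bit values into the letters FileStat prints (R, W, X, D, DEL_CHILD, CHANGE_PERMS, TAKE_OWN), so that across many files you can quickly answer who may write or delete and whether any stream beyond the security descriptor and the main data stream exists for follow-up with sfind. SAMPLE_OUTPUT is an abridged transcription of the listing.

```python
"""Parsing FileStat output and decoding ACE access masks.

Added example, not part of the Foundstone Forensic Toolkit. FileStat prints
one field per line (Listing 11.5); this turns that text into owner, group,
ACE and stream records, decodes each mask into the labels FileStat uses,
and lists streams other than the security descriptor and main data stream.
SAMPLE_OUTPUT is an abridged transcription of Listing 11.5.
"""
import re

# Win32 file access-right bits paired with the label FileStat prints for each.
MASK_LABELS = (
    (0x00000001, "R"),             # FILE_READ_DATA
    (0x00000002, "W"),             # FILE_WRITE_DATA
    (0x00000020, "X"),             # FILE_EXECUTE
    (0x00010000, "D"),             # DELETE
    (0x00000040, "DEL_CHILD"),     # FILE_DELETE_CHILD
    (0x00040000, "CHANGE_PERMS"),  # WRITE_DAC
    (0x00080000, "TAKE_OWN"),      # WRITE_OWNER
)
FULL_CONTROL = 0x001F01FF          # the mask the listing shows for Administrators

SID_RE = re.compile(r"^SID = (.*?) (S-1-.*)$")
ACE_TYPE_RE = re.compile(r"^ACE (\d+) is an (\w+)$")
ACE_MASK_RE = re.compile(r"^ACE (\d+) mask = (0x[0-9a-fA-F]+)")
STREAM_RE = re.compile(r"^Stream (\d+): Type: (\w+) Stream name = (.*?) Size: (\d+)$")

SAMPLE_OUTPUT = """
Dumping C:\\temp\\test.txt
SID = TONYVPRDESKTOP/Tony Howlett S-1-5-21 181663460-
SID = TONYVPRDESKTOP/None S-1-5-21 181663460 953405037-
ACL has 4 ACE(s), 112 bytes used, 0 bytes free
SID = BUILTIN/Administrators S-1-5-32-544
ACE 0 is an ACCESS_ALLOWED_ACE_TYPE
ACE 0 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = NT AUTHORITY/SYSTEM S-1-5-18
ACE 1 is an ACCESS_ALLOWED_ACE_TYPE
ACE 1 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = TONYVPRDESKTOP/Tony Howlett S-1-5-21 181663460-
ACE 2 is an ACCESS_ALLOWED_ACE_TYPE
ACE 2 mask = 0x001f01ff -R -W -X -D -DEL_CHILD -CHANGE_PERMS -TAKE_OWN
SID = BUILTIN/Users S-1-5-32-545
ACE 3 is an ACCESS_ALLOWED_ACE_TYPE
ACE 3 mask = 0x001200a9 -R -X
SD's SACL is Not Present
Stream 1: Type: Security Stream name = ?? ?? Size: 188
Stream 2: Type: Data Stream name = ?? ?? Size: 11
Stream 3: Type: Unknown Stream name = ?? ?? Size: 64
"""


def decode_mask(mask):
    """FileStat-style labels for the rights set in an access mask."""
    return [label for bit, label in MASK_LABELS if mask & bit]


def parse_filestat(text):
    """Turn FileStat output into owner, group, ACE and stream records."""
    result = {"owner": None, "group": None, "aces": [], "streams": []}
    pending_sid = None
    in_acl = False
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("ACL has "):           # everything after this is the DACL
            in_acl = True
        elif m := SID_RE.match(line):
            account_sid = m.groups()
            if not in_acl and result["owner"] is None:
                result["owner"] = account_sid      # first SID in the SD is the owner
            elif not in_acl and result["group"] is None:
                result["group"] = account_sid      # second is the primary group
            else:
                pending_sid = account_sid          # applies to the ACE that follows
        elif m := ACE_TYPE_RE.match(line):
            result["aces"].append({"index": int(m.group(1)), "type": m.group(2),
                                   "account": pending_sid[0], "sid": pending_sid[1],
                                   "mask": None, "rights": []})
        elif m := ACE_MASK_RE.match(line):
            ace = result["aces"][-1]
            ace["mask"] = int(m.group(2), 16)
            ace["rights"] = decode_mask(ace["mask"])
        elif m := STREAM_RE.match(line):
            result["streams"].append({"index": int(m.group(1)), "type": m.group(2),
                                      "name": m.group(3), "size": int(m.group(4))})
    return result


def writable_by(parsed):
    """Accounts granted write or delete by an ACCESS_ALLOWED ACE."""
    return sorted(a["account"] for a in parsed["aces"]
                  if a["type"] == "ACCESS_ALLOWED_ACE_TYPE"
                  and ("W" in a["rights"] or "D" in a["rights"]))


def extra_streams(parsed):
    """Streams other than the security descriptor and the main data stream."""
    return [s for s in parsed["streams"] if s["type"] not in ("Security", "Data")]
```

Run over a directory of saved FileStat dumps, writable_by() gives a quick view of which accounts could have altered each file, and extra_streams() flags the files worth a second look with sfind.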