Week 4

The document discusses analyzing Linux/Unix file systems for digital forensic investigations. It covers locating evidence in files like passwords, logs, histories and hidden files. Tools discussed include searching for keywords, hash analysis, data carving, and analyzing SMART data from hard drives. Timeline analysis using MAC times from files is also covered, demonstrating how to generate timelines from forensic tools and interpret the timestamps.
Start of transcript. Skip to the end.

>> In the last unit, we reviewed Linux/Unix file systems and used Sleuthkit as an example to find out how a forensic analysis tool retrieves data in Linux/Unix file systems. This week we will study where data commonly hides in Linux/Unix file systems and how to utilize forensic analysis technologies to find evidence for investigation. We will focus on Linux/Unix files such as the password file, log files, history files, hidden files, setuid/setgid files, recently modified binaries, and recently created and deleted files, among others. I will also introduce analysis utilities, including keyword search, hash analysis, and data carving. Remember, we will always work on image copies of the original drive.

We start an analysis by examining the partition table on a suspect drive to learn how many partitions exist on the drive, whether each partition is mounted, and if there is any data hidden in between the partitions. We then examine all pertinent information, including files, deleted files, emails, pictures, visited websites, etc. We will put the MAC times in a timeline sequence to tie events together, to get a better understanding of what has happened. Whenever we have a keyword, for example the names of the suspects who are involved in the case or IP addresses that the suspect machine connected and communicated with, we conduct a keyword search using these terms to search for clues. There are many sophisticated forensic analysis tools to facilitate analysis. Forensic investigation demands not only knowledge but also experience, reasoning, and communication skills. Before we dive directly into GUI-based advanced forensic analysis tools, let's go through some basic tools and steps to understand what is going on behind these well-known GUI-based forensic tools.

When we seize a suspect machine or laptop, how do we know the drive has not been swapped? CyanLine LLC discovered that most hard drives have a built-in self-monitoring, analysis and reporting tool, SMART for short. It can reveal the exact number of times that the examined hard drive has been turned on and the exact number of hours that the suspect hard drive has been used inside a computer. SMART was developed by hard drive manufacturers to help drive owners assess their drive's physical usage; however, it can provide computer forensic examiners with crucial information in some scenarios. For example, assume you seize a two-year-old laptop and you find that the hard disk does not contain a reasonable amount of data for a two-year-old drive. Although the suspect explains, "I reinstalled my computer," it becomes pretty clear that the owner had swapped out the hard drive if you use the SMART tool.

We start our forensic analysis by identifying partitions from a drive image. We could use the Linux/Unix tool fdisk to show the partition information; however, fdisk displays the start and end point of a partition in units of cylinders. In our example /dev/hda1 starts at the first cylinder and ends at cylinder 990. If we use dd to carve out this partition, you have to convert values from cylinders to 512-byte sectors. Media management ls, or mmls, from Sleuthkit is designed to display partition information in units of 512-byte sectors. Given a disk image, mmls will interpret the MBR to display all the partition entries' information, which can be easily used by dd to carve out partitions. It also works for the GUID partition table, GPT.

Next we will mount partitions to start analysis. Everyone should be familiar with the Linux/Unix command mount. Here I will emphasize a couple of key options for forensic analysis purposes. Assume my hda1.dd is a dd raw image file representing a partition. The command shown here will mount my hda1.dd to a mount point /mnt/hacked. The read-only option, ro, has to be used to prevent mount from modifying anything. Since my hda1.dd is a file, not a device, we need to use the loopback device option. Note that with most sophisticated forensic analysis tools, mounting will be done automatically.
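The partition-table step above, as an added example that is not part of the lecture or of Sleuthkit: a small Python parser that reads the four primary entries of an MBR, prints an mmls-style table in 512-byte sectors including the unallocated gaps between partitions, and builds the dd command that carves one partition out. It also converts an fdisk cylinder range to sectors; the 255-head, 63-sector geometry and the sample two-partition MBR are assumptions constructed for this example, and the cylinder conversion only covers the legacy layout in which the first partition begins one track (sector 63) into cylinder 1.

```python
import struct

SECTOR = 512  # the unit mmls reports in, and the bs= that dd carves with


def cylinders_to_sectors(first_cyl, last_cyl, heads=255, spt=63):
    """Turn an fdisk-style cylinder range (1-based, inclusive) into a
    (start_sector, sector_count) pair.  Assumes the classic 255 heads x 63
    sectors/track geometry; when the range starts at cylinder 1 the first
    track is skipped because it holds the MBR, which is why the first
    partition on such drives begins at sector 63."""
    per_cyl = heads * spt
    start = spt if first_cyl == 1 else (first_cyl - 1) * per_cyl
    end = last_cyl * per_cyl - 1
    return start, end - start + 1


def parse_mbr(mbr):
    """Read the four 16-byte primary partition entries at offset 446."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature: not an MBR")
    parts = []
    for slot in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4), little-endian
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * slot)
        if ptype == 0 or count == 0:
            continue  # empty slot
        parts.append({"slot": slot, "type": ptype, "bootable": status == 0x80,
                      "start": lba, "length": count, "end": lba + count - 1})
    return parts


def layout(parts, total_sectors):
    """mmls-style table: partitions plus the unallocated gaps between them,
    which is where data hidden between partitions would live."""
    rows, pos = [], 1  # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > pos:
            rows.append(("unallocated", pos, p["start"] - 1))
        rows.append(("0x%02x" % p["type"], p["start"], p["end"]))
        pos = p["end"] + 1
    if pos < total_sectors:
        rows.append(("unallocated", pos, total_sectors - 1))
    return rows


def dd_command(image, part, out):
    """The dd invocation that carves one partition out of the disk image."""
    return f"dd if={image} of={out} bs={SECTOR} skip={part['start']} count={part['length']}"


def build_mbr(entries):
    """Constructed test MBR; entries are (type, start_lba, sector_count)."""
    mbr = bytearray(512)
    for slot, (ptype, start, count) in enumerate(entries):
        struct.pack_into("<B3sB3sII", mbr, 446 + 16 * slot,
                         0x80 if slot == 0 else 0, b"\xfe\xff\xff", ptype,
                         b"\xfe\xff\xff", start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


# Constructed two-partition disk: Linux (0x83), a gap, then swap (0x82).
SAMPLE_MBR = build_mbr([(0x83, 63, 2097152), (0x82, 2200000, 500000)])
SAMPLE_TOTAL_SECTORS = 3000000

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for kind, s, e in layout(parts, SAMPLE_TOTAL_SECTORS):
        print(f"{kind:12} {s:>10} {e:>10} {e - s + 1:>10}")
    print(dd_command("disk.dd", parts[0], "hda1.dd"))
    print("fdisk cylinders 1-990 ->", cylinders_to_sectors(1, 990))
```

The three "unallocated" rows are the ranges an examiner would look at for data hidden between partitions; real mmls also understands GPT and extended partitions, which this parser does not.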

>> We have talked about MAC times in previous lessons. In Linux/Unix file systems, MAC times are the timestamps of the latest modification, access, and change of inode content of a certain file. More specifically, M means the last time the file's data block was changed. A is the last time the file's data block was accessed. C records the last time the file's inode content was changed. Remember, in Windows, C means a file's creation time. Please be aware of the keyword "last": if you modify a file several times, the MAC time will only show the last time the file was written or accessed.

In digital forensic analysis, we use MAC times to create a timeline of activities. Timeline analysis helps us reconstruct data to identify when activities occurred on a computer and in what sequence. For example, a rootkit installation leaves a number of files with timestamps very close to one another; however, MAC times can be easily changed by attackers. The Linux/Unix command touch is able to change both access and modification times. A free utility on Windows systems called Timestomp will change all three timestamps in the Windows file system. MAC times are sensitive to change within the system. Running a single command, for example copy, will change the last access time of a file; therefore, you should always grab the MAC time information before running other commands on a system.

Next let's look at utilities that create MAC time lines for us. mactime from Sleuthkit takes a data file as input and sorts the data to create a timeline. In general, creating a timeline takes two steps. First, you should generate a data file as an input for mactime. The data file contains timestamps, file name, and other information. For example, both fls and ils can create such a data file using the -m option. In an fls command, the option -r is recursive; -m / instructs fls to display output in a mactime input format with slash as the mount point of the image. In an ils command, we use -m without a slash since the output from ils does not have file name information. Once we have the data file, we can run mactime to sort the files to create a timeline, focusing on dates and times. If you are only interested in a certain time range of the timeline, mactime will only display the files with MAC time lines in the specified time range.

A timeline produced by mactime looks like this. mactime sorts files based on date and time. It starts with the day, in our case Saturday; followed by month, date, year, and the time in hours, minutes, and seconds. The next field is the file size, followed by a combination of three characters, M, A, and C, followed by permissions, UID, GID, and a file name. When looking at the characters after the file size, A indicates that the displayed date and time is the last access time. M indicates that the displayed date and time is the last modification time. C indicates the last inode change time. ".A." means the timestamp is only for the A time and that the same file was last modified and changed at a later time. In our example, file A was last accessed at 16:40:20; it was last modified at 16:45:56. Its inode content was also changed at 16:45:56. If the A time, M time, and C time were all last changed at the same time, you will see "MAC" together. In our example file B's MAC times were last changed on Saturday, December 12, 2016 at 16:45:56. When you create a new file, you should always see the MAC combination. You should also notice from the timeline that many files have their last MAC timestamps at 16:40:23; that means some activity such as downloading or compiling occurred at that time, since a human is not able to change that many files within one second. A forensic investigator will always look closely into these kinds of gaps.

If we create data files using ils or fls, deleted files are also included in the data files. Here is an example of a timeline created from fls and mactime. Each entry in that list contains timestamps, metadata information, and also file names. Please be aware that timelines created from ils and mactime will not have file name information. In some entries you will see that "(deleted)" or "(deleted-realloc)" is presented after the file name. "(deleted)" at the end indicates the file entry is a deleted file; therefore, its content may be recoverable if the data blocks have not yet been overwritten. "(deleted-realloc)" indicates that the file's inode has already been assigned to another file even though its file name and inode mapping has not yet been overwritten. In our example, we know that there is a file called file1. Its metadata has been overwritten, and we do not know where its data blocks are located and whether the data blocks have been overwritten. The third file is a normal file entry just like you normally see from ls -l output.
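The two-step timeline procedure described above, as an added example that is not part of the lecture and not Sleuthkit's own mactime code: a Python re-implementation of what mactime does with a body file. It parses lines in the Sleuth Kit 3.x body format that fls -m and ils -m emit (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime), emits one row per distinct timestamp per file with the "m.c." / ".a.b" / "macb" flags (four characters, because modern body files carry a birth time as well), sorts by time, supports a time-range filter, and flags seconds in which many files changed at once. The five body lines, their inode numbers and timestamps are constructed for this example; the deleted file1 carries the "(deleted)" suffix in its name field exactly as fls writes it.

```python
import datetime
from collections import defaultdict

# Constructed body-file lines (Sleuth Kit 3.x format, epoch seconds). The three
# files under /tmp/rk share one second, the signature of a non-human action.
BODY = """\
0|/etc/passwd|1001|r/rrw-r--r--|0|0|1500|1481560820|1481561156|1481561156|1481560820
0|/tmp/rk/install.sh|2001|r/rrwxr-xr-x|0|0|880|1481560823|1481560823|1481560823|1481560823
0|/tmp/rk/ls|2002|r/rrwxr-xr-x|0|0|40320|1481560823|1481560823|1481560823|1481560823
0|/tmp/rk/ps|2003|r/rrwxr-xr-x|0|0|38400|1481560823|1481560823|1481560823|1481560823
0|/home/bob/file1 (deleted)|3005|r/rrw-r--r--|1000|1000|12|1481560700|1481560700|1481560700|1481560700
"""


def parse_body(text):
    """Parse body-file lines into records (one dict per line)."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("|")
        if len(f) != 11:
            raise ValueError("malformed body line: %r" % line)
        records.append({
            "name": f[1], "inode": f[2], "mode": f[3], "uid": f[4], "gid": f[5],
            "size": int(f[6]),
            # keyed in the order the flag column is printed: m a c b
            "times": {"m": int(f[8]), "a": int(f[7]), "c": int(f[9]), "b": int(f[10])},
        })
    return records


def build_timeline(records, start=None, end=None):
    """Return (ts, flags, record) tuples sorted by time.  A file that has all
    four times equal yields one 'macb' row; otherwise one row per distinct
    timestamp, with a dot for every time that does not fall in that second."""
    out = []
    for rec in records:
        by_ts = defaultdict(set)
        for letter, ts in rec["times"].items():
            if ts:                      # mactime skips zero (unset) timestamps
                by_ts[ts].add(letter)
        for ts, letters in by_ts.items():
            if start is not None and ts < start:
                continue
            if end is not None and ts > end:
                continue
            flags = "".join(l if l in letters else "." for l in "macb")
            out.append((ts, flags, rec))
    out.sort(key=lambda e: (e[0], e[2]["name"]))
    return out


def format_line(ts, flags, rec):
    """One timeline row in the layout the lecture walks through: day, date,
    time, size, flags, permissions, UID, GID, inode, name.  UTC is used so the
    output does not depend on the analysis machine's time zone."""
    when = datetime.datetime.fromtimestamp(ts, tz=datetime.timezone.utc)
    return (f"{when.strftime('%a %b %d %Y %H:%M:%S')} {rec['size']:>8} {flags} "
            f"{rec['mode']} {rec['uid']} {rec['gid']} {rec['inode']} {rec['name']}")


def burst_seconds(timeline, threshold=3):
    """Seconds in which at least `threshold` entries changed: the gaps an
    investigator looks at closely (downloads, compiles, rootkit installs)."""
    counts = defaultdict(int)
    for ts, _, _ in timeline:
        counts[ts] += 1
    return sorted(ts for ts, n in counts.items() if n >= threshold)


def flags_for(timeline, name, ts):
    """Flag string for one file at one timestamp, or None."""
    for t, flags, rec in timeline:
        if t == ts and rec["name"] == name:
            return flags
    return None


if __name__ == "__main__":
    tl = build_timeline(parse_body(BODY))
    for entry in tl:
        print(format_line(*entry))
    for ts in burst_seconds(tl):
        print("burst of activity at", format_line(ts, "", {"size": 0, "mode": "", "uid": "", "gid": "", "inode": "", "name": ""})[:24])
```

With a real image the body file would come from fls -r -m / image.dd (names included) or ils -m image.dd (inode metadata only, so the name column is empty), and the start/end arguments play the role of mactime's date-range parameters.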

>> We have learned in this unit that MAC times are the timestamps of the latest modification, access, and inode change time. In the first part of this demo, let's look at what actions will make MAC times change. And then in the second part of this demo I will use the Sleuth Kit mactime command to create the timeline of a file.

So, first, let's look into the MAC time. Now, I'm inside a temp directory; currently there is nothing in the temp directory, and let me create a file. I can use touch to create a file. Now, touch is an interesting command. OK? If my file is a new file, if you touch it, it will create it, with all the timestamps being the time when I run this touch command. If I touch an existing file, it will not change any of the existing file's content, but that file's modification and access time change to the current time. Since my file is new, we should now see it. It's created. Size is zero because touch does not really modify the content, does not touch upon the content. So, for this one, ls lists one of the timestamps by default. By default it is the M time, and then you can use ls with the other options to list the access time and change time. But here I use stat. OK. Use stat to show you all of the timestamps. And normally I say there are three timestamps; sometimes they also add a fourth one, Birth. When was the file created? OK. In the Windows case, we will often see there are four timestamps. I will talk about that later. So, here the access time, modification time, and change time are all the same as this, the current time.

OK. Now, if I say more my file, and we wait for a couple of seconds because I want to see which timestamps change after a couple of seconds. OK. That should be enough. If I do more, so to read this file's content, all right, to read this file's content, see whether I can change anything; currently I don't have anything to read, but anyway I do more my file. Certainly, the content has nothing, but now if we do stat again, let's compare the stat with the previous case. All right. So, the access time changed now. The access time now is 43:21, and all the other ones, the modification time and then the change time, remained the same. Remained the same. OK? So, those did not change. So, if you read a file without modifying anything, only the access time changes. Only the access time changed.

Now let's modify the content. OK. I'm going to do it in a lazy way: I say echo hello and append -- oops, not too many -- append that to my file. So, I modified the content. Now, original does nothing that current now. If you look into that, I cannot do more because it will change the timestamp. So, now I only did one action. I modified the content. Let's do a stat again. Now, in this case, the access time remained the same, remained the same as the previous one when we did more. OK? And then the change time and the modification time changed after I changed the content. OK? So, that's how -- you can try all that at home to find out which action really changes which timestamp. All right?

And then how about I use touch? If I use touch on the existing file, it will change two timestamps. One is the modification and one is the access. All right? Those timestamps can be changed. If you don't specify any date format, then it will change to the current time, but an attacker says, "I want to change to whatever date and time I want," because they want to go back to a date and time to hide information, to pretend this file has never been changed. So, we know if you touch an existing file, you will change the timestamp to be the current time. For example, if I touch my file again and I do stat my file, then all the timestamps will change to the current time. Now, if an attacker wants to modify intentionally to a given timestamp, can they do that? Now, the best way is to use the man page: man touch, to learn what the command's function is. Each command actually provides man instructions. So, it tells you what touch is and what the options are. If you look into that, you can change the access time using -a. So, if I only want to change the access time, then I use -a, and then you can also change -- -m is the modification time. OK? -m changes only the modification time. touch does not allow you to change the change time by providing a certain time, so you can only intentionally change the access time and the modification time. You can even give a certain date format for the date and time you want to change to. All right.

Let's quit and come back to the touch command. Now, if we do touch and we only want to change the access time, OK, and we want the date and time to look like going back. That's today, '17, January 31st, at a certain time, whatever I make up. OK? A certain time. And make this change for my file. Now, if you do stat again, you will see the access time intentionally changed, changed to the time I specified in the command. And you can do that for -m, modification time, as well. But you cannot intentionally change the change time. OK. So, that's the first part.

And then the next part -- let's get back to mactime. So, in the previous video demo I used fls and ils to create two body files, and when we ran fls and ils I intentionally used the -m option, which says to create a body file for mactime. So, mactime has to rely on a body file, and it only sorts the body file based on the time; that's why it's called mactime. So, if you look at my desktop here, I have two files. These files I created using fls and ils. If you forgot how I got those files, you can go back to the Sleuth Kit command line demo to find out how I got those two files. I will not repeat the process here. So, now with those two files here, it is very easy for me to use mactime, to use mactime to sort this file. OK. So, the command I run is mactime and, once again, if you don't know how mactime works, do a man mactime. OK? To understand how to run mactime. The option is very simple because it requires a body file. So, -b means body. Then I grab in one here. So, this is the body file I want to create. Now, if I push enter, the output will be on the screen, but I want to redirect. And then one more option I would like to add is -d, which puts a delimiter as a comma separator. It's easy for me to read later on; then I create a file called mactime_fls. I want to give myself meaningful information. And I give it to be CSV, to be easy to open up. OK. So, let's create that. OK. So, this file is created; now let's open it. So, now if you look into it, it gives you very clear information about: this is the time. So, here, this happened at the same time; what happened. OK? So, at this particular time, those files changed. This file changed MAC time. Now, I have already talked about that, the MAC here, and now in this case it uses four timestamps, MAC and the birth. OK? If there's a dot, it means M does not change here. M is changing later. You will find the same file name modified later, but in this case, only access. Last access is here. So, this file actually never gets accessed again later, because that's the latest access time, the last access time. And then for this file, for example, the last modified and the last changed time is at this particular second. That means it will never be modified and changed again later, but it is accessed later. It is accessed later. So, that's why the A is missing. OK. So, in this way, it's very easy to sort it based on the date and time, down to seconds, sort all of the information. If you see the same seconds happen -- a long, long chunk happened in the same second -- that means some nonhuman action happened, like a compile and all those actually happened, and you should pay attention to it. And, definitely, last time we also created the ils body, and you can use mactime the same way to create a CSV file and to look at the ils body. So, then for that file, the difference from fls is that the ils body does not contain file name information. That's the only difference. All right. So, I will stop here. Hopefully you enjoy it.
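The first half of the demo (which action changes which timestamp, and what touch -a can and cannot back-date), as an added example that is not part of the lecture: a Python script that replays the same sequence on a scratch file with os.utime and os.stat instead of touch and stat, then reports which of atime, mtime and ctime moved at each step. The back-date value (2017-01-31 09:30:00 UTC) and the scratch file name are assumptions. One caveat the demo's "more myfile" step glosses over is built in: on file systems mounted with relatime or noatime a read does not necessarily update atime, so the read result is reported but not relied on.

```python
import os
import tempfile
import time

# Constructed back-date, 2017-01-31 09:30:00 UTC, in nanoseconds: stands in for
# the made-up value the demo passes to "touch -a -t ..." (assumption).
BACKDATE_NS = 1485855000 * 10**9


def snapshot(path):
    """The three MAC timestamps stat(1) shows, in nanoseconds."""
    st = os.stat(path)
    return {"a": st.st_atime_ns, "m": st.st_mtime_ns, "c": st.st_ctime_ns}


def changed(before, after):
    """Which of a/m/c differ between two snapshots."""
    return {k for k in before if before[k] != after[k]}


def touch(path, atime_ns=None, mtime_ns=None):
    """touch(1) via os.utime: create the file if absent, then set the times.
    Neither time given -> plain touch, atime and mtime both become 'now'.
    One time given     -> touch -a or touch -m; the other time is preserved.
    ctime is never a parameter: the kernel stamps it 'now' on every call."""
    if not os.path.exists(path):
        open(path, "a").close()
    if atime_ns is None and mtime_ns is None:
        os.utime(path, None)
        return
    st = os.stat(path)
    os.utime(path, ns=(st.st_atime_ns if atime_ns is None else atime_ns,
                       st.st_mtime_ns if mtime_ns is None else mtime_ns))


def demo(workdir=None):
    """Replay the demo; returns what each step did to the timestamps."""
    if workdir is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(d)
    path = os.path.join(workdir, "myfile")

    touch(path)                        # new file: a, m and c are all 'now'
    created = snapshot(path)
    time.sleep(1.1)                    # make a later second observable

    with open(path, "rb") as fh:       # like 'more myfile'
        fh.read()
    read = snapshot(path)
    time.sleep(1.1)

    with open(path, "a") as fh:        # like 'echo hello >> myfile'
        fh.write("hello\n")
    written = snapshot(path)
    time.sleep(1.1)

    touch(path, atime_ns=BACKDATE_NS)  # like 'touch -a -t 201701310930 myfile'
    backdated = snapshot(path)

    return {
        # {'a'} with strict atime; may be empty under relatime/noatime mounts
        "read_changes": changed(created, read),
        # {'m', 'c'}: appending never updates atime
        "write_changes": changed(read, written),
        "atime_is_backdated": backdated["a"] == BACKDATE_NS,
        "mtime_preserved": backdated["m"] == written["m"],
        # ctime cannot be set from user space; the back-dating itself is what moved it
        "ctime_moved_forward": backdated["c"] > written["c"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value}")
```

The last two results are the defender's point: a back-dated atime or mtime looks convincing on its own, but the ctime the kernel wrote at the moment of tampering is newer than both, which is exactly the kind of inconsistency a mactime timeline makes visible.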

>> Besides timeline analysis, examiners will closely examine files, especially deleted files, log files, and history files; emails; pictures; etc., to find clues. For example, they will identify files and inodes stored in abnormal locations. For instance, /dev should mostly contain character or block special files. Recently created regular files in /dev will receive an investigator's attention. Also, inodes are usually allocated sequentially. If a list of inodes is created at around the same time, the inode numbers should be close to one another; therefore, if you find a utility or a file whose inode number is out of place, you should investigate further.

Forensic examiners will use hash analysis to detect rootkits and any modifications to binary files and configuration files. Systems' binaries and configurations could be replaced or modified by malicious rootkits. Hackers modify these files to try to hide malicious network connections, processes, users, etc. Investigators use hash analysis to compare the current system's binaries' hash values with a known good hash set of binaries to identify changes. A malware hash set that contains known rootkits' and malware's hash values can be used to detect malware and rootkits stored on the system.

Simple commands such as find are used as analysis tools as well. For example, to find hidden files in a directory whose names start with a dot or a space, we use the find command with regular expressions to match these hidden files. To find all world-writable files in a directory, we use the find command with the -exec option. setuid sets a permission that allows the user to run an executable file with the permissions of the file's owner. To find all setuid/setgid files, we use the find command with the setuid and setgid -perm permission. To find binary files that were modified in one day or files that were created in less than 24 hours, we use the find options M time and B minute.

Sometimes forensic examiners encounter files that do not have file structures. For example, the deleted data file after running blkls myImage > unallocated. The unallocated file gathers all raw data from all unallocated blocks without file name and metadata attributes; however, this file may contain .jpeg pictures, .pdf, or other files. We can use data carving tools to try to recover these hidden files. Data carving is done by analyzing the raw data and identifying hidden files such as JPEG and MP3 by looking for headers. For instance, every JPEG file has its own header, a hex value. Some files may contain footers as well, marking the end of the file. Data carving tools rely on the headers and the footers or other variable information such as size to carve out meaningful files. They scan through a raw image, and when the tool finds a new header, it will start to carve data out until it hits a footer, another known header, or the size limit. The recovered file will not have file name information, certainly, but it has an extension according to the header information. There are several free carving tools you can try, such as Foremost, Scalpel, Magic Rescue, PhotoRec, TestDisk, etc. Foremost stores a list of known file types with their corresponding header and footer information in the foremost.conf file. Users can modify this configuration file to add or select what types of files they want to carve out. You will see a demo of using Foremost in the next video.
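The find-based checks and the hash analysis described above, as an added example that is not part of the lecture: a Python scanner that walks a directory tree and collects, in one pass, what the separate find one-liners look for (names beginning with a dot or a space, world-writable files, setuid/setgid files, files modified in the last 24 hours) and compares each file under bin/ against a known-good SHA-256 set, reporting modified, unknown and missing binaries. The sample tree, the "clean" and "trojaned" file contents, the bin/netstat placeholder hash and the 30-day-old timestamps are all constructed for this example; on a real case the tree would be a read-only mounted image and the baseline a hash set from a trusted source.

```python
import hashlib
import os
import stat
import tempfile
import time


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root, baseline, recent_seconds=86400, now=None):
    """Walk root and collect the anomalies the lecture's find(1) commands
    look for, plus a hash comparison.  baseline maps a path relative to
    root to its expected SHA-256; only regular files are examined."""
    now = time.time() if now is None else now
    f = {"hidden": [], "world_writable": [], "setuid_setgid": [], "recent": [],
         "hash_mismatch": [], "not_in_baseline": [], "missing": []}
    seen = set()
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            seen.add(rel)
            if name.startswith((".", " ")):                  # hidden by dot or space
                f["hidden"].append(rel)
            if st.st_mode & stat.S_IWOTH:                     # cf. find -perm -o+w
                f["world_writable"].append(rel)
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):    # cf. find -perm /6000
                f["setuid_setgid"].append(rel)
            if now - st.st_mtime < recent_seconds:            # cf. find -mtime -1
                f["recent"].append(rel)
            if rel in baseline:
                if sha256_of(path) != baseline[rel]:
                    f["hash_mismatch"].append(rel)
            elif rel.startswith("bin" + os.sep):              # a binary with no known-good hash
                f["not_in_baseline"].append(rel)
    f["missing"] = sorted(set(baseline) - seen)
    return {k: sorted(v) for k, v in f.items()}


def build_sample_tree(root):
    """Constructed slice of a file system: hash the clean binaries first,
    then alter the tree the way a rootkit install would.  Returns the
    baseline hash set."""
    for d in ("bin", "dev", "tmp"):
        os.mkdir(os.path.join(root, d))
    old = time.time() - 30 * 86400

    def put(rel, data, mode=0o644, mtime=old):
        path = os.path.join(root, rel)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)
        os.utime(path, (mtime, mtime))

    put("bin/ls", b"#!/bin/sh\necho clean ls\n", 0o755)
    put("bin/ps", b"#!/bin/sh\necho clean ps\n", 0o755)
    baseline = {rel: sha256_of(os.path.join(root, rel)) for rel in ("bin/ls", "bin/ps")}
    baseline["bin/netstat"] = "0" * 64   # placeholder hash for a binary that should exist

    put("bin/ls", b"#!/bin/sh\necho trojaned ls\n", 0o755, mtime=time.time())  # replaced today
    put("bin/backdoor", b"\x7fELF placeholder\n", 0o4755)                     # setuid, unknown
    put("dev/.rk", b"# placeholder config\n", 0o666)                           # hidden, world-writable, regular file in /dev
    put("tmp/ x", b"placeholder\n")                                            # name begins with a space
    return baseline


def run_demo():
    """Build the sample tree in a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        baseline = build_sample_tree(root)
        return scan(root, baseline)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind:16} {paths}")
```

The "recent" and "hash_mismatch" lists both point at bin/ls, which is the cross-check the lecture recommends: a replaced binary shows up in the timeline and in the hash comparison at once, and a hash set of known malware could be matched against the same walk.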

>> In this week's lecture, we talked about the data carving function and the tools. Now in this demo, I want to show you one of the popular tools, and it's free, called Foremost. So before we start to do that, as I said, we can always start with man foremost. OK, then, to see what this function does and what the options are. So as it is described here, Foremost recovers files using their headers, footers and internal data structures. OK. So in this case, even without file system information, without file system metadata information, Foremost will simply look into the data and then try to search for the header. And then once it finds a header it will start to carve out that data until it hits the footer, if the footer's available, or hits another header, another file's header, or if the size limit is hit as well. So those are the pieces of information used by Foremost to carve out data. So for Foremost to work, certainly you need to give it an image. Now that image can be unallocated space data, like [inaudible] kit, collecting all [inaudible] data together, because it has [inaudible] no data structure at all. And it could be a memory dump, because a memory dump does not have a data structure. So you can give it any files. And then where do you know the header and footer information from? This comes from a configuration file, and I will talk about that configuration file shortly. There are other options you might find interesting to use. And -t type means which type, which file type you want to come out. Do you want jpeg or other information to come out? And then there's -- let's move over. We can see what other options I would like you to practice. -T is a good one because every time, after it's done, it dumps out files; it uses a default name. Then you can only use it once, because next time it already exists, right? So if you put the -T there then the file name will be unique, because the file name will follow the [inaudible] timestamp. So you can run Foremost many times with different outputs. So -T I often like to use. OK. So let's quit there and then we come back to practice Foremost.

Now I mentioned that it relies on the footer and the header information, but where does that information reside? It resides in the Foremost configuration file. So now you probably will ask me, so where is the file? And I said, find it. OK? We can use find, and I say look for it starting from the system root, and then the name is foremost.conf. OK? So I just wanted to go through from the system root because [inaudible] to find -- tell me what you can find with the file name foremost.conf for now. And certainly you'll hit lots of error messages. It says permission denied. Permission denied. I don't want to see that noise. So I said, what about those error messages, which are specified by 2, OK? Regular standard output is different, and then this is 2 [inaudible]. If you don't understand, that's fine. Basically, 2 means all error messages are dumped to the black hole. I don't want to see them. Dump all that information to the black hole. Don't show me it, because I'm confident [inaudible] information, by the way, but I'm confident I don't want that to ruin my output. So now what I have seen is a couple of things; one is foremost.conf. OK. That's the one I copied. Actually I copied and pasted it onto the desktop. So this is this version. It finds it, and then there's another one in /etc. So if you haven't done anything, you will find those entries.

OK. Now let's look into why I want to copy a file onto my desktop, because if you look into the permissions for those files, let's see. Let's look into the /usr one. So this is most likely the configuration file we want to use, and copy it and paste it here. So we want to look at the permission information. Oh, this is a link file. So actually this is a soft link. I have already talked about soft links, right? This is a soft link to the [inaudible] Foremost configuration file. Now even though the permission is everyone can write and execute, actually it points to this /etc file. So now let's look into the permissions of that /etc file. [Background sounds] So for this file, we are not [inaudible]. OK. So we only have read permission. That means that foremost.conf, you can modify it. So I create a copy, put it on my desktop, and then save, actually save that file to my desktop, and then I can make a modification.

Now why do I want to modify that? Once again, let's first look into this file. Let's look into this [inaudible] file, the foremost.conf file. [Background sounds] So this is a configuration file. And most of it is the header and footer information. So for example, it's a gif file and the header information, and the jpeg, what the header information is; it's all comments. It's all commented. So it's not [inaudible]. So if you want to use it, you have to uncomment it. If I want jpeg, then I need to uncomment those three lines. All right. So those are the jpeg headers. Those are jpeg headers. Similarly, it includes footers as well. So some were [inaudible], but those are the jpeg headers. OK. So for you to use it, you need to modify the configuration file to remove those, because with this character in front it's a comment. It's commented, and so you have to remove that to be able to work. OK. And then if you look at my file here, I made a copy and then I simply made those header and footer lines effective. So when I run my Foremost, it will only look at those headers and footers. That's all. The other headers and footers are all commented out for efficiency. OK? So that's why I need that.

With my own foremost.conf, let's try Foremost. So let's do foremost -c configuration file; I want to use my own configuration file instead of the /usr or /etc one because my file is currently on the desktop. OK, so I use my own configuration file and then I want to use -T to create the files in a folder with timestamps. OK. So then I have -i image. I want to grab one image, because this image definitely has some pictures there. I know they can come out. All right. So we do it. So now it creates -- now in my configuration file I uncommented the gif file and the jpeg file. Now I don't know about this doc file. Somehow it collected the doc file by default. OK. So it has documents. It has gif files and then it has jpeg files. Now it knows the extensions, that's for sure, because it has a header. Some even have footer information, so it knows, with the header information it knows the file's extension. It certainly does not know file name information because that metadata information cannot be obtained by Foremost. So Foremost only cares about -- only knows the header and footer information. So all the files come out. Some maybe even have a file. Now you didn't see this example here. Some data -- they only come out as half of the image, possibly. And then it's put into that directory.

Now there's another method: if I don't want to use this configuration file, I use -t. Let's move this away. Let's just hide that into the temp so we will not see it anymore. And then in that case, I use Foremost again and I say I'm only interested in the jpeg file type. OK. I'm not providing the Foremost configuration. It knows, OK, use jpeg. Use jpeg, and then again I use -T and then -i, and give this image itself. Let's run that. So because I have a -T, it creates two unique folders because it has a timestamp. Otherwise, it will give you an error message saying, hey, the folder is already created and you don't want to override that. So that's why I use -T. If you look at the second one, OK? It only has jpeg now because I specifically said -t jpeg. Again this doc somehow is carved out. So now you should get ideas, get ideas of how Foremost works based on headers, sometimes even including footers, to carve data out without using any file system information. So this can be very powerful. Right? That's why we mentioned it can be used to look into memory data or unallocated data. Hopefully you can try it, and once again, if you use the SIFT virtual machine then you needn't install anything because it is installed by default. You can try which foremost to find out whether it's there, or, yeah, definitely it's there. So hopefully you enjoy it. OK.
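The carving algorithm that the previous lecture describes (scan for headers; carve until a footer, the next known header, or the size limit) and that this demo runs with Foremost, as one added example that is not part of either lecture and not Foremost's code: a Python carver driven by a small rule table shaped like foremost.conf entries (extension, maximum size, header, optional footer). It runs over a constructed blob of "unallocated" bytes containing a complete JPEG, a GIF, a truncated JPEG with no footer, and a PDF, records why each carve ended, and writes the results out with offset-based names and the extension taken from the header, since, as the demo stresses, no file name survives. The rule table, the blob and the naming scheme are assumptions for this example; headers inside an already carved region are skipped, and the JPEG rule matches any FF D8 FF start rather than the JFIF- and Exif-specific entries a real foremost.conf lists.

```python
import os
import tempfile

# Carving rules modelled on foremost.conf entries: (extension, max_size, header, footer or None).
RULES = [
    ("jpg", 20_000_000, b"\xff\xd8\xff", b"\xff\xd9"),   # JPEG SOI ... EOI
    ("gif", 5_000_000, b"GIF8", b"\x00\x3b"),            # GIF87a/GIF89a ... trailer
    ("pdf", 5_000_000, b"%PDF", b"%%EOF"),
]


def find_headers(data):
    """Every (offset, ext) at which a known header occurs, in file order."""
    hits = []
    for ext, _max, header, _footer in RULES:
        pos = data.find(header)
        while pos != -1:
            hits.append((pos, ext))
            pos = data.find(header, pos + 1)
    hits.sort()
    return hits


def carve(data):
    """Carve files out of raw bytes that have no file system structure.
    A carve ends at the rule's footer if one occurs within max_size,
    otherwise at the next known header, otherwise at the size limit."""
    rule = {r[0]: r for r in RULES}
    hits = find_headers(data)
    carved, skip_until = [], 0
    for i, (start, ext) in enumerate(hits):
        if start < skip_until:
            continue                          # header lies inside the previous carve
        _, max_size, header, footer = rule[ext]
        limit = min(len(data), start + max_size)
        end = reason = None
        if footer:
            fpos = data.find(footer, start + len(header), limit)
            if fpos != -1:
                end, reason = fpos + len(footer), "footer"
        if end is None:
            later = [h for h, _ in hits[i + 1:] if h < limit]
            end = later[0] if later else limit
            reason = "next-header" if later else "size-limit"
        carved.append({"offset": start, "ext": ext, "size": end - start,
                       "ended_by": reason, "data": data[start:end]})
        skip_until = end
    return carved


def write_out(carved, outdir):
    """Name recovered files by byte offset plus header-derived extension."""
    paths = []
    for c in carved:
        path = os.path.join(outdir, f"{c['offset']:08d}.{c['ext']}")
        with open(path, "wb") as fh:
            fh.write(c["data"])
        paths.append(path)
    return paths


def build_sample_blob():
    """Constructed 'unallocated space': filler around four embedded files,
    the third of them truncated so that no footer follows its header."""
    filler = b"\x00" * 64 + b"unallocated block noise " * 3
    jpeg1 = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x01" * 200 + b"\xff\xd9"
    gif = b"GIF89a" + b"\x02" * 100 + b"\x00\x3b"
    jpeg2 = b"\xff\xd8\xff\xe1" + b"\x03" * 150          # no EOI marker
    pdf = b"%PDF-1.4\n" + b"\x04" * 80 + b"\n%%EOF"
    return filler + jpeg1 + filler + gif + filler + jpeg2 + pdf + filler


def run_demo():
    """Carve the sample blob into a scratch directory; return the carve records."""
    carved = carve(build_sample_blob())
    with tempfile.TemporaryDirectory() as outdir:
        for path in write_out(carved, outdir):
            print(os.path.basename(path), os.path.getsize(path), "bytes")
    return carved


if __name__ == "__main__":
    for c in run_demo():
        print(f"offset={c['offset']:>6} {c['ext']} size={c['size']:>5} ended_by={c['ended_by']}")
```

The truncated second JPEG is the case the demo mentions where only part of an image comes out: with no footer, the carve runs until the PDF header and the result is a file with a valid extension but incomplete content.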
>> Finally, let's look at some well-known open source and commercial forensic analysis tools. The Coroner's Toolkit, or TCT, was presented by Dan Farmer and Wietse Venema in 1999. Most of the TCT functions have been replaced by Sleuthkit and Autopsy. The free SANS Investigative Forensic Toolkit, SIFT, includes many cutting-edge open source tools to conduct in-depth incident response and forensic investigations. Digital Forensics Framework, or DFF, is another well-known forensic analysis tool you can try. Bootable live CDs are often used by forensic examiners for drive imaging and forensic analysis. These CDs collect quite a complete list of forensic tools for acquisition, preservation, and analysis. When booting from a CD at the client side, the suspect machine's internal hard disk is not touched. Many commercial digital forensics tools have been developed since 1999. Both Guidance Software's EnCase and AccessData's Forensic Toolkit are among the market's leading commercial products. I will use both EnCase and FTK later. Most of these forensic tools have a user-friendly GUI and are easy to use. They have built-in functionalities for deleted file recovery, keyword search, hash analysis, data carving, graphic view, and an email view, among others. I will show you several forensic tools later. When using those tools, to start you will always create a new case and add evidence items to the case. Then you perform thorough analysis to obtain basic data. Finally, you complete your report with their built-in reporting function. A successful investigation relies on the examiner's knowledge and experience, as well as the tools they use. If you provide the same set of forensic tools to two investigators to solve the same case, you may end up getting two different conclusions. I encourage you to go through an interesting forensic report written by Brian Carrier, the author of the Sleuthkit and Autopsy, investigating the Honeynet Project Scan 29. Please be aware that the report was written in 2003; at that time people had not yet realized the importance of the memory dump in the analysis. This completes our look at Linux/Unix forensic analysis. At this point you should be able to follow the computer forensic procedure to investigate cases involving Linux/Unix systems. In the next video I will show you how to use the Sleuthkit Autopsy, Windows version, to analyze a Linux case study.

>> In a previous video, I showed you how to use Sleuth Kit command lines to analyze
a Linux image.
In this video, I want to show Sleuth Kit's front end, which is called Autopsy.
Now, Autopsy and Sleuth Kit support multiple platforms,
so they have a version for Linux/Unix.
In this demo, I show you a simple version, which is Autopsy for Windows.
I have Autopsy installed on my Windows machine, and I open it up.
Now Sleuth Kit Autopsy cannot only analyze Linux/Unix images;
it also supports Windows file systems, so it can also be used to analyze Windows
cases.
When it opens up, okay, you can choose from create new case, open recent
case,
or open existing case, and since this is a new case, we have to click on create
new case.
After we save that, next time, if you want to continue working on that, you can open
it.
If it's recent, then they support a couple of recent cases, or simply, you can
also say
open existing one, then browse through it and find your case.
So now, in this case, let's say, open a new case.
When we were using the Sleuth Kit command line, we looked at one image, called Linux financial
case.
Let's look at the same image, okay?
So, we're given a name.
We can call it Linux financial case.
We want to give it a meaningful name for the case,
so if an investigator is investigating multiple cases at the same time,
then you know which case we're talking about.
So, in here, it states the default path; it will create it on the desktop in the
Linux financial case.
We just use the default, okay, we use the default setting.
Say next, and the case number.
You can say whatever you like, and the examiner name.
Those are all the case information.
And then, we click finish.
So now, finish means it will create, it will try to create a case now.
So, in a case, certainly, what kind of image you want to analyze: you can choose the
image you created, or you can choose local disk, that's the live disk, or local
files.
And we have already created an image, because we have that Linux financial case data,
001,
which is the case I created using FTK Imager, so I said yes, I want to use that image.
And then you browse through it.
That's on the desktop, so this is the Linux financial case.001.
Let's open.
As I mentioned, you have to first choose the time zone,
so if that case's time zone is New York time, then we will just use New York
time anyway.
We try to match the analysis machine's zone with the image zone.
So here, we just use New York time.
This one says, do you want to ignore orphan files now; we leave it not checked,
okay?
So, next, pretty much, you can leave it as default.
And those other things, when you create a case, Autopsy Sleuth Kit will try
to organize those things for you, so if you checkmark that, that's a yes,
so recent activity, they want to check that.
Hash lookup, if you want hash lookup or not.
So, we leave that as default.
If you click on each of those, okay, you can configure it more.
For example, I look at the keyword search.
Currently, it only checks the email address search, and it did not check the other
searches.
We just leave it as is, at this point.
When you have time to play by yourself, this, Sleuth Kit Autopsy, is free
anyway,
so take your time and go through each one.
So, at this point, I will just leave it as-is, say next, and finish.
Now, we give the image, okay, so now, if you look at the bar here, it is analyzing
files for
the many checkmarks we checked earlier.
So, it is analyzing it.
Right now it is 76% complete, so let's wait a while for it to complete.
So, for those kinds of GUI tools to work, you always create a case, add evidence,
and then wait until the case is created; it's at 100%, so now the case is
created,
we can start to analyze it, okay?
So, if we look here, this is the image itself.
Volume one is unallocated, so this pane on the left side
is like Windows Explorer, a tree structure.
We are familiar with that.
You can expand; if it has a plus, then you can expand that.
On the right-hand side, there's a table view and a thumbnail view, so if I open up something,
for example, I say, this is a folder, it has five files there;
the five means five individual files or subdirectories there.
If you click on that, in the table view, you will see the information.
So, by default, the deleted files, it tries to recover them for you.
The file with a red checkmark is a deleted file, and it also has all the timestamps:
modification
time, change time, access time, and born time,
because for Windows, there's a fourth time stamp.
Then, file size, whether this is unallocated or allocated, and other
information:
the permissions, UID, GID, and all the other information.
And we haven't created hashes yet.
If you checked to create hashes, then the hash will be filled in here.
And, for example, this MD5 hash is created, so the hash is also included there.
So, this table view gives you various types of metadata information, okay?
Now, let's look into some file, possibly, if I have, alright.
So, if we look at this file, called earning., XL file,
this is an allocated file, because there's no X in this case.
Now, if you look at the bottom pane, let me make it larger.
If we look at the bottom pane, it has multiple views.
This is the text view, so this file actually contains that text,
and certainly you can view it as hex or strings.
Now, metadata is interesting.
We used many of the Sleuth Kit tools in that demo to show you all the information, like
the inode,
and then the data block.
How do I get from the inode to the data block information?
And much of this information is listed in metadata here.
So, here is the file name, type, size, whether it is allocated, followed by timestamps
and
MD5.
Okay, hash lookup, if you try to match for some known hashes; currently it is unknown.
And now, interestingly, if we look here, that's the inode.
Hopefully, you still remember that the demo I did for the Sleuth Kit command line
used
46082.
That's the inode, and again, from group six, and all the information.
The inode time.
Now, followed by the data block.
If you still remember, we used that data block as well, okay?
So, this is all the metadata information.
It resides here, so in this view, if you click current, you look at this content,
and then with the content view, and then the metadata view,
all that information resides here.
We did data carving before, so this one here, the tool automatically did carving
for you,
so there's an ext file, and those are all from unallocated space; actually,
honestly,
I even don't know what those files are.
Some look familiar, so if you click on that, I remember,
this is one of the labs I had, maybe leftover on that USB,
and it recovered it from there, so there's a text.
>> Interestingly, it grabbed lots of things which I didn't even realize were there.
It data carved 30 files, 31 files data carved out automatically for you.
Now, the other information, if I just randomly click and then look at a view,
it's based on file type; this image is too simple.
There's no image.
Otherwise, if I have an image, then it will categorize it, put it into the images,
and then if there are videos, then it will put them in the videos,
and audio it will put into the audio files.
Again, there are executables and documents, so there are some of the Office
documents here.
It's all categorized, it makes it all categorized here, including allocated and
unallocated,
deleted, recovered files as well.
So, there is lots of information.
It's organized for you, and when you have time, just go into it one by one to
look.
And the deleted files, certainly, it gathers all the deleted files from this
image
together, and puts them under this category.
Now, looking into the keyword search, remember early on, I told you, I said, yeah,
they only checkmarked the email address keyword search, so it did find lots of
emails.
Yeah, interestingly, lots of emails.
I don't even know; this is most likely from unallocated space, so if you click
on
that, it tells you where it found this email
address, okay?
So, it located many, 93 emails from this image, without my, this, was actually,
I didn't even know that those emails were there, since they're from unallocated space.
And again, if you look here, keyword search, if you look here, those are the
default
ones.
You can check whether you want to do it.
So, if you look at phone number, this is the regular expression
to match for the phone number.
This is the IP address regular expression, title matching, and then here,
this is the regular expression for email addresses and URLs.
So, those are the ones that are built in; if you want to check, say,
previously I only checked email address.
Now, I want to search IP address.
Then it even tells you files indexed; it automatically indexed 66 files,
and then you can search through it.
If you search, then you can find.
Okay.
In all, if I don't want to do anything, okay.
So, if you say, "I want to do something beyond that," then I can do keyword
search;
then you can either search for an exact match, just match for strings,
or a regular expression match, then you can match for patterns.
And you can do a substring match; you can search through these emails.
So, keyword search, almost every modern forensic analysis tool supports that.
Besides that, you can do hash sets, a hash set check, and then,
if you did a hash match, there will be hash hits.
Now, the other thing I did not see is the thumbnail.
A thumbnail is for images, but since we don't have images in this Linux image,
there's nothing there.
Later, in later tools, I will show you the thumbnail.
Alright, and then they also have generate report,
so I just gave you a very brief basic view to look into how to analyze using Sleuth
Kit
and Autopsy, and later on, you will see most forensic analysis tools follow pretty
much
similar patterns.
On the left hand is the tree structure, and then on the right hand, certainly,
there's a table view or graphic view, and then if you click on each file,
there's a content view on the bottom.
It is very similar.
And then they also support other features, like keyword search, hash analysis,
and
much more.
Now, report, generate report, most tools also support that.
We will cover that later.
So, I think this is enough for you.
If you have your own USB image created, or any image, yeah,
just dump it into it, and create a case.
You will find surprising information in that, in your image.
It's fun.
I hope you feel it's fun, too.
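The keyword-search idea behind the email and IP address hits in the demo, as an added example (my own code, not Autopsy's): regular expressions are run over the raw bytes of an image, so text sitting in unallocated space is found just like text inside an allocated file, and each hit is reported with its byte offset so it can be mapped back to where it lives. The patterns are simplified, not Autopsy's built-in ones, and the image and region table are constructed inline.

```python
import re

# Simplified search patterns (added example; these are not Autopsy's own
# built-in regular expressions).  Bytes patterns are used because a disk image
# is raw bytes, not decoded text.
PATTERNS = {
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def keyword_search(image: bytes, kinds=("email", "ipv4")):
    """Return [(kind, byte offset, matched text)] for every hit in the image."""
    hits = []
    for kind in kinds:
        for m in PATTERNS[kind].finditer(image):
            hits.append((kind, m.start(), m.group().decode("ascii", "replace")))
    return sorted(hits, key=lambda h: h[1])


def locate(offset: int, regions):
    """Map a byte offset to a region name, e.g. a file name or 'unallocated'."""
    for start, end, name in regions:
        if start <= offset < end:
            return name
    return "unknown"


def build_sample():
    """Constructed image: one allocated text file followed by unallocated space
    that still holds the remains of a deleted note."""
    file_part = b"To: alice@example.com\nFrom: bob@example.org\n"
    free_part = (b"\x00" * 20
                 + b"deleted note: server at 192.168.1.10 carol@example.net"
                 + b"\x00" * 20)
    regions = [(0, len(file_part), "notes.txt"),
               (len(file_part), len(file_part) + len(free_part), "unallocated")]
    return file_part + free_part, regions


if __name__ == "__main__":
    img, regions = build_sample()
    for kind, off, text in keyword_search(img):
        print(f"{kind:5s} offset={off:4d} in {locate(off, regions):11s} {text}")
```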