Computer Forensics Lab 1 INFORMATION TECHNOLOGY DEPARTMENT LEBANESE FRENCH UNIVERSITY (LFU) COURSE CODE: IT402CF

What is Autopsy
o Autopsy has case management features and supports various types of file analysis, searching, and sorting of allocated, unallocated, and hidden files. Autopsy can also compute hashes at the file and directory level to maintain evidence integrity.
o Autopsy "is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card."

Adding a Data Source
o The next step is to add an input data source to the case. The Add Data Source Wizard starts automatically after the case is created, or you can start it manually from the "File" menu or the toolbar. You will need to choose the type of input data source to add (image, local disk, or logical files and folders) and then supply the location of the source.
o For a disk image, browse to the first file in the set (Autopsy will find the rest of the files). Autopsy currently supports E01 and raw (dd) files.
o For a local disk, select one of the detected disks. Autopsy adds the current view of the disk to the case (i.e. a snapshot of the meta-data). However, the individual file content (not the meta-data) does get updated with changes made to the disk. Note that you may need to run Autopsy as an Administrator to detect all disks.
o For logical files (a single file or a folder of files), use the "Add" button to add one or more files or folders on your system to the case. Folders are added to the case recursively.

Ingest Modules
o Recent Activity Module extracts user activity as saved by web browsers and the OS. It also runs RegRipper on the registry hives.
o Hash Database Lookup Module uses hash databases to ignore known files from the NIST NSRL and to flag known bad files. Use the "Advanced" button to add and configure the hash databases to use during this process. You will get updates on known bad file hits as the ingest occurs. You can later add hash databases via the Tools -> Options menu in the main UI. You can download an index of the NIST NSRL from
o File Type Identification Module determines file types based on signatures and reports them by MIME type. It stores the results in the Blackboard, and many other modules depend on this. It uses the Tika open source library. You can define your own custom file types in Tools, Options, File Types.
o Embedded File Extraction Module opens ZIP, RAR, other archive formats, Doc, Docx, PPT, PPTX, XLS, and XLSX files and sends the files derived from them back through the ingest pipeline for analysis.
o EXIF Parser Module extracts EXIF information from JPEG files and posts the results into the tree in the main UI.

o Keyword Search Module uses keyword lists to identify files with specific words in them. You can select the keyword lists to search for automatically, and you can create new lists using the "Advanced" button. Note that with keyword search you can always conduct searches after ingest has finished. The keyword lists that you select during ingest are searched for at periodic intervals and you get the results in real time. You do not need to wait for all files to be indexed before performing a keyword search; however, you will only get results from files that have already been indexed at the time of your search.
o Email Parser Module identifies Thunderbird MBOX files and PST format files based on file signatures, extracts the e-mails from them, and adds the results to the Blackboard.
o Extension Mismatch Detector Module uses the results from the File Type Identification Module and flags files that have an extension not traditionally associated with the file's detected type. It ignores 'known' (NSRL) files. You can customize the MIME types and the file extensions per MIME type in Tools, Options, File Extension Mismatch.
o E01 Verifier Module computes a checksum on E01 files and compares it with the E01 file's internal checksum to ensure they match.
o Android Analyzer Module allows you to parse common items from Android devices. It places artifacts into the Blackboard.
o Interesting Files Identifier Module searches for files and directories based on user-specified rules in Tools, Options, Interesting Files. It works as a "File Alerting Module": it generates messages in the inbox when the specified files are found.
o PhotoRec Carver Module carves files from unallocated space and sends them through the file processing chain.

Ingest Modules cont.
o When you select a module, you have the option to change its settings. For example, you can configure which keyword search lists to use during ingest and which hash databases to use. Refer to the individual module help for details on configuring each module.
o While ingest modules are running in the background, you will see a progress bar in the lower right. You can use the GUI to review incoming results and perform other tasks while ingest is running.

Image Test 1
o Brian Carrier created the test cases and the test image.
o This test image is an NTFS file system with 10 JPEG pictures in it. The pictures include files with incorrect extensions, pictures embedded in zip and Word files, and alternate data streams. The goal of this test image is to test the capabilities of automated tools that search for JPEG images.
o This test image is a 'raw' partition image (i.e. 'dd') of an NTFS file system. The file system is 10 MB and is compressed to 2 MB. The MD5 of the image is 9bdb9c76b80e90d155806a1fc7846db5. This image is released under the GPL, so anyone can use it.

Num | Name | MD5 | Note
1 | alloc\file1.jpg | 75b8d a36c3809b46fc84ba6d | A JPEG file with a JPEG extension.
2 | alloc\file2.dat | de5d f4e5c924eba | A JPEG file with a non-JPEG extension.
3 | invalid\file3.jpg | 1ba4e91591f0541eda255ee26f7533bc | A random file with a JPEG extension.
4 | invalid\file4.jpg | c8de e bdad3711 | A random file with 0xffd8 as the first two bytes (the JPEG header signature). There is no JPEG footer or other header data.
5 | invalid\file5.rtf | 86f14fc525648c39d878829f288c0543 | A random file with the 0xffd8 signature value in several locations inside of the file.
6 | del1\file6.jpg - MFT Entry #32 | afd a4e22f7f5a3a | A deleted JPEG file with a JPEG extension.
7 | del2\file7.hmm - MFT Entry #31 | 0c452c5800fcfa7c66027ae89c4f068a | A deleted JPEG file with a non-JPEG extension.
8 | archive\file8.zip | d41b56e0a9f84eb2825e73c24cedd963 | A ZIP file with a ZIP extension and a JPEG picture named file8.jpg inside of it.
  | file8.jpg | f a89156ef6967b49eced9d1b1 | A JPEG file that is inside of a ZIP file with a ZIP extension.
9 | archive\file9.boo | 73c aee9416a5aeb98a5c55321 | A ZIP file with a non-ZIP extension and a JPEG picture named file9.jpg inside of it.
  | file9.jpg | c5a c77d20f30ecb39d389eb7d | A JPEG file that is inside of a ZIP file with a non-ZIP extension.
10 | archive\file10.tar.gz | d4f8cf643141f0c2911c539750e18ef2 | A gzipped tar file that contains a JPEG picture named file10.jpg.
   | file10.jpg | c476a66ccdc2796b4f6f8e27273dd788 | A JPEG file that is inside of a gzipped tar file.
11 | misc\file11.dat | f407ab92da959c7ab03292cfe596a99d | A file with 1572 bytes of random data and then a JPEG picture. This was created using the '+' option in the Windows copy.exe tool.
12 | misc\file12.doc | 61c0b55639e52d1ce82aba834ada2bab | A Word document with the JPEG picture inside of it.
13 | misc\file13.dll:here | 9b787e63e3b c5aecaab1e1f8 | A JPEG file in an ADS.

Tests 8, 9, 10, 11, and 12 may not be included in the expected behavior of an application. The documentation of the tool should identify whether embedded pictures will be found.

1. Did the search results include the alloc\file1.jpg picture?
2. Did the search results include the alloc\file2.dat picture? If not, then is it documented that JPEGs are found using only the extension?
3. Did the search results include the invalid\file3.jpg file?
4. Did the search results include the invalid\file4.jpg file?
5. Did the search results include the invalid\file5.rtf file?
6. Did the search results include the deleted picture in MFT entry #32 (del1/file6.jpg)? If not, then is it documented that only allocated JPEGs will be found?
7. Did the search results include the deleted picture in MFT entry #31 (del2/file7.hmm)? If this file was not found, but the file in step #7 was found, then is it documented that only JPEGs with a proper extension will be found?
8. Did the search results include the picture inside of archive\file8.zip? If not, then is it documented that JPEG files will be found and that JPEG images that are embedded inside other file types will not?
9. Did the search results include the picture inside of archive\file9.boo? If not, then is it documented that JPEG files will be found and that JPEG images that are embedded inside other file types will not?
10. Did the search results include the picture inside of archive\file10.tar.gz? If not, then is it documented that JPEG files will be found and that JPEG images that are embedded inside other file types will not?
11. Did the search results include the misc\file11.dat file? If not, then is it documented that JPEG files will be found and that JPEG images that are embedded inside other file types will not?
12. Did the search results include the misc\file12.doc file? If not, then is it documented that JPEG files will be found and that JPEG images that are embedded inside other file types will not?
13. Did the search results include the misc\file13.dll:here picture? If not, then is it documented that pictures in alternate data streams will not be found?