Automated Forensics with the Sleuth Kit Framework Eamonn Saunders Principal Software Engineer, Digital Forensics Basis Technology Basis Technology – Open Source Digital Forensics Conference 2012 1 What is the framework?
• Infrastructure distributed with The Sleuth Kit • Supports development of Tools Modules pluggable modules • Benefits Sleuth Kit Framework – End to end solution – Automation Sleuth Kit Core – Simplifies module and tool development
Basis Technology – Open Source Digital Forensics Conference 2012 2 Framework Phases
Basis Technology – Open Source Digital Forensics Conference 2012 3 Framework Concept: Blackboard
• Blackboard – Supports inter-module communication – Stores results generically – Modules can post their own results – Modules can read previously posted results – e.g. Hash calculation, lookup
Basis Technology – Open Source Digital Forensics Conference 2012 4 Blackboard Artifacts and Attributes
Basis Technology – Open Source Digital Forensics Conference 2012 5 Blackboard Bookmarks Example
Basis Technology – Open Source Digital Forensics Conference 2012 6 Available Modules
Module Name Example Use Case(s) Hash Calcula�on/Hash Lookup Find all known (e.g. NSRL) or notable files. Entropy Find poten�ally encrypted files. File Type Iden�fica�on Find files of a par�cular type or iden�fy files whose extension does not match type. Exif Extrac�on Iden�fy loca�on, device make/model, author informa�on for JPEG images. Zip Extrac�on Circumvent a�empts to hide data in zip files. Interes�ng Files Find Skype database files (main.db, *.dbb) or all mul�media content (*.mpg/wmv/avi etc.) SaveInteres�ngFiles Extract all mul�media content for further analysis. RegRipper Analyze system registry files. SummaryReport Present results of analysis modules.
Basis Technology – Open Source Digital Forensics Conference 2012 7 Using the framework
• Framework is a foundation • Incorporate framework into other tools • tsk_analyzeimg – Sample implementation for testing – Extracts files from disk image into SQLite – Runs file analysis and post processing pipelines tsk_analyzeimg.exe C:\Images\testimage.E01
Basis Technology – Open Source Digital Forensics Conference 2012 8 Using the framework (contd.)
• Configure modules in pipeline_config.xml
Basis Technology – Open Source Digital Forensics Conference 2012 9 What does a module look like?
• TskModule::Status ini�alize(const char * args) – Called when the framework loads the module • TskModule::Status run(TskFile * pFile) – Called by file analysis pipeline for each file • TskModule::Status report() – Called by post processing pipeline • TskModule::Status finalize() – Called when the framework unloads the module h�p://www.sleuthkit.org/sleuthkit/docs/framework-docs/ index.html
Basis Technology – Open Source Digital Forensics Conference 2012 10 What’s next?
• We will continue to support TSK framework • Call for developer participation – https://github.com/sleuthkit/sleuthkit/issues – Add new modules to Wiki page • http://wiki.sleuthkit.org/index.php? title=TSK_Framework_3rd_Party_Modules – More platforms: (Linux, Mac) – … • Ideas and contributions are always welcome.
Basis Technology – Open Source Digital Forensics Conference 2012 11 Thank you!
For more information: Visit www.basistech.com Write to [email protected] Call 617-386-2090 or 800-697-2062
Basis Technology – Open Source Digital Forensics Conference 2012 12