Digital Forensics: a Demonstration of the Effectiveness of the Sleuth Kit and Autopsy Forensic Browser

Anthony Dowling

A thesis submitted for the degree of Master of Science (Information Science) at the University of Otago, Dunedin, New Zealand

Date: May 14, 2006

Abstract

The Sleuth Kit is a collection of Linux tools that perform different aspects of a file system analysis. The Autopsy Forensic Browser is a graphical user interface that provides a user-friendly interface to the command line tools contained within The Sleuth Kit. This research project investigates the use of The Sleuth Kit and Autopsy Forensic Browser as forensic investigation tools, with the aim of demonstrating the effectiveness of these tools in real world case studies as digital forensic tools.

The research found that The Sleuth Kit and Autopsy Forensic Browser provide an effective file system analysis toolset. The flexibility of the tools contained within The Sleuth Kit often leads to complex command line strings, the complexity of which is overcome by the automation provided by the Autopsy Forensic Browser. Not only do The Sleuth Kit and Autopsy Forensic Browser provide an effective toolset, they also offer an affordable alternative to expensive commercial or proprietary based toolsets.

Digital Forensics is an area of increasing importance with an expanding field of coverage requiring many different tools to help perform varying functions. It is with this in mind that the focus of this research project is three case studies that are utilised to demonstrate the effectiveness of The Sleuth Kit and Autopsy Forensic Browser. The demonstration of The Sleuth Kit and Autopsy Forensic Browser contained within the case studies could serve as an introductory overview of a new toolset for investigators looking for an alternative or complementary Digital Forensics toolset.

Preface

The author would like to thank the following persons and institutions for the help and support they have given prior to and during the writing of this thesis.

• Kevin and Yvonne Dowling, for proofreading the thesis and giving helpful advice.
• David Welch and Scott Williamson, for providing ideas and direction when trouble arose with the thesis process.
• Brian Carrier, author of The Sleuth Kit and Autopsy Forensic Browser, who was quick to respond to all queries regarding the toolset.
• All the contributors to The Sleuth Kit Developer and User forums, who were always quick to provide feedback and answers to any questions.

Table of Contents

Abstract
Preface
Table of Contents
List of Tables
List of Figures
Chapter 1 Introduction
  1.1 Research Objective
  1.2 Structure of Thesis
Chapter 2 Digital Forensics: An Overview
  2.1 Digital Forensics Defined
  2.2 Uses for Digital Forensics
  2.3 Examples of Digital Forensics in Action
    2.3.1.1 Dr Colin Bouwer Case
    2.3.1.2 Paedophile Case
    2.3.1.3 Operation Troy Case
  2.4 Summary
Chapter 3 Volatility of Information
  3.1 Order of Volatility
    3.1.1 Registers
    3.1.2 Main Memory
    3.1.3 Network State
    3.1.4 Running Processes
    3.1.5 Hard Disk
    3.1.6 Removable Media
    3.1.7 Paper Printouts
  3.2 Persistence of Data
    3.2.1 Positive aspects for recovery of deleted information
    3.2.2 Negative aspects for recovery of deleted information
    3.2.3 Influential factors on longevity of deleted information
  3.3 Problems involved with collection and examination of evidence
    3.3.1 Problems involved with collection and examination of volatile information
    3.3.2 General Problems involved with collection and examination of evidence
  3.4 Live versus Dead Analysis
  3.5 Summary
Chapter 4 Hard Disk based Information
  4.1 Introduction
    4.1.1 Data Organisation
  4.2 Volume Analysis
    4.2.1 General Theory of Partitions
    4.2.2 Usage of Volumes in UNIX and Microsoft Windows
    4.2.3 Sector Addressing
    4.2.4 Analysis Basics
      4.2.4.1 Analysis Techniques
      4.2.4.2 Consistency Checks
      4.2.4.3 Extracting the Partition Contents
      4.2.4.4 Recovering Deleted Partitions
  4.3 DOS Partitions
    4.3.1 General Overview
      4.3.1.1 Basic MBR Concepts
      4.3.1.2 Extended Partition Concepts
      4.3.1.3 Putting the concepts together
      4.3.1.4 Boot Code
    4.3.2 Data Structures
      4.3.2.1 MBR Data Structure
      4.3.2.2 Extended Partition Data Structures
    4.3.3 Analysis Considerations
  4.4 File System Analysis
    4.4.1 Important Issues
      4.4.1.1 Clusters
      4.4.1.2 Encrypted Files
      4.4.1.3 Allocation Strategies
      4.4.1.4 Wiping Techniques
      4.4.1.5 Slack Space