Digital Forensics: A Demonstration of the Effectiveness of The Sleuth Kit and Autopsy Forensic Browser Anthony Dowling A thesis submitted for the degree of Master of Science (Information Science) at the University of Otago, Dunedin, New Zealand Date: May 14, 2006 ii Abstract The Sleuth Kit is a collection of Linux tools that perform different aspects of a file system analysis. The Autopsy Forensic Browser is a graphical user interface that provides a user friendly interface to the command line tools contained within The Sleuth Kit. This research project investigates the use of The Sleuth Kit and Autopsy Forensic Browser as forensic investigation tools, with the aim of demonstrating the effectiveness of these tools in real world case studies as digital forensic tools. The research found that The Sleuth Kit and Autopsy Forensic Browser provide an effective file system analysis toolset. The flexibility of the tools contained within The Sleuth Kit often lead to complex command line strings, the complexity of which is overcome by the automation provided by the Autopsy Forensic Browser. Not only do The Sleuth Kit and Autopsy Forensic browser provide an effective toolset, they also offer an affordable alternative to expensive commercial or proprietary based toolsets. Digital Forensics is an area of increasing importance with an expanding field of coverage requiring many different tools to help perform varying functions. It is with this in mind that the focus of this research project is three case studies that are utilised to demonstrate the effectiveness of The Sleuth Kit and Autopsy Forensic Browser. The demonstration of The Sleuth Kit and Autopsy Forensic Browser contained within the case studies could serve as an introductory overview of a new toolset for investigators looking for an alternative or complementary Digital Forensics toolset. iii iv Preface The author would like to thank the following persons and institutions for the help and support they have given prior and during the writing of this thesis. • Kevin and Yvonne Dowling, for proof reading the thesis and giving helpful advice. • David Welch and Scott Williamson, for providing ideas and direction when trouble arose with the thesis process. • Brian Carrier, author of The Sleuth Kit and Autopsy Forensic Browser, whom was quick to respond to all queries regarding the toolset. • All the contributors to The Sleuth Kit Developer and User forums, whom were always quick to provide feedback and answers to any questions. v vi Table of Contents Abstract....................................................................................................................... iii Preface...........................................................................................................................v Table of Contents .......................................................................................................vii List of Tables ..............................................................................................................xv List of Figures............................................................................................................xxi Chapter 1 Introduction................................................................................................1 1.1 Research Objective ..............................................................................................3 1.2 Structure of Thesis ...............................................................................................4 Chapter 2 Digital Forensics: An Overview................................................................7 2.1 Digital Forensics Defined ....................................................................................7 2.2 Uses for Digital Forensics....................................................................................9 2.3 Examples of Digital Forensics in Action...........................................................11 2.3.1.1 Dr Colin Bouwer Case.........................................................................11 2.3.1.2 Paedophile Case...................................................................................11 2.3.1.3 Operation Troy Case............................................................................12 2.4 Summary............................................................................................................13 Chapter 3 Volatility of Information .........................................................................15 3.1 Order of Volatility..............................................................................................16 3.1.1 Registers......................................................................................................16 3.1.2 Main Memory .............................................................................................16 3.1.3 Network State..............................................................................................17 3.1.4 Running Processes ......................................................................................18 3.1.5 Hard Disk....................................................................................................18 vii 3.1.6 Removable Media .......................................................................................19 3.1.7 Paper Printouts............................................................................................19 3.2 Persistence of Data.............................................................................................20 3.2.1 Positive aspects for recovery of deleted information..................................21 3.2.2 Negative aspects for recovery of deleted information ................................22 3.2.3 Influential factors on longevity of deleted information ..............................22 3.3 Problems involved with collection and examination of evidence .....................24 3.3.1 Problems involved with collection and examination of volatile information ..............................................................................................................................24 3.3.2 General Problems involved with collection and examination of evidence.26 3.4 Live versus Dead Analysis.................................................................................28 3.5 Summary............................................................................................................30 Chapter 4 Hard Disk based Information.................................................................33 4.1 Introduction........................................................................................................33 4.1.1 Data Organisation .......................................................................................33 4.2 Volume Analysis................................................................................................36 4.2.1 General Theory of Partitions.......................................................................36 4.2.2 Usage of Volumes in UNIX and Microsoft Windows................................37 4.2.3 Sector Addressing .......................................................................................38 4.2.4 Analysis Basics ...........................................................................................39 4.2.4.1 Analysis Techniques ............................................................................39 4.2.4.2 Consistency Checks .............................................................................39 4.2.4.3 Extracting the Partition Contents.........................................................40 4.2.4.4 Recovering Deleted Partitions .............................................................41 4.3 DOS Partitions ...................................................................................................42 4.3.1 General Overview .......................................................................................42 4.3.1.1 Basic MBR Concepts...........................................................................42 4.3.1.2 Extended Partition Concepts................................................................44 4.3.1.3 Putting the concepts together...............................................................46 4.3.1.4 Boot Code ............................................................................................48 4.3.2 Data Structures............................................................................................48 4.3.2.1 MBR Data Structure ............................................................................48 4.3.2.2 Extended Partition Data Structures......................................................50 viii 4.3.3 Analysis Considerations..............................................................................51 4.4 File System Analysis..........................................................................................52 4.4.1 Important Issues..........................................................................................52 4.4.1.1 Clusters ................................................................................................52 4.4.1.2 Encrypted Files ....................................................................................52 4.4.1.3 Allocation Strategies............................................................................53 4.4.1.4 Wiping Techniques ..............................................................................54 4.4.1.5 Slack Space ..........................................................................................55
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages354 Page
-
File Size-