Analyzing an Image using MAC Systems Sleuth kit version 3.2.0 & Autopsy 2.
24
Page 325 from Guide to Computer Forensics and Investigations 4th edition
�MAC Forensic Tools
Sleuth Kit base program for Unix investigations. Uses a command-line interface. Autopsy Graphical User Interface (GUI) that sits on top of Sleuth Kit commandline interface. Allows access to Sleuth Kit functions via a GUI.
�Boot your MAC
Select number 2 on your KVM Switch Press the power button on the MAC Login in to the student account Password: $tudent1
�Starting Autopsy
At Terminal change the working directory by typing cd /autopsy-2.24/ without the quotes Now type sudo ./autopsy and enter the Student password Be sure to add spaces after cd and sudo Right-click on [Link] and select Open URL
�Autopsy Forensic Browser
Click on New Case
�Creating a new case
Enter the following information:
Case name: GCFI-CH8 Description: Superior Bicycle Investigation Investigator Names: a. Your Name Click New Case
�Creating a New Case
Click Add Host
�Creating a New Case
Enter the following information: Host Name: sb10 Description: Drive Image Time zone: EST Timeskew: 0 Click Add Host
�Creating a New Case
click Add Image
�Adding an Image
click Add Image File
�Adding a New Image
CaSe SeNsItIvE Location: /Forensics/CH8/ LX/GCFI* (entries are case sensitive) Type: Partiton
Import Method: Copy
click Next
�Adding a New Image
Make sure the image files are in the correct order
Click next
�Calculating Hash Values
Click the Calculate the hash value for this image Click Add This will take a few minutesso dont keep clicking the Add button
�Adding a New Image
Notice the blue bar in the URL, this means it is calculating the hash value Verify your hash value matches the value in the slide
After MD5 is calculated, click ok
�Analyzing the Image
Click Analyze
�Keyword Search
Click on Keyword search
�Keywords
Note the Magnifying glass under key word search. This is where you currently are Type martha in the search box Click Search You will not see a status so be patient and dont mash buttons
�Keyword Search
If case sensitive was selected typing Martha or martha would give you different results This search takes about 6 minutes Click link to results
�Viewing Keyword Search
Look for Fragment 236019, click on ASCII
Review other fragments using the ASCII & Hex links next to each fragment
�Viewing Keyword Search
Contents of a fragment can be exported for reports via clicking Export contents Notes about each fragment can be taken by clicking the Add Note
�Viewing Keyword Search
We now want to return to the Select a volume to analyze time lines Click Close to navigate back
�Timelines
Click File Activity Time Lines button
�Creating a Data File
Click Create Data File
�Creating a Data File
Select /1/ GCFILX.001-0-0
Type in GCFI-LXbody for the name of output file
Click OK This will take about 30 seconds to complete
�Creating a Data File
Click OK again
�Creating a Timeline
Select GCFI-LXbody
For starting date click specify and select Dec 1, 2006
For ending date click specify and select Jan 23, 2007 Click OK
�Creating a Timeline
The timeline will also take about 30 seconds to generate When the timeline is complete click OK
�Viewing a Timeline
Use the navigation buttons under the menus to select the dates to view You can also navigate to the text file by opening CIS POD, Forensics, EvLocker, GCFICH8, sb10, output and selecting [Link]
�Closing Sleuth Kit
Click the red x in the upper left corner of the browser Click inside the Terminal window and use ctrl -c to exit the process
You can then click the red x in the upper left corner to close Terminal
