Autopsy - Digital Forensic Analysis 1 PDF
Document Details
Uploaded by PrincipledCypress
Polytechnic of Leiria
2023
MCIF
Miguel Frade and Baltazar Rodrigues
Tags
Related
- Certified Cybersecurity Technician Computer Forensics PDF
- Fundamentals of Digital Forensics - Theory, Methods, and Applications PDF
- The Basics of Digital Forensics PDF
- King Fahd University of Petroleum & Minerals SEC524 Computer and Network Forensics Lectures 11 and 12 PDF
- Principles of Digital Forensics PDF
- Guide to Computer Forensics and Investigations 6th Edition PDF
Summary
This document is a past paper / course notes on Autopsy software for digital forensics from the Polytechnic Institute of Leiria. Notes are from school year 2023 – 2024.
Full Transcript
Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography MCIF – Digital Forensic Analysis 1 Autopsy...
Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography MCIF – Digital Forensic Analysis 1 Autopsy Miguel Frade and Baltazar Rodrigues Polytechnic Institute of Leiria School year 2023–2024 Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography 1 Introduction 5 Timelines Autopsy Views 2 Tips 6 Report 3 Data Processing Generation Ingest Modules Structured Threat Information Exchange 4 Content analysis 7 Evidences Manual content analysis Exporting Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 1 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography This topic 1 Introduction 5 Timelines Autopsy Views 2 Tips 6 Report 3 Data Processing Generation Ingest Modules Structured Threat Information Exchange 4 Content analysis 7 Evidences Manual content analysis Exporting Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 2 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Introductory Concepts url: http://www.sleuthkit.org/autopsy/ Autopsy is a graphical tool aimed at the digital investigation of images of storage media Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 3 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Introductory Concepts url: http://www.sleuthkit.org/autopsy/ Autopsy is a graphical tool aimed at the digital investigation of images of storage media It is developed in Java, mainly for Windows Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 3 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Introductory Concepts url: http://www.sleuthkit.org/autopsy/ Autopsy is a graphical tool aimed at the digital investigation of images of storage media It is developed in Java, mainly for Windows It is expandable (supports modules developed in Python for Java) Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 3 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Introductory Concepts url: http://www.sleuthkit.org/autopsy/ Autopsy is a graphical tool aimed at the digital investigation of images of storage media It is developed in Java, mainly for Windows It is expandable (supports modules developed in Python for Java) It has limited support for Android Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 3 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Autopsy Workflow Create Add a a Case Data Source Analyze with Ingest Modules Manual Report Analysis Generation Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 4 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Create a Case 1 Create a Case Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 5 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Create a Case 1 Create a Case Case information Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 5 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Create a Case 1 Create a Case Case information Case number, examiner Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 5 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Create a Case 1 Create a Case Case information Case number, examiner 2 Add a data source Raw (dd) or EnCase (E01) image Drives, files or local folders Virtual machine drives (vmdk, vhd) Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 5 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Create a Case 1 Create a Case Case information Case number, examiner 2 Add a data source Raw (dd) or EnCase (E01) image Drives, files or local folders Virtual machine drives (vmdk, vhd) 3 Time zone use Windows registry info: Name of standard time: Central Standard Time Standard time Bias: 360 min. from UTC Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 5 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography This topic 1 Introduction 5 Timelines Autopsy Views 2 Tips 6 Report 3 Data Processing Generation Ingest Modules Structured Threat Information Exchange 4 Content analysis 7 Evidences Manual content analysis Exporting Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 6 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Tips: make Autopsy run faster run it under Linux there are no anti-virus eating CPU each time a file is analyzed less processes running at the same time, so more CPU time for Autopsy however, some tools, such as optical character recognition (OCR), will not work on Linux Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 7 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Tips: make Autopsy run faster run it under Linux there are no anti-virus eating CPU each time a file is analyzed less processes running at the same time, so more CPU time for Autopsy however, some tools, such as optical character recognition (OCR), will not work on Linux give more memory to the Autopsy JVM on Windows OS you can change this value through the GUI of Autopsy from 4 GB to 8 GB should be enough for most situations the more CPU cores, the more RAM is needed Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 7 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Tips: make Autopsy run faster run it under Linux there are no anti-virus eating CPU each time a file is analyzed less processes running at the same time, so more CPU time for Autopsy however, some tools, such as optical character recognition (OCR), will not work on Linux give more memory to the Autopsy JVM on Windows OS you can change this value through the GUI of Autopsy from 4 GB to 8 GB should be enough for most situations the more CPU cores, the more RAM is needed give more memory to Solr (the indexing service that enables the search features) from 1 GB to 2 GB never give more than 2 GB for this JVM Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 7 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Tips: Autopsy install instructions on Ubuntu 1 Download snap package from github: https://github.com/sleuthkit/autopsy/releases 2 Install: sudo snap install --dangerous autopsy.snap snap connections autopsy | sed -nE 's/^[^ ]* *([^ ]*) *- *- *$/\1/p' | xargs -I{} sudo snap connect {} 3 run the first time: snap run autopsy --nosplash Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 8 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography This topic 1 Introduction 5 Timelines Autopsy Views 2 Tips 6 Report 3 Data Processing Generation Ingest Modules Structured Threat Information Exchange 4 Content analysis 7 Evidences Manual content analysis Exporting Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 9 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Automated Processing – With ingest modules Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 10 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Automated Processing Multi-core support Autopsy supports multi-thread execution of file ingest Aims to reduce the processing time Requires setting of the number of threads to use Tools → Options → Ingest → Settings Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 11 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Case 1: Hacking Computer Forensic Reference Data Sets (CFReDS) - NIST Lost PC On 20-09-2004 a computer was found abandoned and it is suspected that this computer was used for hacking purposes. The suspect, Greg Schardt, uses the nickname “Mr. Evil” and some of his associates have said that he would park his vehicle within range of Wireless Access Points where he would then intercept Internet traffic, attempting to get credit card numbers, usernames & passwords. Download the PC drive images from link available on Moodle Create a new case in Autopsy Start automated processing Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 12 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Module: Recent Activity Extracts information from the last 7 days Internet usage (including searches) Installed programs Connected devices (USB) Processes the Registry hive The information is displayed in Results → Extracted Content Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 13 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Module: Hash Lookup Computes hash values of all found files and compares them with an existing database of MD5 hashs Known bad hashsets Files that must be validated Known good hashsets Files that can be ignored Known hashsets Files that can be good or bad (depending on the context) Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 14 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Module: Hash Lookup – Hash sets Mainly available only for police forces (i.e. hash sets of child pornography pictures) List of hash can be good, bad or just known Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 15 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Module: Hash Lookup – Hash sets Mainly available only for police forces (i.e. hash sets of child pornography pictures) List of hash can be good, bad or just known National Software Reference Library (NSRL) from NIST URL: http://www.nsrl.nist.gov/ URL: http://sourceforge.net/projects/autopsy/files/NSRL/ Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 15 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Module: Hash Lookup – Hash sets Mainly available only for police forces (i.e. hash sets of child pornography pictures) List of hash can be good, bad or just known National Software Reference Library (NSRL) from NIST URL: http://www.nsrl.nist.gov/ URL: http://sourceforge.net/projects/autopsy/files/NSRL/ VirusShare URL: https://virusshare.com/hashes.4n6 (Short version available on MEGA shared folder) Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 15 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Module: Hash Lookup – Hash sets Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 16 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Module: File Type Identification Checks the file type according to its characteristics and collects meta data Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 17 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Module: File Type Identification Checks the file type according to its characteristics and collects meta data Uses Tika (http://tika.apache.org/) Indexing module without its own output Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 17 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Module: File Type Identification Checks the file type according to its characteristics and collects meta data Uses Tika (http://tika.apache.org/) Indexing module without its own output Generates information for other modules Extension Mismatch Detector Keyword Search Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 17 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Module: Embedded File Extraction Uncompress files (ZIP, RAR) or embedded files (DOC, DOCX, PPT, PPTX, XLS and XLSX), processing them again. Enables analysis of files included in these files Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 18 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Module: Embedded File Extraction Uncompress files (ZIP, RAR) or embedded files (DOC, DOCX, PPT, PPTX, XLS and XLSX), processing them again. Enables analysis of files included in these files Results are displayed in File types → Archives Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 18 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Module: EXIF Parser Extracts EXIF (Exchangeable Image File Format) information stored on images Geolocation, date and time Camera model, setup (exposure, resolution,... ) Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 19 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Module: EXIF Parser Extracts EXIF (Exchangeable Image File Format) information stored on images Geolocation, date and time Camera model, setup (exposure, resolution,... ) Results are displayed in Extracted content → EXIF Metadata Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 19 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Module: Keyword Search Search by keywords during initial or on-demand processing Extracts text from the files being processed and adds them to an index (Solr) Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 20 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Module: Keyword Search Search by keywords during initial or on-demand processing Extracts text from the files being processed and adds them to an index (Solr) Supports several formats (Text, MS Office, PDF, Emails) Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 20 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Module: Keyword Search Search by keywords during initial or on-demand processing Extracts text from the files being processed and adds them to an index (Solr) Supports several formats (Text, MS Office, PDF, Emails) For non-supported formats String Extraction algorithm Is able to identify encodings and languages Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 20 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Module: Keyword Search Default lists Autopsy includes a set of predefined lists of common expressions Web addresses (URLs) IP addresses Phone numbers E-mail addresses Unfortunately they generate a huge amount of false positives Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 21 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Module: Email Parser Identifies and processes e-mail program files (MBOX, PST) Extract contained e-mails Processes its attachments Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 22 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Module: Extension Mismatch Detector Identifies files that have a file pattern that doesn’t matches the filename extension Attempts to identify camouflaged files may generate some false positives Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 23 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Module: E01 Verifier Verifies the hash value of the data stored in EWF files Calculates the hash and compares it with the values stored in the E01 metadata Aims to identify corrupted EWF files and prevents its automated process Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 24 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Module: Interesting Files Identifier Generate alerts when it detects files and folders with certain characteristics Type (file / folder) Size, extension Name, path MIME type Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 25 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Module: PhotoRec Carver Extract files from unallocated spaces Supports multiple file types Allows the discovery of recently deleted files Allows custom addition of file patterns “Process Unallocated Space” option must be selected Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 26 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Module: Virtual Machine Extractor Identifies virtual machine disks and adds them directly as new data sources Supports VMWare (vmdk) and Microsoft Virtual Hard Drives (vhd) files Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 27 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Module: Virtual Machine Extractor Identifies virtual machine disks and adds them directly as new data sources Supports VMWare (vmdk) and Microsoft Virtual Hard Drives (vhd) files FTK Imager can read also virtual disks files and convert them to E01 Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 27 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Case 1: Hacking Computer Forensic Reference Data Sets (CFReDS) - NIST Lost PC On 20-09-2004 a computer was found abandoned and it is suspected that this computer was used for hacking purposes. The suspect, Greg Schardt, uses the nickname “Mr. Evil” and some of his associates have said that he would park his vehicle within range of Wireless Access Points where he would then intercept Internet traffic, attempting to get credit card numbers, usernames & passwords. Exercise Answer the questions available on Moodle Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 28 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography This topic 1 Introduction 5 Timelines Autopsy Views 2 Tips 6 Report 3 Data Processing Generation Ingest Modules Structured Threat Information Exchange 4 Content analysis 7 Evidences Manual content analysis Exporting Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 29 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Manual content analysis Autopsy graphic interface Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 30 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Manual content analysis Tree viewer Tree viewer indexes information resulting from automated processing and gives access to four large areas: Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 31 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Manual content analysis Tree viewer Tree viewer indexes information resulting from automated processing and gives access to four large areas: Data sources: Indicates the data source, allowing navigation within the respective file systems Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 31 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Manual content analysis Tree viewer Tree viewer indexes information resulting from automated processing and gives access to four large areas: Data sources: Indicates the data source, allowing navigation within the respective file systems Views: Shows the found files under multiple views (type, size, state). The same file can appear here several times (in different views). Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 31 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Manual content analysis Tree viewer Tree viewer indexes information resulting from automated processing and gives access to four large areas: Data sources: Indicates the data source, allowing navigation within the respective file systems Views: Shows the found files under multiple views (type, size, state). The same file can appear here several times (in different views). Results: Shows the results found by the several modules. Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 31 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Manual content analysis Tree viewer Tree viewer indexes information resulting from automated processing and gives access to four large areas: Data sources: Indicates the data source, allowing navigation within the respective file systems Views: Shows the found files under multiple views (type, size, state). The same file can appear here several times (in different views). Results: Shows the results found by the several modules. Reports: Indicates the several produced reports, either manually or automatically by the modules. Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 31 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Tree viewer Views The Views area has: File type: Sorts files by extension or MIME type. Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 32 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Tree viewer Views The Views area has: File type: Sorts files by extension or MIME type. Recent files: Files accessed in the last 7 days. Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 32 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Tree viewer Views The Views area has: File type: Sorts files by extension or MIME type. Recent files: Files accessed in the last 7 days. Deleted files: Deleted files deleted, it tries to recover their original name. Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 32 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Tree viewer Views The Views area has: File type: Sorts files by extension or MIME type. Recent files: Files accessed in the last 7 days. Deleted files: Deleted files deleted, it tries to recover their original name. File size: Sorts files by size. Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 32 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Image gallery Useful when image analysis is relevant to the case under consideration. It is available in the Tools Group images by folder, compressed file Allows viewing of images when detected Functionality can be activated / deactivated in the options Allows cataloging of images (for child pornography and similar tasks) Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 33 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography File Search Useful when searching for a file with specific characteristics. It is available in the Tools menu Name Size MIME type Date Good/Bad Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 34 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography This topic 1 Introduction 5 Timelines Autopsy Views 2 Tips 6 Report 3 Data Processing Generation Ingest Modules Structured Threat Information Exchange 4 Content analysis 7 Evidences Manual content analysis Exporting Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 35 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Timelines After indexing events, Autopsy allows you to create timelines based on the dates on which such events occurred Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 36 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Timelines Events Autopsy recognizes events, such as Files (modification, access, creation, change) Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 37 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Timelines Events Autopsy recognizes events, such as Files (modification, access, creation, change) Internet access (downloads, cookies, bookmarks, searches, browser history) Others (messages, phone calls, e-mails, GPS tracks,... ) Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 37 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Timeline visualization Histogram Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 38 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Timeline visualization Detailed view Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 39 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Timeline visualization Filters Autopsy allows to reduce the number of elements in a timeline using filters Filter known files Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 40 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Timeline visualization Filters Autopsy allows to reduce the number of elements in a timeline using filters Filter known files Filter by text Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 40 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Timeline visualization Filters Autopsy allows to reduce the number of elements in a timeline using filters Filter known files Filter by text Event type Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 40 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Timeline visualization Filters Autopsy allows to reduce the number of elements in a timeline using filters Filter known files Filter by text Event type Time windows Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 40 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography This topic 1 Introduction 5 Timelines Autopsy Views 2 Tips 6 Report 3 Data Processing Generation Ingest Modules Structured Threat Information Exchange 4 Content analysis 7 Evidences Manual content analysis Exporting Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 41 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Labeling Tag results with labels Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 42 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Labeling Tag results with labels Items for future reference Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 42 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Labeling Tag results with labels Items for future reference Enables the marking of files or results Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 42 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Labeling Tag results with labels Items for future reference Enables the marking of files or results Tag name set by investigator Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 42 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Labeling Tag results with labels Items for future reference Enables the marking of files or results Tag name set by investigator Tags appear as a sub-area of Results Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 42 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Report generation Several types of reports are available Results: Applies to the items of the results view, Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 43 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Report generation Several types of reports are available Results: Applies to the items of the results view, can be filtered Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 43 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Report generation Several types of reports are available Results: Applies to the items of the results view, can be filtered Tagged: Applies to the tagged items Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 43 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Report generation Several types of reports are available Results: Applies to the items of the results view, can be filtered Tagged: Applies to the tagged items Files: List of files under analysis Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 43 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Report generation Several types of reports are available Results: Applies to the items of the results view, can be filtered Tagged: Applies to the tagged items Files: List of files under analysis KML: List of GPS coordinates in Google Earth format Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 43 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Report generation Several types of reports are available Results: Applies to the items of the results view, can be filtered Tagged: Applies to the tagged items Files: List of files under analysis KML: List of GPS coordinates in Google Earth format TSK: MAC timeline list of all files Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 43 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Report generation Several types of reports are available Results: Applies to the items of the results view, can be filtered Tagged: Applies to the tagged items Files: List of files under analysis KML: List of GPS coordinates in Google Earth format TSK: MAC timeline list of all files STIX: Compares the results obtained with a threat file Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 43 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Structured Threat Information Exchange (STIX) structured language for describing cyber threat information so it can be shared (XML) Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 44 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Structured Threat Information Exchange (STIX) structured language for describing cyber threat information so it can be shared (XML) Accepts indicators like: IP address, URL, Names TCP, UDP connections Filenames, hashs... Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 44 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Structured Threat Information Exchange (STIX) structured language for describing cyber threat information so it can be shared (XML) Accepts indicators like: IP address, URL, Names TCP, UDP connections Filenames, hashs... More information: https://stix.mitre.org/ Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 44 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Structured Threat Information Exchange (STIX) Example: IP address... Known IP address IP Watchlist 192.168.1.111 Potentially dangerous equipment!... Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 45 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Case 1: Hacking Computer Forensic Reference Data Sets (CFReDS) - NIST Lost PC On 20-09-2004 a computer was found abandoned and it is suspected that this computer was used for hacking purposes. The suspect, Greg Schardt, uses the nickname “Mr. Evil” and some of his associates have said that he would park his vehicle within range of Wireless Access Points where he would then intercept Internet traffic, attempting to get credit card numbers, usernames & passwords. Try the sample STIX file available on Moodle Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 46 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography This topic 1 Introduction 5 Timelines Autopsy Views 2 Tips 6 Report 3 Data Processing Generation Ingest Modules Structured Threat Information Exchange 4 Content analysis 7 Evidences Manual content analysis Exporting Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 47 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Exporting evidences Autopsy allows to export files to: Analyse with other tools Compare Archive Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 48 Overview Introduction Tips Data Processing Content analysis Timelines Report Evidences Bibliography Bibliography and Credits Bibliography Autopsy User’s Guide, Autopsy User Documentation (version 4.7) https://github.com/sleuthkit/autopsy/tree/release-4.7.0/docs/doxygen-user Autopsy Forensic Browser User Guide, Julia Keffer, 2013 https://juliakeffer.files.wordpress.com/2013/06/autopsy_user_guide.pdf Credits The original author of these slides is António Pinto Translated, adapted and updated by Miguel Frade Miguel Frade and Baltazar Rodrigues MCIF – Digital Forensic Analysis 1 49
