Forensics with BackTrack and Sleuth Kit
Sorting by File Type
In the Autopsy image analysis screen, you'll find several options. My favorite option is the File Type screen, but before clicking on Sort Files by Type, plan to wait a while.
This feature will scan the entire image file; extract files; sort them into various categories such as images, documents, executables, crypto-related files, etc.; and give you the option of copying the files out so you can further examine them.
An example of the output for crypto files is shown in Listing 3.
Crypto File Output
01 /home/secret/.pgp/secring.pgp 02 PGP key security ring 03 Image: /evidence/ddriveimage.dd Inode: 672945 04 Saved to: crypto/ddriveimage.dd-672945 05 06 /home/secret/.pgp/pubring.pgp 07 PGP key public ring 08 Image: /evidence/ddriveimage.dd Inode: 672959 09 Saved to: crypto/ddriveimage.dd-672959.pgp
Another benefit of Autopsy is the keyword search screen. Not only does the search handle regular expressions, with a link to a cheat sheet, it also offers a number of pre-configured searches such as credit card numbers, social security numbers, IP addresses, and dates. Search results are cached, so once you have done a search and waited for the results, you never have to wait again.
Sleuth Kit offers an incredibly powerful -- and free – set of utilities for electronic forensics, working not only on Linux but also on Windows and other forms of Unix. With the addition of the Autopsy web interface, the software is extremely easy to use, and getting results with it shouldn't take too long.
In my testing – using older testing machines with hard drives that have seen it all – I found information spanning several years, from old installations of Windows to documents I hadn't seen in ages. Sleuth Kit definitely deserves a place in any system administrator's or auditor's toolkit.
- BackTrack: http://www.remote-exploit.org/backtrack.html
- Sleuth Kit: http://www.sleuthkit.org/
- Write blockers: http://www.forensicswiki.org/wiki/Write_Blockers
- BackTrack download: http://www.remote-exploit.org/backtrack_download.html
- dcfldd: http://dcfldd.sourceforge.net/
- Linux LEO: http://www.linuxleo.com/
- "Defeating Forensic Analysis on Unix": http://www.phrack.org/issues.html?issue=59&id=6
Buy this article as PDF
Spammers go low-volume, and 90% of IE browsers are unpatched.
Adobe scrambles to release patches for vulnerable Flash Player.
Four-inch-long computer on a stick lets you boot a full Linux system from any HDMI display device.
New statute would require companies to report break-ins to consumers.
Weird data transfer technique avoids all standard security measures.
FIDO alliance declares the beginning of the end for old-style login authentication.
The Linux New Media Awards have honored the most significant products, projects, people, and organizations for open source/Linux every year since 2000.
Legendary Uber-distro splits over the systemd controversy.
New LTS version offers many refinements for the Cinnamon and Mate desktops and significant improvement under the hood.
One of CeBIT’s most successful forums returns in 2015.