Forensics with BackTrack and Sleuth Kit
Sorting by File Type
In the Autopsy image analysis screen, you'll find several options. My favorite option is the File Type screen, but before clicking on Sort Files by Type, plan to wait a while.
This feature will scan the entire image file; extract files; sort them into various categories such as images, documents, executables, crypto-related files, etc.; and give you the option of copying the files out so you can further examine them.
An example of the output for crypto files is shown in Listing 3.
Crypto File Output
01 /home/secret/.pgp/secring.pgp 02 PGP key security ring 03 Image: /evidence/ddriveimage.dd Inode: 672945 04 Saved to: crypto/ddriveimage.dd-672945 05 06 /home/secret/.pgp/pubring.pgp 07 PGP key public ring 08 Image: /evidence/ddriveimage.dd Inode: 672959 09 Saved to: crypto/ddriveimage.dd-672959.pgp
Another benefit of Autopsy is the keyword search screen. Not only does the search handle regular expressions, with a link to a cheat sheet, it also offers a number of pre-configured searches such as credit card numbers, social security numbers, IP addresses, and dates. Search results are cached, so once you have done a search and waited for the results, you never have to wait again.
Sleuth Kit offers an incredibly powerful -- and free – set of utilities for electronic forensics, working not only on Linux but also on Windows and other forms of Unix. With the addition of the Autopsy web interface, the software is extremely easy to use, and getting results with it shouldn't take too long.
In my testing – using older testing machines with hard drives that have seen it all – I found information spanning several years, from old installations of Windows to documents I hadn't seen in ages. Sleuth Kit definitely deserves a place in any system administrator's or auditor's toolkit.
- BackTrack: http://www.remote-exploit.org/backtrack.html
- Sleuth Kit: http://www.sleuthkit.org/
- Write blockers: http://www.forensicswiki.org/wiki/Write_Blockers
- BackTrack download: http://www.remote-exploit.org/backtrack_download.html
- dcfldd: http://dcfldd.sourceforge.net/
- Linux LEO: http://www.linuxleo.com/
- "Defeating Forensic Analysis on Unix": http://www.phrack.org/issues.html?issue=59&id=6
The Raspberry Pi Foundation has announced an even smaller version of the tiny computer that will fit into a DIMM slot.
A new class of problems lets a malicious app pre-configure an invisible privilege update.
New Hack language adds static typing and other conveniences.
New crypto policy system will offer easier configuration and more uniform security.
Ubuntu founder denounces insecurity in proprietary, close-source software blobs.
Vulnerability affects many Linux web servers
The Bavarian capital shuns Microsoft, Google, and other alternatives to implement an open source groupware solution.
Phone vendor partnerships bring Mark Shuttleworth's dream of Ubuntu on a phone a step closer to reality.
Donors will get to vote on new features for the free video editor.
Debian project puts init out to pasture and says no to Ubuntu's Upstart.