Forensics with BackTrack and Sleuth Kit
Sorting by File Type
In the Autopsy image analysis screen, you'll find several options. My favorite option is the File Type screen, but before clicking on Sort Files by Type, plan to wait a while.
This feature will scan the entire image file; extract files; sort them into various categories such as images, documents, executables, crypto-related files, etc.; and give you the option of copying the files out so you can further examine them.
An example of the output for crypto files is shown in Listing 3.
Crypto File Output
01 /home/secret/.pgp/secring.pgp 02 PGP key security ring 03 Image: /evidence/ddriveimage.dd Inode: 672945 04 Saved to: crypto/ddriveimage.dd-672945 05 06 /home/secret/.pgp/pubring.pgp 07 PGP key public ring 08 Image: /evidence/ddriveimage.dd Inode: 672959 09 Saved to: crypto/ddriveimage.dd-672959.pgp
Another benefit of Autopsy is the keyword search screen. Not only does the search handle regular expressions, with a link to a cheat sheet, it also offers a number of pre-configured searches such as credit card numbers, social security numbers, IP addresses, and dates. Search results are cached, so once you have done a search and waited for the results, you never have to wait again.
Sleuth Kit offers an incredibly powerful -- and free – set of utilities for electronic forensics, working not only on Linux but also on Windows and other forms of Unix. With the addition of the Autopsy web interface, the software is extremely easy to use, and getting results with it shouldn't take too long.
In my testing – using older testing machines with hard drives that have seen it all – I found information spanning several years, from old installations of Windows to documents I hadn't seen in ages. Sleuth Kit definitely deserves a place in any system administrator's or auditor's toolkit.
- BackTrack: http://www.remote-exploit.org/backtrack.html
- Sleuth Kit: http://www.sleuthkit.org/
- Write blockers: http://www.forensicswiki.org/wiki/Write_Blockers
- BackTrack download: http://www.remote-exploit.org/backtrack_download.html
- dcfldd: http://dcfldd.sourceforge.net/
- Linux LEO: http://www.linuxleo.com/
- "Defeating Forensic Analysis on Unix": http://www.phrack.org/issues.html?issue=59&id=6
Version 16 of the popular Linux desktop reveals new tools, edge-snapping, and performance improvements.
Symantec says Linux-Darlioz burrows in through PHP.
Dell renews its quest for the ultimate developer machine.
Innovative back door looks like normal SSH traffic.
One of CeBITs most successful forums opens the new year with a new name. The popular Open Source Forum continues in 2014 under the name Special Conference: Open Source. This year, the forum will be bigger and offer a wider range of possibilities for sponsors.
New release offers better graphics drivers and expands filesystem support.
New mail protocol will shut out the NSA and prevent snooping on metadata.
A new web application helps users visualize distributed denial-of-service attacks.
Ubuntu 13.10 takes a step toward convergence, with lots of mobility, but Mir only partly here.
Galileo board is targeted to embedded developers and educational institutions.