Sorting by File Type

In the Autopsy image analysis screen, you'll find several options. My favorite option is the File Type screen, but before clicking on Sort Files by Type, plan to wait a while.

This feature will scan the entire image file; extract files; sort them into various categories such as images, documents, executables, crypto-related files, etc.; and give you the option of copying the files out so you can further examine them.

An example of the output for crypto files is shown in Listing 3.

01 /home/secret/.pgp/secring.pgp
02   PGP key security ring
03   Image: /evidence/ddriveimage.dd Inode: 672945
04   Saved to: crypto/ddriveimage.dd-672945
05
06 /home/secret/.pgp/pubring.pgp
07   PGP key public ring
08   Image: /evidence/ddriveimage.dd Inode: 672959
09   Saved to: crypto/ddriveimage.dd-672959.pgp

Keyword Search

Another benefit of Autopsy is the keyword search screen. Not only does the search handle regular expressions, with a link to a cheat sheet, it also offers a number of pre-configured searches such as credit card numbers, social security numbers, IP addresses, and dates. Search results are cached, so once you have done a search and waited for the results, you never have to wait again.

Conclusion

Sleuth Kit offers an incredibly powerful -- and free – set of utilities for electronic forensics, working not only on Linux but also on Windows and other forms of Unix. With the addition of the Autopsy web interface, the software is extremely easy to use, and getting results with it shouldn't take too long.

In my testing – using older testing machines with hard drives that have seen it all – I found information spanning several years, from old installations of Windows to documents I hadn't seen in ages. Sleuth Kit definitely deserves a place in any system administrator's or auditor's toolkit.