Forensics with BackTrack and Sleuth Kit

Sorting by File Type

In the Autopsy image analysis screen, you'll find several options. My favorite option is the File Type screen, but before clicking on Sort Files by Type, plan to wait a while.

This feature will scan the entire image file; extract files; sort them into various categories such as images, documents, executables, crypto-related files, etc.; and give you the option of copying the files out so you can further examine them.

An example of the output for crypto files is shown in Listing 3.

Listing 3

Crypto File Output

 

Keyword Search

Another benefit of Autopsy is the keyword search screen. Not only does the search handle regular expressions, with a link to a cheat sheet, it also offers a number of pre-configured searches such as credit card numbers, social security numbers, IP addresses, and dates. Search results are cached, so once you have done a search and waited for the results, you never have to wait again.

Conclusion

Sleuth Kit offers an incredibly powerful -- and free – set of utilities for electronic forensics, working not only on Linux but also on Windows and other forms of Unix. With the addition of the Autopsy web interface, the software is extremely easy to use, and getting results with it shouldn't take too long.

In my testing – using older testing machines with hard drives that have seen it all – I found information spanning several years, from old installations of Windows to documents I hadn't seen in ages. Sleuth Kit definitely deserves a place in any system administrator's or auditor's toolkit.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • BackTrack

    The BackTrack live distribution lets you act like an intruder to test your network’s security.

  • Tracing Intruders Intro

    You don't need expensive proprietary tools to practice the craft of computer forensics.

  • OCFA

    Automate the forensics process with the Dutch police department's Open Computer Forensics Architecture.

  • Caine

    Caine is a Linux distribution based on Ubuntu 10.04 for forensic scientists and security-conscious administrators. Poised to do battle against IT ne’er-do-wells, Caine has a comprehensive selection of software, a user-friendly GUI, and responsive support.

  • On the DVD: BackTrack 5 R

    This issue’s DVD comes with the BackTrack 5 R1 [1][2][3] pen test distribution. BackTrack provides a great collection of pen testing and security auditing tools. You can boot into BackTrack Live from the DVD or install BackTrack permanently on your hard disk.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More

News