Forensic Blogs

An aggregator for digital forensics blogs

by

Tool Evaluation Team – Autopsy Blog 3

Tool Evaluation Team – Autopsy Blog #3

Madi Brumbelow & Lyall Rogers

Testing Autopsy

For the last 3 months we’ve researched all about Autopsy: how to use it, comparing it to other tools, and mastering the art of forensic image analysis with our tool. Now, the results are in, results that you can see in our final report. We tested our tools based on time taken for analysis, user friendliness, and effectiveness in identifying artifacts, especially using keyword search. The team searched for keywords having to do with our scenario, and the main word searched was “cyanide”. Autopsy was effective in finding Web Artifacts, but deleted files having to do with cyanide did not show up. They could be found manually, unlike how they turned up automatically in the keyword searches for other tools, specifically EnCase.

A New Way to Search

Finishing the report wasn’t without its own surprises. As we were finishing up the search functions portion of the report, we took a final look at the tools section of Autopsy and discovered something peculiar. A new way to complete searches: File Search by Attributes.

File Search by Attributes does what you would expect from a keyword search; it goes through the entire image and finds what pertains to that specific keyword. In the case of this sample image, it was cyanide. We spent weeks trying to figure out why we couldn’t search anything outside of the web history, and low and behold, the answer was in the tools tab the entire time. Not only would it search the whole file, but it would give us the same number each and every single time we ran it. Unlike the normal keyword search, this tool had consistent results, but it was hard to find within the tool. Thankfully we found this before our report was finished, because now we are confident we truly know the ins and outs of Autopsy.

Reflection

Overall, we’re glad that we chose Autopsy to explore this semester. It’s an interesting tool, and very powerful considering it comes in at the low price of free! Our investment in the program has definitely paid off. Lyall is using it for personal use now, and Madi has to use it for her final project in a class. Turns out choosing a tool because its icon is a dog was the right path to take!

 

The post Tool Evaluation Team – Autopsy Blog 3 appeared first on The Leahy Center for Digital Investigation.

by

Update: rtfdump.py Version 0.0.9

This new version (actually, 0.0.8 and 0.0.9) brings the following changes:

All items can be selected now with -s a.

A warning is displayed when option -s (selecting) does not result in the selection of an item.

Option -A does a run-length encoded ASCII dump (cfr. -a).

JSON output is possible with option –jsonoutput.

Ad-hoc YARA rules can now also be hexadecimal (#x#) or regular expression (#r#).

And offsets in a cut expression can now be hexadecimal too (prefix 0x).

rtfdump_V0_0_9.zip (https)
MD5: 26BE358EC8D42BB7532B6C0C1EBAD1F2
SHA256: 3F6410AC7880116CDDE4480367D3F5AA534CCA3047B75FEA0F4BA1F5EAA97B07

by

Release: strings.py

I’ve been using my own Python implementation of command strings for 3 years now: time for a release (it was already available on my Beta github).

-L (–length) is an option I use often: it sorts the extracted strings from shortest to longest. When analyzing malicious documents and (binary) malware, often the interesting strings are rather long.

Like in this malicious Word document, where the longest string is the malicious PowerShell command.

It also supports JSON input.

For more options and information, take a look at the help (-h) and manual (-m):

 

strings_V0_0_3.zip (https)
MD5: DE008589A0B4B3C33B52BE3A171EB14D
SHA256: 9EBA69933B44DF41F4B51EE45B510E15FA85BCB38AD4CE45C863E8BBDAFED489