Forensic Blogs

An aggregator for digital forensics blogs

by

Tool Evaluation Team – Autopsy Blog 3

Tool Evaluation Team – Autopsy Blog #3

Madi Brumbelow & Lyall Rogers

Testing Autopsy

For the last 3 months we’ve researched all about Autopsy: how to use it, comparing it to other tools, and mastering the art of forensic image analysis with our tool. Now, the results are in, results that you can see in our final report. We tested our tools based on time taken for analysis, user friendliness, and effectiveness in identifying artifacts, especially using keyword search. The team searched for keywords having to do with our scenario, and the main word searched was “cyanide”. Autopsy was effective in finding Web Artifacts, but deleted files having to do with cyanide did not show up. They could be found manually, unlike how they turned up automatically in the keyword searches for other tools, specifically EnCase.

A New Way to Search

Finishing the report wasn’t without its own surprises. As we were finishing up the search functions portion of the report, we took a final look at the tools section of Autopsy and discovered something peculiar. A new way to complete searches: File Search by Attributes.

File Search by Attributes does what you would expect from a keyword search; it goes through the entire image and finds what pertains to that specific keyword. In the case of this sample image, it was cyanide. We spent weeks trying to figure out why we couldn’t search anything outside of the web history, and low and behold, the answer was in the tools tab the entire time. Not only would it search the whole file, but it would give us the same number each and every single time we ran it. Unlike the normal keyword search, this tool had consistent results, but it was hard to find within the tool. Thankfully we found this before our report was finished, because now we are confident we truly know the ins and outs of Autopsy.

Reflection

Overall, we’re glad that we chose Autopsy to explore this semester. It’s an interesting tool, and very powerful considering it comes in at the low price of free! Our investment in the program has definitely paid off. Lyall is using it for personal use now, and Madi has to use it for her final project in a class. Turns out choosing a tool because its icon is a dog was the right path to take!

 

The post Tool Evaluation Team – Autopsy Blog 3 appeared first on The Leahy Center for Digital Investigation.

by

VMWare Analysis Update 1

Introduction

The VMWare Analysis team is researching the differences between a Windows 7 machine and Windows 7 virtual machine (VM) as well as the changes between a Windows 10 machine and VM. The end goal for this project is a quad comparison between the both operating system versions and their respective VMs.  

VMWare/Physical Machines Used

Three VMs have been set up for this project: a Windows 7 VM; Windows 10 VM; and a SANS SIFT VM running Ubuntu. The SANS SIFT is a free VM built by SANS DFIR (Digital Forensics and Incident Response). It has a variety of Digital Forensics tools, such as Volatility and Bulk Extractor. This VM is being used for memory forensics analysis of the four machines. The VMWare Analysis team is going to be extracting, analyzing, and comparing Windows artifacts. These include Prefetch files, LNK files, Jump Lists, and Windows Memory.

Progress

Thus far, the team has completed datagen and analysis of the Windows 7 machine and Windows 7 VM. Both machines used the same data generation process to keep the results consistent. There are a few specific things that we analyze for the comparisons. One is network information within the registries. Another is what changes VMware tools makes to the virtual machine. And the last is general information on artifacts. This includes where the system stores them and what information they reveal about the system.

VMWare

The team was having troubles generating Prefetch data for Notepad, Notepad ++, and Adobe Reader. After a few minutes of troubleshooting, the team discovered that the Prefetch folder only allows up to 168 “.pf” files at one time. The folder had reached capacity and could not fit files for those applications.

Conclusion

So far, the only identified difference between the VM and the Machine is in the prefetch files. The Windows 7 Machine had 140 prefetch files, while the VM only had 114. It is also noted that the VM image contained a prefetch for VMware (VMTOOLSD.EXE-CD82EC13.pf). The physical machine did not.

VMWare

In the upcoming weeks, the VMware analysis team is planning on starting the Windows 10 physical machine and VM. Once we complete data generation and analysis, we’ll start comparing differences between the virtual machine and physical machine. We’ll also compare Windows 10 and Windows 7.

Like the Leahy Center for Digital Investigation (LCDI) on Facebook and follow us on Twitter to get notified of more project updates.

The post VMWare Analysis Update 1 appeared first on The Leahy Center for Digital Investigation.

by

Windows 10 Forensics – Project Introduction

Introduction In September of 2014, Microsoft announced the next version of Windows, Windows 10.  Unlike Windows 8, Windows 10 looks like it may be a popular release.  It will be returning many aspects of Windows 7 to the desktop and it will also be released to consumers, free.  There are dozens of new features being […]

The post Windows 10 Forensics – Project Introduction appeared first on Computer & Digital Forensics Blog.