Forensic Blogs

An aggregator for digital forensics blogs

by

Tool Evaluation Team – Autopsy Blog 3

Tool Evaluation Team – Autopsy Blog #3

Madi Brumbelow & Lyall Rogers

Testing Autopsy

For the last 3 months we’ve researched all about Autopsy: how to use it, comparing it to other tools, and mastering the art of forensic image analysis with our tool. Now, the results are in, results that you can see in our final report. We tested our tools based on time taken for analysis, user friendliness, and effectiveness in identifying artifacts, especially using keyword search. The team searched for keywords having to do with our scenario, and the main word searched was “cyanide”. Autopsy was effective in finding Web Artifacts, but deleted files having to do with cyanide did not show up. They could be found manually, unlike how they turned up automatically in the keyword searches for other tools, specifically EnCase.

A New Way to Search

Finishing the report wasn’t without its own surprises. As we were finishing up the search functions portion of the report, we took a final look at the tools section of Autopsy and discovered something peculiar. A new way to complete searches: File Search by Attributes.

File Search by Attributes does what you would expect from a keyword search; it goes through the entire image and finds what pertains to that specific keyword. In the case of this sample image, it was cyanide. We spent weeks trying to figure out why we couldn’t search anything outside of the web history, and low and behold, the answer was in the tools tab the entire time. Not only would it search the whole file, but it would give us the same number each and every single time we ran it. Unlike the normal keyword search, this tool had consistent results, but it was hard to find within the tool. Thankfully we found this before our report was finished, because now we are confident we truly know the ins and outs of Autopsy.

Reflection

Overall, we’re glad that we chose Autopsy to explore this semester. It’s an interesting tool, and very powerful considering it comes in at the low price of free! Our investment in the program has definitely paid off. Lyall is using it for personal use now, and Madi has to use it for her final project in a class. Turns out choosing a tool because its icon is a dog was the right path to take!

 

The post Tool Evaluation Team – Autopsy Blog 3 appeared first on The Leahy Center for Digital Investigation.

by

Intern Blog Series: About the Project

One of my four dogs, Nova!

Thanksgiving break was filled with good food and quality family time. I was thankful to go home and see my family, and very thankful to see my dogs! With break over and over thirty hours of driving behind me, it’s time to really start on final projects and finish up my internship at the LCDI. It was nice having a break, but the next few weeks are going to be stressful ones.

Using Autopsy

At this point in the internship, our project is almost done and all we need to finish is wrapping up the final report. As I’ve mentioned before, I’m on the Tool Evaluation team, specifically using the tool Autopsy. At the beginning of the project, all partnerships on the team picked a tool, and began researching it. Once everyone knew the ins and outs of their tool, we started generating data to test.

Using a murder scenario, we put ourselves in the mind of a killer: browsing the computer, doing searches, sending emails, and researching and shopping for poison. All of this was done within a virtual machine, which is basically an environment to run a “computer” within your own computer. A forensic image, or bit-for-bit copy of this machine, was taken and given to each set of partners. We have been analyzing these images and comparing results— seeing the limits, perks, and downfalls of each one. These results are currently being compiled into a report that we will be finalizing in the next week.

Final Weeks

The semester is going well so far, and the internship is still tying in nicely with all of my classes. My final project for my Intro to Cybercrime class is actually to analyze an image with Autopsy! Knowing a lot about this tool is definitely going to help with this, and I hope I can continue to apply the skills I’ve learned to explore it even more in this project. Right now, I feel behind on all my work (other than my internship), but that’s due to procrastination. This semester has been a hard lesson in time management, and I hope to develop and strengthen these skills in the future. But I am looking forward to pushing everything into high gear and finishing out the semester strong. 

The post Intern Blog Series: About the Project appeared first on The Leahy Center for Digital Investigation.

by

Tool Evaluation: Autopsy Blog Update 2

Introduction

Since our initial research phase, a lot of progress has been made on the tool evaluation project. Everyone within the Tool Evaluation team has their own Virtual Machine, also known as a VM, that their individual tool is on. A VM is software that can run an operating system and applications, acting like a normal desktop. It has access to some of the hardware on the computer that allows it to run, essentially making it a way to use a separate computer within another. 

Problem Solving with Our VM

We’ve been sifting through the data recently and have made a couple of interesting discoveries and accomplishments. We’ve successfully added the forensic image from our data generation to our VM, which took almost 2 hours. We ended up running the data through Autopsy seven different times to test for consistency, which was the longest part of using the tool. We spent the time it was running doing some extra research and figuring out extra quirks of Autopsy.

The VM was temperamental during this whole process. It would freak out and not let us type, and when it wasn’t doing that, it took complete control of the mouse and we couldn’t do anything in the system/program. After figuring out the quirks of typing in the VM, it was fairly easy to just watch as it loaded, keeping track of how long everything took to make sure that it was all still functioning.

We made a couple of predictions of how long it would take to process and tried to figure out one odd thing: Autopsy doesn’t like Mozilla Firefox. Anything from Mozilla Firefox was labeled as a zip bomb by the program. To date, we still don’t know why it wanted Firefox to be a zip bomb so badly, but we assume that it has something to do with the compression ratio that Firefox uses. Because of this, our tool did not pick up essential evidence contained within the Firefox App Data that other teams did.

Conclusion

So far, it has been fun and interesting to work through the hiccups of this project. We look forward to analyzing and comparing our results, and then sharing them with the world!

 

Stay tuned for more updates to come and follow us on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI.

The post Tool Evaluation: Autopsy Blog Update 2 appeared first on The Leahy Center for Digital Investigation.