Forensic Blogs

An aggregator for digital forensics blogs

by

Tool Evaluation Team – Autopsy Blog 3

Tool Evaluation Team – Autopsy Blog #3

Madi Brumbelow & Lyall Rogers

Testing Autopsy

For the last 3 months we’ve researched all about Autopsy: how to use it, comparing it to other tools, and mastering the art of forensic image analysis with our tool. Now, the results are in, results that you can see in our final report. We tested our tools based on time taken for analysis, user friendliness, and effectiveness in identifying artifacts, especially using keyword search. The team searched for keywords having to do with our scenario, and the main word searched was “cyanide”. Autopsy was effective in finding Web Artifacts, but deleted files having to do with cyanide did not show up. They could be found manually, unlike how they turned up automatically in the keyword searches for other tools, specifically EnCase.

A New Way to Search

Finishing the report wasn’t without its own surprises. As we were finishing up the search functions portion of the report, we took a final look at the tools section of Autopsy and discovered something peculiar. A new way to complete searches: File Search by Attributes.

File Search by Attributes does what you would expect from a keyword search; it goes through the entire image and finds what pertains to that specific keyword. In the case of this sample image, it was cyanide. We spent weeks trying to figure out why we couldn’t search anything outside of the web history, and low and behold, the answer was in the tools tab the entire time. Not only would it search the whole file, but it would give us the same number each and every single time we ran it. Unlike the normal keyword search, this tool had consistent results, but it was hard to find within the tool. Thankfully we found this before our report was finished, because now we are confident we truly know the ins and outs of Autopsy.

Reflection

Overall, we’re glad that we chose Autopsy to explore this semester. It’s an interesting tool, and very powerful considering it comes in at the low price of free! Our investment in the program has definitely paid off. Lyall is using it for personal use now, and Madi has to use it for her final project in a class. Turns out choosing a tool because its icon is a dog was the right path to take!

 

The post Tool Evaluation Team – Autopsy Blog 3 appeared first on The Leahy Center for Digital Investigation.

by

Automated Network Scanning % Success Over Error

Network Scanning Wrap Up Now That We’re Done

Welcome to the final installment of the Automated Network Scanning % team’s official blog. Our project is now over. The final tweaks are being made to our script, our scans are all shut down, and our team is beginning to finish their internship hours. A lot has happened since our last blog. We spent the majority of November running our scanner against different targets. The results we received from these scans were helpful in deciding what changes to make to our script. Despite our progress made on the scanner, there are a few things we could have done to make it better, if time permitted.

Testing Our Scanner

To test our scanner, our team used a combination of our VM, Pi, Pi network, and LCDI network. We began by targeting our Pi network that we made last month. First by running our scan on the VM. Then we believed that the superior power of the VM would make the scan run faster. Once we confirmed this, we would use our Pi scanner on the network. Our first scan was a smashing success. We used our VM to scan our pi network and it found all the servers we installed on the Pis. Now that we knew our script worked, we scaled up by testing our scan against the LCDI network.

The LCDI network scan performed without any errors. Our only issue was that it took too long. We made some improvements to the script that we believed would speed it up and then reran our test. This time the script worked much faster. This gave us much more confidence in our script, so we moved onto scanning off of our pi. As predicted, this scan was slower than the previous, but not beyond the realm of useable.

Error again

At this stage we decided to make another improvement to our scanner. We wanted to make our Pi run the script for the scan on boot. This meant that as the Pi was turning on ,it would automatically run our scanner. This process turned out to be more difficult than we thought, but eventually we got it working. In the meantime, we ran two more scans of the LCDI network that also worked. After these tests, the team felt comfortable to say our scanner worked without error.

Test results

The results that our scanner got were exactly what we were hoping to get. The first scan of the Pi network finished in 19.05 seconds. The scan found our ssh server, our http server, and both of the ports needed for our file server. We reran this scan to confirm our results and found that indeed our script worked. We then moved on to scanning the LCDI network. Our first scan of the LCDI network took 4 hours 25 minutes and 48 seconds. After adding our improvements, the scan only took 2 hours 28 minutes and 48 seconds. The three scans we did from the Pi averaged out to taking 3 hours 58 minutes and 48 seconds. This met our goal of being under four hours for a scan.

The picture above is a screenshot of the results from our third scan. The host IP’s and MAC addresses have been removed for security purposes. Using our scan results, we were able to identify multiple things about the LCDI network. The first thing we saw was the locations of both of the LCDI subnet’s. We also found a few IP’s that are up but not running any services.

What else could be done

The team is very happy with the work we have done here at the LCDI, but if we had some more time there are a few things that we would have improved. First, we would attempt to make the scanner faster. We met our goal of being under four hours, but we could still do better. We have some ideas of how to do this, like splitting the IP’s up into smaller groups and scanning these groups. Another improvement we would’ve liked to make was automatically identifying aspects of a targeted network. We could have coded in a function into our script that automatically identified subnets based off of our scan results. We also could have a function that identified IP’s that are up but not running any services, and give reasons as to why this is happening.

However, over all, our project was completed successfully.

The post Automated Network Scanning % Success Over Error appeared first on The Leahy Center for Digital Investigation.

by

FTK Tool Evaluation Update 2

Current Progress

After receiving our team-generated test data, we plugged our test scenario into Forensic ToolKit. It was intriguing to see what Forensic ToolKit would catch from our generated data.  

Data took a long time to load into FTK, but once it was in the system we could start evaluating processing speed and user friendliness.

In terms of hit processing speed, FTK had a lot of discrepancy which you can see form the table above. The number of hits and analyzed hits per second have a positive correlation, and our graph did not reach hit counts too large for the system to handle. That is why the keyword search for “e” has over 22 thousand analyzed hits per second, by far the highest indexed hits. The system analyzed more data per second based on the initial higher hit count. Moreover, FTK is shown to be a very powerful program as all the wait times were under 5 minutes.

FTK processing is fast and expansive, but in other fields of evaluation it rapidly falls behind.  One of those fields is user friendliness. We encountered a lot of user friendliness problems during our evaluation. FTK would unexpectedly crash or stop responding at least once every time we accessed it. The graphics of this program make the screen incredibly busy and confusing. To a beginner digital investigator, this program would be challenging to use because FTK tutorials are scarce, leaving the investigator on their own to figure out this visually busy program.

FTK’s graphics can be largely excused, because this program is made for functionality, not aesthetic. Lastly, it is important to note that FTK has crashed several times in regular use, usually when trying to do some sort of standard action. When trying to run an index search, for instance, the program will freeze and occasionally crash.  All of these factors put a dent in FTK’s overall user friendliness.

Conclusion

FTK is top performing in data collection but low performing in user friendliness. Our evaluation of FTK is almost complete, and the FTK intern team is currently starting drafts of our final report.

 

To learn more about this and other blogs of the LCDI visit us here: LCDI Blog.

Stay in the loop on our current and upcoming projects and events by following us on Facebook,  Twitter, or Instagram. 

 

The post FTK Tool Evaluation Update 2 appeared first on The Leahy Center for Digital Investigation.