Forensic Blogs

An aggregator for digital forensics blogs

December 13, 2018 by LCDI

SIFT Update 3

Introduction

As we are coming to an end working at the Senator Leahy Center for Digital Investigation, we are closer to completing our final report. Our last post was about recovering artifacts and keyword searches. Due to time issues and inexperience, our team couldn’t recover deleted files.

Experience

Throughout the semester, working at the LCDI with the SIFT-workstation has been a refreshing challenge. Coming into the Center has always been a fun and engaging experience. We’ve learned vital information, especially in regards to digital forensics. We’ve even been exposed to the Linux Command Line.

Researching the SIFT-workstation from SANS also exposed us to quite a bit of information about SANS. The more we have learned, the more we have realized how exciting the digital forensics field can be. From a first year student’s perspective, technical jargon and new information can be daunting. With the amount of easy-to-read information that SANS has put out, our team agrees that learning becomes simpler.

In regards to the Linux Command Line, our team was subjected to the experience of learning syntax, system commands, and other programs. Both my partner and I have heard from our professors that these skills are integral as investigators. Having that experience is important to us as aspiring students.

Since we are nearing the end of our time on this project, our team has focused on learning how to generate timelines and search clusters. We’ve also looked into bulk extraction and learned that these are typical and required tasks in this field.

Conclusion

In the end, our experience at the LCDI has been overwhelmingly positive and beneficial. We were exposed to and learned from largely important topics which is an opportunity we’ll always be grateful for. Although our team didn’t meet every expectation we had, we still experienced much more than we expected out of the internship.

The post SIFT Update 3 appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation

December 11, 2018 by LCDI

Automated Network Scanner! The Final Blog

Testing Our Script

The Automated Network Scanning! team has successfully completed their project by capping off the testing phase. Testing was divided into four stages. As we had configured our script to execute on boot, we would start each cycle by rebooting the Raspberry Pi. To implement this, we enabled auto-login on boot with the raspi-config command. When booting to the command line, Raspbian runs the commands stored in the .bashrc file, so we used .bashrc to start a bash script on boot. This bash script uses the cat command to read a file on the system that contained the network’s connectivity status, and launched the scan when appropriate, moving our test cycle to the next step.

Flowchart of scan cycles

Once our team entered the scan running portion of the scanning cycle, our team would log into the Raspberry Pi with PuTTY, an SSH client. SSH clients allow remote control of computers through a command line. Although interacting solely through a command line may be considered an inconvenience, we were quite comfortable with the Linux Command line. To check if our scan was running, we used htop, a command line process viewer. Our team would inspect the htop window for a python3 process running our script and an nmap process. If both were present, as shown below, we could be sure that our script was running.

htop, a process manager service operated from the command line on our Raspberry Pi

Once our script finished, the report was automatically sent to an email address, alerting our team, no matter where they were, that the scan had finished. Our team would read through the report and would then move onto changing the scanner’s settings on the Raspberry Pi. Through PuTTY we were able to remotely interface with the Raspberry Pi. Once we finished this, we rebooted the Pi to start the cycle again.
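The boot-time launcher described above, written out as an added example (this is not the LCDI team's script): it reads the connectivity status file with cat, launches the scanner only when the network is up, and uses a lock file so a reboot cannot start a second scan beside one still running. The status file path, its "up"/"down" contents, the lock file path and the SCAN_CMD placeholder are all assumptions.

```shell
#!/bin/sh
# Launcher of the kind .bashrc would start on auto-login (added example).
STATUS_FILE="${STATUS_FILE:-/tmp/net_status}"   # assumed: "up" or "down" on line 1
LOCK_FILE="${LOCK_FILE:-/tmp/autoscan.lock}"    # assumed: holds PID of running scan

# Returns 0 when the status file says the network is up, 1 otherwise.
network_is_up() {
    [ -r "$STATUS_FILE" ] || return 1
    # cat the status file, as the post's script does, and take its first word
    status=$(cat "$STATUS_FILE" 2>/dev/null | awk 'NR==1{print $1}')
    [ "$status" = "up" ]
}

# Decide whether a scan should start: network up and no scan already running.
# Prints "launch" or "skip"; the lock file guards against duplicate scans.
decide_scan() {
    if ! network_is_up; then
        echo skip; return 1
    fi
    if [ -e "$LOCK_FILE" ] && kill -0 "$(cat "$LOCK_FILE")" 2>/dev/null; then
        echo skip; return 1        # previous scan's process is still alive
    fi
    echo launch
}

# Start the scanner (python3 wrapper around nmap in the post; here SCAN_CMD
# is a placeholder defaulting to 'true' so the example runs offline).
run_scan_if_ready() {
    [ "$(decide_scan)" = launch ] || return 1
    ${SCAN_CMD:-true} &
    echo $! > "$LOCK_FILE"
    wait                           # block until the scan exits
    rm -f "$LOCK_FILE"
}
```

A stale lock file from a power loss is harmless: decide_scan checks that the recorded PID is still alive before treating the scan as running.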


Conclusion

Throughout this iterative cycle, we became intimately familiar with the function of an SSH client, and learned about several tools that make operating Linux systems from the command line easier, such as htop, a process manager, and ranger, a file explorer. Overall, this semester we learned much more about the process of maintaining security on a network by mapping it.

The post Automated Network Scanner! The Final Blog appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation

December 10, 2018 by LCDI

Tool Evaluation Team – Autopsy Blog 3


Madi Brumbelow & Lyall Rogers

Testing Autopsy

For the last 3 months we’ve researched all about Autopsy: how to use it, how it compares to other tools, and mastering the art of forensic image analysis with it. Now the results are in, and you can see them in our final report. We tested our tools on time taken for analysis, user friendliness, and effectiveness in identifying artifacts, especially using keyword search. The team searched for keywords related to our scenario, the main one being “cyanide”. Autopsy was effective in finding Web Artifacts, but deleted files relating to cyanide did not show up in its keyword search. They could still be found manually, whereas other tools, specifically EnCase, turned them up automatically in keyword searches.

A New Way to Search

Finishing the report wasn’t without its own surprises. As we were finishing up the search functions portion of the report, we took a final look at the tools section of Autopsy and discovered something peculiar. A new way to complete searches: File Search by Attributes.

File Search by Attributes does what you would expect from a keyword search: it goes through the entire image and finds what pertains to that specific keyword. In the case of this sample image, it was cyanide. We spent weeks trying to figure out why we couldn’t search anything outside of the web history, and lo and behold, the answer was in the Tools tab the entire time. Not only would it search the whole file, but it would give us the same number each and every time we ran it. Unlike the normal keyword search, this tool had consistent results, but it was hard to find within the tool. Thankfully we found this before our report was finished, because now we are confident we truly know the ins and outs of Autopsy.

Reflection

Overall, we’re glad that we chose Autopsy to explore this semester. It’s an interesting tool, and very powerful considering it comes in at the low price of free! Our investment in the program has definitely paid off. Lyall is using it for personal use now, and Madi has to use it for her final project in a class. Turns out choosing a tool because its icon is a dog was the right path to take!


The post Tool Evaluation Team – Autopsy Blog 3 appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation


About

This site aggregates posts from various digital forensics blogs. Feel free to take a look around, and make sure to visit the original sites.


All content is copyright the respective author(s)