Forensic Blogs

An aggregator for digital forensics blogs

by

Tool Evaluation: Autopsy Blog

Introduction

For this intern project, we have chosen to research and analyze the digital forensics tool Autopsy. This tool is open source and the graphical interface for a set of command line tools called the Sleuth Kit. We chose Autopsy because neither of us were familiar with the tool, and we both wanted to learn more about it. By researching Autopsy, taking notes, and testing it out, we have become very familiar with the tool.

Personal Experiences Joint Experience

Before working on this Tool Eval project, neither of us had worked with Autopsy before. It was a completely new experience to use the open source tool and experiment with everything it could do. As we started to research and practice using Autopsy, we learned that it was one of the more user friendly tools based on design and a number of other features. Even if the tool didn’t have all of the exact same capabilities as a tool like EnCase v.8.07, it still got the job done. We found out that Autopsy is a shell for a set of command lines. This helps us because it makes the Sleuth Kit, which is a very useful tool, more accessible to the average person.

Lyall’s Personal Experience

As a Second Year (or Sophomore in the rest of the world) at Champlain College, I had encountered Autopsy only by name, having primarily used EnCase in my classes. Autopsy was totally different than what I was expecting. It offered a good layout, but kept the features in the same locations across the different versions. These locations also made sense as to where they were located in the entire program.

Since working on this project, I have downloaded Autopsy for my personal use to complete my assignments at home. This extra practice has really cemented the fact that Autopsy offers similar tools in a great format. The fact that it also provides different formats to get reports and saves evidence from an E01 format and a Dd/Raw format means that I can see the same data in whatever format I need in that moment.  

Right from the beginning, Autopsy provided me with a positive user experience. Without even using my notes, I was able to figure out how to use it appropriately the first time around. It’s really allowed me to become more familiar with how the digital forensics process works.

Madi’s Personal Experience

This is my first year at Champlain College. Before interning at the LCDI, I never touched a digital forensics tool. I did not even fully know what a forensic image was, or that there were certain file types associated with images. Having the opportunity to conduct independent research, as well as working with a partner, has allowed me to become very familiar with this tool in a short amount of time. My partner, Lyall, is on her second year at Champlain. With the help of someone who is more experienced in how these tools work, I have been able to learn by doing instead of being limited to YouTube guides and other online resources.

The Future

After doing extensive research on our tool, it is now time to get our hands dirty using Autopsy. As a larger group with the entire Tool Eval team, we have been working on creating a scenario to test our tools and put them through their own version of the Hunger Games. The past couple weeks have been dedicated to data generation and extensive research. Since generating that data, our next step is to analyze it using the forensic processes that we learned about from our research. The main goal will be to find out the full capabilities of our tools and compare them, since we already know what the data is. We look forward to sharing our results in the near future!

 

To learn more about this and other blogs of the LCDI visit us here: LCDI Blog.

Stay in the loop on our current and upcoming projects and events by following us on Facebook,  Twitter, or Instagram. 

The post Tool Evaluation: Autopsy Blog appeared first on The Leahy Center for Digital Investigation.

by

Python & Nmap

Automated Network Scanner! Team

 

Network Scanning Overview

So far, the Automated Network Scanning Team ! has learned about Python and Nmap. We are planning to use Python to create an automated network scanner and report generator with Nmap. To do this, we had to learn how to install various Python packages, such as libnmap, a package that enables the execution of Nmap. We also installed argparse, which allows users to change how a program runs without changing the code of the program, and smtplib, which allows Python to send emails from an SMTP server.

Python

The Python scanning portion will first take inputs from the command line using the argparse package, allowing the user to run it with different inputs, specify target IP’s, and identify the output destination of the email report. The team added these features  to the program. Which was intended to run remotely from a Raspberry Pi integrated into a network. After the user specifies these parameters, the program launches a scan utilizing the libnmap package. Unlike all the other packages, to install libnmap we had to learn how to use pip, a python package installation tool. This was a new experience for the team, but we successfully learned how to install packages using pip.

After the scan completes, it is re-organized for readability, and then the smtplib package is used to send the results in .csv file to the target destination. Throughout this process, we had to learn from the documentation of all three of these packages, which we had never worked with before. It improved our understanding of the Python language and sharpened our programming skills.

Network Mapper – Nmap

While using Nmap, we studied different types of scans to obtain all the information needed to compile a full report. We began by examining a ping scan, which scans through a range of IP’s for promising IP addresses to scan. A ping scan uses the same packets as a standard ping request. This scan was done first in our program in order to discover any viable hosts that were up and running, while being relatively fast compared to other host discovery scans. It also provided enough information to execute our next scans. The next scan that ran was the OS Fingerprinting scan.

This scan sent packets to a host, then ran dozens of tests on that host. After this, Nmap compared the results to a database of more than 2,600 OS fingerprints, trying to find a good match. We used this scan type to gather additional information on the target hosts/network.

Conclusion

One added feature of our automated network scanner is to find known vulnerabilities. We decided to scan for a cryptographic vulnerability, the Heartbleed Bug. This vulnerability allows the stealing of information encrypted with OpenSSL, a popular encryption protocol. There are Nmap scripts designed to scan for targets that are vulnerable to this bug. Nmap maintains a database of scripts that other users have found useful for security applications, and individual users can expand their nmap abilities by scripting to obtain new and different information.

Throughout the past few weeks, our Automated Network Scanning Team has learned about several Python packages, like libnmap, argparse, and smtplib. We have explored the functionalities of Nmap, bringing both together in our Python automated network scanner.

 

To learn more about this and other blogs of the LCDI visit us here: LCDI Blog.

Stay in the loop on our current and upcoming projects and events by following us on Facebook,  Twitter, or Instagram. 

The post Python & Nmap appeared first on The Leahy Center for Digital Investigation.

by

FTK Tool Evaluation Update

Introduction

In our tool eval team, we are researching and evaluating AccessData’s Forensic Toolkit. This program advertises itself as an all encompassing tool for extracting, analyzing, and compiling digital evidence into a readable format that is acceptable for use in a court of law. Our primary goal is to understand FTK in every aspect possible, with preference given to the searching and efficiency aspects of its use.

Current Progress

Over the past month, we spent a significant amount of time familiarizing ourselves with online FTK manuals and tutorials. We felt it was important to understand exactly which functions and features would help digital investigators the most before trying to run data through FTK’s systems. When we felt we were proficient in our knowledge, we set up our virtual machine with support from the LCDI helpdesk.

More recently, we have been participating in a multi-team effort to generate test data. To do this, we recreated digital footprints of a professor killing another for tenure. We knew that we had to make our test data as realistic as possible, so we threw searches of jazz musicians and golf tournaments into our fictional professor’s data stream. We plan to sift through the test data in Forensic ToolKit to discern how reliable the program is at catching criminal data in a stream of normal internet browsing.

We have been documenting our shift-to-shift progress on a website with updates in a shorter bullet point format. Along with the website, we have created and started maintenance of our twitter handle, @FTKToolEvalLCDI. We have also been researching any and all aspects of FTK that remain beyond the scope of our knowledge. This is a rather time consuming process, made much more difficult by the lack of guides and videos online. Regardless, we appear to be on track for a timely end to this project.

Conclusion

We have already accomplished a lot, but still have a long way to go. Once we get our data gen back, we can begin benchmark tests and can report with more hard data. Getting everything set up on the virtual machine was a small hurdle that we overcame. We are eager to continue our progress and report back with more concrete data on FTK.

After we complete our research, we plan to compare statistics of multiple digital forensic programs, such as Encase and Autopsy, to FTK. Our hope is to provide an accurate comparison of digital forensic tools so digital investigators all over the world can have accurate knowledge and preparation in their own ventures.

 

To learn more about this and other blogs of the LCDI visit us here: LCDI Blog.

Stay in the loop on our current and upcoming projects and events by following us on Facebook,  Twitter, or Instagram. 

The post FTK Tool Evaluation Update appeared first on The Leahy Center for Digital Investigation.