Forensic Blogs

An aggregator for digital forensics blogs

November 30, 2018 by LCDI

Intern Blog Series: About the Project

One of my four dogs, Nova!

Thanksgiving break was filled with good food and quality family time. I was thankful to go home and see my family, and very thankful to see my dogs! With break over and over thirty hours of driving behind me, it’s time to really start on final projects and finish up my internship at the LCDI. It was nice having a break, but the next few weeks are going to be stressful ones.

Using Autopsy

At this point in the internship, our project is almost done and all we need to finish is wrapping up the final report. As I’ve mentioned before, I’m on the Tool Evaluation team, specifically using the tool Autopsy. At the beginning of the project, all partnerships on the team picked a tool, and began researching it. Once everyone knew the ins and outs of their tool, we started generating data to test.

Using a murder scenario, we put ourselves in the mind of a killer: browsing the computer, doing searches, sending emails, and researching and shopping for poison. All of this was done within a virtual machine, which is basically an environment to run a “computer” within your own computer. A forensic image, or bit-for-bit copy of this machine, was taken and given to each set of partners. We have been analyzing these images and comparing results, seeing the limits, perks, and downfalls of each tool. These results are currently being compiled into a report that we will be finalizing in the next week.

Final Weeks

The semester is going well so far, and the internship is still tying in nicely with all of my classes. My final project for my Intro to Cybercrime class is actually to analyze an image with Autopsy! Knowing a lot about this tool is definitely going to help with this, and I hope I can continue to apply the skills I’ve learned to explore it even more in this project. Right now, I feel behind on all my work (other than my internship), but that’s due to procrastination. This semester has been a hard lesson in time management, and I hope to develop and strengthen these skills in the future. But I am looking forward to pushing everything into high gear and finishing out the semester strong. 

The post Intern Blog Series: About the Project appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation

Filed Under: Digital Forensics, Uncategorized. Tagged With: Autopsy, Blog Post, Champlain College, Internship, LCDI, Projects, Student Work, Tool Evaluation, tooleval, tools, Update, Virtual Machine

November 29, 2018 by LCDI

FTK Tool Evaluation Update 2

Current Progress

After receiving our team-generated test data, we plugged our test scenario into Forensic ToolKit. It was intriguing to see what Forensic ToolKit would catch from our generated data.

Data took a long time to load into FTK, but once it was in the system we could start evaluating processing speed and user friendliness.

In terms of hit processing speed, FTK showed a lot of variation, as you can see from the table above. The number of hits and the number of analyzed hits per second are positively correlated, and our tests did not reach hit counts too large for the system to handle. That is why the keyword search for “e” has over 22 thousand analyzed hits per second, by far the highest of the indexed searches: the system analyzed more data per second when the initial hit count was higher. Moreover, FTK is shown to be a very powerful program, as all of the wait times were under 5 minutes.

FTK processing is fast and expansive, but in other fields of evaluation it rapidly falls behind. One of those fields is user friendliness. We encountered a lot of user friendliness problems during our evaluation. FTK would unexpectedly crash or stop responding at least once every time we accessed it. The graphics of this program make the screen incredibly busy and confusing. To a beginner digital investigator, this program would be challenging to use because FTK tutorials are scarce, leaving the investigator on their own to figure out this visually busy program.

FTK’s graphics can be largely excused, because this program is made for functionality, not aesthetics. Lastly, it is important to note that FTK has crashed several times in regular use, usually when trying to do some sort of standard action. When trying to run an index search, for instance, the program will freeze and occasionally crash. All of these factors put a dent in FTK’s overall user friendliness.

Conclusion

FTK is top performing in data collection but low performing in user friendliness. Our evaluation of FTK is almost complete, and the FTK intern team is currently starting drafts of our final report.


To learn more about this and other blogs of the LCDI visit us here: LCDI Blog.

Stay in the loop on our current and upcoming projects and events by following us on Facebook, Twitter, or Instagram.

The post FTK Tool Evaluation Update 2 appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation

Filed Under: Digital Forensics, Uncategorized. Tagged With: Analysis, Blog Post, Champforensics, Champlain College, computer forensics, Digital forensics, Digital Investigation, FTK, Student Work, tooleval, Update

November 1, 2018 by LCDI

Tool Evaluation: Autopsy Blog

Introduction

For this intern project, we have chosen to research and analyze the digital forensics tool Autopsy. This tool is open source and is the graphical interface for a set of command line tools called the Sleuth Kit. We chose Autopsy because neither of us was familiar with the tool, and we both wanted to learn more about it. By researching Autopsy, taking notes, and testing it out, we have become very familiar with the tool.

Personal Experiences

Joint Experience

Before working on this Tool Eval project, neither of us had worked with Autopsy before. It was a completely new experience to use the open source tool and experiment with everything it could do. As we started to research and practice using Autopsy, we learned that it was one of the more user friendly tools based on design and a number of other features. Even if the tool didn’t have all of the exact same capabilities as a tool like EnCase v.8.07, it still got the job done. We found out that Autopsy is a shell for a set of command-line tools. This helps us because it makes the Sleuth Kit, which is a very useful tool, more accessible to the average person.

Lyall’s Personal Experience

As a Second Year (or Sophomore in the rest of the world) at Champlain College, I had encountered Autopsy only by name, having primarily used EnCase in my classes. Autopsy was totally different from what I was expecting. It offered a good layout, but kept the features in the same locations across the different versions. The places where these features are located within the program also made sense.

Since working on this project, I have downloaded Autopsy for my personal use to complete my assignments at home. This extra practice has really cemented the fact that Autopsy offers similar tools in a great format. The fact that it also provides different formats for getting reports, and loads evidence from both the E01 format and the dd/raw format, means that I can see the same data in whatever format I need in that moment.
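The two things an examiner relies on in the posts above, the bit-for-bit copy described in the first post and the raw (dd) image that Autopsy hands to its Sleuth Kit back end, can be shown in a few lines. This is an added example, not the LCDI’s, Autopsy’s or the Sleuth Kit’s own code: it confirms an image matches its source by length and SHA-256 (the value acquisition tools record so the image can be re-verified later) and reads the MBR partition table the way TSK’s mmls does. The sample image, its partition entries and all function names are constructed here.

```python
import hashlib
import struct

SECTOR = 512
MBR_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, LBA length


def build_sample_image() -> bytes:
    """Constructed sample dd image: an MBR with two partition entries plus
    a few empty sectors. Hypothetical data so the example runs offline;
    the partition LBAs deliberately point past the tiny image."""
    mbr = bytearray(SECTOR)
    entries = [(0x80, 0x07, 2048, 4096),   # bootable, NTFS/exFAT type id
               (0x00, 0x83, 6144, 2048)]   # Linux type id
    for i, (status, ptype, start, length) in enumerate(entries):
        off = 446 + 16 * i
        mbr[off:off + 16] = struct.pack(MBR_FMT, status, b"\0\0\0", ptype,
                                        b"\0\0\0", start, length)
    mbr[510:512] = b"\x55\xAA"  # boot signature
    return bytes(mbr) + bytes(SECTOR * 15)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_bit_for_bit_copy(source: bytes, image: bytes) -> bool:
    """A forensic image must match its source exactly: same length, same hash.
    Any flipped byte in the copy changes the digest and fails the check."""
    return len(source) == len(image) and sha256_hex(source) == sha256_hex(image)


def parse_mbr_partitions(image: bytes) -> list:
    """Walk the four MBR slots, as TSK's mmls does for a raw image, and return
    the partition layout Autopsy shows in its data-source tree."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xAA":
        raise ValueError("no valid MBR boot signature")
    parts = []
    for slot in range(4):
        off = 446 + 16 * slot
        status, _, ptype, _, start, length = struct.unpack(MBR_FMT, image[off:off + 16])
        if ptype == 0:  # empty slot
            continue
        parts.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                      "start_lba": start, "end_lba": start + length - 1})
    return parts


if __name__ == "__main__":
    img = build_sample_image()
    print(is_bit_for_bit_copy(img, bytes(img)), parse_mbr_partitions(img))
```

On a real case the same hash comparison is run against the acquisition log’s recorded value, and mmls on the image should list the same slots this parser returns.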

Right from the beginning, Autopsy provided me with a positive user experience. Without even using my notes, I was able to figure out how to use it appropriately the first time around. It’s really allowed me to become more familiar with how the digital forensics process works.

Madi’s Personal Experience

This is my first year at Champlain College. Before interning at the LCDI, I had never touched a digital forensics tool. I did not even fully know what a forensic image was, or that there were certain file types associated with images. Having the opportunity to conduct independent research, as well as working with a partner, has allowed me to become very familiar with this tool in a short amount of time. My partner, Lyall, is in her second year at Champlain. With the help of someone who is more experienced in how these tools work, I have been able to learn by doing instead of being limited to YouTube guides and other online resources.

The Future

After doing extensive research on our tool, it is now time to get our hands dirty using Autopsy. As a larger group with the entire Tool Eval team, we have been working on creating a scenario to test our tools and put them through their own version of the Hunger Games. The past couple weeks have been dedicated to data generation and extensive research. Since generating that data, our next step is to analyze it using the forensic processes that we learned about from our research. The main goal will be to find out the full capabilities of our tools and compare them, since we already know what the data is. We look forward to sharing our results in the near future!


The post Tool Evaluation: Autopsy Blog appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation

Filed Under: Digital Forensics, Uncategorized. Tagged With: Autopsy, Blog Post, Champforensics, Champlain College, Criminal Investigation, forensic image, LCDI, Projects, Student Work, tooleval, Update