Forensic Blogs

An aggregator for digital forensics blogs

November 30, 2018 by LCDI

Intern Blog Series: About the Project

One of my four dogs, Nova!

Thanksgiving break was filled with good food and quality family time. I was thankful to go home and see my family, and very thankful to see my dogs! With break over and over thirty hours of driving behind me, it’s time to really start on final projects and finish up my internship at the LCDI. It was nice having a break, but the next few weeks are going to be stressful ones.

Using Autopsy

At this point in the internship, our project is almost done and all we need to finish is wrapping up the final report. As I’ve mentioned before, I’m on the Tool Evaluation team, specifically using the tool Autopsy. At the beginning of the project, all partnerships on the team picked a tool, and began researching it. Once everyone knew the ins and outs of their tool, we started generating data to test.

Using a murder scenario, we put ourselves in the mind of a killer: browsing the computer, doing searches, sending emails, and researching and shopping for poison. All of this was done within a virtual machine, which is basically an environment to run a “computer” within your own computer. A forensic image, or bit-for-bit copy of this machine, was taken and given to each set of partners. We have been analyzing these images and comparing results, seeing the limits, perks, and downfalls of each one. These results are currently being compiled into a report that we will be finalizing in the next week.

Final Weeks

The semester is going well so far, and the internship is still tying in nicely with all of my classes. My final project for my Intro to Cybercrime class is actually to analyze an image with Autopsy! Knowing a lot about this tool is definitely going to help with this, and I hope I can continue to apply the skills I’ve learned to explore it even more in this project. Right now, I feel behind on all my work (other than my internship), but that’s due to procrastination. This semester has been a hard lesson in time management, and I hope to develop and strengthen these skills in the future. But I am looking forward to pushing everything into high gear and finishing out the semester strong. 

The post Intern Blog Series: About the Project appeared first on The Leahy Center for Digital Investigation.

Filed Under: Digital Forensics, Uncategorized
Tagged With: Autopsy, Blog Post, Champlain College, Internship, LCDI, Projects, Student Work, Tool Evaluation, tooleval, tools, Update, Virtual Machine

November 29, 2018 by LCDI

Tool Evaluation: Autopsy Blog Update 2

Introduction

Since our initial research phase, a lot of progress has been made on the tool evaluation project. Everyone within the Tool Evaluation team has their own Virtual Machine, also known as a VM, that their individual tool is on. A VM is software that runs an operating system and applications as if on a normal desktop. It is given controlled access to some of the host computer's hardware, essentially making it a way to use a separate computer within another.

Problem Solving with Our VM

We’ve been sifting through the data recently and have made a couple of interesting discoveries and accomplishments. We’ve successfully added the forensic image from our data generation to our VM, which took almost 2 hours. We ended up running the data through Autopsy seven different times to test for consistency, which was the longest part of using the tool. We spent the time it was running doing some extra research and figuring out extra quirks of Autopsy.

The VM was temperamental during this whole process. It would freak out and not let us type, and when it wasn’t doing that, it took complete control of the mouse and we couldn’t do anything in the system/program. After figuring out the quirks of typing in the VM, it was fairly easy to just watch as it loaded, keeping track of how long everything took to make sure that it was all still functioning.

We made a couple of predictions of how long it would take to process and tried to figure out one odd thing: Autopsy doesn’t like Mozilla Firefox. Anything from Mozilla Firefox was labeled as a zip bomb by the program. To date, we still don’t know why it wanted Firefox to be a zip bomb so badly, but we assume that it has something to do with the compression ratio that Firefox uses. Because of this, our tool did not pick up essential evidence contained within the Firefox App Data that other teams did.

Conclusion

So far, it has been fun and interesting to work through the hiccups of this project. We look forward to analyzing and comparing our results, and then sharing them with the world!

 

Stay tuned for more updates to come and follow us on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI.

The post Tool Evaluation: Autopsy Blog Update 2 appeared first on The Leahy Center for Digital Investigation.

Filed Under: Digital Forensics, Uncategorized
Tagged With: Autopsy, Blog Post, Champlain College, Firefox, LCDI, Projects, Student Work, Tool Evaluation, tools, Update, Virtual Machine

October 30, 2018 by LCDI

Encase Tool Evaluation

Introduction:

Over the past five weeks we have been researching and gathering information on OpenText's EnCase 8, readying ourselves to begin dissecting evidence in our mock investigation. As the EnCase 8 intern team, we have been spending large amounts of time watching YouTube videos and diving deep into the manual provided by OpenText. Most recently, we have spent time running through our mock story, completing final checks of the data generation and finally starting our data generation in the VM. We are a team of two first-year interns trying to get our foot in the door of the digital forensic world. This is our story…

Our Story: 

Since day one, we have been slowly figuring out the ins and outs of EnCase 8 and its usability in our investigation. Hours have been spent watching “how to” videos and trying to replicate the actions in EnCase on a flash drive full of files. We have also been doing a heavy amount of reading from the manual, taking notes, and highlighting important commands that will become necessary when using EnCase. One of the main features we needed to know how to do first was imaging drives. To learn how to image a drive, we used a write blocker hooked up to a hard drive and then we followed our notes to image the drive. This was just one of the many important features we will be using with EnCase.
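The write-blocker imaging step above, like the bit-for-bit forensic image of the VM described in the Autopsy post earlier on this page, rests on one check before any tool is pointed at the copy: the image must hash identically to the data that was read from the source. The script below is an added example in POSIX shell, not the LCDI's or either intern team's own procedure, and not EnCase's or Autopsy's acquisition code. It assumes GNU dd, sha256sum and awk are installed, that the source device is already behind a hardware write blocker or otherwise opened read-only, and that the device uses 512-byte sectors unless a different block size is passed.

```shell
#!/bin/sh
# Added example, not the LCDI's or the intern teams' own procedure: take a raw,
# bit-for-bit image of a source device with dd, hash the data as it is read,
# and later re-verify the image against that hash (and, optionally, against
# the source). Assumptions: the source is protected by a hardware write
# blocker or opened read-only; GNU dd, sha256sum and awk are available.

# acquire_image SRC DST [BLOCK_SIZE]
#   Reads SRC in BLOCK_SIZE-byte blocks, continuing past read errors and
#   zero-filling any unreadable block (conv=noerror,sync) so that every later
#   offset in the image still lines up with the source. The stream is hashed
#   while it is written (one read of the evidence, no second pass) and the
#   digest is stored beside the image in DST.sha256; dd's record counts and
#   error messages go to DST.log.
#   BLOCK_SIZE defaults to 512 and must equal the device's sector size:
#   conv=sync pads a short final read up to BLOCK_SIZE, so a larger value
#   would append zeros to the image and its hash would no longer match the
#   source.
acquire_image() {
  src=$1
  dst=$2
  bs=${3:-512}
  dd if="$src" bs="$bs" conv=noerror,sync 2>"$dst.log" \
    | tee "$dst" \
    | sha256sum | awk '{print $1}' >"$dst.sha256"
  # A non-empty image plus a recorded digest are the success criteria.
  [ -s "$dst" ] && [ -s "$dst.sha256" ]
}

# verify_image IMG [SRC]
#   Recomputes the digest of IMG and compares it with the IMG.sha256 recorded
#   at acquisition time. When SRC is given (the original device, still behind
#   the write blocker), SRC is hashed too and must match as well. Returns 0
#   only when every digest agrees; reports the mismatch on stderr otherwise.
verify_image() {
  img=$1
  src=$2
  [ -r "$img.sha256" ] || { echo "no digest recorded for $img" >&2; return 1; }
  recorded=$(cat "$img.sha256")
  current=$(sha256sum "$img" | awk '{print $1}')
  if [ "$recorded" != "$current" ]; then
    echo "MISMATCH $img: recorded=$recorded current=$current" >&2
    return 1
  fi
  if [ -n "$src" ]; then
    src_hash=$(sha256sum "$src" | awk '{print $1}')
    if [ "$src_hash" != "$current" ]; then
      echo "MISMATCH source $src: source=$src_hash image=$current" >&2
      return 1
    fi
  fi
  echo "MATCH $current"
  return 0
}
```

The resulting raw `.dd` file is what a tool such as EnCase or Autopsy is then pointed at, and the digest written at acquisition time is the value that belongs in the report. The write blocker and the hash do different jobs: the blocker keeps the source from changing while it is read, the hash proves that the copy (and every later copy of it) is the same bytes. Hashing the stream once, as it is read, also matters on a failing drive, where a second pass over the source may return different data.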

Upon completion of our never-ending quest to better understand EnCase, we began to familiarize ourselves with the story we generated as a team of 8 that we’d be using for our investigation. This involved reading through the story day by day and testing the actions from the script that we wrote. Once this was all completed, our team member Matt was the first to run the final data generation in the VM. He started by opening the tool evaluation VM and began to work his way through the day one script for our mock investigation. Matt followed the script closely while taking detailed notes of anything he added to the script to beef up day one of our data generation. He also took detailed notes on what was displayed on the screen, including the time and action that occurred.

Conclusion:

Next up, we will begin to use EnCase by doing keyword searches and gathering artifacts. We are very excited to get our hands on the mock evidence and truly begin our professional digital forensic experience. Expect us to slowly but surely harness the powers of EnCase 8 and dive head first into this investigation, evaluating EnCase as we go. We will take detailed notes and begin the process of compiling our report on EnCase 8. Stay tuned to hear more about our ups, downs, and everything in between here at the Leahy Center for Digital Investigation. Check in on Instagram @champforensicslcdi and Twitter @ChampForensics!

 

To learn more about this and other blogs of the LCDI visit us here: LCDI Blog.

Stay in the loop on our current and upcoming projects and events by following us on Facebook, Twitter, or Instagram.

The post Encase Tool Evaluation appeared first on The Leahy Center for Digital Investigation.

Filed Under: Digital Forensics, Uncategorized
Tagged With: Blog Post, Champlain College, computer forensics, Digital forensics, Encase, intern, Opentext, Projects, software, tools, Update, youtube
