Autopsy Forensic Browser http://www.sleuthkit.org/autopsy http://autopsy.sourceforge.net Brian Carrier [carrier@sleuthkit.org] Quick Overview ----------------------------------------------------------------------------- The Autopsy Forensic Browser is a graphical interface to utilities found in The Sleuth Kit (TSK). TSK is a collection of command line tools that allow you to investigate a Windows or Unix system by examining the hard disk contents. TSK and Autopsy will show you the files, data units, and metadata of NTFS, FAT, EXTxFS, and UFS file system images in a read-only environment. Autopsy allows you to search for specific types of evidence based on keywords, MAC times, hash values, and file types. Autopsy is HTML-based and uses a client-server model. The Autopsy server runs on many UNIX systems and the client can be any platform with an HTML browser. This enables one to create a flexible environment with a central Autopsy server and several remote clients. For incident response scenarios, a CD with The Sleuth Kit and Autopsy can be created to allow the responder read-only remote access to a live suspect system from an HTML-browser on a trusted system. Refer to the README-live.txt file for more details. Autopsy will not modify the original images and the integrity of the images can be verified in Autopsy using MD5 values. There are help pages for the main analysis modes and The Sleuth Kit Informer is a newsletter that adds additional documentation. This document provides an overview of how to use Autopsy and what it can do. http://www.sleuthkit.org/informer/ Case Management ----------------------------------------------------------------------------- Starting with Autopsy 1.70, you can have multiple cases. When Autopsy is started, there is an Evidence Locker directory (specified on the command line or at installation time). This directory is the base where all cases will be stored. A CASE is any investigation and can have one or more hosts in it. A list of investigators is assigned to each case. Each case gets a subdirectory of the evidence locker and there is a configuration file for the case and the list of investigators. A HOST is a subset of a CASE. A host contains one or more file system images that are analyzed. Each host gets a subdirectory in the case directory. Each host has its own configuration file that describes the files that it uses. Each host also has five directories in it: - images: for all the disk and partition images - this should have strict permissions to prevent modification - output: for all output files from tools. This includes unallocated disk space and data unit contents. - logs: Audit logs and investigator notes are stored here - reports: All ASCII and HTML reports can be stored here - mnt: Can be used to mount the images in loopback mode An IMAGE corresponds to a disk or partition image. Image files are imported into an Autopsy host. The image file must be a raw copy of a partition or disk. These can be created by the 'dd' tool. Issue 11 of The Sleuth Kit informer discussed how to make images using 'dd'. When importing an image, you have the option of moving the image to the evidence locker, copying the image to the evidence locker, or making a symbolic link from its current location to the evidence locker. You also have the option to calculate or add the MD5 hash value of the image. Main Functions ------------------------------------------------------------------------- After you have setup your case and imported the file system images, you can begin the investigation. The Host Gallery view provides a list of the imported file system images and you can select one of them to analyze. After you have selected it, you will enter the anlaysis view. The top of the window will have a series of tabs that represent different analysis modes. Each mode performs a different type of analysis. Choose the mode that will help you find the type of evidence you are looking for. If you are looking for a specifiic file, choose the File mode. If you have a specific keyword in mind, choose that mode. If you are looking for a specific file type, then choose that mode. You will now need to use your sleuthing skills to search for evidence. You may want to refer to some books dedicated to this topic if you have not done this before. I will now give an overview of each of the modes: FILE BROWSING: Allows browsing the image as a file system. This gives a list of directories on the left, and files and file content on the right hand side. The output of each file can be seen as ASCII or can be run through strings. Since this analyzes directory entries, deleted file names can still be seen and depending on the OS, the deleted file contents can also be easily recovered. If a file name has a check before it, it has been deleted. The directory contents listings can be resorted based on name, size, times etc. by selecting the proper column header. KEYWORD SEARCHING: Search an image using grep(1) for a given string. The result will be a list of data units that have this string. Selecting each unit brings the user into Data Unit mode to view the contents. Case insensitive searches and 'grep' regular expression searches can also be performed. To decrease the searching time, a file can be generated with just the ASCII strings of the image. Also, the unallocated data can be extracted and searched to make deleted data recovery more efficient. The search.pl file contains predefined search values. Autopsy currently comes with a regular expression to identify date strings and IP addresses. Additional values can be added by the user. The format is given in the file. TIMELINE ANALYSIS: A timeline of file activity can be created and viewed. The timeline allows one to identify file and directory locations to examine. The times associated with files can be easily modified, so the time line should be used as reference only. IMAGE DETAILS: Details about the file system are displayed. Examples of this mode include the Volume name, last mount time, and the physical layout of the data structures. For FAT file systems, the FAT contents are given and UNIX-based systems show the group layouts. FILE TYPE ANALYSIS: Data reduction is an important aspect of digital forensics. One way of doing data reduction is to exclude known files and identify unknown files or categories. The File Type Analysis mode will examine all of the files in an image and sort them based on their file type. For example, all JPEG and GIF files would be identified as 'images'. This mode can also identify files that have an extension that is different than its file type. This uses the 'sorter' tool from The Sleuth Kit. The hash databases are used in this mode to exclude files that are known to be good and identify 'known bad' files. Refer to issues 3, 4, and 5 of The Sleuth Kit Informer for more details. METADATA BROWSING: Metadata is descriptive data about a file. This includes information such as times, owner id, and a list of data unit pointers. This mode allows one to view the contents of the file system structures that hold these values. In UNIX-based file system these are typically called inodes, for FAT they are directory entries, and for NTFS they are MFT entries. In this mode, one enters the address of the structure and the details are shown. The file(s) that are using the file will also be displayed (even if they have been deleted for some OSes). Metadata browsing can also be entered from within File browsing. When the file's metadata address is selected, the browser switches to metadata mode and displays the associated details. The data units that the file has allocated can be viewed using the data unit browsing. DATA UNIT BROWSING: All file systems need to store file data some where. Typically, the file system space is organized into large chunks of consecutive bytes. These chunks have different names depending on the file system type, so we will just refer to them as data units. For UNIX-based file system the chunks are fragments, FAT are sectors or clusters, and NTFS are sectors. This mode allows one to examine any data unit they want. Just enter the address and it is displayed in a variety of formats. This is most useful when used with searching or metadata browsing. The contents of the data unit can be displayed in ASCII, hexdump, or by running the raw output through strings(1). The metadata structure that has allocated the unit will be displayed (if any) along with the file name (if any). There are two types of data unit addresses in Autopsy, regular and unallocated. The regular address is the unit number in a regular image created from dd. The unallocated address is the unit number in an image created from the unallocated units in a regular image (by using dls). When unallocated addresses are entered, they are converted to the regular address and the corresponding regular unit is shown. This is useful when using Autopsy along with foremost (http://foremost.sourceforge.net) or Lazarus (TCT). INVESTIGATOR NOTES: An investigator can add notes about any file, data unit, or metadata structure. The notes can be viewed through Autopsy at the Main Menu or by any text editor. The notes file is saved in the 'logs' directory. When viewing through Autopsy, the location that the note refers to can be easily viewed. REPORT GENERATION: Each of the above browsing techniques allows a report to be generated. This report lists the date, md5 value, investigator, and other context information in a text format. This can be used for record keeping when deleted data units of data have been found. THE CELL: In an ideal world, forensics should only be performed on an air-gapped network. In some cases, such as incident response of critical systems, this is not possible. For this reason and because of a history of HTML-browser security issues, files in Autopsy are not "interpreted" by your browser. For example, an HTML document by default will be shown as the raw HTML text. If an investigator wants to view the actual HTML output or an image, they can do so in a sterilized environment that parses out embedded scripts and off-site references. Refer to issue #1 of The Sleuth Kit Informer for more details. Requirements ----------------------------------------------------------------------------- Supported Platforms: Autopsy will run on any system that is supported by The Sleuth Kit. Autopsy needs the following software: The Sleuth Kit (version 2.00 or above) http://www.sleuthkit.org/sleuthkit http://sleuthkit.sourceforge.net PERL (5.8.0 or above) If large files will be used (larger than 2GB), Perl must be compiled to support Large Files. Most systems now ship with 5.8 with large file support. HTML Browser: Any that supports frames and forms will do. Some issues exist with some versions of Internet Explorer. Netscape and Mozilla always work fine though. Explorer will sometimes error when referencing 'localhost', but '127.0.0.1' will work. Recommended UNIX Utilities (most platforms already have these). The default version that comes with some systems are not supported by Autopsy. For example, the grep in Solaris. grep: http://www.gnu.org/software/grep/grep.html Regular Usage ------------------------------------------------------------------------------ To use Autopsy: 1. Ensure that the evidence locker directory has been created and start Autopsy. # ./autopsy Copy and Paste the URL into an HTML browser on the local system. It will look something like: http://localhost:9999/290263284571318993/autopsy 2. Select the 'Create Case' button and enter a name and list of valid investigator names. Note that both the case and investigator names must be valid directory names. 3. Select the case from the Case Gallery and then select 'Add Host' in the Host Gallery menu. Enter the host name, and time information such as the timezone and clock skew (if known). The timeskew is how many seconds fast or slow the original system was and the output times will be adjusted using it. For example, if the host was 3 seconds slow, this field would get a '-3'. 4. Select the host from the Host Gallery and then select 'Add Image' in the Host Manager menu. Copy the images to the directory shown on the screen. It is a subdirectory of the Evidence Locker for the new host and case that have been created. After the images are in the directory, press 'Refresh'. The images must be partition images in a raw format (i.e. dd). 5. Select the file system type and mounting information. By default, the MD5 value will be calculated for the image and saved for future integrity checks. If you already know it, select 'Add Known Value' and paste it in. 6. Continue to add images and hosts to the case. When done, select one of the images and using the different browsing modes. Common Configurations ------------------------------------------------------------------------- The basic usage is for a single user with the client and server on the same system. Autopsy 1.70+ can now handle more than one case at a time. The syntax is as follows for the server to run on port 9999 and only allow access from localhost: # ./autopsy To specify a different port number, use this: # ./autopsy -p 8888 To specify a different remote host, use this: # ./autopsy 10.0.0.1 To specify both a port and remote address use: # ./autopsy -p 8888 10.0.0.1 If more than one investigator is going to be using the same server, then just choose different ports: # ./autopsy -p 9000 10.0.0.1 and # ./autopsy -p 9050 10.0.50 You can also specify a new evidence locker location by providing the '-d' argument: # ./autopsy -d /usr/local/forensics2 Security Considerations ------------------------------------------------------------------------- The Autopsy server is a Perl program that only processes Autopsy urls. It offers easy access control restrictions by limiting access to the server to one host and uses a random numeric "cookie" to further authenticate a remote user. The random cookie is generated when the server starts and allows an investigator to use a multi-user machine. The recommended usage is to have the browser and autopsy running on the same single-user system, which is the default behavior. If a non-localhost system is specified, a cookie is automatically generated. If localhost is used, then a cookie is not used by default. The default behavior can be changed using the command line arguments. SSH forwarding can be used if encryption is needed over a network. File names must be very simple (letters, digits, -, _, and .). This allows fast and easy checking of file names passed in the URL and does not allow people to move out of the morgue directory. Symbolic links can be created between the simple names and more complex ones. Troubleshooting ------------------------------------------------------------------------------ Autopsy is complaining that it can't find X: Verify the variable settings in conf.pl (see the INSTALL file) Autopsy takes a very long time to display large directories: This occurs because directory contents are displayed as an HTML table, and many browsers are not very efficient at displaying large tables. So, it is not Autopsy that is slow, it is the browser. Autopsy hangs when opening directories: Same answer as previous question. Browsers don't like big tables. Autopsy is getting slower and slower: If you start an intensive operation, such as searching or making a strings file, and you hit the back button you will not stop the search or operation. There is no current way to stop these types of processes besides issuing a 'kill' command from a shell. Errors are generated by the 'strings' and 'grep' utilities: This occurs because you most likely do not have the GNU version and the flags are not working. Install the GNU grep and bin-utils and verify that Autopsy is pointing to them in conf.pl. Internet Explorer gives protocol and host errors: If you are accessing the localhost, then use the 127.0.0.1 IP address instead of the localhost name. A file system image doesn't show up on the menu: Make sure your version of Perl supports large files. Feedback ------------------------------------------------------------------------------ Please e-mail me with suggestions on what you would like to see done differently and new features. ------------------------------------------------------------------------------ Brian Carrier March 2005 CVS Date: $Date: 2005/10/13 17:02:33 $