1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
|
Autopsy Forensic Browser
Live Analysis Mode
http://www.sleuthkit.org/autopsy
http://autopsy.sourceforge.net
Brian Carrier [carrier@sleuthkit.org]
What is Live Analysis?
--------------------------------------------------------------------
Live analysis is, in my mind, an investigation that occurs using
the software resources of the suspect system. An example scenario
of this is when a suspect system is found running, a CD is placed
into it, and commands are run. If the suspect system is powered
down and booted from a bootable Linux CD (or similar), then the
investigation is a dead analysis.
This is most commonly done when investigating a server or other
computer that is suspected of being compromised, but verification
is needed before it can be powered down. Using The Sleuth Kit and
Autopsy will prevent the access times on individual files from being
updated (although the raw device's A-time will be) and can bypass
most rootkits that hide files and directories.
What are the Issues with Live Analysis?
--------------------------------------------------------------------
Live analysis is not ideal because you are relying on the suspect
system, which can lie, cheat, and steal. In addition to the potential
of getting false information from the operating system you will
also overwrite memory and maybe swap space during the investigation.
If you are interested in examining the memory of the system, you
should probably acquire that before you begin a live analysis.
An issue with doing live analysis with Autopsy is that it requires
Perl, which is a large program and will likely need to depend on
libraries and other files on the suspect system.
How do I make a CD with Autopsy on it?
--------------------------------------------------------------------
You will want to have a trusted CD for a live analysis, and autopsy
makes that fairly easy. Compile autopsy as you would for a normal
dead analysis installation. Then execute 'make live' in Autopsy.
This script will make a 'live-cd' sub-directory in the autopsy directory,
which contains a copy of autopsy and copies of TSK executables, grep,
strings, perl etc:
# make live
Making base directory (./live-cd/)
Copying executables
Copying autopsy files
Creating configuration file using existing settings
Try the 'make static' with TSK to see if you can make static
executables for your platform.
The 'live-cd' directory has a 'bin' directory where additional
executables can be copied to and then the whole directory can be
burned to a CD.
How Do I Use the CD?
--------------------------------------------------------------------
After the CD has been created and there is a system suspected of
being compromised, then it is time to take advantage of the new
features. There are two scenarios for live analysis. The first
scenario uses a network share from a trusted system that you can
write to. In this case, autopsy is run as normal and you specify
the evidence locker directory as the mounted disk. The evidence
locker is specified with '-d':
# ./autopsy -d /mnt/ev_lock 10.1.32.123
The above would start autopsy, use '/mnt/ev_lock/' as the evidence
locker and would allow connections from 10.1.32.123 (where the
investigator would connect from using an HTML browser). Remember that
we do not want to write to the suspect system, so we should only use
a network share and not a local directory in this scenario.
The second scenario does not use an evidence locker and does not
intentionally write any data to disk. This scenario does not need
the network share and each of the devices (or partitions) that will
be analyzed are specified on the command line using the '-i' flags.
The '-i' flag requires three arguments: the device, the file system
type, and the mounting point. For example, to examine the '/dev/hda5'
and '/dev/hda8' partitions on a Linux system, the following could
be used:
# ./autopsy -i /dev/hda5 linux-ext3 / -i /dev/hda8 linux-ext3 /usr/ \
10.1.32.123
The file system type must be one of the types that are supported
by TSK. The remote IP address must also be given, otherwise you
will have to use a browser on the suspect system and that will write
data to the disk.
When you use the '-i' flag, then autopsy will start in the 'Host
Manager' view where you can select the image that you want to
analyze. You will skip the case and host configuration. The default
case name will be 'live', the default host name is 'local', and the
default investigator name is 'unknown'.
Additional Information
--------------------------------------------------------------------
I wrote a more detailed explanation of the live analysis mode of
Autopsy version 2.00 in the 13th issue of The Sleuth Kit Informer.
Some of this document is taken from the Informer issue.
http://www.sleuthkit.org/informer/sleuthkit-informer-13.html
--------------------------------------------------------------------
Copyright (c) 2004 by Brian Carrier. All Rights Reserved
CVS Date: $Date: 2005/01/17 23:24:20 $
|
