ComputerSecurityStudent (CSS) [Login] [Join Now]




|FORENSICS >> Autopsy >> Current Page |Views: 121451

(Autopsy: Lesson 1)

{ Analyzing Deleted JPEGs }


Section 0. Background Information
  • What is Autopsy?
    • The Autopsy Forensic Browser is a graphical interface to the command line digital investigation tools in The Sleuth Kit. Together, they allow you to investigate the file system and volumes of a computer.
    • For more detailed information go to http://www.sleuthkit.org/autopsy/

  • Pre-Requisite Lab
    1. BackTrack: Lesson 1: Installing BackTrack 5 R1
      • Note: This is not absolutely necessary, but if you are a computer security student or a professional, you should have a BackTrack VM.

  • What is the dftt website?
    • Location:  http://dftt.sourceforge.net/
    • dftt stands for Digital Forensics Tool Testing Images.
    • This website contains file systems and disk images for testing digital (computer) forensic analysis and acquisition tools.

  • JPEG Search Test #1
    • This test image is an NTFS file system with 10 JPEG pictures in it. The pictures include files with incorrect extensions, pictures embedded in zip and Word files, and alternate data streams. The goal of this test image is to test the capabilities of automated tools that search for JPEG images.

  • Lab Notes
    • In this lab we will do the following:
      1. Download a test image
      2. Conduct an initial checksum on the test image
      3. Configure Autopsy
      4. Start a New Case
      5. Recovered Deleted Files
      6. Conduct an post checksum on the test image

  • Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2013 No content replication of any kind is allowed without express written permission.

     

Section 1: Configure BackTrack Virtual Machine Settings
  1. Start VMware Player
    • Instructions
      1. For Windows 7
        1. Click Start Button
        2. Search for "vmware player"
        3. Click VMware Player
      2. For Windows XP
        • Starts --> Programs --> VMware Player

     

  2. Edit the BackTrack5R1 VM
    • Instructions:
      1. Select BackTrack5R1 VM
      2. Click Edit virtual machine settings

     

  3. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Network Adapter
      2. Click on the Bridged Radio button
      3. Click on the OK Button
Section 2: Play and Login to BackTrack
  1. Play the BackTrack5R1 VM
    • Instructions:
      1. Click on the BackTrack5R1 VM
      2. Click on Play virtual machine

     

  2. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.

     

  3. Bring up the GNOME
    • Instructions
      1. Type startx

 

Section 3: Preparing your image directory
  1. Start up a terminal window (On BackTrack)
    • Instructions:
      1. Click on the Terminal Window

     

  2. Obtain the IP Address
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      • My IP address 192.168.1.112.
      • In your case, it will probably be different.

     

  3. Directory Preparation
    • Instructions
      1. mkdir -p /var/forensics/images
        • This command creates your directory.
      2. ls -ld /var/forensics/images
        • This command verifies the directory was created.

     

Section 4: Obtaining the JPEG Image
  1. Bring up your Firefox Web Browser
    • Instructions
      1. Applications --> Internet --> Firefox Web Browser

     

  2. Go to the "Digital Forensics Tool Testing Images" Website.

     

  3. Download the Image File
    • Instructions
      1. Under Download, click on the "zip" link.
      2. If the dftt website or zip link is down, click on the alternative link provided --> here.

     

  4. Saving the Image (Part 1)
    • Instructions
      1. Click on the Save File Radio Button
      2. Click on the OK button

     

  5. Saving the Image (Part 2)
    • Instructions
      1. Single Click on File System
      2. Double Click on var

     

  6. Saving the Image (Part 3)
    • Instructions
      1. Double Click on forensics

     

  7. Saving the Image (Part 4)
    • Instructions
      1. Double Click on images

     

  8. Saving the Image (Part 5)
    • Instructions
      1. Click on the Save Button

     

  9. Unzipping the Image
    • Instructions
      1. cd /var/forensics/images
      2. ls -lrta
      3. unzip 8-jpeg-search.zip
      4. cd 8-jpeg-search
      5. ls -lrta
        • Your image file ends in a ".dd"

 

Section 5: Image Integrity Check
  1. Conduct an initial image integrity check
    • Instructions
      1. Click on the terminal window
      2. cd /var/forensics/images/8-jpeg-search
      3. ls -l
      4. md5sum 8-jpeg-search.dd
    • Note(FYI):
      • Before using any tool to do an analysis on image, we need to have a way of showing the initial state of an unaltered image.
      • md5sum does a mathematical calculation of the jpeg image.
      • If Autopsy alters the image, this md5sum will change with our post Image Integrity Check.

 

Section 6: Start Up Autopsy
  1. Start Up Autopsy
    • Instructions
      1. Applications --> BackTrack --> Forensics --> Forensic Suites --> setup Autopsy

     

  2. License Question
    • Have you purchased or downloaded a copy of the NSRL (y/n) [n]
    • Instructions
      1. Press Enter

     

  3. Evidence Locker Question
    • Instructions
      1. Enter the directory that you want to use for the Evidence Locker:
        • /pentest/forensics/autopsy
      2. Press Enter

     

  4. Start Up Autopsy (Part 1)
    • Instructions
      1. ./autopsy
      2. Highlight and Right click on the web address
        • http://localhost:9999/autopsy
      3. Select Open Link

     

Section 7: Creating a New Case in Autopsy
  1. Create a New Case (Part 1)
    • Instructions
      1. Click on the New Case Button.

     

  2. Create a New Case (Part 2)
    • Instructions
      1. Case Name: JPEG-8-Inquiry
      2. Description: Search for Deleted Files
      3. Investigator Names: Your Actual Name Goes Here
      4. Click on the New Case Button

     

  3. Add Host (Part 1)
    • Instructions
      1. Click on the Add Host Button

     

  4. Add Host (Part 2)
    • Instructions
      1. Host Name: JPEG-HOST
      2. Click on the Add Host Button.

     

  5. Add Image (Part 1)
    • Instructions
      1. Click on the Add Image Button

     

  6. Add Image (Part 2)
    • Instructions
    • Bring Up a Terminal Window
      1. cd /var/forensics/images/8-jpeg-search
      2. ls -l
      3. ls $PWD/8-jpeg-search.dd
      4. Highlight and Right click on following string:
        • /var/forensics/images/8-jpeg-search/8-jpeg-search.dd
      5. Select Copy

     

  7. Add Image (Part 3)
    • Instructions
      1. Click on the Add Image File

     

  8. Add Image (Part 4)
    • Instructions
      1. Right Click in the Location Text Box.
      2. Select Paste
    • Note(FYI)
      • The following string should now appear in location text box.
      • /var/forensics/images/8-jpeg-search/8-jpeg-search.dd

     

  9. Add Image (Part 5)
    • Instructions
      1. Type: Select the Partition Radio Button.
      2. Import Method: Select the Symlink Radio Button.
      3. Select the Next Button

     

  10. Add Image (Part 6)
    • Instructions
      1. Data Integrity: Select the "Ignore the hash value for this image" Radio Button.
      2. Mount Point: C:
      3. File System Type: ntfs
      4. Click on the Add Button
    • Note(FYI):
      • Notice that Autopsy identified the File system type of the image as NTFS.

     

  11. Add Image (Part 7)
    • Instructions
      1. Select the OK Button.

     

  12. Conduct an Image Integrity Check
    • Instruction
      1. Click the Image Integrity Button

     

  13. Calculate the MD5 Check Sum.
    • Instruction
      1. Click the Calculate Button

     

  14. Viewing the MD5 Check Sum.
    • Note(FYI):
      • Notice the MD5 Check sum of the 8-jpeg-search.dd image is displayed below.
    • Instruction
      1. Verify the below check sum is the same as Section 5, Step 1.
      2. Click the Close Button

     

Section 8: Analyze Image with Autopsy
  1. Analyze JPEG Image with Autopsy
    • Instructions
      1. Select the Analyze Button

     

  2. Viewing Image Details with Autopsy
    • Instructions
      1. Select the Image Details Button

     

  3. Viewing General File System Details with Autopsy
    • Note(FYI):
      1. Your Image File System Type is NTFS
      2. If you made a backup of the original image, your Volume Serial Number should remain the same. 
        • This is important in a court of law, to demonstrate that the volume serial number of the image you analyzed is the same as the original copy.
      3. The Operating System Version of the Image is Windows XP.

     

  4. Viewing File Analysis Details with Autopsy
    • Instructions
      1. Click the File Analysis Button

     

  5. Viewing deleted files with Autopsy (Part 1)
    • Instructions
      1. Click the All Deleted Files Button in the bottom of the left frame.

     

  6. Viewing deleted files with Autopsy (Part 2)
    • Note(FYI)
      • Notice Autopsy found two files in our image that has been deleted.
      • The file named file6.jpg is obviously a JPEG, but what is file7.hmm.
    • Instructions
      1. Click on the file named file6.jpg

     

  7. Viewing deleted files with Autopsy (Part 3)
    • Note(FYI):
      • Once you click on file6.jpg, the bottom frame displays a thumbnail of the JPEG.
    • Instructions
      1. Click on the Export link to save a copy of the deleted file named file6.jpg.

     

  8. Saving the deleted files with Autopsy (Part 1)
    • Instructions
      1. Click the Save File radio button
      2. Click the OK button.

     

  9. Saving the deleted files with Autopsy (Part 2)
    • Instructions
      1. Single Click on File System
      2. Double Click on the var directory
      3. Double Click on the forensics directory
      4. Double Click on the images directory
      5. Click the Save Button

     

  10. Add Note to file6.jpg (Part 1)
    • Instructions
      1. Click on Add Note

     

  11. Add Note to file6.jpg (Part 2)
    • Instructions
      1. Add the following information inside the Note Text Box
        • Your Actual Name, Current Date and Time, and a Comment
      2. Click the OK button.

     

  12. Verify Notes
    • Instructions
      1. Click the View Notes Button.

     

  13. Close the Child Window.
    • Instructions
      1. Click the "X" on the child window. (See Below)

     

  14. View Deleted File named file7.hmm
    • Instructions
      1. Click on the File Analysis Button
      2. Click on the All Deleted Files Button
      3. Click on file7.hmm

     

  15. Save Deleted File named file7.hmm (Part 1)
    • Note(FYI):
      • Notice the Blue Arrow. 
      • Autopsy identified the file type of file file7.hmm as a JPEG, even though the extension is ".hmm" instead of ".jpg".
      • Also, you can view the thumbnail.
    • Instructions
      1. Click on the Export Link to save the filename file7.hmm.

     

  16. Save Deleted File named file7.hmm (Part 2)
    • Instruction
      1. Click the Save File.

     

  17. Save Deleted File named file7.hmm (Part 3)
    • Instruction
      1. Click on File System.
      2. Navigate to the var directory.
      3. Navigate to the forensics directory.
      4. Navigate to the images directory.
      5. Click on the Save Button

     

  18. Add Note to file7.hmm (Part 1)
    • Instruction
      1. Click on the Add Note link.

     

  19. Add Note to file6.jpg (Part 2)
    • Instructions
      1. Add the following information inside the Note Text Box
        • Your Actual Name, Current Date and Time, and a Comment
      2. Click the OK button.

     

  20. Close Window
    • Instructions
      1. Click the X to close the Window.

     

Section 9: Conduct a Post-Image Integrity Check with Autopsy
  1. Analyze JPEG a Post-Image Integrity Check with Autopsy
    • Instructions
      1. Go to http://localhost:9999/autopsy in your BackTrack Firefox web browser.
      2. Click on the Open Case Button.

     

  2. Open Case
    • Instructions
      1. Make sure the JPEG-8-Inquiry radio button is selected.
      2. Click on the OK button.

     

  3. Image Integrity Check
    • Instructions
      1. Click on the Image Integrity Button.

     

  4. Image Integrity Check
    • Note(FYI):
      • Notice the "original" MD5 Check Sum immediately follows the 8-jpeg-search.dd image.
    • Instructions
      1. Click on the Validate Button.
      2. Below Autopsy compares the original MD5 Check Sum with the current MD5 Check Sum.
    • Note(Why are we doing this?)
      • In general, you want to make sure that your work did not compromise the image.
      • This is particularly important in a court of law, especially evidence law, when the both integrity and chain of custody is interrogated and scrutinized.

 

Section 10: Proof of Lab
  1. Close File System Images
    • Instructions
      1. Click on the Close Button.

     

  2. View Notes (Part 1)
    • Instructions
      1. Click on the View Notes Button.

     

  3. View Notes (Part 2)
    • Instructions
      1. John Gray should appear to have saved the files.
        • John Gray should be your name.
      2. Click the Close Button

     

  4. Open a Terminal Window
    • Instructions
      1. Click on the Terminal Window Icon

     

  5. Proof of Lab
    • Instructions:
      1. cd /pentest/forensics/autopsy/JPEG-8-Inquiry/JPEG-HOST/logs
      2. ls -l
      3. cat unknown.notes
      4. date
      5. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
    • Proof of Lab Instructions:
      1. Do a PrtScn
      2. Paste into a word document
      3. Upload to Moodle

 



Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth