The Autopsy Forensic Browser

The Autopsy Forensic Browser is a graphical interface to the command line digital forensic analysis tools in The Sleuth Kit. Together, The Sleuth Kit and Autopsy provide many of the same features as commercial digital forensics tools for the analysis of Windows and UNIX file systems (NTFS, FAT, FFS, EXT2FS, and EXT3FS). The Sleuth Kit and Autopsy are both Open Source and run on UNIX platforms. As Autopsy is HTML-based, the investigator can connect to the Autopsy server from any platform using an HTML browser. Autopsy provides a "File Manager"-like interface and shows details about deleted data and file system structures.

Features include:

* Case Management: Investigations are organized by cases, which can contain one or more hosts. Each host is configured with its own timezone setting and clock skew so that the times shown are the same as the original user would have seen. Each host can contain one or more file system images to analyze. Configuration files are stored as ASCII text and standard directories are used to organize the cases. This makes it easy to incorporate other tools and customize the environment.

* File Analysis: Analyze the file system image from the perspective of files and directories. This mode shows the file system contents in the same way that normal users see them. Because The Sleuth Kit is processing the image, the investigator is also shown data that is normally hidden by the operating system, such as deleted file names.

* File Content Analysis: The contents of files can be viewed in ASCII or by extracting the ASCII strings from binary files for basic executable analysis. Care is taken to ensure that the HTML browser does not process the file content. For example, an HTML file would be shown as raw text and not the formatted version. When an investigator wants to view an HTML file, Autopsy has a 'Sanitized Cell' where it edits the HTML so that the browser does not make connections to external servers or execute potentially malicious scripting code. Autopsy does not use any client-side scripting languages.

* Hash Databases: When examining a system with thousands of files on it, it is useful to ignore files that are known to be good and identify files that are known to be bad. Hash databases allow one to easily identify whether a file is known, even if it has been renamed. Autopsy uses the NIST National Software Reference Library (NSRL) to identify known and trusted files and a user-created 'Ignore Database' of files that can be ignored. Autopsy also has a user-created 'Alert Database' of files that should be identified if they are found (such as rootkits). Note that "known" in the NSRL means the file came from a catalogued software product, not that it is harmless; the NSRL also catalogues some hacking tools, so an NSRL hit is a data-reduction aid rather than a clean bill of health.

* File Type: One technique of data reduction in file system analysis is to organize the files based on their type. Autopsy can examine each file in a file system image and ignore those found in the ignore and NSRL hash databases, raise an alert for those found in the alert hash database, and sort the remainder based on their type. Autopsy can extract only graphic images if they are the purpose of an investigation (including thumbnails). The extension of each file is also compared to its detected type to identify files whose extension may have been changed to hide them.

* Timeline of File Activity: In some cases, having a timeline of file activity can help identify areas of a file system that may contain evidence. Autopsy can create timelines that contain entries for the Modified, Accessed, and Changed (MAC) times of both allocated and unallocated files.

* Keyword Search: Keyword searches of the file system image can be performed using ASCII strings and grep regular expressions. Searches can be performed on either the full file system image or just the unallocated space. An index file can be created for faster searches. Strings that are frequently searched for can be easily configured into Autopsy for automated searching.

* Event Sequencer: Time-based events can be added from file activity or from IDS and firewall logs. Autopsy sorts the events so that the sequence of incident events can be more easily determined.

* Notes: Notes can be saved on a per-host and per-investigator basis. These allow an investigator to make quick notes about files and structures. The original location can be easily recalled with the click of a button when the notes are later reviewed. All notes are stored in an ASCII file.

* Meta Data Analysis: Meta data structures contain the details about files and directories. Autopsy allows one to view the details of any meta data structure in the file system. This is useful for recovering deleted content. Autopsy will search the directories to identify the full path of the file that has allocated the structure.

* Data Unit Analysis: Data units are where the file content is stored. Autopsy allows one to view the contents of any data unit in a variety of formats including ASCII, hexdump, and strings. The file type is also given, and Autopsy will search the meta data structures to identify which one has allocated the data unit.

* Image Details: File system details can be viewed, including on-disk layout and times of activity. This mode provides information that is useful during data recovery.

* Image Integrity: It is crucial to ensure that files are not modified during analysis. Autopsy, by default, will generate an MD5 value for all files that are imported or created. The integrity of any file that Autopsy uses can be validated at any time. MD5 is adequate for detecting accidental modification, but it is no longer collision resistant, so where the integrity record may be challenged it is worth recording a second hash (for example SHA-256) with an external tool alongside Autopsy's MD5.

* Reports: Autopsy can create ASCII reports for files and other file system structures. This enables the investigator to quickly make consistent data sheets during the investigation.

* Logging: Audit logs are created at the case, host, and investigator level so that actions can be easily recalled.

* Open Design: The code of Autopsy is open source and all files that it uses are in a raw format. All configuration files are in ASCII text and cases are organized by directories. This makes it easy to export the data and archive it. It also does not restrict one from using other tools that may solve a specific problem more appropriately.

* Client Server Model: Autopsy is HTML-based and therefore the investigator does not have to be on the same system as the file system images. This allows multiple investigators to use the same server and connect from their personal systems.

Autopsy is written in Perl and runs on the same UNIX platforms as The Sleuth Kit:

* Linux
* Mac OS X
* OpenBSD and FreeBSD
* Solaris

The Autopsy homepage is located at: http://www.sleuthkit.org/autopsy/

Cryptographic signatures and checksums may be provided by the developers at the URL(s) above. Wiretapped recommends that users check these before use of the software/information.
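The 'Sanitized Cell' described under File Content Analysis above rewrites an evidence HTML page so that the investigator's browser neither fetches remote resources nor runs script. The following is an added example of that idea in Python, not Autopsy's own Perl sanitizer: the tag and attribute lists are this example's choices, the `data-sanitized-*` attribute names are invented here so the original URLs stay readable but inert, and the sample page is constructed.

```python
"""Sanitize an HTML file so a browser renders it without fetching remote
resources or running script, in the spirit of Autopsy's 'Sanitized Cell'.

Added example, not Autopsy's code. Tag/attribute lists and the
data-sanitized-* attribute names are this example's own choices.
"""
import html
from html.parser import HTMLParser

# Elements removed together with their content.
DROP_WITH_CONTENT = {"script", "style"}
# Elements removed outright (their children, if any, are kept).
DROP_TAG = {"iframe", "frame", "frameset", "object", "embed", "applet",
            "link", "base", "meta", "form", "input", "button", "noscript"}
# Attributes that name a resource the browser would fetch or navigate to.
URL_ATTRS = {"src", "href", "action", "formaction", "background", "poster",
             "srcset", "data", "codebase", "ping", "cite", "longdesc",
             "xlink:href", "manifest", "usemap"}


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside a script/style element

    def _clean_attrs(self, attrs):
        kept = []
        for name, value in attrs:
            lname = name.lower()
            value = "" if value is None else value
            if lname.startswith("on") or lname == "style":
                continue  # event handlers; CSS can load url(...) resources
            if lname in URL_ATTRS:
                # keep the original URL for the investigator, but as inert data
                kept.append(("data-sanitized-" + lname.replace(":", "-"), value))
                continue
            kept.append((lname, value))
        return "".join(f' {n}="{html.escape(v, quote=True)}"' for n, v in kept)

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag in DROP_TAG:
            return
        self.out.append(f"<{tag}{self._clean_attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        if self.skip_depth or tag in DROP_TAG or tag in DROP_WITH_CONTENT:
            return
        self.out.append(f"<{tag}{self._clean_attrs(attrs)} />")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag in DROP_TAG:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            # convert_charrefs decoded entities; re-escape so text stays text
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # dropped: conditional comments can smuggle markup


def sanitize_html(document):
    parser = Sanitizer()
    parser.feed(document)
    parser.close()
    return "".join(parser.out)


# Constructed sample evidence page using the usual ways a page phones home.
SAMPLE = """<html><head><meta http-equiv="refresh" content="0;url=http://evil.example/">
<link rel="stylesheet" href="http://evil.example/s.css"><script>fetch('http://evil.example/x')</script></head>
<body onload="alert(1)"><p style="background:url(http://evil.example/b.png)">Hello &amp; welcome</p>
<img src="http://evil.example/t.gif" onerror="alert(2)" alt="beacon">
<a href="http://evil.example/login">login</a></body></html>"""

if __name__ == "__main__":
    print(sanitize_html(SAMPLE))
```

This is a deny-list: anything not explicitly dropped is passed through with its URL-bearing attributes neutralised. An allow-list of permitted tags and attributes is stricter and is what a production viewer should use; the point the example makes is that every channel (script blocks, event handlers, `style`, `<meta refresh>`, `<link>`, `<img src>`) has to be covered, not just `<script>`.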
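The Hash Databases and File Type bullets above describe one pipeline: hash every file, drop NSRL and ignore-list hits, flag alert-list hits, then sort the rest by detected type and compare that type with the file's extension. The following is an added example of that pipeline in Python, not Autopsy's or The Sleuth Kit's code. The NSRL text is a constructed fragment in the legacy NSRLFile.txt column layout, the ignore and alert databases are md5sum-style lines, the sample files are constructed byte strings (their hashes are computed at start-up so the example runs offline), and the magic-byte table is this example's own short list.

```python
"""Hash-database triage and file-type sorting, as Autopsy's Hash Databases
and File Type modes describe. Added example, not Autopsy's code; databases,
files and signature tables are constructed for the example."""
import csv
import hashlib
import io


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def parse_nsrl(text):
    """Return the MD5 column of NSRLFile.txt-style CSV as a lowercase set."""
    return {row["MD5"].strip().lower() for row in csv.DictReader(io.StringIO(text))}


def parse_md5sum(text):
    """Parse 'hash  filename' lines as written by md5sum; blank/comment lines ignored."""
    hashes = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            hashes.add(line.split()[0].lower())
    return hashes


SIGNATURES = [  # (magic prefix, type label); deliberately short
    (b"MZ", "exe"), (b"\x7fELF", "elf"), (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"), (b"GIF87a", "gif"), (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"), (b"PK\x03\x04", "zip"), (b"\x1f\x8b", "gz"),
]
EXTENSION_TYPES = {"exe": "exe", "dll": "exe", "sys": "exe", "png": "png",
                   "jpg": "jpg", "jpeg": "jpg", "gif": "gif", "pdf": "pdf",
                   "zip": "zip", "gz": "gz", "tgz": "gz", "txt": "text",
                   "log": "text", "htm": "text", "html": "text"}
IMAGE_TYPES = {"png", "jpg", "gif"}


def sniff_type(data):
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    try:
        data.decode("ascii")
        return "text"
    except UnicodeDecodeError:
        return "data"


def triage(files, nsrl, ignore, alert):
    """files: {name: bytes}. Returns {name: (category, detected_type, note)}."""
    results = {}
    for name, data in files.items():
        digest = md5_hex(data)
        detected = sniff_type(data)
        if digest in alert:           # checked first: a bad file must never be silenced by an ignore hit
            results[name] = ("alert", detected, "matches alert database")
            continue
        if digest in nsrl or digest in ignore:
            results[name] = ("known", detected, "in NSRL/ignore database")
            continue
        ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
        expected = EXTENSION_TYPES.get(ext)
        if expected is not None and expected != detected:
            results[name] = ("mismatch", detected, f"extension .{ext} but content is {detected}")
        elif detected in IMAGE_TYPES:
            results[name] = ("image", detected, "")
        else:
            results[name] = ("other", detected, "")
    return results


# Constructed sample evidence. The reference bytes stand in for a known-good
# and a known-bad binary; their hashes populate the databases below.
CLEAN_CALC = b"MZ\x90\x00" + b"\x00" * 60
ROOTKIT_LS = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"rk-ls"

NSRL_TEXT = (
    '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"\n'
    f'"{hashlib.sha1(CLEAN_CALC).hexdigest().upper()}","{md5_hex(CLEAN_CALC).upper()}",'
    f'"00000000","calc.exe","{len(CLEAN_CALC)}","1","1",""\n'
)
IGNORE_TEXT = "# investigator's own ignore list (md5sum output)\n"
ALERT_TEXT = f"{md5_hex(ROOTKIT_LS)}  ls\n"

FILES = {
    "calc.exe": CLEAN_CALC,
    "bin/ls": ROOTKIT_LS,
    "vacation.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 20,
    "notes.txt": b"\x89PNG\r\n\x1a\n" + b"\x00" * 20,   # image hidden behind a .txt extension
    "README": b"plain text readme\n",
}


def run_triage():
    return triage(FILES, parse_nsrl(NSRL_TEXT), parse_md5sum(IGNORE_TEXT), parse_md5sum(ALERT_TEXT))


if __name__ == "__main__":
    for name, (category, detected, note) in run_triage().items():
        print(f"{category:8} {detected:5} {name}  {note}")
```

The NSRL hashes are upper-case hex in the distributed files while md5sum emits lower-case, which is why both parsers normalise case before the lookup; a triage that forgets this silently matches nothing.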
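The Timeline of File Activity bullet above, together with the per-host timezone and clock skew from Case Management, amounts to a small mactime: collect the M, A and C (and creation) times of every entry, bucket entries that share a timestamp, and print them in order with the host's time correction applied. The following is an added example of that in Python, not Autopsy's or The Sleuth Kit's code. The body lines are constructed to look like `fls -m` / `ils -m` output in the TSK 3.x layout (`MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime`, epoch seconds), the assumption that a zero timestamp means "not recorded by this file system" is this example's, and the skew convention is also this example's: `skew_seconds` is how far ahead the suspect machine's clock ran and is subtracted from every timestamp.

```python
"""mactime-style timeline from Sleuth Kit body-format lines, with the
per-host timezone and clock skew applied. Added example, not Autopsy's or
The Sleuth Kit's code; body lines and the skew convention are this example's."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: two allocated files, one deleted name from fls, and an
# unallocated inode as ils -m names it.
BODY_LINES = [
    "0|/etc/passwd|1034|r/rrw-r--r--|0|0|1203|1041490200|1041379200|1041379200|0",
    "0|/root/.bash_history|2056|r/rrw-------|0|0|412|1041492600|1041492600|1041492600|0",
    "0|/tmp/rootkit.tgz (deleted)|3301|r/rrw-r--r--|0|0|88214|1041491100|1041490800|1041490950|0",
    "0|<hda1.dd-dead-4410>|4410|-/-rw-r--r--|0|0|0|1041493000|1041493000|1041493000|0",
]

EST = timezone(timedelta(hours=-5), "EST")   # fixed offset so the example needs no tz database


@dataclass
class BodyEntry:
    name: str
    inode: str
    mode: str
    uid: str
    gid: str
    size: int
    atime: int
    mtime: int
    ctime: int
    crtime: int
    deleted: bool


def parse_body_line(line):
    fields = line.rstrip("\n").split("|")
    if len(fields) != 11:
        raise ValueError(f"expected 11 body fields, got {len(fields)}: {line!r}")
    _md5, name, inode, mode, uid, gid, size, atime, mtime, ctime, crtime = fields
    deleted = name.endswith("(deleted)") or "-dead-" in name
    return BodyEntry(name, inode, mode, uid, gid, int(size),
                     int(atime), int(mtime), int(ctime), int(crtime), deleted)


def build_timeline(lines, tz=timezone.utc, skew_seconds=0):
    """Return rows sorted by corrected time:
    (datetime, size, 'macb' flags, mode, uid, gid, inode, name)."""
    buckets = {}   # (epoch, inode, name) -> (entry, set of flags sharing that time)
    for entry in (parse_body_line(l) for l in lines):
        for flag, t in (("m", entry.mtime), ("a", entry.atime),
                        ("c", entry.ctime), ("b", entry.crtime)):
            if t == 0:      # assumption: 0 = timestamp not recorded (e.g. crtime on ext2)
                continue
            buckets.setdefault((t, entry.inode, entry.name), (entry, set()))[1].add(flag)
    rows = []
    for (t, inode, name), (entry, flags) in sorted(buckets.items()):
        when = datetime.fromtimestamp(t - skew_seconds, tz=tz)
        macb = "".join(f if f in flags else "." for f in "macb")
        rows.append((when, entry.size, macb, entry.mode, entry.uid, entry.gid, inode, name))
    return rows


def format_timeline(rows):
    return [f"{when.strftime('%a %b %d %Y %H:%M:%S %Z')} {size:>8} {macb} {mode} "
            f"{uid:>4} {gid:>4} {inode:>6} {name}"
            for when, size, macb, mode, uid, gid, inode, name in rows]


if __name__ == "__main__":
    # Host configured as US Eastern with a clock that ran one hour fast.
    for line in format_timeline(build_timeline(BODY_LINES, tz=EST, skew_seconds=3600)):
        print(line)
```

Two points the output makes visible: a file whose mtime and ctime coincide collapses into one `m.c.` row rather than two, and a skew correction can move an event across a day boundary (the 00:00 UTC write on 2003-01-01 lands on the evening of 2002-12-31 in EST after subtracting the hour), which is why the correction belongs in the host configuration rather than being applied by eye afterwards.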
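The Keyword Search and Data Unit Analysis bullets above describe searching the raw image (or only its unallocated space) with strings and grep regular expressions, then mapping each hit back to the data unit that holds it. The following is an added example of that in Python, not Autopsy's or The Sleuth Kit's code: the eight-block image, its 512-byte block size and its allocation set are constructed here, whereas in practice the allocation status comes from the file system's block bitmap (what TSK's `dls`/`blkls` walks to produce the unallocated-only view).

```python
"""Keyword search over a raw image with hits mapped to data units and to
allocation status. Added example, not Autopsy's or The Sleuth Kit's code;
the image, block size and allocation set are constructed."""
import re

BLOCK_SIZE = 512
ALLOCATED = {0, 1, 2, 3, 4}   # blocks 5, 6, 7 are free: deleted content lives there


def make_sample_image():
    img = bytearray(8 * BLOCK_SIZE)

    def put(block, data, at=0):
        start = block * BLOCK_SIZE + at
        img[start:start + len(data)] = data

    put(2, b"root:x:0:0:root:/root:/bin/bash\n")      # allocated: /etc/passwd fragment
    put(3, b"x" * 508 + b"SECR")                        # allocated: keyword split across
    put(4, b"ETKEY\n")                                  #   a block boundary
    put(5, b"connect 10.0.0.5 4444\n")                  # unallocated: deleted script
    put(7, b"deleted log: login from 192.168.1.20\n")   # unallocated: deleted log
    return bytes(img)


def ascii_strings(image, min_len=4):
    """Yield (offset, string) for printable-ASCII runs, like strings(1) / an index pass."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, image):
        yield m.start(), m.group().decode("ascii")


def search_image(image, pattern, allocated, block_size=BLOCK_SIZE,
                 unallocated_only=False, regex=False):
    """pattern: a bytes keyword, or a bytes regex when regex=True.
    Returns one dict per hit with its byte offset, first/last data unit,
    offset inside the first unit and allocation status."""
    rx = re.compile(pattern) if regex else re.compile(re.escape(pattern))
    hits = []
    for m in rx.finditer(image):
        first = m.start() // block_size
        last = (m.end() - 1) // block_size
        in_alloc = any(b in allocated for b in range(first, last + 1))
        if unallocated_only and in_alloc:
            continue   # mirrors searching the dls/blkls output: allocated units are absent
        hits.append({
            "offset": m.start(),
            "block": first,
            "end_block": last,
            "in_block": m.start() % block_size,
            "allocated": in_alloc,
            "match": m.group(),
        })
    return hits


if __name__ == "__main__":
    img = make_sample_image()
    ipv4 = rb"\b(?:\d{1,3}\.){3}\d{1,3}\b"
    for h in search_image(img, ipv4, ALLOCATED, regex=True, unallocated_only=True):
        print(f"unit {h['block']} +{h['in_block']} (offset {h['offset']}): {h['match']!r}")
    for h in search_image(img, b"SECRETKEY", ALLOCATED):
        print(f"spans units {h['block']}-{h['end_block']}: {h['match']!r}")
```

Two caveats a practitioner would want. The `SECRETKEY` hit only exists because the search runs over the raw image; in the unallocated-only view the same bytes are contiguous only if both blocks are free and adjacent in the extracted output. And an ASCII grep will not find keywords stored as UTF-16 (Windows registry, many NTFS-resident strings) or split by null bytes, so a negative result from an ASCII keyword search is weak evidence.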