Autopsy Forensics Browser
www.cerias.purdue.edu/homes/carrier/forensics

Quick Overview
-----------------------------------------------------------------------------
The Autopsy Forensic Browser is a graphical interface to utilities found in
The Coroner's Toolkit (TCT) and TCTUTILs. It allows drive images to be
analyzed at the file, block, and inode level. It also allows easy searches
for strings in images. Since autopsy uses the fls(1) utility from TCTUTILs,
deleted file names are shown when browsing, and on some operating systems
recently deleted files can be recovered easily.

Main Functions
-----------------------------------------------------------------------------
FILE BROWSING: Allows browsing the image as a file system. This gives a list
of directories on the left, and files and file content on the right hand
side. The content of each file can be viewed as ASCII or run through
strings(1), if that utility exists. Since this analyzes the directory entries
directly, deleted file names can still be seen and, depending on the OS, the
deleted file contents can also be recovered easily. A file name preceded by a
* has been deleted. The directory listing can be re-sorted by name, size,
times, etc. by selecting the appropriate column header.

INODE BROWSING: Allows browsing by inode number. Enter an inode number and
see the details of that entry. The file name(s) that reference the inode are
also displayed (even for deleted files, on some OSes). Inode browsing can
also be reached from file browsing: when a file's inode number is selected,
the browser switches to inode mode and displays the inode details. The
blocks that the inode has allocated can then be viewed with block browsing.

BLOCK BROWSING: Allows browsing by block number. This is most useful when
combined with searching or inode browsing. The contents of the block can be
displayed as ASCII, as a hexdump, or by running the raw output through
strings(1). The inode that has allocated the block is displayed (if any),
along with the file name (if any).

IMAGE SEARCHING: Search an image using grep(1) for a given string. The result
is a list of blocks that contain the string. Selecting a block brings the
user into block browsing mode to view its contents. Only literal strings are
currently supported; regular expressions will hopefully be supported in the
future.

REPORT GENERATION: Each of the above browsing modes allows a report to be
generated. The report lists the date, MD5 value, investigator, and other
context information in text format. This can be used for record keeping when
deleted blocks of data have been found.

Requirements
-----------------------------------------------------------------------------
Supported Platforms: autopsy will run on any system that is supported by TCT
and TCTUTILs.

autopsy needs the following software:

The Coroner's Toolkit (TCT) (1.06 or above):
    www.fish.com/tct
    www.porcupine.org/forensics/tct.html

TCTUTILs (1.0 or above):
    www.cerias.purdue.edu/homes/carrier/forensics

PERL (5.002 or above)

Regular Usage
------------------------------------------------------------------------------
To use autopsy:

1. Place drive images in the morgue directory. They should be created using
   something like:

       dd if=/dev/rawdevice of=imagefile

   Image file names must use only simple characters: letters, digits, '-',
   '_', and '.'. See Security Considerations for more details.

2. Add the new images to the fsmorgue file. The format is the image name, a
   tab (or any white space), and the directory it was originally mounted on
   (e.g. /usr/).

3. Update the zoneinfo file in the morgue directory if the imaged machine
   was in a different time zone. For example, if the images are from a
   machine in CST (GMT-6) and they are being analyzed in EST (GMT-5), then
   zoneinfo should contain '-1'.

4. Start the autopsy daemon:

       # ./autopsy 8888 localhost

5. Point your web browser at the location printed to stdout:

       host:port/cookie/autopsy

Security Considerations
-------------------------------------------------------------------------
The autopsy server is a perl program that only processes autopsy URLs. It
offers simple access control by limiting connections to the server to one
host, and uses a random numeric "cookie" to further authenticate the user.
The random cookie is generated when the server starts and must be present in
every URL. This lets an investigator use a shared machine while restricting
access to that investigator alone. The recommended use is to allow access
only from localhost, so that no traffic is ever sent on the network. Note
that the cookie travels in the URL over plain HTTP, so it can end up in
browser history and in proxy or web server logs; this is one more reason to
keep the server restricted to localhost.

File names in the morgue directory must be very simple (letters, digits,
'-', '_', and '.'). This allows fast and easy checking of file names passed
in the URL and prevents a request from moving out of the morgue directory.
Symbolic links can be created between the simple names and more complex
ones.

Troubleshooting
------------------------------------------------------------------------------
The Main Menu doesn't have my image:
    Update and verify the fsmorgue file.

The times that are displayed don't seem right:
    Verify that the time zone file (zoneinfo) is correct.

Autopsy is complaining that it can't find X:
    Verify the variable settings in conf.pl (see the INSTALL file).

Affiliation
------------------------------------------------------------------------------
This tool is not a result of Purdue University or CERIAS funded research.

Author Info
------------------------------------------------------------------------------
brian carrier [carrier@cerias.purdue.edu]
Mar 17, 2001
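The following Python script is an illustration added to this README; it is not part of Autopsy (which is written in Perl) and does not reproduce its code. It models the morgue conventions from Regular Usage and Security Considerations: parsing an fsmorgue file (image name, white space, original mount point), reading the zoneinfo hour offset and applying it to an inode timestamp, checking that an image name uses only the allowed characters, and checking a request against the single permitted host and the random numeric cookie in the URL path. Assumptions not stated in the README are labelled in the comments: '#' comment lines in fsmorgue, rejection of the names '.' and '..', and the sample fsmorgue/zoneinfo contents, which are constructed.

```python
"""Model of Autopsy's morgue conventions (illustration added to this README,
not Autopsy's own Perl code). Sample fsmorgue/zoneinfo text is constructed."""
import hmac
import re
import secrets
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Character class the README allows for image names: letters, digits, '-', '_', '.'
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def is_safe_image_name(name):
    """True only for names that cannot leave the morgue directory.
    '.' and '..' pass the character class but name directories, so they are
    rejected as well (an extra check, not stated in the README)."""
    return bool(SAFE_NAME.match(name)) and name not in (".", "..")


def parse_fsmorgue(text):
    """Parse fsmorgue lines of the form '<image> <original mount point>'.
    Blank lines and '#' comments are skipped (assumed convention).
    Returns a list of (image, mountpoint); raises ValueError on bad lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError("fsmorgue line %d: expected '<image> <mountpoint>'" % lineno)
        image, mountpoint = fields
        if not is_safe_image_name(image):
            raise ValueError("fsmorgue line %d: unsafe image name %r" % (lineno, image))
        if not mountpoint.startswith("/"):
            raise ValueError("fsmorgue line %d: mount point must be absolute" % lineno)
        entries.append((image, mountpoint))
    return entries


def parse_zoneinfo(text):
    """zoneinfo holds the whole-hour difference between the imaged host's zone
    and the analysis host's zone (e.g. '-1' for a CST image examined in EST)."""
    text = text.strip()
    return int(text) if text else 0


def display_time(epoch, analysis_utc_offset_hours, zoneinfo_hours):
    """Render an inode timestamp (UTC epoch seconds) as the imaged host would
    have shown it: the analysis host's local zone shifted by zoneinfo."""
    tz = timezone(timedelta(hours=analysis_utc_offset_hours + zoneinfo_hours))
    return datetime.fromtimestamp(epoch, tz).strftime("%Y-%m-%d %H:%M:%S")


def new_cookie():
    """Random numeric cookie, generated once when the server starts."""
    return str(secrets.randbelow(10 ** 12))


def request_allowed(peer_host, request_target, cookie, allowed_host="localhost"):
    """Model of the README's two access controls: the connecting peer must be
    the one permitted host, and the URL path must be /<cookie>/autopsy[...]."""
    if peer_host != allowed_host:
        return False
    segments = urlsplit(request_target).path.split("/")
    # segments[0] is '' (leading slash), [1] the cookie, [2] must be 'autopsy'
    if len(segments) < 3 or segments[2] != "autopsy":
        return False
    # constant-time comparison so the cookie cannot be guessed byte by byte
    return hmac.compare_digest(segments[1], cookie)


# Constructed sample inputs (not real case data)
SAMPLE_FSMORGUE = "# image\tmount point\nhda1.dd\t/\nhda5.dd /usr/\n"
SAMPLE_ZONEINFO = "-1\n"

if __name__ == "__main__":
    for image, mnt in parse_fsmorgue(SAMPLE_FSMORGUE):
        print(image, "was mounted on", mnt)
    # epoch 0 is 1970-01-01 00:00 UTC; in EST shifted by -1 hour it reads 1969-12-31 18:00
    print(display_time(0, -5, parse_zoneinfo(SAMPLE_ZONEINFO)))
```

The file name check is the whole of the path-traversal defence the README describes: because the name must match the simple character class before it is ever joined to the morgue directory, a request cannot contain a slash, and any more complex real name is reached through a symbolic link with a simple name instead.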