Sleuth Kit: an open-source forensic tool used to analyze Disk Images and Restore Files


SIFT is an Ubuntu-based forensic distribution provided by SANS. It bundles many forensic tools, including The Sleuth Kit and Autopsy. However, The Sleuth Kit and Autopsy can be installed directly on Ubuntu or Fedora without downloading the whole SIFT image.

The Sleuth Kit is an open-source digital forensics toolkit for analysing disk images and recovering deleted files after an incident; its command-line tools (mmls, fsstat, fls, icat and others) read the file system structures directly from a raw image. Autopsy is a browser-based front end to The Sleuth Kit that exposes its functions through a web interface. Both are available on Linux and Windows.

 

Install Sleuth kit

First, download The Sleuth Kit source from the sleuthkit project's download page (this article uses version 4.1.3). In a terminal, fetch it with wget:

  # wget http://cznic.dl.sourceforge.net/project/sleuthkit/sleuthkit/4.1.3/sleuthkit-4.1.3.tar.gz

The download goes over plain HTTP from a mirror, so compare the tarball against the checksum listed on the download page before building it.

Extract the tarball and change into the directory it creates:

  # tar -xvzf sleuthkit-4.1.3.tar.gz
  # cd sleuthkit-4.1.3

Before building, run the configure script, which checks for the compiler and the libraries The Sleuth Kit needs:

  # ./configure

Then compile with make:

  # make

Finally, install it under /usr/local (this step needs root, which the # prompt indicates):

  # make install

 

Install the Autopsy Tool

With The Sleuth Kit installed, we now install the Autopsy front end for it. Download Autopsy from the sleuthkit Autopsy page; in a terminal, fetch it with wget:

  # wget http://kaz.dl.sourceforge.net/project/autopsy/autopsy/2.24/autopsy-2.24.tar.gz

Extract the autopsy-2.24.tar.gz tarball:

  # tar -xvzf autopsy-2.24.tar.gz

The Autopsy configure script asks for two paths: the NSRL (NIST National Software Reference Library) hash set, and the Evidence Locker directory.

Answer "n" to the NSRL question (it is optional and not used here). Then create an Evidence_Locker directory under /usr/local and give its path to the script. Autopsy stores its configuration files, audit logs and all case output there, so place it on a volume with enough space and restrict access to it.

  # mkdir /usr/local/Evidence_Locker
  # cd autopsy-2.24
  # ./configure

After you enter the Evidence_Locker path, the script writes the configuration and prints the command for starting Autopsy.

Run ./autopsy in the autopsy-2.24 directory to start the Autopsy server, the web GUI for The Sleuth Kit:

  # ./autopsy

By default it listens only on localhost, port 9999. It is meant to be used on the analysis machine itself; do not expose it to untrusted networks. Open the following address in a browser to reach the interface:

  http://localhost:9999/autopsy

The Autopsy main page opens.

Click New Case to start. Enter a case name, a description of the investigation and the names of the examiners.

The next page shows the details you just entered. Click Add Host to describe the machine being analysed.

On the next page enter the host name, a description and the time zone of the machine being analysed (the time zone matters when file timestamps are interpreted).

After adding a host, click Add Image to add an image file for forensic analysis.

Click Add Image File. The next page asks for the path of the image file, the image type (Disk or Partition) and the import method (Symlink, Copy or Move).

In our example we enter the path of a Linux partition image, so the image type is Partition.

Click Next. On the following page choose to calculate the hash value of the image (Autopsy can also check it against a value you already have). Autopsy detects the file system type of the image at this point as well.

Record the MD5 value of the image before any analysis starts and compare it again when you are done: an unchanged hash is your evidence that the image was not altered. Because MD5 collisions are practical today, record a SHA-256 of the same image (for example with sha256sum) alongside it.

On the next page, Autopsy shows the following information about the image file:

  • Mount point of the image
  • Image name
  • File System Type of the given image

Click Details for more information about the image. From here you can also export the unallocated space and extract the strings of the volume, which makes later keyword searches faster.

Click Analyze to start the analysis. This opens another page with several modes for examining the image.

During image analysis, Autopsy provides the following functions:

  • File Analysis
  • Keyword Search
  • File Type
  • Image details
  • Data Unit
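Keyword Search and Data Unit both work on the raw bytes of the image, independent of the file system: every printable run is extracted together with its byte offset, a hit is located by offset, and the offset divided by the block size gives the data unit to display. The following Python script is an added illustration of that mechanism, not code from the article or from The Sleuth Kit; the 512-byte block size and the sample strings placed in the constructed image are assumptions made for the example.

```python
import re

BLOCK_SIZE = 512  # assumed data-unit size (sector-sized blocks) for the constructed image


def build_raw_image(block_size=BLOCK_SIZE, blocks=8):
    """Constructed sample: an 8-block raw image with one ASCII string in
    block 3 and one UTF-16LE string in block 5. Not real evidence."""
    img = bytearray(block_size * blocks)
    img[0:4] = b"\x7fELF"                      # only 3 printable bytes: below the minimum run length
    note = b"invoice_2014.pdf was emailed to carol"
    img[3 * block_size + 100:3 * block_size + 100 + len(note)] = note
    wide = "Secret Plan v2".encode("utf-16-le")
    img[5 * block_size + 8:5 * block_size + 8 + len(wide)] = wide
    return bytes(img)


def extract_strings(data, min_len=4):
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, both ASCII and UTF-16LE (Windows wide strings)."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def keyword_search(data, keyword, block_size=BLOCK_SIZE):
    """Find keyword (ASCII case-insensitive) in both encodings and map each
    hit to the data unit (block) that contains it."""
    patterns = {
        "ascii": re.escape(keyword.encode("ascii")),
        "utf-16le": re.escape(keyword.encode("utf-16-le")),
    }
    hits = []
    for encoding, pat in patterns.items():
        for m in re.finditer(pat, data, re.IGNORECASE):
            hits.append({
                "offset": m.start(),
                "block": m.start() // block_size,
                "offset_in_block": m.start() % block_size,
                "encoding": encoding,
            })
    return sorted(hits, key=lambda h: h["offset"])


def data_unit(data, block, block_size=BLOCK_SIZE):
    """Return the raw contents of one block, as Autopsy's Data Unit view does."""
    return data[block * block_size:(block + 1) * block_size]


if __name__ == "__main__":
    image = build_raw_image()
    for off, enc, text in extract_strings(image):
        print(f"{off:8d} {enc:9s} {text}")
    for hit in keyword_search(image, "plan"):
        print(hit)
```

The UTF-16LE pass matters on images taken from Windows systems, where registry values, shortcuts and many document formats store text as wide characters that a plain ASCII strings run never sees.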

File Analysis on the Linux partition image works as follows:

It lists every file and directory in the image and lets you view or export them. Deleted files whose metadata still exists are listed as well (Autopsy shows them in red), and their content can be recovered in the same way.
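To show what the recovery of deleted files relies on, the following Python script (an added example, not from the article or from The Sleuth Kit) builds a small FAT12 image in memory with one live and one deleted file, then does what fls -d and icat do for FAT: read the directory entries, report the entry whose first byte is 0xE5 as deleted, and pull its first cluster back using the start cluster and size that the delete left behind. The image geometry, file names and contents are all constructed for the example.

```python
import struct

DIR_ENTRY = 32  # size of one FAT directory entry


def build_fat12_image():
    """Constructed FAT12 image: 8 x 512-byte sectors, one FAT, 16 root entries,
    holding NOTES.TXT and a deleted SECRET.TXT. Not real evidence."""
    bps, spc, reserved, nfats, root_entries, total, spf = 512, 1, 1, 1, 16, 8, 1
    img = bytearray(bps * total)
    img[0:3] = b"\xEB\x3C\x90"
    img[3:11] = b"MSWIN4.1"
    struct.pack_into("<HBHBHHBH", img, 0x0B,
                     bps, spc, reserved, nfats, root_entries, total, 0xF8, spf)
    img[510:512] = b"\x55\xAA"

    fat = reserved * bps
    # FAT12 entries 0/1 reserved, cluster 2 = end of chain, cluster 3 = free (zeroed on delete)
    img[fat:fat + 6] = b"\xF8\xFF\xFF\xFF\x0F\x00"

    root = (reserved + nfats * spf) * bps
    data = root + root_entries * DIR_ENTRY
    notes = b"meeting at noon"
    secret = b"password=hunter2\n"

    def entry(name11, first_cluster, size):
        e = bytearray(DIR_ENTRY)
        e[0:11] = name11                              # 8.3 name, space padded
        e[11] = 0x20                                  # ATTR_ARCHIVE: a regular file
        struct.pack_into("<H", e, 26, first_cluster)  # first cluster (low word)
        struct.pack_into("<I", e, 28, size)
        return e

    img[root:root + DIR_ENTRY] = entry(b"NOTES   TXT", 2, len(notes))
    # Deleting a file overwrites only the first name byte with 0xE5; cluster and size survive
    img[root + DIR_ENTRY:root + 2 * DIR_ENTRY] = entry(b"\xE5ECRET  TXT", 3, len(secret))
    img[data:data + len(notes)] = notes                  # cluster 2
    img[data + bps:data + bps + len(secret)] = secret    # cluster 3
    return bytes(img)


def geometry(img):
    """Locate the root directory and data region from the BIOS Parameter Block."""
    bps, spc, reserved, nfats, root_entries = struct.unpack_from("<HBHBH", img, 0x0B)
    spf, = struct.unpack_from("<H", img, 0x16)
    root = (reserved + nfats * spf) * bps
    return {"cluster_bytes": bps * spc, "root": root, "data": root + root_entries * DIR_ENTRY}


def list_root(img):
    """Walk the root directory like fls -d: live entries and deleted (0xE5) ones."""
    geo = geometry(img)
    entries = []
    for off in range(geo["root"], geo["data"], DIR_ENTRY):
        e = img[off:off + DIR_ENTRY]
        if e[0] == 0x00:
            break                      # no further entries in this directory
        if e[11] == 0x0F:
            continue                   # long-file-name entry; not handled here
        deleted = e[0] == 0xE5
        raw = bytearray(e[0:11])
        if deleted:
            raw[0] = ord("?")          # the original first character was overwritten and is lost
        base = raw[0:8].decode("ascii").rstrip()
        ext = raw[8:11].decode("ascii").rstrip()
        entries.append({
            "name": base + ("." + ext if ext else ""),
            "deleted": deleted,
            "first_cluster": struct.unpack_from("<H", e, 26)[0],
            "size": struct.unpack_from("<I", e, 28)[0],
        })
    return entries


def recover_first_cluster(img, entry):
    """Read the file's first cluster: what icat can still do for a deleted FAT file
    whose cluster chain has been zeroed in the FAT."""
    geo = geometry(img)
    cb = geo["cluster_bytes"]
    start = geo["data"] + (entry["first_cluster"] - 2) * cb
    return img[start:start + min(entry["size"], cb)]


if __name__ == "__main__":
    image = build_fat12_image()
    for ent in list_root(image):
        flag = "(deleted)" if ent["deleted"] else ""
        print(f"{ent['name']:12s} {ent['size']:5d} bytes, cluster {ent['first_cluster']} {flag}")
        print("    ", recover_first_cluster(image, ent))
```

For a deleted file larger than one cluster the FAT chain is gone, so only the first cluster is certain; anything beyond it has to assume the clusters were contiguous, which is why recovered deleted files can contain data that belonged to other files. That is also why the hash of the image is recorded before analysis: recovery reads the image, it never writes to it.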

 

Conclusion

I hope this article helps newcomers to the static analysis of disk images. Autopsy is the web interface of The Sleuth Kit. It can extract strings, recover deleted files, build timelines, view web history, run keyword searches and analyse email in Windows and Linux disk images, among other functions.

Via: http://linoxide.com/ubuntu-how-to/autopsy-sleuth-kit-installation-ubuntu/

Author: nido Translator: FSSlc Proofreader: wxy

This article was translated by LCTT and proudly presented by Linux China.

