Monday, December 10, 2018

Programming PDF – Autopsy


Autopsy in Spanish

written by:

Alonso E. Caballero Quezada

Title: Autopsy in Spanish

Author: Alonso Eduardo Caballero Quezada

Version 1.1: November 7, 2007
Version 1: September 3, 2007 (MD5: b47912d9c71c410f290f2b5c3195a944)

Creation date: August 2007

The reason for this writing

At the end of some of my courses or presentations, the most common request is for
information on the subject, and the vast majority of the time I refer the people who
ask to sources of information in English. At the same time I perceive that,
because of this "detail" of the language, some of them do not go deeper into the subject. It is
for this reason that I decided to make this translation, which now has the endorsement
of Brian Carrier, the author of Autopsy and The Sleuth Kit, the free code tools par
excellence for digital forensic analysis.

I try to fully respect the original contents. I include images with
screenshots of the most recent version of Autopsy. Likewise, I include the
references made to 'The Sleuth Kit Informer'.

It is my wish, with this contribution, to bring these very interesting topics to the
greatest number of people. Obviously, this document may be freely distributed and
copied.

Autopsy

Description

The Autopsy Forensic Browser is a graphical interface to the command-line digital
investigation analysis tools contained in The Sleuth Kit. Together they
can analyze UNIX and Windows disks and file systems (NTFS, FAT,
UFS1/2 and Ext2/3).

Autopsy and The Sleuth Kit are Open Source and run on
UNIX platforms. Because Autopsy is HTML-based, you can connect to the Autopsy
server from any platform using an HTML browser. Autopsy provides
a "File Manager"-like interface and shows details about deleted data and
file system structures.

Analysis Modes

An "At Rest" analysis occurs when a dedicated analysis system is used
to examine the data of a suspect system. In this case, Autopsy and The Sleuth Kit
are run in a trusted environment, typically in a laboratory.
Autopsy and TSK support the AFF (Advanced Forensic Format), Expert
Witness, and raw file formats.

A "Live" analysis occurs when the suspect system is analyzed
while it is running. In this case, Autopsy and The Sleuth Kit are run from a
CD in an untrusted environment. This is frequently used during incident response
while the incident is being confirmed. After confirmation, the system can be
acquired and an "At Rest" analysis performed.

Evidence search techniques

File Listing: Analyze files and directories, including the names of
deleted files and Unicode-based file names. See Figure 1.

Figure 1. List of Files with Autopsy

Sleuth Kit Informer #1 / Jail

* Reference: Sleuth Kit Informer 1

Putting the HTML in a jail

One of the key and best-known concepts in digital forensics and incident
response is to never trust the suspect system. For this reason, CDs
containing trusted binaries are used while the system is running, and before the
acquisition the system is typically shut down and restarted with a trusted kernel. The
same logic applies to the executable files of the suspect system: they must only
be run in controlled environments so that they cannot destroy the
analysis station.

This concept has also been applied to Autopsy, for example when viewing HTML files
from a browser cache. HTML files can wreak havoc in two ways during an
investigation. First, they can contain harmful scripts (JavaScript or Java, for
example) that can damage a vulnerable analysis system. Second, HTML can cause the
browser to connect to an external site to fetch an image or another file. This can
alert someone to the investigation (in an ideal world, all forensic laboratories are
isolated from the Internet).

By default, Autopsy does not interpret the contents of files. For example, when
an HTML file is selected, the tags and ASCII text are displayed rather than the
formatted document (as long as an HTML browser is used). This is done
by setting the "content-type" to text instead of html.

For certain types of files, namely HTML and images, Autopsy allows the user
to view the interpreted data through a "view" link. By default this link opens
the file-content interpreter in a new "jail". By default the "jail"
interprets the HTML code and renders the scripts and links ineffective. This is
done by modifying the HTML in the following way:

* SRC= is changed to SRC=AutopsySanitized
* HREF= is changed to HREF=AutopsySanitized
* <script is changed to <AutopsySanitized-script
* BACKGROUND= is changed to BACKGROUND=AutopsySanitized

The Autopsy web server is configured to answer requests for
images that contain "AutopsySanitized" with a predefined graphic. This allows the
investigator to see where an image exists without connecting to an external site.
In addition, if the investigator follows a URL, Autopsy reports that the
investigator is not allowed to follow external links while in the jail. After checking the
content of an HTML page, the user can leave the jail with the
"Normal" button and export the page with the "Export Contents" button.

It is good practice to disable scripting languages in the browsers on the analysis
workstations. Autopsy warns if your browser has scripting enabled. The
sanitizing that Autopsy performs when displaying HTML pages adds an
additional layer of protection in case scripts are accidentally enabled,
there is a vulnerability in the browser, or the system is connected to the Internet.
Once the investigator has identified the page as safe, it can be
displayed in its original format.

* End of reference: Sleuth Kit Informer 1
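As an added illustration, not code from Autopsy or from the translated document, the following Python sketch applies the four rewrites listed in the reference to a constructed cached page, reports the URLs the page would have fetched, and shows the server-side check for the marker. It goes beyond the exact tokens the text lists by matching case-insensitively and tolerating whitespace around "="; the host names are placeholders.

```python
import re

# Marker the Autopsy jail inserts; the rewrites below follow the list in the
# Informer text. Case-insensitive matching and tolerance of whitespace around
# '=' are an assumption (the text shows only exact upper-case tokens). The
# lookahead skips attributes already carrying the marker, so re-sanitising an
# already sanitised page changes nothing.
MARKER = "AutopsySanitized"
_RULES = [
    (re.compile(r"\b(src|href|background)\s*=\s*(?!" + MARKER + ")", re.IGNORECASE),
     r"\1=" + MARKER),
    (re.compile(r"<script", re.IGNORECASE), "<" + MARKER + "-script"),
]
_REF = re.compile(r"\b(src|href|background)\s*=\s*[\"']?([^\s\"'>]+)", re.IGNORECASE)


def sanitize_html(html: str) -> str:
    """Neutralise fetch-triggering attributes and script tags in untrusted HTML."""
    for pattern, replacement in _RULES:
        html = pattern.sub(replacement, html)
    return html


def external_references(html: str) -> list:
    """URLs the page would have fetched, in document order; reported so the
    investigator still sees where each image or link points without the browser
    ever requesting it."""
    return [m.group(2) for m in _REF.finditer(html)]


def is_sanitized_request(path: str) -> bool:
    """Server-side half of the jail: a request whose URL carries the marker came
    from a jailed page and must be answered with the placeholder graphic."""
    return MARKER in path


# Constructed sample of a cached page; the hosts are placeholders.
SAMPLE = (
    '<html><body BACKGROUND="http://tracker.example/bg.gif">\n'
    "<IMG SRC=http://tracker.example/pixel.gif>\n"
    '<a href = "http://phish.example/login">login</a>\n'
    "<script>alert(1)</script>\n"
    "</body></html>"
)

if __name__ == "__main__":
    print(sanitize_html(SAMPLE))
    print(external_references(SAMPLE))
```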

File Contents: The contents of files can be displayed raw,
in hexadecimal, or as extracted ASCII strings.
When the data is interpreted, Autopsy sanitizes it to prevent damage to the local
analysis system. Autopsy does not use any client-side scripting language. See
Figure 2.

Figure 2. Contents of Files

Hash Databases: To quickly identify unknown files as
trusted or bad, lookups are performed in a hash database.
Autopsy uses the NIST National Software Reference Library (NSRL) and
user-created databases of known good and known bad files. See
Figure 3.

Figure 3. Autopsy using hash databases

File Type Sorting: To identify files of a known type, files are
sorted based on their internal signatures. Autopsy can also extract
only graphic images (including thumbnails). A file's extension can
also be compared to its file type to identify files whose extension
has been changed to hide them. See Figure 4.

Figure 4. Sort by file type

Timeline of File Activity: In some cases, a timeline of file activity
can help identify areas of a file system
that could contain evidence. Autopsy can create timelines that
contain entries for the Modified, Access, and Change (MAC) times of allocated and
unallocated files. See Figure 5.

Figure 5. File activity timeline

Keyword Search: Keyword searches of a file system image can be
performed using ASCII strings and regular expressions.
Searches can be carried out on the complete file system image
or only on the unallocated space. An index file can be created for
faster searching. Frequently searched strings can be
easily configured within Autopsy for automated searches. See Figure 6.

Figure 6. Keyword Search

Meta Data Analysis: Meta data structures contain details about
files and directories. Autopsy allows you to view the details of any
meta data structure in the file system. This is useful for recovering
deleted content. Autopsy searches the directories to identify the full path of the
file that has the structure allocated to it. See Figure 7.

Figure 7. Meta Data Analysis

Data Unit Analysis: Data units are where the contents of files are
stored. Autopsy allows you to view the contents of any
data unit in a variety of formats including ASCII, hexadecimal dump, and
strings. The file type is also given, and Autopsy searches the meta data
structures to identify which structure the data unit is allocated to. See Figure 8.

Figure 8. Analysis of Data Units

Image Details: The details of the file system can be viewed,
including the on-disk layout and times of activity. This mode provides
information that is useful



Source link: from Nettech Post https://ift.tt/2QqM0SX
