Lead Image © Tomasz Pacyna, 123RF.com

Lead Image © Tomasz Pacyna, 123RF.com

Forensic analysis with Autopsy and Sleuth Kit

Game of Clue

Article from ADMIN 64/2021
By
Forensic admins can use the Autopsy digital forensics platform to perform an initial analysis of a failed system, looking for traces of a potential attack.

Analyzing computer systems after a total failure (e.g., after an attack with malware) is the task of forensic specialists. With the appropriate tools, they can reconstruct log data, web history, or image data and detect so-called indicators of compromise. In this article, I introduce you to the Autopsy Sleuth Kit tool and show you how to use it for forensic analyses.

After immediately provisioning alternative systems to secure business operations, one important task after a cyber incident in the enterprise is to process the incident and analyze the affected systems. In addition to countless commercial tools for the analysis and reconstruction of logs and data, you can also find very good, freely available, open source tools – such as the Sleuth Kit tool collection and its associated graphical user interface, Autopsy [1].

Images Only

Before you start analyzing the content of a hard drive, you first need to create a complete image of the disk. In principle, you can also work with Autopsy directly on the running system or only analyze individual folders, but to be on the safe side and not destroy important data by accidentally writing to the drive, first connect to another system and create a corresponding image (e.g., with dd on Linux).

Whether you continue working with the hard disk or the image afterward depends a bit on the circumstances. Autopsy itself makes no distinctions and supports not only classic dd images, but also those in the expert witness format (EWF), a proprietary format belonging to EnCase software [2] from the software vendor OpenText, or virtual machine VMDK and VHD images.

If you are on Windows, you can download the latest version with all dependencies directly from the Sleuth Kit website and install it from the wizard. On

...
Use Express-Checkout link below to read the full article (PDF).

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Forensic Tools

    Criminals often focus on browsers for various attacks because they are a worthwhile, attractive, and often easy target. However, admins can investigate such attacks with forensic tools that provide the ability to reconstruct browser sessions.

  • Comparison of forensic toolkits for reconstructing browser sessions
    Criminals often focus on browsers for various attacks because they are a worthwhile, attractive, and often easy target. However, admins can investigate such attacks with forensic tools that provide the ability to reconstruct browser sessions.
  • Diving into infrastructure security
    How to deal with threat intelligence on the corporate network when the existing security tools are not effective.
  • Maintaining Android in the enterprise
    No matter how insecure Android might appear, you can't escape the "bring your own device" philosophy in today's corporate environment. In this article, we show how admins can use on-board tools in Android phones to regain a little control.
  • Security in the network with Kali Linux
    Thanks to its huge choice of security tools, Linux is perfectly suited to securing heterogeneous networks. With a specialized distro like Kali Linux, you can quickly locate and eliminate security vulnerabilities.
comments powered by Disqus