Game of Clue

Analyzing computer systems after a total failure (e.g., after an attack with malware) is the task of forensic specialists. With the appropriate tools, they can reconstruct log data, web history, or image data and detect so-called indicators of compromise. In this article, I introduce you to the Autopsy Sleuth Kit tool and show you how to use it for forensic analyses.

After immediately provisioning alternative systems to secure business operations, one important task after a cyber incident in the enterprise is to process the incident and analyze the affected systems. In addition to countless commercial tools for the analysis and reconstruction of logs and data, you can also find very good, freely available, open source tools – such as the Sleuth Kit tool collection and its associated graphical user interface, Autopsy [1].

Images Only

Before you start analyzing the content of a hard drive, you first need to create a complete image of the disk. In principle, you can also work with Autopsy directly on the running system or only analyze individual folders, but to be on the safe side and not destroy important data by accidentally writing to the drive, first connect to another system and create a corresponding image (e.g., with dd on Linux).

Whether you continue working with the hard disk or the image afterward depends a bit on the circumstances. Autopsy itself makes no distinctions and supports not only classic dd images, but also those in the expert witness format (EWF), a proprietary format belonging to EnCase software [2] from the software vendor OpenText, or virtual machine VMDK and VHD images.

If you are on Windows, you can download the latest version with all dependencies directly from the Sleuth Kit website and install it from the wizard. On Linux, use the package manager of the distribution you are using to install Sleuth Kit. After that, choose to download the Autopsy ZIP file from the website. After unpacking, run the autopsy program in the bin/ folder. If you receive the message that the Java JDK directory was not found, adjust the etc/autopsy.conf file. Remove the comment that assigns the directory to the jdkhome variable. After that, you will be able to launch Autopsy without any problems.

Source Analysis First

After starting Autopsy, use the New Case button to create a new case for processing. To begin, select a name and the working directory, and then enter your contact data. In the next step, select the first data source. If you want to work on a locally mounted hard drive on Windows, you will need to start Autopsy with administrative authorization.

Do so now, create a new processing case as before, then select Local Disk as the data source, and click Next . If you have selected an active hard drive, you have the option at this point to have Autopsy create an image of it in the form of a VHD file. After the first round, where it reads the data, the tool then works with this image, and you can remove the hard disk to be examined from the system again and store it safely.

In the next step, from the available modules, select the file types you want to consider for the analysis and start the analysis run. This step will take some time, so get yourself some drinks and snacks and wait until Autopsy shows you the content of the hard disk or image. During the search, you can observe how data is found in the different categories in the menu on the left. For example, if you select Web Cookies , you will see a list of cookies found for the different installed browsers (Figure 1).

Figure 1: Helpful data snippets such as cookies can be tracked down with Autopsy.

Targeted Knowledge Gain

If you press the Timeline link in the icon bar at top, you will see an overview of messages according to parameterizations. For older systems with many entries in the system log, creating a timeline of events takes a little time. In the upper area of the result window, you can change the display to show additional details about events besides the number of events. In the left pane, under Filters , you can reduce the number of events displayed. You can start the timeline while disk analysis is in progress. Autopsy then alerts you when new data is found and offers to refresh the display.

Indicators of compromise (IoCs), for example, can be modeled and exchanged in structured threat information expression (STIX) format [3]. Analysts create STIX documents according to the malware they analyze and describe the IoCs. If you receive STIX documents from partners or service providers (e.g., from platforms such as the threat sharing platform MISP [4]), you can test them immediately with Autopsy by pressing the Generate Report button, selecting the STIX reporting module, and clicking Choose file to select the STIX document. You can also select a whole folder of STIX documents; Autopsy will then check all the files it contains and take them into account during reporting. After the analysis, you will see all found items under the Interesting Items menu.