Monday, April 24, 2017

Using Autopsy Tool for Forensic Disk Analysis

Autopsy is a web based GUI interface for the Sleuthkit forensic investigation tool kit. It can be used for interesting forensic analysis works on images acquired from storage devices. In this blog post, I'm writing the basics steps to install and use Autopsy tool to analyze a disk image.

Since the usage of a real disk image taken from somebody's storage device raises privacy concerns, I'm preparing custom disk images by manually creating filesystems on binary files. So, first of all, let's create our testing disk image.

Creating a custom disk image:

(1) Creating a file of 500MB. 

  dd if=/dev/zero of=./mydisk.img bs=1M count=500

(2) Format the file with the FAT32 file system.

    sudo mkfs.vfat -F 32 mydisk.img

(3) Mount the filesystem.

    mkdir mount-point
  sudo mount mydisk.img ./mount-point/

(4) Create a text file and add some sample content.

    sudo touch mount-point/readme.txt
  sudo vim mount-point/readme.txt

    "This is just a text file for testing purposes."

(5) Now, delete the file you created.

    sudo rm mount-point/readme.txt

(6) Unmount the filesystem.

    sudo umount mount-point/

Using Autopsy tool for disk analysis:

It's time to analyse the disk image using Autopsy tool which is the GUI frontend for the Sleuthkit.

(1) Install Autopsy tool together with Sleuthkit on a Linux machine.

    sudo apt-get update
  sudo apt-get install autopsy

(2) Start Autopsy with root previleges.

    sudo autopsy

(3) Now, we can access the web interface using the following URL.


(4) Create a new case, a new host and finally give path to the above disk image. Once you reach the end of the creation of everything, you can see a button called "Analyze" in order to analyze the disk image.

(5) In this interface, click on the button for "File Analysis". Then you can see the files of the disk image. We can see our deleted text file in red color.

(6) In the above screen, you can see that there is a column called "META". Click the item of the deleted "readme.txt" file under this "META" column. Now you will see some meta data of the file.

(7) In the above screen, note that the file size is 47 bytes. Since the sector size of this disk image is 512 bytes, this file just resides in a single sector. That is the sector shown as "2038" in the above screenshot. Click on that sector number to view it.

 (8) On this new screen, we can view the content of the file in different formats such as ASCII and Hex.

(9) Click on the "Export Contents" button to export the deleted file and save it somewhere in your local storage.
It just saves as a raw file without the proper file extesion.

(10) We can check the file type of the exported file using various ways.

    file vol1-Sector2038.raw

(11) Let's rename the file to the correct file extension type.

    mv vol1-Sector2038.raw textfile.txt

(12) Finally, take a look at the file contents to see that is the file we created.

    cat textfile.txt

There are so many features in Autopsy tool which we can explore.




No comments:

Post a Comment