                      Autopsy Forensics Browser v1.01
               www.cerias.purdue.edu/homes/carrier/forensics

Quick Overview
-----------------------------------------------------------------------------
The Autopsy Forensic Browser is a graphical interface to utilities found
in The Coroner's Toolkit (TCT) and TCTUTILs.  It allows drive images to
be analyzed at the file, block, and inode level.  It also allows easy
searches for strings in images.

Since autopsy uses the fls(1) utility from TCTUTILs, deleted file names
are shown when browsing and some Operating Systems will allow easy
recovery of newly deleted files.


Main Functions
-----------------------------------------------------------------------------
FILE BROWSING:  Allows browsing the image as a file system.  This
gives a list of directories on the left, and files and file content
on the right hand side.  The output of each file can be seen as
ASCII or can be run through strings(1), if it is installed.

Since this analyzes directory inode entries, deleted file names can
still be seen and depending on the OS, the deleted file contents
can also be easily recovered.  If a file name has a * before it,
it has been deleted.  The directory contents listings can be resorted
based on name, size, times etc. by selecting the proper column
header.

INODE BROWSING: Allows browsing by inode number.  Enter an inode
number and see the details of the entry.  The file name(s) that use
the inode will also be displayed (even if they have been deleted, for
some OSes).  Inode browsing can also be used when file browsing.
When a file's inode value is selected, the browser switches to
inode mode and displays the inode details.  The blocks that the
inode has allocated can be viewed using block browsing.

BLOCK BROWSING: Allows browsing by block number.  This is most
useful when used with searching or inode browsing.  The contents
of the block can be displayed in ASCII, hexdump, or by running the
raw output through strings(1).  The inode that has allocated the
block will be displayed (if any) along with the file name (if any).
Block numbers can be entered in two formats, regular and unallocated.
The regular format is the block number in a regular image created from
dd.  The unallocated format is the block number in an image created 
from the unallocated blocks in a regular image (by using unrm).  When
blocks are entered in the unallocated format, they are converted to the
regular format and the corresponding regular block is shown.   This is
useful when using Autopsy along with TCT's Lazarus tool. 
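The conversion between the two block-number formats, as an added shell
example that is not part of Autopsy or TCT: unrm writes the unallocated
blocks of a regular image out in ascending order, so block k of the
unallocated image is the k-th unallocated block of the regular image.
The allocation map, the 0-based numbering and the function names are
assumptions made for this illustration; a real map would come from the
file system's block bitmap.

```shell
#!/bin/sh
# Constructed allocation map for a tiny 12-block image: character i gives
# the state of block i ("1" = allocated, "0" = unallocated). A real map
# would be derived from the file system's block bitmap; this one is made up.
ALLOC_MAP="110100111001"

# unrm copies the unallocated blocks of a regular image out in ascending
# order, so block k of the unallocated image is the k-th unallocated block
# of the regular image. Both are numbered from 0 here (an assumption; the
# real tools' numbering may differ).
# Usage: unalloc_to_regular <alloc_map> <unallocated_block_number>
unalloc_to_regular() {
    printf '%s\n' "$1" | awk -v want="$2" '{
        seen = 0
        for (i = 1; i <= length($0); i++) {
            if (substr($0, i, 1) == "0") {
                if (seen == want) { print i - 1; exit 0 }
                seen++
            }
        }
        print "error: unallocated block " want " is past the end of the image" > "/dev/stderr"
        exit 1
    }'
}

# The reverse lookup: which unallocated-image block holds regular block r.
# Fails if r is allocated, since allocated blocks never appear in the
# unrm output at all.
# Usage: regular_to_unalloc <alloc_map> <regular_block_number>
regular_to_unalloc() {
    printf '%s\n' "$1" | awk -v r="$2" '{
        if (r < 0 || r >= length($0)) {
            print "error: block " r " is outside the image" > "/dev/stderr"; exit 1
        }
        if (substr($0, r + 1, 1) != "0") {
            print "error: block " r " is allocated" > "/dev/stderr"; exit 1
        }
        seen = 0
        for (i = 1; i <= r; i++) if (substr($0, i, 1) == "0") seen++
        print seen
    }'
}

# Stand-alone demonstration: Lazarus reported something in unallocated
# block 3, which is regular block 9 in this map.
echo "unallocated block 3 -> regular block $(unalloc_to_regular "$ALLOC_MAP" 3)"
```

The reverse lookup refuses allocated blocks on purpose: a block that the
file system still has allocated was never copied by unrm, so a number in
the unallocated format cannot refer to it, and reporting one would put a
wrong block number into a report.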

IMAGE SEARCHING:  Search an image using grep(1) for a given string.
The result will be a list of blocks that contain this string.  Selecting
each block brings the user into block browsing mode to view the
contents.  Only literal strings are currently supported.  Hopefully,
regular expressions will be supported in the future.
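How a grep(1) hit is turned into a list of block numbers, as an added
shell example that is not Autopsy's own search code: grep reports the
byte offset of each match, and dividing the offset by the block size
gives the regular block number. The constructed image, its block size and
the function name are assumptions made for this illustration. The example
also covers the edge case the text does not mention: a string that
straddles a block boundary is reported in both blocks.

```shell
#!/bin/sh
# Constructed 8-block image (512-byte blocks) in a temp file: zeros, with a
# search term written at three known offsets. Not a real forensic image.
BLOCK_SIZE=512
IMG=$(mktemp)
trap 'rm -f "$IMG"' EXIT
dd if=/dev/zero of="$IMG" bs=$BLOCK_SIZE count=8 2>/dev/null
put() { printf '%s' "$2" | dd of="$IMG" bs=1 seek="$1" conv=notrunc 2>/dev/null; }
put 700  'password'            # inside block 1
put 2600 'the password file'   # inside block 5
put 3580 'password'            # straddles the block 6 / block 7 boundary

# Usage: string_blocks <image> <block_size> <string>
# Prints, one per line and in ascending order, every regular block number
# that holds any byte of a match. grep -a treats the image as text, -F takes
# the string literally, -b prints the byte offset and -o restricts the offset
# to the match itself rather than the start of the (possibly huge) "line".
# A match that crosses a block boundary is reported in both blocks.
string_blocks() {
    img=$1
    bs=$2
    pat=$3
    # match length in bytes, so the end offset is computed correctly
    len=$(printf '%s' "$pat" | wc -c | tr -d ' ')
    grep -a -b -o -F -- "$pat" "$img" | cut -d: -f1 |
        awk -v bs="$bs" -v len="$len" '{
            first = int($1 / bs)
            last = int(($1 + len - 1) / bs)
            for (b = first; b <= last; b++) print b
        }' | sort -n -u
}

echo "blocks containing 'password': $(string_blocks "$IMG" "$BLOCK_SIZE" password | tr '\n' ' ')"
```

Because the whole image is usually a single NUL-filled "line" to grep,
the -o flag is what keeps the offsets useful: without it grep would
report one offset for the start of that line rather than one per match.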

REPORT GENERATION:  Each of the above browsing techniques allows a report
to be generated.  This report lists the date, MD5 value, investigator,
and other context information in a text format.  This can be used for
record keeping when deleted blocks of data have been found.


Requirements
-----------------------------------------------------------------------------
Supported Platforms:
autopsy will run on any system that is supported by TCT and TCTUTILs.

autopsy needs the following software:

The Coroner's Toolkit (TCT) (1.06 or above):
    www.fish.com/tct
    www.porcupine.org/forensics/tct.html

TCTUTILs (1.01 or above):
    www.cerias.purdue.edu/homes/carrier/forensics

Perl (5.002 or above)


Regular Usage
------------------------------------------------------------------------------
To use autopsy:
1. Place drive images in the morgue directory.  They should be created
   using something like: dd if=/dev/rawdevice of=imagefile
   Note that the image names must be named with simple characters,
   letters, numbers, '-', '_', and '.'.  See Security Considerations for 
   more details.

2. Edit the fsmorgue file with new images.  The format is the image name,
   a tab (or any white space), and the directory that it was originally
   mounted on (e.g. /usr/).

3. Update the zoneinfo file in the morgue directory for time zone changes.
   For example, if the images are from a machine in CST (GMT-6) and they
   are being analyzed in EST (GMT-5), then zoneinfo should contain '-1'.

4. Start the autopsy daemon
         # ./autopsy 8888 localhost

5. Point your web browser to the location printed to stdout:
         host:port/cookie/autopsy


Security Considerations
-------------------------------------------------------------------------
The autopsy server is a perl program that only processes autopsy
URLs.  It offers simple access control by limiting access to the
server to one host and uses a random numeric "cookie" to further
authenticate a user.  The random cookie is generated when the server
starts and must be present in the URL.  This allows an investigator
to use a public machine while restricting access to only them.  The
recommended use is to restrict access to localhost only, so that no
traffic is ever sent on the network.

Filenames in the morgue directory must be very simple (letters,
digits, -, _, and .).  This allows fast and easy checking of file
names passed in the URL and prevents a URL from referencing files
outside the morgue directory.  Symbolic links can be created between
the simple names and more complex ones.
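The filename rule above, applied to the fsmorgue file described in
Regular Usage (step 2), as an added shell example that is not part of
Autopsy: each entry is checked against the simple-character rule, and
each image is confirmed to exist in the morgue directory. The morgue
layout is constructed for the example, and the function names are
assumptions. The rule as written would still accept the names "." and
".."; rejecting those explicitly is an addition here, since ".." is the
one remaining way a name with no '/' could point outside the morgue.

```shell
#!/bin/sh
# Constructed morgue layout in a temp dir: one image with a simple name,
# one with a complicated name reached through a simply-named symlink
# (the arrangement the text recommends), and an fsmorgue file for both.
MORGUE=$(mktemp -d)
trap 'rm -rf "$MORGUE"' EXIT
: > "$MORGUE/hda1.dd"
: > "$MORGUE/evidence image (copy).dd"
ln -s "evidence image (copy).dd" "$MORGUE/hda2.dd"
printf 'hda1.dd\t/\nhda2.dd\t/usr/\n' > "$MORGUE/fsmorgue"

# The rule from Security Considerations: letters, digits, '-', '_' and '.'
# only. Excluding '/' already blocks path components; "." and ".." are
# rejected on top of that (an addition, not from the original rule).
# Usage: valid_image_name <name>   (exit 0 if the name is acceptable)
valid_image_name() {
    case $1 in
        ''|.|..) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9._-]+$'
}

# Usage: check_fsmorgue <morgue_dir>
# Reads <morgue_dir>/fsmorgue, whose lines are "<image> <whitespace>
# <original mount point>", and prints one line per entry: OK or BAD, the
# image name, the mount point, and a reason for BAD entries.
# Returns 1 if any entry is bad, 0 otherwise.
check_fsmorgue() {
    dir=$1
    bad=0
    while read -r image mnt rest; do
        # skip blank lines and comment lines
        case $image in ''|'#'*) continue ;; esac
        if ! valid_image_name "$image"; then
            echo "BAD $image $mnt (name not limited to [A-Za-z0-9._-])"
            bad=1
        elif [ ! -e "$dir/$image" ]; then
            echo "BAD $image $mnt (not found in morgue directory)"
            bad=1
        elif [ -z "$mnt" ]; then
            echo "BAD $image (missing original mount point)"
            bad=1
        else
            echo "OK $image $mnt"
        fi
    done < "$dir/fsmorgue"
    return $bad
}

# Stand-alone demonstration: both constructed entries pass.
check_fsmorgue "$MORGUE"
```

Symlinks pass the existence check because -e follows them, which is
exactly what makes the symlink trick from the text work: the URL only
ever carries the simple name, and the link resolves to the real file
inside the morgue.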


Troubleshooting
------------------------------------------------------------------------------
The Main Menu doesn't have my image:
    Update and verify the fsmorgue file

The times that are displayed don't seem right:
    Verify the time zone file is correct (zoneinfo)

Autopsy is complaining that it can't find X:
    Verify the variable settings in conf.pl  (see the INSTALL file)

Autopsy takes a very long time to display large directories:
    This occurs because directory contents are displayed as an HTML
    table, and many browsers are not very efficient at displaying
    large tables.  So, it is not Autopsy that is slow, it is the
    browser.

Affiliation
------------------------------------------------------------------------------
This tool is not a result of Purdue University or CERIAS funded research. 


Author Info
------------------------------------------------------------------------------
brian carrier [carrier@cerias.purdue.edu]

May 29, 2001
