                  Autopsy Forensic Browser v1.60
            www.atstake.com/research/tools/index.html


               Brian Carrier [carrier@atstake.com]


Quick Overview
-----------------------------------------------------------------------------
The Autopsy Forensic Browser is a graphical interface to utilities
found in The @stake Sleuth Kit (TASK).  Autopsy is the only open source
graphical interface for the forensic analysis of Microsoft and UNIX
file systems.  It allows the allocated and deleted files, directories,
blocks, and inodes of file system images to be analyzed in a read-only
environment.  Images can be searched for strings and regular expressions
to recover deleted material.  It also allows one to create a detailed
time line of the Modified, Access, and Changed times of files.

Autopsy is HTML-based and uses a client-server model.  The Autopsy
server runs on many UNIX systems and the client can be any platform
with an HTML browser.  This enables one to create a flexible environment
with a central Autopsy server and several remote clients.  For incident
response scenarios, a CD with TASK and Autopsy can be created to allow the
responder read-only remote access to a suspect system from an HTML-browser
on a trusted system.

Autopsy will not modify the original images and the integrity of the
images can be verified in Autopsy using MD5 values.


Main Functions
-----------------------------------------------------------------------------
FILE BROWSING:  Allows browsing the image as a file system.  This
gives a list of directories on the left, and files and file content
on the right hand side.  The contents of each file can be viewed as
ASCII or run through strings(1), if that utility is installed.

Since this analyzes directory inode entries, deleted file names can
still be seen and depending on the OS, the deleted file contents
can also be easily recovered.  If a file name has a * before it,
it has been deleted.  The directory contents listings can be resorted
based on name, size, times etc. by selecting the proper column
header.


INODE BROWSING: Allows browsing by inode number.  Enter an inode
number and see the details of the entry.  The file name(s) that point
to the inode will also be displayed (for some OSes even if they have
been deleted).  Inode browsing can also be entered from file browsing:
when a file's inode value is selected, the browser switches to
inode mode and displays the inode details.  The blocks that the
inode has allocated can be viewed using block browsing.


BLOCK BROWSING: Allows browsing by block number.  This is most
useful when used with searching or inode browsing.  The contents
of the block can be displayed in ASCII, hexdump, or by running the
raw output through strings(1).  The inode that has allocated the
block will be displayed (if any) along with the file name (if any).
Block numbers can be entered in two formats, regular and unallocated.
The regular format is the block number in a regular image created
from dd.  The unallocated format is the block number in an image
created from the unallocated blocks in a regular image (by using
dls).  When blocks are entered in the unallocated format, they are
converted to the regular format and the corresponding regular block
is shown.   This is useful when using Autopsy along with the Lazarus
tool (in TCT).


KEYWORD SEARCHING:  Search an image using grep(1) for a given string.
The result will be a list of blocks that have this string.  Selecting
each block brings the user into block browsing mode to view the
contents.  Case insensitive searches and 'grep' regular expression 
searches can also be performed.  To decrease the searching time, a
file can be generated with just the ASCII strings of the image.  Also,
the unallocated data can be extracted and searched to make deleted data
recovery more efficient.  

The search.pl file contains predefined search values.  Autopsy currently
comes with a regular expression to identify date strings.  Additional
values can be added by the user.  The format is given in the file.  
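The two mechanics described above (a keyword hit reported as a block number, and a block number in a dls-style unallocated image converted back to the regular block number) are shown below as an added example.  It is not Autopsy's own code: the image, its allocation map and the 512-byte block size are all constructed here, and the date pattern is a stand-in for the predefined search values in search.pl.

```python
import re

BLOCK_SIZE = 512  # assumed data-unit size for the constructed image


def build_images():
    """Construct a tiny 'regular' image, its allocation map, and the
    dls-style image made of only the unallocated blocks."""
    # True = block allocated to a file, False = unallocated (free) block
    allocated = [True, True, False, True, False, False, True, False]
    blocks = []
    for n, _ in enumerate(allocated):
        payload = f"block {n} filler".encode()
        if n == 4:   # a free block still holding deleted content
            payload = b"Deleted memo: meet on 2002-06-19"
        if n == 6:   # an allocated block that also mentions a date
            payload = b"live file, updated 2002-06-20"
        blocks.append(payload.ljust(BLOCK_SIZE, b"\0"))
    regular = b"".join(blocks)
    unalloc = b"".join(blk for blk, used in zip(blocks, allocated) if not used)
    return regular, unalloc, allocated


def search_blocks(image, pattern, ignore_case=False, block_size=BLOCK_SIZE):
    """Return the sorted block numbers whose data contains a match for
    ``pattern`` (a regular expression over bytes).  This mirrors a byte
    offset from 'grep -b' divided by the block size.  A match that
    straddles a block boundary is reported in the block where it starts."""
    flags = re.IGNORECASE if ignore_case else 0
    hits = {m.start() // block_size for m in re.finditer(pattern, image, flags)}
    return sorted(hits)


def unalloc_to_regular(unalloc_block, allocated):
    """Map a block number in the unallocated-format image back to the
    block number in the regular image: block n of the dls output is the
    n-th unallocated block of the regular image."""
    free_blocks = [n for n, used in enumerate(allocated) if not used]
    if unalloc_block < 0 or unalloc_block >= len(free_blocks):
        raise ValueError(f"unallocated block {unalloc_block} out of range")
    return free_blocks[unalloc_block]


def search_unallocated(regular, allocated, pattern, ignore_case=False):
    """Search only the unallocated blocks (as Autopsy does with a dls
    image) and report the hits as regular block numbers."""
    blocks = [regular[i:i + BLOCK_SIZE] for i in range(0, len(regular), BLOCK_SIZE)]
    unalloc = b"".join(blk for blk, used in zip(blocks, allocated) if not used)
    return [unalloc_to_regular(b, allocated)
            for b in search_blocks(unalloc, pattern, ignore_case)]


if __name__ == "__main__":
    regular, unalloc, allocated = build_images()
    date = rb"\d{4}-\d{2}-\d{2}"
    print("regular image hits:", search_blocks(regular, date))
    print("unallocated image hits (dls numbering):", search_blocks(unalloc, date))
    print("same hits as regular block numbers:", search_unallocated(regular, allocated, date))
```

Searching the unallocated image finds only the deleted memo, and the mapping turns its dls block number back into the regular block number that block browsing expects.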


TIME LINE ANALYSIS: A time line of file activity can be created and
viewed.  The time line allows one to identify file and directory 
locations to examine.  The times associated with files can be easily
modified, so the time line should be used as reference only.  
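As an added example (not Autopsy's code), the following builds a time line of the kind described above from a handful of constructed inode records, merging the Modified, Access and Changed events that fall on the same timestamp for a file, and includes one simple check that illustrates why the time line is a reference only: a modification time later than the change time.

```python
from datetime import datetime, timezone

# Constructed inode records: (path, mtime, atime, ctime) as UNIX epoch
# seconds, standing in for what the TASK tools report for an image.
RECORDS = [
    ("/etc/passwd",       1024400000, 1024481000, 1024400000),
    ("/tmp/.hidden/sh",   1024480000, 1024480500, 1024480000),
    ("/var/log/messages", 1024481000, 1024481000, 1024481000),
    # mtime later than ctime: a modification time that was set by hand
    ("/usr/bin/ls",       1034480900, 1024481000, 1024480900),
]


def flag_string(flags):
    """Render the set of time types hit as a fixed 'mac' column, e.g. 'm.c'."""
    return "".join(f if f in flags else "." for f in "mac")


def timeline(records, tz=timezone.utc):
    """Build a time line: one row per (timestamp, file), oldest first, with
    the M/A/C flags of that file that fall on that timestamp merged."""
    events = {}
    for path, mtime, atime, ctime in records:
        for stamp, flag in ((mtime, "m"), (atime, "a"), (ctime, "c")):
            events.setdefault((stamp, path), set()).add(flag)
    rows = []
    for stamp, path in sorted(events):
        when = datetime.fromtimestamp(stamp, tz).strftime("%Y-%m-%d %H:%M:%S")
        rows.append((when, flag_string(events[(stamp, path)]), path))
    return rows


def mtime_after_ctime(records):
    """Files whose modification time is later than their change time.  On a
    UNIX file system, setting mtime also updates ctime, so mtime > ctime
    normally means the clock or the timestamps were tampered with."""
    return [path for path, mtime, _atime, ctime in records if mtime > ctime]


if __name__ == "__main__":
    for when, flags, path in timeline(RECORDS):
        print(when, flags, path)
    print("mtime after ctime:", mtime_after_ctime(RECORDS))
```

Times are rendered in UTC here for reproducibility; in Autopsy the timezone comes from the fsmorgue entry for the image.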


FILE SYSTEM DETAILS: Details about the file system are displayed.
Examples of this mode include the Volume name, last mount time, and the
physical layout of the data structures.


INVESTIGATOR NOTES: An investigator can add notes about any file, data
unit, or meta data structure.  The notes can be viewed through Autopsy
at the Main Menu or by any text editor.  The notes file is saved in the
'logs' directory.  When viewing through Autopsy, the location that the
note refers to can be easily viewed.


REPORT GENERATION:  Each of the above browsing techniques allows a report
to be generated.  This report lists the date, md5 value, investigator,
and other context information in a text format.  This can be used for
record keeping when deleted blocks of data have been found.



Requirements
-----------------------------------------------------------------------------
Supported Platforms:
Autopsy will run on any system that is supported by TASK (except CYGWIN).

Autopsy needs the following software:

The @stake Sleuth Kit (TASK)
  http://www.atstake.com/research/tools/task/index.html

Perl (5.002 or above)
  If large files will be used (larger than 2GB), Perl must be compiled
  to support Large Files.  The default version of Perl with most
  operating systems does not support Large Files.  For example, the
  perl with Red Hat 7.2 does not.

HTML Browser:
  Any that supports frames and forms will do.  Some issues exist with
  some versions of Internet Explorer.  Netscape and Mozilla always work
  fine though.  Explorer will sometimes error when referencing 'localhost',
  but '127.0.0.1' will work.  

Recommended UNIX Utilities (most platforms already have these).  The
default version that comes with some systems is not supported by Autopsy;
for example, the grep in Solaris and the strings in Mac OS X.

  grep: http://www.gnu.org/software/grep/grep.html
  strings: http://www.gnu.org/software/binutils/binutils.html


NOTE: Autopsy 1.5 will not run using TCT and TCTUTILs.  If you are
still using TCT and TCTUTILs, then you must use Autopsy 1.01. 

NOTE: The strings in Mac OS X does not support the flags that Autopsy
needs.  Email me for a script that will fix it (carrier@atstake.com).


Regular Usage
------------------------------------------------------------------------------
To use Autopsy:
1. Place drive images in the morgue directory.  They should be created
   using something like: dd if=/dev/rawdevice of=imagefile
   Note that the image names must be named with simple characters,
   letters, numbers, '-', '_', and '.'.  See Security Considerations for 
   more details.

2. Edit the fsmorgue file to add the new images.  The format is the image
   name, a tab (or any white space), the file system type (e.g. openbsd),
   a tab, the directory that it was originally mounted on (e.g. /usr/),
   a tab, and the original timezone (e.g. EST5EDT).  For example:

       wd0e.dd    openbsd    /usr    EST5EDT
       c.dd       ntfs       c:      EST5EDT

   You can also import the output of running 'strings -t d' on an
   image.  The syntax for the strings file of the wd0e.dd image is:

       wd0e.dd.str    strings    wd0e.dd

   Similarly, if you would like to import the output of running 'dls'
   on an image, the syntax is:

       wd0e.dls      dls       wd0e.dd

   To get a listing of supported file system types, start a TASK tool
   with no arguments.  Supported types will be printed.  The current
   types include: 
     bsdi, fat, fat12, fat16, fat32, freebsd, linux-ext2, linux-ext3,
     ntfs, openbsd, solaris

3. Start the Autopsy daemon

         # ./autopsy 8888 localhost

   To access from a remote location, replace 'localhost' with the IP 
   or hostname.  

4. Point your HTML browser to the location printed to stdout:
         host:port/cookie/autopsy
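The following is an added example, not part of Autopsy, of a parser for the fsmorgue format described in step 2 that also enforces the file-name rule from step 1.  The sample fsmorgue text is constructed; treating '#' lines as comments and requiring a strings or dls entry to come after its parent image are this example's own conventions, not something the README states.

```python
import re

# Autopsy's naming rule for files in the morgue directory: letters, digits,
# '-', '_' and '.' only.  Anything else (notably '/') is refused, so a name
# taken from a URL can never climb out of the morgue directory.
SIMPLE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")

# File system types listed as supported in this README.
FS_TYPES = {"bsdi", "fat", "fat12", "fat16", "fat32", "freebsd",
            "linux-ext2", "linux-ext3", "ntfs", "openbsd", "solaris"}

# Constructed fsmorgue contents covering the three entry kinds.
SAMPLE_FSMORGUE = """\
# image        type       mount   timezone
wd0e.dd        openbsd    /usr    EST5EDT
c.dd           ntfs       c:      EST5EDT
wd0e.dd.str    strings    wd0e.dd
wd0e.dls       dls        wd0e.dd
"""


def check_name(name):
    """Accept only simple morgue file names; '.' and '..' match the
    character class but name directories, so they are refused as well."""
    if not SIMPLE_NAME.match(name) or name in (".", ".."):
        raise ValueError(f"unsafe morgue file name: {name!r}")
    return name


def parse_fsmorgue(text):
    """Parse fsmorgue text into a dict keyed by morgue file name.

    Image lines:   <image> <fstype> <mount point> <timezone>
    Derived lines: <file> strings|dls <parent image>
    Blank lines and '#' comments are skipped (this example's convention).
    A derived file must follow the image it was made from (also this
    example's choice)."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()          # any run of white space separates fields
        name = check_name(fields[0])
        if name in entries:
            raise ValueError(f"line {lineno}: duplicate entry {name!r}")
        kind = fields[1] if len(fields) > 1 else ""
        if kind in ("strings", "dls"):
            if len(fields) != 3:
                raise ValueError(f"line {lineno}: {kind} entry needs 3 fields")
            parent = check_name(fields[2])
            if entries.get(parent, {}).get("kind") != "image":
                raise ValueError(f"line {lineno}: unknown parent image {parent!r}")
            entries[name] = {"kind": kind, "parent": parent}
        else:
            if len(fields) != 4:
                raise ValueError(f"line {lineno}: image entry needs 4 fields")
            if kind not in FS_TYPES:
                raise ValueError(f"line {lineno}: unsupported file system {kind!r}")
            entries[name] = {"kind": "image", "fstype": kind,
                             "mount": fields[2], "tz": fields[3]}
    return entries


def rejects(text):
    """True if parse_fsmorgue refuses the given fsmorgue text."""
    try:
        parse_fsmorgue(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, entry in parse_fsmorgue(SAMPLE_FSMORGUE).items():
        print(name, entry)
    print("traversal name rejected:",
          rejects("../../etc/shadow  linux-ext2  /  EST5EDT\n"))
```

The name check is deliberately a whitelist: rather than trying to spot '..' sequences, it accepts only the character set the README allows, which is what lets the server validate URL parameters cheaply.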


Common Configurations
-------------------------------------------------------------------------
The basic usage is for a single user with the client and server on the
same system.  When working on only one host, then conf.pl can be edited
to reflect the morgue directory and the following can be used:

          # ./autopsy 8888 localhost

When working on more than one host at a time, the morgue directory should
be specified on the command line:

        # ./autopsy -m /usr/local/forensics/host1/images 9000 localhost

            and

        # ./autopsy -m /usr/local/forensics/host2/images 9500 localhost

If more than one case is involved, you may also want to save the log and
cookie file in their own directory:

        # ./autopsy -m /usr/local/forensics/host1/images \
            -l /usr/local/forensics/host1/logs 9000 localhost

            and

        # ./autopsy -m /usr/local/forensics/host2/images \
            -l /usr/local/forensics/host2/logs 9500 localhost

If more than one investigator is working on the same case, from different
machines, then the following would likely be best:

        # ./autopsy -m /usr/local/forensics/host1/images \
            -i "Alice" 9000 10.0.0.1

            and

        # ./autopsy -m /usr/local/forensics/host1/images \
            -i "Bob" 9500 10.0.0.2

Another method of using Autopsy and TASK is on a CD.  Then it can be
inserted on a compromised system and the investigator can access the
raw disk devices on a live system.  To do this do the following:

  - Create a morgue directory on the CD that contains symlinks to the 
    raw devices.  Add the corresponding fsmorgue entries.
  - Edit conf.pl so that:
    - No logs or cookies are saved to disk
    - The TASK & morgue directory locations are accurate with respect to
      the CD mounting point.


Security Considerations
-------------------------------------------------------------------------
The Autopsy server is a Perl program that only processes Autopsy
URLs.  It offers simple access control by limiting connections to
the server to one host and by using a random numeric "cookie" to
further authenticate the user.  The random cookie is generated when
the server starts and must be present in every URL.  This allows an
investigator to use a shared machine while restricting access to
only them.  The recommended use is to allow access from localhost
only, so that no traffic is ever sent over the network.  SSH port
forwarding can be used if encryption is needed.

File names in the morgue directory must be very simple (letters,
digits, -, _, and .).  This allows fast and easy checking of file
names passed in the URL and does not allow people to move out of
the morgue directory.  Symbolic links can be created between the
simple names and more complex ones.
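As an added example of the two-part access control described above (one allowed peer host plus a random numeric cookie that must appear in the URL), the following is not Autopsy's code: the cookie width, the constant-time comparison and the URL layout are this example's assumptions, with only the host:port/cookie/autopsy shape taken from the README.

```python
import hmac
import secrets


class AccessPolicy:
    """Models the server-side check: a request is served only if it comes
    from the one allowed host AND its URL path starts with the cookie."""

    def __init__(self, allowed_host, cookie=None):
        self.allowed_host = allowed_host
        # Autopsy generates a random numeric cookie at start-up.  Its width
        # is not stated in the README; 64 bits from the OS CSPRNG is an
        # assumption made for this example.
        self.cookie = str(cookie if cookie is not None else secrets.randbits(64))

    def url_for(self, host, port):
        """The URL the investigator is told to open (host:port/cookie/autopsy)."""
        return f"http://{host}:{port}/{self.cookie}/autopsy"

    def authorize(self, client_addr, request_path):
        """Return (ok, reason).  Both checks must pass; the cookie is
        compared in constant time so a wrong guess leaks no timing."""
        if client_addr != self.allowed_host:
            return False, "peer host not allowed"
        first = request_path.lstrip("/").split("/", 1)[0].split("?", 1)[0]
        if not hmac.compare_digest(first.encode(), self.cookie.encode()):
            return False, "missing or wrong cookie"
        return True, "ok"


if __name__ == "__main__":
    policy = AccessPolicy("127.0.0.1")
    print("open", policy.url_for("localhost", 8888))
    print(policy.authorize("127.0.0.1", f"/{policy.cookie}/autopsy?func=main"))
    print(policy.authorize("10.0.0.5", f"/{policy.cookie}/autopsy"))
    print(policy.authorize("127.0.0.1", "/autopsy"))
```

Restricting the peer to localhost is what keeps the cookie off the wire; when a remote client is needed, the README's advice to tunnel over SSH preserves that property.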


Troubleshooting
------------------------------------------------------------------------------
Autopsy is complaining that it can't find X:
    Verify the variable settings in conf.pl  (see the INSTALL file)

Autopsy takes a very long time to display large directories:
    This occurs because directory contents are displayed as an HTML
    table, and many browsers are not very efficient at displaying
    large tables.  So, it is not Autopsy that is slow, it is the
    browser.

Autopsy hangs when opening directories:
    Same answer as previous question.  Browsers don't like big tables.

Autopsy is getting slower and slower:
    If you start an intensive operation, such as searching or making a
    strings file, and you hit the back button, you will not stop the
    search or operation.  There is currently no way to stop these
    types of processes other than issuing a 'kill' command from a
    shell.

Errors are generated by the 'strings' and 'grep' utilities:
    This occurs because you most likely do not have the GNU version and
    the flags are not working.  Install GNU grep and binutils and
    verify that Autopsy is pointing to them in conf.pl.

Internet Explorer gives protocol and host errors:
    If you are accessing the localhost, then use the 127.0.0.1 IP
    address instead of the localhost name.

An image doesn't show up on the menu:
    Make sure your version of Perl supports large files.

------------------------------------------------------------------------------
Brian Carrier
June 19, 2002
