                  Autopsy Forensic Browser v1.71

                 http://www.sleuthkit.org/autopsy
                  http://autopsy.sourceforge.net

                Brian Carrier [carrier@sleuthkit.org]


Quick Overview
-----------------------------------------------------------------------------
The Autopsy Forensic Browser is a graphical interface to utilities
found in The Sleuth Kit, which are open source tools for the forensic
analysis of Microsoft and UNIX file systems.  It allows the allocated
and deleted files, directories, data units, and meta data of file
system images to be analyzed in a read-only environment.  Images
can be searched for strings and regular expressions to recover
deleted material.  It also allows one to create a detailed time
line of the Modified, Access, and Changed times of files.  Hash
databases are used to identify if a file is known to be good or
bad.  Files can also be organized based on their file type - instead
of just viewing them by directory listings.

Autopsy is HTML-based and uses a client-server model.  The Autopsy
server runs on many UNIX systems and the client can be any platform
with an HTML browser.  This enables one to create a flexible
environment with a central Autopsy server and several remote clients.
For incident response scenarios, a CD with The Sleuth Kit and
Autopsy can be created to allow the responder read-only remote
access to a suspect system from an HTML-browser on a trusted system.

Autopsy will not modify the original images and the integrity of the
images can be verified in Autopsy using MD5 values.



Case Management
-----------------------------------------------------------------------------
Starting with Autopsy 1.70, you can have multiple cases.  When
Autopsy is started, there is an Evidence Locker directory (specified
on the command line or at installation time).  This directory is
the base where all cases will be stored.

A CASE is any investigation and can have one or more hosts in it.
A list of investigators is assigned to each case.  Each case gets
a subdirectory of the evidence locker and there is a configuration
file for the case and the list of investigators.

A HOST is a subset of a CASE.  A host contains one or more file
system images that are analyzed.  Each host gets a subdirectory
in the case directory.  Each host has its own configuration file
that describes the files that it uses.  Each host also has five
directories in it:
  - images: for all the file system images - this should have strict
    permissions to prevent modification
  - output: for all output files from tools.  This includes unallocated
    disk space and data unit contents.
  - logs: Audit logs and investigator notes are stored here
  - reports: All ASCII and HTML reports can be stored here
  - mnt: Can be used to mount the images in loopback mode



Main Functions
-----------------------------------------------------------------------------
FILE BROWSING:  Allows browsing the image as a file system.  This
gives a list of directories on the left, and files and file content
on the right hand side.  The output of each file can be seen as
ASCII or can be run through strings(1), if it exists.  

Since this analyzes directory entries, deleted file names can
still be seen and, depending on the OS, the deleted file contents
can also be easily recovered.  If a file name has a check mark before
it, it has been deleted.  The directory contents listings can be
resorted based on name, size, times, etc. by selecting the proper
column header.


META DATA BROWSING: Meta Data is descriptive data about a file.
This includes information such as times, owner id, and a list of
data unit pointers.  This mode allows one to view the contents of
the file system structures that hold these values.  In UNIX-based
file systems these are typically called inodes, for FAT they are
directory entries, and for NTFS they are MFT entries.   In this
mode, one enters the address of the structure and the details are
shown.  The file name(s) that point to the structure will also be
displayed (even if they have been deleted, for some OSes).

Meta data browsing can also be entered from within File browsing.
When the file's meta data address is selected, the browser switches
to meta data mode and displays the associated details.  The data
units that the file has allocated can be viewed using the data unit
browsing.


DATA UNIT BROWSING:   All file systems need to store file data
somewhere.  Typically, the file system space is organized into large
chunks of consecutive bytes.  These chunks have different names
depending on the file system type, so we will just refer to them
as data units.   For UNIX-based file systems the chunks are fragments,
for FAT they are sectors or clusters, and for NTFS they are sectors.

This mode allows one to examine any data unit they want.  Just
enter the address and it is displayed in a variety of formats.
This is most useful when used with searching or meta data browsing.
The contents of the data unit can be displayed in ASCII, hexdump,
or by running the raw output through strings(1).  The meta data
structure that has allocated the unit will be displayed (if any)
along with the file name (if any).

There are two types of data unit addresses in Autopsy, regular and
unallocated.  The regular address is the unit number in a regular
image created from dd.  The unallocated address is the unit number
in an image created from the unallocated units in a regular image
(by using dls).  When unallocated addresses are entered, they are
converted to the regular address and the corresponding regular unit
is shown.   This is useful when using Autopsy along with foremost 
(http://foremost.sourceforge.net) or Lazarus (TCT).


KEYWORD SEARCHING:  Search an image using grep(1) for a given
string.  The result will be a list of data units that have this
string.  Selecting each unit brings the user into Data Unit mode
to view the contents.  Case insensitive searches and 'grep' regular
expression searches can also be performed.  To decrease the searching
time, a file can be generated with just the ASCII strings of the
image.  Also, the unallocated data can be extracted and searched
to make deleted data recovery more efficient.

The search.pl file contains predefined search values.  Autopsy
currently comes with a regular expression to identify date strings
and IP addresses.  Additional values can be added by the user.
The format is given in the file.
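As an added illustration in Python (not code from Autopsy itself) of the two ideas above: hits from a keyword or regular-expression search become data unit addresses by dividing each match's byte offset by the unit size, and a hit found in a dls (unallocated-only) image is mapped back to its regular address through the list of unit numbers that dls extracted. The image contents, the 512-byte unit size and the IP-address pattern are constructed for the example.

```python
import re

UNIT_SIZE = 512  # constructed: 512-byte data units (FAT sectors)


def search_units(image: bytes, pattern: bytes, regex: bool = False,
                 unit_size: int = UNIT_SIZE) -> list:
    """Return the sorted unit addresses whose contents match.  This is what
    Autopsy derives from 'grep -b' byte offsets: offset // unit size.  A
    match that straddles a boundary is reported at the unit it starts in."""
    pat = pattern if regex else re.escape(pattern)
    return sorted({m.start() // unit_size for m in re.finditer(pat, image)})


def unalloc_to_regular(unalloc_addr: int, unalloc_units: list) -> int:
    """Map an address in a dls (unallocated-only) image back to the unit
    number in the original dd image.  unalloc_units lists, in order, the
    regular unit numbers that dls copied out, so the mapping is a lookup."""
    if not 0 <= unalloc_addr < len(unalloc_units):
        raise ValueError("unallocated address %d out of range" % unalloc_addr)
    return unalloc_units[unalloc_addr]


# Constructed 8-unit image: unit 2 is allocated, units 1, 3 and 6 are free.
IMAGE_UNITS = [bytes(UNIT_SIZE) for _ in range(8)]
IMAGE_UNITS[2] = b"allocated file mentions secret".ljust(UNIT_SIZE, b"\0")
IMAGE_UNITS[3] = b"old log line from 10.0.0.5".ljust(UNIT_SIZE, b"\0")
IMAGE_UNITS[6] = b"secret.txt was deleted".ljust(UNIT_SIZE, b"\0")
REGULAR_IMAGE = b"".join(IMAGE_UNITS)
UNALLOC_UNITS = [1, 3, 6]                       # what dls would extract
DLS_IMAGE = b"".join(IMAGE_UNITS[u] for u in UNALLOC_UNITS)

# Same idea as the predefined IP-address expression in search.pl (constructed).
IP_REGEX = rb"\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b"


def search_unallocated(pattern: bytes, regex: bool = False) -> list:
    """Search only the unallocated data, then report regular addresses so
    each hit can be opened in data unit mode on the original image."""
    hits = search_units(DLS_IMAGE, pattern, regex)
    return [unalloc_to_regular(a, UNALLOC_UNITS) for a in hits]


if __name__ == "__main__":
    print(search_units(REGULAR_IMAGE, b"secret"))        # [2, 6]
    print(search_units(DLS_IMAGE, b"secret"))            # [2] (dls address)
    print(search_unallocated(b"secret"))                 # [6] (regular)
    print(search_unallocated(IP_REGEX, regex=True))      # [3]
```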


TIMELINE ANALYSIS: A timeline of file activity can be created and
viewed.  The timeline allows one to identify file and directory 
locations to examine.  The times associated with files can be easily
modified, so the time line should be used as reference only.  


IMAGE DETAILS: Details about the file system are displayed.  Examples
of this mode include the Volume name, last mount time, and the
physical layout of the data structures.  For FAT file systems, the
FAT contents are given and UNIX-based systems show the group layouts.


FILE TYPE ANALYSIS:  Data reduction is an important aspect of
digital forensics.  One way of doing data reduction is to exclude
known files and identify unknown files or categories.  The File
Type Analysis mode will examine all of the files in an image and
sort them based on their file type.  For example, all JPEG and GIF
files would be identified as 'images'.  This mode can also identify
files that have an extension that is different than its file type.
This uses the 'sorter' tool from The Sleuth Kit.  The hash databases
are used in this mode to exclude files that are known to be good
and identify 'known bad' files.
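An added sketch of the sorter idea, in Python and not The Sleuth Kit's own code: identify each file by its leading bytes rather than its name, group by category, flag names whose extension disagrees with the detected type, and consult hash databases to drop known-good files and alert on known-bad ones. The magic table, sample files and hash sets are constructed for the example.

```python
import hashlib

# Magic-number table, constructed for this example (sorter uses file(1)).
MAGIC = [
    (b"\xff\xd8\xff", "jpeg", "images"),
    (b"GIF89a", "gif", "images"),
    (b"%PDF-", "pdf", "documents"),
    (b"\x7fELF", "elf", "exec"),
]
# Extensions that agree with a detected type; a type absent here (ELF
# binaries usually have no extension) is not checked for mismatches.
EXT_FOR_TYPE = {"jpeg": {"jpg", "jpeg"}, "gif": {"gif"}, "pdf": {"pdf"}}


def identify(data: bytes) -> tuple:
    """Return (type, category) from the leading bytes, not the name."""
    for sig, ftype, category in MAGIC:
        if data.startswith(sig):
            return ftype, category
    return "unknown", "unknown"


def sort_files(files: dict, known_good: set, known_bad: set) -> dict:
    """files maps name -> content.  Returns category -> [names], plus
    'excluded' (MD5 in the known-good database), 'alert' (MD5 in the
    known-bad database) and 'mismatch' (extension disagrees with type)."""
    result = {}
    for name, data in files.items():
        md5 = hashlib.md5(data).hexdigest()
        if md5 in known_good:           # data reduction: drop known files
            result.setdefault("excluded", []).append(name)
            continue
        if md5 in known_bad:
            result.setdefault("alert", []).append(name)
        ftype, category = identify(data)
        result.setdefault(category, []).append(name)
        ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
        expected = EXT_FOR_TYPE.get(ftype)
        if expected and ext not in expected:
            result.setdefault("mismatch", []).append("%s (%s)" % (name, ftype))
    return result


# Constructed sample files: notes.txt is really a GIF, tool is a known-bad ELF.
SAMPLE = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "notes.txt": b"GIF89a\x01\x00\x01\x00",
    "readme.txt": b"just some text",
    "tool": b"\x7fELF\x02\x01\x01",
    "libc.so": b"\x7fELF\x02\x01\x01\x00trusted",
}
KNOWN_GOOD = {hashlib.md5(SAMPLE["libc.so"]).hexdigest()}
KNOWN_BAD = {hashlib.md5(SAMPLE["tool"]).hexdigest()}
```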


INVESTIGATOR NOTES: An investigator can add notes about any file, data
unit, or meta data structure.  The notes can be viewed through Autopsy
at the Main Menu or by any text editor.  The notes file is saved in the
'logs' directory.  When viewing through Autopsy, the location that the
note refers to can be easily viewed.


REPORT GENERATION:  Each of the above browsing techniques allows
a report to be generated.  This report lists the date, md5 value,
investigator, and other context information in a text format.  This
can be used for record keeping when deleted data has been found.


THE CELL:  In an ideal world, forensics should only be performed
on an air-gapped network.  In some cases, such as incident response
of critical systems, this is not possible.  For this reason and
because of a history of HTML-browser security issues, files in
Autopsy are not "interpreted" by your browser.  For example, an
HTML document by default will be shown as the raw HTML text.  If
an investigator wants to view the actual HTML output or an image,
they can do so in a sterilized environment that parses out embedded
scripts and off-site references.



Requirements
-----------------------------------------------------------------------------
Supported Platforms:
Autopsy will run on any system that is supported by The Sleuth Kit.

Autopsy needs the following software:

The Sleuth Kit (version 1.61 or above)
  http://www.sleuthkit.org/sleuthkit
  http://sleuthkit.sourceforge.net

PERL (5.002 or above)
  If large files will be used (larger than 2GB), Perl must be compiled
  to support Large Files.  The default version of Perl with most 
  Operating Systems does not support Large Files.  For example, the
  perl with Redhat 7.2 does not.  

HTML Browser:
  Any that supports frames and forms will do.  Some issues exist with
  some versions of Internet Explorer.  Netscape and Mozilla always work
  fine though.  Explorer will sometimes error when referencing 'localhost',
  but '127.0.0.1' will work.  

Recommended UNIX Utilities (most platforms already have these).  The
default versions that come with some systems are not supported by Autopsy,
for example the grep in Solaris and the strings in Mac OS X.

  grep: http://www.gnu.org/software/grep/grep.html
  strings: http://www.gnu.org/software/binutils/binutils.html

NOTE: The strings in Mac OS X does not support the flags that
Autopsy needs.  Email me for a script that will fix it
(carrier@sleuthkit.org)


Regular Usage
------------------------------------------------------------------------------
To use Autopsy:
1. Ensure that the evidence locker directory has been created and start
Autopsy.  

    # ./autopsy 

Copy and paste the URL into an HTML browser on the local system.  It
will look something like:

    http://localhost:9999/290263284571318993/autopsy

2. Select the 'Create Case' button and enter a name and list of
valid investigator names.  Note that both the case and investigator
names must be valid directory names.

3. Select the case from the Case Gallery and then select 'Add Host' in
the Host Gallery menu.  Enter the host name, and time information
such as the timezone and clock skew (if known).  The timeskew is
how many seconds fast or slow the original system was and the output
times will be adjusted using it.  For example, if the host was 3
seconds slow, this field would get a '-3'.

4.  Select the host from the Host Gallery and then select 'Add Image'
in the Host Manager menu.  Copy the images to the directory shown on
the screen.  It is a subdirectory of the Evidence Locker for the new
host and case that have been created.  After the images are in the
directory, press 'Refresh'.  The images must be partition images
in a raw format (i.e. dd).

5.  Select the file system type and mounting information.  By default,
the MD5 value will be calculated for the image and saved for future
integrity checks.  If you already know it, select 'Add Known Value' and
paste it in.   

6.  Continue to add images and hosts to the case.  When done, select one
of the images and use the different browsing modes.


Common Configurations
-------------------------------------------------------------------------
The basic usage is for a single user with the client and server on the
same system.  Autopsy 1.70+ can now handle more than one case at a time.
The syntax is as follows for the server to run on port 9999 and only 
allow access from localhost:

          # ./autopsy

To specify a different port number, use this:

          # ./autopsy 8888

To specify both a port and remote address use:

          # ./autopsy 9999 localhost

If more than one investigator is going to be using the same server, then
just choose different ports:

        # ./autopsy 9000 10.0.01

        and

        # ./autopsy 9050 10.0.50

You can also specify a new evidence locker location by providing
the '-d' argument:

       # ./autopsy -d /usr/local/forensics2


Security Considerations
-------------------------------------------------------------------------
The Autopsy server is a Perl program that only processes Autopsy
URLs.  It offers simple access control by limiting access to the
server to one host and uses a random numeric "cookie" to further
authenticate a user.  The random cookie is generated when the server
starts and must be present in the URL.  This allows an investigator
to use a public machine while restricting access to only them.  The
recommended configuration is to allow access from localhost only, so
that no traffic is ever sent on the network.  SSH forwarding can be
used if encryption is needed.

File names must be very simple (letters, digits, -, _, and .).
This allows fast and easy checking of file names passed in the URL
and prevents anyone from moving out of the morgue directory.
Symbolic links can be created between the simple names and more
complex ones.
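The three checks described in this section, written out as an added Python example (Autopsy itself is Perl, and this is not its code): the client address must match the single allowed host, the first path segment of the URL must equal the random cookie minted at start-up, and any file-name parameter must satisfy the simple character set. The allowed host value and the parameter names 'img' and 'file' are assumptions made for the example.

```python
import re
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the model described above: one allowed client
# host, a random numeric cookie minted at server start, and a strict
# character set for any file name that arrives in the URL.
ALLOWED_HOST = "127.0.0.1"
COOKIE = str(secrets.randbelow(10 ** 18))      # changes on every start
SIMPLE_NAME = re.compile(r"[A-Za-z0-9._-]+")
FILE_PARAMS = ("img", "file")                  # hypothetical parameter names


def valid_file_name(name: str) -> bool:
    """Letters, digits, '-', '_' and '.' only: such a name can never hold a
    path separator, and '.'/'..' are refused, so it cannot leave the morgue
    directory; anything else (including an empty name) is rejected."""
    return bool(SIMPLE_NAME.fullmatch(name)) and name not in (".", "..")


def check_request(client_addr: str, url: str) -> tuple:
    """Apply the three checks to a request such as
    http://127.0.0.1:9999/<cookie>/autopsy?img=host1.dd and return
    (allowed, reason)."""
    if client_addr != ALLOWED_HOST:
        return False, "client address not allowed"
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    # First path segment must equal the cookie; compare in constant time.
    if not segments or not secrets.compare_digest(segments[0].encode(), COOKIE.encode()):
        return False, "missing or wrong cookie"
    query = parse_qs(parts.query, keep_blank_values=True)
    for param in FILE_PARAMS:
        for value in query.get(param, []):
            if not valid_file_name(value):
                return False, "rejected %s=%r" % (param, value)
    return True, "ok"


if __name__ == "__main__":
    ok_url = "http://127.0.0.1:9999/%s/autopsy?img=host1.dd" % COOKIE
    print(check_request("127.0.0.1", ok_url))                         # (True, 'ok')
    print(check_request("10.0.0.7", ok_url))                          # wrong host
    print(check_request("127.0.0.1", "http://127.0.0.1:9999/1/autopsy"))  # bad cookie
    print(check_request("127.0.0.1",
                        ok_url.replace("host1.dd", "../othercase/host.dd")))  # bad name
```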


Troubleshooting
------------------------------------------------------------------------------
Autopsy is complaining that it can't find X:
    Verify the variable settings in conf.pl  (see the INSTALL file)

Autopsy takes a very long time to display large directories:
    This occurs because directory contents are displayed as an HTML
    table, and many browsers are not very efficient at displaying
    large tables.  So, it is not Autopsy that is slow, it is the
    browser.

Autopsy hangs when opening directories:
    Same answer as previous question.  Browsers don't like big tables.

Autopsy is getting slower and slower:
    If you start an intensive operation, such as searching or making a
    strings file, and you hit the back button, you will not stop the
    search or operation.  There is currently no way to stop these
    types of processes besides issuing a 'kill' command from a
    shell.

Errors are generated by the 'strings' and 'grep' utilities:
    This occurs because you most likely do not have the GNU version and
    the flags are not working.  Install GNU grep and binutils and
    verify that Autopsy is pointing to them in conf.pl.

Internet Explorer gives protocol and host errors:
    If you are accessing the localhost, then use the 127.0.0.1 IP
    address instead of the localhost name.

A file system image doesn't show up on the menu:
    Make sure your version of Perl supports large files.


Feedback
------------------------------------------------------------------------------
Please e-mail me with suggestions on what you would like to see done
differently and new features.  


------------------------------------------------------------------------------
Brian Carrier
Mar 31, 2003
