This experiment was performed on December 2008 in order to support my statement on similarities of forensic applications running under between Ubuntu and Windows. From all experiments I carried out under Ubuntu, I can say that Ubuntu is excellent operating system, particulalry when it is used for forensic purposes.
One of requests which is often asked to the forensics investigators is deleted files recovery in order to obtain more evidence related to the case. When a file is deleted, so the clusters being occupied by the file will be marked by the OS as 'unallocated' in the file allocation table. It means the clusters can be used by the OS to store a new file which will then overwrite the deleted files. As long as the unallocated clusters are not occupied by another files yet, so the deleted files can be recovered perfectly, otherwise the deleted files can not be recovered but there is still possiblity to gain the partial data of deleted files as 'slack' which is started from the end of file to the end of cluster.
One of requests which is often asked to the forensics investigators is deleted files recovery in order to obtain more evidence related to the case. When a file is deleted, so the clusters being occupied by the file will be marked by the OS as 'unallocated' in the file allocation table. It means the clusters can be used by the OS to store a new file which will then overwrite the deleted files. As long as the unallocated clusters are not occupied by another files yet, so the deleted files can be recovered perfectly, otherwise the deleted files can not be recovered but there is still possiblity to gain the partial data of deleted files as 'slack' which is started from the end of file to the end of cluster.
For this reason, the experiments using Autopsy running under Ubuntu was performed in order to carry out unallocated sectors recovery. The object of this experiment is deleted files in the image file of partition1.dd from previous experiment I performed on forensics imaging.
After running 'sudo autopsy' command and typing 'http://localhost:9999/autopsy' in the Firefox internet browser and entering the input data such as case name, host name, image location and so on, it is displayed the Autopsy window containing choices for forensics investigators to perform such as file analysis, keyword search, file type, image details, metadata and data unit. In my point of view, the Autopsy is one of powerful forensics tools I know.
Through file analysis, in the 'c:\ExperimentMaterials\Documents' directory, it was found some deleted files including written date, accessed date, created date, size and metadata. The deleted files are 'Additional Papers for Strathclyde.doc', 'Alien Song.mpg', 'Analisa EnCase Cloned 1.ppt', 'CHFA v3 Module 01 Computer Forensics in Todays World.pdf' and so on. It was also found the deleted picture files in the directory 'c:\ExperimentMaterials\Pictures'. These deleted files which can be displayed in ASCII, Hex and ASCII Strings can be extracted to be saved in another place for further analysis.
Figure 1
Through Autopsy, the deleted files can be recovered including time stamps and metadata
Through Autopsy, the deleted files can be recovered including time stamps and metadata
The experiment results above is the same as the results I obtain when I run Forensic Toolkit (FTK) which is one of my favourite forensic tools for the prupose of deleted files recovery. Although the results are the same, but there is a big difference between them, namely Autopsy which is based on The Sleuthkit (TSK) is free, while FTK is commercial.
No comments:
Post a Comment