In this journal, the image file is a dd file which is obtained from the acquisition process previously. After checking the hash value of the dd image file which must be identical with the evidence of storage media, the dd is then analysed in the following further actions.
Method: Physical analysis with the use of Autopsy
Autopsy is graphical interface form of The Sleuthkit (TST) created by Brian Carrier. TST is designed to be used in command lines on terminal, while Autopsy is a browser for running TST. As Autopsy is a browser, it provides an ease for digital forensic analyst to investigate the evidence. Both applications are reliable for forensic analysis like other commercial applications such as EnCase and Forensic Toolkit (FTK) running under Ms Windows OS. TST and Autopsy are used to analyse the file system of evidence in a non-intrusive way. As it does not rely on the operating system to examine the file system, it can show the deleted and hidden contents.
According to the author as described in the Synaptic Package Manager, it allows the analyst to examine the layout of disks and other media. It supports DOS partitions, BSD partitions (disk labels), Mac partitions, and Sun slices (Volume Table of Contents). With these tools, the analyst can identify where partitions are located and extract them so that they can be analysed with file system analysis tools. It provides case management, image integrity, keyword searching, and other automated operations for investigative purposes.
As explained in the Synaptic, autopsy starts the Autopsy Forensic Browser server on port 9999 and accepts connections from the localhost. If the -p port is given, then the server opens the port and if address is given, then connections are only accepted from that host. When the -i argument is given, then autopsy goes into live analysis mode.
Method: Physical analysis with the use of Autopsy
Autopsy is graphical interface form of The Sleuthkit (TST) created by Brian Carrier. TST is designed to be used in command lines on terminal, while Autopsy is a browser for running TST. As Autopsy is a browser, it provides an ease for digital forensic analyst to investigate the evidence. Both applications are reliable for forensic analysis like other commercial applications such as EnCase and Forensic Toolkit (FTK) running under Ms Windows OS. TST and Autopsy are used to analyse the file system of evidence in a non-intrusive way. As it does not rely on the operating system to examine the file system, it can show the deleted and hidden contents.
According to the author as described in the Synaptic Package Manager, it allows the analyst to examine the layout of disks and other media. It supports DOS partitions, BSD partitions (disk labels), Mac partitions, and Sun slices (Volume Table of Contents). With these tools, the analyst can identify where partitions are located and extract them so that they can be analysed with file system analysis tools. It provides case management, image integrity, keyword searching, and other automated operations for investigative purposes.
As explained in the Synaptic, autopsy starts the Autopsy Forensic Browser server on port 9999 and accepts connections from the localhost. If the -p port is given, then the server opens the port and if address is given, then connections are only accepted from that host. When the -i argument is given, then autopsy goes into live analysis mode.
There are four consecutive steps related to physical analysis, namely:
Step 1: Initiating the Autopsy browser
Step 2: Configuring the case
Step 3: Analysing the image
Step 4: Closing the analysis
For full description on the steps above, please access http://www.scribd.com/doc/24695990/Forensic-Cop-Journal-3-1-2009-Standard-Operating-Procedure-of-Physical-Analysis-on-Ubuntu. On this link, the pdf version of this journal can be downloaded.
Good Luck...!
No comments:
Post a Comment