Unit 4: Unix/Linux Forensics Analysis - 4.3 Activity and Discussion - Activity: Practicing Autopsy


ACTIVITY: PRACTICING AUTOPSY

Time: This activity should take you approximately 60 minutes to complete.

SOFTWARE

In this exercise, you will use Autopsy, a GUI-based front end for Sleuthkit, to analyze files. While Sleuthkit/Autopsy runs on multiple platforms, you will use Autopsy for Windows. Download and install Autopsy on your Windows system or on a Windows virtual machine.

Autopsy download
Autopsy User Guide

You will also use the disk image Linux Financial Case.001 from the Unit 3 activities. After you download and extract the image .zip file, validate both its MD5 and SHA1 hash values:

MD5 (Linux Financial Case.001) = 7b39de0ca146c89ad73d1d421c8f7a05
SHA1 (Linux Financial Case.001) = c7b06f006ff79711e692bd2620aba4cc2a4426d2

GOAL

In this exercise, you will practice with the forensic tool Autopsy, using it to examine file ownership and permissions in a device image.

You may want to review my demonstration video Autopsy Demo to learn the Autopsy basics before beginning this activity.

CASE SCENARIO

Mark Watson works as a Director of Finance at an advertising firm. He has been accused of illegally providing the annual financial report (Earnings.xls) to a contractor, Frank Lewis, to influence his next contract with the firm. Mark has denied sharing any document with Frank.

The IT administrator informed you that there is a Linux-based file server in the office where all employees save the official documents. Mark and Frank each have their own folders on this server.

You have been given the image of the hard drive, Financial Case.001, to find the evidence that proves Frank has permission to read the financial report Earnings.xls.

INSTRUCTIONS

Create the case

1. Launch Autopsy from the Toolbox folder on the desktop.
2. Select > Create New Case.
3. Name the case Financial Case.
4. Use the default Base Directory (Desktop); Autopsy will store the case data in Desktop\Financial Case.
5. Enter the Case Number as 1 and enter your name as Examiner.
6. Click Finish. You will see the "Add Data Source" window.
7. Select the data source type: choose Disk Image or VM File. Browse and select the path to the file Linux Financial Case.001.
8. Select your local time zone and click Next. You will see the Ingest (processing) modules window.
   NOTE: When you acquire a computer as evidence, it is important to make note of the computer's time and time zone, especially if you need to correlate evidence from different time zones. You should never assume that the time or time zone on a computer is correct.
9. Select the Ingest Modules. Leave all modules checked. Click Next, then click Finish.
   NOTE: Ingest modules analyze the data in a data source. They perform all of the analysis of the files and parse their contents.

You will see "Analyzing files from Financial Case.001" status at the lower right corner of the Autopsy Screen.

NOTE: Once you have the case created, you can reopen it at any time in Autopsy using Open Existing Case, then choose Desktop\Financial Case\Financial Case.aut file.

Explore the image contents and answer questions about the case

The Tree Viewer, located on the left side of the Autopsy screen, shows the discovered folders grouped by the data source they come from, as well as the list of files in each folder. Each folder in the tree shows, in parentheses after the directory name, how many items it contains.

You can see the Autopsy UI layout here.

Explore the "Data Sources" tree on the left side of the Autopsy screen. When you select a directory in the tree, the files in that directory are shown in the Table Viewer located on the top right of the Autopsy screen. It displays the files and their corresponding attributes such as time, path, size, checksum, etc.

Use that information to answer the Case Questions.
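The check the case questions ask you to make by hand, written out as an added example that is not part of the original activity or of Autopsy: given the mode string, owner UID and group GID recorded for a file, plus the passwd and group entries recovered from the image's /etc, decide which accounts can read the file. The account names, UIDs, GIDs and the passwd/group excerpts below are constructed for illustration and are not taken from the case image.

```python
# Constructed /etc/passwd excerpt (name:x:uid:gid:gecos:home:shell); not from the case image.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
mwatson:x:1001:1001:Mark Watson:/home/mwatson:/bin/bash
flewis:x:1002:1002:Frank Lewis:/home/flewis:/bin/bash
"""

# Constructed /etc/group excerpt (name:x:gid:member,member); not from the case image.
GROUP = """\
finance:x:2000:mwatson
contractors:x:2001:flewis
"""

def parse_passwd(text):
    """Map user name -> (uid, primary gid) from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, uid, gid, *_ = line.split(":")
            users[name] = (int(uid), int(gid))
    return users

def parse_group(text):
    """Map gid -> set of supplementary member names from group-format lines."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, gid, members = line.split(":")
            groups[int(gid)] = {m for m in members.split(",") if m}
    return groups

def can_read(mode, owner_uid, group_gid, user, users, groups):
    """Standard Unix DAC read check: exactly one class (owner, group, other)
    applies, chosen in that order. `mode` is the rwx string a forensic tool
    shows for the file, e.g. 'rw-r-----' or '-rw-r-----' (type char optional)."""
    perms = mode[-9:]
    uid, primary_gid = users[user]
    if uid == 0:                      # root bypasses DAC read permission
        return True
    if uid == owner_uid:              # owner class decides, even when it denies
        return perms[0] == "r"
    if group_gid == primary_gid or user in groups.get(group_gid, set()):
        return perms[3] == "r"        # primary or supplementary group membership
    return perms[6] == "r"            # everyone else

def who_can_read(mode, owner_uid, group_gid, users, groups):
    """Every account in passwd that the rule grants read access to."""
    return sorted(u for u in users if can_read(mode, owner_uid, group_gid, u, users, groups))
```

Note that a file owned by Mark with mode rw-r----- and a group Frank is not a member of is unreadable by Frank, while the same mode with the file's group set to a group that lists Frank as a member grants him read access; the group column matters as much as the mode string.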

Reposted from: https://www.cnblogs.com/sec875/articles/10015644.html
