FORENSICS WITH AUTOPSY AND PALADIN 7
Petter Anderson Lopes
Abstract: The purpose of this article is to provide an overview of forensic data acquisition and analysis with the Paladin 7 Linux distribution and the Autopsy analysis tool; as such, it does not aim to exhaust the subject. It walks through an example forensic acquisition procedure using the Toolbox tool of the Paladin 7 distribution, after which the Autopsy tool is used to analyze a Windows 10 operating system image. These procedures represent the steps the Forensic Expert follows to answer the technical questions put to them. Finally, this article also briefly discusses some free tools for computer forensics.
Keywords: Computer Forensics. Analysis. Forensics Examiner. Powershell.
Because of rapid technological advances, operating systems are updated all the time, so computer forensics also needs to evolve to keep up with the objects it analyzes. For this reason, the research and analysis of digital evidence, whether for legal or commercial purposes, requires a trained professional: the Forensic Analyst or Forensic Specialist.
A correct acquisition and analysis procedure, aiming at a report of the highest quality, requires following rigorous and well-documented steps. The purpose of this study is to explain some of the steps used to examine evidence; while reading, it will be possible to make a critical analysis of these topics.
There are many commercial tools for forensic acquisition and analysis on the market. However, the cost of the paid tools is often very high, so the use of the tools contained in the Paladin 7 distribution proved to be more interesting as they are totally free.
First, before starting the data transfer, you need to clean the target media, that is, perform a full wipe. It is very important to check the target disk for errors and correct them. Then, for the forensic copy, generate a RAW-type image and save it to a larger-capacity media together with its MD5 and SHA1 hashes. It is very important to always keep two copies of the media, so that if there is a problem with one, the expert has the other.
2.2 Examination and Analysis, techniques and tools
Examination – At the forensic examination stage, the Expert must collect as much data as possible to compose the material for analysis. With the Autopsy software, several plugins are executed at the same time; these plugins have the most diverse specialties, such as Data Carving, an important procedure that recovers deleted data from the system.
Analysis – At this stage, the Expert will review the information collected in the previous procedure. This phase can consume most of the time in the forensic cycle because all sources of information should be investigated. All the questions submitted must be answered at this stage.
The Expert should answer all the questions submitted using only free tools. The acquisition must be done in a Hyper-V environment and must be a bit-by-bit copy of the virtual disk, whose operating system is Windows 10. The user of this virtual machine is suspected of accessing inappropriate content, for example virus infection techniques and anti-forensic tools, which can put the company's network at risk.
The complaint was made by a colleague who claims to have seen suspicious activity on 05/30/2017. The company manager decided to hire an Expert Consultant to answer their questions.
- What are the hash values (MD5 & SHA-1) of the image?
  Do the acquisition and verification hash values match?
- Identify the partition of the PC image.
- Explain installed OS information in detail.
- What is the timezone setting?
- What is the computer name?
- Who was the last user to logon into PC?
- When was the last recorded shutdown date/time?
- Explain the information of network interface(s) with an IP address assigned by DHCP.
- List all traces about the system on/off and the user logon/logoff.
(It should be considered only during a time range between 00:00 and 21:00)
- What web browsers were used?
- What websites were the suspect accessing? (Timestamp, URL…)
- What is the IP address of the company's shared network drive?
- What anti-forensic actions were performed on the PC on the last day, '2017-05-30'?
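The timezone and last-shutdown questions above are normally answered from the SYSTEM registry hive of the image, where Autopsy (or any registry viewer) shows the raw values but does not convert them for the report. The following Python is an added example, not code from the article or from Autopsy; it assumes the examiner has already copied the values out of the hive (the key paths it relies on are listed in the comments), and the raw values it decodes are constructed samples, not taken from the case image.

```python
# Added example: decoding SYSTEM-hive values behind the timezone and
# last-shutdown questions. Assumed locations (standard Windows, not from the
# article); N is the "Current" value under SYSTEM\Select:
#   SYSTEM\ControlSet00N\Control\TimeZoneInformation -> Bias, ActiveTimeBias
#       (REG_DWORD, minutes to add to local time to reach UTC)
#   SYSTEM\ControlSet00N\Control\Windows -> ShutdownTime
#       (REG_BINARY, 8-byte little-endian FILETIME)
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks since 1601-01-01 00:00:00 UTC
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(raw):
    """Convert the 8 raw bytes of a FILETIME value to an aware UTC datetime."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", raw)
    return WINDOWS_EPOCH + timedelta(microseconds=ticks // 10)


def bias_to_offset(dword):
    """Bias/ActiveTimeBias is a signed number of minutes stored in an unsigned
    DWORD (registry viewers show e.g. 4294966756 for -540). UTC = local + Bias,
    so the UTC offset of the machine is minus the bias."""
    if dword >= 2**31:
        dword -= 2**32
    return timedelta(minutes=-dword)


def format_offset(offset):
    """Render a timedelta as 'UTC+hh:mm' / 'UTC-hh:mm' for the report."""
    total = int(offset.total_seconds()) // 60
    sign = "+" if total >= 0 else "-"
    hours, minutes = divmod(abs(total), 60)
    return f"UTC{sign}{hours:02d}:{minutes:02d}"


def last_shutdown(shutdown_raw, active_bias_dword):
    """Answer 'last recorded shutdown' in UTC and in the machine's local time,
    using ActiveTimeBias so daylight saving in effect at the time is honoured."""
    utc = filetime_to_utc(shutdown_raw)
    offset = bias_to_offset(active_bias_dword)
    local = utc.astimezone(timezone(offset))
    return {"utc": utc.isoformat(), "local": local.isoformat(),
            "timezone": format_offset(offset)}


# Constructed sample values (not from the case image)
SAMPLE_SHUTDOWN = struct.pack("<Q", 131406498000000000)  # 2017-05-30 20:30:00 UTC
SAMPLE_BIAS_BRAZIL = 180          # UTC-03:00, shown as 180 by a registry viewer
SAMPLE_BIAS_KOREA = 4294966756    # 0xFFFFFDE4 == -540 minutes, i.e. UTC+09:00

if __name__ == "__main__":
    print(last_shutdown(SAMPLE_SHUTDOWN, SAMPLE_BIAS_BRAZIL))
```

The same FILETIME decoder applies to any other 8-byte timestamp the examiner copies out of a hive; the point of carrying the bias through is that "last day 2017-05-30" in the questions is a local-time boundary, so the UTC value alone could place an event on the wrong day.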
3.2 Forensic Copy
It is already known to many that the acquisition and analysis procedures are extremely critical and demand great care from the expert. The professional needs knowledge of forensic copy tools such as dd, dc3dd, dcfldd and FTK Imager, among others; however, that alone is not enough, since knowing the tools is useless without extreme attention at the moment of acquisition.
The expert can write his own scripts and programs to make his work easier, but this takes time and sometimes more specific programming knowledge, which not everyone has, and time is usually limited. To simplify these tasks, tools were created that automate the process, among them the Paladin Toolbox.
Below you can see the forensic copy procedure of the virtual machine, using the Toolbox tool of Paladin 7.
At the end of the bit-by-bit copy, the procedure logs were generated containing the MD5 and SHA1 hashes of the forensic image, as can be seen below.
File content: windows10.log.hashes
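The log contents themselves are not reproduced on the page. As an added example (not the article's own material and not the Paladin Toolbox's code), the following Python performs the procedure described in the acquisition section and in this one: wipe the target, copy the source bit by bit while computing the acquisition MD5 and SHA1, re-read the finished image for the verification hashes, and write a hash log. On Paladin the copy itself is done with dd/dc3dd or the Toolbox; the file names, the log layout and the constructed sample "device" used here are assumptions.

```python
# Added example: forensic imaging with acquisition and verification hashes.
# Not code from the article, Paladin or the Toolbox; paths, log layout and the
# sample "device" are assumptions so that the procedure runs stand-alone.
import hashlib
import os
import struct
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read the source in 1 MiB blocks


def wipe_target(path, size):
    """Clean the target media first: overwrite with zeros, then read it back
    and confirm every byte really is zero."""
    with open(path, "wb") as f:
        for _ in range(size // CHUNK):
            f.write(b"\x00" * CHUNK)
        f.write(b"\x00" * (size % CHUNK))
    with open(path, "rb") as f:
        return all(block.count(0) == len(block)
                   for block in iter(lambda: f.read(CHUNK), b""))


def _hashes(stream, sink=None):
    """Hash a stream block by block (MD5 + SHA1), optionally copying it to sink."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    for block in iter(lambda: stream.read(CHUNK), b""):
        md5.update(block)
        sha1.update(block)
        size += len(block)
        if sink is not None:
            sink.write(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "bytes": size}


def acquire(source, image):
    """Bit-by-bit copy into a RAW image; the acquisition hashes are computed
    from the source stream as it is read."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        result = _hashes(src, dst)
        dst.flush()
        os.fsync(dst.fileno())  # the image must really be on the media
    return result


def verify(image):
    """Independent re-read of the written image (verification hashes)."""
    with open(image, "rb") as f:
        return _hashes(f)


def acquire_and_verify(source, image, log_path):
    """Acquire, verify and write the hash log; a mismatch means the copy
    cannot be trusted and must be repeated."""
    acq, ver = acquire(source, image), verify(image)
    match = acq["md5"] == ver["md5"] and acq["sha1"] == ver["sha1"]
    with open(log_path, "w") as log:
        log.write(f"Source: {source}\nImage: {image}\n")
        log.write(f"Acquired (UTC): {datetime.now(timezone.utc).isoformat()}\n")
        log.write(f"Bytes copied: {acq['bytes']}\n")
        log.write(f"Acquisition MD5: {acq['md5']}\nAcquisition SHA1: {acq['sha1']}\n")
        log.write(f"Verification MD5: {ver['md5']}\nVerification SHA1: {ver['sha1']}\n")
        log.write(f"Hashes match: {'YES' if match else 'NO'}\n")
    return {"acquired": acq, "verified": ver, "match": match}


def demo():
    """Constructed sample: a 256 KiB 'virtual disk' with a deterministic pattern."""
    work = tempfile.mkdtemp(prefix="acq_")
    source = os.path.join(work, "vdisk.bin")            # stands in for the device
    image = os.path.join(work, "windows10.raw")         # hypothetical image name
    log = os.path.join(work, "windows10.log.hashes")    # log name used in the article
    with open(source, "wb") as f:
        f.write(b"".join(struct.pack("<I", i) for i in range(65536)))
    wiped = wipe_target(image, 64 * 1024)
    result = acquire_and_verify(source, image, log)
    with open(log) as f:
        result.update(target_wiped=wiped, log=f.read())
    return result


if __name__ == "__main__":
    print(demo()["log"])
```

The log records both hash pairs so the report can show that the verification reproduced the acquisition values; when they differ, the image is discarded and the copy repeated, which is also the reason for keeping two copies of the media.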
Forensic Analysis: answering the questions
What are the hash values (MD5 & SHA-1) of image?
ABOUT THE AUTHOR: Petter Anderson Lopes
Cybersecurity Specialist Consultant, Pentester, Computer Forensics Expert Witness, Audit and Analysis of Vulnerabilities.
Certified by ACE (AccessData CERTIFIED EXAMINER).
Computer Forensics (Rochester Institute of Technology, R.I.T.)
Certificate in Computer Forensics and Advanced Penetration Testing.
Lecturer about Penetration Test and Computer Forensics.
Authored articles for eForensics Magazine and PenTest Mag.
e-mail: [email protected]
- System Development, Ethical Hacker, Computer Forensic Expert.