[sleuthkit-users] Autopsy 2.01 - LiveAnalysis Questions
From: Surago J. <su...@sj...> - 2004-06-16 07:32:13
Hi All,

So now that I have managed to get autopsy to run fine for a live analysis (using Perl and libraries from a trusted CD), there are a few things I was wondering, and was hoping someone could confirm or deny for me.

Firstly, it is my understanding that during a live analysis, autopsy v2.01 does not offer any extra functionality that can be found in autopsy when performing a so-called dead analysis on a HDD image (however, during a dead analysis autopsy does have extra functionality not available during a live analysis). Can someone confirm this for me please, just so I know I'm on the right track.

I have created some shell scripts to help automate the incident verification process, by returning information from volatile sources (ps, netstat, arp, ifconfig) using trusted binaries, and it might be useful if autopsy had an interface for these sources of information during a live analysis. Currently I simply pipe the output from these sources through netcat, and save the data file on the evidence server. Obviously access to these information sources would vary from platform to platform, and architecture to architecture, and having not had experience but with more than a few differing platforms I can't comment on how much of an issue/hassle this could be. My current research is limited to the Linux platform, on i?86 architecture, due to resource constraints.

Secondly, I understand that a live analysis is not the preferred method of performing an analysis, and depending on circumstances (every case is different), should be avoided where possible. However, if one was to utilise autopsy for browsing the filesystem, the underlying functionality of autopsy (tools from sleuthkit) does not modify the MAC times on directories and files browsed. If someone can confirm, or comment on this, it would be much appreciated also.

Any comments, suggestions, ideas, would all be much appreciated, and thank you for your time.

Cheers
Surago Jones.
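As an added example (not code from the original post, and not part of The Sleuth Kit or Autopsy), the script below is a POSIX shell collector in the shape of what the post describes: it runs ps, netstat, arp and ifconfig from a trusted CD, writes each output to a file, records a hash of every output in a manifest so the evidence server can verify integrity later, and streams the whole bundle to the evidence host through netcat. The mount point `/mnt/cdrom/bin`, the evidence host `192.0.2.10` (a documentation address used as a placeholder) and port 9999 are assumptions; the script refuses to fall back to the suspect system's own binaries unless `ALLOW_UNTRUSTED=1` is set, since a compromised host's ps or netstat cannot be trusted to report honestly.

```shell
#!/bin/sh
# Added example (not from the original post or from Sleuth Kit/Autopsy):
# volatile-data collection using trusted binaries, hashed output, netcat shipping.
# Assumed (hypothetical) values: trusted CD mounted at $TRUSTED_BIN, evidence
# server listening with something like "nc -l -p 9999 > volatile.tar".

TRUSTED_BIN="${TRUSTED_BIN:-/mnt/cdrom/bin}"   # assumed location of trusted tools
EVIDENCE_HOST="${EVIDENCE_HOST:-192.0.2.10}"    # placeholder (documentation range)
EVIDENCE_PORT="${EVIDENCE_PORT:-9999}"          # placeholder listener port
OUTDIR="${OUTDIR:-/tmp/volatile.$$}"

# Resolve a tool name to the trusted copy on the CD. Only with ALLOW_UNTRUSTED=1
# does it fall back to the suspect system's PATH; otherwise it fails (exit 1).
trusted_cmd() {
    if [ -x "$TRUSTED_BIN/$1" ]; then
        printf '%s\n' "$TRUSTED_BIN/$1"
    elif [ "${ALLOW_UNTRUSTED:-0}" = 1 ] && command -v "$1" >/dev/null 2>&1; then
        command -v "$1"
    else
        return 1
    fi
}

# Hash one file with the strongest tool available; cksum is a last resort only.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# collect OUTDIR TOOL [ARGS...]: run one collector from the trusted CD, save its
# output as OUTDIR/TOOL.txt and append "<hash> <tool> <path> exit=<rc>" to the
# manifest. Returns 1 (and notes MISSING in the manifest) if no trusted copy exists.
collect() {
    outdir="$1"; name="$2"; shift 2
    cmd=$(trusted_cmd "$name") || {
        printf 'MISSING %s\n' "$name" >> "$outdir/manifest.txt"
        return 1
    }
    if "$cmd" "$@" > "$outdir/$name.txt" 2>&1; then rc=0; else rc=$?; fi
    printf '%s %s %s exit=%s\n' "$(hash_file "$outdir/$name.txt")" "$name" "$cmd" "$rc" \
        >> "$outdir/manifest.txt"
}

# Gather the volatile sources named in the post, most transient first.
collect_all() {
    outdir="$1"
    mkdir -p "$outdir"
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$outdir/collected_at.txt"
    collect "$outdir" ps -ef || true
    collect "$outdir" netstat -an || true
    collect "$outdir" arp -an || true
    collect "$outdir" ifconfig -a || true
}

# Stream the output directory as a tar archive to the evidence server over netcat,
# again insisting on the trusted copy of nc.
ship() {
    outdir="$1"
    nc=$(trusted_cmd nc) || return 1
    tar -C "$outdir" -cf - . | "$nc" "$EVIDENCE_HOST" "$EVIDENCE_PORT"
}

# Only act when invoked as "sh volatile_collect.sh run", so the functions can
# be sourced without touching the host.
if [ "${1:-}" = "run" ]; then
    collect_all "$OUTDIR"
    ship "$OUTDIR"
fi
```

On the evidence server, keep the manifest next to the received archive: re-hashing each `.txt` and comparing against the manifest shows whether the files survived transit intact, and the `exit=` field records which collectors failed on the live host rather than silently producing empty output.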