Re: [sleuthkit-users] Autopsy 2.01 - LiveAnalysis Questions
From: Brian C. <ca...@ce...> - 2004-06-16 15:13:15
[The sourceforge server was blacklisted on the SPAM list that sleuthkit.org uses and I can't send e-mail from there ...]

On Jun 16, 2004, at 2:26 AM, Surago Jones wrote:

> Firstly, it is my understanding that during a live analysis, Autopsy
> v2.01 does not offer any extra functionality that can be found in
> Autopsy when performing a so-called dead analysis on a HDD image
> (however, during a dead analysis Autopsy does have extra functionality
> not available during a live analysis). Can someone confirm this for me
> please, just so I know I'm on the right track.

Yes, this is true. The first phase was to provide the basic functionality. Features that require files to be created on the local system were disabled because there is nowhere to write them to.

> I have created some shell scripts to help automate the incident
> verification process, by returning information from volatile sources
> (ps, netstat, arp, ifconfig) using trusted binaries, and it might be
> useful if Autopsy had an interface for these sources of information
> during a live analysis. Currently I simply pipe the output from these
> sources through netcat, and save the datafile on the evidence server.

This is part of the second phase of the Autopsy live-analysis support. I want to be able to make scripts, and let users make scripts, that can be placed on the CD and that will show up in a menu in Autopsy.

> Secondly, I understand that a live analysis is not the preferred method
> of performing an analysis, and depending on circumstances (every case
> is different), should be avoided where possible. However, if one was to
> utilise Autopsy for browsing the filesystem, the underlying
> functionality of Autopsy (tools from The Sleuth Kit) does not modify the MAC
> times on directories and files browsed. If someone can confirm, or
> comment on this, it would be much appreciated also.

Yes, this is true. TSK reads from the raw device and does not use any of the kernel's file system support. Therefore, MAC times are not updated, and any files that are hidden by kernel-based rootkits are shown.

brian
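A shell script along the lines of what Surago describes (trusted copies of ps, netstat, arp and ifconfig, output streamed through netcat to an evidence server), added here as an example; it is not code from Autopsy, TSK or either poster. It assumes a directory of known-good tools at a hypothetical CD mount point /mnt/cdrom/bin and an evidence server listening with nc; nothing is written to the suspect host's disk, and a missing tool is recorded rather than silently skipped.

```shell
#!/bin/sh
# Added example (not Autopsy/TSK code): collect volatile data with trusted
# binaries from a known directory and stream it to an evidence server.
# Assumption: TRUSTED_BIN (default /mnt/cdrom/bin, a hypothetical mount point)
# holds known-good copies of ps, netstat, arp, ifconfig, date, hostname, nc.

# Run one tool from the trusted directory only, never from $PATH. A missing
# or failing tool is noted in the output so the record explains itself.
run_trusted() {
    bin="$TRUSTED_BIN/$1"
    shift
    printf '=== %s %s ===\n' "$bin" "$*"
    if [ -x "$bin" ]; then
        "$bin" "$@" 2>&1 || printf '[exit status %s]\n' "$?"
    else
        printf '[not present in %s]\n' "$TRUSTED_BIN"
    fi
}

# Write the whole volatile-data record to stdout; nothing touches local disk.
collect_volatile() {
    TRUSTED_BIN="${1:-/mnt/cdrom/bin}"
    export TRUSTED_BIN
    when=$("$TRUSTED_BIN/date" -u +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || echo unknown)
    host=$("$TRUSTED_BIN/hostname" 2>/dev/null || echo unknown)
    printf '=== collection start %s on %s ===\n' "$when" "$host"
    run_trusted ps -ef
    run_trusted netstat -an
    run_trusted arp -an
    run_trusted ifconfig -a
    printf '=== collection end ===\n'
}

# Stream the record to the evidence server (host, port). Constructed receiver
# side: nc -l -p 4444 > host.volatile && sha256sum host.volatile
ship_volatile() {
    TRUSTED_BIN="${1:-/mnt/cdrom/bin}"
    collect_volatile "$TRUSTED_BIN" | "$TRUSTED_BIN/nc" "$2" "$3"
}
```

The hash is taken on the evidence server after the stream closes, since computing it on the suspect host would mean buffering the record there.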