Re: [sleuthkit-users] Some guidance required
From: ade <adr...@nt...> - 2015-06-10 17:47:45
Hi Owen

Did you get just the hard disks, or were they still in the computer systems? If you got the full systems, I would cut 15 copies of the CAINE distro and boot all the systems with that. Prepare a keyword list containing unusual words or phrases from the "nasty letter" and feed that into the bulk_extractor "find" module. You essentially need to triage the systems, identify the system(s) containing the nasty letter, then you can either image + forensicate those, or even use the evidence from bulk_extractor.

Do you know what format the letter was in originally? If it was a .docx file then the contents are compressed. If the letter was deleted and ended up in unallocated space, it is no good doing a standard string search. Bulk_extractor has the ability to find compressed data, decompress it in memory and then search that decompressed data for your strings.

TBH, I can't think of many cases where I wouldn't use bulk_extractor. Your situation screams out for triaging the disks with a Linux forensic distro + bulk_extractor.

Stumpy

On Wednesday 10 Jun 2015 16:49:27 Owen O' Shaughnessy wrote:
> Hi,
>
> I have a job to do, got 15 hard disks from an office and need to find out
> who wrote a nasty letter. My initial thought was to copy the live files
> from each disk, then carve out unallocated with blkls and then run foremost
> on the unallocated, index the lot and search for my keywords.
>
> Decided instead to give Autopsy a go, so I cranked up a Windows host,
> inputted my keywords and got it to ingest the first disk.
>
> Left it overnight, but in reality, it hadn't progressed, as Autopsy had
> already run out of resources and was non-responsive when I left it. There
> was a red dot in the bottom right that I couldn't get info out of, a
> console with a message saying image was no longer accessible and read
> error, a status bar on the bottom saying analyzing image 19% complete, and
> 8 hours later, the status of all was still the same.
>
> Autopsy had used all available RAM on the PC, which is a Core i7 PC running
> Windows 8.1 Pro 64-bit with 4GB RAM.
>
> When I restarted Autopsy, the red dot revealed an error that my security
> software might be blocking the search server, ok that'll be easy to sort,
> but my questions are:
>
> 1) Exactly how much RAM should I wedge into this system for Autopsy to run
> comfortably?
> 2) How can I verify if Autopsy successfully ingested the full hard disk?
> 3) By clicking all the options on the ingest, am I safe to assume that it
> is looking for my keywords in unallocated?
> 4) This is disk 1 of 15, am I ok to keep ingesting disks into this case, or
> for resource management should I be giving each disk its own case?
> 5) I assume, if ingesting all disks into this one case, I can name the
> individual disks after I ingest so that if I get a keyword hit I can
> determine who the culprit was?
>
> Would appreciate some guidance before I go much further. I'd like to
> evaluate Autopsy on this simple exercise, so don't really want to switch
> back to the Linux command line just yet.
>
> Thanks,
>
> Owen.
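The point Stumpy makes about .docx content being deflate-compressed, and therefore invisible to a plain string search of unallocated space until it is inflated in memory, is easy to demonstrate. The following is an added illustration, not code from this thread and not bulk_extractor's own implementation: it builds a constructed .docx-style ZIP buried in filler bytes (standing in for a deleted letter in unallocated space), shows that the hypothetical keywords are not found as raw bytes, then carves every ZIP local file header out of the blob, inflates each member with a raw-deflate decompressor (no central directory needed, so partial or overwritten archives still yield what they can), and searches the inflated text. The keywords and letter text are invented for the example.

```python
"""
Why a plain string search misses a deleted .docx, and why inflating carved
deflate streams in memory (what bulk_extractor's compressed-data handling
does) finds the text anyway.  Added example; sample data is constructed.
"""
import io
import struct
import zipfile
import zlib

LOCAL_HDR = b"PK\x03\x04"   # ZIP local file header signature
# Hypothetical "unusual phrases" from the nasty letter (constructed).
KEYWORDS = [b"disgraceful", b"resign immediately"]


def build_docx_blob() -> bytes:
    """Constructed evidence: a .docx-style ZIP (Word keeps the body in
    word/document.xml, deflate-compressed) sandwiched between filler bytes,
    standing in for a deleted letter whose clusters sit in unallocated space."""
    letter = ("Your handling of the audit was disgraceful. "
              "The board expects you to resign immediately. ")
    body = "".join(f"<w:p><w:r><w:t>{letter}</w:t></w:r></w:p>"
                   for _ in range(12))
    xml = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           '<w:document xmlns:w="http://schemas.openxmlformats.org/'
           'wordprocessingml/2006/main"><w:body>' + body +
           '</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", xml)
    filler = b"\x00" * 512 + b"old slack text " * 20
    return filler + buf.getvalue() + b"\xff" * 256


def raw_search(blob: bytes, keywords) -> list:
    """The naive approach: look for the keywords as literal bytes.
    Deflate Huffman-codes the literals, so this finds nothing in a .docx."""
    low = blob.lower()
    return [k for k in keywords if k.lower() in low]


def carve_zip_members(blob: bytes):
    """Yield (offset, member name, inflated bytes) for every ZIP local file
    header found anywhere in the blob.  Works without a central directory,
    so a deleted or partly overwritten archive still yields what it can."""
    pos = 0
    while True:
        pos = blob.find(LOCAL_HDR, pos)
        if pos < 0 or pos + 30 > len(blob):
            return
        # Local file header (little-endian): sig(4) ver(2) flags(2) method(2)
        # time(2) date(2) crc(4) csize(4) usize(4) namelen(2) extralen(2)
        method, csize, nlen, xlen = struct.unpack_from("<8xH8xI4xHH", blob, pos)
        name_start = pos + 30
        data_start = name_start + nlen + xlen
        name = blob[name_start:name_start + nlen].decode("ascii", "replace")
        if method == 0:
            # Stored member: copy csize bytes (0 if a data descriptor was used).
            yield pos, name, blob[data_start:data_start + csize]
        elif method == 8:
            # Deflate: inflate in memory.  Negative wbits = raw deflate stream
            # with no zlib header, which is how ZIP members are stored.
            d = zlib.decompressobj(-zlib.MAX_WBITS)
            try:
                # A truncated stream returns what it can; only corrupt
                # data raises, which we treat as "nothing recoverable".
                data = d.decompress(blob[data_start:])
            except zlib.error:
                data = b""
            yield pos, name, data
        pos += len(LOCAL_HDR)   # keep scanning for the next header


def carve_and_search(blob: bytes, keywords) -> dict:
    """Map each keyword to the (offset, member) pairs whose inflated content
    contains it, case-insensitively."""
    hits = {}
    for off, name, data in carve_zip_members(blob):
        low = data.lower()
        for k in keywords:
            if k.lower() in low:
                hits.setdefault(k, []).append((off, name))
    return hits


if __name__ == "__main__":
    evidence = build_docx_blob()
    print("raw string search hits:", raw_search(evidence, KEYWORDS))
    for k, where in carve_and_search(evidence, KEYWORDS).items():
        print(k.decode(), "->", where)
```

Running it prints no raw hits and a hit for both phrases inside word/document.xml at the offset of the carved ZIP member, which is exactly the difference between grepping unallocated space and letting a tool inflate compressed regions before searching them. Real images differ in one important way: a deleted .docx may have been partly overwritten, so expect and record partial inflations rather than discarding them.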