sleuthkit-users

[sleuthkit-users] Possible Suggestion for timeline creation in future versions of Autopsy

[Surago J. <su...@sj...>]

Hi all,

Whilst using Autopsy, and testing with a couple different suspect
images, I have found that now and again I am often running several
commands from the command line to help the investigation process.

One process I often complete as part of an investigation is to create a
timeline of files and folders that start with a '.' (dot).  I was
thinking that an additional option in the 'Create Timeline' feature of
Autopsy could allow an extra step to be run that would run grep to limit
the timeline to certain details..

For example, I run the following command to get a timeline of all '.'
(dot) folders and files...

grep '\/\.' flsdatafile > fls-dotfiles.dat

It would be useful if on the 'Create Timeline' form, if the user could
click a button (Similar to the pre-defined search options, on the search
form) in order to create various useful timelines.   Another example
would be to create a timeline of only the 'dev' folders.

If this could be templated in some way, then maybe people could
place/upload their own search options/template on the sleuthkit website,
as whilst each investigation differs from each other, there is still
some common ground. =20

In the case of the dot files, it currently appears to be a common
practice of intruders to utilise files and folders starting with a dot.
Obviously, as time progresses and development on the rootkit side of
things and the forensic side of things this practice may become rare as
it is an easy method for identifying possible suspect files and folders.

Just an idea I thought would help improve Autopsy's usability.

Cheers=20

Surago

[sleuthkit-users] Re: [sleuthkit-developers] Possible Suggestion for timeline creation in future versions of Autopsy

[Brian C. <ca...@sl...>]

I can add this to the TODO list.  The basic concept can be achieved=20
using the file name search in the File Mode, but then you can sort only=20=

on one of the times and not a full timeline.

brian


On Feb 15, 2005, at 1:24 AM, Surago Jones wrote:

> Hi all,
>
> Whilst using Autopsy, and testing with a couple different suspect
> images, I have found that now and again I am often running several
> commands from the command line to help the investigation process.
>
> One process I often complete as part of an investigation is to create =
a
> timeline of files and folders that start with a '.' (dot).  I was
> thinking that an additional option in the 'Create Timeline' feature of
> Autopsy could allow an extra step to be run that would run grep to=20
> limit
> the timeline to certain details..
>
> For example, I run the following command to get a timeline of all '.'
> (dot) folders and files...
>
> grep '\/\.' flsdatafile > fls-dotfiles.dat
>
> It would be useful if on the 'Create Timeline' form, if the user could
> click a button (Similar to the pre-defined search options, on the=20
> search
> form) in order to create various useful timelines.   Another example
> would be to create a timeline of only the 'dev' folders.
>
> If this could be templated in some way, then maybe people could
> place/upload their own search options/template on the sleuthkit=20
> website,
> as whilst each investigation differs from each other, there is still
> some common ground.
>
> In the case of the dot files, it currently appears to be a common
> practice of intruders to utilise files and folders starting with a =
dot.
> Obviously, as time progresses and development on the rootkit side of
> things and the forensic side of things this practice may become rare =
as
> it is an easy method for identifying possible suspect files and=20
> folders.
>
> Just an idea I thought would help improve Autopsy's usability.
>
> Cheers
>
> Surago
>
>
>
>
>
>
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from real=20
> users.
> Discover which products truly live up to the hype. Start reading now.
> http://ads.osdn.com/?ad_ide95&alloc_id=14396&op=CCk
> _______________________________________________
> sleuthkit-developers mailing list
> sle...@li...
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers