CNIT 121 Proj 13: Sleuthkit and Autopsy (15 pts.)

What You Need for This Project

Start the BackTrack Virtual Machine

Log in with a user name of root and a password of toor

Enter this command, followed by the Enter key:

startx

Putting the Evidence in the BackTrack VM

Drag the GCFI-LX.xxx.exe file to the virtual machine's desktop and drop it there.

To unzip the file, open a Terminal window and enter these commands, pressing the Enter key after each one, as shown below:

cd Desktop

unzip GCFI-LX.xxx.exe

Starting Autopsy

From the BackTrack 5 desktop menu, at the upper left, click Applications, Backtrack, Forensics, "Forensics Suites", "autopsy".

The program launches, printing the text shown below on this page. Leave this window open.

From the BackTrack menu, click Applications, Internet, "Firefox Web Browser".

When Firefox opens, go to this address:

http://localhost:9999/autopsy

Autopsy opens, as shown below on this page. You may see a warning that JavaScript is enabled, or that NoScript is blocking scripts. You can ignore those notices; Autopsy does not use JavaScript anyway.

Opening a New Case in Autopsy

In the Autopsy window, click the "New Case" button.

In the "Create a New Case" window, enter a Case Name of "Your-Name-Project-13", replacing "Your-Name" with your own name.

Enter a Description of "Superior Bicycle Investigation".

Enter your name (without spaces) in the Investigator Names section, as shown below on this page:

Click the "New Case" button.

In the "Creating Case" window, click the "Add Host" button.

In the "Add a New Host" window, accept the default options and click the "Add Host" button.

In the "Adding host" window, click the "Add Image" button.

In the next window, click the "Add Image File" button.

In the "Add a New Image" window, enter these options, as shown below on this page:

Click Next.

In the "Split Image Confirmation" window, click Next.

The next screen shows a "Warning" -- accept the default option of "dos", as shown below, and click OK.

In the "Image File Details" section, click the "Calculate the hash value for this image" button, as shown below. Click Add.

A message appears saying "Calculating MD5 (this could take a while)". It took about 3 minutes when I did it. When it completes, you will see an MD5 hash, as shown below on this page. Record this hash: it is the value you compare against later to show the evidence image was not altered during analysis.

Click OK.

Searching in Autopsy

The "Select a volume to analyze or add a new image file" window appears, as shown below on this page. Click the Analyze button.

In the next window, click the "Keyword Search" tab.

In the search box, type martha as shown to the right on this page. Click the Search button. Wait while the search is performed; it took about 3 minutes when I did it.

Results of the Search

It finds "77 hits", as shown below on this page:

Saving a Screen Image

Make sure your screen shows "77 Hits".

Save the image with the filename "Your Name Proj 13". Select a "Save as type" of PNG or JPEG.

Examining the Hits

On the left side, scroll down to see the individual hits. Click the blue Ascii links to see the details of the hits in the right pane, as shown below. Look at a few of them to see how the interface works. When you are done, click the Close button on the top right.
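The two things Autopsy did in this project, hashing the image and searching its raw bytes for a keyword, can also be done from a terminal, which is useful for checking Autopsy's numbers or for working on a box that only has the command-line Sleuth Kit tools. The script below is an added example and not part of the project page or of Autopsy itself. It does not use the GCFI-LX evidence image; it builds a small constructed 4 KiB "disk" with dd, writes the keyword into a few sectors, and then hashes it, counts case-insensitive hits the way the Keyword Search tab does, converts each hit's byte offset to a 512-byte sector number, and re-hashes to confirm the image was not changed. The keyword, the sector offsets and the sample text are all made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the project page): Autopsy-style image hashing and
# keyword search with plain POSIX tools, run against a constructed image.
set -eu

make_sample_image() {
    # Constructed evidence: 8 zero-filled 512-byte sectors, with the keyword
    # planted in sectors 1, 2 and 5 (mixed case) plus a near-miss in sector 6
    # that must not be counted as a hit.
    img="$1"
    dd if=/dev/zero of="$img" bs=512 count=8 2>/dev/null
    printf 'Dear Martha, the frame ships Monday.' | dd of="$img" bs=1 seek=600  conv=notrunc 2>/dev/null
    printf 'martha@superiorbicycle.example'        | dd of="$img" bs=1 seek=1500 conv=notrunc 2>/dev/null
    printf 'MARTHA'                                | dd of="$img" bs=1 seek=3000 conv=notrunc 2>/dev/null
    printf 'marsha'                                | dd of="$img" bs=1 seek=3500 conv=notrunc 2>/dev/null
}

image_md5() {
    # Same value as Autopsy's "Calculate the hash value for this image";
    # record it before you start looking at the data.
    md5sum "$1" | cut -d' ' -f1
}

verify_md5() {
    # Re-hash after analysis. A mismatch means the image was written to.
    [ "$(image_md5 "$1")" = "$2" ]
}

count_hits() {
    # Case-insensitive hit count over the raw image, like the Keyword Search
    # tab. -a treats the binary image as text, -o prints every occurrence on
    # its own line so several hits in one "line" are each counted.
    grep -a -o -i -- "$2" "$1" | wc -l | tr -d ' '
}

hit_sectors() {
    # grep -b gives the byte offset of each match; dividing by 512 gives the
    # sector that holds it, which is how a hit is located on the disk.
    grep -a -o -b -i -- "$2" "$1" | cut -d: -f1 | while read -r off; do
        echo $((off / 512))
    done
}

# Stand-alone demo on the constructed image: hash, search, verify, clean up.
IMG=$(mktemp)
make_sample_image "$IMG"
BEFORE=$(image_md5 "$IMG")
echo "MD5 before analysis:      $BEFORE"
echo "Hits for 'martha':        $(count_hits "$IMG" martha)"
echo "Sectors containing hits:  $(hit_sectors "$IMG" martha | tr '\n' ' ')"
verify_md5 "$IMG" "$BEFORE" && echo "Image unchanged after analysis"
rm -f "$IMG"
```

On the real evidence you would point image_md5 and count_hits at the image file instead of the constructed one; the hit count you get should agree with the "77 hits" Autopsy reports for martha, and the MD5 should match the one Autopsy calculated when the image was added. If the two hashes ever differ, stop and find out what wrote to the image before trusting any further results.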

Turning in your Project

Email the image to cnit.121@gmail.com with the subject line: Proj 13 from YOUR NAME
Last modified 4-18-11 2:30 pm