Presentation is loading. Please wait.

Presentation is loading. Please wait.

Analyzing an Image using MAC Systems Sleuth kit version 3.2.0 & Autopsy 2.24 Page 325 from “Guide to Computer Forensics and Investigations 4th edition”

Published byBrendan Harper Modified over 8 years ago

Similar presentations

Presentation on theme: "Analyzing an Image using MAC Systems Sleuth kit version 3.2.0 & Autopsy 2.24 Page 325 from “Guide to Computer Forensics and Investigations 4th edition”"— Presentation transcript:

1 Analyzing an Image using MAC Systems Sleuth kit version 3.2.0 & Autopsy 2.24 Page 325 from “Guide to Computer Forensics and Investigations 4th edition”

2 MAC Forensic Tools Sleuth Kit – base program for Unix investigations. Uses a command-line interface. Sleuth Kit – base program for Unix investigations. Uses a command-line interface. Autopsy – Graphical User Interface (GUI) that “sits on top” of Sleuth Kit command- line interface. Allows access to Sleuth Kit functions via a GUI. Autopsy – Graphical User Interface (GUI) that “sits on top” of Sleuth Kit command- line interface. Allows access to Sleuth Kit functions via a GUI.

3 Boot your MAC Select number 2 on your KVM Switch Select number 2 on your KVM Switch Press the power button on the MAC Press the power button on the MAC Login in to the ‘student’ account Login in to the ‘student’ account Password: $tudent1 Password: $tudent1

4 Starting Autopsy At Terminal change the working directory by typing “cd /autopsy-2.24/” without the quotes At Terminal change the working directory by typing “cd /autopsy-2.24/” without the quotes Now type “sudo./autopsy” and enter the Student password Now type “sudo./autopsy” and enter the Student password Be sure to add spaces after cd and sudo Be sure to add spaces after cd and sudo Right-click on ‘http://localhost:9999/autopsy’ and select Open URL Right-click on ‘http://localhost:9999/autopsy’ and select Open URL

5 Autopsy Forensic Browser Click on New Case Click on New Case

6 Creating a new case Enter the following information: Case name: GCFI-CH8 Case name: GCFI-CH8 Description: Superior Bicycle Investigation Description: Superior Bicycle Investigation Investigator Names: Investigator Names: a. ‘Your Name’ Click New Case Click New Case

7 Creating a New Case Click ‘Add Host’ Click ‘Add Host’

8 Creating a New Case Enter the following information: Host Name: sb10 Description: Drive Image Time zone: EST Timeskew: 0 Click Add Host

9 Creating a New Case click Add Image

10 Adding an Image click Add Image File

11 Adding a New Image CaSe SeNsItIvE Location: /Forensics/CH8/ LX/GCFI* (entries are case sensitive) Type: Partiton Import Method: Copy click Next

12 Adding a New Image Make sure the image files are in the correct order Click next

13 Calculating Hash Values Click the Calculate the hash value for this image Click Add This will take a few minutes…so don’t keep clicking the Add button

14 Adding a New Image Notice the blue bar in the URL, this means it is calculating the hash value Verify your hash value matches the value in the slide After MD5 is calculated, click ok

15 Analyzing the Image Click Analyze

16 Keyword Search Click on Keyword search

17 Keywords Note the Magnifying glass under key word search. This is where you currently are Type “martha” in the search box Click Search You will not see a status so be patient and don’t mash buttons

18 Keyword Search If case sensitive was selected typing “Martha” or “martha” would give you different results This search takes about 6 minutes Click link to results

19 Viewing Keyword Search Look for Fragment 236019, click on ASCII Review other fragments using the “ASCII” & “Hex” links next to each fragment

20 Viewing Keyword Search Contents of a fragment can be exported for reports via clicking “Export contents” Notes about each fragment can be taken by clicking the “Add Note”

21 Viewing Keyword Search We now want to return to the Select a volume to analyze time lines Click Close to navigate back

22 Timelines Click File Activity Time Lines button

23 Creating a Data File Click Create Data File

24 Creating a Data File Select /1/ GCFI- LX.001-0-0 Type in GCFI-LX- body for the name of output file Click OK This will take about 30 seconds to complete

25 Creating a Data File Click OK again

26 Creating a Timeline Select GCFI-LX- body For starting date click specify and select Dec 1, 2006 For ending date click specify and select Jan 23, 2007 Click OK

27 Creating a Timeline The timeline will also take about 30 seconds to generate When the timeline is complete click OK

28 Viewing a Timeline Use the navigation buttons under the menus to select the dates to view You can also navigate to the text file by opening CIS POD, Forensics, EvLocker, GCFI- CH8, sb10, output and selecting timeline.txt

29 Closing Sleuth Kit Click the red x in the upper left corner of the browser Click inside the Terminal window and use ‘ctrl -c’ to exit the process You can then click the red x in the upper left corner to close Terminal

Download ppt "Analyzing an Image using MAC Systems Sleuth kit version 3.2.0 & Autopsy 2.24 Page 325 from “Guide to Computer Forensics and Investigations 4th edition”"

Similar presentations

Intro to WinHex CSC 414.

Intro to WinHex CSC 414.
Chapter 1: Introduction. Contents Whats New in Dreamweaver CS4? The Dreamweaver CS4 Interface Setting Up a Site Creating a Web Page Adding Text to Your.

Chapter 1: Introduction. Contents Whats New in Dreamweaver CS4? The Dreamweaver CS4 Interface Setting Up a Site Creating a Web Page Adding Text to Your.
Updating the Ohio Educational Directory. Log in to OEDS by clicking on the Sign In button in the upper left corner of any ODE Web page (www.ode.state.oh.us).

Updating the Ohio Educational Directory. Log in to OEDS by clicking on the Sign In button in the upper left corner of any ODE Web page (
AIMSweb Progress Monitor Online User Training

AIMSweb Progress Monitor Online User Training
Microsoft Office 2010 Access Chapter 1 Creating and Using a Database.

Microsoft Office 2010 Access Chapter 1 Creating and Using a Database.
XP Information Technology Center - KFUPM1 Microsoft Office FrontPage 2003 Creating a Web Site.

XP Information Technology Center - KFUPM1 Microsoft Office FrontPage 2003 Creating a Web Site.
Adobe Photoshop CS Design Professional ADOBE PHOTOSHOP CS GETTING STARTED WITH.

Adobe Photoshop CS Design Professional ADOBE PHOTOSHOP CS GETTING STARTED WITH.
1 of 6 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2007 Microsoft Corporation.

1 of 6 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2007 Microsoft Corporation.
Copyright 2007, Paradigm Publishing Inc. POWERPOINT 2007 CHAPTER 1 BACKNEXTEND 1-1 LINKS TO OBJECTIVES Create Presentation Open, Save, Run, Print, Close,Delete.

Copyright 2007, Paradigm Publishing Inc. POWERPOINT 2007 CHAPTER 1 BACKNEXTEND 1-1 LINKS TO OBJECTIVES Create Presentation Open, Save, Run, Print, Close,Delete.
The Internet. Telnet Telnet means using your computer as a terminal. All commands you type are sent to the host computer you are connected to and executed.

The Internet. Telnet Telnet means using your computer as a terminal. All commands you type are sent to the host computer you are connected to and executed.
FIRST COURSE Getting Started with Microsoft Office 2007.

FIRST COURSE Getting Started with Microsoft Office 2007.
WINDOWS XP BACKNEXTEND 1-1 LINKS TO OBJECTIVES Starting Windows Using the Taskbar, opening & switching programs Using the Taskbar, opening & switching.

WINDOWS XP BACKNEXTEND 1-1 LINKS TO OBJECTIVES Starting Windows Using the Taskbar, opening & switching programs Using the Taskbar, opening & switching.
Getting Started with Linux: Novell’s Guide to CompTIA’s Linux+ (Course 3060) Section 2 Use the Linux Desktop.

Getting Started with Linux: Novell’s Guide to CompTIA’s Linux+ (Course 3060) Section 2 Use the Linux Desktop.
Quick Start Guide. This 22 page introduction to the Financial Assessment Subsystem provides the user with a visual overview of the components of the system.

Quick Start Guide. This 22 page introduction to the Financial Assessment Subsystem provides the user with a visual overview of the components of the system.
Creating a Web Page HTML, FrontPage, Word, Composer.

Creating a Web Page HTML, FrontPage, Word, Composer.
Www.vanschools.org Website Tutorial. www.vanschools.org Administration  Log on by clicking Login on the footer of almost any page  Your Username is.

Website Tutorial. Administration  Log on by clicking Login on the footer of almost any page  Your Username is.
Welcome to the Southeastern Louisiana University’s Online Employment Site Applicant Tutorial!

Welcome to the Southeastern Louisiana University’s Online Employment Site Applicant Tutorial!
One to One instructions Installing and configuring samba on Ubuntu Linux to enable Linux to share files and documents with Windows XP.

One to One instructions Installing and configuring samba on Ubuntu Linux to enable Linux to share files and documents with Windows XP.
Eucalyptus Virtual Machines Running Maven, Tomcat, and Mysql.

Eucalyptus Virtual Machines Running Maven, Tomcat, and Mysql.
Microsoft Expression Web - Illustrated Unit B: Creating a Web Site.

Microsoft Expression Web - Illustrated Unit B: Creating a Web Site.

Similar presentations

Ads by Google