Difference between revisions of "Autopsy: Setting Up a Case"

From SleuthKitWiki

Latest revision as of 17:13, 9 March 2013

Setting Up a Case

This is a simple tutorial for beginners. It describes how to set up a case on a Linux machine using the Autopsy browser. The steps are straightforward, so let's get started!

  1. Boot up the browser. If you forgot how, look here (http://cyberforensics.et.byu.edu/wiki/Install_Sleuthkit) and look for the command to start up Autopsy (near the end of the Linux or Ubuntu Install tutorial).
  2. On the opening screen select "NEW CASE"
  3. This screen is "CREATE A NEW CASE", so we will fill out a few things:
    1. "Case Name": name the case something descriptive; for instance: Office Issues
    2. "Description": write a short summary of the case; for instance: "The case of inappropriate material on Office computers."
    3. "Investigator Names": write the names of those working on the case
    4. Click "NEW CASE"
  4. The new screen will say: "Creating Case: <name of your case>"
  5. Select your name from the dropdown list, and then click "ADD HOST"
  6. The next screen will show the options for "Add A NEW HOST"
    1. "Host Name": name the computer that you are investigating; for instance: "Desktop112"
    2. "Description": write a short description of the host; for instance: "This is the computer with ID Desktop112, suspected of holding illicit material"
    3. "Time Zone": write the time zone, if you want to specify it
    4. "Timeskew Adjustment": write the time adjustment; the clock of a computer being investigated may be off by some minutes, so use this field to correct the skew
    5. "Path of Alert Hash Database": there are databases that hold hashes of known malicious files. If you have such a database, indicate the path to it here
    6. "Path of Ignore Hash Database": there are databases that hold hashes of files known to be fine, that is, files that can be ignored. If you have one, indicate the path to it here
  7. Click "ADD HOST"
  8. The next screen, "Adding host: <name of your host> to case <name of your case>", is where we will add a disc image to the case
  9. Click "ADD IMAGE"
  10. On the next screen you will see a series of options; click "ADD IMAGE FILE", which is how we will add our disc image
  11. Next, we'll enter the information needed to get the image
    1. "Location": enter the full path name to the image; for instance: /home/sleuth/Desktop/usbkey.image
    2. "Type": choose the radio button of your image type:
      1. "Disk": if your image is a full disk image, choose this
      2. "Partition": if your image is only a partition of a disk, select this option
    3. "Import Method": Autopsy needs to have the image in the Evidence_Locker directory, so choose one of the options:
      1. "Symlink": this links to the image at its current location
      2. "Copy": this copies the image from its location to the directory
      3. "Move": this moves the file to the Evidence_Locker directory
  12. Next, we are on the "Image File Details" screen
    1. "Data Integrity": here we choose whether an MD5 hash of the image should be calculated, and whether the hash should be added to a file of hashes
    2. Click "ADD"
  13. Overview data will be shown; click "OK"

That's it. We have successfully created a case, added a host, and an image. Now we can analyze the image!
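The three steps that matter most for evidence handling are the "Import Method" (where the image ends up), "Data Integrity" (the recorded MD5 you can later re-verify) and the alert/ignore hash databases. The script below is an added example, not part of this wiki page or of Autopsy itself: it reproduces those steps with plain shell tools so you can see what each setting does on disk. It assumes the Evidence_Locker/<case>/<host>/images layout used by the Autopsy browser and md5sum-style text files (hash, two spaces, file name) for the hash databases; the function names (import_image, verify_image, classify_hash) and all sample data are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the SleuthKit wiki or Autopsy): mimics the
# Symlink/Copy/Move import methods, the MD5 "Data Integrity" record and
# an alert/ignore hash database lookup. All paths and data are constructed.
set -eu

# Constructed working area standing in for the case's Evidence_Locker.
WORK="${TMPDIR:-/tmp}/autopsy-demo.$$"
LOCKER="$WORK/Evidence_Locker"

# Print the MD5 of a file (md5sum on Linux, md5 on BSD/macOS).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# import_image CASE HOST IMAGE METHOD
# Places the image under Evidence_Locker/<case>/<host>/images (assumed
# layout) by symlink, copy or move, appends its MD5 to md5.txt in
# md5sum format, and prints the stored path.
import_image() {
    case_name=$1; host=$2; image=$3; method=$4
    dest="$LOCKER/$case_name/$host/images"
    mkdir -p "$dest"
    case "$method" in
        symlink) ln -s "$(cd "$(dirname "$image")" && pwd)/$(basename "$image")" "$dest/" ;;
        copy)    cp "$image" "$dest/" ;;
        move)    mv "$image" "$dest/" ;;
        *) echo "unknown import method: $method" >&2; return 1 ;;
    esac
    stored="$dest/$(basename "$image")"
    # "Data Integrity": record the hash so the image can be re-verified later.
    printf '%s  %s\n' "$(md5_of "$stored")" "$(basename "$image")" >> "$dest/md5.txt"
    echo "$stored"
}

# verify_image STORED_PATH: recompute the MD5 and compare it with the
# value recorded at import time; returns non-zero if the image changed.
verify_image() {
    dir=$(dirname "$1"); name=$(basename "$1")
    recorded=$(grep " $name\$" "$dir/md5.txt" | tail -n1 | cut -d' ' -f1)
    [ "$(md5_of "$1")" = "$recorded" ]
}

# classify_hash HASH ALERT_DB IGNORE_DB
# Prints "alert" if the hash is in the alert database, "ignore" if it is in
# the ignore database, and "unknown" otherwise (alert wins if in both).
classify_hash() {
    h=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    if grep -qi "^$h" "$2"; then echo alert
    elif grep -qi "^$h" "$3"; then echo ignore
    else echo unknown; fi
}

# Walk through the steps with constructed data.
demo() {
    mkdir -p "$WORK/src"
    # Constructed "image": the bytes "hello", MD5 5d41402abc4b2a76b9719d911017c592.
    printf 'hello' > "$WORK/src/usbkey.image"
    # Constructed alert and ignore databases (md5sum format).
    printf '%s  %s\n' 5d41402abc4b2a76b9719d911017c592 evil.bin  > "$WORK/alert.md5"
    printf '%s  %s\n' d41d8cd98f00b204e9800998ecf8427e empty.txt > "$WORK/ignore.md5"

    stored=$(import_image Office_Issues Desktop112 "$WORK/src/usbkey.image" copy)
    verify_image "$stored" && echo "integrity ok: $stored"
    echo "image hash: $(classify_hash "$(md5_of "$stored")" "$WORK/alert.md5" "$WORK/ignore.md5")"
    echo "empty-file hash: $(classify_hash d41d8cd98f00b204e9800998ecf8427e "$WORK/alert.md5" "$WORK/ignore.md5")"
    echo "other hash: $(classify_hash 00000000000000000000000000000000 "$WORK/alert.md5" "$WORK/ignore.md5")"
    rm -rf "$WORK"
}
demo
```

Note that "Symlink" leaves the original file where it is, so anything that later modifies the source also changes what the case sees; verify_image is the check that catches this, which is why recording the MD5 at import time is worth the extra minutes on a large image.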

Other resources

Here are some other tutorials on setting up cases.

  • Tutorial 1 (http://www.sleuthkit.org/autopsy/help/caseman.html): the case management tutorial on sleuthkit.org; a great resource that shows the basic steps to create a case.
  • Tutorial 2 (http://computer-forensics.sans.org/blog/2009/05/11/a-step-by-step-introduction-to-using-the-autopsy-forensic-browser/): this tutorial has pictures, which makes it easy to follow and to see whether you're on the right track.