Autopsy: Setting Up a Case
From SleuthKitWiki
Latest revision as of 17:13, 9 March 2013
Setting Up a Case
This is a simple tutorial for beginners. It describes how to set up a case on a Linux machine using the Autopsy browser. The steps are straightforward, so let's get started!
- Start the Autopsy browser. If you have forgotten how, see the install tutorial at http://cyberforensics.et.byu.edu/wiki/Install_Sleuthkit; the command that starts Autopsy is near the end of the Linux or Ubuntu install tutorial.
- On the opening screen select "NEW CASE".
- The next screen is "CREATE A NEW CASE"; fill in the following:
  - "Case Name": give the case a descriptive name, for instance: Office Issues
  - "Description": write a short summary of the case, for instance: "The case of inappropriate material on office computers."
  - "Investigator Names": the names of those working on the case
  - Click "NEW CASE"
- The new screen will say "Creating Case: <name of your case>".
- Select your name from the dropdown list, then click "ADD HOST".
- The next screen shows the options for "Add A NEW HOST":
  - "Host Name": a name for the computer you are investigating, for instance: "Desktop112"
  - "Description": a short description of the host, for instance: "Computer with ID Desktop112, suspected of holding illicit material"
  - "Time Zone": the time zone the host's clock was set to, if you want to specify it. Autopsy uses it when it displays file system timestamps, so a wrong zone shifts every time you see during analysis.
  - "Timeskew Adjustment": the number of seconds the host's clock was out of sync. Computers being investigated sometimes have their time off by minutes, and this field corrects the skew. You can only fill it in reliably if the host's clock was compared against a trusted time source when the machine was seized, so record that comparison during acquisition.
  - "Path of Alert Hash Database": a database of hashes of known malicious (or otherwise relevant) files; files that match it are flagged during analysis. If you have one, enter its path here. Autopsy looks hashes up with the Sleuth Kit's hfind tool, so the database needs an hfind index.
  - "Path of Ignore Hash Database": a database of hashes of known-good files, such as the NSRL; files that match it can be ignored. Enter its path here if you have one; the same indexing requirement applies.
  - Click "ADD HOST"
- The next screen, "Adding host: <name of your host> to case <name of your case>", is where we add a disk image to the case.
- Click "ADD IMAGE".
- The next screen shows a series of options; click "ADD IMAGE FILE" to add the disk image.
- Next, enter the information Autopsy needs to find the image:
  - "Location": the full path to the image, for instance: /home/sleuth/Desktop/usbkey.image
  - "Type": choose the radio button matching your image:
    - "Disk": the image is of a whole disk, i.e. it begins with a partition table
    - "Partition": the image is of a single partition (a file system with no partition table in front of it)
  - "Import Method": Autopsy needs the image to be reachable from the Evidence_Locker directory, so choose one of:
    - "Symlink": creates a link to the image at its current location; the original must stay where it is and must not be modified while the case is open
    - "Copy": copies the image into the Evidence_Locker directory (this needs as much free space again, but leaves the original untouched)
    - "Move": moves the file into the Evidence_Locker directory; avoid this for original evidence files, since the original leaves the location you recorded for it
- Next is the "Image File Details" screen:
  - "Data Integrity": choose whether Autopsy should calculate an MD5 hash of the image now, skip hashing, or be given an MD5 hash you already have (for instance the one recorded when the image was acquired) and verify the file against it. Always keep a hash taken at acquisition time: it is what lets you show later that the image Autopsy analyzed is the one that was collected. MD5 is adequate for detecting accidental change but is not collision-resistant, so also record a SHA-256 hash outside Autopsy.
  - Click "ADD"
- Overview data is shown; click "OK".
That's it. We have successfully created a case, added a host, and an image. Now we can analyze the image!
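As an added example (not code from the SleuthKit wiki or the Autopsy project), the shell helpers below prepare the two file-based inputs the forms above ask for: a hash list in md5sum format that can serve as an Alert or Ignore hash database once it is indexed with hfind, and MD5 and SHA-256 records for the image so the "Data Integrity" step can be given a hash taken before import and re-verified afterwards. The file names (usbkey.image, known_bad.md5) and the sample image contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the SleuthKit wiki or the Autopsy project.
# Helpers for the file-based inputs on the host and image forms:
#   - a known-file hash list in md5sum format (the format `hfind -i md5sum`
#     indexes), usable as an Alert or Ignore hash database once indexed;
#   - MD5/SHA-256 sidecars for the image so the "Data Integrity" step can be
#     given, and later re-checked against, a hash recorded before import.
# All file names used here (usbkey.image, known_bad.md5, ...) are assumptions.

# Constructed sample image so the example runs offline; in practice this is
# the acquired image file you point the "Location" field at.
make_sample_image() {
    img="$1"
    dd if=/dev/zero of="$img" bs=512 count=8 2>/dev/null
    printf 'sample evidence' | dd of="$img" bs=1 conv=notrunc 2>/dev/null
}

# Hash every regular file under a directory into an md5sum-format list and
# print the number of entries written. Index the list afterwards with
#   hfind -i md5sum "$out"
# before giving its path to Autopsy as an Alert or Ignore database.
build_hash_list() {
    dir="$1"; out="$2"
    find "$dir" -type f -exec md5sum {} + | sort > "$out"
    wc -l < "$out" | tr -d ' '
}

# Record MD5 (the digest Autopsy verifies) and SHA-256 sidecars, then make
# the image read-only. Prints the MD5 digest to paste into the image form.
record_image_hashes() {
    img="$1"
    md5sum    "$img" > "$img.md5"
    sha256sum "$img" > "$img.sha256"
    chmod a-w "$img"
    cut -d' ' -f1 "$img.md5"
}

# Re-check both sidecars; returns 0 on match, 1 if the image has changed.
verify_image_hashes() {
    img="$1"
    md5sum    --status -c "$img.md5"    || return 1
    sha256sum --status -c "$img.sha256" || return 1
}
```

Run record_image_hashes on the acquired image before importing it: paste the printed MD5 into the image form's hash field, keep the .sha256 sidecar with your case notes, and re-run verify_image_hashes whenever the image is moved or copied. The hash list needs `hfind -i md5sum known_bad.md5` before Autopsy can look hashes up in it.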
Other resources
Here are some other tutorials on setting up cases.
- Tutorial 1 (http://www.sleuthkit.org/autopsy/help/caseman.html): the case management help page on sleuthkit.org, a good reference that shows the basic steps to create a case.
- Tutorial 2 (http://computer-forensics.sans.org/blog/2009/05/11/a-step-by-step-introduction-to-using-the-autopsy-forensic-browser/): this tutorial has screenshots, which make it easy to follow and to check that you are on the right track.