The Sleuth Kit (TSK) is a library and collection of Unix- and Windows-based tools and utilities to allow for the forensic analysis of computer systems. It was written and is maintained by digital investigator Brian Carrier. TSK can be used to perform investigations and data extraction from images of Windows, Linux and Unix computers. The Sleuth Kit is normally used in conjunction with its custom front-end application, Autopsy, to provide a user-friendly interface.

Source: http://en.wikipedia.org/wiki/The_Sleuth_Kit

TSK and Autopsy are preinstalled in both CERT Fedora and SANS SIFT. However, if you are using a different Linux installation, instructions are provided below. Tutorials for using TSK and Autopsy can be found in the “Presentation Slides” and “Video” sections.

Installing TSK & Autopsy

The first step is to download and install TSK.

Note: TSK and Autopsy are preinstalled in both CERT Fedora and SANS SIFT.

You can download TSK here:

https://sourceforge.net/projects/sleuthkit/files/latest/download

As of the time of writing this tutorial, the newest version is version 3.2.3.


Next, we need to extract TSK, compile it, and install it.

First, to extract TSK, open a terminal and change to the directory where TSK was downloaded to.

Then, run:
$ tar -xf sleuthkit-3.2.3.tar.gz

This extracts the files into the directory sleuthkit-3.2.3.

Now we need to compile TSK. To do that, first run:
$ ./configure

If there were no errors, run 'make'.
$ make

Because we plan on using Autopsy, we need to install TSK. To do that, run:
$ make install

Yay, we’ve installed the TSK. Now, time to do it for Autopsy.

As before, we need to download and compile Autopsy. However, this time we don’t need to install it.

You can download Autopsy here:

https://sourceforge.net/projects/autopsy/files/latest/download

As of the time of writing this tutorial, the newest version is version 2.24.


Now again, extract the files with:
$ tar -xf autopsy-2.24.tar.gz

As part of its installation we will need to give Autopsy a location to store the evidence. Let’s create that now in /home/<username>/evidence
$ mkdir /home/<username>/evidence

Now we need to compile Autopsy. To do that, first run:
$ make

For now, select that you don’t want to use the NSRL hash database (just hit enter).


Then it will ask for a folder to use as the evidence locker. This folder must exist.

Let’s use the folder we made before:
/home/<username>/evidence

Now we can start Autopsy with `./autopsy`


If you start Autopsy this way you will need to open a web browser (like Firefox or Chrome) and go to http://localhost:9999/autopsy
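The whole install procedure above, gathered into one POSIX shell script. This is an added example, not part of the original tutorial or of the TSK/Autopsy projects: the version numbers and archive names are the ones given in the text, the evidence locker path is an assumption taken from $EVIDENCE_DIR (default $HOME/evidence), and the build steps only run when RUN_INSTALL=1 is set, so the helper functions can be tried on their own. Two things the text does not mention are added from a defender's point of view: the extraction helper refuses archives whose member paths would escape the working directory, and the evidence locker is created with mode 700 so only the analyst's account can read the images stored in it.

```shell
#!/bin/sh
# Added example (not the tutorial's own script). Assumptions: the two
# tarballs named below are already in the current directory, and
# EVIDENCE_DIR (default $HOME/evidence) is where Autopsy should keep evidence.
set -eu

TSK_VER="3.2.3"
AUTOPSY_VER="2.24"
EVIDENCE_DIR="${EVIDENCE_DIR:-${HOME:-.}/evidence}"

# Extract a tarball and print the top-level directory it unpacked into.
# Archives with a ".." path component or an absolute member path are
# refused: tar would otherwise write outside the working directory.
extract_archive() {
    archive="$1"
    if tar -tf "$archive" | grep -Eq '(^|/)\.\.(/|$)|^/'; then
        echo "refusing $archive: archive contains unsafe paths" >&2
        return 1
    fi
    tar -xf "$archive"
    tar -tf "$archive" | head -n 1 | cut -d/ -f1
}

# Create the evidence locker that Autopsy's make asks for. The directory
# must already exist when make prompts for it; mode 700 keeps other local
# users out of the evidence (an addition, not required by Autopsy).
make_evidence_locker() {
    dir="$1"
    mkdir -p "$dir"
    chmod 700 "$dir"
    [ -d "$dir" ] && [ -w "$dir" ]
}

# Extract, configure, build and install TSK. Autopsy needs the installed
# library, so the install step is required here; installing under
# /usr/local normally needs root privileges.
build_tsk() {
    dir=$(extract_archive "sleuthkit-$TSK_VER.tar.gz")
    ( cd "$dir" && ./configure && make && make install )
}

# Extract and build Autopsy. Its make is interactive: accept the default
# (no NSRL hash database) and give it $EVIDENCE_DIR as the evidence locker.
# No install step is needed; it is started from its own directory.
build_autopsy() {
    dir=$(extract_archive "autopsy-$AUTOPSY_VER.tar.gz")
    ( cd "$dir" && make )
}

if [ "${RUN_INSTALL:-0}" = "1" ]; then
    make_evidence_locker "$EVIDENCE_DIR"
    build_tsk
    build_autopsy
    echo "Start Autopsy with: cd autopsy-$AUTOPSY_VER && ./autopsy"
    echo "Then open http://localhost:9999/autopsy in a browser."
fi
```

Run it as `RUN_INSTALL=1 EVIDENCE_DIR=/home/<username>/evidence sh install-tsk-autopsy.sh` from the directory holding the two downloaded archives; without RUN_INSTALL it only defines the functions, which is convenient for sourcing the extraction and locker helpers elsewhere.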

In the resources section you will find two compressed disk images. Your goal is to analyze these files using Autopsy and find all the user files (image, text, and docx) on the drives. Solutions can be found by going through the presentation slides and watching the module video.

Further information on this module can be found at the following links.

Below are compressed copies of the images analyzed in the slides and video for this module. They can be used to follow along with the presentation or for analysis on your own in the Sample Challenges section.

example1_deletedTravelDrive.zip(218.93 KB) marcbudofsky, Mar 17 2013, 9:42 PM
example2_timelineAnalysis.zip(5.73 MB) marcbudofsky, Mar 17 2013, 9:42 PM
