
Forensic Cop Journal Volume 3(1), Jan 2010

http://forensiccop.blogspot.com

Standard Operating Procedure of Physical Analysis on Ubuntu


by Muhammad Nuh Al-Azhar, MSc. (CHFI, CEI, MBCS)
Commissioner Police – Coordinator of Digital Forensic Analyst Team (DFAT)
Forensic Lab Centre of Indonesian National Police HQ

In this article, the image file is the dd image obtained from the acquisition process
described previously (Al-Azhar, 2009). Before any analysis, the hash value of the dd image
must be recomputed and confirmed to be identical with the hash recorded for the evidence
storage media at acquisition; if the two values differ, the image cannot be relied upon and
the analysis must not proceed. Once the hash matches, the dd image is analysed in the
following steps.
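The hash check described above can be scripted so that analysis never starts on an
unverified image. The following shell functions are an added example written for this
article, not code from the original or from the Autopsy project. They assume that the
acquisition procedure left the expected digest (MD5 or SHA-256, recognised by its length)
in a one-line text file next to the image, in the format written by md5sum/sha256sum, and
they recompute the digest with the coreutils tools that ship with Ubuntu. The sample image
used in the demonstration is constructed inside the script.

```sh
#!/bin/sh
# Added example (not from the original article): verify a dd image against the
# digest recorded at acquisition before any analysis is started.
# Exit status: 0 = digests identical, 1 = mismatch, 2 = usage or input problem.

# hash_tool_for DIGEST: choose the coreutils tool from the digest length
# (32 hex digits = MD5, 64 hex digits = SHA-256); fails for anything else.
hash_tool_for() {
    len=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -cd '0-9a-f' | wc -c | tr -d ' ')
    case "$len" in
        32) echo md5sum ;;
        64) echo sha256sum ;;
        *)  return 2 ;;
    esac
}

# compute_digest IMAGE TOOL: print the lower-case hex digest of IMAGE.
compute_digest() {
    "$2" "$1" | awk '{ print tolower($1) }'
}

# verify_image_hash IMAGE EXPECTED_DIGEST: recompute the digest and compare.
verify_image_hash() {
    image=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$image" ] || { echo "cannot read image: $image" >&2; return 2; }
    tool=$(hash_tool_for "$expected") || { echo "unrecognised digest: $expected" >&2; return 2; }
    actual=$(compute_digest "$image" "$tool")
    if [ "$actual" = "$expected" ]; then
        echo "OK    $tool $image = $actual"
    else
        echo "FAIL  $tool $image = $actual, expected $expected" >&2
        return 1
    fi
}

# verify_image_from_file IMAGE DIGEST_FILE: DIGEST_FILE is the one-line
# "digest  filename" record that md5sum/sha256sum write at acquisition.
verify_image_from_file() {
    [ -r "$2" ] || { echo "cannot read digest file: $2" >&2; return 2; }
    verify_image_hash "$1" "$(awk 'NR == 1 { print $1 }' "$2")"
}

# demo_hash_check: constructed 3-byte "image" so the script runs without real
# evidence; succeeds only if the intact file passes and the altered one fails.
demo_hash_check() {
    work=$(mktemp -d)
    printf 'abc' > "$work/sample.dd"
    sha256sum "$work/sample.dd" > "$work/sample.dd.sha256"
    if verify_image_from_file "$work/sample.dd" "$work/sample.dd.sha256"; then intact=0; else intact=1; fi
    printf 'abd' > "$work/sample.dd"            # one byte changed after "acquisition"
    if verify_image_from_file "$work/sample.dd" "$work/sample.dd.sha256"; then altered=0; else altered=1; fi
    rm -rf "$work"
    [ "$intact" -eq 0 ] && [ "$altered" -eq 1 ]
}

demo_hash_check && echo "demonstration passed"
```

In practice the call is verify_image_from_file /evidence/case001.dd /evidence/case001.dd.md5
(both paths hypothetical), and the printed OK or FAIL line, with the date and the analyst's
name, belongs in the case notes; a non-zero exit status can also be used to stop a larger
analysis script before Autopsy is started.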

Method: Physical analysis with the use of Autopsy

Autopsy is the graphical front end to The Sleuth Kit (TSK); both were created by Brian
Carrier. TSK is a collection of command-line tools run from a terminal, while Autopsy (the
Autopsy Forensic Browser) is a web-based interface that drives those tools from an ordinary
web browser, which makes the examination easier to manage for the digital forensic analyst.
Both are accepted for forensic analysis in the same way as commercial applications such as
EnCase and Forensic Toolkit (FTK), which run under Microsoft Windows. TSK and Autopsy
analyse the file system of the evidence in a non-intrusive way: they read the image directly
and do not rely on the operating system's file system driver, so the image is never mounted,
nothing is written to it, and deleted and hidden content that the operating system would not
present can be shown.

The package description shown in the Synaptic Package Manager (Connectiva S/A and Vogt,
2009) summarises the tools as follows: they allow the analyst to examine the layout of disks
and other media, and support DOS partitions, BSD partitions (disk labels), Mac partitions
and Sun slices (Volume Table of Contents). With these tools the analyst can identify where
partitions are located and extract them so that they can be analysed with the file system
analysis tools. Autopsy adds case management, image integrity checking, keyword searching
and other automated operations for investigative purposes.

As the same description explains, the autopsy command starts the Autopsy Forensic Browser
server on port 9999 and, by default, accepts connections only from localhost. If -p port is
given, the server listens on that port instead, and if a remote host address is given,
connections are accepted only from that host. When the -i argument is given, autopsy goes
into live analysis mode. For the analysis of a dd image on a dedicated workstation the
default (localhost only) is the right setting, because it keeps the evidence interface off the
network; the address argument should only be used when the browser really has to run on
another machine, and then restricted to that one analyst's host.

Step 1: Initiating the Autopsy browser

Open a terminal and type sudo autopsy to start the Autopsy server. It prints the link to
open, of the form http://localhost:9999/autopsy; open that link, exactly as printed, in a
browser such as Firefox. Although the server runs on the local machine, Firefox treats it like
any other web site, so the page will not load while the browser is in offline mode: go to the
File menu and untick Work Offline.


Step 2: Configuring the case

Click New Case to open the Case Management window and enter the information for the
case: Case Name, Description and Investigator Names. The Case Name may consist of letters,
numbers and symbols, or a combination of them; for instance, DF001, where DF stands for
Digital Forensic and 001 is the case number. The Description is a single line describing the
case, and Investigator Names lists every analyst involved in the examination of the evidence.
After filling them in, click New Case to go to the Creating Case window.

In this window the analyst must create a host for the case, so click Add Host. In the new
window, enter the name of the computer under investigation as the Host Name and a
description of that computer as the Description. The remaining items are Time zone,
Timeskew Adjustment, Path of Alert Hash Database and Path of Ignore Hash Database. If the
Time zone is left empty, the local time zone of the analysis workstation is used; it should be
set to the time zone the suspect computer was configured for, otherwise the timestamps
shown later in the analysis will be misinterpreted. Timeskew Adjustment is an optional value
giving the number of seconds by which the suspect computer's clock was out of sync. The
Alert Hash Database and Ignore Hash Database paths point to hash sets of known bad and
known good files respectively. After entering the information, click Add Host to go to the
next configuration step.

In the new window click Add Image, and then Add Image again in the window that follows.
Here, enter the full path of the stored dd file as the Location, and for the Type select disk
(an image of the whole storage medium, including its partition table) or partition (an image
of a single file system). The Import Method determines how the dd file is brought into the
case: Symlink creates a symbolic link to the file in its current location, Copy duplicates it into
the case directory, and Move relocates it. Symlink is normally preferred, as it leaves the
verified image in place and needs no second copy of the storage; Move should never be used
on the only copy of an image. Click Next to go to the window describing the Image File
Details and File System Details. This is also where Autopsy can calculate or check the hash
value of the image, which must agree with the value recorded at acquisition. After checking
the details of the dd file, click Add and then OK.

Step 3: Analysing the image

In the new window the analyst selects a volume to analyse; it may appear as a raw file or as
a recognised file system. After selecting it, click Analyze. Several analysis modes are
provided: File Analysis, Keyword Search, File Type, Image Details, Meta Data and Data Unit.

File Analysis lets the analyst browse the directory tree of the image to find the files that
hold the information needed, together with their timestamps (modified or written, accessed,
changed and created, as far as the file system records them) and their metadata. Deleted
files are listed alongside allocated ones, and the mode also offers a directory seek and a file
name search.

Keyword Search takes a string or a regular expression and searches the image for it; it can
also Extract Strings from the image to speed up repeated searches and Extract Unallocated
space so that deleted content is searched as well. This makes it easy to locate particular
words across the many files held in the image.

File Type examines allocated and unallocated files, sorts them into categories by their
content and verifies that each file's extension matches that content. This allows the analyst
to find files by type and to detect "hidden" files whose extension has been changed;
however, it can be a time-intensive process.

Image Details shows the information about the image itself: the file system information,
metadata information, content information and the layout of the file system contents (in
sectors).

Meta Data lets the analyst view the details of any metadata structure in the file system (an
inode, an MFT entry or a directory entry, depending on the file system), that is, the data
structure that stores the details of a file and the addresses of its content.

Data Unit lets the analyst view the content of any given data unit (sector, block or cluster)
in ASCII or hexadecimal form.

A further action is to select File Activity Time Lines. This feature builds a timeline from the
modified, accessed, changed and created times of the files in the image, allocated and
deleted alike, so that the analyst can see which files were active on a given date and
examine them. The timeline is only as trustworthy as the time zone and clock skew entered
when the host was added, so those values should be checked before conclusions are drawn
from it.
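Everything Autopsy does in Steps 2 and 3 is carried out by the TSK command-line tools it
drives, and an analyst who knows the equivalent commands can check Autopsy's results,
script repetitive work and document exactly what was run. The shell functions below are an
added example written for this article, not code from TSK or Autopsy. They assume a disk
image named evidence.dd (a hypothetical name) and a suspect time zone of Asia/Jakarta
(an assumption), and they parse the output of mmls to find the sector offset that fls, icat,
istat, blkcat and fsstat need in their -o option. The mmls listing embedded in the script is
constructed so the parsing can be demonstrated without an image; the TSK commands
themselves are only run when the sleuthkit package is installed and the image exists.

```sh
#!/bin/sh
# Added example (not from the original article): command-line counterpart of
# the Autopsy analysis steps, using The Sleuth Kit tools that Autopsy drives.

IMAGE=${IMAGE:-evidence.dd}                    # hypothetical image name
TZ_OF_SUSPECT=${TZ_OF_SUSPECT:-Asia/Jakarta}   # time zone entered for the host (assumption)

# Constructed mmls listing of a disk image with a Linux partition and a swap
# partition, in the layout mmls prints (units are 512-byte sectors).
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000002047   0000002048   Unallocated
02:  00:00   0000002048   0000204799   0000202752   Linux (0x83)
03:  00:01   0000204800   0000409599   0000204800   Linux Swap / Solaris x86 (0x82)'

# fs_partition_starts: read an mmls listing on stdin and print the start sector
# of every real partition (skip the table metadata and unallocated gaps).
fs_partition_starts() {
    awk '$1 ~ /^[0-9]+:$/ && $2 != "Meta" && $2 != "-----" { printf "%d\n", $3 }'
}

# first_fs_start: start sector of the first real partition in the listing.
first_fs_start() {
    fs_partition_starts | head -n 1
}

# sector_to_bytes START_SECTOR [SECTOR_SIZE]: byte offset of a partition, which
# is what dd and hex editors want (the TSK tools take the sector count directly).
sector_to_bytes() {
    echo $(( $1 * ${2:-512} ))
}

# have_tsk: true when the sleuthkit tools are installed on this workstation.
have_tsk() { command -v mmls >/dev/null 2>&1 && command -v fls >/dev/null 2>&1; }

# partition_listing IMAGE: real mmls output when possible, else the constructed sample.
partition_listing() {
    if have_tsk && [ -r "$1" ]; then mmls "$1"; else printf '%s\n' "$SAMPLE_MMLS"; fi
}

# tsk_commands IMAGE OFFSET TZ: print the TSK commands equivalent to the Autopsy
# modes, one per line, so the procedure is on record before anything is run.
tsk_commands() {
    cat <<EOF
fsstat -o $2 $1                          # Image Details: file system layout
fls -o $2 -r -p $1                       # File Analysis: full tree, deleted entries marked with *
fls -o $2 -r -p -d $1                    # File Analysis: deleted entries only
istat -o $2 $1 <meta-address>            # Meta Data: one inode / MFT entry
icat -o $2 $1 <meta-address> > recovered # recover a file's content by metadata address
blkcat -o $2 $1 <data-unit>              # Data Unit: one block, raw
fls -o $2 -r -m / -z $3 $1 > body        # File Activity Time Lines: body file ...
mactime -b body -z $3 -d > timeline.csv  # ... rendered as a timeline
EOF
}

# run_demo: locate the first partition and show the commands for it.
run_demo() {
    start=$(partition_listing "$IMAGE" | first_fs_start)
    [ -n "$start" ] || { echo "no partition found in mmls output" >&2; return 1; }
    echo "first partition starts at sector $start (byte offset $(sector_to_bytes "$start"))"
    tsk_commands "$IMAGE" "$start" "$TZ_OF_SUSPECT"
}

run_demo
```

The printed commands correspond one to one with the Autopsy modes: fls with -d is the
deleted-file view of File Analysis, istat and blkcat are Meta Data and Data Unit, and the
fls -m / mactime pair is what File Activity Time Lines produces. Passing the same -z value to
fls and mactime that was entered as the host's Time zone in Autopsy is what keeps the two
timelines comparable.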

Step 4: Closing the analysis

To close the analysis session, click Close, then Close Host and Close Case. The Case Gallery
window lists each Case Name with its Description, so whenever the analyst wants to return
to the image it is enough to select the Case Name and click OK; the case, host and image
configuration are kept by Autopsy. Finally, go back to the terminal and press Ctrl-C to
terminate the Autopsy server.

Bibliography

ACPO. (2008). Good Practice Guide for Computer-Based Electronic Evidence. Available:
http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdf.
Last accessed 30 September 2009.
Al-Azhar, M.N. (2009). Standard Operating Procedure of Acquisition on Ubuntu. Forensic Cop
Journal, 2(3). Available: http://forensiccop.blogspot.com. Last accessed 19 December 2009.
Al-Azhar, M.N. (2009). Ubuntu Forensic. Forensic Cop Journal, 2(1). Available:
http://forensiccop.blogspot.com. Last accessed 19 December 2009.
Carrier, B. (2004). Basic Media Analysis & The Sleuth Kit / Autopsy.
Connectiva S/A and Vogt, M. (2009). Synaptic Package Manager 0.62.5. Ubuntu 9.04.
Ferguson, I. (2008). Lab Session Guidance of CS936: Physical Searching. Glasgow: CIS
Department, University of Strathclyde.
US Department of Justice. (2001). Electronic Crime Scene Investigation: A Guide for First
Responders. Available: http://www.ncjrs.gov/pdffiles1/nij/187736.pdf. Last accessed
30 September 2009.
