Extracting files, and recovering critical forensic information in general, is a key step in the computer forensics process. Out in the wild there is a plethora of tools a forensic examiner may choose for the job. Although this does not relate directly to recovering files from a forensic standpoint, the same approach can also be used by people who have lost data and want to try their hand at recovering it. The focus of this document is Autopsy and how to use this free tool to recover such files.
Before we start, we need to download a few files. These tools are free, and they give you the basic pieces of information you will need in order to pull files out of a forensic image. Be aware that we are also mounting the image with separate software to show you that the deleted files are still present on the disk we are analyzing.
Should you wish to follow the process from start to finish as we present it, you may want to download the tools listed here: PassMark OSFMount, which is used to mount the img files we obtained in this document: Obtain Disk Image With Linux; and of course a copy of Autopsy, and lastly let's not forget ProDiscover. Although for this example I am using Autopsy, I will also write up the same process with ProDiscover, which you can Find Here.
With that said, once you have downloaded your tools and Obtaining Disk Image With Linux has been completed, the next stop is to mount the drives and analyze them. The first thing you should do is load the image in your choice of forensic software. For this example we will be using Autopsy; other documents will focus on recovering files with ProDiscover.
Loading up Autopsy
The first thing we will do is create a new case. For this demonstration we will select the options shown below:
Once you select this option, fill out some basic information regarding your "Case" (as expected). The following set of images will guide you through this process.
(Autopsy Start Segment)
Once the introductory screens have been filled out, the next step is to select what information we will be loading. There are a few things you should be aware of when performing forensics. First, whether you are working from an image (as we are) or from another type of disk. In our case we have selected "Image File" and will then open that image file. Because we are in EDT, we will select that to reflect the time zone of the drive image. There are also issues with GMT time handling on Windows, which we will cover in another paper in time to come. The settings we used to load and mount the disk are shown below.
(Selecting a disk image to analyze)
From this point we need to select the sources and the information we will be looking for. Once we have selected these we can start choosing other options, looking into the status of the case, or recovering files.
(Selecting options and settings to utilize for the forensics)
After this point is reached you can click on the "Finish" button and let the software load the information you have selected. You will notice a progress bar on the bottom right of the screen. Let this finish, and then you can begin to analyze the hard disk.
(The loading bar for the images selected)
Mounting & Viewing Drives
At this point, once the information has been loaded, we can move on to the application itself and what it has to offer. For the sake of simplicity we are also viewing the files outside of the forensic application first. This is done to give you an idea of which files are present forensically versus what is visible to the eye. In case you did not review the information at the beginning of this document, you will need the following program if you want to play along with us: PassMark OSFMount. Note that this program mounts the drive read-only. You cannot interact with the files beyond opening them and reviewing their information; saving, deleting or even modifying the files is not possible in this view.
To mount the image, install and start the software. Note that you will also need administrative privileges to run this application and mount the disk. The following screenshot is an example of how to mount the image file.
(Default load screen for OSFmount)
From these options, within this view, select "Mount New." Once Mount New has been selected, follow the example in the image below.
(Steps to mount an image file)
Once you have selected your image and clicked "OK", the drive will show up in Explorer on the left side. You can see this in the following image:
(Forensic Image as a Disk)
As we can see from the image above, the disk image has been mounted as a read-only drive and we can interact with it.
(Combining both views from explorer and Autopsy)
In the image above, the listing on the left side of the view is from within Autopsy, while the standard view is from Windows Explorer. We can clearly see that there are files missing. What is up with that? Well, the files marked with red x's are files that have been deleted. The space those deleted files occupied is marked as free space and is waiting to be overwritten. In the standard Windows Explorer view, none of the files named on the far left are listed. Why? Again, they have been deleted. So, things aren't what they appear to be.
Autopsy View
The Autopsy application is split into panes and is not that difficult to follow. The view below shows what the software looks like and where you can find the drive you have attached. You must first select your drive (top left), which is circled in red. Once you click the + on the drive to expand the files and folders in its root, the center window displays the files, folders and other information that was, or currently still is, on the drive. Once this is selected you can begin to scrutinize the disk and its contents.
(Autopsy software and its main window)
Extracting Deleted Files
Forensic examiners (as well as people looking to retrieve their own deleted files) will normally attempt to recover deleted files from a forensic image in order to determine what is within the files they are recovering, and also to determine whether they are in fact evidence that may help or impact a case. To recover files within Autopsy, select a file marked with a red x and then right-click it. In this case, we will extract the folder "admenot" and the file "mainbanner.png".
Although some of the files may yield nothing beyond showing that a file once existed on that disk, you may also be able to extract deleted directories with their entire contents. While this is a very limited example, it does serve to show how an examiner would go about extracting deleted information. One thing to point out, though, is that not all recovered files will carry the same names! If this is part of a forensic investigation, looking at all values, files and folders with their given, and sometimes cryptic, names may yield some information for you.
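The two points above (deleted data sits in free space until it is overwritten, and recovered files may not keep their names) are what file carving relies on: when the directory entry is gone, a tool recovers a file by recognizing its contents rather than its name. The following is an added example written for this post, not Autopsy's or Sleuth Kit's own code, and it does not read a real image file. It builds a tiny valid PNG (standing in for something like mainbanner.png), drops it into a constructed block of filler bytes that plays the role of unallocated space, then carves it back out by scanning for the PNG signature and walking the chunk structure to IEND. The per-chunk CRC check is what lets the carver tell an intact file apart from one whose sectors have already been partially reused.

```python
"""Carve PNG files out of raw bytes by signature, verifying each chunk's CRC.

Added example for this post; the image data is constructed in-process
(build_sample_image) and is not a real forensic image.
"""
import struct
import zlib
from typing import List, Optional, Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: big-endian length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(width: int = 1, height: int = 1) -> bytes:
    """Constructed sample: a minimal valid 8-bit RGB PNG filled with red pixels."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def build_sample_image() -> bytes:
    """Constructed stand-in for unallocated space: filler with one PNG in the middle.

    The filler is 2048 bytes long, so the PNG sits at offset 2048.
    """
    filler = bytes(range(256)) * 8
    return filler + build_sample_png() + filler


def carve_png_at(image: bytes, start: int) -> Optional[bytes]:
    """Walk chunks from a signature offset; return the PNG bytes only if intact.

    Returns None when the data runs off the end of the image (truncated) or a
    chunk CRC fails (the sectors have been overwritten by something else).
    """
    pos = start + len(PNG_SIGNATURE)
    while pos + 8 <= len(image):
        length = struct.unpack(">I", image[pos:pos + 4])[0]
        ctype = image[pos + 4:pos + 8]
        end = pos + 8 + length + 4  # header + data + CRC
        if end > len(image):
            return None
        data = image[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", image[end - 4:end])[0]
        if crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            return None
        pos = end
        if ctype == b"IEND":
            return image[start:pos]
    return None


def carve_pngs(image: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, bytes) for every intact PNG found anywhere in the image."""
    found = []
    pos = image.find(PNG_SIGNATURE)
    while pos != -1:
        png = carve_png_at(image, pos)
        if png is not None:
            found.append((pos, png))
            pos = image.find(PNG_SIGNATURE, pos + len(png))
        else:
            # Damaged candidate: keep scanning from the next byte.
            pos = image.find(PNG_SIGNATURE, pos + 1)
    return found


if __name__ == "__main__":
    for off, png in carve_pngs(build_sample_image()):
        print(f"intact PNG at offset {off}: {len(png)} bytes")
```

On a real image you would read the raw bytes from the .img file (or, more sensibly, from the unallocated blocks that Autopsy or The Sleuth Kit already identify) and feed them to carve_pngs; the carved output has no name or timestamp, which is exactly why a carved file lands with a generic name and why the page warns that recovered names may be cryptic. A damaged candidate is skipped rather than saved, which mirrors the page's point that some deleted entries only prove a file once existed.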