Case Management
Overview
Autopsy organizes images based on the case and host that they came
from. A case contains one or more hosts (a new case should be
created for each investigation). Each host can contain one or more
images, which correspond to disks or partitions on the host.
Creating a New Case
From the Main Menu (at startup) select New Case. You will
have to enter the case name and an optional short description.
The case name must be a valid directory name (no spaces - no
symbols). A list of investigators will also be requested. These
will be used for the audit logs, not for authentication. A directory
with the same name as the case will be created in the Evidence
Locker. To later rename the case, simply rename the directory.
For example:
| Case Name: | bankofmars |
| Case Description: | Theft of $1,000,000,000.01 from The Bank of Mars |
| Investigators: | gadget |
Adding a New Host
A Host must then be created in the Case. Select the Case that was
just created from the Case Gallery and enter the Host Gallery.
Select Add Host and enter the host name, a short description,
and time information such as time zone and clock skew. The clock
skew is how many seconds the system was off from a synchronized
clock. Adding a host will create a directory in the case directory
and subdirectories in the host for the images, output data, logs,
and reports. If you do not add a time zone, then it will default to
the time zone of your analysis system. A list of time zones can be
found here.
You can optionally add the path to hash databases.
For example, the 'Bank of Mars' incident could have two hosts
involved:
| Host Name: | db_server |
| Host Description: | Main Database Server - Solaris |
| Timezone: | EST5EDT |
| Timeskew: | -100 |
| Known Good Database: | none |
| Known Bad Database: | none |
| Host Name: | file_server |
| Host Description: | Windows File Server - Win 2k |
| Timezone: | CST6CDT |
| Timeskew: | 0 |
| Known Good Database: | /usr/local/forensics/hash/win2k.txt |
| Known Bad Database: | /usr/local/forensics/hash/win_hack.txt |
Adding a New Image
Next, images must be added to the host. Select the host that was
just added from the Host Gallery and enter the Host Manager. Select
Add Image File and a new form is shown. The first text box in
the form is for the path of the image file. If you are importing a
split image, then the extension must be ordered based on the file order.
Supply a '*' in the file name extension where the numbers or letters are.
(i.e. .../image.*). The image file can be
of a full disk or of an individual partition. You must select which
it is though. Before they can analyzed, the images will have to
be located in the evidence locker. You are given a choice to either
create a symbolic link from the current location, to copy the file,
or to move the file from its current location to the host directory.
Select the desired import method. For example:
| Image Path: | /mnt/sys1/disk2.* |
| Type: | Disk |
| Import Action: | symlink |
If you are importing a split image, then the next window will confirm the
order of the images. After that, the next window will allow you to specify
or calculate the MD5 for the file. This should be of the full file and if you
are importing a split image then it should be for all files combined.
If you are importing a volume image, then Autopsy will try to determine the
file system type. You will also need to specify the mounting point. This is used for cosmetic purposes only when printing the full path of files.
If the image file is a disk image then Autopsy will list all of the partitions and try to determine the file system in each one. You have the option to not import a partition and to change the file system type.
MD5 Values
Each host has an md5.txt file that contains
the MD5 value for files in that directory. Autopsy uses that file
to validate the integrity of files. By default, when a file is
imported into Autopsy, its MD5 will be calculated. If it is already
known, then it can be entered in the 'Add Images' window.
Host Subdirectories
Each host has an images directory and an output
directory. All data generated by Autopsy is saved to the output
directory. The theory behind this design, was to allow the images
directory to have strict permissions to prevent accidently modifying
the images. Therefore, the images directory can have its write
bits removed to prevent modifications.
References
Issue 2 of The Sleuth Kit Informer discusses case management and how to break a disk image into file system images.
Brian Carrier