File Category Type Analysis Help
Overview
Analyzing large file system images can be very daunting. One way
of identifying files that should be examined is to sort the files based
on file type. This mode of Autopsy will allow one to sort the files
in an image based on type and to exclude known files (i.e. data
reduction). It also allows one to flag files that are known to be bad.
Procedure
The sorter document in the docs directory of The
Sleuth Kit has more details, but this page provides
an overview of the interface that Autopsy gives to it.
The first step is to sort the image. There are several
options to choose from when doing this. The sorter tool from
The Sleuth Kit performs the sorting. There are two major
actions that sorter can do: sort files by type and validate
extensions.
By default, Autopsy will perform both actions. If you do not want
it to do a given action, deselect it.
Within sorting, there are two options:
- The first is to save the output. By default,
details about each file will be added to a category file. For
example, a JPEG image will have the meta data address and image
name saved to the images file. By selecting the Save
option, a directory will be created for each category and a copy
of the files will be saved. This could require lots of disk space
(as much as the original image size).
- The second option is to save unknown file types. There are
configuration files that contain rules about common data types. If
a file is encountered that does not have a rule, it is added to an
unknown file. If this is not desired, select the Do Not
Save Unknown option.
During the sorting process, the sorter tool also examines
the extension of each file. If the file type is known, that type has
known extensions, and the file does not have one of those extensions, the
file is added to a mismatch file. This check can be deselected if it is
not wanted.
Hash Databases
One easy way of data reduction is to use hash databases. The sorter
tool can use three different hash databases. Each can be configured
within Autopsy and used in other screens.
- NIST NSRL: The NIST NSRL contains hashes of trusted operating
systems and programs. This is used to ignore known files. Files found
in the NSRL will not be included in the file categories (to save time
when reviewing the files). If the file is in the NSRL and has an
extension mismatch, it will be noted in a special file.
- Ignore Database: This database must be created by the user
and added to the host. It is similar to the NSRL in that it contains
hashes of known good files. They will be ignored in the same way that
those from NSRL are.
- Alert Database: This database must also be created by the
user and added to the host. It contains hashes of files that are
known to be bad and should be identified if found in the image. This would
include known rootkits or photographs. Hits from this database are
recorded in the alert file.
More details can be found in the Hash Database Help.
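The following is an added example, not code from Autopsy or The Sleuth Kit, that models how the sorting, extension-validation and hash-database steps above fit together: a file is typed by leading magic bytes using constructed rules in place of sorter's config files, its extension is checked against the extensions known for that type, and its MD5 (an assumption; sorter's hash lookups are not fixed to MD5 here) is checked against NSRL, ignore and alert sets before the file is written to a category, ignored, alert, unknown or mismatch bucket.

```python
import hashlib

# Constructed rules standing in for sorter's config files:
# (category, leading magic bytes, extensions expected for that type).
RULES = [
    ("images", b"\xff\xd8\xff", {"jpg", "jpeg"}),
    ("images", b"\x89PNG\r\n\x1a\n", {"png"}),
    ("exec", b"MZ", {"exe", "dll"}),
]

def md5(data):
    return hashlib.md5(data).hexdigest()

def classify(name, data, nsrl, ignore, alert):
    """Work out where sorter would record one file: its detected category
    ('unknown' if no rule matches), the bucket, and any extension mismatch."""
    digest = md5(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    category, known_exts = "unknown", None
    for cat, magic, exts in RULES:
        if data.startswith(magic):
            category, known_exts = cat, exts
            break
    mismatch = known_exts is not None and ext not in known_exts
    if digest in alert:                       # known bad -> alert file
        bucket = "alert"
    elif digest in nsrl or digest in ignore:  # known good -> left out
        bucket = "ignored"
    else:                                     # category file or unknown
        bucket = category
    return {"category": category, "bucket": bucket, "mismatch": mismatch}

def sort_files(files, nsrl=(), ignore=(), alert=()):
    """Group (name, bytes) pairs into sorter-style output buckets."""
    out = {}
    for name, data in files:
        r = classify(name, data, set(nsrl), set(ignore), set(alert))
        out.setdefault(r["bucket"], []).append(name)
        if r["mismatch"]:  # noted even for NSRL/ignore hits, as sorter does
            out.setdefault("mismatch", []).append(name)
    return out

# Constructed sample "files" (name, content); not real image data.
SAMPLES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 8),   # JPEG, right ext
    ("notes.txt", b"\xff\xd8\xff\xe1" + b"\x01" * 8),   # JPEG named .txt
    ("calc.exe", b"MZ" + b"\x90" * 16),                 # PE, in our "NSRL"
    ("README", b"plain text with no rule\n"),           # no rule -> unknown
]
```

Running `sort_files(SAMPLES, nsrl=[md5(SAMPLES[2][1])], alert=[md5(SAMPLES[1][1])])` places photo.jpg under images, calc.exe under ignored, README under unknown, and notes.txt in both the alert and mismatch buckets.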
Output
Currently, there is no way to view the output from within Autopsy.
All data can be found in the output directory of the host.
A directory is created for the sorter output. View the
index.html file in it; it contains links to the other files.
References
Issues 3, 4, and 5 of The Sleuth Kit Informer discussed using the 'sorter' tool.
Brian Carrier