Analyzing a USB Image with Autopsy

The Sleuth Kit is “a collection of command line tools and a C library that allows you to analyze disk images and recover files from them.” (sleuthkit.org) Autopsy is the GUI frontend that runs on the TSK (The Sleuth Kit) backend. In a nutshell, Autopsy lets you carry out digital forensics investigations on device images.

When you start the program, you can create a new case. Cases are the individual investigations that you, or your organization, are currently part of. An investigation will usually have a name, contact information for the investigators working on it, and a central location for the investigation files to sit. Once you create a new case, you can let the Host be auto-generated, choose the “Disk Image or VM File” Data Source Type, provide the path to your USB image, and load the image into Autopsy, which will begin analyzing it.

Now that the image file is loaded into Autopsy, you can start exploring it. You can look into each part of the USB image, including the FAT file system structures, and view the results as either text or hex. This is brilliant for finding data hidden in parts of the USB drive that a normal file explorer would not let you see. An example of this is orphan files: files that have been deleted and no longer appear in their parent folder. Autopsy analyzes the image automatically when you provide it and locates any orphan files. A practical example of when this is useful is a subject who deletes files but goes no further to hide their traces. Autopsy will locate most or all of the deleted remnants of these files and still let you view them.

A common anti-forensics method is steganography: hiding data within data, such as hiding text inside an image file. Because Autopsy has a hex viewer, you can look through the hex or plain text of a file to find information that may be hidden in it. Autopsy can also be configured to use Google or Bing to translate text, which makes it usable when investigating nation-state events involving foreign-language material.

Autopsy’s Application tab displays a file in what appears to be its native state. For example, if you find a JPEG file on the USB drive, you can view the image itself instead of just analyzing hex. It also displays videos and HTML files. You can view a file’s metadata easily as well, which is very useful for finding timestamps.

When I loaded up a peer’s USB drive image onto Autopsy, I went exploring into the file structure. I found images, which I could view as the image and as hex. The headers of the text results allowed me to verify it was a JPEG file. Additionally, I found an MP3 file that I could actually play on my machine! Listening to a jazz song while analyzing a device image isn’t a bad combination. 

One last thing I will touch on: when you explore the file system, you can view the change and access times of each file. During an investigation this can matter for attribution. If you know that a crime occurred during a particular time window, you can better attribute it to a suspect, since the access and change times tie an event to whoever was using the device at that time.

References

Open Source Digital Forensics. The Sleuth Kit (TSK) & Autopsy: Open Source Digital Forensics Tools. (n.d.). Retrieved February 5, 2022, from https://www.sleuthkit.org/ 

Device Imaging with dd

In this tutorial, I will explain what dd is and how to use it to create an image of a device. Let’s start by explaining what an image is and why you may want to create one. An image is just a “comprehensive duplicate of electronic media such as a hard-disk drive.” (Goldstein, 2019) Comprehensive duplicate means that it copies a device, whether a USB drive, hard drive, floppy disk, etc., exactly, bit for bit. Images are used in virtualization when you want to run an operating system from a predetermined state, and in digital forensics investigations to ensure that all work is done on an image, so as not to accidentally taint the integrity of the original evidence.

The dd command on Linux (*nix) is “a command-line utility for Unix and Unix-like operating systems whose primary purpose is to convert and copy files.” (GeeksforGeeks, 2019) In other words, dd is a program, run from a Linux or Unix terminal, that can easily make an image of a storage medium such as a USB drive. dd is built into *nix machines, so you don’t have to worry about installing it.

Let’s begin by looking at the manual page and learning the syntax. You can read the man page of most binaries by invoking man <binary>. For dd, you can read it with man dd.

We can see that dd is used to convert and copy files, and that you can adjust its operands. The general syntax is dd [OPERAND]. The only operands we will worry about in this tutorial are if (input file), of (output file), and status. The input file is the device you want to image, the output file is where you want the image to be saved, and status controls how much information dd reports to the user.

When you want to create an image of a USB drive, you must first locate the drive using lsblk. This command “lists information about all available devices.” (Broz & Zak, 2021)

We can see a couple of devices, but we will focus on sdb. This is the second disk drive and will likely be the USB stick you want to image. To double-check that this is the right drive, look at the MOUNTPOINT for sdb1 and see that it is mounted at /media/ubuntu/003B-5B4A. List the files in that location with ls and make sure it is the USB stick you want to image.

Next, we will invoke the dd command. The syntax we will use will be as follows:

sudo dd if=/dev/sdb of=~/Desktop/imageOfUSB status=progress

Above, we specify that the input file, the device we want to image, is the USB stick. The output file saves the image on the current user’s desktop under the name imageOfUSB, and the status operand asks dd to show the progress of the copy. The sudo at the beginning runs the command as the superuser, which is necessary because reading a raw block device requires root privileges. When the copy completes, the output should look like this:

We can use hashes to ensure that the image and the device are exactly the same, bit for bit. A hash function takes input of any size and outputs a fixed-length string of hexadecimal characters, computed by a carefully designed algorithm. It ensures that if any data changes, even a single flipped bit, the output of the hash algorithm will look vastly different. We can see below that the image and the device have the same hash:
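As an added example (not from the original post), the script below runs the same dd-then-hash workflow against a constructed sample file standing in for /dev/sdb, so it can be tried without root or a real USB stick; the helper names, the 1 MiB sample and the .sha256 side file are my assumptions. It also records the hash beside the image so the copy can be re-verified later, a step the post does not show.

```shell
#!/bin/sh
# Added example, not from the original post: the post's dd-then-hash workflow
# run against a constructed sample file standing in for /dev/sdb, so it works
# without root or a real USB stick.
# Assumptions: GNU coreutils (dd status=, sha256sum). When imaging hardware,
# set SRC to the real device (e.g. /dev/sdb) and run the dd steps under sudo;
# sha256sum accepts a block device path just like a file.

WORK=$(mktemp -d)
SRC="$WORK/fake-sdb"      # constructed stand-in for the USB device
IMG="$WORK/imageOfUSB"    # same output name the post uses

# Build a constructed 1 MiB "device" with deterministic contents (all 'A').
make_sample_device() {
  head -c 1048576 /dev/zero | tr '\0' 'A' > "$1"
}

# Image a source (block device or file) into an output file with dd.
# status=none keeps the function quiet; the post's status=progress is the
# interactive equivalent.
image_device() {
  dd if="$1" of="$2" bs=4M status=none
}

# Print only the SHA-256 digest of a file or device.
sha256_of() {
  sha256sum "$1" | cut -d' ' -f1
}

# Store the image hash beside the image so the evidence copy can be
# re-verified later with: sha256sum -c imageOfUSB.sha256
record_hash() {
  (cd "$(dirname "$1")" && sha256sum "$(basename "$1")") > "$1.sha256"
}

# Succeed only when source and image hash identically.
verify_image() {
  [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# Demonstration: the fresh image verifies; a copy with one changed byte does not.
make_sample_device "$SRC"
image_device "$SRC" "$IMG"
record_hash "$IMG"
verify_image "$SRC" "$IMG" && echo "image matches device: $(sha256_of "$IMG")"
cp "$IMG" "$WORK/tampered"
printf 'X' | dd of="$WORK/tampered" bs=1 seek=100 conv=notrunc status=none
verify_image "$SRC" "$WORK/tampered" || echo "tampered copy does not match"
```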

Now we will put the image on an empty USB stick. To ensure it is empty, I will explain how to format (wipe) a USB stick. First, open the Disks utility on Linux. The screen should look something like this:

Next, select the USB stick. Click the cogwheels on the volume you want to format, then click Format Partition. You can name the volume, but make sure you select Erase so that everything on the stick is erased. Click Next, then click Format. It shouldn’t take long for small drives, but anything over 1GB will likely take a few minutes. Anything over 10GB may take an hour or longer on a virtual machine, and anything over 1TB may take a day. Once it is formatted, we can run essentially the reverse of our previous command to write the image onto the USB drive.

sudo dd if=~/Desktop/imageOfUSB of=/dev/sdb status=progress

This may take a lot longer than the previous run, since USB write speeds are usually slower than read speeds.

That is really all there is to making images and putting images onto devices.

References

Broz, M., & Zak, K. (2021, October 27). lsblk(8) - Linux manual page. Retrieved January 29, 2022, from https://man7.org/linux/man-pages/man8/lsblk.8.html

GeeksforGeeks. (2019, May 15). 'dd' command in Linux. Retrieved January 29, 2022, from https://www.geeksforgeeks.org/dd-command-linux/#:~:text=dd%20is%20a%20command%2Dline,system%20just%20like%20normal%20files.

Goldstein, S. (2019, September 24). Two key differences between digital forensic imaging and digital forensic clone and how they can affect your legal case. Capsicum: Digital Forensics, Investigations, Cyber Security. Retrieved January 29, 2022, from https://capsicumgroup.com/2-key-differences-between-digital-forensic-imaging-and-digital-forensic-clone-and-how-they-can-affect-your-legal-case/#:~:text=A%20Forensic%20Image%20is%20a,as%20a%20hard%2Ddisk%20drive.&text=This%20exact%20duplicate%20of%20the,for%20analysis%20and%20evidence%20preservation.