mirror of
https://github.com/LCTT/TranslateProject.git
synced 2024-12-26 21:30:55 +08:00
Merge pull request #2828 from FSSlc/master
[Translated] 20150320 Sleuth Kit--Open Source Forensic Tool to Analyze Disk Images and Recover Files.md
This commit is contained in:
Xingyu.Wang
commit
76917c677a
@ -1,161 +0,0 @@
|
||||
FSSlc Translating
|
||||
|
||||
Sleuth Kit - Open Source Forensic Tool to Analyze Disk Images and Recover Files
|
||||
================================================================================
|
||||
SIFT is a Ubuntu based forensics distribution provided by SANS Inc. It consist of many forensics tools such as Sleuth kit / Autopsy etc . However, Sleuth kit/Autopsy tools can be installed on Ubuntu/Fedora distribution instead of downloading complete distribution of SIFT.
|
||||
|
||||
Sleuth Kit /Autopsy is open source digital forensics investigation tool which is used for recovering the lost files from disk image and analysis of images for incident response. Autopsy tool is a web interface of sleuth kit which supports all features of sleuth kit. This tool is available for both Windows and Linux Platforms.
|
||||
|
||||
### Install Sleuth kit ###
|
||||
|
||||
First of all, download Sleuth kit software from [sleuthkit][1] website. Use wget command to download it in terminal which is shown in the figure.
|
||||
|
||||
# wget http://cznic.dl.sourceforge.net/project/sleuthkit/sleuthkit/4.1.3/sleuthkit-4.1.3.tar.gz
|
||||
|
||||
|
||||
|
||||
Extract the sleuthkit-4.1.3.tar.gz using following command and go inside the extracted directory
|
||||
|
||||
# tar -xvzf sleuthkit-4.1.3.tar.gz
|
||||
|
||||
|
||||
|
||||
Run following command which perform the requirement check before sleuth kit installation
|
||||
|
||||
#./configure
|
||||
|
||||
|
||||
|
||||
Make command compile the sleuth kit code.
|
||||
|
||||
#make
|
||||
|
||||
|
||||
|
||||
Finally following command install it under **/usr/local** path.
|
||||
|
||||
#make install
|
||||
|
||||
|
||||
|
||||
### Install Autopsy Tool ###
|
||||
|
||||
Sleuth kit installation is complete and now we will install autopsy interface. Download Autopsy software from [sleuthkit's autopsy page][2] . Use wget command to download it in terminal which is shown in the figure.
|
||||
|
||||
# wget http://kaz.dl.sourceforge.net/project/autopsy/autopsy/2.24/autopsy-2.24.tar.gz
|
||||
|
||||
|
||||
|
||||
Extract the autopsy-2.24.tar.gz using following command and go inside the extracted directory
|
||||
|
||||
# tar -xvzf autopsy-2.24.tar.gz
|
||||
|
||||
|
||||
|
||||
Configuration script of autopsy asks for NSRL (National Software Reference Library) and path of **Evidence_Locker** folder.
|
||||
|
||||
Enter "n" for NSRL prompt and create Evidence_Locker folder under **/usr/local** directory. Autopsy stores the configuration files, audit logs and output under Evidence_Locker folder.
|
||||
|
||||
#mkdir /usr/local/Evidence_Locker
|
||||
|
||||
#cd autopsy-2.24
|
||||
|
||||
#./configure
|
||||
|
||||
|
||||
|
||||
After adding Evidence_Locker path in installation process , autopsy stores configuration files in it and shows a following message to run the autopsy program.
|
||||
|
||||
|
||||
|
||||
Type **./autopsy** command in terminal to start the graphical interface of Sleuth kit tool.
|
||||
|
||||
|
||||
|
||||
Type following address in the web browser to access the interface of autopsy .
|
||||
|
||||
http://localhost:9999/autopsy
|
||||
|
||||
Main web page of autopsy plugin is shown int the following figure.
|
||||
|
||||
|
||||
|
||||
Click on the **New Case** button to start analysis in autopsy tool. Enter the case name, description about the investigation and name of agent which is shown in the following figure.
|
||||
|
||||
|
||||
|
||||
Following web page will appear after entering the details in the above page. Click on **Add Host** button to add details for the analyst machine.
|
||||
|
||||
|
||||
|
||||
Enter host name, description and time zone setting of analyst machine on the next page.
|
||||
|
||||
|
||||
|
||||
Click on the **Add Image** button to add image file for forensics analysis.
|
||||
|
||||
|
||||
|
||||
Click on the **Add Image File** button on the following web page. It opens new web page which require Path of image file and select type & importing method.
|
||||
|
||||
|
||||
|
||||
As shown in the following figure, we have entered path of Linux image file. In our case, image file is partition of disk.
|
||||
|
||||
|
||||
|
||||
Click on the next button and select **Calculate hash** option in the next page which is shown in the following figure. It also detect the file system type of the given image.
|
||||
|
||||
|
||||
|
||||
Following window shows the MD5 hash of the image file before static analysis .
|
||||
|
||||
|
||||
|
||||
On the next web page, autopsy shows following information about the image file.
|
||||
|
||||
- mount point for the image
|
||||
- name of image
|
||||
- file system type of given image
|
||||
|
||||
Click on the **details** button to get more information about the given image file. It also offer extraction of unallocated fragments and strings from the volume of image file which is shown in the following figure.
|
||||
|
||||
|
||||
|
||||
Click on **Analyze** button which is shown in the below figure to start analysis on given image . It opens another page which shows the multiple options for image analysis.
|
||||
|
||||
|
||||
|
||||
Autopsy offer following features during image analysis process.
|
||||
|
||||
- File Analysis
|
||||
- Keyword Search
|
||||
- File Type
|
||||
- Image Details
|
||||
- Data Unit
|
||||
|
||||
File Analysis on given image of Linux partition is shown in the following figure.
|
||||
|
||||
|
||||
|
||||
It extracts all files and folders from the given image . Extraction of deleted files are shown int he figure.
|
||||
|
||||
|
||||
|
||||
### Conclusion ###
|
||||
|
||||
Hopefully this article will be useful for the beginner in static forensics analysis of disk image. Autopsy is web interface for sleuth kit which provides features such as extraction of strings , recovery of deleted files, timeline analysis, extraction of web surfing history, keyword search and email analysis on windows and linux disk images.
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: http://linoxide.com/ubuntu-how-to/autopsy-sleuth-kit-installation-ubuntu/
|
||||
|
||||
作者:[nido][a]
|
||||
译者:[译者ID](https://github.com/译者ID)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
|
||||
|
||||
[a]:http://linoxide.com/author/naveeda/
|
||||
[1]:http://www.sleuthkit.org/sleuthkit/download.php
|
||||
[2]:http://www.sleuthkit.org/autopsy/download.php
|
||||
@ -0,0 +1,159 @@
|
||||
Sleuth Kit -- 一个用来分析磁盘映像和恢复文件的开源取证工具
|
||||
================================================================================
|
||||
SIFT 是一个由 SANS 公司提供的基于 Ubuntu 的取证发行版本。它包含许多取证工具,如 Sleuth kit/Autopsy 。但 Sleuth kit / Autopsy 可以直接在 Ubuntu 或 Fedora 发行版本上直接安装,而不必下载 SIFT 的整个发行版本。
|
||||
|
||||
Sleuth Kit/Autopsy 是一个开源的电子取证调查工具,它被用于从磁盘映像中恢复丢失的文件,基于事件响应的磁盘映像的分析。 Autopsy 工具是 sleuth kit 的一个网页接口,支持 sleuth kit 的所有功能。这个工具在 Windows 和 Linux 平台下都可获取到。
|
||||
|
||||
### 安装 Sleuth kit ###
|
||||
|
||||
首先,从 [sleuthkit][1] 的网站下载 Sleuth kit 软件。使用下面的命令在虚拟终端下使用 wget 命令来下载它,下图展示了这个过程。
|
||||
|
||||
# wget http://cznic.dl.sourceforge.net/project/sleuthkit/sleuthkit/4.1.3/sleuthkit-4.1.3.tar.gz
|
||||
|
||||
|
||||
|
||||
使用下面的命令解压 sleuthkit-4.1.3.tar.gz 并进入解压后的目录:
|
||||
|
||||
# tar -xvzf sleuthkit-4.1.3.tar.gz
|
||||
|
||||
|
||||
|
||||
在安装 sleuth kit 之前,运行下面的命令来执行所需的检查:
|
||||
|
||||
#./configure
|
||||
|
||||
|
||||
|
||||
然后使用 Make 命令来编译 sleuth kit :
|
||||
|
||||
#make
|
||||
|
||||
|
||||
|
||||
最后,使用下面的命令将它安装到 **/usr/local** 目录下:
|
||||
|
||||
#make install
|
||||
|
||||
|
||||
|
||||
### 安装 Autopsy 工具 ###
|
||||
|
||||
Sleuth kit 已经安装完毕,现在我们将为它安装 autopsy 界面。从 [sleuthkit 的 autopsy 页面][2] 下载 Autopsy 软件。使用下面的命令在虚拟终端下使用 wget 命令来下载它,下图展示了这个过程。
|
||||
|
||||
# wget http://kaz.dl.sourceforge.net/project/autopsy/autopsy/2.24/autopsy-2.24.tar.gz
|
||||
|
||||
|
||||
|
||||
使用下面的命令解压 autopsy-2.24.tar.gz 并进入解压后的目录:
|
||||
|
||||
# tar -xvzf autopsy-2.24.tar.gz
|
||||
|
||||
|
||||
|
||||
autopsy 的配置脚本将询问 NSRL (National Software Reference Library) 和 **Evidence_Locker** 文件夹的路径。
|
||||
|
||||
当弹窗问及 NSRL 时,输入 "n",并在 **/usr/local** 目录下创建名为 Evidence_Locker 的文件夹。Autopsy 将在 Evidence_Locker 文件夹下存储配置文件,审计记录和输出文件。
|
||||
|
||||
#mkdir /usr/local/Evidence_Locker
|
||||
|
||||
#cd autopsy-2.24
|
||||
|
||||
#./configure
|
||||
|
||||
|
||||
|
||||
在安装过程中添加完 Evidence_Locker 的安装路径后, autopsy 在那里存储配置文件并展现如下的信息来运行 autopsy 程序。
|
||||
|
||||
|
||||
|
||||
在虚拟终端中键入 **./autopsy** 命令来启动 Sleuth kit 工具的图形界面:
|
||||
|
||||
|
||||
|
||||
在浏览器中键入下面的地址来获取 autopsy 的界面:
|
||||
|
||||
http://localhost:9999/autopsy
|
||||
|
||||
下图展现了 autopsy 插件的主页面:
|
||||
|
||||
|
||||
|
||||
在 autopsy 工具中,点击 **新案例** 按钮来开始进行分析。键入案例名称,此次调查的描述和检查人的姓名,下图有具体的展示:
|
||||
|
||||
|
||||
|
||||
在接下来的网页中,将展示在上一个的网页中键入的详细信息。接着点击 **增加主机** 按钮来添加有关要分析的机器的详细信息。
|
||||
|
||||
|
||||
|
||||
在下一个网页中键入主机名,相关的描述和要分析的机器的时区设置。
|
||||
|
||||
|
||||
|
||||
点击 **增加映像** 按钮来为取证分析添加映像文件。
|
||||
|
||||
|
||||
|
||||
在接下来的网页中点击 **增加映像文件** 按钮。它将打开一个新的网页,来询问映像文件的路径和选择映像的类型以及导入的方法。
|
||||
|
||||
|
||||
|
||||
正如下图中展示的那样,我们已经键入了 Linux 映像文件的路径。在我们这个例子中,映像文件是磁盘的分区。
|
||||
|
||||
|
||||
|
||||
点击 下一步 按钮并在下一页中选择 **计算散列值** 的选项,这在下图中有展示。它也将检测所给映像的文件系统类型。
|
||||
|
||||
|
||||
|
||||
下面的图片展示了静态分析之前映像文件的 MD5 散列值。
|
||||
|
||||
|
||||
|
||||
在下一个网页中, autopsy 展现了有关映像文件的如下信息:
|
||||
|
||||
- 映像的挂载点
|
||||
- 映像的名称
|
||||
- 所给映像的文件系统类型
|
||||
|
||||
点击 **详情** 按钮来获取更多有关所给映像文件的信息。它还提供了从映像文件的卷中导出未分配的片段和字符串的数据信息,这在下图中有展现。
|
||||
|
||||
|
||||
|
||||
在下图中那样,点击 **分析** 按钮来开始分析所给映像。它将开启另一个页面,其中包含了映像分析的多个选项。
|
||||
|
||||
|
||||
|
||||
在映像分析过程中,Autopsy 提供了如下的功能:
|
||||
|
||||
- 文件分析
|
||||
- 关键字搜索
|
||||
- 文件类型
|
||||
- 映像详情
|
||||
- 数据单元
|
||||
|
||||
下图展示的是在给定的 Linux 分区映像上进行文件分析:
|
||||
|
||||
|
||||
|
||||
它将从所给映像中提取所有的文件和文件夹。在下图中也展示了已被删除的文件的提取:
|
||||
|
||||
|
||||
|
||||
### 结论 ###
|
||||
|
||||
希望这篇文章能够给那些进入磁盘映像的静态分析领域的新手提供帮助。Autopsy 是 sleuth kit 的网页界面,提供了在 Windows 和 Linux 磁盘映像中进行诸如字符串提取,恢复被删文件,时间线分析,网络浏览历史,关键字搜索和邮件分析等功能。
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: http://linoxide.com/ubuntu-how-to/autopsy-sleuth-kit-installation-ubuntu/
|
||||
|
||||
作者:[nido][a]
|
||||
译者:[FSSlc](https://github.com/FSSlc)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
|
||||
|
||||
[a]:http://linoxide.com/author/naveeda/
|
||||
[1]:http://www.sleuthkit.org/sleuthkit/download.php
|
||||
[2]:http://www.sleuthkit.org/autopsy/download.php
|
||||
Loading…
Reference in New Issue
Block a user