Sleuth Kit and Autopsy 3.0 Update - OSDFCon · The Sleuth Kit and Open Source Digital Forensics Conference
Transcript of the slide deck "Sleuth Kit and Autopsy 3.0 Update"
The Sleuth Kit and Open Source Digital Forensics Conference © Basis Technology, 2011
Sleuth Kit and Autopsy 3.0 Update
Brian Carrier, Basis Technology Corp
Agenda
• What is TSK
• What's new since last year
• What's planned for this year
• Autopsy 3.0
• Hadoop Prototype Framework
What Is The Sleuth Kit?
Open source software that allows you to forensically analyze disk images and local drives.
Scenario
• You have a disk image and want to look for specific files.
1. TSK will auto-detect the image format.
2. TSK will auto-detect the volume system and layout:
   • What sectors are allocated to partitions
   • What sectors are not allocated to any partitions
Scenario (contd.)
3. TSK will auto-detect the file system type and can search for your file (even if it is deleted):
   • Analyzes the directory hierarchy in the file system.
   • Identifies files that have been marked for deletion.
   • Searches for "orphan files" that no longer have a name.
Command Line Tools
• Original method for using TSK
• Currently, over 25 different tools
• mmls example (addresses are sectors; the Start value of a partition is the offset passed to the file system tools with -o):
# mmls tsk1.img
Slot    Start    End      Length   Description
00:  -----   0000000  0000000  0000001  Primary Table
01:  -----   0000001  0000062  0000062  Unallocated
02:  00:00   0000063  0032129  0032067  NTFS (0x07)
03:  00:01   0032130  0064259  0032130  DOS FAT16 (0x06)
Fls example
• Lists the files in a directory. Here -o 63 is the starting sector of the NTFS partition from the mmls output; each NTFS entry is printed as MFT entry-attribute type-attribute id.
# fls -o 63 tsk1.img
r/r 4-128-4: $AttrDef
[…]
r/r 3-128-3: $Volume
d/d 29-144-6: dir1
d/d 31-144-1: dir2
d/d 34-144-1: RECYCLER
v/v 19920-144-1: $OrphanFiles
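A worked example of the scenario the previous slides describe, added here and not part of the slides or of The Sleuth Kit itself: parse the mmls listing to get the sector each file system starts at (the value given to fls -o), then parse fls output to locate a file by name, including a deleted name and the $OrphanFiles directory. The sample text is constructed from the two listings above; the deleted entry plan.doc (the '*' marker fls prints for an unallocated name) and the 512-byte sector size are assumptions added for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the 'mmls tsk1.img' listing from the slide. mmls reports
# sectors; the byte offset is start * sector size (512 assumed here).
MMLS_OUTPUT = """\
Slot Start End Length Description
00: ----- 0000000 0000000 0000001 Primary Table
01: ----- 0000001 0000062 0000062 Unallocated
02: 00:00 0000063 0032129 0032067 NTFS (0x07)
03: 00:01 0032130 0064259 0032130 DOS FAT16 (0x06)
"""

# Constructed input: the 'fls -o 63 tsk1.img' lines from the slide plus one
# deleted entry (plan.doc), an assumption added for this example. NTFS addresses
# are MFT-entry-attribute_type-attribute_id (128 = $DATA, 144 = $INDEX_ROOT);
# a '*' after the type pair marks an unallocated (deleted) name.
FLS_OUTPUT = """\
r/r 4-128-4: $AttrDef
r/r 3-128-3: $Volume
d/d 29-144-6: dir1
d/d 31-144-1: dir2
d/d 34-144-1: RECYCLER
r/r * 35-128-1: plan.doc
v/v 19920-144-1: $OrphanFiles
"""


@dataclass
class Partition:
    index: int
    slot: str          # 'NN:NN' for a table slot, '-----' for table/unallocated entries
    start: int         # first sector
    end: int           # last sector, inclusive
    length: int
    description: str


@dataclass
class FlsEntry:
    name_type: str     # type from the directory entry (r file, d dir, v virtual, ...)
    meta_type: str     # type from the metadata structure (MFT entry / inode)
    deleted: bool      # True when fls printed '*' (the name is unallocated)
    inode: int
    attr_type: Optional[int]
    attr_id: Optional[int]
    name: str


_MMLS_RE = re.compile(r"^(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")
_FLS_RE = re.compile(r"^([a-z-])/([a-z-])\s+(\*\s+)?(\d+)(?:-(\d+)-(\d+))?:\s+(.*?)\s*$")


def parse_mmls(text: str) -> List[Partition]:
    parts = []
    for line in text.splitlines():
        m = _MMLS_RE.match(line.strip())      # the header line does not match
        if m:
            idx, slot, start, end, length, desc = m.groups()
            parts.append(Partition(int(idx), slot, int(start), int(end), int(length), desc))
    return parts


def filesystem_offsets(parts: List[Partition]) -> List[Tuple[str, int]]:
    """(description, starting sector) of every entry that occupies a table slot.
    The sector number is what 'fls -o' / 'fsstat -o' expect."""
    return [(p.description, p.start) for p in parts if p.slot != "-----"]


def unallocated_ranges(parts: List[Partition]) -> List[Tuple[int, int]]:
    """Sector ranges mmls reports as belonging to no partition (carving targets)."""
    return [(p.start, p.end) for p in parts if p.description.startswith("Unallocated")]


def parse_fls(text: str) -> List[FlsEntry]:
    entries = []
    for line in text.splitlines():
        m = _FLS_RE.match(line.strip())
        if not m:
            continue                          # skip anything that is not an entry line
        ntype, mtype, star, inode, atype, aid, name = m.groups()
        entries.append(FlsEntry(ntype, mtype, star is not None, int(inode),
                                int(atype) if atype else None,
                                int(aid) if aid else None, name))
    return entries


def find_file(entries: List[FlsEntry], name: str, include_deleted: bool = True,
              case_insensitive: bool = True) -> List[FlsEntry]:
    """Name lookup; NTFS and FAT names are case-insensitive, so that is the default."""
    def norm(s: str) -> str:
        return s.lower() if case_insensitive else s
    return [e for e in entries
            if norm(e.name) == norm(name) and (include_deleted or not e.deleted)]


def orphan_dirs(entries: List[FlsEntry]) -> List[FlsEntry]:
    """The virtual $OrphanFiles directory holds metadata entries with no remaining name;
    'fls -o <offset> <image> <its inode>' enumerates them."""
    return [e for e in entries if e.name_type == "v" and e.name == "$OrphanFiles"]


if __name__ == "__main__":
    for desc, start in filesystem_offsets(parse_mmls(MMLS_OUTPUT)):
        print(f"{desc}: fls -o {start} tsk1.img")
    for e in find_file(parse_fls(FLS_OUTPUT), "plan.doc"):
        print("found", e.name, "deleted" if e.deleted else "allocated", "MFT entry", e.inode)
```

The deleted hit is only a name; whether its content is still intact depends on whether the clusters it pointed to have been reused, which is why the same name search on a live system would have found nothing.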
Library
• All of the command line functionality, in a C/C++ library.
• More efficient to use when processing a full disk image.
• Reduced overhead: load general file system data only once.
• Full API docs and sample programs exist.
Library Quick Start (New School)
• Create a C++ class that extends TskAuto.
• Implement the processFile() method.
  • It will get called for every file in an image.
• That's it!
SQLite Database
• Use 'tsk_loaddb' or the library to dump file system data to a SQLite database.
• Open the database in your program using the language of choice.
• Reduces the number of required cross-language bindings.
Autopsy
• Original graphical interface to TSK
• First released in 2001
• HTML-based interface:
  • Runs TSK command line tools
  • Parses output and adds HTML tags
• Does not use the library interface.
Autopsy 2 (screenshot)
Lots of other tools…
• Open source tools
• Commercial tools
• Bootable CDs
• Refer to wiki.sleuthkit.org for a full listing.
What's New Since Last Year?
TSK Changes
• Releases 3.2.0 to 3.2.2
• New TskAuto class
• SQLite database output
• RAW CD format
• Performance
• Better data corruption handling
• New tools & functionality
SQLite Database Overview
• Tables store file system metadata:
  • image_info: image size and type
  • vs_info: describes each volume system
  • vs_parts: a row for every volume
  • fs_info: describes each file system
  • fs_files: a row for every file
  • fs_blocks: maps files to their blocks
• Does not store any file content.
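An added example (not from the slides or from TSK) of working with such a metadata database directly, as the earlier SQLite slide recommends, instead of through a language binding. It builds an in-memory SQLite database with the six tables the slide names, filled with constructed rows for the two-partition tsk1.img layout shown in the mmls example; the column names are a simplified schema assumed for this example, not the exact columns tsk_loaddb writes. The queries show what the database can answer (deleted names, full paths, which file owns a given block) and what it cannot: file content, which must be read from the image at byte ranges computed from fs_info and fs_blocks.

```python
import sqlite3
from typing import List, Tuple

# Simplified schema for this example. Table names follow the slide; column names
# are assumptions and not the exact ones tsk_loaddb produces.
SCHEMA = """
CREATE TABLE image_info (img_type TEXT, sector_size INTEGER, size INTEGER);
CREATE TABLE vs_info  (vs_id INTEGER PRIMARY KEY, vs_type TEXT, img_offset INTEGER, block_size INTEGER);
CREATE TABLE vs_parts (vs_id INTEGER, part_id INTEGER, start INTEGER, length INTEGER, descr TEXT, flags TEXT);
CREATE TABLE fs_info  (fs_id INTEGER PRIMARY KEY, img_offset INTEGER, fs_type TEXT, block_size INTEGER,
                       block_count INTEGER, root_inum INTEGER);
CREATE TABLE fs_files (fs_id INTEGER, file_id INTEGER, name TEXT, par_file_id INTEGER,
                       name_type TEXT, meta_type TEXT, name_alloc INTEGER, meta_alloc INTEGER,
                       size INTEGER, mtime INTEGER, atime INTEGER, ctime INTEGER, crtime INTEGER);
CREATE TABLE fs_blocks (fs_id INTEGER, file_id INTEGER, seq INTEGER, blk_start INTEGER, blk_len INTEGER);
"""

SECTOR = 512
T = 1300000000  # constructed epoch timestamp used for every row below


def build_sample_db() -> sqlite3.Connection:
    """Constructed rows for the tsk1.img layout from the mmls slide (NTFS at sector 63)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO image_info VALUES ('raw', ?, ?)", (SECTOR, 64260 * SECTOR))
    conn.execute("INSERT INTO vs_info VALUES (1, 'DOS', 0, ?)", (SECTOR,))
    conn.executemany("INSERT INTO vs_parts VALUES (?,?,?,?,?,?)", [
        (1, 0, 0, 1, "Primary Table", "meta"),
        (1, 1, 1, 62, "Unallocated", "unalloc"),
        (1, 2, 63, 32067, "NTFS (0x07)", "alloc"),
        (1, 3, 32130, 32130, "DOS FAT16 (0x06)", "alloc"),
    ])
    # NTFS with 4 KiB clusters; MFT entry 5 is the root directory
    conn.execute("INSERT INTO fs_info VALUES (1, ?, 'NTFS', 4096, ?, 5)",
                 (63 * SECTOR, 32067 * SECTOR // 4096))
    conn.executemany("INSERT INTO fs_files VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?)", [
        (1, 5,     "/",            None, "d", "d", 1, 1, 0,     T, T, T, T),
        (1, 29,    "dir1",         5,    "d", "d", 1, 1, 0,     T, T, T, T),
        (1, 31,    "dir2",         5,    "d", "d", 1, 1, 0,     T, T, T, T),
        (1, 34,    "RECYCLER",     5,    "d", "d", 1, 1, 0,     T, T, T, T),
        (1, 40,    "notes.txt",    29,   "r", "r", 1, 1, 6000,  T, T, T, T),
        (1, 35,    "plan.doc",     29,   "r", "r", 0, 0, 12288, T, T, T, T),  # deleted
        (1, 19920, "$OrphanFiles", 5,    "v", "v", 1, 1, 0,     T, T, T, T),
    ])
    conn.executemany("INSERT INTO fs_blocks VALUES (?,?,?,?,?)", [
        (1, 40, 0, 100, 2),   # notes.txt: clusters 100-101
        (1, 35, 0, 200, 3),   # plan.doc: clusters 200-202, still recorded after deletion
    ])
    conn.commit()
    return conn


def deleted_files(conn: sqlite3.Connection, fs_id: int) -> List[Tuple[int, str]]:
    """Names whose directory entry or metadata structure is unallocated."""
    rows = conn.execute(
        "SELECT file_id, name FROM fs_files WHERE fs_id=? AND (name_alloc=0 OR meta_alloc=0) "
        "ORDER BY file_id", (fs_id,))
    return [(r[0], r[1]) for r in rows]


def full_path(conn: sqlite3.Connection, fs_id: int, file_id: int) -> str:
    """Walk par_file_id up to the root; the database stores names, not paths."""
    parts: List[str] = []
    seen = set()
    while True:
        row = conn.execute("SELECT name, par_file_id FROM fs_files WHERE fs_id=? AND file_id=?",
                           (fs_id, file_id)).fetchone()
        if row is None or file_id in seen:    # dangling parent or loop in corrupted metadata
            raise ValueError(f"broken parent chain at file_id {file_id}")
        seen.add(file_id)
        name, parent = row
        if parent is None:
            return "/" + "/".join(reversed(parts))
        parts.append(name)
        file_id = parent


def image_byte_runs(conn: sqlite3.Connection, fs_id: int, file_id: int) -> List[Tuple[int, int]]:
    """Absolute (offset, length) byte ranges of a file's content inside the image.
    The database holds no content; these are the ranges to seek to in the image file."""
    img_off, bsize = conn.execute("SELECT img_offset, block_size FROM fs_info WHERE fs_id=?",
                                  (fs_id,)).fetchone()
    runs = conn.execute("SELECT blk_start, blk_len FROM fs_blocks WHERE fs_id=? AND file_id=? "
                        "ORDER BY seq", (fs_id, file_id)).fetchall()
    return [(img_off + s * bsize, n * bsize) for s, n in runs]


def owners_of_block(conn: sqlite3.Connection, fs_id: int, block: int) -> List[int]:
    """Reverse lookup: file_ids whose runs cover a block (ties a keyword hit in a block back to a name)."""
    rows = conn.execute("SELECT file_id FROM fs_blocks WHERE fs_id=? AND blk_start<=? "
                        "AND ?<blk_start+blk_len", (fs_id, block, block)).fetchall()
    return [r[0] for r in rows]
```

Because block pointers of a deleted file are kept when the file system still has them, owners_of_block can attribute a hit in a "free" cluster to the deleted name that last owned it; a cluster that is in no run at all is a carving target rather than a database answer.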
New 3.2 Tools
• tsk_recover: extracts files from a disk image and recreates the directory hierarchy in the local file system.
• tsk_comparedir: compares a local directory hierarchy to the disk image. Useful for detecting rootkits and for testing.
• tsk_gettimes: equivalent of 'fls -m' on all file systems in the image.
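An added example (not the tsk_comparedir source) of the comparison the tool performs and why it catches rootkits: the names the image's file system contains, read with TSK independently of the running operating system, are set against what that operating system reports for the same directory tree. An allocated file that TSK sees but the live listing lacks is being hidden from the OS's own file APIs, which is what a rootkit does. Both listings are constructed; the image side is (path, allocated) pairs of the kind a loop over fls output or the fs_files table would yield.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed image-side listing: (path, allocated). Deleted names and entries
# under the virtual $OrphanFiles directory are expected to be absent on the live
# system, so they must not be reported as hidden.
IMAGE_LISTING: List[Tuple[str, bool]] = [
    ("/Windows/System32/drivers/disk.sys", True),
    ("/Windows/System32/drivers/hidden.sys", True),   # allocated but hidden from the OS (constructed)
    ("/Windows/System32/config/SAM", True),
    ("/Users/alice/old.docx", False),                  # deleted name
    ("/$OrphanFiles/OrphanFile-1234", True),
]

# Constructed live-side listing, as produced by walking the mounted volume.
LIVE_LISTING: List[str] = [
    "/Windows/System32/drivers/disk.sys",
    "/Windows/System32/config/SAM",
    "/Users/alice/new.docx",                           # created after the image was taken
]


def normalise(path: str, case_insensitive: bool) -> str:
    """Same separator and root on both sides so equal names compare equal."""
    p = path.replace("\\", "/")
    p = p if p.startswith("/") else "/" + p
    return p.lower() if case_insensitive else p


def compare_listings(image: Iterable[Tuple[str, bool]], live: Iterable[str],
                     case_insensitive: bool = True) -> Dict[str, List[str]]:
    """Cross-view comparison. 'hidden_from_live' is the rootkit signal; 'only_on_live'
    is usually churn since imaging but worth a look. NTFS and FAT names are
    case-insensitive, so case is folded by default; pass False for ext/UFS images."""
    image_alloc: Dict[str, str] = {}
    for path, allocated in image:
        norm = normalise(path, case_insensitive)
        if not allocated or norm.lower().startswith("/$orphanfiles/"):
            continue
        image_alloc[norm] = path
    live_set = {normalise(p, case_insensitive): p for p in live}
    return {
        "hidden_from_live": sorted(image_alloc[p] for p in image_alloc.keys() - live_set.keys()),
        "only_on_live": sorted(live_set[p] for p in live_set.keys() - image_alloc.keys()),
    }


if __name__ == "__main__":
    for kind, paths in compare_listings(IMAGE_LISTING, LIVE_LISTING).items():
        print(kind, paths)
```

The check is only as good as the independence of the two views: the image side must come from TSK reading the raw device or an image, not from the same OS API a rootkit can hook.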
What Has Yet to Be Released
Multi-threaded Support
• Threads allow systems to take advantage of multiple cores at the same time.
• Locks were added to TSK.
• Works on all platforms.
• None of the released tools use multiple threads.
• Code is in the public source code repository and will be included in 3.3.0.
C++ Wrappers
• New C++ classes wrap C functions and structs.
• Same functionality, but more data encapsulation.
• Helps to enforce thread safety.
• Code is in the public source code repository and will be included in 3.3.0.
• Sample programs and documentation exist.
JNI Java Binding
• Allows Java programs to use the TSK C library.
• Can create the SQLite database with metadata.
• Can call library functions to obtain file content (not stored in the database).
• Code will be checked into the public repository.
What is Planned to be Released
What will be finished and released
Application-Level Framework
Application-level Examples
(Diagram of example modules:) File Type ID, Text Extraction (e-mail), Keyword Search, Open ZIP Files, Internet History, Registry Parsers, EXIF Analyzers, Steg Detection, Text Extraction (PDF), Text Extraction (Docs)
Framework Basics
• Pipeline:
  • A series of plug-in modules
  • A file is analyzed by running it through the pipeline
  • Defined with an XML file
• Database:
  • Stores analysis results
  • Can also be used to store file metadata
  • SQLite or a client-server database
Modules
• Dynamic library plug-in modules:
  • Have access to file content and metadata
  • Have access to results from previous modules
  • Can write analysis results to the blackboard
  • API: analyze(File)
• Reporting modules:
  • Run after all of the files have been analyzed
  • Create the output report
  • API: report()
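An added example (not the framework's own code) of the two module kinds and the blackboard described on the last two slides, written in Python to show the control flow. The pipeline is read from an XML fragment whose element and attribute names are an assumption for this example, since the slides do not show the real configuration format. The modules are a file type identifier, a ZIP expander that pushes archive members back through the whole pipeline, a keyword search that only looks at files an earlier module typed as text, and a report module that runs once after every file has been analyzed. The evidence files are constructed in memory.

```python
import io
import xml.etree.ElementTree as ET
import zipfile
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Assumed configuration format for this example; the framework's real XML is not on the slides.
PIPELINE_XML = """\
<PIPELINE>
  <MODULE type="file"   name="FileTypeId"/>
  <MODULE type="file"   name="ZipExpander"/>
  <MODULE type="file"   name="KeywordSearch" args="password,confidential"/>
  <MODULE type="report" name="KeywordReport"/>
</PIPELINE>
"""


@dataclass
class File:
    path: str
    content: bytes


class Blackboard:
    """Shared result store: later modules read what earlier ones posted."""
    def __init__(self) -> None:
        self.artifacts: Dict[str, List[tuple]] = defaultdict(list)

    def post(self, path: str, kind: str, value: str) -> None:
        self.artifacts[path].append((kind, value))

    def get(self, path: str, kind: str) -> List[str]:
        return [v for k, v in self.artifacts.get(path, []) if k == kind]


class FileTypeId:
    def __init__(self, args: List[str]) -> None: pass
    def analyze(self, f: File, bb: Blackboard, pipeline: "Pipeline") -> None:
        if f.content.startswith(b"PK\x03\x04"):
            kind = "application/zip"
        elif f.content.startswith(b"%PDF"):
            kind = "application/pdf"
        else:
            kind = "text/plain"
        bb.post(f.path, "file_type", kind)


class ZipExpander:
    def __init__(self, args: List[str]) -> None: pass
    def analyze(self, f: File, bb: Blackboard, pipeline: "Pipeline") -> None:
        if "application/zip" not in bb.get(f.path, "file_type"):   # result of the previous module
            return
        with zipfile.ZipFile(io.BytesIO(f.content)) as z:
            for name in z.namelist():
                child = File(f"{f.path}/{name}", z.read(name))
                bb.post(f.path, "contains", child.path)
                pipeline.run_file(child)       # derived files get the full pipeline too


class KeywordSearch:
    def __init__(self, args: List[str]) -> None:
        self.keywords = [a.lower() for a in args]
    def analyze(self, f: File, bb: Blackboard, pipeline: "Pipeline") -> None:
        if "text/plain" not in bb.get(f.path, "file_type"):
            return
        text = f.content.decode("utf-8", "replace").lower()
        for kw in self.keywords:
            if kw in text:
                bb.post(f.path, "keyword_hit", kw)


class KeywordReport:
    def __init__(self, args: List[str]) -> None: pass
    def report(self, bb: Blackboard) -> Dict[str, List[str]]:
        hits = {p: bb.get(p, "keyword_hit") for p in bb.artifacts}
        return {p: h for p, h in hits.items() if h}


MODULES = {"FileTypeId": FileTypeId, "ZipExpander": ZipExpander,
           "KeywordSearch": KeywordSearch, "KeywordReport": KeywordReport}


class Pipeline:
    def __init__(self, xml_text: str) -> None:
        self.file_modules, self.report_modules = [], []
        for m in ET.fromstring(xml_text.strip()).findall("MODULE"):
            args = [a for a in m.get("args", "").split(",") if a]
            mod = MODULES[m.get("name")](args)
            (self.file_modules if m.get("type") == "file" else self.report_modules).append(mod)
        self.bb = Blackboard()

    def run_file(self, f: File) -> None:
        for m in self.file_modules:            # analyze(File) on each module, in XML order
            m.analyze(f, self.bb, self)

    def run(self, files: List[File]) -> Dict[str, Dict[str, List[str]]]:
        for f in files:
            self.run_file(f)
        return {type(r).__name__: r.report(self.bb) for r in self.report_modules}


def sample_files() -> List[File]:
    """Constructed evidence: a memo and a ZIP holding a text file and a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("secret.txt", b"the password is hunter2")
        z.writestr("cover.pdf", b"%PDF-1.4 ...")
    return [File("/evidence/memo.txt", b"CONFIDENTIAL memo"),
            File("/evidence/archive.zip", buf.getvalue())]


def run_sample() -> Dict[str, List[str]]:
    return Pipeline(PIPELINE_XML).run(sample_files())["KeywordReport"]
```

Module order in the XML matters: the keyword module depends on a file_type artifact, so the type identifier has to run before it, and the ZIP expander has to run before keyword search if members are to be searched as they are discovered.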
Framework (diagram)
Framework pipeline modules: File Type ID Module, Text Extraction Modules, ZIP File Module, Browser Artifact Modules, ...
Framework services: Database, Logging, Sleuth Kit Files
Help Will be Needed
• If you build it, they will come.
• We can't create all needed modules.
• Ask other tools to write TSK modules:
  • Internet artifacts
  • Registry
  • …
• We'll provide docs for doing this.
Autopsy Version 3
Autopsy 3.0 Basics
• Java GUI will run on multiple platforms.
  • Currently, only Windows
• Based on the NetBeans Rich Client Platform.
  • Allows for easy module integration
• Will allow us to leverage Lucene and other Java open source software.
• Uses the SQLite database and JNI bindings.
Autopsy 3 Screen Shot
Modular Design (diagram)
Current Features
• Left side: directory tree; file search (by name, times, size)
• Upper right: table listing; thumbnails
• Lower right: image viewer; strings view; hex dump
Plug-in Analysis Module 101
• Left side can be used for the interface.
• Access disk image and file data using internal Autopsy services.
• Save results as "NetBeans Nodes".
• Push nodes to the upper right area.
Planned Features
• Keyword search
• Timeline analysis (log2timeline)
• Hash database integration
• Bookmarks
• …
• First beta release will be in July.
Hadoop
Basics of Hadoop
• Open source Apache project for distributed computing.
• Based on papers that Google has published.
• Provides (among other things):
  • Scheduling among thousands of nodes
  • Distributed and localized storage
  • Resilience if nodes fail
  • …
• To get these features, you must formulate your work as a series of "MapReduce" tasks.
Prototype Framework Project
• Joint project with:
  • 42Six Solutions
  • Lightbox Technologies
• Funded by the US Army Intelligence Center of Excellence (USAICoE)
Sleuth Kit Framework (Hadoop prototype diagram)
Outside cloud ingest: Sleuth Kit. Inside cloud ingest: Text Extraction (Apache Tika), Keyword Search (Java Regexp), Document Clustering (Apache Mahout), Drive Similarity, Known Hash Lookup, Report Generation.
Next Steps
• Still working on the prototype.
• Still collecting numbers on performance.
• Will be released as open source later this summer.
For more information: visit www.basistech.com, write to [email protected], or call 617-386-2090 or 800-697-2062.
Thank You!