Autopsy 3: The Limitations

11 Posts
7 Users
0 Likes
5,924 Views
(@twebster01)
Posts: 3
New Member
Topic starter
 

Hi there,

I'm currently doing some research into the limitations of open source and proprietary computer forensic tools and was advised to ask the forensic focus community for some of their experiences with Autopsy 3 and any limitations that have been found with it.

I'm currently in the process of stress testing Autopsy so any information I find, I will happily post here. So far I've looked at file size limitations (a 750GB compressed image) which was fine, noticed that Autopsy does not show images that are in Microsoft Office documents - but still trying to find a way around that.

So any help would be greatly appreciated. Thanks

 
Posted : 21/07/2014 5:15 pm
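The observation above (images embedded in Office documents not being shown) can be checked independently of any forensic suite, because Office Open XML files (.docx/.xlsx/.pptx) are ZIP containers and embedded pictures sit under a `media/` folder of the main part. The script below is an added example, not code from the thread or from the Autopsy project: it builds a constructed stand-in for a .docx in memory (assumption: one PNG under `word/media/`) and lists every embedded media member with its size and SHA-256, so a tester can confirm the pictures really are inside the document before recording a tool limitation, and can match the hashes against anything the tool does carve.

```python
import hashlib
import io
import zipfile

# Office Open XML packages are ZIP files; embedded pictures live under the
# "media/" folder of the main part for each document type.
MEDIA_PREFIXES = ("word/media/", "xl/media/", "ppt/media/")

# Constructed sample payload: the 8-byte PNG signature plus an arbitrary tail.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32


def build_sample_docx() -> bytes:
    """Constructed minimal .docx-like container with one embedded picture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.png", SAMPLE_PNG)
    return buf.getvalue()


def list_embedded_media(container: bytes):
    """Return (member name, size, sha256) for every embedded media file.

    Works on any OOXML package bytes; the hash lets the finding be compared
    with whatever a carving or viewing tool reports for the same document.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        for info in zf.infolist():
            if info.filename.startswith(MEDIA_PREFIXES) and not info.is_dir():
                data = zf.read(info)
                found.append((info.filename, len(data),
                              hashlib.sha256(data).hexdigest()))
    return found


if __name__ == "__main__":
    for name, size, digest in list_embedded_media(build_sample_docx()):
        print(f"{name}  {size} bytes  sha256={digest}")
```

To test a real document, read its bytes from disk and pass them to `list_embedded_media`; the prefix tuple covers Word, Excel and PowerPoint packages.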
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I'm currently doing some research into the limitations of open source and propitiatory computer forensic tools and was advised to ask the forensic focus community for some of their experiences with Autopsy 3 and any limitations that have been found with it.

Propitiatory? 😯
http://www.merriam-webster.com/dictionary/propitiatory

May I ask what is the scope of the research?

Is it a comparison review of some kind?

And if yes which tools are you going to analyze?

I mean, these three sentences may all be fine

  1. Autopsy cannot plurdle gabbleblotchits
  2. Autopsy cannot plurdle gabbleblotchits but Commercial tool xy can
  3. Autopsy cannot plurdle gabbleblotchits and as well NO Commercial tool can

but they do carry with them some slightly different meaning. wink

jaclaz

 
Posted : 21/07/2014 5:29 pm
(@twebster01)
Posts: 3
New Member
Topic starter
 

The scope is to determine the reason commercial tools are used over open source tools such as Autopsy. The tools that I'm reviewing are AccessData FTK, Encase, Autopsy. In a nutshell, I'm comparing open source and commercial tools and why commercial tools are used

 
Posted : 21/07/2014 6:10 pm
(@joachimm)
Posts: 181
Estimable Member
 

The scope is to determine the reason commercial tools are used over open source tools such as Autopsy.

If you are after determining the *reason* do you think comparing tools yourself will provide you with this answer? My guess the *reason* will differ per organisation why they prefer one or the other.

A couple of my *reasons* to use Open Source

https://digital-forensics.sans.org/summit-archives/Prague_Summit/Your_Workflow_is_NOT_my_workflow_Joachim_Metz.pdf

 
Posted : 22/07/2014 10:03 am
(@twjolson)
Posts: 417
Honorable Member
 

The scope is to determine the reason commercial tools are used over open source tools such as Autopsy. The tools that I'm reviewing are AccessData FTK, Encase, Autopsy. In a nutshell, I'm comparing open source and commercial tools and why commercial tools are used

And what if the 'limitations' have nothing to do with it? You'll find limitations, no doubt. Every tool has them. However, that may have nothing to do with why people use commercial solutions instead. For instance, what about marketing? How much does Guidance or AccessData spend on advertising? How much does Autopsy?

If you limit yourself strictly to how the program performs, you will never get the whole answer.

 
Posted : 22/07/2014 6:25 pm
(@athulin)
Posts: 1156
Noble Member
 

… their experiences with Autopsy 3 and any limitations that have been found with it.

Doesn't seem to handle large ISO-9660 images well. However, I used a synthetic image, so it might be argued that it is not a 'real-life' situation. (Not reported as a bug yet.)

There's also (issue #164 in the Autopsy issue tracker at https://github.com/sleuthkit/autopsy/issues?page=1&state=open) some problems with NTFS time stamp interpretation.

However … any closed-source products should be checked for similar issues. See http://articles.forensicfocus.com/2013/04/06/interpretation-of-ntfs-timestamps/ for some details. It may give you ideas for additional tests.

 
Posted : 22/07/2014 7:45 pm
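One concrete kind of timestamp test that the post above points towards: decode a raw NTFS timestamp yourself and compare it with what each tool displays. NTFS stores times as a 64-bit count of 100-nanosecond ticks since 1601-01-01 00:00:00 UTC, so a tool can differ from the reference by truncating or rounding the fractional second, by dropping the last 100ns digit, or by showing local time without saying so. The script below is an added example (not from the thread, the linked article, or any of the tools named) that renders the same raw value under those display choices; the sample tick value and the UTC-5 offset are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# NTFS timestamps: 64-bit count of 100ns ticks since the FILETIME epoch.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# 1970-01-01T00:00:00Z expressed in FILETIME ticks (11644473600 s * 10^7).
UNIX_EPOCH_TICKS = 116_444_736_000_000_000


def filetime_to_datetime(ticks: int) -> datetime:
    """Decode a FILETIME to a UTC datetime, keeping microsecond precision."""
    if not 0 <= ticks < 2**63:
        raise ValueError("FILETIME must be a non-negative 63-bit value")
    seconds, rem = divmod(ticks, TICKS_PER_SECOND)
    # datetime holds microseconds only; the final 100ns digit is dropped here
    # and reported separately by filetime_sub_100ns().
    return FILETIME_EPOCH + timedelta(seconds=seconds, microseconds=rem // 10)


def filetime_sub_100ns(ticks: int) -> int:
    """The single 100ns digit (0-9) that a microsecond display cannot show."""
    return ticks % 10


def filetime_to_unix(ticks: int) -> float:
    """Same instant as Unix seconds (fractional), for cross-tool comparison."""
    return (ticks - UNIX_EPOCH_TICKS) / TICKS_PER_SECOND


def render_variants(ticks: int) -> dict:
    """Show how one raw value reads under common tool display choices."""
    full = filetime_to_datetime(ticks)
    truncated = full.replace(microsecond=0)
    rounded = truncated + timedelta(seconds=1) if full.microsecond >= 500_000 else truncated
    # Constructed UTC-5 offset: a tool that silently localises shows this.
    local = truncated.astimezone(timezone(timedelta(hours=-5)))
    return {
        "raw_ticks": ticks,
        "utc_full": full.isoformat(),
        "utc_truncated": truncated.isoformat(),
        "utc_rounded": rounded.isoformat(),
        "residual_100ns": filetime_sub_100ns(ticks),
        "local_minus5_truncated": local.isoformat(),
    }


if __name__ == "__main__":
    # Constructed sample: 1400000000 Unix seconds plus 0.7654321 s.
    sample = UNIX_EPOCH_TICKS + 1_400_000_000 * TICKS_PER_SECOND + 7_654_321
    for key, value in render_variants(sample).items():
        print(f"{key:24} {value}")
```

Feed it the raw $STANDARD_INFORMATION or $FILE_NAME values read from the MFT record under test and note which of the rendered variants each tool matches; a tool whose output matches "utc_rounded" or the localised line is interpreting the value, not misreading it, which is exactly the distinction worth recording in a comparison.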
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Allow me to add a couple of considerations.

#1. Implied differences
Encase or FTK are more or less what could be called forensic "suites", most of the work the good guys making these products do is about integrating features into the "suite" and make these features "compatible", "user friendly" and "integrated" in a given work flow.
Autopsy aims more or less to do the same, but it should be clear that an Open Source project will have less resources to dedicate to the project and it is more about "core" features. On the other hand there are available a zillion other Open Source (or however free/freely available) smaller/simpler programs that (in the hands of an expert digital forensicator) can often (if not always) replicate the features that either Encase or FTK offer and that Autopsy may miss.
I.e. IMHO "FTK vs. Autopsy" or "Encase vs. Autopsy" are "unfair" comparisons, whilst "FTK vs. Autopsy+ALL the other Open Source or free software available" or "Encase vs. Autopsy+ALL the other Open Source or free software available" would be much more fair (though extremely difficult to actually be carried on).

#2. Responsibility (or faster procedures in Court)
Encase or FTK are long time known Commercial tools, already used in Courts all over the world and "accepted" (either explicitly or implicitly) by most Courts.
This *somehow* helps in the acceptance of the results coming from an investigation carried with the one or the other tool, making it easier for the digital investigator to have his/her "expert witness" status be not challenged and also *somehow* taking part of the responsibility off his/her shoulders.
This could be a good reason (independent from the actual "quality" or completeness of the tool) to make someone choose one of these Commercial suites over Open Source solutions.

A good example of a case where in practice something is preferred, in this case why a disk is wiped before being used as a target for a forensic image has been given by jhup, here
http://www.forensicfocus.com/Forums/viewtopic/p=6559991/#6559991
and following
http://www.forensicfocus.com/Forums/viewtopic/t=6613/postdays=0/postorder=asc/start=14/
and it is a sound, logical reason, which has nothing to do with the "purely technical" part.

So, as twjolson just highlighted, the reason why *something* is preferred over *something else* may not necessarily be connected to how good technically the *something* or the *something else* are.

Think about VHS vs. BetaMax wink

jaclaz

 
Posted : 22/07/2014 10:45 pm
jhup
(@jhup)
Posts: 1442
Noble Member
 

twebster01, what was the original question of your paper/essay/thesis/dissertation?

So far what your 'stress test' found are not necessarily limitations, but scope difference as jaclaz described it.

You are comparing tractors to buses.

 
Posted : 23/07/2014 12:02 am
(@twebster01)
Posts: 3
New Member
Topic starter
 

No the scope of my project is a lot bigger - just wanted to see what the forensic community thought of Autopsy 3 and any problems they had come across

Thanks guys you've been a great help

 
Posted : 31/07/2014 11:31 pm
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
 

This *somehow* helps in the acceptance of the results coming from an investigation carried with the one or the other tool, making it easier for the digital investigator to have his/her "expert witness" status be not challenged and also *somehow* taking part of the responsibility off his/her shoulders.

If I remember correctly, Guidance used to say that if the validity of EnCase as a tool is questioned, they will come to court and defend it. Not sure if it's still the case though.

 
Posted : 01/08/2014 1:14 pm
Page 1 / 2