I am trying to learn Helix. I have created a dd image using Adepto and an image in EnCase format using FTK Imager (I tried making an image using sgzip, but, maybe fortunately, was not successful yet). My input was my current hard drive and my output was to an external 300G HD.
Using pyFlag I load my mount point and get Browse Filesystem; I then click on the inode and have the ability to see a hex dump or the text. When I go to Keyword Indexing my choices are Keyword Index Results, Build Dictionary or Search Indexed Keyword, but how do I create the index? When I try to run Keyword Index Results it asks me, did I run the index scanner? Is that the same as what’s under Load Data “Scan Filesystem”? When I do Scan Filesystem it asks me “Scan under directory”, huh? So I put in the mount point where my image file is. But I get a list of inodes and options to select and I don’t get to view anything.
In Autopsy I get it into the evidence locker, but the File Analysis, File Type, and Meta Data tabs are not highlighted and cannot be used. I can only use Keyword Search and Data Unit. I get to do ASCII and Unicode word searches and what comes up is somewhat indecipherable. I can read some of the text but it is out of context and I am not sure how to understand it.
My Goal
I am not looking to do incident response or intrusion investigation (at least not yet). What I am looking to do is to be able to copy an entire hard disk (my own for now, for learning purposes) to an external drive and to search for certain files, documents, emails, Internet URLs, whatever, depending on the case.
Questions:
1) Are the autopsy and pyFlag programs the ones to use for what I am looking to do?
2) If yes is there any detailed documentation that can help a beginner?
3) Any ideas and tips on how to get this software working to do what I need?
4) What about other low-cost software that appears easier to use? I am looking at some of Paraben’s software and Farmer's Boot CD; both seem appealing, any thoughts about these?
Thanks in advance
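The poster's goal (image a disk to an external drive, then search the image for keywords such as e-mail headers or URLs) can be done with core utilities before reaching for pyFlag's keyword index. The script below is an added example, not code from the thread or from any of the tools named in it: it builds a small constructed "disk image" with a few text fragments placed at known offsets (standing in for a real dd image), records a SHA-256 hash of the image so later work can be shown to have run on an unchanged copy, and reports case-insensitive keyword hits with their byte offsets. The image path `/tmp/sample.dd` and the sample fragments are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread): keyword search over a raw (dd) image
# using only grep, dd and a hash tool. Offsets come from grep's -b option.

set -eu

# Assumed location for the constructed sample image; a real case would point at the dd file.
IMG="${IMG:-/tmp/sample.dd}"

make_sample_image() {
    # Constructed sample: 64 KiB of zeros with text fragments written at fixed offsets,
    # mimicking unallocated space that still holds an e-mail header and a URL.
    dd if=/dev/zero of="$IMG" bs=1024 count=64 2>/dev/null
    printf 'From: alice@example.test\nSubject: quarterly report\n' \
        | dd of="$IMG" bs=1 seek=4096 conv=notrunc 2>/dev/null
    printf 'http://intranet.example.test/docs/budget.xls' \
        | dd of="$IMG" bs=1 seek=20480 conv=notrunc 2>/dev/null
}

hash_image() {
    # Hash the image before searching; re-hashing afterwards proves the copy was not altered.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$IMG"
    else
        shasum -a 256 "$IMG"
    fi | cut -d' ' -f1
}

keyword_hits() {
    # One line per match: "<byte offset>:<matched text>".
    # -a treats the binary image as text, -b prints the byte offset, -o prints only the match,
    # -i ignores case, -F takes the keyword literally (no regex surprises from '.' or '/').
    grep -a -b -o -i -F -- "$1" "$IMG" || true
}

count_hits() {
    # Number of matches for a keyword, as a plain integer.
    keyword_hits "$1" | wc -l | tr -d ' '
}

# Stand-alone run: build the sample, hash it, and search for two keywords.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    make_sample_image
    echo "sha256: $(hash_image)"
    echo "hits for 'example.test':"
    keyword_hits 'example.test'
    echo "hits for 'budget':"
    keyword_hits 'budget'
fi
```

The offsets reported by `grep -b` are what Autopsy's Data Unit view expects when you want to see the surrounding context: divide the byte offset by the image's block size to get the block (data unit) number, then view that unit to read the text in context rather than as an isolated string.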
I am not sure if these will help you, but…
The best info on autopsy I have found has actually been reading "The Sleuth Kit Informer"
http//
Here is a presentation that goes into the very basics of Autopsy (among many other things) that might help unlock the File Analysis, File Type, and Meta Data tabs:
http//
pyFlag
http//
http//
Disk forensics using pyFlag
http//
Also if you want a good intro into digital forensics using Linux you might check out the guide on http//
Hope this helps!
If you figure out your issue you should write a tutorial :)
~Joshua
Well, I think FBCD is absolutely fantastic, of course 😉
The one thing I strive to do with my CD is make it so that it is easy to use and navigate. And I provide a single GUI for safely accessing data. Those new to Linux appreciate this, because it takes out all of the commands and flags to pass.
Look into Linux forensics training. Read about the Linux kernel, file systems, and other non-forensic oriented books. I've found that most forensic-oriented books are very narrow in focus and scope, because of the topic. Many non-forensic books contain more information, including that odd ball piece that the examiner missed, because it's not such a narrow focus. Often we don't know what we want until we see it.
regards,
farmerdude