Autopsy Forensic Browser - PowerPoint PPT Presentation

1
Autopsy Forensic Browser
  • Beth E. Binde
  • Office of Information Technology
  • Enterprise Systems and Services
  • Information Protection and Security
  • October 5, 2005

2
Agenda
  • Autopsy
  • What it is
  • What it can do
  • When to use it
  • Where to get it

3
What is Autopsy?
  • Graphical interface to digital forensic analysis
    tools
  • Open source
  • Runs on *nix platforms
  • Written in Perl

4
What it can do
  • Analysis modes
  • Evidence search
  • Case management

5
Analysis Modes
  • Dead
  • Live

6
Evidence Search
  • File listing
  • File content
  • Hash databases (NIST)
  • File Type Sorting
  • Timeline of file activity
  • Keyword search

7
Case Management
  • Event Sequencer
  • Notes
  • Image Integrity
  • Reports
  • Logging

8
When to use it
  • To verify an incident
  • To identify specific malware
  • As part of your departmental incident response
    program

9
Regulatory Compliance
  • Every financial institution should develop and
    implement a response program designed to address
    incidents of unauthorized access to customer
    information maintained by the institution

10
Response Program Elements
  • Assess the nature and scope of an incident
  • Identify what customer information has been
    accessed or misused
  • Notify the primary Federal regulator as soon as
    possible

11
Response Program Elements (2)
  • Notify appropriate law enforcement authorities
  • Contain and control the incident to prevent
    further unauthorized access
  • Preserve records and other evidence
  • Notify customers when warranted

12
Where to get it
  • Sleuth Kit Autopsy http://www.sleuthkit.org/index.php
  • Free download

13
For further information
  • Read Sleuth Kit Informer
  • Access reference links
  • Request additional training

14
Contact Information
  • Office of Information Technology
  • Enterprise Systems and Services
  • Information Protection and Security
  • rusecure_at_rci.rutgers.edu
  • 732/445-8011
  • http://rusecure.rutgers.edu