Netmon forensic tools and tips
Allin1 for sleuthkit
New in 0.4:
What is it?
This tool should help you to perform several time-consuming tasks in Sleuthkit/Autopsy in one go:
- Extract unallocated space
- Extract strings (ASCII and Unicode) from allocated and unallocated space
- Sort by file types
- Sort by images and create thumbnails
- Run foremost on the images
All these steps are also saved in the host.aut file, so Autopsy will know what happened.
This is in beta phase, so it would be nice if you test it on test cases and send me feedback on how it did or did not work.
Run sh install.sh. It will copy:
allin1.py to /usr/bin (the GUI frontend)
That's it. Very primitive install script so far, sorry.
What you need
- Python 2.3
- wxPython 2.3
- at (for scheduling)
Known limitations
- These steps are not yet stored in logs/investigator.exec.log!
- ONLY perform these steps on a host where you have not already done any of them! It is meant for freshly created hosts!
- The tool does not yet check whether the path to the Sleuthkit binaries is correct!
- Scheduled tasks do not create a log file
- Performing searches
How to use
Choose your sleuthkit/bin directory (like /home/user/sleuthkit/bin/).
Choose the host.aut in the host directory of your case.
Mark which steps you want to perform.
Optionally set options for foremost.
Push the Ok button and get some sleep.
You can also schedule the process: activate "Schedule task" and enter a time when it should run. It uses POSIX.2 dates, as understood by at. Examples:
10:15 - runs at 10:15 the same day
15:20 Sep 18 - runs on September 18 at 15:20
1am tomorrow - runs at 1am tomorrow ;)
You can check your at queue with atq.
Allin1 V0.4 - Download
Allin1 V0.3 - Download
Allin1 V0.2 - Download
The foremost options
The MagicRescue options
From 0.3 to 0.4:
Added MagicRescue support
From 0.2 to 0.3:
No more bash scripts, pure python
Fixed bug that ignored raw disks without partitions
Added foremost support
Some minor bugfixes
From 0.1 to 0.2:
Added support for partitions (only raw images in 0.1)
The author takes no responsibility for any damage, data loss or anything else.
Feel free to do whatever you want with the script, but please let the author know.
If you tested it on another platform/distribution, please let the author know.
Any questions, suggestions, bug reports: you guessed it, please let the author know.
This app was tested on:
Debian Stable (Sarge) x86
berger at netmon.ch
I'm working at NetMon, a small Swiss-based company.
We are active in the area of computer forensics, research and due diligence.
Last update: June 7 2006