Gathering images

On the the destination computer, start:
nc -l -p 9000 | dd of=/home/user/filename

On the source computer, issue:
dd if=/dev/hda | nc 192.168.1.10 9000
Where /dev/hda is your source disk or partition (e.h. /dev/hda1) and 192.168.1.10 the ip of the computer where you issued the nc | dd of= command.

Time example: 7,9GB Image, 100MBit, Image copy: 40 minutes

Of course, also sdd or other dd-variants such as sdd, which is faster, can be used.

Good stuff

losetup
DD-Images can be mounted as loopback. For this, you have to know the starting sector when using a full disk image, partition images can be mounted w/o additional sector:
losetup /dev/loop0 myimagefile.img
mount /dev/loop0 /mnt/loop
When using a full image, you need the starting sector, mulitplied by 512. Normally in Fat the sector is 63, so the starting sector offset will be 32256:
losetup -o 32256 /dev/loop0 myimagefile.img
mount /dev/loop0 /mnt/loop
You can check the starting sector i.e. with disktype:
disktype myimage.img
In the disktype output: Partition 1: blibli GiB (xyz bytes. xyz sectors from 63, bootable)
So in this example starting from 63, 63*512=32256.

To set the loop device back in empty state, issue:
losetup -d /dev/loop0

Undeletion - Foremost
The above example of undelete only cares about files with the correct extension. More succes gives foremost (also some false positives).

Time example: 7,9GB Image, over SMB-Share, 100MBit, ole: 3:48h, 1990 files found (66 MB) 7,9GB Image, on local fs, ole: 3:48h, 1990 files found (66MB)

foremost.sourceforge.net

Undeletion - Magic Rescue
Like formeost does undeletion of files no matter on what file system they are. Not heavily tested yet by me.

Time example: 7,9GB Image, over SMB-Share, 100MBit, msoffice: 4:54h, 2003 files found (77MB) 7,9GB Image, on local fs, msoffice: 4h, 2003 files found (77MB)

http://jbj.rapanden.dk/magicrescue/

Tools to investigate Windows Boxes

INFO2 in Recycle
The INFO2-File in Recycle sometimes has additional informations on which files where deleted. Use Rifiuti for this.

Among others, both tools are available at odessa.sourceforge.net. You'll find there also a tool to get information from IE-Cookies.

Windows NT/2K/XP Registry
Allows to mount Windows registry files read-only. It's a module.
http://www.bindview.com/Services/RAZOR/Utilities/Unix_Linux/ntreg_readme.cfm

For registries of NT/2k/XP, kregedit is also a possibility: http://jelmer.vernstok.nl/samba/kregedit/. No further development is done on this and it fails to compile on most Debian Linux.

Win95 registry
Using regutils, Win95 registries can be extracted. Available at http://www.cs.mun.ca/~michael/regutils/.

The registry is stored in the files "system.dat" and "user.dat" which is found in "c:\windows\system". (Win95, Win98)
Windows ME also has a classes.dat.

Interesting key in system.dat:

• "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"-Section - like "Version" (Exact Windows Version), "RegisteredOrganization", "Registered Owner"

• Everything with "recent" ingeneral i.e. "Recent File list" of applications, show recent opened documents.

Other tools, does not work but looks nice (Developer thinks it only reads NT-style registries!):
http://sourceforge.net/projects/regviewer/

Installation time
Always a good starting point is to know when a system was set up.
Windows NT/2k(?)/XP:
Check out http://www.windowsitpro.com/Article/ArticleID/14962/14962.html. It's the key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate", counted in seconds from January 1 1970 on.

Windows 9x/ME:
Check out at forensicexams.org. It's the registry key found in system.dat "HKLM\Software\Microsoft\Windows\CurrentVersion/FirstInstallDateTime".
Example:
Example value is A1 7D 9A 21
The first pair is Time, second pair is Date
The date:
Invert the pair:
21 9A
Convert to binary:
0010 0001 1001 1010
The first 7 digits are the year from 1980 on:
0010 0001 1001 1010 = 0010000 = 16 = 1996
The next 4 digits are the month:
0010 0001 1001 1010 = 1100 = 12
The last 5 digits are the day:
0010 0001 1001 1010 = 11010 = 26
So the date is Dec 26 1996!

The time:
Invert the pair:
7D A1
Convert to binary:
0111 1101 1010 0001
The first 5 digits are the hours:
0111 1101 1010 0001 = 01111 = 15
The next 6 digits are the minutes:
0111 1101 1010 0001 = 101101 = 45
The last 5 digits are the seconds in two seconds intervall:
0111 1101 1010 0001 = 00001 = 1 = 1*2 = 1 sec
So the time is 15:45:02!
Note: this is the intial installation time and should not be the reinstall time!

You also can look at write date of the following file and directories:

• [c:\windows\]setver.exe -> Sometimes older as win-dir and label??
• [c:\]windows, [c:\]win95/98/me
• [c:\windows\]oldestdirectoris (sort by write date and look at the oldest dirctories in the windows directory)
• [xyz](Volume Label Entry) -> xyz is the name of the volume -> Please confirm this!

Outlook
Always interesting are the mails. Outlook Express from Version 5 on use the Extension *.dbx. Under Windows you can use the small tool dbxconv to convert DBX to Unix mbox files. (http://people.freenet.de/ukrebs/dbxconv.html)
Older Outlook Express files have the extension *.mbx. You can convert them to Unix mbox with mbx2mbox (http://mbx2mbox.sourceforge.net, nees Date::Manip http://search.cpan.org/~sbeck/DateManip-5.44/Manip.pod). Evolution is also able to import mbx-files but have sometimes bad results.
More difficult are the pst-files from the "full version" of Outlook. There is libpst which is able to convert pst-files into the Unix mbox-format. Unfortunately, it lacks in extracting attachements and also some mails are wrecked or even missing. Still the best way in my opinion is to open it with - Outlook! If available... but anyway, check libpst. Please note: the sourceforge page of libpst is outdated!

DD on Windows
To mount dd-images under windows, use FileDisk.

General Links

Sleuthkit Commands, Forensics

I wrote this for myself to remind me of the most important commands. I focus on doing time-consuming tasks in one turn in a script without the Autopsy-GUI. With doing this tings in one turn, I can start rigth away the next day. I hope I can provide a full script or gui later. Maybe it also will be helpfull for others.
Contact me under fuerst at gmx.li for tips, questions, remarks.
Time examples are from a machine with an AMD XP 2000+ with 1 Gig RAM, IDE Harddisk. More example are welcome.

The examples below are with raw disk images and not with partition images!

All binaries are from sleuthkit! You need your sleuthkit-x.xx/bin in your PATH.

Extract unallocated

Example:
dls -f ntfs -o 63 -i raw '/path/to/my/image.img' > '/home/myuser/morgue/case/host/output/image.img-63-39070079-ntfs.unalloc'

Explanation of flags which have to be changed:
-f ntfs: The filesystem of the partition
-o 63: Starting offset (get it from the file host.aut of your host directory)
image.img-63-39070079-ntfs.unalloc: the output file consists of your image name, starting offset and end offset of the partition (plus fs and .unalloc)

The file also has to be stored in the file host.aut. Example:
dls vol2 vol1 output/image.img-63-39070079-ntfs.unalloc
vol2 ist the first free volume, vol1 shows from which volume the unallocated space is.

Time examples: 7,9GB Image, over SMB-Share, 100MBit: 6:33 h, 5,4 GB output 7,9GB Image, on local fs: 53min, 5,4 GB output

Get the strings

Change the same stuff as in gathering the unallocated (Offset, Filesystem, Filenames)

Example for ASCII strings:
dls -e -f ntfs -o 63 -i raw '/path/to/my/image.img' | srch_strings -a -t d > '/home/myuser/morgue/case/host/output/image.img-63-39070079-ntfs.asc'

Example for unicode strings (This time from the second partition):
dls -e -f ntfs -o 39070143 -i raw '/path/to/my/image.img' | srch_strings' -a -t d -e l > '/home/myuser/morgue/case/host/output/image.img-39070143-78124094-ntfs.uni

Time examples: 7,9GB Image, over SMB-Share, ASCII, 100MBit: 8 h, 1,7GB output 7,9GB Image, onlocal fs: 54min, 1,7GB output 7,9GB Image, over SMB-Share, UNICODE, 100MBit: 6:21 h, 86MB 7,9GB Image, on local fs: 45min, 86MB output

The string output also have to be stored in the file host.aut. Example:
strings vol3 vol1 output/image.img-63-39070079-ntfs.asc
unicode vol4 vol1 output/image.img-63-39070079-ntfs.uni
vol3 and vol4 are the first free volumes, vol1 shows from which volumes the string/unicode-files were made.

Example for ASCII strings from unallocated:
srch_strings -a -t d '/home/myuser/morgue/host/case/output/image.img-39070143-78124094-ntfs.unalloc' > /home/myuser/morgue/case/host/output/image.img-39070143-78124094-ntfs.unalloc-dls.asc

Example for unicode strings from unallocated:
srch_strings' -a -t d -e l '/home/myuser/morgue/host/case/output/image.img-39070143-78124094-ntfs.unalloc' > '/home/myuser/morgue/case/host/output/image.img-39070143-78124094-ntfs.unalloc-dls.uni'

Time examples: 7,9GB Image, local, ASCII, 100MBit: 44 min, 1,1 GB 7,9GB Image, local, UNICODE, 100MBit: 37 min, 63 MB

The string output also have to be stored in the file host.aut. Example:
strings vol5 vol2 output/image.img-63-39070079-ntfs.unalloc-dls.asc
unicode vol6 vol2 output/image.img-63-39070079-ntfs.unalloc-dls.uni
vol5 and vol6 are the first free volumes, vol2 shows from which volumes the string/unicode-files were made (the unallocated space in this case).

Creating MD5

Example with the ASCII-Strings:
md5 /path/to/my/image.img

Generated MD5sums have to be added to the file md5.txt in the case directory. In the first column is the md5-value, in the second the name of the volume (like "vol1").

List all deleted files

My costumers always want a list off all deleted files. Here we go with an example:
fls -f ntfs -ldr -z ''CET'' -s '0' -o 63 -i raw '/path/to/my/image.img' >> output.txt
Again change the offset and put in the right time zone. The list will sent to output.txt.

Time example: 7,9GB Image, over SMB-Share, 100MBit: 9 sec, 597 undeleted files 7,9GB Image, on local fs: 7 sec, 597 undeleted files

Undelete the files

We take here the output.txt generated above and restore all pdf-files:
for i in `cat output.txt | grep -i "\.pdf" `; do icat -f ntfs -r -o 63 -i raw '/path/to/my/image.img' `echo $i | cut -f 1 | cut -d " " -f 3 | cut -d \( -f 1` > /path/to/my/output-files-directory/`echo $i | cut -f 2 | sed -e s/\ //g | sed -e "s/\///g"`; done
Please note: this is definitely not a good solution yet, better use foremost. Using the sorter output would also a better approach because it does not look at the file suffix. The "Pro" argument here that is stores the stuff with the real filename unlike foremost.

Sort File Types

This will create sorted list of files on a FAT32 Partition (add corresponding offset at -o flag). It checks the file header, but does not copy any file from the partition! Furthermore it also stores information about unknown file types.
sorter -h -m 'C:/' -d /home/myuser/morgue/case/host/output/sorter-vol1/' -o 0 -i raw -f fat32 '/path/to/my/image.img'

Additional parameters:
-U - does not stored information about files with unknown file types
-s - save copy of files in category directories
To only save copies of image files into category order add: (binary is not in the sleuthkit binary, path below relative to sleuthkit-bin-directory):
-C '../share/sorter/images.sort' -s -U 'path/to/my/image.img'

Time example: 7,9GB Image, over SMB-Share, 100MBit: 6:13 h 7,9GB Image, on local fs: 1h

Creating timeline

Because this needs some interaction, no commands are provided here yet.

Example host.aut

# Autopsy host config file
# Case: Example Host: Fat32
# Created: Wed Jun 8 11:44:05 2005
timezone CET
timeskew 0
image img1 raw images/fat32.img
part vol1 img1 0 0 fat32 C:
dls vol2 vol1 output/fat32.img-0-0-fat32.unalloc
strings vol3 vol1 output/fat32.img-0-0-fat32.asc
unistrings vol4 vol1 output/fat32.img-0-0-fat32.uni
strings vol5 vol2 output/fat32.img-0-0-fat32.unalloc-dls.asc
unistrings vol6 vol2 output/fat32.img-0-0-fat32.unalloc-dls.uni