TCTUTILs & Autopsy Release

From: Brian Carrier (carrierat_private)
Date: Tue May 29 2001 - 14:12:48 PDT


    The latest version (1.01) of my forensic tools, TCTUTILs and the 
    Autopsy Forensic Browser, is available at:
       www.cerias.purdue.edu/homes/carrier/forensics/
    
    TCTUTILs is a set of tools that are built on the framework of The
    Coroner's Toolkit (TCT).  Some features include file and directory name 
    analysis, mapping between inodes and blocks, and mapping between file 
    names and inodes.  The 'fls' utility displays information about
    deleted files, the quantity of which depends on the OS.  Six tools are
    included in the package.
    
    Autopsy is an HTML-based graphical interface to TCT, TCTUTILs, and 
    basic UNIX utilities.  It integrates many command line based tools
    to automate the tedious tasks, while giving the investigator the 
    ability to use the individual tools for more complex scenarios.  It
    offers 4 methods of browsing: File, Inode, Block, and Block Search.  
    
    Both tools will be presented at SANSFIRE in July.
    
    Major Changes from v1.00 include:
    TCTUTILs:
    - New tool called blockcalc, which converts the block number in an
      unrm (TCT) generated image (i.e. only the unallocated blocks) to 
      the original block number.  This can be used when using lazarus (TCT)
      on an image created by unrm (i.e. when recovering deleted files).
    - find_inode now identifies an inode that is using a block as an 
      indirect block pointer (it previously only examined direct blocks).
    - The -m option of fls outputs in grave-robber (TCT) format, so it can
      be concatenated with the body file before mactime (TCT) is run. 
      Therefore, the mac_merge tool is no longer included with TCTUTILs.  
    - istat displays the blocks that an inode is using as indirect pointers.
    - istat can be forced to display a specified number of block pointer
      entries.  This is useful for deleted directories in Linux, since the
      size is set to 0, but the block pointers are not deleted.  
    
    Autopsy:
    - Block numbers can be entered as a 'dd' value or as an 'unrm' value.
      This makes it easier to use both Lazarus and Autopsy together. 
    - Automated Installation Process!
    - Improved Menus.
    - Can save block and inode contents as files.
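The block-number translation described above (blockcalc's unrm-to-original mapping, and Autopsy's acceptance of either a 'dd' or an 'unrm' block value), as an added Python example that is not code from TCTUTILs or Autopsy. It assumes unrm copies the unallocated blocks in ascending order and that the allocation bitmap is known; the bitmap here is constructed, where a real tool would read it from the filesystem.

```python
"""Map block numbers between a raw ('dd') filesystem image and an 'unrm'
image, which holds only the unallocated blocks in their original order.

Added example, not code from TCTUTILs.  Assumption: unrm writes every
unallocated block, in ascending block-number order, with no gaps.
"""
from typing import List, Optional

# Constructed allocation bitmap for a 16-block filesystem (True = allocated).
# A real implementation would read this from the filesystem's block bitmap.
ALLOCATED: List[bool] = [True, True, False, False, True, False, True, True,
                         False, False, False, True, True, False, True, False]


def unallocated_blocks(bitmap: List[bool]) -> List[int]:
    """Original block numbers that unrm would copy, in the order it copies them."""
    return [n for n, used in enumerate(bitmap) if not used]


def unrm_to_dd(unrm_block: int, bitmap: List[bool]) -> int:
    """Translate a block number inside the unrm image (e.g. one reported by
    lazarus) to the block number in the original image, which can then be
    given to find_inode or istat."""
    free = unallocated_blocks(bitmap)
    if not 0 <= unrm_block < len(free):
        raise ValueError(f"unrm image has only {len(free)} blocks, "
                         f"block {unrm_block} does not exist")
    return free[unrm_block]


def dd_to_unrm(dd_block: int, bitmap: List[bool]) -> Optional[int]:
    """Reverse mapping.  Returns None when the original block is allocated,
    because an allocated block never appears in the unrm image."""
    if not 0 <= dd_block < len(bitmap):
        raise ValueError(f"filesystem has only {len(bitmap)} blocks")
    if bitmap[dd_block]:
        return None
    # The unrm index is the count of unallocated blocks that precede dd_block.
    return sum(1 for used in bitmap[:dd_block] if not used)


if __name__ == "__main__":
    for unrm_block in range(len(unallocated_blocks(ALLOCATED))):
        dd_block = unrm_to_dd(unrm_block, ALLOCATED)
        assert dd_to_unrm(dd_block, ALLOCATED) == unrm_block
        print(f"unrm block {unrm_block:2d} -> dd block {dd_block:2d}")
```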
    
    Platforms:
    TCTUTILs and Autopsy are supported on OpenBSD, Solaris, and Linux.
    
    This archive was generated by hypermail 2b30 : Tue May 29 2001 - 20:34:38 PDT