TASK 1.00 & Autopsy 1.50 release

From: Brian Carrier (bcarrierat_private)
Date: Fri Apr 12 2002 - 08:15:59 PDT


    Now available on the @stake web site is the first public release of The
    @stake Sleuth Kit (TASK) and an updated version of the Autopsy Forensic
    Browser (version 1.50).
    
    TASK:
    	http://www.atstake.com/research/tools/task/
    
    Autopsy:
    	http://www.atstake.com/research/tools/autopsy/
    
    
    What is TASK?
    TASK is the only open source collection of tools for the analysis of both
    Microsoft and UNIX file systems.  It combines the file system tools of
    The Coroner's Toolkit (TCT) and TCTUTILs, adds support for FAT12, FAT16,
    FAT32, and includes new utilities.  NTFS and Palm OS support will be
    released in the future.  Platform independence was also added so that
    one can analyze any supported file system type on any supported platform
    (TCT only supported the default native file system type).
    
    
    What does this mean?
    This means that you can analyze and recover data from a 'dd' generated
    file system image in a sound, read-only fashion on many UNIX platforms.
    TASK manually parses the file system image to extract data and represents
    it as files and other file system data structures.  Therefore, it does
    not matter if the platform you are using actually supports the file
    system being analyzed.
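    To make the "manually parses the file system image" point concrete, here is an added example (not TASK or Autopsy code) that reads the FAT BIOS Parameter Block straight out of image bytes, so the analysis host needs no FAT driver at all, and computes an image hash of the kind an integrity check compares against. The boot sector is constructed inline to stand in for a 'dd' image, and the hash algorithm (SHA-256) is this example's own choice.

```python
import hashlib
import struct

BPB_FORMAT = "<HBHBHHBHHHII"   # BIOS Parameter Block fields, starting at byte 11

def build_sample_boot_sector() -> bytes:
    """Constructed 512-byte FAT12 boot sector (1.44 MB floppy geometry), not a real image."""
    bpb = struct.pack(BPB_FORMAT,
        512,   # bytes per sector
        1,     # sectors per cluster
        1,     # reserved sectors (the boot sector itself)
        2,     # number of FAT copies
        224,   # root directory entries (FAT12/16 only)
        2880,  # total sectors, 16-bit field
        0xF0,  # media descriptor
        9,     # sectors per FAT (16-bit field, zero on FAT32)
        18,    # sectors per track
        2,     # heads
        0,     # hidden sectors
        0)     # total sectors, 32-bit field (used when the 16-bit field is 0)
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x3C\x90"             # x86 jump over the BPB
    sector[3:11] = b"MSWIN4.1"                # OEM name
    sector[11:11 + len(bpb)] = bpb
    sector[510:512] = b"\x55\xAA"             # boot sector signature
    return bytes(sector)

def image_hash(image: bytes) -> str:
    """Integrity value for the whole image; recompute later to prove it was not modified."""
    return hashlib.sha256(image).hexdigest()

def parse_fat_bpb(image: bytes) -> dict:
    """Decode the BPB from raw bytes; no operating-system file-system support is involved."""
    if len(image) < 512 or image[510:512] != b"\x55\xAA":
        raise ValueError("no 0x55AA boot signature: not a FAT boot sector")
    (bps, spc, reserved, nfats, root_entries, total16,
     _media, spf, _spt, _heads, _hidden, total32) = struct.unpack_from(BPB_FORMAT, image, 11)
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or nfats == 0:
        raise ValueError("implausible BPB geometry")
    if spf == 0:   # FAT32 keeps sectors-per-FAT in a 32-bit field at offset 36
        spf = struct.unpack_from("<I", image, 36)[0]
    total = total16 or total32
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps   # 0 on FAT32
    first_data_sector = reserved + nfats * spf + root_dir_sectors
    clusters = (total - first_data_sector) // spc
    # The cluster count, not any label, decides the FAT variant (per the Microsoft FAT spec).
    fat_type = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    return {"fat_type": fat_type, "bytes_per_sector": bps, "sectors_per_cluster": spc,
            "root_dir_offset": (reserved + nfats * spf) * bps,
            "first_data_sector": first_data_sector, "clusters": clusters}
```

    On a real image, open the file read-only, hash it before and after the examination, and hand the first 512 bytes to parse_fat_bpb to locate the root directory and data area.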
    
    
    But what about a graphical interface?  
    A new version of Autopsy has also been released with many new features.
    Autopsy is an HTML-based graphical interface to TASK and other UNIX
    utilities that allow one to examine images in an automated fashion.
    It represents the files and directories in a 'File Manager' type interface
    and has interfaces for viewing content and meta-data structures, file
    system structure details, and key word searches.  New features include
    automated time line creation, image integrity checks, regular expression
    key word searches, predefined keyword searches, and images and HTML pages
    can be viewed in a sanitized environment.  
    
    
    Screen shots are available at:
    	http://www.atstake.com/research/tools/autopsy/
    
    
    Can this be used for Incident Response as well?
    Autopsy uses an HTML browser and therefore can be used for
    network-based analysis.  A CD-ROM can be created with compiled versions
    of TASK and Autopsy so that it can be placed in a suspect computer and
    a preliminary analysis can be performed using the raw devices without
    modifying the file system.  This helps a responder identify if the system
    has been compromised and needs to be acquired.  
    
    Also, the client-server design can be used to have a central analysis
    server with each investigator connecting to it with their HTML browsers
    on personal workstations (ssh forwarding can be used for encryption).
    
    Many of the tools in TASK are released under the IBM Public License and
    Autopsy is released under the GNU Public License.
    
    
    brian
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Fri Apr 12 2002 - 09:51:49 PDT