The Sleuth Kit (TSK) is an open source file system library and collection of command line tools that can be used to analyze hard drives and removable media. It has been under development for over 9 years, is used in many training courses, and is included in many Linux distributions. This talk provides an overview of TSK, how you can use it in your investigations, and how you can integrate it into your automated analysis systems. It will also highlight some of the recent developments in TSK.
As the scale of incidents continues to increase, it is crucial to accelerate your ability to acquire and analyze data as quickly as possible. Building your tool chain on open source technologies and limiting the scope and depth of data investigation can greatly enhance your ability to execute nimbly. Open source libraries provide a solid foundation along with an active, although less formal, user community. This presentation will show how MANDIANT has used The Sleuth Kit and other open source projects, together with Quality Assurance, to deliver unique capabilities in a short period of time.
Since starting from scratch in 2008, PTK, an alternate interface for The Sleuth Kit, has gained the support of the forensics community around the world, with almost 10,000 downloads to date. PTK started as a basic solution and expanded to offer more advanced features, moving to the cutting edge. Currently PTK is also distributed in a powerful package that covers almost all the features of the more costly forensic tools on the market. This talk will take you from the motivation behind the PTK idea, to a current overview of the tool, and end with a sneak peek at its future roadmap.
Mac Marshal, ATC-NY's Mac OS X operating system and application forensic tool, makes extensive use of The Sleuth Kit tools and libraries. In this talk, we will discuss the current state of HFS+ and Mac OS X support in The Sleuth Kit, both of which have undergone major changes within the past two years (in part due to ATC-NY's contributions). We will then describe how Mac Marshal uses The Sleuth Kit to analyze disk and partition images, as well as how it is used to read and extract data from HFS+ file systems. Finally, we will describe some directions for future development work on The Sleuth Kit that would benefit both Mac Marshal and the Mac OS X forensics field in general.
Many examiners are aware of the utility of open source tools for exploiting file system artifacts. Fewer are aware of the best tools and methodologies for extracting valuable data from higher-order artifacts: web history, email, executable files, images, and documents. This talk will showcase the speaker's top choices of tools and techniques for ensuring you have left no stone unturned during your open source-based forensic examination.
This year marks the fifth anniversary of AFF, the Advanced Forensics Format. AFF is an open evidence file format designed for holding disk images, memory dumps, network packet captures, and associated metadata. AFF1 was designed primarily for data archiving; it solved the problem of having dozens of E01 files for a single disk image. AFF3 introduced encryption and digital signatures for AFF files. With AFF4 we have completely redesigned the underlying format to improve access speed and to make it possible to store media from different devices in a single archive.
This talk will summarize the history of AFF, discuss the AFFLIB API, and showcase the new features in AFF4. We will discuss existing tools for converting between raw, AFF and EnCase file formats. We will also briefly discuss the Real Data Corpus, a large collection of AFF-formatted files available for research use.
Commercial forensic analysis tools provide a great deal of functionality, but they do not correlate timeline data from multiple sources within a system, or from multiple systems. Free and open source tools, including those based on The Sleuth Kit, as well as others written in scripting languages such as Perl or Python, can be used to craft timelines from multiple data sources, providing a much more granular view into activity on a system, as well as a greater level of context and confidence in that data. This presentation will briefly discuss the benefits of producing timelines through case studies and a demonstration.
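As an added illustration of the multi-source timeline idea in the abstract above (this is example code written for this page, not code from the talk or from The Sleuth Kit), the script below merges file system timestamps from a TSK bodyfile (the `|`-separated format written by `fls -m`, with atime, mtime, ctime and crtime as epoch seconds) with syslog-style entries into one ordered timeline, the way `mactime` expands each file into one row per distinct timestamp with `macb` flags. Both inputs are constructed sample data; the syslog year (2009) and the UTC interpretation of both sources are assumptions made for the example, since syslog lines carry no year or zone.

```python
"""Merge a TSK bodyfile (fls -m output) and syslog lines into one timeline.

Example code added for this page; sample data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

# Constructed bodyfile in the TSK 3.x format:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
BODYFILE = """\
0|/etc/passwd|1234|r/rrw-r--r--|0|0|1500|1236999600|1236999600|1236999600|0
0|/tmp/dropped.sh|9012|r/rrwxr-xr-x|1000|1000|88|1237003320|1237003300|1237003300|1237003300
0|/home/alice/.bash_history|5678|r/rrw-------|1000|1000|420|1237008000|1237008000|1237008000|0
"""

# Constructed syslog excerpt from the same host (no year, no zone in the format).
SYSLOG = """\
Mar 14 04:00:00 host sshd[2001]: Accepted password for alice from 198.51.100.7 port 51022 ssh2
Mar 14 04:01:40 host sudo: alice : TTY=pts/0 ; PWD=/tmp ; COMMAND=/tmp/dropped.sh
Mar 14 05:20:00 host sshd[2001]: pam_unix(sshd:session): session closed for user alice
"""


@dataclass(frozen=True)
class Event:
    ts: int       # epoch seconds, UTC
    source: str   # "fs" for bodyfile rows, "log" for syslog lines
    detail: str   # "macb-flags path" for fs events, the message for log events


def parse_bodyfile(text: str) -> List[Event]:
    """Expand each bodyfile row into one event per distinct non-zero timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"unexpected bodyfile field count: {line!r}")
        name = fields[1]
        # Column order in the file is atime, mtime, ctime, crtime; flags are shown as m a c b.
        times = {"m": int(fields[8]), "a": int(fields[7]),
                 "c": int(fields[9]), "b": int(fields[10])}
        # Zero means "not recorded" on this file system, so it is skipped rather than shown as 1970.
        for ts in sorted({t for t in times.values() if t}):
            flags = "".join(k if times[k] == ts else "." for k in "macb")
            events.append(Event(ts, "fs", f"{flags} {name}"))
    return events


def parse_syslog(text: str, year: int) -> List[Event]:
    """Parse 'Mon DD HH:MM:SS host message' lines; year and UTC are assumed (syslog omits both)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, message = line[:15], line[16:]
        dt = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        dt = dt.replace(tzinfo=timezone.utc)
        events.append(Event(int(dt.timestamp()), "log", message))
    return events


def build_timeline(bodyfile: str, syslog: str, year: int) -> List[Event]:
    """Interleave both sources by time; ties are ordered by source then detail for stable output."""
    events = parse_bodyfile(bodyfile) + parse_syslog(syslog, year)
    return sorted(events, key=lambda e: (e.ts, e.source, e.detail))


def render(events: List[Event]) -> List[str]:
    """Format rows as 'YYYY-MM-DD HH:MM:SS source detail' for printing or review."""
    rows = []
    for e in events:
        when = datetime.fromtimestamp(e.ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        rows.append(f"{when} {e.source:<3} {e.detail}")
    return rows


if __name__ == "__main__":
    for row in render(build_timeline(BODYFILE, SYSLOG, year=2009)):
        print(row)
```

With the constructed data the merged view places the `sudo` execution of `/tmp/dropped.sh` at the same second as that file's modification and change times, and the later access time lines up with the script being read, which is the kind of cross-source context a single tool's output does not give on its own. On a real case the bodyfile would come from `fls -m` against the image and the log lines from the extracted system, and the time zone assumption would have to be replaced by the host's actual configuration.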