DC3 2009


Methodologies & Tools

As we are an academic team, we used a mixture of publicly available and internally created tools.

Publicly available tools:

  1. FTK (AccessData Forensic Toolkit) – forensic analysis suite

  2. The Sleuth Kit / Autopsy Forensic Browser – open-source forensic toolkit and its browser-based front end

  3. Luke – Lucene Index Toolbox, for inspecting and querying Lucene indexes

  4. StegDetect – steganography detection tool for JPEG images

  5. strings – Linux command that extracts printable character sequences from binary files

  6. file – Linux command that identifies a file's type from its content (magic bytes) rather than its extension

Unreleased research tools:

  1. BlackFriar – an experimental distributed system for indexing forensic drive images

  2. RC4 MPI Password Cracker – an MPI-based brute-force cracker for the 40-bit RC4 keys used by the default (legacy) Office document encryption, written to run on LONI, the Louisiana Optical Network Initiative supercomputer. Because that key space is only 2^40 keys (about 1.1 trillion), the key itself can be searched directly, regardless of how strong the document password is.
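To make concrete what the RC4 cracker above has to do, here is an added example in Python (it is not the team's tool, which was never released): a plain RC4 implementation, a password-independent search of the key space, and the MPI-style partitioning of that space into one contiguous slice per rank, simulated here in a single process. The key-correctness check is modelled on the verifier/verifier-hash construct of the legacy Office RC4 scheme (a 16-byte verifier and its MD5 are encrypted under one keystream; a key is accepted when the decrypted hash matches); the function names, the 12-bit toy key width and the sample values are assumptions made for this example.

```python
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling (KSA) followed by keystream generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def make_challenge(key: bytes, verifier: bytes):
    """Produce (EncryptedVerifier, EncryptedVerifierHash), modelled on the legacy
    Office RC4 scheme: both 16-byte blocks are encrypted under one RC4 keystream
    and the hash is MD5(verifier). This layout is an assumption of the example."""
    stream = rc4(key, verifier + hashlib.md5(verifier).digest())
    return stream[:16], stream[16:]


def key_matches(key: bytes, enc_verifier: bytes, enc_hash: bytes) -> bool:
    """A candidate key is right when the decrypted hash equals MD5 of the decrypted
    verifier; a wrong key can only pass via a 128-bit MD5 collision."""
    plain = rc4(key, enc_verifier + enc_hash)
    return hashlib.md5(plain[:16]).digest() == plain[16:]


def rank_slice(rank: int, size: int, key_bits: int):
    """Contiguous share of the 2**key_bits key space assigned to one MPI rank."""
    total = 1 << key_bits
    return rank * total // size, (rank + 1) * total // size


def search_slice(rank, size, key_bits, enc_verifier, enc_hash):
    """Exhaust one rank's slice of the key space; the password never enters into it."""
    key_len = (key_bits + 7) // 8          # 5 bytes for the real 40-bit case
    start, end = rank_slice(rank, size, key_bits)
    for k in range(start, end):
        if key_matches(k.to_bytes(key_len, "little"), enc_verifier, enc_hash):
            return k
    return None


def crack(key_bits, size, enc_verifier, enc_hash):
    """Stand-in for the MPI job: run every rank's slice in turn in this process."""
    for rank in range(size):
        hit = search_slice(rank, size, key_bits, enc_verifier, enc_hash)
        if hit is not None:
            return hit
    return None


if __name__ == "__main__":
    # Toy parameters (assumed): a 12-bit key space so the demo finishes in
    # seconds; the real target is key_bits = 40, i.e. 2**40 RC4 key schedules.
    KEY_BITS, RANKS = 12, 4
    secret = 0xABC
    enc_v, enc_h = make_challenge(secret.to_bytes(2, "little"), bytes(range(16)))
    found = crack(KEY_BITS, RANKS, enc_v, enc_h)
    print("recovered key: %#x (correct: %s)" % (found, found == secret))
```

On a real cluster the loop over ranks in `crack` is replaced by each process reading its own rank and the communicator size (with mpi4py, `MPI.COMM_WORLD.Get_rank()` and `Get_size()`) and searching only its slice; the cost of the full job is about 2^40 key schedules, which is why the team needed a supercomputer rather than a workstation.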

BlackFriar was used to pre-index the files contained in The Image and build a Lucene index. Indexing included hashing each file, extracting its text, and recording location information for it. With a robust index in place we are able to run very fast keyword searches across multiple index fields and compose complex queries. The Lucene index is provided in the DC3DFC09.dd_lucene directory.

Using the provided search terms we immediately located several chat log files which confirm aspects of the witness's story and provide further information about the alleged crimes. Most of these are Skype chat logs, which are stored in a binary format rather than as plain ASCII/UTF-8 text. BlackFriar extracts the printable-string entries from such files, so the log files we discuss are provided in the evidence folder as exports from the Lucene index. Each export records the original file's location within The Image.
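The indexing pipeline described in this paragraph and the previous one (hash each file, extract its text, record where it was found, then search across fields and export the hits with their locations) as an added example in Python. It is not BlackFriar, which was never released, and it uses a small in-memory inverted index in place of Lucene. The class and function names, the strings-style fallback for binary logs (printable runs of four or more bytes, as `strings` uses by default), and the two sample files written to a temporary directory are assumptions made for this example.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")   # strings(1) default: 4+ printable bytes
TOKEN = re.compile(r"[a-z0-9]+")


def extract_entries(data: bytes):
    """Yield (byte_offset, text) entries. Clean UTF-8 text is split into lines;
    anything else (such as a binary Skype log) is reduced to its printable runs,
    a strings-style fallback assumed here to stand in for BlackFriar's."""
    if b"\x00" not in data:
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            pass
        else:
            offset = 0
            for raw in data.splitlines(keepends=True):
                yield offset, raw.decode("utf-8").rstrip("\r\n")
                offset += len(raw)
            return
    for m in PRINTABLE_RUN.finditer(data):
        yield m.start(), m.group().decode("ascii")


class ForensicIndex:
    """Minimal inverted index carrying the fields the page lists: hashes,
    extracted text, and where each hit sits (path inside the image, byte offset)."""

    def __init__(self):
        self.docs = []                     # doc_id -> file metadata
        self.entries = defaultdict(list)   # doc_id -> [(offset, text), ...]
        self.postings = defaultdict(set)   # term -> {doc_id, ...}

    def add_file(self, path: str, root: str) -> int:
        with open(path, "rb") as fh:
            data = fh.read()
        doc_id = len(self.docs)
        self.docs.append({
            "path": os.path.relpath(path, root).replace(os.sep, "/"),
            "size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
        })
        for offset, text in extract_entries(data):
            self.entries[doc_id].append((offset, text))
            for term in TOKEN.findall(text.lower()):
                self.postings[term].add(doc_id)
        return doc_id

    def add_tree(self, root: str):
        for dirpath, _, names in os.walk(root):
            for name in sorted(names):
                self.add_file(os.path.join(dirpath, name), root)

    def search(self, query: str):
        """AND query over the term field; returns the matching file records."""
        terms = TOKEN.findall(query.lower())
        if not terms:
            return []
        ids = set.intersection(*(self.postings.get(t, set()) for t in terms))
        return [dict(self.docs[i], doc_id=i) for i in sorted(ids)]

    def export(self, doc_id: int, term: str):
        """One file's record plus the entries containing `term`, with their byte
        offsets, so a keyword hit can be traced back into the image."""
        term = term.lower()
        hits = [(off, text) for off, text in self.entries[doc_id]
                if term in TOKEN.findall(text.lower())]
        return dict(self.docs[doc_id], hits=hits)


def build_demo_index() -> ForensicIndex:
    """Constructed sample tree standing in for files carved from an image:
    one plain-text note and one binary log with embedded chat strings."""
    idx = ForensicIndex()
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "chat"))
        with open(os.path.join(root, "note.txt"), "wb") as fh:
            fh.write(b"Quarterly numbers are attached.\nNothing else here.\n")
        with open(os.path.join(root, "chat", "skype.dbb"), "wb") as fh:
            fh.write(b"\x00\x01\x02alice: meet me at the warehouse tonight"
                     b"\xff\xfe\x00bob: bring the laptop\x00")
        idx.add_tree(root)
    return idx


if __name__ == "__main__":
    idx = build_demo_index()
    for rec in idx.search("warehouse laptop"):
        print(idx.export(rec["doc_id"], "warehouse"))
```

The export record is what lets a reviewer go from a keyword hit back to the artifact: the path within the image, the hashes that tie the exported text to the original bytes, and the byte offset of each matching entry. A Lucene index stores the same fields, which is why a Lucene export can serve as evidence in place of a raw binary log.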

Posted in Digital Forensics