Introduction

While learning the basics of digital forensics, I often became frustrated by the lack of support for common tools on various Unices, specifically Linux. One of the most powerful features of Unix-like operating systems is the ability to chain arbitrary commands so that the output of one command becomes the input of the next. This lets an investigator post-process arbitrary output, which is especially useful when confronted with the seemingly endless walls of text that digital forensics tools so often produce. Read more...

FTK Imager

FTK Imager is a popular program for making forensically sound images of various storage media, including both conventional hard disks and solid-state drives. It supports many image file formats, including EnCase Physical (.e01), SMART, Advanced Forensic Format (.AFF), and raw DD (.001, .img), which makes it an indispensable tool for reading and converting between image formats. The command-line version, however, was last updated in 2012 and remains at version 3. Read more...

Autopsy

Autopsy is a graphical front end to The Sleuth Kit, a collection of command-line forensic tools that allow for detailed examination of forensically relevant artifacts. Because Autopsy is a heavyweight, opinionated, graphical Java application, building it as a container is non-trivial. A further complication, as of 16 April 2019, is that Oracle changed its Java SE licensing, which led to the popular Ubuntu "WebUpd8" team PPA being discontinued over licensing concerns. Read more...

RegRipper

RegRipper is a useful utility for parsing Windows Registry hives, written in Perl by Harlan Carvey. It ships with profiles for the SAM, SYSTEM, SOFTWARE, SECURITY, NTUSER.DAT, and USRCLASS.DAT hives and writes its results to stdout, so ordinary I/O redirection can capture them to a file. Since it is not a graphical application, writing a Dockerfile for it is much easier than for a graphical application such as Autopsy. Read more...

Volatility

Volatility is another command-line forensics program, used for memory forensics. The default installation contains various profiles that identify the specific Windows build a given memory dump was taken from, so that Volatility knows which kernel structures to parse. Building a Volatility Docker image is relatively straightforward, although, as a Python program, it depends on specific Python modules, which can be installed through a combination of the OS package manager (apt, in the case of Ubuntu) and the Python pip package manager. Read more...

Wireshark

The final forensics application that I containerized as part of this project is Wireshark 3.0.1. While the other containers were all built on Ubuntu, the Wireshark container is built on Fedora's development branch, Rawhide, because it already packages the latest version of Wireshark in its repositories. Wireshark is a graphical application, but it ships with a command-line counterpart, tshark, which is useful in scripts. Read more...

Infrastructure

Containers, and specifically Docker, provide a useful abstraction for packaging arbitrary applications and their dependencies in a way that gives a degree of security and isolation from the host environment. This is particularly useful in cybersecurity disciplines such as incident response and forensics, where it is crucial not to modify the data being investigated. Additionally, while not as secure as a traditional virtual machine, judicious use of privilege separation and the principle of least privilege (read-only evidence mounts, dropped capabilities, an unprivileged user inside the container) can help maintain the integrity of the host environment and allow the safer handling of potentially dangerous files. Read more...
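The least-privilege handling described above, as an added example that is not part of the original post: a bash wrapper that runs a command-line forensic tool in a Docker container with the evidence directory mounted read-only, the container's own filesystem read-only, all capabilities dropped, networking disabled and the tool running as the invoking user, then compares SHA-256 hashes of the evidence before and after the run. RegRipper's rip.pl is used as the illustration, with its stdout redirected to a report file exactly as the RegRipper section describes. The image name forensic/regripper and the in-container paths /evidence and /output are assumptions, not names from the original.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: run a command-line forensic
# tool inside a locked-down Docker container and prove afterwards that the
# evidence was not modified. The image name "forensic/regripper" and the
# /evidence and /output paths inside the container are assumptions.
set -euo pipefail

# Print the docker command line, one argument per line, without running it.
#   - evidence directory bind-mounted read-only at /evidence
#   - output directory bind-mounted writable at /output
#   - container root filesystem read-only; scratch space only in a small tmpfs
#   - all capabilities dropped, no privilege escalation, no network
#   - tool runs as the invoking user, so output files are not root-owned
build_docker_cmd() {
  local evidence="$1" output="$2" image="$3"
  shift 3
  [ -d "$evidence" ] || { echo "evidence directory not found: $evidence" >&2; return 1; }
  [ -d "$output" ]   || { echo "output directory not found: $output" >&2; return 1; }
  printf '%s\n' docker run --rm \
    --read-only --tmpfs /tmp:rw,noexec,nosuid,size=64m \
    --cap-drop=ALL --security-opt no-new-privileges \
    --network none \
    --user "$(id -u):$(id -g)" \
    --mount "type=bind,src=$evidence,dst=/evidence,readonly" \
    --mount "type=bind,src=$output,dst=/output" \
    "$image" "$@"
}

# Write a SHA-256 manifest of every file under a directory (absolute paths, sorted).
hash_tree() {
  local dir manifest="$2"
  dir=$(cd "$1" && pwd -P)
  find "$dir" -type f -print0 | sort -z | xargs -0r sha256sum > "$manifest"
}

# Re-check a manifest; a non-zero exit means at least one evidence file changed.
verify_tree() {
  sha256sum --status -c "$1"
}

# Hash the evidence, run the tool with its stdout captured to a report file
# (the same I/O redirection used with rip.pl outside a container), then re-hash.
run_tool() {
  local evidence="$1" output="$2" image="$3"
  shift 3
  local manifest="$output/evidence.sha256" cmd
  hash_tree "$evidence" "$manifest"
  mapfile -t cmd < <(build_docker_cmd "$evidence" "$output" "$image" "$@")
  [ "${#cmd[@]}" -gt 0 ] || return 1
  "${cmd[@]}" > "$output/report.txt"
  if verify_tree "$manifest"; then
    echo "evidence unchanged; report in $output/report.txt"
  else
    echo "WARNING: evidence hashes changed during the run" >&2
    return 2
  fi
}

# Example invocation (needs Docker and an image providing rip.pl on its PATH):
#   run_tool ./evidence ./out forensic/regripper rip.pl -r /evidence/SYSTEM -f system
```

The before/after manifest is the check that catches a wrapper mistake such as a dropped `readonly` on the evidence mount, and `--read-only` plus a tmpfs means the tool cannot leave anything behind in the image layer; anything it legitimately needs to write (a case database, extracted files) must be pointed at /output.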

README_Linux

Linux Installation. Most Autopsy development targets Windows systems, but it is possible to run Autopsy on Linux and OS X. This file contains the instructions for building and running Autopsy on Ubuntu 18.10 (Cosmic Cuttlefish). The same instructions, with minor modifications, should probably work on Ubuntu 18.04.2 LTS (Bionic Beaver), but this has not yet been tested. Prerequisites. It appears that Autopsy relies on JavaFX, and therefore will not run successfully when compiled against OpenJDK. Read more...