From:	 Brian Carrier <carrier@cs.purdue.edu>
To:	 sectools@securityfocus.com
Subject: TCTUTILs & Autopsy Release
Date:	 Tue, 29 May 2001 16:13:23 -0500

The latest version (1.01) of my forensic tools, TCTUTILs and the 
Autopsy Forensic Browser, is available at:
   www.cerias.purdue.edu/homes/carrier/forensics/

TCTUTILs is a set of tools that are built on the framework of The
Coroner's Toolkit (TCT).  Some features include file and directory name 
analysis, mapping between inodes and blocks, and mapping between file 
names and inodes.  The 'fls' utility displays information about
deleted files, the quantity of which depends on the OS.  Six tools are
included in the package.

Autopsy is an HTML-based graphical interface to TCT, TCTUTILs, and 
basic UNIX utilities.  It integrates many command line based tools
to automate the tedious tasks, while giving the investigator the 
ability to use the individual tools for more complex scenarios.  It
offers 4 methods of browsing: File, Inode, Block, and Block Search.  

Both tools will be presented at SANSFIRE in July.

Major Changes from v1.00 include:
TCTUTILs:
- New tool called blockcalc, which converts the block number in an
  unrm (TCT) generated image (i.e. only the unallocated blocks) to 
  the original block number.  This can be used when using lazarus (TCT)
  on an image created by unrm (i.e. when recovering deleted files).
- find_inode now identifies an inode that is using a block as an 
  indirect block pointer (it previously only examined direct blocks).
- The -m option of fls outputs in grave-robber (TCT) format, so it can
  be concatenated with the body file before mactime (TCT) is run. 
  Therefore, the mac_merge tool is no longer included with TCTUTILs.  
- istat displays the blocks that an inode is using as indirect pointers.
- istat can be forced to display a specified number of block pointer
  entries.  This is useful for deleted directories in Linux, since the
  size is set to 0, but the block pointers are not deleted.  
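As an added illustration of the mapping blockcalc performs (this is example code, not blockcalc or any other part of TCTUTILs): an unrm image holds only the unallocated blocks, so block n of the unrm image is the nth unallocated block of the original file system, which the allocation bitmap identifies. The 16-block bitmap, the LSB-first bit layout (ext2's convention) and all function names are assumptions made for the example.

```python
# Added example: blockcalc-style mapping between block numbers in an unrm
# image (unallocated blocks only) and block numbers in the original image.
# Assumes the unrm image holds every unallocated block in ascending order.

def bitmap_to_allocated(bitmap, nblocks):
    """Decode a block allocation bitmap (one bit per block, least
    significant bit first within each byte, as ext2 stores it) into a
    list of booleans indexed by original block number."""
    if nblocks > len(bitmap) * 8:
        raise ValueError("bitmap too short for %d blocks" % nblocks)
    return [bool(bitmap[i // 8] >> (i % 8) & 1) for i in range(nblocks)]

def unrm_map(allocated):
    """unrm image block index -> original block number."""
    return [blk for blk, used in enumerate(allocated) if not used]

def unrm_to_original(allocated, unrm_block):
    """The blockcalc direction: a block number lazarus reports within the
    unrm image becomes the block number in the original image."""
    mapping = unrm_map(allocated)
    if not 0 <= unrm_block < len(mapping):
        raise ValueError("unrm block %d outside image of %d blocks"
                         % (unrm_block, len(mapping)))
    return mapping[unrm_block]

def original_to_unrm(allocated, orig_block):
    """Reverse direction; returns None for an allocated block, which has
    no counterpart in the unrm image."""
    if not 0 <= orig_block < len(allocated):
        raise ValueError("block %d outside file system" % orig_block)
    if allocated[orig_block]:
        return None
    return sum(1 for used in allocated[:orig_block] if not used)

def unrm_offset_to_original(allocated, unrm_offset, block_size):
    """Byte offset inside the unrm image -> byte offset in the original
    image (handy when a recovered fragment is located by offset)."""
    blk, within = divmod(unrm_offset, block_size)
    return unrm_to_original(allocated, blk) * block_size + within

# Constructed 16-block file system: blocks 0-3, 5, 8, 9 and 12 allocated.
SAMPLE_BITMAP = bytes([0x2F, 0x13])
SAMPLE_ALLOCATED = bitmap_to_allocated(SAMPLE_BITMAP, 16)

if __name__ == "__main__":
    for n in range(len(unrm_map(SAMPLE_ALLOCATED))):
        print("unrm block %2d -> original block %2d"
              % (n, unrm_to_original(SAMPLE_ALLOCATED, n)))
```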

Autopsy:
- Block numbers can be entered as a 'dd' value or as an 'unrm' value.
  This makes it easier to use both Lazarus and Autopsy together. 
- Automated Installation Process!
- Improved Menus.
- Can save block and inode contents as files.


Platforms:
TCTUTILs and Autopsy are supported on OpenBSD, Solaris, and Linux.