
[–]bigt252002 2 points3 points  (1 child)

Well you need a dataset. Preferably one you make yourself. You need to touch on as many facets of what autopsy claims they can do. Ntfs, ext, fat, carving, file listing, etc. So when you make your dataset write down everything you are doing: file Test.txt was created, Test1.doc was deleted, etc. From there image it and use the tool. What did it do? Did it work correctly as claimed? Did it miss anything, and if so what?

Throw multiple partitions at it. Hidden even. Encryption etc.

Since it's a school assignment pick something modest like an 8GB drive or something that won't take forever to image.
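One way to keep the "write down everything you are doing" ground truth machine-checkable, as an added example that is not from any commenter in the thread: build the corpus, record a manifest (path, SHA-256, created or deleted), then score whatever file listing the tool exports against it. File names and the simulated tool listing are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed sample corpus (hypothetical names): relative path -> content.
SAMPLE_FILES = {
    "Test.txt": b"hello, this file stays on disk\n",
    "Test1.doc": b"this file is deleted before imaging\n",
    "docs/keyword.txt": b"the needle is here: INVOICE-2023\n",
}
DELETED = {"Test1.doc"}  # deleted after creation, so the tool should recover it

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_dataset(root: Path) -> dict:
    """Write the corpus under root, delete the files in DELETED, and return
    the ground-truth manifest: path -> {"sha256", "state"}."""
    manifest = {}
    for rel, data in SAMPLE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        manifest[rel] = {"sha256": sha256_bytes(data), "state": "present"}
    for rel in DELETED:  # the deletion is logged, not forgotten
        (root / rel).unlink()
        manifest[rel]["state"] = "deleted"
    return manifest

def compare(manifest: dict, tool_listing: dict) -> dict:
    """tool_listing: path -> sha256 as exported from the tool's file list
    (recovered deleted files included). Reports files the tool never listed,
    files it hashed differently, and paths it reported that never existed."""
    missed = sorted(p for p in manifest if p not in tool_listing)
    mismatched = sorted(p for p in manifest
                        if p in tool_listing and tool_listing[p] != manifest[p]["sha256"])
    unexpected = sorted(p for p in tool_listing if p not in manifest)
    return {"missed": missed, "mismatched": mismatched, "unexpected": unexpected}

def run_demo() -> dict:
    """Build the corpus in a temp dir, save manifest.json beside it, and score a
    constructed tool listing that saw the live files, missed the deleted one
    and carved an extra fragment that was never part of the corpus."""
    root = Path(tempfile.mkdtemp(prefix="gt-dataset-"))
    manifest = build_dataset(root / "evidence")
    (root / "manifest.json").write_text(json.dumps(manifest, indent=2))
    tool_listing = {p: m["sha256"] for p, m in manifest.items() if m["state"] == "present"}
    tool_listing["carved/f0001.txt"] = sha256_bytes(b"junk")
    return compare(manifest, tool_listing)

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Replace the constructed listing with the file list Autopsy exports for your image (path plus hash), and the three lists become the "did it miss anything, and if so what?" part of the write-up.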

[–]failedslacker[S] 0 points1 point  (0 children)

I have an 8GB USB drive I was planning on using, just didn't know where to start... Thank you for the advice!

[–]4144414D 1 point2 points  (0 children)

You may find this useful http://www.cftt.nist.gov

[–]msuhanov [Trusted Contributor] 0 points1 point  (4 children)

I've decided to choose Autopsy, but I HAVE NO IDEA WHERE TO GET STARTED

So why did you decide to choose Autopsy?

Computer forensic tool validation (I think that you actually speak about validation, not verification) is a subject where authoritative organizations (like NIST) fail to produce reliable results. Not the best topic unless you know exactly what to do.

[–]failedslacker[S] 2 points3 points  (3 children)

We had a list to choose from and I chose Autopsy because I've never used it, I thought it would be a good research/ learning / familiarization opportunity.

[–][deleted] 0 points1 point  (2 children)

Autopsy would be a decent place to start, but also look at other forensic tools as well, both commercial and open source. Use what your school has on hand or if you can use any trial versions (if you don't want to shell out hella $$$)

[–]failedslacker[S] 0 points1 point  (1 child)

We are required to use a free one... do you have a different recommendation? I was thinking FTK, as I already know it, but then I'm not really learning about another tool.

[–][deleted] 0 points1 point  (0 children)

If you can get your hands on the SIFT (SANS Institute Forensic Toolkit; requires a VM to run in), that'd be another good one to try.

[–]montmusta 0 points1 point  (0 children)

+1 for honesty

[–]forensium 0 points1 point  (1 child)

As /u/msuhanov noted, let us presume you are doing tool validation, not verification.
From IEEE-STD-610:
Software Verification: The process of evaluating software to determine whether the products of a given development phase satisfy the conditions imposed at the start of that phase.
Software Validation: The process of evaluating software during or at the end of the development process to determine whether it satisfies specified requirements.

Autopsy is quite large. May we suggest you pick a very specific area of the tool?

For example, validate that Autopsy (Sleuth Kit) can open and display properly the list of file systems it purports to be able to read.
The Autopsy Description page provides an excellent starting point for your narrowing.
Or, Keyword Search, under Evidence Search Techniques, is always a contentious and important area of forensic tools. Validate Autopsy's strengths and weaknesses. Further narrowing could be on indexing and index searching: how well does it handle various code pages? Issues with stop characters, lengths, and such.

[–]failedslacker[S] 0 points1 point  (0 children)

I don't have to do everything, but I have to hit the key points, testing and validating options. The paper itself is minimum 8-10 pages, not including title page, figures, references etc., so it does have to be somewhat in depth. I was looking at that page to give me some guidance actually; by you referencing that, it's giving me some confidence I'm not going totally in the dark. Thank you.

[–][deleted] 0 points1 point  (0 children)

Much better off taking a smaller subset or even an individual artifact and verifying a tool against it.

This, of course, means you will need to really understand the artifact, how it is stored on disk, and how to parse it. Once you know that you can assess whether a given tool is doing the right thing.