Open Source Security Tools: Practical Guide to Security Applications, part 40

Page 369, Friday, June 25, 2004, 12:33 AM. Making Copies of Forensic Evidence

- Tracking of separate cases and multiple investigators
- Viewing allocated and deleted files and directories
- Accessing low-level file system structures
- Generating a timeline of file activity
- Sorting by file categories and checking extensions
- Searching image data by keywords
- Identifying graphic images and creating thumbnails
- Looking up hash databases, including the forensic standards NIST NSRL and Hash Keeper
- Creating investigator notes
- Generating reports

Installing Sleuth Kit

1. Download and unzip the file from the book's CD-ROM or the Web site.
2. In the directory, type make. The program automatically configures and compiles itself. It may prompt you with a few questions during the installation process.

Installing Autopsy Forensic Browser

This program is the graphical interface counterpart to Sleuth Kit. Using it with Sleuth Kit will make your life a whole lot easier and allow you to produce some nice graphical output. You can still use the Sleuth Kit command line tools separately if you want to.

1. Make sure you have Sleuth Kit installed before you start to install Autopsy.
2. Get the Autopsy file from the Web site or from the book's CD-ROM, in the autopsy directory.
3. Untar and unzip it with the usual tar -zxvf command.
4. Have the path to the Sleuth Kit program directory handy, and think about where you want to put your evidence locker, the special directory where all your Sleuth Kit case data will reside.
5. Type the make command. This installs the program and prompts you for your evidence locker directory and the directory that Sleuth Kit is installed in.

Using Sleuth Kit and Autopsy Forensic Browser

1. To start the server program, type ./autopsy from the autopsy directory. This runs the server in the background on port 9999.
2. Make a note of the URL that is displayed when it starts up. You will need this to log into the server.