October 23rd, 2008 by ahoog

How to handle swap space analysis in Autopsy?

I have found there are two approaches to handling swap space analysis while using the Autopsy Forensic Browser.  Since swap space is unstructured, it does not conform to a typical file system layout, and the usual file-system-based analysis techniques do not apply to it.

Add swap space into Autopsy’s Host Manager

Your first option is to add the partition or disk image into the Host Manager within Autopsy.  This can be a bit confusing as you must choose a mount point and swap is not mounted in the file system.  Generally, I set a Mount Point of none and select swap as the file system type.  The advantages of this approach are:

  1. You will benefit from the time saved performing repetitive tasks such as extracting strings, searching in ASCII or Unicode and more.
  2. All analysis you perform on the swap space will be audited in the same case audits and allow for a less complicated explanation when developing your report.
  3. You can make use of the Notes function to log important findings.
  4. You have a consistent interface for all forensic analysis.

However, you are also limited by the interface.  More creative analysis requires that you analyze swap space outside of the Autopsy Forensic Browser.  Which leads to…

Analyze swap space from the command line, outside of Autopsy

This approach to swap space analysis provides the experienced forensic analyst the most control.  You can quickly generate strings and easily change default parameters (say, for instance, you wanted a longer minimum length than the 4 characters that strings defaults to).  Also, you can easily run powerful programs such as Lazarus and foremost directly against the raw image and speed up analysis.
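To make the command-line workflow concrete, here is an added example (not code from Autopsy, The Sleuth Kit, or this post's author) that does in a few lines what the strings step of a swap analysis does: it carves printable ASCII and UTF-16LE runs out of a raw image with a configurable minimum length, records the byte offset of each hit so it can be cross-referenced back in Autopsy or pulled with dd, and runs a keyword search over both encodings. The SAMPLE_SWAP bytes are constructed for the example and stand in for a raw swap partition image; on a real case you would read the image file instead.

```python
"""Minimal strings-style extractor for raw swap images (added example)."""
import re

# Constructed stand-in for a raw swap image (assumed sample bytes, not a real
# dump): binary filler mixed with ASCII runs of various lengths and one
# UTF-16LE path of the kind Windows leaves in memory.
SAMPLE_SWAP = (
    b"\x00\x00\xff\x10"
    + b"ok" + b"\x00\x01"                 # 2-char run: below any sane minimum
    + b"password=hunter2" + b"\x00\x00\x7f"
    + b"abcd" + b"\x00\xff"               # 4-char run: found only at the default minimum
    + "C:\\Users\\victim\\secret.docx".encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 16
    + b"mail to: alice@example.com\n" + b"\x00"
)

# One printable ASCII byte (space through tilde); newline and NUL break a run.
ASCII_PRINTABLE = rb"[\x20-\x7e]"


def ascii_strings(data: bytes, min_len: int = 4):
    """Yield (offset, text) for printable-ASCII runs of at least min_len bytes,
    i.e. what `strings -n <min_len>` reports on the same image."""
    pattern = re.compile(ASCII_PRINTABLE + b"{%d,}" % min_len)
    for m in pattern.finditer(data):
        yield m.start(), m.group().decode("ascii")


def utf16le_strings(data: bytes, min_len: int = 4):
    """Yield (offset, text) for runs of UTF-16LE characters (each printable
    ASCII byte followed by a NUL), the Unicode search Autopsy offers and
    what `strings -e l` does on the command line."""
    pattern = re.compile(b"(?:" + ASCII_PRINTABLE + b"\x00){%d,}" % min_len)
    for m in pattern.finditer(data):
        yield m.start(), m.group().decode("utf-16-le")


def all_strings(data: bytes, min_len: int = 4):
    """Merge both encodings into one offset-sorted list of (encoding, offset, text)."""
    found = [("ascii", off, s) for off, s in ascii_strings(data, min_len)]
    found += [("utf16le", off, s) for off, s in utf16le_strings(data, min_len)]
    return sorted(found, key=lambda hit: hit[1])


def keyword_hits(data: bytes, keyword: str, min_len: int = 4):
    """Case-insensitive keyword search across ASCII and UTF-16LE strings."""
    kw = keyword.lower()
    return [hit for hit in all_strings(data, min_len) if kw in hit[2].lower()]


if __name__ == "__main__":
    # Raising the minimum length is the usual first tuning step: it drops
    # short junk like "abcd" without losing the longer, meaningful runs.
    for min_len in (4, 8):
        print(f"--- min_len={min_len} ---")
        for enc, off, text in all_strings(SAMPLE_SWAP, min_len):
            print(f"{off:8d}  {enc:8s}  {text!r}")
    print("keyword 'secret':", keyword_hits(SAMPLE_SWAP, "secret"))
```

Offsets are printed in decimal so they line up with `strings -t d` and with `dd skip=<offset> bs=1` when you want to pull the surrounding bytes for a report; the UTF-16LE pass is what catches paths, document names and form data that an ASCII-only strings run silently misses.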

Conclusions

Swap space analysis is a key step in computer forensics, whether for incident response or perhaps more corporate concerns such as intellectual property investigation.  The Autopsy Forensic Browser provides powerful tools to quickly analyze this treasure trove but the more experienced analyst might find themselves better served analyzing swap space outside of Autopsy.

Share your thoughts

If you come across this HOWTO and have drawn the same conclusions or perhaps different ones, I’d love to hear from you.  Please share your experiences in our Comments section.
