Tool Evaluation: Autopsy Blog Update 2

Introduction

Since our initial research phase, a lot of progress has been made on the tool evaluation project. Everyone within the Tool Evaluation team has their own Virtual Machine, also known as a VM, that their individual tool is installed on. A VM is software that runs an operating system and applications as if on a normal desktop. It is given access to some of the host computer's hardware, essentially making it a way to use a separate computer within another.

Problem Solving with Our VM

We’ve been sifting through the data recently and have made a couple of interesting discoveries and accomplishments. We’ve successfully added the forensic image from our data generation to our VM, which took almost 2 hours. We ended up running the data through Autopsy seven different times to test for consistency, which was the longest part of using the tool. We spent the time it was running doing some extra research and figuring out extra quirks of Autopsy.

The VM was temperamental during this whole process. It would freak out and not let us type, and when it wasn’t doing that, it took complete control of the mouse and we couldn’t do anything in the system/program. After figuring out the quirks of typing in the VM, it was fairly easy to just watch as it loaded, keeping track of how long everything took to make sure that it was all still functioning.

We made a couple of predictions of how long it would take to process and tried to figure out one odd thing: Autopsy doesn’t like Mozilla Firefox. Anything from Mozilla Firefox was labeled a zip bomb by the program. To date, we still don’t know why it wanted Firefox to be a zip bomb so badly, but we assume that it has something to do with the compression ratio of the files Firefox stores. Because of this, our tool did not pick up essential evidence contained within the Firefox AppData folder that other teams’ tools did.

Conclusion

So far, it has been fun and interesting to work through the hiccups of this project. We look forward to analyzing and comparing our results, and then sharing them with the world!


Stay tuned for more updates to come and follow us on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI.