Using Nautilus for Data Triage

From BitCurator

If you'd prefer following video instructions, check out the screencast version of this tutorial in our video gallery.

Introduction to Nautilus Scripts

Nautilus (see Figure 1) is a popular GUI file manager for Linux and the default file manager in Ubuntu Linux 12.04. It functions much like Windows Explorer on Windows systems and Finder on Macs. One key feature of Nautilus is that it can be extended with user-created back-end scripts: any executable placed in the Nautilus scripts directory appears under the Scripts entry of the right-click menu, and when chosen it is run with the currently selected files passed to it. These scripts work much like plug-ins for a web browser and extend Nautilus's basic functionality. The BitCurator Environment includes a number of custom Nautilus scripts specifically geared to assist the digital archivist in pre-ingest data analysis. The sections below give specific instructions for using Nautilus to perform a number of critical data analysis tasks.

Figure 1: Nautilus file manager in Ubuntu Linux 12.04

Calculate and Display MD5 Sums

A checksum (of which an MD5 sum is one type) is a fixed-length string produced by running an algorithm over the contents of a file. It is used to validate data integrity: if any byte of the file changes, the algorithm produces a different checksum, which makes it easy to detect errors introduced during the file's transmission or storage (e.g. due to physical damage, bit rot, malicious intent, or accidental writes to media that was not write-protected). The sum thus acts as an identifier for the file in its exact current state. You calculate the sum at a point when you know your file (e.g. a disk image) is not corrupted or altered, record it, and recalculate it at later points in time; if the new sum matches the recorded one, the file has not changed. Two cautions apply. The recorded sum is only useful if it is kept somewhere the file itself cannot alter it, i.e. in a separate manifest, ideally stored apart from the image. And MD5 is reliable for catching accidental corruption, but it is no longer collision-resistant, so where deliberate tampering is a concern record a SHA-256 sum alongside it. See page for more on how checksums work.

  1. Open Nautilus and navigate to the file or files for which you would like to calculate MD5 sums.
  2. Choose the desired file or files.
  3. Right click on any of the file icons and navigate to Scripts > File Analysis > Calculate MD5 (see Figure 2).
  4. Choose whether you would like the MD5 sum to be displayed or saved (if you have chosen multiple files, the output is saved by default) (see Figure 3).
  5. If you chose to save, a file listing the MD5 sum of each selected file is written to the current directory. Otherwise the MD5 sum is displayed in a window.
Figure 2: Choose "Calculate MD5" in the Nautilus script menu.
Figure 3: Choose to either save or display the MD5 sum output.
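The procedure above, and the introduction to Nautilus scripts, as an added example. This is not one of the BitCurator scripts; it is written for this page to show what a "Calculate MD5" script looks like from the inside and how a saved manifest is checked later. It relies on two things Nautilus provides to every script it runs: the selected files as positional arguments and, one path per line, in the environment variable NAUTILUS_SCRIPT_SELECTED_FILE_PATHS. The hash tool is any of the coreutils programs (md5sum, sha1sum, sha256sum); the dialog tool zenity is an assumption, and the script falls back to standard output without it.

```shell
#!/bin/sh
# Added example (not one of the BitCurator Nautilus scripts): a "Calculate
# MD5"-style script that can also verify a saved manifest later. The line
# format "<hash>  <path>" is the one the coreutils hash tools write.

# Hash every regular file named on stdin, one path per line.
hash_files() {            # $1 = hash tool, e.g. md5sum or sha256sum
    algo="$1"
    while IFS= read -r f; do
        [ -f "$f" ] || continue
        "$algo" "$f"
    done
}

# Save a manifest for the paths given on stdin.
write_manifest() {        # $1 = hash tool, $2 = manifest path
    hash_files "$1" > "$2"
}

# Recompute every hash in a manifest and compare it with the recorded one.
# Prints one OK/FAILED line per entry and returns non-zero if any file has
# changed or disappeared (a missing file hashes to nothing, so it fails).
verify_manifest() {       # $1 = hash tool, $2 = manifest path
    algo="$1"
    manifest="$2"
    bad=0
    while IFS= read -r line; do
        expected="${line%%  *}"
        path="${line#*  }"
        actual=$("$algo" "$path" 2>/dev/null | cut -d' ' -f1)
        if [ "$expected" = "$actual" ]; then
            echo "OK      $path"
        else
            echo "FAILED  $path"
            bad=$((bad + 1))
        fi
    done < "$manifest"
    [ "$bad" -eq 0 ]
}

# Behaviour when launched from the Nautilus Scripts menu, mirroring the page:
# several files selected -> save a manifest in the current folder; one file
# -> show the sum in a dialog. zenity is assumed to be installed; without it
# the sum goes to stdout.
if [ -n "${NAUTILUS_SCRIPT_SELECTED_FILE_PATHS:-}" ]; then
    count=$(printf '%s\n' "$NAUTILUS_SCRIPT_SELECTED_FILE_PATHS" | grep -c .)
    if [ "$count" -gt 1 ]; then
        printf '%s\n' "$NAUTILUS_SCRIPT_SELECTED_FILE_PATHS" | write_manifest md5sum ./md5sums.txt
    else
        sum=$(printf '%s\n' "$NAUTILUS_SCRIPT_SELECTED_FILE_PATHS" | hash_files md5sum)
        if command -v zenity >/dev/null 2>&1; then
            zenity --info --text="$sum"
        else
            printf '%s\n' "$sum"
        fi
    fi
fi
```

Because the manifest uses the coreutils format, `md5sum -c md5sums.txt` checks it as well; the explicit loop in verify_manifest is there to make the comparison visible and to treat a missing file as a failure rather than an error message. Swapping md5sum for sha256sum in the two calls is all that is needed to record the stronger sum discussed above.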

Report on file types/file info

File Info

The File Info add-on to Nautilus lets the user perform a number of file-identifying tasks, including gathering metadata, extracting printable ASCII and Unicode strings, and viewing MD5 and SHA1 hash sums. To run File Info:

  1. Open Nautilus and navigate to the desired file.
  2. Right click on the file and navigate to Scripts > FileInfo.
  3. Choose the desired report in the menu. (see Figure 4)
  4. To close File Info, click the "Cancel" button.
Figure 4: Choose the desired information in the File Info menu.

Show File Details

Show the file name, size, block count, access permissions, and timestamps (see Figure 5).

  1. Open Nautilus and navigate to the desired file.
  2. Right click on the file and navigate to Scripts > File Analysis > Show File Details.
Figure 5: Use the Show File Details script to display the file name, size, permissions, and more.

Display a file in hex

  1. Open Nautilus and navigate to the desired file.
  2. Right click the file and navigate to Scripts > File Analysis > View in Hexeditor (see Figure 6).
Figure 6: Viewing a file in hex.

Live Search for Files by Name and Content

Search for files by either name or content

  1. Open the Nautilus file browser
  2. Right click anywhere within the browser and navigate to Scripts > Find Files (see Figure 7).
  3. Choose either "Find by Content" or "Find by Name", depending on your search requirements.
  4. After the find interface opens, type your search terms into the search window (see Figure 8).
Figure 7: Choose which of the Find Files options works best for your search.
Figure 8: Enter your search terms in the appropriate window.

Search for images recursively in the present directory

  1. Open the Nautilus file browser.
  2. Navigate to the top of the directory tree you would like to search. (Example: to search for all images in a user's home directory, navigate to /home/[username].)
  3. Right click anywhere within Nautilus and navigate to Scripts > Find Files > Find Images (recursively).
  4. Nautilus opens a new window showing a temporary directory that contains symbolic links to every image found under the directory you searched. The images themselves are neither copied nor modified; each link points back to the original file.
  5. Click 'No' when asked whether to delete the new temp directory, so that the links remain available for browsing (see Figure 9).
Figure 9: Click 'No' when asked if you would like to delete the temp directory.
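The "Find Images (recursively)" procedure as an added command-line example. This is not one of the BitCurator scripts; it is written for this page and shows the part the GUI hides: which files count as images, and what happens when two images in different folders share a name. The extension list is an assumption about what the real script matches, and the assumption that Nautilus runs a script with the viewed folder as its working directory is marked in the code.

```shell
#!/bin/sh
# Added example (not one of the BitCurator scripts): the command-line form of
# "Find Images (recursively)". Walks a directory tree, links every image it
# finds into a fresh temp directory and prints that directory's path. Nothing
# is copied or modified; the links point at the originals.

# Extensions treated as images. Assumption; adjust to the collection.
IMAGE_EXTS='jpg jpeg png gif bmp tif tiff'

# Print the absolute path of every image under $1, matched by extension
# (case-insensitive), one per line. Absolute paths matter: a relative path
# would make the symlinks created below dangle.
find_images() {
    root=$(cd "$1" && pwd)
    set --
    for ext in $IMAGE_EXTS; do
        set -- "$@" -o -iname "*.$ext"
    done
    shift                       # drop the leading -o
    find "$root" -type f \( "$@" \)
}

# Create a temp directory of symlinks to the images under $1 and print its
# path. Two images with the same name in different folders get distinct link
# names (a numeric suffix) instead of one silently replacing the other.
link_images() {
    tmp=$(mktemp -d "${TMPDIR:-/tmp}/images.XXXXXX")
    find_images "$1" | while IFS= read -r img; do
        name=$(basename "$img")
        target="$tmp/$name"
        i=1
        while [ -e "$target" ] || [ -L "$target" ]; do
            target="$tmp/${name%.*}_$i.${name##*.}"
            i=$((i + 1))
        done
        ln -s "$img" "$target"
    done
    printf '%s\n' "$tmp"
}

# When launched from the Nautilus Scripts menu (assumption: Nautilus runs the
# script with the viewed folder as the working directory), link the images
# under that folder and open the result in a new file-manager window.
if [ -n "${NAUTILUS_SCRIPT_CURRENT_URI:-}" ]; then
    dir=$(link_images "$PWD")
    if command -v xdg-open >/dev/null 2>&1; then
        xdg-open "$dir"
    else
        printf '%s\n' "$dir"
    fi
fi
```

Matching by extension is fast but trusts the file name; for triage of media where names may be wrong or deliberately misleading, the File Info script's metadata view (or `file --mime-type`) on the linked files is the cross-check.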

Extracting Compressed Files

  1. Open Nautilus and navigate to the archive you would like to decompress.
  2. Right click on the file that has been compressed using zip or gzip. Choose 'Open With Archive Manager'. (Note that a compressed file type such as a zip file is often referred to as an 'archive' within the Ubuntu Linux environment and technical communities.)
  3. A new window opens in which you can either browse the contents or extract them (see Figure 10). Browsing first is worthwhile for material of unknown origin: the entry names in the listing are the paths the files will be written to, and an entry with a leading '/' or a '../' component would land outside the folder you choose in step 5.
  4. Left click on the 'Extract' button to extract the contents.
  5. Navigate to the location to which you would like the files extracted using the navigation window (see Figure 11).
  6. Left click the 'Extract' button on the bottom right of the window to complete the process.
Figure 10: Either browse or extract the archive in this window.
Figure 11: Navigate to where you would like the file extracted and then click 'Extract'.
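A pre-extraction check for the archives in this section, as an added example that is not BitCurator's code. It lists an archive from the command line and flags entry names that would escape the chosen extraction folder (absolute paths, or any path component equal to ".."), which is the check worth making between steps 3 and 4 when the archive did not come from a trusted source. It assumes unzip and tar are installed; the sample listing in the test is constructed for the example.

```shell
#!/bin/sh
# Added example (not BitCurator code): list an archive and flag entries that
# would be written outside the extraction directory.

# Print an archive's entry names, one per line, chosen by extension.
# Assumes unzip and tar are installed (tar -tf also reads .tar.gz).
list_archive() {
    case "$1" in
        *.zip)                unzip -Z1 "$1" ;;
        *.tar|*.tar.gz|*.tgz) tar -tf "$1" ;;
        *.gz)                 basename "$1" .gz ;;   # gzip holds a single file
        *)                    echo "unsupported archive type: $1" >&2; return 1 ;;
    esac
}

# Read entry names on stdin and print the ones that escape the extraction
# directory: absolute paths, or any path component that is exactly "..".
# Wrapping the name in slashes lets one pattern catch ".." at the start,
# middle or end without matching harmless names like "..hidden".
unsafe_entries() {
    while IFS= read -r entry; do
        case "/$entry/" in
            //*|*/../*) printf '%s\n' "$entry" ;;
        esac
    done
}

# Succeed only if the archive could be listed and no entry is unsafe.
archive_is_safe() {
    listing=$(list_archive "$1") || return 1
    if printf '%s\n' "$listing" | unsafe_entries | grep -q .; then
        return 1
    fi
}
```

Usage: `archive_is_safe accession.zip && unzip -d extracted accession.zip`. Current versions of tar and unzip already refuse or rewrite such entries, but the listing check makes the decision explicit and records which entries were suspect, which is the record an archivist wants to keep with the accession.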

Display E01 or AFF Disk Image Metadata

One of the primary benefits of using forensic disk image formats, as opposed to a raw disk image, is that the metadata created during the imaging process is packaged with the disk image itself. That way, no matter where the disk image is moved, its metadata travels with it. This Nautilus script lets users quickly and easily view the forensic metadata associated with either an EnCase (E01) or Advanced Forensic Format (AFF) disk image.

  1. Open Nautilus and navigate to the directory containing either an AFF or E01 disk image.
  2. Right click on the disk image and navigate to Scripts > Disk Image Info > Show E01 Info (or Show AFF Info if viewing an AFF disk image; see Figure 12).
  3. A new window opens displaying the forensic metadata captured during the disk imaging process. The metadata displayed includes the case or accession number, a description of the original media, the name of the processor, the original media size, the date the disk image was created, any hashes computed during the imaging process, and more (see Figure 13). The embedded hash is the reference to compare against when you later verify that the image's contents still match what was acquired.
Figure 12: Choose either E01 or AFF depending on the disk image type.
Figure 13: Metadata about the original media, disk image, and imaging process.