
Quick Start Guide v0.9.13


Last updated: June 30, 2014

What this Document Covers

How to extract, configure, and run the BitCurator environment in a virtual machine (using VirtualBox)
Generating summary reports of file system contents and DFXML metadata that can be used to characterize the contents of disks (using BitCurator reporting tools)
Exporting file system metadata from a disk image (using fiwalk)
Locating and processing sensitive and personally identifying information within digital materials (using Bulk Extractor)
Understanding the main data elements that are generated by open source forensics tools (using DFXML)
Other useful tools included in the BitCurator environment

Things You'll Need to Get Started

A machine running a 64-bit version of Windows 7/8, Mac OS 10.9 (or newer), or a 64-bit Linux variant.
8GB RAM recommended. Running a virtual machine in VirtualBox on a host with 4GB RAM is possible, but performance will be restricted.
10GB free hard disk space minimum. 20GB is preferred; the virtual machine is about 7GB uncompressed, and configured to automatically expand in size up to 256GB.
The BitCurator VM or Live CD: http://wiki.bitcurator.net/ (Tip: The wiki also includes the latest documentation)
An up-to-date version of VirtualBox: https://www.virtualbox.org/wiki/Downloads
The VirtualBox Extension Pack (to be installed on the host system; just download and double-click on the file once you've installed VirtualBox)

Unpacking the BitCurator Virtual Machine

The BitCurator Virtual Machine is packaged as a tar archive and compressed with gzip. The file will look something like: BitCurator-0.X.X.tar.gz

On a Mac or Linux machine, you can simply double-click on the file to unpack the contents. On a Windows 7 machine, you'll need a 3rd party utility such as 7-Zip: http://www.7-zip.org/download.html
When using 7-Zip, you'll need to unpack the .tar.gz file in two steps. Right-click on the .tar.gz file and select "Extract here" to extract the .tar file. Then right-click on the .tar file and select "Extract here" again. This will extract a directory containing the BitCurator virtual machine disk image (.vdi) and configuration (.vbox) files.

The BitCurator Virtual Machine Files

Once you've unpacked the archive, you'll find a directory containing two files (versions may differ from those shown here):
BitCurator-0.X.X.vbox (the VirtualBox configuration file)
BitCurator-0.X.X.vdi (the VirtualBox disk image)
Copy this directory to a location of your choosing (inside the "VirtualBox VMs" directory in your home directory is a good place), and start up VirtualBox.
Tip: If you've never created or used a VM in VirtualBox before, you won't have a "VirtualBox VMs" directory. Don't worry; just remember where you extracted the BitCurator directory.

The Oracle VM VirtualBox Manager

Once you've installed VirtualBox and the VirtualBox extension pack, start up VirtualBox. You should see a window similar to the one shown above. If you've never used VirtualBox before, your list of machines (on the left) will be blank.
Tip: You may need to right-click on the VirtualBox icon and select "Run as Administrator". Windows machines with certain administrative controls may prevent you from accessing USB devices (or lock out control of the mouse and keyboard) otherwise.

The Oracle VM VirtualBox Manager

From the menu bar, select the menu item Machine -> Add, and navigate to the folder containing the .vbox file that you extracted. Choose that file, and the Virtual Machine should appear in the list within the manager, as shown above.

VirtualBox Manager: Configuring RAM and Processors

Click on the Settings icon, and select the System tab. You may wish to increase the RAM and number of processors dedicated to the VM depending on the hardware that you're running on. For best results, select the largest number in the green areas for each. (Your screen may look slightly different than the one shown above).

Tip: You'll need 2 or more processors assigned for VirtualBox to support drag-and-drop.

VirtualBox Manager: USB Device Capture

BitCurator depends on a VirtualBox device filter to capture USB devices. On a Macintosh host, you'll find this filter under the USB tab of the Ports icon under Settings. On a Windows host, you'll find it under its own heading, USB. You don't need to do anything here, unless you don't see an entry under USB Device Filters. If you don't see an entry, simply create a new filter by clicking on the blue icon on the right-hand side of the window.

VirtualBox Manager: Shared Folders

If you wish to move processed materials back to your host machine from the BitCurator VM, the simplest approach is to set up a shared folder that both the host and the VM can see. In the Shared Folders tab, click the folder with the green plus on it to choose a folder on your host machine to share. Important: Select "Automount" but not "Read Only". When the machine is booted, the folder will appear in the "Shared Folders and Media" folder on the desktop. Items copied to this folder will be accessible to the host machine.

Starting the BitCurator Environment

Clicking on the green Start arrow in the Oracle VM VirtualBox Manager screen will start the BitCurator environment. You'll see a startup screen, and then the BitCurator environment will boot and automatically log in.

Tips:

If you see an error message mentioning virtualization extensions, or Intel VT-x, your host machine's BIOS does not have the VT-x extensions enabled. You'll need to reboot your computer, holding down Del (or Esc, or the ThinkPad button, depending on your machine). Once you're in the BIOS, enable the Intel Virtualization Extensions.

If BitCurator fails to boot for other reasons, it may be due to a non-optimal setting detected for your particular hardware. Try powering off the virtual machine, checking your settings, and starting again. If you're still having a problem, let us know on the BitCurator users group (linked on our wiki at http://wiki.bitcurator.net/)

Starting the BitCurator Environment

The BitCurator virtual machine should log in automatically. If you log out or the machine goes to sleep, the password to log back in is bcadmin. You can also use this password to update installed software, if prompted.

Adding a Folder to Store Disk Images and Reports

Right-click anywhere on the desktop, and select "Create New Folder". A folder named "Untitled Folder" will appear on the Desktop. Click on the name and rename it to SampleData. We'll use this location to store the data for the rest of the exercise.

Getting Ready to Image Digital Media

BitCurator can be used to image a wide variety of digital media. For this example* we'll use an external USB floppy disk drive and a 3.5" FAT16 (DOS) formatted floppy disk.

Now that the VM is started up, the device will be automatically captured when plugged in.

*The process from this point on will be largely the same whether we're working with data from a CD, a floppy, a hard disk, or any other media.

Imaging the Disk

Once the drive is plugged in with the media inserted, a disk icon should appear in the menu bar on the right. The disk has not been mounted; this simply indicates that it has been recognized. Double-click on "Imaging Tools" on the Desktop, and then double-click on Guymager. The TEAC-brand floppy drive is selected in the picture above.

Entering Imaging Metadata

Right-click on the device, and select "Acquire image". We'll capture the disk image in the Expert Witness Format (the second option at the top). The remaining metadata can be entered as desired or left blank. Don't forget to select the directory we made on the desktop under "Image directory", and name the image. Then click OK.

Running the Acquisition

You'll see the main dialog state change to "Acquisition Running". When the acquisition finishes, you'll see an OK message in State. Note: The BitCurator environment runs at a resolution of 1024x768 by default. If you wish to see the whole dialog, just make the window bigger. The resolution should resize automatically.

Examining the Image

You can now exit Guymager, open up the SampleData directory we made on the desktop, and see the two files that have been produced: the .E01 image file, and a .info file specific to Guymager.

Safely removing a disk from the system

Now that the disk has been imaged, you can eject it from the system. Note that even though it's not mounted, you will still want to do this so the operating system knows it's no longer available. Right-click on the disk icon in the dock and click "Safely remove". You can now unplug your drive, or eject the disk.

Tip: Your disk icon may appear different from the one shown above.

Processing the file system, carving data, and generating reports

Double-click on the "Forensics Tools" folder, and then double-click on the "BitCurator Reporting Tool" launcher. You'll see a window pop up that should match the picture shown above.

Processing the file system, carving data, and generating reports

The "Run All" tab will allow you to carve the raw disk contents for features of interest, generate a DFXML listing of the file system hierarchy, link features to files, and generate high-level reports. Click on "Launch BEViewer" to run bulk_extractor before proceeding.

Generating Feature Reports with Bulk Extractor

BEViewer is the GUI front-end to Bulk Extractor, a tool that allows you to identify various features of interest contained within the bitstream extracted from the source media, such as SSNs, email addresses, EXIF metadata, and others.

Generating Feature Reports with Bulk Extractor

Click on the Tools menu in the top of the window, and select "Run Bulk Extractor". This will bring up a dialog that allows you to select which scanners to run, and where to generate the report directory.

Generating Feature Reports with Bulk Extractor

Using the icons to the right of the "Image File" and "Output Feature Directory" text boxes, select the image file we previously produced and tell Bulk Extractor to output the report in a new directory, bulk-extractor-output, within the SampleData directory we made previously on the desktop.

Generating Feature Reports with Bulk Extractor

Click on "Submit Run" at the bottom of the dialog, and you will see a new dialog appear, indicating the progress made so far. This may take a while for large images. Be patient! Tip: Additional processors assigned to the VM will improve performance.

Viewing the Bulk Extractor Report

Once the process has completed, the report directory will be available in the relevant location (in our case, the directory bulk-extractor-output within SampleData). The features identified can also be viewed in the main Bulk Extractor Viewer window, by clicking on the report name in the Reports subwindow. Tip: For the small disk image shown here, relatively few of the possible reports are shown. Your list may include a range of additional reports.

Processing the file system, carving data, and generating reports

With the bulk_extractor output in place, we can now run fiwalk, the annotation tool that will link bulk_extractor features to files within the file system, and the BitCurator reports, using the "Run All" tab. (Appendix A shows how to run these tools individually using the other tabs).

Processing the file system, carving data, and generating reports

Click on the box with three dots next to the "Image File" entry, and navigate to the sample image (sampleimage.E01) we created in our SampleData directory on the Desktop earlier.

Processing the file system, carving data, and generating reports

The image file you selected should now appear under the "Image File" entry.

Processing the file system, carving data, and generating reports

Follow the same process for the "Bulk Extractor Feature Directory" entry. We previously created the bulk-extractor-output directory within the SampleData directory on the desktop.

Processing the file system, carving data, and generating reports

Finally, assign an output directory for the reports that will be generated. Note that you do not need to click "Create Folder" when selecting this location. Simply navigate to the desired location (in this case, Desktop/SampleData) and type in the name of the folder you wish to store the reports in. Then, click Save.

Processing the file system, carving data, and generating reports

Now, click Run. Be patient! It may take some time for each of the steps to run on larger images. Note: If you're analyzing a raw disk image rather than a forensically-packaged one, BitCurator will not currently produce PREMIS output.

Mounting a disk image to browse the contents

BitCurator includes scripts in the context (right-click) menu that allow you to mount and unmount disk images on the Desktop. Simply right-click on the image file, and select "Mount Disk Image" or "Unmount Disk Image".

Mounting a disk image to browse the contents

You'll see a disk icon appear on the desktop corresponding to the mounted image. If a disk image does not appear on the desktop, one of two things occurred: no file system was found on the disk image, or an unrecognized file system was encountered. Remember: To unmount, right-click on the disk image, not the mounted disk icon on the desktop.

What We've Done So Far

Closing any open windows, let's open the SampleData directory on the desktop and review what we've produced so far:

A sample image (sampleimage.E01)

A fiwalk XML report (sampleimage.xml)

Bulk extractor output (in the beoutput directory)

The annotated output, linking bulk extractor features to files (in the beannotated directory)

A set of human-readable reports for our sample image (in the bcsamplereports directory)

Examining Some of the Reports

Open the BitCurator reports directory, and examine some of the files. You'll find visualizations, .xlsx transcriptions of file system metadata, high level reports on file types, and overviews of features identified by bulk extractor.

bc_format_bargraph.pdf (file) - the format histogram

bulk_extractor_report.pdf (file) - high-level overview of feature locations on disk

fiwalk_deleted_files.pdf (file) - shows paths to any deleted materials found in a given partition

fiwalk-output.xml.xlsx (file) - Excel converted DFXML output (file system metadata)

fiwalk_report.pdf (file) - high-level overview of file system characteristics

format_table.pdf (file) - long-form file format names for formats shown in bargraph

premis.xml (file) - PREMIS preservation metadata

Exporting Files from a Disk Image Using the BitCurator Reporting Tool

The "File Access" tab in the BitCurator reporting tool allows you to generate a navigable tree of the file system, select specific file items, and export them to a local folder without mounting the file system.

Exporting Files from a Disk Image Using the BitCurator Reporting Tool

Enter the full path of the image you wish to browse in the "Image File" line (or click on the button to the right of the text box for that line to navigate to the location for that image).

Exporting Files from a Disk Image Using the BitCurator Reporting Tool

Click on the button to the right of the "Output Directory" text field. The directory should point to an appropriate location to export selected contents from the disk image. To create a new directory, click on the folder in the top-right of the window with the "+" in it.

Exporting Files from a Disk Image Using the BitCurator Reporting Tool

A new window will appear entitled "Disk Image Access Interface". Navigate the file system tree in the left-hand pane, select items of interest, and export them to the folder you selected by clicking "Export". To select all items in the disk image, click "Select All". Deleted items identified in the file system are colored red.
Note: This tool uses the icat utility provided by The Sleuth Kit to extract files directly from raw and forensic disk image formats. Extracting lots of files (or large files) may take some time!

Exporting Files from a Disk Image Using the BitCurator Reporting Tool

Note: Just as with Windows Explorer and the OS X Finder, Ubuntu hides some types of directories and files from regular view in folders on the Desktop (including those where the name begins with a "."). To fully view all of your exported files, select "Show Hidden Files" from the View menu of the folder where they have been exported.

Other Tools: Identify and Delete Duplicates with FSLint

BitCurator includes FSLint*, which allows you to rapidly scan directory contents to identify duplicates, and delete selected items from the subsequent duplicate lists.

*This replaces the tool used in previous releases, DuplicatesDeletion.

Other Tools: pyExifToolGUI

BitCurator includes Harvey Van Der Wolf's pyExifToolGUI, a front-end for ExifTool, to simplify the process of viewing, editing, and manually exporting data from select images.

Other Tools: FITS

In the "Additional Tools" directory on the desktop, you will find a launcher for the (command-line-only) FITS tool for file identification and metadata export.

Other Tools: ClamTK (GUI for Clam Antivirus)

In the "Additional Tools" directory on the desktop, you will find a launcher for ClamTK, the GUI front-end to the ClamAV antivirus service. Most of the options are not located in the window that appears. Move your mouse to the top-left corner of the screen to open the scan menu, which will allow you to scan specific files, directories, mounted disks, and other devices.

Other Tools: Running fiwalk with the ClamAV plugin to identify viruses and malware (command-line only)

The fiwalk tool has a plugin architecture allowing you to run external tools over file items it identifies. In a terminal, enter the clam directory by typing:

cd Tools/clam

This directory contains a fiwalk ClamAV plugin from The Sleuth Kit (clam.sh) and the associated configuration file. You can generate fiwalk output that includes virus scan results by typing:

fiwalk -c clamconfig.txt -X /home/bcadmin/Desktop/myoutput.xml /home/bcadmin/Desktop/myimage.E01

In this example, myoutput.xml is where you'd like the DFXML output to appear, and myimage.E01 is the name of your disk image. Change these names and directory paths as needed.

File entries in the DFXML that are clean will appear as follows (at the end of each fileobject entry):
<!-- plugin_process -->
<clamav_infected>0</clamav_infected>
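Reading the scan results back out of the DFXML by eye does not scale past a handful of files, so here is a small Python script that does it for you. This is an added example, not part of the BitCurator project or this guide; it assumes only what the guide shows, namely that each fileobject carrying a plugin result ends with a clamav_infected element whose text is 0 (clean) or 1 (infected). A fileobject with no such element (the plugin was not run, or the item was not scannable) is reported as "unscanned" rather than silently counted as clean. The DFXML embedded below is constructed for the demonstration; the element names follow the fiwalk layout, the file names and values are made up.

```python
"""Summarise ClamAV plugin results in fiwalk DFXML output.

Added example (not BitCurator's own code). Assumes the layout the guide
describes: each scanned <fileobject> ends with a <clamav_infected> element
whose text is 0 (clean) or 1 (infected). Anything else, including a missing
element, is reported as "unscanned" rather than treated as clean.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample DFXML: element names follow fiwalk, values are made up.
SAMPLE_DFXML = """<?xml version="1.0" encoding="UTF-8"?>
<dfxml xmlns="http://www.forensicswiki.org/wiki/Category:Digital_Forensics_XML" version="1.0">
  <volume offset="0">
    <fileobject>
      <filename>README.TXT</filename>
      <filesize>1024</filesize>
      <!-- plugin_process -->
      <clamav_infected>0</clamav_infected>
    </fileobject>
    <fileobject>
      <filename>GAMES/SETUP.EXE</filename>
      <filesize>40960</filesize>
      <!-- plugin_process -->
      <clamav_infected>1</clamav_infected>
    </fileobject>
    <fileobject>
      <filename>$Unalloc/unalloc_1.bin</filename>
      <filesize>512</filesize>
    </fileobject>
  </volume>
</dfxml>
"""


def local(tag):
    """Strip an XML namespace prefix: '{ns}fileobject' -> 'fileobject'."""
    return tag.rsplit("}", 1)[-1]


def scan_results(dfxml_text):
    """Return a list of (filename, status) for every fileobject in the DFXML.

    status is 'clean', 'infected' or 'unscanned'. Matching on local names
    keeps this working whether or not the plugin output is namespaced.
    """
    root = ET.fromstring(dfxml_text)
    results = []
    for elem in root.iter():
        if local(elem.tag) != "fileobject":
            continue
        name = "<unnamed>"
        status = "unscanned"
        for child in elem:
            tag = local(child.tag)
            if tag == "filename":
                name = (child.text or "").strip() or name
            elif tag == "clamav_infected":
                value = (child.text or "").strip()
                status = {"0": "clean", "1": "infected"}.get(value, "unscanned")
        results.append((name, status))
    return results


def summarize(dfxml_text):
    """Return (counts per status, sorted names of infected files)."""
    results = scan_results(dfxml_text)
    counts = Counter(status for _, status in results)
    infected = sorted(name for name, status in results if status == "infected")
    return dict(counts), infected


if __name__ == "__main__":
    # Pass a real fiwalk output file (e.g. myoutput.xml) as the first argument,
    # otherwise the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_DFXML
    counts, infected = summarize(text)
    print("summary:", counts)
    for name in infected:
        print("INFECTED:", name)
```

Run it against the myoutput.xml produced by the fiwalk command above to get a count of clean, infected and unscanned entries and the names of any flagged files. The "unscanned" bucket is the one to watch: a DFXML in which most entries lack the plugin element usually means the plugin configuration was not picked up, not that the disk is clean.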

Find Updated BitCurator Information and Documentation Online

Get the software, documentation and technical specifications, and the Google Group: http://wiki.bitcurator.net/

People, project overview, and news: http://www.bitcurator.net/

APPENDIX A: Running tools individually

Producing a DFXML report of the file system contents using the fiwalk tab.

Double-click on the "Forensics Tools" folder, and then double-click on the "BitCurator Forensics GUI" launcher. You'll see a window pop up that should match the picture shown above. Select the "Fiwalk XML" tab.

Producing a DFXML report of the file system contents using the fiwalk tab.

Fiwalk needs to know where the disk image file you created is, and it needs to know where to create the DFXML output file. Click on the box with the three dots to the right of the "Image File" text edit box, and navigate to the directory containing the image we just created. Select sampleimage.E01 and click OK.

Producing a DFXML report of the file system contents using the fiwalk tab.

Now click on the box with three dots to the right of the "Output XML File" text area, and navigate to the same directory on the desktop. Type in sampleimage.xml under "Name" at the top, and click OK.

Producing a DFXML report of the file system contents using the fiwalk tab.

Your main window should now have both the "Image File" and the "Output XML File" fields filled with the appropriate locations. Click Run, and fiwalk will run.

Producing a DFXML report of the file system contents using the fiwalk tab.

The resulting DFXML file can be found in the SampleData directory we created earlier on the desktop. You can examine the contents by double-clicking on it.

Matching Features to Files

Bulk Extractor extracts these features from a disk image by scanning the raw bitstream, not by parsing the file system.

In order to determine which files these features appear within (or if they appear on an area of the disk not associated with the file system), we need to run an additional tool.

For the next step, either maximize the BitCurator GUI you minimized earlier, or restart it from the "Forensics Tools" directory on the desktop. Click on the "Annotated Features" tab.

Matching Features to Files

In order to annotate the features (that is, identify which features belong to which files within the file system) we need to know about four things:
1. Which feature reports to work from (the GUI uses all of them; if you'd like to be more selective, there is a command-line option)
2. Where the image file is
3. Where the fiwalk output is
4. Where the bulk extractor output we just created is
5. Where we want to generate the output. In this case, we're telling it to make a new directory called beannotated in our SampleData directory on the desktop.

In the following slide, we follow the same procedure for selecting these items as we did for the fiwalk tab.
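The annotation step works because the two inputs share a coordinate system: a bulk_extractor feature file records, for each hit, the byte offset in the image where it was found, and the fiwalk DFXML records, for each file, the image byte ranges (byte_run elements with img_offset and len attributes) that hold that file's data. A feature belongs to a file when its offset falls inside one of that file's runs; otherwise it sits in unallocated space or slack. The Python below is an added illustration of that join, not BitCurator's identify_filenames.py, and the DFXML and feature file it uses are constructed for the demonstration (the feature-file layout of offset, feature and context separated by tabs, with "#" header lines, is the one bulk_extractor writes). It also handles one detail a first attempt usually misses: a feature found inside decoded content is reported with a forensic path such as 65536-GZIP-120, and only the leading component is an offset in the image.

```python
"""Match bulk_extractor features to files using fiwalk DFXML byte runs.

Added example, not BitCurator's identify_filenames.py. Assumes allocated
files have non-overlapping byte runs (true for a consistent file system), so
each image offset has at most one owning file.
"""
import bisect
import xml.etree.ElementTree as ET

# Constructed DFXML: two files, one of them fragmented into two runs.
SAMPLE_DFXML = """<?xml version="1.0" encoding="UTF-8"?>
<dfxml xmlns="http://www.forensicswiki.org/wiki/Category:Digital_Forensics_XML" version="1.0">
  <volume offset="0">
    <fileobject>
      <filename>MAIL/INBOX.TXT</filename>
      <byte_runs>
        <byte_run file_offset="0" img_offset="16384" len="4096"/>
        <byte_run file_offset="4096" img_offset="32768" len="2048"/>
      </byte_runs>
    </fileobject>
    <fileobject>
      <filename>DOCS/NOTES.DOC</filename>
      <byte_runs>
        <byte_run file_offset="0" img_offset="65536" len="8192"/>
      </byte_runs>
    </fileobject>
  </volume>
</dfxml>
"""

# Constructed bulk_extractor feature file in the email.txt layout:
# forensic path, feature, context, separated by tabs; "#" lines are headers.
SAMPLE_FEATURES = """# BANNER FILE NOT PROVIDED (-b option)
# Feature-Recorder: email
# Feature-File-Version: 1.1
16500\tbob@example.org\tFrom: bob@example.org\\x0a
34000\talice@example.org\tAlice <alice@example.org>
65536-GZIP-120\tcarol@example.org\tto carol@example.org
99000\tmallory@example.org\tmallory@example.org in free space
"""


def local(tag):
    """Strip an XML namespace prefix: '{ns}byte_run' -> 'byte_run'."""
    return tag.rsplit("}", 1)[-1]


def load_byte_runs(dfxml_text):
    """Return [(img_offset, end_exclusive, filename), ...] sorted by offset."""
    runs = []
    root = ET.fromstring(dfxml_text)
    for fo in root.iter():
        if local(fo.tag) != "fileobject":
            continue
        name = next((c.text.strip() for c in fo if local(c.tag) == "filename"), "<unnamed>")
        for br in fo.iter():
            if local(br.tag) == "byte_run" and "img_offset" in br.attrib:
                start = int(br.attrib["img_offset"])
                runs.append((start, start + int(br.attrib["len"]), name))
    runs.sort()
    return runs


def outer_offset(forensic_path):
    """'65536-GZIP-120' -> 65536: only the leading component is an image offset."""
    return int(forensic_path.split("-", 1)[0])


def parse_features(text):
    """Yield (forensic_path, feature) for each data line of a feature file."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) >= 2:
            yield fields[0], fields[1]


def annotate(dfxml_text, feature_text):
    """Return [(forensic_path, feature, owning filename or None), ...]."""
    runs = load_byte_runs(dfxml_text)
    starts = [start for start, _, _ in runs]
    annotated = []
    for path, feature in parse_features(feature_text):
        off = outer_offset(path)
        i = bisect.bisect_right(starts, off) - 1  # last run starting at or before off
        owner = runs[i][2] if i >= 0 and off < runs[i][1] else None
        annotated.append((path, feature, owner))
    return annotated


if __name__ == "__main__":
    for path, feature, owner in annotate(SAMPLE_DFXML, SAMPLE_FEATURES):
        print(f"{path:>16}  {feature:<22}  {owner or '(not in any file)'}")
```

In the sample, two addresses land in the fragmented INBOX.TXT (one in each run), the GZIP-decoded hit resolves to NOTES.DOC through its outer offset, and the last one falls outside every run, which is exactly the "area of the disk not associated with the file system" case the guide mentions. Those unowned features are often the more interesting ones for a collection review, since they come from deleted or never-catalogued content.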

Matching Features to Files

In the screenshot shown above, we've selected the existing image file, the existing bulk extractor output directory, and named a new directory within the SampleData directory on the desktop for the annotated features. (All of these steps were performed by bringing up the relevant file dialogues for each selection by clicking on the grey boxes with three dots to the right of each text box). Note: The "Bulk Extractor python directory" can be left unmodified.

Matching Features to Files

Click Run, and the tool will run. Scroll down in the "Command Line Output" window and you should see a "Success" message as indicated above.

Generating BitCurator Forensic Reports

Now that we have a disk image, an XML representation of the file system contents, a directory of feature files, and a set of reports that match features to filenames, we can run the BitCurator reporting tool.

Click on the "Reports" tab in the BitCurator GUI.

The Generate Report program needs to know about four things:
1. Where the fiwalk output is
2. Where the annotated bulk extractor report directory is (we generated this in the previous step)
3. Where we want to generate the output.

Generating BitCurator Forensic Reports

As in the steps for the previous tabs, use the grey squares to select the fiwalk XML file that we created in the SampleData directory, the annotated features directory, and finally to specify a new output directory for the BitCurator reports. In the image above, we've chosen to place this new directory in SampleData, and call it bc-reports.

Generating BitCurator Forensic Reports

Click Run, and you will see output appear in the "Command Line Output" box indicating success or notifying you of an error.

APPENDIX B: Using these tools via the command-line

B1. Fiwalk: Producing a DFXML report of the File System Contents

The fiwalk program really only needs to know three things:
1. Whether you want to run file to identify the file formats in the file system (the -f option)
2. The name of the DFXML file that will be produced (-X, followed by the file path)
3. The name of the image to process.

The command to run is shown below (the ~/ at the beginning of each path just tells the program to start looking for these folders in the user's home directory)

B2. identify_filenames.py: Matching Features to Files

The Identify Filenames program needs to know about four things:
1. Which feature reports to work from (here we've used the --all flag to tell it to use all of them)
2. Where the image file is (--image_filename [FILE LOCATION])
3. Where the fiwalk output is (--xmlfile [FILE LOCATION])
4. Where the bulk extractor output is (just the location)
5. Where we want to generate the output. In this case, we're telling it to make a new directory called beannotated in our SampleData directory on the desktop.

B3. BitCurator reporting: Running the Report Generator

The Generate Report program needs to know about four things:
1. Where the fiwalk output is (--fiwalk_xmlfile [FILE LOCATION])
2. Where the annotated bulk extractor report directory (the one we generated in the last step) is (--annotated_dir [DIRECTORY LOCATION])
3. Where we want to generate the output. In this case, we're telling it to make a new directory called bcsamplereports in our SampleData directory on the desktop.

Finally, we'll get a couple of prompts for configuration. We'll use the defaults for now (typing Y and enter for the first prompt, and simply hitting enter for the second)
