The analysis phase of the digital forensic investigative process is very complex. This phase grows more complicated as the size and ubquity of digital devices increases. There are many tools aimed at assisting the investigator in the extraction of digital evidence; however, very few aimed at analyzing the evidence. sherlock is an open-source forensic toolkit for analyzing digital evidence. sherlock enables investigators to identify, correlate and reason about evidence.
Requires Python 2.7.14 or above
apt install python3
apt install python-pip
pip install -r requirements.txt
Install python 2 using the Homebrew package manager (https://brew.sh):
brew install python2
Verify that the python2 alias is the same as the version installed with Homebrew:
Python2 —version
If not, link them:
brew unlink python2 && brew link python2
Optionally, point the python alias to python2. This method can also be used to easily switch between python 2 and 3 https://stackoverflow.com/a/43354441
Install Graphviz:
Brew install Graphviz
Install Pygraphviz:
pip install pygraphviz --install-option="--include-path=/usr/local/include/graphviz/" --install-option="--library-path=/usr/local/lib/graphviz"
Install pkg-config:
pip install pkg-config
Navigate to sherlock/server and install requirements:
pip install -r requirements.txt
Download and install python 2.7.14 from https://www.python.org/downloads/release/python-2714/
Follow these instructions to add it to your path and verify installation: https://edu.google.com/openonline/course-builder/docs/1.10/set-up-course-builder/check-for-python.html
Follow these instructions to add pip: https://dev.to/el_joft/installing-pip-on-windows
Download and install the Microsoft Visual C++ Compiler for Python 2.7 from https://www.microsoft.com/en-us/download/details.aspx?id=44266
In a command prompt window, run:
pip install scipy
pip install scikit-learn
Follow the steps here: https://stackoverflow.com/a/44009261 with the following modifications:
for step 2: the file you want is pygraphviz‑1.3.1‑cp27‑none‑win32.whl unless you have an amd processor: pygraphviz‑1.3.1‑cp27‑none‑win_amd64.whl
for step 4: run the command pip install pygraphviz-1.3.1-cp27-none-win.whl
if you do not have an amd processor
Navigate to sherlock/server and install requirements:
pip install -r requirements.txt
Coming Soon
Coming Soon
python sherlock.py
Output:
- Observe Evidence
- Formulate Hypotheses
- Evaluate Hypotheses
- Exit
Choose a Phase: 1
Enter 1 into the prompt
Output:
Enter Filename: example.txt
Enter example.txt into the prompt, Need to give the full path information for this prompt
Output:
[1, 3, 4]
[0.666666. 0.222222. 0.111111]
This information is important for the determination of likelihood of a hypothesis. There is more information in the folder data
- Observe Evidence
- Formulate Hypotheses
- Evaluate Hypotheses
- Exit
Choose a Phase: 2
Enter 2 into the prompt
Output:
Enter Source Node of your Hypothesis: explorer.exe
Enter explorer.exe into the prompt
Output:
[('explorer.exe', 'AcroRd32.exe'), ('AcroRd32.exe', 'notepad.exe'), ('AcroRd32.exe', '192.168.1.115')] [('explorer.exe', 'firefox.exe'), ('firefox.exe', 'Dropbox'), ('firefox.exe', '54.201.155.11'), ('firefox.exe', '23.209.190.51')]
This is a link of paths in the graph, for example (explorer.exe - AcroRd32.exe - notepad.exe), means GUI opened a PDF document and opened notepad application.
- Observe Evidence
- Formulate Hypotheses
- Evaluate Hypotheses
- Exit
Choose a Phase: 3
Enter 3 into the prompt
Enter Source Node of your Hypothesis: explorer.exe
Enter Target Node of your Hypothesis: 192.168.1.115
explorer.exe 0.2222222 AcroRd32.exe 0.2222222 192.168.1.115 0.6666667
This are the likelihoods for each individual piece of evidence.
- Observe Evidence
- Formulate Hypotheses
- Evaluate Hypotheses
- Exit
Choose a Phase: 4
Done!
Review on the techniques used by this tool:
Exploring Digital Evidence with Graph Theory
Towards Sound Analysis of Computer Evidence