FIMETIS (FIlesystem METadata analysIS) is a web application for the analysis of file system metadata. When introduced to the forensic investigation workflow, the tool helps cybersecurity experts quickly identify signs of the incident that the attacker left on storage media. Only file system metadata are used for the analysis to protect privacy and reduce the amount of data.
SERVICE DESCRIPTION
The FIMETIS tool was designed primarily to support the following analytical tasks and functions:
- Exploration of the file system structure: The tool supports analysts in efficiently switching between different parts of the file system and narrowing the area of interest by offering filtering functions that would localize the data by various aspects and meanings encoded in the available file system metadata.
- Exploration of temporal relationships: Disk snapshots have strong temporal characteristics -- each record carries the timestamp of the last manipulation, e.g., creation, modification, or access. The tool therefore provides a scalable temporal view of the data with efficient filtering and zooming that preserves time coherence.
- Predefined clusters: Some combinations of file location and attributes can be considered unusual or deserving an analyst's attention, for example publicly writable files or directories, hidden files outside of users' homes, executables with administrator privileges, or files masking their names (e.g., a binary file with a .txt extension or a name consisting only of white space). The tool provides multiple predefined views (called clusters) of EXT file system metadata to localize such typical situations quickly. New clusters can be defined easily in the GUI by combining location paths and attributes.
- Discontinuous analysis: Analysts can upload and manage multiple disk snapshots (file system metadata); a command-line tool for creating the snapshots is available. Because an investigation can take a long time, fluent iterative data exploration is supported, including the ability to interrupt the analysis or switch between data sources and then return smoothly.
- Intuitiveness: All operations are available online via web GUI. Two versions of the user interface are supported that can be switched at any time: basic and advanced dashboard. The latter provides broader functionality.
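The cluster and temporal-view ideas above can be illustrated with a small script. This is an added example written for this page, not FIMETIS code, and it does not use the FIMETIS snapshot format: the record fields (path, mode, uid, mtime, magic) and the sample snapshot are constructed assumptions. Each cluster is a location prefix combined with an attribute test, which is the same combination the page describes for user-defined clusters; the "masked name" test needs a file-type hint, which the example assumes is carried in an extra "magic" field.

```python
import posixpath
import stat
from datetime import datetime

# Constructed sample snapshot: one dict per file system entry.
# Field names are assumptions for this example, not the FIMETIS schema.
SAMPLE_RECORDS = [
    {"path": "/etc/passwd",           "mode": 0o100644, "uid": 0,    "mtime": "2024-03-01T10:00:00Z", "magic": "text"},
    {"path": "/home/alice/.bashrc",   "mode": 0o100644, "uid": 1000, "mtime": "2024-02-20T08:30:00Z", "magic": "text"},
    {"path": "/tmp/.x/payload",       "mode": 0o100755, "uid": 1000, "mtime": "2024-03-05T02:13:00Z", "magic": "ELF"},
    {"path": "/usr/local/bin/helper", "mode": 0o104755, "uid": 0,    "mtime": "2024-03-05T02:15:00Z", "magic": "ELF"},
    {"path": "/var/www/uploads",      "mode": 0o040777, "uid": 33,   "mtime": "2024-01-10T12:00:00Z", "magic": "dir"},
    {"path": "/var/tmp/   ",          "mode": 0o100644, "uid": 1000, "mtime": "2024-03-05T02:20:00Z", "magic": "text"},
    {"path": "/var/tmp/notes.txt",    "mode": 0o100644, "uid": 1000, "mtime": "2024-03-05T02:21:00Z", "magic": "ELF"},
]


def _name(rec):
    return posixpath.basename(rec["path"])


def world_writable(rec):
    """Publicly writable file or directory (other-write bit set)."""
    return bool(rec["mode"] & stat.S_IWOTH)


def hidden_outside_home(rec):
    """Any dot-prefixed path component, unless the entry lives under /home/."""
    parts = rec["path"].split("/")[1:]
    return any(p.startswith(".") for p in parts) and not rec["path"].startswith("/home/")


def setuid_root_executable(rec):
    """Regular file owned by uid 0 with the setuid bit set."""
    m = rec["mode"]
    return stat.S_ISREG(m) and rec["uid"] == 0 and bool(m & stat.S_ISUID)


def masked_name(rec):
    """Name made only of white space, or a .txt name on an ELF binary (assumed 'magic' field)."""
    name = _name(rec)
    if name.strip() == "":
        return True
    return name.lower().endswith(".txt") and rec.get("magic") == "ELF"


# A cluster = optional location prefixes + an attribute predicate.
CLUSTERS = {
    "world-writable": (None, world_writable),
    "hidden-outside-home": (None, hidden_outside_home),
    "setuid-root-executable": (("/usr/", "/bin/", "/sbin/"), setuid_root_executable),
    "masked-name": (("/tmp/", "/var/tmp/"), masked_name),
}


def run_clusters(records, clusters=CLUSTERS):
    """Return {cluster name: [paths]} for every record matching a cluster."""
    hits = {name: [] for name in clusters}
    for rec in records:
        for name, (prefixes, predicate) in clusters.items():
            if prefixes and not rec["path"].startswith(prefixes):
                continue
            if predicate(rec):
                hits[name].append(rec["path"])
    return hits


def _parse_ts(s):
    # ISO 8601 with a trailing Z; rewritten so fromisoformat accepts it on older Pythons
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def filter_by_time(records, start, end):
    """Temporal view: records whose mtime lies in [start, end], in time order."""
    lo, hi = _parse_ts(start), _parse_ts(end)
    return sorted((r for r in records if lo <= _parse_ts(r["mtime"]) <= hi),
                  key=lambda r: _parse_ts(r["mtime"]))


if __name__ == "__main__":
    for cluster, paths in run_clusters(SAMPLE_RECORDS).items():
        print(f"{cluster}: {paths}")
    window = filter_by_time(SAMPLE_RECORDS, "2024-03-05T02:00:00Z", "2024-03-05T03:00:00Z")
    print("changed in window:", [r["path"] for r in window])
```

Running the script lists each cluster's hits and then narrows the snapshot to a one-hour window, which is the same two-step workflow (attribute cluster, then time focus) the page describes for localizing attacker activity.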
CASE EXAMPLES
Analysing a file system impacted by a security incident: identifying data created or modified by the attacker.
LINKS
Contact - https://crp.kypo.muni.cz/#contact