Comprehensive Guide on Autopsy Tool (Windows)

Autopsy is an open-source tool that is used to perform forensic operations on the disk image of the evidence. The forensic investigation that is carried out on the disk image is displayed here. The results obtained here are of help to investigate and locate relevant information. This tool is used by law enforcement agencies, local police and can also be used in the corporates to investigate the evidence found in a computer crime. It can likewise be utilized to recuperate information that has been erased.

Table of Contents

·       Creating a New Case

·       Data Sources

·       Views

1.    File Type

2.     MIME-type

·       Deleted Files

·       MB File size

·       Results

1.    Extracted Content

2.    Keyword Hits

·       Timeline

·       Discovery

·       Images/Videos

·       Add File Tags

·       Generate Reports

 

So, let us get started! Download the Autopsy Tool from here.

Creating a new Case

Run the Autopsy tool on your Windows Operating System and click on “New Case” to create a new case.



Then fill in all the necessary case information like the case name and choose a base directory to save all the case data in one place.



You can also add additional optional information about the case if required.



Now let us add the type of data source. There are various types to choose from.

Disk Image or VM file:  This includes the image file which can be an exact copy of a hard drive, media card, or even a virtual machine.

Local Disk: This option includes devices like Hard disk, Pen drives, memory cards, etc.

Logical Files: It includes the image of any local folders or files.

Unallocated Space Image File: They include files that do not contain any file system and run with the help of the ingest module.

Autopsy Logical Imager Results: They include the data source from running the logical imager.

XRY Text Export: This includes the data source from exporting text files from XRY,

 

 



Now let us add the data source. Here we have a previously created image file, so we will add the location of that file.



Next, you will be prompted to Configure the Ingest Module.



The contents of the Ingest module are listed below:



Data Source information displays basic metadata. Its detailed analysis is displayed at the bottom. It can be extracted one after the other.




Views

File Type: It can be classified in the form of File extension or MIME type.

It provides information on file extensions that are commonly used by the OS whereas MIME types are used by the browser to decide what data to represent. It also displays deleted files.

Note: These file types can be categorized depending on Extension, Documents, Executables.





By Extension

In the category Filetypes by extension and you can see that this has been sub-divided into file types like images, video, audio, archives, databases, etc.





Let us click on images and explore the images that have been recovered.



We can also view the thumbnail of the images.





On viewing the thumbnail, you can view the file metadata and details about the image.





Here we can also view a few audio files that have been recovered. We can extract these files from the system and hear to them using various software.





Documents

The documents are categorized into 5 types: HTML, office, PDF, Plain Text, Rich Text.

On exploring the documents option, you can see all the HTML documents present, you can click on the important ones to view them.





On exploring the PDF option, you can also find the important PDF in the disk image.





Similarly, the various Plain text files can also be viewed. You can also recover deleted plain text files.





Executables

These file types are then sub-divided into .exe, .dll, .bat, .cmd and .com.

 




BY MIME TYPE

In this type of category, there are four sub-categories like application, audio, image, and text. They are divided further into more sections and file types.





 

Deleted Files:  It displays information about the deleted file which can be then recovered.





MB Size Files:  In this, the files are categorized based on their size starting from 50MB. This allows the examiner to look for large files.

 




Results:

In this section, we get information about the content that was extracted.

Extracted Content: All the content that was extracted, is segregated further in detail. Here we have found metadata, Recycle Bin, and web downloads. Let us further view each one of them.





Metadata: Here we can view all the information about the files like the date it was created, to was modified, file's owner, etc.

 

Recycle Bin: The files that were put in the recycle bin are found in this category.




Web Downloads: Here you can see the files that were downloaded from the internet.




Keyword Hits:  In this, any specific keywords can be looked up for in the disk image. The search can be conducted concerning the Exact match, Substring matches, Emails, Literal words, Regular expressions, etc.



 

You can view the available email addresses.






You can choose to export into a CSV format.





Timeline

By using this feature you can get information on the usage of the system in a statistical, detailed, or list form.

 







Discovery

 This option allows finding media using different filters that are present on the disk image.



According to the selected options, you can get the desired results.




Images/Videos

 This option is to find images and videos through various options and multiple categories




Add File Tag

 Tagging can be used to create bookmarks, follow-up, mark as any notable item, etc.





Now when you see the tags options, you will see that files were tagged according to various categories.




Generate Report

Once the investigation is done, the examiner can generate the report in various formats according to his preference.




Check the data source whose report needs to be generated.




Here we chose to create the report in HTML format.




Kudos! Your Autopsy Forensic Report is ready!



0 comments:

Post a Comment