Comprehensive Guide on Autopsy Tool (Windows)

Autopsy is an open-source tool that is used to perform forensic operations on the disk image of the evidence. The forensic investigation that is carried out on the disk image is displayed here. The results obtained here are of help to investigate and locate relevant information. This tool is used by law enforcement agencies, local police and can also be used in the corporates to investigate the evidence found in a computer crime. It can likewise be utilized to recuperate information that has been erased.

Table of Contents

·       Creating a New Case

·       Data Sources

·       Views

1.    File Type

2.     MIME-type

·       Deleted Files

·       MB File size

·       Results

1.    Extracted Content

2.    Keyword Hits

·       Timeline

·       Discovery

·       Images/Videos

·       Add File Tags

·       Generate Reports

 

So, let us get started! Download the Autopsy Tool from here.

Creating a new Case

Run the Autopsy tool on your Windows Operating System and click on “New Case” to create a new case.

Then fill in all the necessary case information like the case name and choose a base directory to save all the case data in one place.

You can also add additional optional information about the case if required.

Now let us add the type of data source. There are various types to choose from.

Disk Image or VM file:  This includes the image file which can be an exact copy of a hard drive, media card, or even a virtual machine.

Local Disk: This option includes devices like Hard disk, Pen drives, memory cards, etc.

Logical Files: It includes the image of any local folders or files.

Unallocated Space Image File: They include files that do not contain any file system and run with the help of the ingest module.

Autopsy Logical Imager Results: They include the data source from running the logical imager.

XRY Text Export: This includes the data source from exporting text files from XRY,

 

 

Now let us add the data source. Here we have a previously created image file, so we will add the location of that file.

Next, you will be prompted to Configure the Ingest Module.

The contents of the Ingest module are listed below:

Data Source information displays basic metadata. Its detailed analysis is displayed at the bottom. It can be extracted one after the other.

Views

File Type: It can be classified in the form of File extension or MIME type.

It provides information on file extensions that are commonly used by the OS whereas MIME types are used by the browser to decide what data to represent. It also displays deleted files.

Note: These file types can be categorized depending on Extension, Documents, Executables.

By Extension

In the category Filetypes by extension and you can see that this has been sub-divided into file types like images, video, audio, archives, databases, etc.

Let us click on images and explore the images that have been recovered.

We can also view the thumbnail of the images.

On viewing the thumbnail, you can view the file metadata and details about the image.

Here we can also view a few audio files that have been recovered. We can extract these files from the system and hear to them using various software.

Documents

The documents are categorized into 5 types: HTML, office, PDF, Plain Text, Rich Text.

On exploring the documents option, you can see all the HTML documents present, you can click on the important ones to view them.

On exploring the PDF option, you can also find the important PDF in the disk image.

Similarly, the various Plain text files can also be viewed. You can also recover deleted plain text files.

Executables

These file types are then sub-divided into .exe, .dll, .bat, .cmd and .com.

 

BY MIME TYPE

In this type of category, there are four sub-categories like application, audio, image, and text. They are divided further into more sections and file types.

 

Deleted Files:  It displays information about the deleted file which can be then recovered.

MB Size Files:  In this, the files are categorized based on their size starting from 50MB. This allows the examiner to look for large files.

 

Results:

In this section, we get information about the content that was extracted.

Extracted Content: All the content that was extracted, is segregated further in detail. Here we have found metadata, Recycle Bin, and web downloads. Let us further view each one of them.

Metadata: Here we can view all the information about the files like the date it was created, to was modified, file's owner, etc.

 

Recycle Bin: The files that were put in the recycle bin are found in this category.

Web Downloads: Here you can see the files that were downloaded from the internet.

Keyword Hits:  In this, any specific keywords can be looked up for in the disk image. The search can be conducted concerning the Exact match, Substring matches, Emails, Literal words, Regular expressions, etc.

 

You can view the available email addresses.

You can choose to export into a CSV format.

Timeline

By using this feature you can get information on the usage of the system in a statistical, detailed, or list form.

 

Discovery

 This option allows finding media using different filters that are present on the disk image.

According to the selected options, you can get the desired results.

Images/Videos

 This option is to find images and videos through various options and multiple categories

Add File Tag

 Tagging can be used to create bookmarks, follow-up, mark as any notable item, etc.

Now when you see the tags options, you will see that files were tagged according to various categories.

Generate Report

Once the investigation is done, the examiner can generate the report in various formats according to his preference.

Check the data source whose report needs to be generated.

Here we chose to create the report in HTML format.

Kudos! Your Autopsy Forensic Report is ready!

Forensic Investigation Using: Volatility Workbench

Volatility Workbench is a GUI version of one of the most popular tool Volatility for analyzing the artifacts from a memory dump. It is available free of cost, open-source, and runs on the Windows Operating system. You can download it from Here.

You can refer to the previous  article Memory Forensics : Using Volatility from here, 

Table of Contents

·        Features of Volatility Workbench

·        Volatility Commands

o   Hunting rootkits and malicious code

o   Malfind

o   Psxview

o   Timers

o   Getsids

o   Cmdscan

o   Consoles

o   Privs

o   Envars

o   Verinfo

o   Memmap

o   Vadinfo

o   Vadwalk

o   Vadtree

o   Iehistory

o   Modules

o   SSDT

o   Driverscan

o   File Scan

o   Mutant scan

o   Thrdscan

o   Netscan

o   Hivescan

o   Hivelist

o   Printkey

o   Hashdump

o   Lsadump

o   Shellbags

o   Getservicesids

o   Getservicesids

o   Dumpregistry

o   Mbrparser

o   Mftparser

o    

 

 

Features of Volatility Workbench

1.       A forensic investigator does not have to worry about remembering the parameters of the command line.

2.       It has made it easier to store dump information to a file on disk.

3.       There is a drop-down list that contains the commands and its brief description.

4.       It records the time stamp of the commands that were previously executed.

Download the tool and run it. Now choose the dump file that you have previously created and select the profile of the image that was created which could be used in place of imageinfo command. Now click on Refresh Process List and you can run all the commands.

Hunting rootkits and malicious code

It tends to run a scan on the memory dump and looks around for the presence of a rootkit or a malicious code that would not be easily seen in the system but could be running in the background.

Malfind

It is a command which helps in finding a hidden code or a code that has been injected into the user’s memory. It doesn’t generally detect the presence of a DLL in a process but instead locates them.

 

psxview

This command usually helps in discovering any hidden processes in the plugin present in the memory dump.

 

Timers

It displays the timer of the kernel and all the associated timers present in the memory dump of the system.

Getsids

This command can be used to view the Security Identifiers that are associated with a particular process. With the help of this command, you can identify if any malicious process has taken any privilege escalation.

Cmdscan

This plugin helps in searching the memory dump for the command the user must have used the cmd.exe application. This command is highly used if the attacker’s command activity is to be traced.

Consoles

This command is similar to cmdscan and helps to find if the attacker had typed anything in cmd or had executed anything via the backdoor.

 

Privs

This command displays the privileges assigned to the processes that are enabled or not enabled by default.

Envars

This command displays all the variables in the process, its environment along with its current directory.

Verinfo

This command displays the version information that is present in the PE files. It helps identify any binaries and also correlates with other files.

 

Memmap

This command shows the exact pages that are present on the page of a specific process. It also shows the virtual address of the page and the size of its page.

Vadinfo

This command usually displays information about a particular process’s VAD nodes. It displays the VAD Flags control flags, VAD tags.

Vadwalk

It is a command that is used to display all the VAD nodes in a tabular form.

Vadtree

This process displays the VAD nodes in a tree form.

iehistory

This Plugin helps in recovering the fragments of the Internet explore history index.dat named cache files. It displays FTP and HTTP links that were accessed, links that were redirected, any deleted entries.

 

Modules

This command is used to list the kernel drivers that are present in the system.

SSDT

This command is used to list the functions present in the original and GUI SSDTs. It displays the index, the name of the function, and the owner of the driver of each entry in the SSDT.

 

Driverscan

This command can be used to find the DRIVER_OBJECT present in the physical memory by making use of a pool tag scan.

File Scan

This command can be used to find File_object that is present in the physical memory by making use of a pool tag scan. This command will help in finding open files in the system dump even if they are hidden with the help of rootkit,

Mutant scan

This command is used to scan the physical memory of kmutant objects by making use of pool tag scanning. 

Thrdscan

This command is used to find the ethread objects that are present in the physical memory with the help of a pool tag scan. It contains certain fields that can identify its parent processes which can help in finding hidden processes.

Netscan

This plugin helps in finding network-related artifacts present in the memory dump. It makes use of pool tag scanning. This plugin finds all the TCP endpoints, TCP listeners, UDP endpoints, and UDP listeners. It provides details about the local and remote IP and also about the local and remote port

Hivescan

This command is used to find the physical address of the registry hives that are present in the memory. It is there to support the hivelist.

 

Hivelist

This command can be used to locate the virtual addresses present in the registry hives in memory, and their entire paths to hive on the disk.

 

                                                                                                            

Printkey

This command is used to display the values, data, subkeys, and data types that are present in a specified registry.

Hashdump

This command can be used to extract and decrypt cached domain credentials stored in the registry which can be availed from the memory dump. The hashes that are availed from the memory dump can be cracked using John the Ripper, Hashcat, etc

Lsadump

This command is used to dump LSA secrets from the registry in the memory dump. This plugin gives out information like the default password, the RDP public key, etc. 

 

Shellbags

This command usually parses and prints the shellbag information that is obtained from the registry.

Getservicesids

This command does the work of calculating the SIDz for the services that are present on the machine. The name of the services has been taken from the registry.

Dumpregistry

This plugin allows one to dump a registry hive into a disk location.

Mbrparser

This command scans and parses potential MBR from the memory dump. There are various ways to find MBR and the way of filtering it.

Mftparser

This command is used to scan the MFT entries in the memory dump and prints out the information for certain types of file attributes.