A detailed guide to Autopsy

Autopsy is an open source software that is used to perform forensic operations on hard drives and smartphones.

This tool is used:

  • law enforcement
  • local police
  • corporate security departments

The main purpose of the program is to investigate evidence of cybercrimes, but Autopsy can also be used to recover deleted information.

Content:

  • Creating a new project
  • Data sources
  • View content
    • File types:
      • By extension
      • Documents
      • Executable files
    • By MIME types
  • Deleted files
  • Files by size
  • Results
    • Extracted content
      • Metadata
      • Basket
      • Internet downloads
    • Keywords
  • Timeline
  • Discovery
  • Images / Videos
  • Tagging
  • Report generation

First thing download Autopsy

Creating a new project

Launch Autopsy on Windows and click “New Case”.

We enter the name of the project, and also select the base directory so that all data is stored in one place.

Additional information can be added as needed.

Data sources

Now let’s add the data source type. There are different types to choose from:

  • Disk Image or VM file: this includes an image file that can be an exact copy:
    • hard disk
    • memory cards
    • virtual machine
  • Local Disk: this parameter enables devices such as:
    • HDD
    • USB drives
    • memory cards, etc.
  • Logical Files: images of any local directories or files.
  • Unallocated Space Image File: files run by the Ingest module.
  • Autopsy Logical Imager Results: data source from the logical disk partition scanner.
  • XRY Text Export: data source from export of text files from XRY.

Now let’s add a data source. In this case, we will choose a pre-prepared image.

You will then be prompted to configure the Ingest module.

The content of the Ingest module is shown below:

Data source information displays basic metadata. Its detailed analysis is displayed below. It can be removed one by one.

View content

File types

File types can be classified by the file extension form or MIME type.

Autopsy provides information on file extensions that are typically used by the OS, whereas MIME types are used by the browser to decide what data to present. Deleted files are also displayed.

File types can be categorized based on:

  • extensions
  • documents
  • executable files

By extension

In the category of files by extension, you can see that they have been categorized into file types such as:

  • Images
  • Video
  • Audio
  • Archives
  • Databases, etc.

Let’s examine the images that have been recovered.

We can also view thumbnails of images.

When viewing a thumbnail, you can examine the file’s metadata and detailed information about the image.

In addition, there is an opportunity to watch several recovered audio files, which can be extracted from the system and listened to using various programs.

Documents

Documents are divided into 5 types:

  • Html
  • Office
  • PDF
  • plain text
  • formatted text

By examining the documents option, you can see all the HTML documents that are available. The most important ones can be opened and viewed.

By examining the PDF option, you can find an important PDF in the disk image.

Likewise, you can view various text files.

Deleted text files can be recovered.

Executable files

These file types are divided into:

  • .exe
  • .dll
  • .bat
  • .cmd
  • .com

By MIME types

There are four subcategories here:

  • Applications
  • Audio files
  • Images
  • Text files

They are divided into several sections and file types.

Deleted files

Deleted Files: Displays information about the deleted file, which can then be restored.

Files by size

MB Size Files: files are classified here based on their size, starting at 50 MB. This allows the researcher to search for large files.

Results

In this section, we get information about the extracted content.

Extracted content

Extracted Content: All extracted content is further refined. In our case, we found:

  • metadata
  • basket
  • downloads from the internet

Let’s take a closer look at each of them.

Metadata: here we can view all information about files such as:

  • creation date
  • change date
  • the owner of the file, etc.

Recycle bin: This category contains files placed in the trash can.

Web Downloads: Here you can see the files that were downloaded from the Internet.

Keywords

Keyword Hits: In this case, any specific keywords can be found in the disk image. The search can be carried out by:

  • exact match
  • emails
  • regular expressions, etc.

You can view the available email addresses.

You can choose to export to CSV format.

Timeline

Using this function, you can get information about the use of the system in the following forms:

  • statistical
  • detailed
  • the list



Discovery

This option allows you to find media using various filters that are present in the disk image.

For the selected parameters, you can get the desired result.

Images / Videos

This option is for searching images and videos using various options and several categories.

Tagging

Tagging is used for:

  • creating bookmarks
  • tracking
  • tagging any noteworthy item, etc.

Now that the tag options are visible, it is clear that the files have been tagged in different categories.

Report generation

After completing the investigation, the expert can compile the report in various formats at his discretion.

Check the data source for which you want to create a report.

Here we have chosen to generate an HTML report.

Our forensic report is ready!

image

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *