Autopsy is an open-source digital forensics tool developed by Basis
Technology, first released in 2000. It is free to use and quite efficient
for hard drive investigation, with features such as multi-user cases,
timeline analysis, registry analysis, keyword search, email analysis, media
playback, EXIF analysis, malicious file detection, and much more.
Start a new case in Autopsy
Step 1: Select New Case from the Autopsy menu.
[Figure: New Case Option]
Step 2: Provide the Case Name as well as the location where the case
file will be saved. After completing these details click on Next.
[Figure: Folder location to save case files]
Step 3: Include the Case Number as well as the Examiner's information
and then click on Finish.
[Figure: Details of case]
Step 4: Select the appropriate data source type (we have used a Disk
Image for demonstration purposes) and then click on Next.
[Figure: Selecting Data Source]
Data sources Autopsy supports:
- Disk Image or VM File: A file that is a byte-for-byte copy of a hard drive or media card, or a virtual machine image.
- Local Disk: Local storage devices such as a local drive, USB-attached drive, etc.
- Logical Files: Local files or folders.
- Unallocated Space Image Files: Any type of file that does not contain a file system but that you want to run through ingest.
- Autopsy Logical Imager Results: The results of running the logical imager can be added to a case using this type of data source.
- XRY Text Export: The results of exporting text files from XRY.
Step 5: Specify the source of data and then click on Next.
[Figure: Specifying the source of data]
Step 6: Choose the modules that are necessary for the case and then
click on Next.
[Figure: Select necessary modules]
The ingest modules each extract and analyze a specific kind of information from the data source.
- Recent Activity: Finds the most recent actions on the disk, such as the files that were last accessed.
- Hash Lookup: Uses hash values to identify files.
- File Type Identification: Rather than relying on file extensions, identifies files based on their internal signatures.
- Extension Mismatch Detector: Detects files with tampered or changed extensions, presumably altered to hide evidence.
- Embedded File Extractor: Extracts embedded files from archives such as .zip, .rar, and other container formats and analyzes the extracted files. Another example is a PNG picture stored inside a document so that it looks like a document and hides vital information.
- EXIF (Exchangeable Image File Format) Parser: Extracts a file's metadata, such as the date of creation, geolocation, and so on.
- Keyword Search: Searches the data source for a given term or pattern.
- Email Parser: If the disk contains any type of email database, such as Outlook's pst/ost files, the email parser can extract information from these files.
- Encryption Detection: Encrypted or password-protected files are detected and identified.
- Interesting File Identifier: Lets you define custom rules for filtering data; when files matching these rules are found, the examiner is alerted.
- Correlation Engine: Saves properties to the central repository so they can be retrieved later; it helps in the visual representation of associated properties.
- PhotoRec Carver: Recovers files, photographs, and other items from unallocated (free) space.
- Virtual Machine Extractor: Any virtual machine discovered on the data source can be extracted and analyzed using this module.
- Data Source Integrity: If hash values for the data source are not already stored in the database, it calculates and saves them; otherwise, it verifies the data source against the stored hash values.
- Plaso: Extracts timestamps from a variety of file formats.
- Android Analyzer: Analyzes SQLite and other files retrieved from Android devices.
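To make concrete what the File Type Identification, Extension Mismatch Detector and Hash Lookup modules do during ingest, here is a small added example (not Autopsy's own code, and not from the original post) that walks a directory of constructed sample files, identifies each file by its leading signature bytes, flags files whose extension does not fit that signature, and computes a SHA-256 per file that can be checked against a hash set. The signature table and the sample files are assumptions built for the demo; Autopsy uses far larger signature databases and hash sets.

```python
import hashlib
import os
import tempfile

# Constructed signature table: leading bytes -> type label and the extensions
# that legitimately carry that type. Only a handful of common types are
# included here; a real ingest module uses a much larger set.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png", {".png"}),
    (b"\xff\xd8\xff", "image/jpeg", {".jpg", ".jpeg"}),
    (b"PK\x03\x04", "application/zip", {".zip", ".docx", ".xlsx", ".pptx", ".jar", ".apk"}),
    (b"%PDF-", "application/pdf", {".pdf"}),
    (b"MZ", "application/x-dosexec", {".exe", ".dll", ".sys"}),
    (b"Rar!\x1a\x07", "application/x-rar", {".rar"}),
]


def identify_type(path, nbytes=16):
    """Return a type label from the file's leading bytes, ignoring its extension."""
    with open(path, "rb") as fh:
        head = fh.read(nbytes)
    for magic, label, _ in SIGNATURES:
        if head.startswith(magic):
            return label
    return "unknown"


def extension_matches(path, label):
    """True if the file's extension is one that legitimately carries this type."""
    ext = os.path.splitext(path)[1].lower()
    for _, sig_label, exts in SIGNATURES:
        if sig_label == label:
            return ext in exts
    return True  # no signature matched, so there is nothing to compare against


def sha256_of(path, chunk=1 << 20):
    """Hash the file in chunks so large evidence files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_directory(root, known_hashes=frozenset()):
    """Walk root and return one findings dict per file (type, mismatch flag, hash, hash hit)."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            label = identify_type(path)
            digest = sha256_of(path)
            findings.append({
                "path": os.path.relpath(path, root),
                "type": label,
                "extension_mismatch": not extension_matches(path, label),
                "sha256": digest,
                "hash_hit": digest in known_hashes,
            })
    return findings


def build_sample_dir():
    """Create a constructed sample 'data source' in a temporary directory."""
    root = tempfile.mkdtemp(prefix="ingest_demo_")
    samples = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "notes.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
        "report.docx": b"PK\x03\x04" + b"\x00" * 26,       # OOXML documents are zip containers
        "holiday.jpg": b"MZ\x90\x00" + b"\x00" * 60,        # PE header under a .jpg name: mismatch
        "readme.txt": b"plain text, no signature\n",       # no signature: nothing to compare
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_dir()
    for f in scan_directory(root):
        flag = " <-- extension mismatch" if f["extension_mismatch"] else ""
        print(f"{f['path']:12} {f['type']:24} {f['sha256'][:16]}...{flag}")
```

Running the block prints one line per sample file; the renamed executable is reported as application/x-dosexec with the mismatch flag, while the .docx is correctly accepted because OOXML documents are zip containers. Passing a set of known hashes to scan_directory marks any file whose SHA-256 is in that set, which is the Hash Lookup idea in miniature.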
Step 7: After the processing of the data source is completed, click
on Finish.
[Figure: File insertion in progress]
Step 8: You can start exploring right away, but we suggest waiting
until the analysis and integrity check have finished.
[Figure: Integrity and Analysis check]
Great! We have successfully created our first case.
We hope this helps. If you have any suggestions or doubts, you can add a comment and
we will reply as soon as possible.
I'm trying to get the ingest module to import XRY files, but I've exported as files, text, pdf and the ingest modules say "no xry files in the folder". What am I doing wrong?
I'll add that I am using XAMN for exporting some pre-existing XRY files I created a few years ago. There are multiple export formats in the current version of XAMN...