Forensic Investigation of victim pc using Autopsy

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what exactly happened on a computer. You can even use it to recover photos from your camera’s memory card for case investigation.

Autopsy features.

  • Timeline Analysis:Displays system events in a graphical interface to help identify activity.
  • Keyword Search:Text extraction and index searched modules enable you to find files that mention specific terms and find regular expression patterns.
  • Web Artifacts:Extracts web activity from common browsers to help identify user activity.
  • Registry Analysis:Uses RegRipper to identify recently accessed documents and USB devices.
  • LNK File Analysis:Identifies short cuts and accessed documents
  • Email Analysis:Parses MBOX format messages, such as Thunderbird.
  • EXIF:Extracts geo location and camera information from JPEG files.
  • File Type Sorting:Group files by their type to find all images or documents.
  • Media Playback:View videos and images in the application and not require an external viewer.
  • Thumbnail viewer:Displays thumbnail of images to help quick view pictures.
  • Robust File System Analysis:Support for common file systems, including NTFS, FAT12, FAT16, FAT32, HFS+, ISO9660 (CD-ROM), Ext2, Ext3, and UFS from The Sleuth Kit.
  • Hash Set Filtering:Filter out known good files using NSRL and flag known bad files using custom hashsets in HashKeeper, md5sum, and EnCase formats.
  • Tags:Tag files with arbitrary tag names, such as ‘bookmark’ or ‘suspicious’, and add comments.
  • Unicode Strings Extraction: Extracts strings from unallocated space and unknown file types in many languages (Arabic, Chinese, Japanese, etc.).
  • File Type Detectionbased on signatures and extension mismatch detection.
  • Interesting Files Modulewill flag files and folders based on name and path.
  • Android Support: Extracts data from SMS, call logs, contacts, Tango, Words with Friends, and more.

First Download autopsy from here and install in your pc

Click New Case. The ‘Create a New Case’ page will open Even you can use a device clone which was earlier created click here to view

Fill in the ‘Case Name’, ‘Base Directory’and choose the location to save the report Eg:cusersrajdesktopautopsy report

Then click on next to proceed to next step. 

Here in next step you have to enter the case number and Examiner details and click on finish to proceed to next step.

Here now in Add Data Sourceyou have to complete the three steps

In first step that is Enter data Source Information  select the following as local disk, location of local disk, time zone as per your location, click on next to proceed to step 2

In Step 2 Configure ingest Modules I have chosen all the modules as I was discussing about complete information on evidence device or disk or computer etc. and click next for step 3

In Add Data Source just click on finish to generate the report of the device and you can perform complete investigate on the victim device or pc or any disk

Here you can see the local disk of the user we can completely analyze  it from here without accessing the actual data in local disk, you can see Data Sources, Views , Results, Email messages, Interesting items, etc.

Now finally when you choose the Data Sources and select the drive we choose you can see the following details will be shown in the image as all the files and folder available in local disk And also with their Modified Time, Change time, Access time, etc.

With these you can investigate on user details in local disk as well as know which file was deleted from the disk and with their time and date along with information. 

Author “Abdul Salam is a cyber security researcher and Corporate Trainer of Ignite Technologies. He is Having 2+ Year Experience in Cyber Security.

Related Posts Plugin for WordPress, Blogger...

Leave a Reply