Lecture 13 - Comprehensive Guide On Autopsy Tool (Windows)
https://www.autopsy.com/download/
https://cfreds.nist.gov/all
Contents
• Creating a New Case
• Data Sources
• Views
• File Type
• MIME-type
• Deleted Files
• MB File size
• Results
• Extracted Content
• Keyword Hits
• Timeline
• Discovery
• Images/Videos
• Add File Tags
• Generate Reports
Creating a new Case
Type of data source
• There are various types to choose from.
• Disk Image or VM file: an image file that is an exact copy of a hard drive, media card, or a virtual machine disk.
• Local Disk: physical devices attached to the examiner's machine, such as hard disks, pen drives, and memory cards.
• Logical Files: individual local folders or files, added without imaging a whole volume.
• Unallocated Space Image File: raw blobs of data that contain no file system; they are processed by the carving ingest modules rather than parsed as a volume.
• Autopsy Logical Imager Results: the data source produced by running the Autopsy Logical Imager.
• XRY Text Export: the data source created from text files exported from XRY.
Views
• The documents are categorized into 5 types: HTML, Office, PDF, Plain Text, and Rich Text.
• On expanding the Documents node, you can see all the HTML documents present; click on the important ones to view them.
Executables
Deleted Files: displays information about deleted files, which can then be recovered.
MB Size Files: files are grouped by size, starting from 50MB. This lets the examiner look for large files quickly.
Extracted Content: everything the ingest modules extracted, broken down by category. Here we have found Metadata, Recycle Bin, and Web Downloads. Let us view each one of them.
Information about the user accounts is found in the Operating System User Account section.
The last user to log on to this computer can be identified from the Date Accessed column of the user accounts.
Metadata: here we can view all the information about the files, such as the date a file was created, when it was modified, the file's owner, etc.
Recycle Bin: files that were put in the Recycle Bin are found in this category.
Web Downloads: here you can see the files that were downloaded from the internet.
Keyword Hits: specific keywords can be searched for in the disk image. The search can be conducted as an exact match, a substring match, or a regular expression, with built-in lists for emails, literal words, etc.
You can choose to export the results into CSV format.
Timeline
Using this feature you can get information on the usage of the system in a statistical (counts), detailed, or list view.
Discovery
This option finds media present on the disk image using different filters.
Images/Videos
This option finds images and videos through various filters and multiple categories.
Add File Tag
Tagging can be used to create bookmarks, mark items for follow-up, flag notable items, etc.
Generate Report
Once the investigation is done, the examiner can generate the report in various formats according to their preference.
We can analyze the Windows registry with Autopsy.
• What was the OS used on the computer?
• What was the installation date?
• Who is the registered owner?
• What was the computer name?
• Who was the last user to log into the PC?
• What is the account name of the user who mostly uses the computer?
• When was the last recorded computer shutdown date/time?
• What is the time zone setting?
• Explain the information of the network interface with an IP address assigned by DHCP.
• What applications were installed by the suspect after installing the OS?
• List the external storage devices attached to the PC.
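Several of these answers come from registry values that Autopsy shows in their raw encoding: InstallDate is a Unix-epoch REG_DWORD, ShutdownTime is an 8-byte little-endian FILETIME, and ActiveTimeBias is an unsigned DWORD of minutes that wraps around for zones east of UTC. The decoder below is an added example, not part of the lecture or of Autopsy; the key paths are the standard Windows locations and the sample values are constructed, not taken from any real hive.

```python
from datetime import datetime, timedelta, timezone

# Ticks (100 ns) between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01)
EPOCH_DIFF_100NS = 116444736000000000

def filetime_to_utc(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME such as Control\\Windows\\ShutdownTime."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    ticks = int.from_bytes(raw, "little")
    micros = (ticks - EPOCH_DIFF_100NS) // 10
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=micros)

def unix_dword_to_utc(value: int) -> datetime:
    """Decode a REG_DWORD holding a Unix timestamp (InstallDate, DHCP LeaseObtainedTime)."""
    return datetime.fromtimestamp(value, tz=timezone.utc)

def signed_dword(value: int) -> int:
    """ActiveTimeBias is stored unsigned; e.g. UTC+05:30 appears as 0xFFFFFEB6 (-330)."""
    return value - 0x100000000 if value > 0x7FFFFFFF else value

def to_local(dt_utc: datetime, active_time_bias: int) -> datetime:
    """Windows defines UTC = local + bias, so local = UTC - bias (bias in minutes)."""
    bias = signed_dword(active_time_bias)
    return dt_utc.astimezone(timezone(timedelta(minutes=-bias)))

CV = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
TZ = "SYSTEM\\ControlSet001\\Control\\TimeZoneInformation"
SHUTDOWN = "SYSTEM\\ControlSet001\\Control\\Windows\\ShutdownTime"
CNAME = "SYSTEM\\ControlSet001\\Control\\ComputerName\\ComputerName\\ComputerName"

# Constructed sample values (what Autopsy's registry viewer would show), not a real hive.
SAMPLE = {
    CV + "\\ProductName": "Windows 7 Ultimate",
    CV + "\\InstallDate": 1546300800,                    # 2019-01-01 00:00:00 UTC
    CV + "\\RegisteredOwner": "sample-owner",
    CNAME: "LAB-PC",
    SHUTDOWN: (132223104000000000).to_bytes(8, "little"),  # 2020-01-01 00:00:00 UTC
    TZ + "\\ActiveTimeBias": 0xFFFFFEB6,                  # -330 min, i.e. UTC+05:30
    TZ + "\\TimeZoneKeyName": "India Standard Time",
}

def answer_questions(reg: dict) -> dict:
    """Answer the lecture's OS, install date, owner, name, shutdown and time-zone questions."""
    bias = reg[TZ + "\\ActiveTimeBias"]
    return {
        "os": reg[CV + "\\ProductName"],
        "installed_local": to_local(unix_dword_to_utc(reg[CV + "\\InstallDate"]), bias).isoformat(),
        "owner": reg[CV + "\\RegisteredOwner"],
        "computer_name": reg[CNAME],
        "last_shutdown_local": to_local(filetime_to_utc(reg[SHUTDOWN]), bias).isoformat(),
        "time_zone": f"{reg[TZ + chr(92) + 'TimeZoneKeyName']} (bias {signed_dword(bias)} min)",
    }
```

Run `answer_questions(SAMPLE)` to see every timestamp converted to the machine's own local time, which is the form an examiner should quote in the report.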