School of Computer Science and Engineering

BCSE322P Digital Forensics Laboratory

Exercise No: 1

Autopsy – Installation | Self-Study

21BCI0383
Register Number

YASHITA MITTAL
Name

5th September 2024

Submission Date

FALL SEMESTER 2024-25

Lab Slot: L51+L52

Venue: SJT 317

 Exercise No: 1 Autopsy – Installation | Self-Study

Problem Statement

You are asked to install the digital Forensic Tool, Autopsy (Latest Version) in your
Windows System and explore all the functionality and features in it. Also, you are
asked to write a detailed document based on the self-study you have carried out.

Aim
The aim is to install the latest version of the digital forensic tool, Autopsy, on a
Windows system, explore all its functionalities and features, and create a detailed
document based on self-study. The document should include all the steps of
installation, exploration of features, and functionalities with respective screenshots
and interpretations.

Procedure / Steps
1. Introduction to Autopsy
Autopsy is an open-source digital forensic platform used for analyzing hard drives,
mobile devices, and other storage media to investigate cybercrimes and recover
deleted files. It is widely used by law enforcement, government, military, and
corporate examiners to conduct forensic investigations. Some key features include
file and directory analysis, keyword searching, timeline analysis, hash filtering, and
reporting.

Key Points:

 Use Cases: Cybercrime investigation, corporate investigations, data recovery.

 Capabilities: Evidence collection, file system analysis, internet artifacts analysis, and
more.

2. System Requirements
Before installing Autopsy, it's important to know the system requirements to ensure
compatibility.

Minimum System Requirements:

 Operating System: Windows 7 or later (64-bit)

  Processor: Dual-core CPU
 RAM: 4 GB
 Disk Space: 1 GB for installation; additional space for data sources

Recommended System Requirements:

 Operating System: Windows 10 (64-bit)

 Processor: Quad-core CPU
 RAM: 8 GB or more
 Disk Space: 100 GB or more for large data analysis

3. Download and Installation

 Step-by-step guide to downloading the latest version of Autopsy:
o Visit the official Autopsy website.
o Navigate to the download section.
o Choose the appropriate version for Windows.
 Step-by-step guide for the installation process:
o Run the installer executable.
o Follow the installation wizard steps, including setting up the installation path,
components to install, etc.
o Complete the installation and verify the successful installation.
 Screenshots:





Download the file

DOWNLOAD AND INSTALL

4. Launching Autopsy and Initial Setup

After installation:

1. Launch Autopsy:
o Double-click the Autopsy icon on your desktop or search for it in the
Start menu.
2. Initial Setup:
o Set up user preferences (language, default modules).
o Familiarize yourself with the user interface

Add Data Source: Add disk images, files, or drives for forensic analysis.
Images/Videos: Analyze and review multimedia files for evidence.
Communications: Investigate emails, chats, and other communication
data.
Geolocation: Extract and visualize GPS data from media and mobile files.
Timeline: Create a chronological sequence of digital events.
Discovery: Search, filter, and categorize findings within the data.
Generate Report: Create detailed forensic reports in various formats.
Close Case: Save and close the current case after analysis is completed.

 Screenshots:

After installation, when you click and open Autopsy, this screen appears.

5. Creating a New Case

 Detailed steps to create a new case in Autopsy:
o Navigating to "Create New Case"
o Entering case details such as Case Name, Description, Case Number,
Examiner, etc.
o Choosing the storage location for the case data.
 Explanation of different types of data sources that can be added (disk images,
logical files, local drives, etc.).
 Screenshots:
o New Case creation form
6. Adding Data Sources

Adding data sources is a crucial step in setting up the case for investigation:

1. Types of Data Sources Supported:

o Disk Images: RAW, E01, AFF formats.
o Local Drives: Analyzing a local drive directly connected to the
system.
o Logical Files and Folders: Specific files or directories.
2. Adding a Data Source:
o Navigate to "Add Data Source" in the toolbar.
o Select the type of data source.
o Follow the prompts to add the source.
CLICK ON “BROWSE”
7. Exploring Core Features

 File Analysis:
o Description and use cases for file analysis.
o Steps to navigate and analyze files and directories.

 Keyword Search:
o Explanation of the keyword search functionality.
o Steps to perform keyword searches and view the results.
 Timeline Analysis:
o Steps to create and interpret timeline views for forensic analysis.

 File Type Detection and Analysis:

o Overview of built-in modules that help in detecting file types and their
analysis.

 Reports Generation:
o Steps to generate different types of reports (HTML, PDF, CSV) and
customize them.
8. Exploring Additional Features and Plugins
The most important components are below-

New Case: Create a new forensic case for investigation.

Open Recent Case: Open a recently accessed case.
Open Case: Open an existing forensic case from storage.
Unpack and Open Portable Case: Load a portable case for analysis from
a packaged format.
Close Case: Close the currently active forensic case.
Delete Case: Permanently delete a case from the system.
Manage Hosts: Manage and configure hosts associated with cases.
Add Data Source: Add new data sources like disk images or folders to the
case.
Case Details: View and edit the details of the current case.
Data Source Summary: Display a summary of all data sources in the
case.
Exit: Exit the Autopsy application.

b) Image/Video Gallery Editor

Image/Video Gallery Editor in Autopsy allows investigators to browse, categorize,

and analyze multimedia files from a case in a gallery view. It enables tagging,
filtering, and quick review of images and videos for identifying potential evidence
efficiently.
9. Advanced Analysis Techniques

Analysis Results in Autopsy provide a summary of key findings from the forensic
analysis, organized into subheadings for easy review:

1. Encryption Detected: Lists files that appear to be encrypted, suggesting

potential hidden or protected data.
2. EXIF Metadata: Displays metadata extracted from images, such as
timestamps and GPS coordinates.
3. Extension Mismatch Detected: Identifies files where the extension does not
match the actual file type, indicating potential obfuscation.
4. Keyword Hits: Shows results of keyword searches, helping to find specific
terms or phrases within the data.
5. User Content Suspected: Highlights content suspected to be user-
generated, which may be relevant to the investigation.
6. Web Categories: Categorizes web-related artifacts, such as browsing history,
into different categories for targeted analysis.

10. Best Practices for Using Autopsy

Managing Cases and Data Sources:

 Keep data sources organized and documented to ensure evidence integrity.

Evidence Organization:

 Tagging, categorizing, and annotating evidence as it is analyzed.

Optimizing Performance:

 Best practices for configuring system resources, such as memory and disk
space, to handle large datasets.
11. Interpretation/Conclusion
In conclusion, using Autopsy has provided valuable insights into the field of digital
forensics. Through hands-on exploration, we learned about the various components
of Autopsy, including data source management, timeline analysis, image/video
gallery, keyword search, and report generation. Each component plays a crucial role
in facilitating a comprehensive forensic investigation—from collecting and managing
evidence to analyzing digital artifacts and generating reports for legal proceedings.
Autopsy's strengths lie in its user-friendly interface, modular design, and ability to
handle multiple data types, making it a versatile tool for law enforcement, corporate,
and academic use.

However, there are areas for improvement, such as optimizing performance for large
datasets and enhancing support for mobile device analysis. Future exploration could
involve integrating Autopsy with other specialized forensic tools like Volatility for
memory analysis or leveraging machine learning for automated artifact detection.
Additionally, testing Autopsy in different types of investigations, such as insider
threats or financial fraud, could further extend its applicability and effectiveness in
real-world scenarios.