In this video walkthrough, we covered Disk analysis and forensics using Autopsy. We extracted forensic artifacts about the operating system and uses. This was part of Disk Analysis & Autopsy.

Get Computer Forensics Notes

The Complete Practical Web Application Penetration Testing Course

What is a Disk Image?

A disk image file is a file that contains a bit-by-bit copy of a disk drive. A bit-by-bit copy saves all the data in a disk image file, including the metadata, in a single file. Thus, while performing forensics, one can make several copies of the physical evidence, i.e., the disk, and use them for investigation. This helps in two ways. 1) The original evidence is not contaminated while performing forensics, and 2) The disk image file can be copied to another disk and analyzed without using specialized hardware.

Disk Forensics Methodology

When performing an investigation on a disk, all we need is to parse the MFT to understand what exactly happened on the disk at the time of the attack: which files were modified, created, hidden, etc. The main advantage of directly parsing the MFT over simply mounting the partition using regular tools (mount on Linux) is to be able to inspect every corner of the sectors allocated to the system. We can thus retrieve deleted files, detect hidden data (Alternate Data Streams), check the MFT’s integrity, inspect bad sectors, get slack space, etc.

Disk Forensics with Autopsy

Before diving into Autopsy and analysing data, there are a few steps to perform; such as identifying the data source and what Autopsy actions to perform with the data source. 

  1. Create/open the case for the data source you will investigate
  2. Select the data source you wish to analyse
  3. Configure the ingest modules to extract specific artefacts from the data source
  4. Review the artefacts extracted by the ingest modules
  5. Create the report
    We start by creating a new case or opening an already saved case. You can do that easily by following the wizard that pops-up once you open the program.

Room Answers

What is the MD5 hash of the E01 image?

What is the computer account name?

List all the user accounts. (alphabetical order)

Who was the last user to log into the computer?

What was the IP address of the computer?

What was the MAC address of the computer? (XX-XX-XX-XX-XX-XX)

Name the network cards on this computer.

What is the name of the network monitoring tool?

A user bookmarked a Google Maps location. What are the coordinates of the location?

A user has his full name printed on his desktop wallpaper. What is the user’s full name?

A user had a file on her desktop. It had a flag but she changed the flag using PowerShell. What was the first flag?

The same user found an exploit to escalate privileges on the computer. What was the message to the device owner?

2 hack tools focused on passwords were found in the system. What are the names of these tools? (alphabetical order)

There is a YARA file on the computer. Inspect the file. What is the name of the author?

One of the users wanted to exploit a domain controller with an MS-NRPC based exploit. What is the filename of the archive that you found? (include the spaces in your answer)

Video Walk-through

About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.

View Articles