In this video walkthrough, we covered disk analysis with Autopsy. We performed forensic analysis on the disk image to extract artifacts. The scenario is taken from the TryHackMe Autopsy room.
Learn how to use Autopsy to investigate artifacts from a disk image. Use your knowledge to investigate an employee who is being accused of leaking private company data.
Introduction to Autopsy
Autopsy is a digital forensics platform used to analyze mobile devices, digital media, disk images, and virtual machines to extract artifacts for forensic investigations. It’s designed for computer forensic professionals.
The official description: “Autopsy is the premier open source forensics platform which is fast, easy-to-use, and capable of analysing all types of mobile devices and digital media. Its plug-in architecture enables extensibility from community-developed or custom-built modules. Autopsy evolves to meet the needs of hundreds of thousands of professionals in law enforcement, national security, litigation support, and corporate investigation.”
Before diving into Autopsy and analysing data, there are a few steps to perform, such as identifying the data source and deciding which Autopsy actions to perform on it.
Basic workflow:
- Create/open the case for the data source you will investigate
- Select the data source you wish to analyse
- Configure the ingest modules to extract specific artefacts from the data source
- Review the artefacts extracted by the ingest modules
- Create the report
Autopsy can analyse multiple disk image formats. Before diving into the data analysis step, let’s briefly cover the different data sources Autopsy can analyse. You can add data sources by using the “Add Data Source” button. Available options are shown in the picture below.
Supported Disk Image Formats:
- Raw Single (For example: *.img, *.dd, *.raw, *.bin)
- Raw Split (For example: *.001, *.002, *.aa, *.ab, etc)
- EnCase (For example: *.e01, *.e02, etc)
- Virtual Machines (For example: *.vmdk, *.vhd)
If there are multiple image files (i.e. E01, E02, E03, etc.), Autopsy only needs you to point to the first image file; it will locate the remaining segments itself.
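To make the format list and the split-image behaviour concrete, here is an added example (not part of the original walkthrough or of Autopsy itself) that classifies a file name into the families listed above and, given only the first segment of a split image, enumerates the consecutive segments the way an acquisition tool expects them; it stops at the first gap so a missing segment is noticed rather than silently skipped. The demo directory and file names are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
# Extension families as listed above (lower-case, no dot).
RAW_SINGLE = {"img", "dd", "raw", "bin"}
VM = {"vmdk", "vhd"}
ENCASE_RE = re.compile(r"^e\d{2}$")  # e01, e02, ...

def classify_image(path):
    """Map a file name to the data-source family Autopsy would treat it as."""
    ext = Path(path).suffix.lstrip(".").lower()
    if ext in RAW_SINGLE:          # checked first, so "dd" is not taken as a split segment
        return "Raw Single"
    if ext in VM:
        return "Virtual Machine"
    if ENCASE_RE.match(ext):
        return "EnCase"
    if ext.isdigit() or (len(ext) == 2 and ext.isalpha()):   # 001/002 or aa/ab
        return "Raw Split"
    return None

def _next_ext(ext):
    """Successor of a segment extension: 001 -> 002, e01 -> e02, az -> ba (base 26)."""
    if ext.isdigit():
        return f"{int(ext) + 1:0{len(ext)}d}"
    if ENCASE_RE.match(ext):
        return f"e{int(ext[1:]) + 1:02d}"
    n = sum((ord(c) - 97) * 26 ** i for i, c in enumerate(reversed(ext))) + 1
    return "".join(chr(97 + (n // 26 ** i) % 26) for i in reversed(range(len(ext))))

def collect_segments(first):
    """Given the first segment, return every consecutive segment, stopping at a gap."""
    first = Path(first)
    by_lower = {p.name.lower(): p for p in first.parent.iterdir()}  # case-insensitive lookup
    stem, ext = first.stem.lower(), first.suffix.lstrip(".").lower()
    segments = [first]
    while True:
        ext = _next_ext(ext)
        nxt = by_lower.get(f"{stem}.{ext}")
        if nxt is None:
            return segments
        segments.append(nxt)

def demo():
    """Constructed sample: a split raw image whose fourth segment (.004) is missing."""
    tmp = Path(tempfile.mkdtemp())
    for name in ("disk.001", "disk.002", "disk.003", "disk.005"):
        (tmp / name).write_bytes(b"\x00" * 16)
    segs = collect_segments(tmp / "disk.001")
    return [p.name for p in segs], sum(p.stat().st_size for p in segs)
```

In the demo the chain ends at disk.003 even though disk.005 exists, which is the cue to go back and check the acquisition before adding the source to a case.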
Initial Setup in Autopsy
Case Management:
- The video starts by showing how to create or open an existing case in Autopsy. Users set the case name and directory and choose between single-user and multi-user mode.
- The directory stores all case-related files, and multi-user mode allows multiple analysts to work on the case from a server.
Data Sources:
- The instructor navigates through a previously opened case and demonstrates how to attach data sources such as disk images, virtual machines, or local files. Autopsy supports formats like dd, img, and raw files, along with virtual machine files and EnCase image files.
Tree Viewer and Views:
- The Tree Viewer organizes data sources and files similarly to a typical file explorer. The video shows how to expand and navigate through volumes and directories of the disk image.
- File Types and Extensions: The tool also categorizes files based on their extension, MIME type, and file size. This helps in verifying the authenticity of file types, especially if attackers modify file extensions.
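Autopsy's Extension Mismatch Detector ingest module flags files whose extension disagrees with the type detected from their content. The following added example (not Autopsy's code) shows the idea in a few lines: it identifies a file from its leading bytes and reports any file whose claimed extension is not one an analyst would accept for that type. The signature table and the sample file headers are constructed for illustration.

```python
from pathlib import Path

# Constructed signature table (leading bytes of the file), not Autopsy's own database.
SIGNATURES = {
    "image/jpeg": b"\xff\xd8\xff",
    "image/png": b"\x89PNG\r\n\x1a\n",
    "application/pdf": b"%PDF-",
    "application/zip": b"PK\x03\x04",        # also Office OOXML containers
    "application/x-dosexec": b"MZ",          # Windows PE executables
}
# Extensions an analyst would accept for each detected type.
EXPECTED_EXT = {
    "image/jpeg": {"jpg", "jpeg"},
    "image/png": {"png"},
    "application/pdf": {"pdf"},
    "application/zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "application/x-dosexec": {"exe", "dll", "sys", "scr"},
}

def detect_mime(header):
    """Identify a file by its leading bytes; unknown signatures fall back to octet-stream."""
    for mime, sig in SIGNATURES.items():
        if header.startswith(sig):
            return mime
    return "application/octet-stream"

def check_extension(name, header):
    """Return (detected MIME, claimed extension, mismatch flag) for one file."""
    ext = Path(name).suffix.lstrip(".").lower()
    mime = detect_mime(header)
    expected = EXPECTED_EXT.get(mime)
    # Only a known signature can contradict the extension; unknown content is not flagged.
    return mime, ext, expected is not None and ext not in expected

def find_mismatches(files):
    """files: iterable of (name, header bytes); returns the names whose extension lies."""
    return [name for name, header in files if check_extension(name, header)[2]]

# Constructed sample of file headers as they might be read out of the image.
SAMPLE_FILES = [
    ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),    # executable renamed to .pdf
    ("holiday.png", b"\xff\xd8\xff\xe1\x1c\x45Exif"),  # JPEG renamed to .png
    ("archive.zip", b"PK\x03\x04\x14\x00"),
    ("notes.txt", b"plain text has no magic bytes"),
]
```

Only invoice.pdf and holiday.png are reported; notes.txt has no recognisable signature, so it is left alone rather than guessed at.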
Ingest Modules and Analysis in Autopsy
Ingest Modules:
- Ingest modules are plugins that extend the functionality of Autopsy. The video explains how to use modules like email parsers, picture analyzers, and other plugins to analyze a disk image.
- The results of the ingest modules are stored in the results section, where analysts can view extracted artifacts, deleted files, and more.
Keyword Search:
- Autopsy allows analysts to perform keyword searches through the entire disk image. The video shows how to search for specific terms (e.g., “secret”) to find relevant files, displaying results with details such as file path, text, and hex data.
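The keyword search shown in the video has one detail worth understanding: text on a Windows disk is frequently stored as UTF-16LE (one null byte between ASCII characters), so a byte-level search for "secret" must look for both forms. This added example (not Autopsy's implementation) does exactly that over raw file contents and returns, for each hit, the offset, the encoding it was found in, the decoded text and a hex view around it, mirroring the columns in Autopsy's result table. The file paths and contents are constructed for illustration.

```python
import re

def keyword_hits(data, keyword, context=8):
    """Case-insensitive hits for `keyword` in raw bytes, in ASCII and UTF-16LE form."""
    patterns = {
        "ascii": re.compile(re.escape(keyword.encode("ascii")), re.IGNORECASE),
        "utf-16le": re.compile(re.escape(keyword.encode("utf-16-le")), re.IGNORECASE),
    }
    hits = []
    for encoding, pattern in patterns.items():
        for m in pattern.finditer(data):
            lo, hi = max(0, m.start() - context), min(len(data), m.end() + context)
            hits.append({
                "offset": m.start(),
                "encoding": encoding,
                "text": m.group().decode("utf-16-le" if encoding == "utf-16le" else "ascii"),
                "hex": data[lo:hi].hex(" "),   # hex view around the hit
            })
    return sorted(hits, key=lambda h: h["offset"])

def search_files(files, keyword):
    """files: {path: bytes}; returns (path, offset, encoding) for every hit."""
    return [(path, h["offset"], h["encoding"])
            for path, data in files.items()
            for h in keyword_hits(data, keyword)]

# Constructed sample: a plain-text note, an OLE document with UTF-16LE text, a binary.
SAMPLE_FILES = {
    "/img/vol2/Users/Bob/Desktop/notes.txt":
        b"Meeting notes: the SECRET merger closes Friday.\n",
    "/img/vol2/Users/Bob/Documents/plan.doc":
        b"\xd0\xcf\x11\xe0" + "Project secret plan".encode("utf-16-le"),
    "/img/vol2/Windows/System32/calc.exe":
        b"MZ\x90\x00" + b"\x00" * 32,
}
```

A search that only looks for the ASCII form would miss the hit inside plan.doc entirely.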
Analysis
The result viewer provides different viewing modes:
- Table View: Best for textual data.
- Thumbnail View: Suitable for images and videos.
The instructor demonstrates how to analyze various directories under the users’ folder in the disk image to retrieve user-specific information.
TryHackMe Autopsy | Room Answers
What is the number of the detected “Removed” files?
What is the filename found under the “Interesting Files” section?
What is the full name of the operating system version?
What percentage of the drive are documents? Include the % in your answer.
Generate an HTML report as shown in the task and view the “Case Summary” section.
What is the job number of the “Interesting Files Identifier” module?
The majority of file events occurred on what date? (MONTH DD, YYYY)
What is the name of an Installed Program with the version number of 6.2.0.2962?
A user has a Password Hint. What is the value?
Numerous SECRET files were accessed from a network drive. What was the IP address?
What web search term has the most entries?
What was the web search conducted on 3/25/2015 21:46:44?
What binary is listed as an Interesting File?
Video Walk-through