In this video walkthrough, we covered disk analysis with Autopsy. We performed forensic analysis on a disk image to extract artifacts. The scenario is taken from the TryHackMe Autopsy room.

Learn how to use Autopsy to investigate artifacts from a disk image. Use your knowledge to investigate an employee who is being accused of leaking private company data.

Video Highlights

Autopsy is a powerful open-source digital forensics platform. Several features within Autopsy were developed with funding from the Department of Homeland Security Science and Technology Directorate. You can read more about this here.

The official description: “Autopsy is the premier open source forensics platform which is fast, easy-to-use, and capable of analysing all types of mobile devices and digital media. Its plug-in architecture enables extensibility from community-developed or custom-built modules. Autopsy evolves to meet the needs of hundreds of thousands of professionals in law enforcement, national security, litigation support, and corporate investigation.”

Before diving into Autopsy and analysing data, there are a few steps to perform, such as identifying the data source and deciding which Autopsy actions to perform on it.

Basic workflow:

  1. Create/open the case for the data source you will investigate
  2. Select the data source you wish to analyse
  3. Configure the ingest modules to extract specific artefacts from the data source
  4. Review the artefacts extracted by the ingest modules
  5. Create the report

Autopsy can analyse multiple disk image formats. Before diving into the data analysis step, let’s briefly cover the different data sources Autopsy can analyse. You can add data sources by using the “Add Data Source” button. Available options are shown in the picture below.

Supported Disk Image Formats:

  • Raw Single (For example: *.img, *.dd, *.raw, *.bin)
  • Raw Split (For example: *.001, *.002, *.aa, *.ab, etc)
  • EnCase (For example: *.e01, *.e02, etc)
  • Virtual Machines (For example: *.vmdk, *.vhd)

If there are multiple image files (i.e. E01, E02, E03, etc.), Autopsy only needs you to point to the first image file; it will locate and handle the remaining segments itself.
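Before adding a split or EnCase image as a data source, it is worth confirming that every segment is actually present: Autopsy is pointed at the first file, and a missing middle segment only surfaces later as unreadable sectors or a failed ingest. The following Python script is an added example (not part of the original post or of the Autopsy project). It classifies files from a directory listing into the formats listed above, groups numbered segments by image name, reports which file to hand to Autopsy and which segments are missing, and checks the EWF segment signature at the start of an E01 file. The sample listing is constructed; the extension patterns and the `is_ewf_header` signature check are assumptions made here for illustration.

```python
import re
from collections import defaultdict
from pathlib import PurePath

# Extensions for single-file formats named in the post.
RAW_SINGLE = {".img", ".dd", ".raw", ".bin"}
VIRTUAL_MACHINE = {".vmdk", ".vhd"}

# Segment naming conventions for multi-file formats (assumed patterns):
#   raw split:  .001, .002, ...   or   .aa, .ab, ...
#   EnCase:     .E01, .E02, ...   (the .EAA continuation after .E99 is not handled here)
SPLIT_NUMERIC = re.compile(r"^\.(\d{3})$")
SPLIT_ALPHA = re.compile(r"^\.([a-z]{2})$")
ENCASE = re.compile(r"^\.e(\d{2})$", re.IGNORECASE)

# Signature at byte 0 of every EWF (E01) segment file.
EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"


def classify(filename):
    """Return (format, segment_index); segment_index is None for single-file formats."""
    ext = PurePath(filename).suffix.lower()
    if ext in RAW_SINGLE:
        return "raw_single", None
    if ext in VIRTUAL_MACHINE:
        return "virtual_machine", None
    if m := SPLIT_NUMERIC.match(ext):
        return "raw_split", int(m.group(1))
    if m := SPLIT_ALPHA.match(ext):
        first, second = m.group(1)            # .aa -> 1, .ab -> 2, ... .ba -> 27
        return "raw_split", (ord(first) - 97) * 26 + (ord(second) - 97) + 1
    if m := ENCASE.match(ext):
        return "encase", int(m.group(1))
    return "unknown", None


def plan_data_sources(filenames):
    """Group a directory listing into data sources Autopsy can be pointed at.

    Returns (plan, unknown): plan is a list of dicts, one per image, giving the
    file to add, the segment count and any gaps in the segment sequence;
    unknown lists files that match none of the supported formats.
    """
    groups = defaultdict(list)
    unknown = []
    for name in filenames:
        fmt, idx = classify(name)
        if fmt == "unknown":
            unknown.append(name)
            continue
        groups[(PurePath(name).stem.lower(), fmt)].append((idx, name))

    plan = []
    for (stem, fmt), members in sorted(groups.items()):
        if fmt in ("raw_single", "virtual_machine"):
            for _, name in members:
                plan.append({"image": name, "format": fmt, "add_this_file": name,
                             "segments": 1, "missing": []})
            continue
        members.sort()
        indices = [i for i, _ in members]
        # Segments must run 1..max without gaps; report any holes before ingest.
        missing = sorted(set(range(1, max(indices) + 1)) - set(indices))
        first_file = members[0][1] if indices[0] == 1 else None
        plan.append({"image": stem, "format": fmt, "add_this_file": first_file,
                     "segments": len(indices), "missing": missing})
    return plan, unknown


def is_ewf_header(first_bytes):
    """True if the given leading bytes of a file carry the EWF segment signature."""
    return first_bytes[: len(EWF_SIGNATURE)] == EWF_SIGNATURE


# Constructed directory listing: a complete EnCase image, a raw split image with
# segment 3 missing, two single-file images and one unrelated file.
SAMPLE_LISTING = [
    "disk1.E01", "disk1.E02", "disk1.E03",
    "evidence.001", "evidence.002", "evidence.004",
    "laptop.vmdk", "mem.raw", "notes.txt",
]

if __name__ == "__main__":
    plan, unknown = plan_data_sources(SAMPLE_LISTING)
    for entry in plan:
        status = "OK" if not entry["missing"] else f"MISSING segments {entry['missing']}"
        print(f"{entry['image']:<14} {entry['format']:<16} add: {entry['add_this_file']}  {status}")
    print("not a supported image format:", unknown)
    # In practice read the first 8 bytes of the E01 file: open(path, "rb").read(8)
    print("EWF signature check on constructed header:", is_ewf_header(EWF_SIGNATURE + b"\x00" * 8))
```

Run it against a real evidence directory by replacing `SAMPLE_LISTING` with `os.listdir(path)`; an image whose `missing` list is non-empty should not be added to the case until the absent segments are recovered, and an `.E01` file whose first eight bytes fail `is_ewf_header` is either mislabelled or damaged.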

Answers to the questions

What is the disk image name of the “e01” format?

Expand the “Data Sources” option; what is the number of available sources?

What is the number of the detected “Removed” files?

What is the filename found under the “Interesting Files” section?

What is the full name of the operating system version?

What percentage of the drive are documents? Include the % in your answer.

Generate an HTML report as shown in the task and view the “Case Summary” section.
What is the job number of the “Interesting Files Identifier” module?

The majority of file events occurred on what date? (MONTH DD, YYYY)

What is the name of an Installed Program with the version number of 6.2.0.2962?

A user has a Password Hint. What is the value?

Numerous SECRET files were accessed from a network drive. What was the IP address?

What web search term has the most entries?

What was the web search conducted on 3/25/2015 21:46:44?

What binary is listed as an Interesting File?

What self-assuring message did the ‘Informant’ write for himself on a Sticky Note? (no spaces)

Using the Timeline, how many results were there on 2015-01-12?

Video Walk-through