In this video walkthrough, we covered disk analysis and forensics using Autopsy. We extracted forensic artifacts about the operating system and its users from a disk image. This was part of the TryHackMe room Disk Analysis & Autopsy.

What is a Disk Image?

A disk image file is a bit-for-bit copy of a storage device stored in a single file. Because it is a bit-for-bit copy, it captures everything on the device and not only the files the operating system shows: file system metadata, unallocated space, slack space and the partition layout are all preserved. During an investigation the original device is imaged once and the image is hashed; analysts then work from copies of the image rather than from the device. This helps in two ways: 1) the original evidence is never written to or contaminated while performing forensics, and 2) the image can be copied to another disk or workstation and analysed without specialised hardware, with the hash proving that each copy is identical to what was acquired.

Disk Forensics Methodology

On an NTFS volume, the core of a disk investigation is parsing the Master File Table (MFT), which holds a record for every file and directory on the volume together with its timestamps, attributes and the clusters that hold its data. From it we can reconstruct what happened on the disk at the time of the attack: which files were created, modified, renamed, hidden or deleted. The main advantage of parsing the MFT directly, rather than simply mounting the partition with regular tools (mount on Linux), is that we can inspect every sector allocated to the file system instead of only what the driver chooses to present. We can thus recover deleted files whose MFT records and data clusters have not yet been reused, detect hidden data in Alternate Data Streams, check the integrity of the MFT records themselves, inspect bad sectors, read slack space, and so on.
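To make the MFT point concrete, here is a minimal parser added as an example for this post (it is not Autopsy or Sleuth Kit code). It applies the NTFS fixup (update sequence) check that every MFT reader must perform, walks the attributes of each 1024-byte record, pulls the file name out of the resident $FILE_NAME attribute, and reports records whose header is intact but whose in-use flag is clear: deleted files that a normal mount never shows. Because there is no disk image on this page, the sample $MFT is constructed by build_record() inside the script; the file names, record numbers and the update sequence number 7 are assumptions made for the example.

```python
import struct

RECORD_SIZE, SECTOR_SIZE = 1024, 512        # default NTFS MFT record and sector sizes
ATTR_FILE_NAME, ATTR_END = 0x30, 0xFFFFFFFF
FLAG_IN_USE, FLAG_DIR = 0x01, 0x02


def apply_fixups(record: bytes) -> bytes:
    """Undo NTFS update-sequence protection before reading any attribute: the driver
    overwrites the last two bytes of each sector with the update sequence number (USN)
    and keeps the real bytes in the update sequence array; a mismatch = torn/tampered."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 0x04)
    usn = record[usa_off:usa_off + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if buf[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i}")
        buf[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def is_torn(record: bytes) -> bool:
    """True when the fixup check fails (torn write or tampered record)."""
    try:
        apply_fixups(record)
        return False
    except ValueError:
        return True


def parse_record(record: bytes):
    """Return {record, in_use, is_dir, name} or None for a never-used slot."""
    if record[:4] != b"FILE":                       # zeroed slot or "BAAD" record
        return None
    record = apply_fixups(record)
    first_attr, flags = struct.unpack_from("<HH", record, 0x14)
    info = {"record": struct.unpack_from("<I", record, 0x2C)[0],   # XP+ header field
            "in_use": bool(flags & FLAG_IN_USE), "is_dir": bool(flags & FLAG_DIR), "name": None}
    off = first_attr
    while off + 8 <= len(record):
        attr_type, attr_len = struct.unpack_from("<II", record, off)
        if attr_type == ATTR_END or attr_len == 0:
            break
        if attr_type == ATTR_FILE_NAME and record[off + 8] == 0:   # resident $FILE_NAME
            body_len, body_off = struct.unpack_from("<IH", record, off + 0x10)
            body = record[off + body_off:off + body_off + body_len]
            name = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
            if info["name"] is None or body[0x41] != 2:  # prefer long name over DOS 8.3
                info["name"] = name
        off += attr_len
    return info


def list_deleted(mft: bytes) -> list:
    """Records whose header survives but whose in-use bit is clear: deleted files."""
    deleted = []
    for pos in range(0, len(mft), RECORD_SIZE):
        rec = parse_record(mft[pos:pos + RECORD_SIZE])
        if rec and not rec["in_use"]:
            deleted.append(rec)
    return deleted


def build_record(record_no: int, name: str, in_use: bool) -> bytes:
    """Construct one synthetic MFT record with a single resident $FILE_NAME
    attribute (constructed test data, not bytes from a real disk)."""
    body = bytearray(0x42) + name.encode("utf-16-le")   # timestamps/sizes left zero
    body[0x40], body[0x41] = len(name), 1                # name length, Win32 namespace
    attr_len = (0x18 + len(body) + 7) & ~7               # attribute length, 8-byte aligned
    attr = struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, attr_len, 0, 0, 0x18, 0, 0,
                       len(body), 0x18, 0, 0) + bytes(body)
    first_attr = 0x38                                    # header (0x30) + 3-entry fixup array
    rec = bytearray(RECORD_SIZE)
    rec[:0x30] = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, first_attr,
                             FLAG_IN_USE if in_use else 0, first_attr + attr_len + 8,
                             RECORD_SIZE, 0, 0, 0, record_no)
    rec[first_attr:first_attr + len(attr)] = attr
    struct.pack_into("<I", rec, first_attr + attr_len, ATTR_END)
    usn = 0x0007                                         # now protect it the way the driver does
    struct.pack_into("<H", rec, 0x30, usn)
    for i in (1, 2):
        end = i * SECTOR_SIZE
        rec[0x30 + 2 * i:0x30 + 2 * i + 2] = rec[end - 2:end]   # stash the real bytes
        struct.pack_into("<H", rec, end - 2, usn)               # and overwrite with the USN
    return bytes(rec)


SAMPLE_MFT = b"".join([   # constructed $MFT: two live files, one deleted, one unused slot
    build_record(0, "$MFT", True),
    build_record(64, "report.docx", True),
    build_record(65, "secret_flag.txt", False),   # deleted: header intact, in-use bit clear
    bytes(RECORD_SIZE),
])

if __name__ == "__main__":
    for rec in list_deleted(SAMPLE_MFT):
        print(f"deleted: MFT record {rec['record']} -> {rec['name']}")
```

On a real image you would extract the $MFT file (MFT entry 0) from the NTFS partition, for example with The Sleuth Kit's icat, and pass its bytes to list_deleted(). The fixup check only detects torn or altered sector tails; it is not a cryptographic integrity check, so a modification inside the data region of a record will still parse cleanly, which is why the image hash and not the MFT is what proves the evidence is unchanged.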

Disk Forensics with Autopsy

Before diving into Autopsy and analysing data, there are a few steps to perform, such as identifying the data source and deciding what Autopsy should do with it.
Basic workflow:

  1. Create/open the case for the data source you will investigate
  2. Select the data source you wish to analyse
  3. Configure the ingest modules to extract specific artefacts from the data source
  4. Review the artefacts extracted by the ingest modules
  5. Create the report

We start by creating a new case or opening an already saved case. You can do that easily by following the wizard that pops up once you open the program.

Forensic Investigation

The investigator begins by opening Autopsy and loading the hard disk image (json2.e01) as a data source. The MD5 hash recorded in the E01 container at acquisition time is compared with the hash Autopsy computes over the image data, which verifies that the image has not been altered since it was acquired. Note that this is the hash of the acquired disk contents, not of the .e01 file itself; hashing the file with md5sum gives a different value because the container adds its own headers and compression. The investigator then answers several questions based on the disk image analysis, including identifying:

  • The computer account name by accessing the operating system information.
  • A list of all user accounts on the system, ordered alphabetically.

User Account Analysis

The investigator finds user account information, including usernames and account details, in the operating system's registry files (the SAM hive under Windows\System32\config, which Autopsy's Recent Activity ingest module parses into operating system user account artifacts). Default accounts (e.g., Administrator) are omitted from the list of user accounts.

IP Address and MAC Address

The investigator uses Autopsy to locate the IP address and MAC address of the system by browsing the Program Files directory and searching for network-related information. These details are found in log files written by the LAN monitoring software installed on the machine, which record the local interface's IP and MAC address.

Network Cards

The analysis proceeds to identify the network cards on the system from the SOFTWARE registry hive, where Windows lists installed adapters under Microsoft\Windows NT\CurrentVersion\NetworkCards with their service names (the adapter GUID) and descriptions.

Network Monitoring Tool

The room also asks which network monitoring tool is installed on the system. Looking through the list of installed programs, the investigator identifies a tool named Look@LAN, a LAN scanning and monitoring utility, as the monitoring software.

Bookmarks and Coordinates

The user had bookmarked a Google Maps location, and the investigator retrieves the coordinates from the web browser bookmarks that Autopsy extracts from the user's browser profile in the disk image.

Desktop Wallpaper and Full Name

Another question involves finding a user's full name printed on their desktop wallpaper. By locating the image file set as the wallpaper and viewing it in Autopsy, the investigator reads the user's full name from the desktop background.

PowerShell Flag Modification

The user had a file on the desktop containing a flag that was later changed using PowerShell. The investigator must analyse PowerShell artifacts, such as the PSReadLine console history (ConsoleHost_history.txt under the user's AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine folder) or related files, to determine the original flag before it was changed.

TryHackMe Disk Analysis & Autopsy | Room Answers

What is the MD5 hash of the E01 image?

What is the computer account name?

List all the user accounts. (alphabetical order)

Who was the last user to log into the computer?

What was the IP address of the computer?

What was the MAC address of the computer? (XX-XX-XX-XX-XX-XX)

Name the network cards on this computer.

What is the name of the network monitoring tool?

A user bookmarked a Google Maps location. What are the coordinates of the location?

A user has his full name printed on his desktop wallpaper. What is the user’s full name?

A user had a file on her desktop. It had a flag but she changed the flag using PowerShell. What was the first flag?

The same user found an exploit to escalate privileges on the computer. What was the message to the device owner?

2 hack tools focused on passwords were found in the system. What are the names of these tools? (alphabetical order)

There is a YARA file on the computer. Inspect the file. What is the name of the author?

One of the users wanted to exploit a domain controller with an MS-NRPC based exploit. What is the filename of the archive that you found? (include the spaces in your answer)

TryHackMe Disk Analysis & Autopsy | Video Walk-through

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.