is an open-source and powerful digital forensics platform.
“Autopsy is the premier open-source forensics platform which is fast, easy to use, and capable of analysing all types of mobile devices and digital media. Its plug-in architecture enables extensibility from community-developed or custom-built modules. Autopsy evolves to meet the needs of hundreds of thousands of professionals in law enforcement, national security, litigation support, and corporate investigation.”
- Create/open the case for the data source you will investigate
- Select the data source you wish to analyse
- Configure the ingest modules to extract specific artefacts from the data source
- Review the artefacts extracted by the ingest modules
- Create the report
Case Analysis | Create a New Case
To prepare a new case investigation, you need to create a case file from the data source. When you start Autopsy, there will be three options. You can create a new case file using the “New Case” option. Once you click on the “New Case” option, the Case Information menu opens, where information about the case is populated.
- Case Name: The name you wish to give to the case
- Base Directory: The root directory that will store all the files specific to the case (the full path will be displayed)
- Case Type: Specify whether this case will be local (Single-user) or hosted on a server where multiple analysts can review (Multi-user)
Case Analysis | Open an Existing Case
The Autopsy can also open prebuilt case files. Note that supported data sources are discussed in the next task. This part aims to show how to create/open case files with Autopsy.
Autopsy can analyse multiple disk image formats. Before diving into the data analysis step, let’s briefly cover the different data sources Autopsy can analyse. You can add data sources by using the “Add Data Source” button. Available options are shown in the picture below.
We will focus primarily on the Disk Image or VM File option in this room.
Supported Disk Image Formats:
- Raw Single (For example: *.img, *.dd, *.raw, *.bin)
- Raw Split (For example: *.001, *.002, *.aa, *.ab, etc)
- EnCase (For example: *.e01, *.e02, etc)
- Virtual Machines (For example: *.vmdk, *.vhd)
If there are multiple image files (e.i. E01, E02, E03, etc.) Autopsy only needs you to point to the first image file, and Autopsy will handle the rest.
Note: Refer to the Autopsy documentation to understand the other data sources that can be added to a case.
Essentially Ingest Modules are Autopsy plug-ins. Each Ingest Module is designed to analyse and retrieve specific data from the drive. You can configure Autopsy to run specific modules during the source-adding stage or later by choosing the target data source available on the dashboard. By default, the Ingest Modules are configured to run on All Files, Directories, and Unallocated Space. You can change this setting during the module selecting step. You can track the process with the bar appearing in the lower right corner.
Drawing the attention back to the Configure Ingest Modules window, notice that some Ingest Modules have per-run settings and some do not. For example, the Keyword Search Ingest Module does not have per-run settings. In contrast, the Interesting Files Finder Ingest Module does. The yellow triangle represents the “per-run settings option”.
As Ingest Modules run, alerts may appear in the Ingest Inbox. Below is an example of the Ingest Inbox after a few Ingest Modules have completed running.
To learn more about Ingest Modules, read Autopsy documentation here.
The User Interface I
Let’s look at the Autopsy user interface, which is comprised of 5 primary areas:
The Tree Viewer has five top-level nodes:
- Data Sources — all the data will be organised as you would typically see it in a normal Windows File Explorer.
- Views — files will be organised based on file types, MIME types, file size, etc.
- Results — as mentioned earlier, this is where the results from Ingest Modules will appear.
- Tags — will display files and/or results that have been tagged (read more about tagging here).
- Reports — will display reports either generated by modules or the analyst (read more about reporting here).
Refer to the Autopsy documentation on the Tree Viewer for more information here.
Note: Don’t confuse the Results node (from the Tree Viewer) with the Result Viewer.
When a volume, file, folder, etc., is selected from the Tree Viewer, additional information about the selected item is displayed in the Result Viewer. For example, the Sample case’s data source is selected, and now additional information is visible in the Results Viewer.
If a volume is selected, the Result Viewer’s information will change to reflect the information in the local database for the selected volume.
Notice that the Result Viewer pane has three tabs: Table, Thumbnail, and Summary. The above screenshots reflect the information displayed in the Table tab. The Thumbnail tab works best with image or video files. If the view of the above data is changed from Table to Thumbnail, not much information will be displayed. See below.
Volume nodes can be expanded, and an analyst can navigate the volume’s contents like a typical Windows system.
In the Views tree node, files are categorised by File Types — By Extension, By MIME Type, Deleted Files, and By File Size.
Tip: When it comes to File Types, pay attention to this section. An adversary can rename a file with a misleading file extension. So the file will be ‘miscategorised’ By Extension but will be categorised appropriately by MIME Type. Expand By Extension and more children nodes appear, categorising files even further (see below).
Refer to the Autopsy documentation on the Result Viewer for more information here.
From the Table tab in the Result Viewer, if you click any folder/file, additional information is displayed in the Contents Viewer pane.
In the given image, three columns might not be quickly understood what they represent.
- S = Score
The Score will show a red exclamation point for a folder/file marked/tagged as notable and a yellow triangle pointing downward for a folder/file marked/tagged as suspicious. These items can be marked/tagged by an Ingest Module or the analyst.
- C = Comment
If a yellow page is visible in the Comment column, it will indicate that there is a comment for the folder/file.
- O = Occurrence
In a nutshell, this column will indicate how many times this file/folder has been seen in past cases (this will require the Central Repository)
Refer to the Autopsy documentation on the Contents Viewer for more information here.
At the top right, you will find Keyword Lists and Keyword Search. With Keyword Search, an analyst can perform an AD-HOC keyword search.
In the image above, the analyst searches for the word ‘secret.’ Below are the search results.
Refer to the Autopsy documentation for more information on performing keyword searches with either option.
Lastly, the Status Area is at the bottom right. When Ingest Modules run, a progress bar (along with the percentage completed) will be displayed in this area. More detailed information regarding the Ingest Modules is provided if you click on the bar.
X (directly next to the progress bar) is clicked, a prompt will appear confirming if you wish to end/cancel the Ingest Modules.
The User Interface II
Let’s look at where we can find summarised info with ease. Summarised info can help analysts decide where to focus by evaluating available artefacts. It is suggested to view the summary of the data sources before starting an investigation. Therefore you can have a general idea about the system and artefacts.
Data Sources Summary
The Data Sources Summary provides summarised info in nine different categories. Note that this is an overview of the total findings. If you want to dive deep into the findings and look for a specific artefact, you need to analyse each module separately using the “Result Viewer” shown in the previous task.
You can create a report of your findings in multiple formats, enabling you to create data sheets for your investigation case. The report provides all information listed under the “Result Viewer” pane. Reports can help you to re-investigate findings after finishing the live investigation. However, reports don’t have additional search options, so you must manually find artefacts for the event of interest.
Tip: The Autopsy tool can be heavy for systems with low resources. Therefore completing an investigation with Autopsy on low resources can be slow and painful. Especially browsing long results might end up with a system freeze. You can avoid that situation by using reports. You can use the tool for parsing the data and generating the report, then continue to analyse through the generated report without a need for Autopsy. Note that it is always easier to conduct and manage an investigation with the GUI.
You can use the “Generate Report” option to create reports. The steps are shown below.
Once you choose your report format and scope, Autopsy will generate the report. You can click on the “HTML Report” section (shown above) to view the report on your browser. Reports contain all of the “Result Viewer” pane results on the left side.