Notes (5/22/20)
What is Autopsy?
Goal: outline the general concepts before we make a case and start analyzing data
● Investigation workflow
● Deployment types
● Central repository
Deployment types
● desktop/single user
● cluster/multi-user
Single-user Deployment
● Functionality
○ Cases can be opened by one person at a time
○ Similar approach to other forensics tools
● Technical:
○ Everything runs on a single computer
○ Works out of the box with installer
○ Launching Autopsy will start all embedded services
Multi-user deployment
● Functionality
○ Cases can be opened by many users at the same time
○ Allows auto ingest mode; media is auto analyzed non-stop by multiple nodes
○ Faster analysis; db is faster
● Technical
○ User experience is the exact same
○ Uses central servers for dbs, text index, etc.
○ Uses central high speed storage
Central repository
Use cases
● “Other occurrences” content viewer shows you if file was in past case
● Comments about a file can be stored in the CR and shown when file is seen again
● Centralize management of notable hash sets
● Auto flags files if they were previously tagged as notable
● SQLite
○ Requires no other installations
○ Can be used by only one user at a time (do not put it on a network share and have multiple examiners using it at the same time)
● PostgreSQL
○ Database is stored on a server
○ Can be used by multiple users at a time
○ Can use the same server for multi-user cases
Picking a type
Section 2: Installation
● Outline how to install and configure Autopsy
Basic steps
● Install Autopsy on each examiner’s computer; can install multi-user cluster services
● Configure each Autopsy client
Config
● Go to multi-user section of options → fill in names of host and user; test each connection
Other config
What is a Case?
Case directory
● Autopsy.db: SQLite database that will store basic case info and data source info unless it is a multi-user case
● Export folder: default location to store exported files
● Reports folder: default location to store reports
● ModuleOutput folder: default location for modules to write output to
● Goal is to populate the case database with basic info about source and files inside
○ Size and name info of E01 files are added; system is scanned and a row is created in database for each file
Supported formats:
● Raw (dd) single and split, E01, raw of phones, VM, etc
● Point autopsy at first image → will do rest
○ 001 -> 002, etc.
● Does not validate E01 files directly on input
Analysis
Orphan files
Carving
Process
● Scan each unallocated block to see if file type starts there
● When a header is found, scan forward for that file type’s footer (e.g. a JPEG starts with its header and ends with its footer)
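The two-step process above (header at a block boundary, then footer scan), as an added example that is not Autopsy's own carver; the buffer, block size and JPEG signatures (SOI FF D8 FF, EOI FF D9) are constructed here for illustration:

```python
# Added example (not Autopsy's own code): a minimal header/footer carver run over a
# constructed "unallocated space" buffer, following the process the notes describe.
from dataclasses import dataclass

BLOCK_SIZE = 512  # scan on sector-aligned boundaries ("each unallocated block")

# Signatures assumed for illustration: JPEG SOI marker as header, EOI marker as footer.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


@dataclass
class CarvedFile:
    kind: str
    offset: int
    length: int


def carve(unalloc: bytes, max_len: int = 1 << 20) -> list:
    """Check each block start for a known header; on a hit, scan forward for the footer."""
    found = []
    for off in range(0, len(unalloc), BLOCK_SIZE):
        for kind, (header, footer) in SIGNATURES.items():
            if not unalloc.startswith(header, off):
                continue
            end = unalloc.find(footer, off + len(header), off + max_len)
            if end == -1:
                continue  # header with no footer in range: truncated file or false positive, skip
            found.append(CarvedFile(kind, off, end + len(footer) - off))
    return found


def build_sample() -> bytes:
    """Constructed buffer: zeros, a fake JPEG at block 2, and a footer-less header at block 6."""
    buf = bytearray(BLOCK_SIZE * 8)
    fake_jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-body-bytes" * 20 + b"\xff\xd9"  # 306 bytes
    buf[2 * BLOCK_SIZE : 2 * BLOCK_SIZE + len(fake_jpeg)] = fake_jpeg
    buf[6 * BLOCK_SIZE : 6 * BLOCK_SIZE + 3] = b"\xff\xd8\xff"  # must not be carved
    return bytes(buf)


if __name__ == "__main__":
    for f in carve(build_sample()):
        print(f)
```

The dangling header at block 6 shows the caveat from the notes: a signature hit is only a candidate until its footer is found.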
In autopsy
Unallocated space
● Add data source → disk image option → popup for adding disk images and navigate path, all info
Limitations
Analysis
VHD file
● Allows you to make a ‘sparse VHD’ image while you analyze a local drive
○ Useful for triage situations
● When data is read, Autopsy determines if sector has been seen; if not → save copy
● Analyze entire drive = complete image
● Makes a copy of the data read so analysis can be re-run later on the results
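The copy-on-read behaviour described above, as an added example that is not Autopsy's sparse VHD implementation; the sector size, in-memory "drive" and the raw (not VHD) export format are assumptions made for illustration:

```python
# Added example (not Autopsy's own code): a "sparse image" that records each sector the
# first time it is read from a live source; reading everything yields a complete image.
SECTOR = 512


class SparseImage:
    def __init__(self, source: bytes):
        self.source = source   # stands in for the local drive being triaged
        self.sectors = {}      # sector number -> bytes, only for sectors already read

    def read(self, offset: int, length: int) -> bytes:
        """Serve a read; any sector not seen before is copied into the image as a side effect."""
        first, last = offset // SECTOR, (offset + length - 1) // SECTOR
        for n in range(first, last + 1):
            if n not in self.sectors:  # not seen yet -> save a copy
                self.sectors[n] = self.source[n * SECTOR : (n + 1) * SECTOR]
        return self.source[offset : offset + length]

    def seen_sectors(self) -> int:
        return len(self.sectors)

    def export(self) -> bytes:
        """Flatten to a raw image; sectors never read are zero-filled (hence 'sparse')."""
        total = (len(self.source) + SECTOR - 1) // SECTOR
        raw = b"".join(self.sectors.get(n, b"\x00" * SECTOR) for n in range(total))
        return raw[: len(self.source)]


def demo():
    source = bytes(range(256)) * 8   # constructed 4096-byte "drive" (8 sectors)
    img = SparseImage(source)
    img.read(600, 100)               # a triage read touches sector 1 only
    partial = img.seen_sectors()
    img.read(0, len(source))         # analyzing the entire drive ...
    complete = img.export() == source  # ... gives a complete image
    return partial, complete


if __name__ == "__main__":
    print(demo())
```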
Making
Local files
● Local files are those that are stored on a file system (a collection of JPEG or Word files, an L01 file)
● User specifies file/folder to add
● Folders are recursively added
● Basic info about each file is added to DB
○ Times are ignored
○ Files are not copied or moved
■ Manually copy if they are on USB
● Files added at the same time are grouped together in the UI -- local file sets
Summary
Section 3: Lab
● Reinforce concepts in videos with hands-on exercises
● Provided text about what to do and questions; write down answers to use them in follow up quiz
Workflow Caveat
Lab answers
1. There are 8 volumes in the disk image
2. The name of the unallocated space file in vol1 is Unalloc_3_0_1048576
3. The file system for vol7 is NTFS
Windows questions
Section 4: UI basics
Outline basic UI concepts needed after data is added to case
● UI flow
● Contents of the tree
● Ways to view file contents
Basic UI flow
The tree
Structure
“Views” area
View by type
View by size
Results area
● Tags area shows what files and results have been tagged
● Reports area shows the reports generated by the user or a module
The table
Table icons
● Many rows have 3 columns to give you quick context about an item
● First column -- Score (S)
○ Stop sign with ! means item is notable; could be hash hit or a notable tag applied
○ Yellow sign with triangle means item was suspicious; module marked it as interesting or tag was applied normally
● Second column -- Comment
○ Yellow page shown if file has a comment
○ Either in current case or past with Central Repo
● Third column -- Occurrences
○ How often item has been seen in past cases (requires Central Repo) to see which files are unique and how interesting it might be
Thumbnails
● Use thumbnail tab to see images and videos; identifies them and shows thumbnails for them
Content viewers
Hex viewer
● Shows raw content in usual form with offset on left, numbers in middle, actual text on right
● Always enabled if file has content
● Can launch HxD for more powerful features
text/strings
● Text contains various “sub viewers” that are all related to text
● Strings show data that could be text in a given encoding
○ Can have false positives
text/translation
● Uses Google or Bing translate when configured; translates same text as shown in “indented text”
Application
● File type-specific viewer: pictures, video, SQLite, HTML, Registry, Binary PList, etc.
● Not a generic viewer like hex or raw text; only enables if supported
● If picture put into application view, shows it and allows for rotation and zooming
● Plays videos
● Gives a pulldown tab with all tables when looking at a db/SQLite file, shows all rows and can page through them; not very powerful but enough to see basics; to do more, export
● Can display HTML files and remotely load images (optional to load)
○ Will strip out tags that will reach out to some website; may have evidence and notify someone but only so much can be done (can download full image to avoid detection)
Message
● Email-like display for email and text messages; includes header info, RTF, HTML
● Dedicated message reviewer, straightforward and has all info
File metadata
● Shows metadata about a selected file; similar to data in table, easier to copy and paste
● May not have all info from hash hits; below it is output from The Sleuth Kit (TSK); lots of info not stored and usually generic, but can use this output for more info
Results
● Shows all analysis results performed and data extracted on selected item
● Data comes from database blackboard
Annotations
Other occurrences
Defaults
● When a new file is selected, can either stay or name viewer/choose most relevant one
○ Hex and strings are only relevant viewer if nothing else is (depends on Autopsy decisions)
● To change, use gear icon above tree and to change it to only stay on 1 viewer
Other
● History buttons to pull out of dead end lead; forward and back
● Progress bars and cancellation when using ingest modules
● Ingest inbox shows what has been found in background tasks, records number of unread messages and can scroll down through to investigate
● File searching by metadata; search db for files with all criteria except for keywords
● File exporting, viewing, etc. through right click actions
○ Can export, view in external view/new (“undocked”; floats around and won’t change to keep around or as reference) content viewer
Additional interfaces
Section 4 Lab
1. There are 8 databases by extension (6 dbs last section)
2. The size of the largest database is 5242880 bytes
3. There are no dbs with MIME type yet
4. The names of the files between 200MB and 1GB are $BadClus:$Bad, Winre.wim, chrome.7z