9 min read

Digital forensics involves the preservation, acquisition, documentation, analysis, and interpretation of evidence from various storage media types. It is not only limited to laptops, desktops, tablets, and mobile devices but also extends to data in transit which is transmitted across public or private networks.

In this tutorial, we will cover how one can carry out digital forensics with Autopsy. Autopsy is a digital forensics platform and graphical interface to the sleuth kit and other digital forensics tools.

This article is an excerpt taken from the book, ‘Digital Forensics with Kali Linux‘, written by Shiva V.N. Parasram.

Let’s proceed with the analysis using the Autopsy browser by first getting acquainted with the different ways to start Autopsy.

Starting Autopsy

Autopsy can be started in two ways. The first uses the Applications menu by clicking on Applications | 11 – Forensics | autopsy:

starting Autopsy

Alternatively, we can click on the Show applications icon (last item in the side menu) and type autopsy into the search bar at the top-middle of the screen and then click on the autopsy icon:

Autopsy

Once the autopsy icon is clicked, a new terminal is opened showing the program information along with connection details for opening The Autopsy Forensic Browser.

In the following screenshot, we can see that the version number is listed as 2.24 with the path to the Evidence Locker folder as /var/lib/autopsy:

terminal

To open the Autopsy browser, position the mouse over the link in the terminal, then right-click and choose Open Link, as seen in the following screenshot:

Autopsy browser

Creating a new case

To create a new case, follow the given steps:

  1. When the Autopsy Forensic Browser opens, investigators are presented with three options.
  2. Click on NEW CASE:
new case
  1. Enter details for the Case Name, Description, and Investigator Names. For the Case Name, I’ve entered SP-8-dftt, as it closely matches the image name (8-jpeg-search.dd), which we will be using for this investigation. Once all information is entered, click NEW CASE:
create new case
Several investigator name fields are available, as there may be instances where several investigators may be working together.

The locations of the Case directory and Configuration file are displayed and shown as created.  It’s important to take note of the case directory location, as seen in the screenshot: Case directory (/var/lib/autopsy/SP-8-dftt/) created. Click ADD HOST to continue:

creating case
  1. Enter the details for the Host Name (name of the computer being investigated) and the Description of the host.
  2. Optional settings:
    • Time zone: Defaults to local settings, if not specified
    • Timeskew Adjustment: Adds a value in seconds to compensate for time differences
    • Path of Alert Hash Database: Specifies the path of a created database of known bad hashes
    • Path of Ignore Hash Database: Specifies the path of a created database of known good hashes similar to the NIST NSRL:
host name
  1. Click on the ADD HOST button to continue.
  2. Once the host is added and directories are created, we add the forensic image we want to analyze by clicking the ADD IMAGE button:
Adding host
  1. Click on the ADD IMAGE FILE button to add the image file:
Add image
  1. To import the image for analysis, the full path must be specified. On my machine, I’ve saved the image file (8-jpeg-search.dd) to the Desktop folder. As such, the location of the file would be /root/Desktop/ 8-jpeg-search.dd.

For the Import Method, we choose Symlink. This way the image file can be imported from its current location (Desktop) to the Evidence Locker without the risks associated with moving or copying the image file.

copy image
  1. If you are presented with the following error message, ensure that the specified image location is correct and that the forward slash (/) is used:
image
  1. Upon clicking Next, the Image File Details are displayed. To verify the integrity of the file, select the radio button for Calculate the hash value for this image, and select the checkbox next to Verify hash after importing?
  2. The File System Details section also shows that the image is of a ntfs partition.
  3. Click on the ADD button to continue:
file details
  1. After clicking the ADD button in the previous screenshot, Autopsy calculates the MD5 hash and links the image into the evidence locker. Press OK to continue:
calculating MD5
  1. At this point, we’re just about ready to analyze the image file. If there are multiple cases listed in the gallery area from any previous investigations you may have worked on, be sure to choose the 8-jpeg-search.dd file and case:
analyze images
  1. Before proceeding, we can click on the IMAGE DETAILS option. This screen gives detail such as the image name, volume ID, file format, file system, and also allows for the extraction of ASCII, Unicode, and unallocated data to enhance and provide faster keyword searches. Click on the back button in the browser to return to the previous menu and continue with the analysis:
image details
  1. Before clicking on the ANALYZE button to start our investigation and analysis, we can also verify the integrity of the image by creating an MD5 hash, by clicking on the IMAGE INTEGRITY button:
Several other options exist such as FILE ACTIVITY TIMELINES, HASH DATABASES, and so on. We can return to these at any point in the investigation.
  1. After clicking on the IMAGE INTEGRITY button, the image name and hash are displayed. Click on the VALIDATE button to validate the MD5 hash:
file system images
  1. The validation results are displayed in the lower-left corner of the Autopsy browser window:
Autopsy browser window
  1. We can see that our validation was successful, with matching MD5 hashes displayed in the results. Click on the CLOSE button to continue.
  2. To begin our analysis, we click on the ANALYZE button:
analyze

Analysis using Autopsy

Now that we’ve created our case, added host information with appropriate directories, and added our acquired image, we get to the analysis stage.

After clicking on the ANALYZE button (see the previous screenshot), we’re presented with several options in the form of tabs, with which to begin our investigation:

analysis using Autopsy

Let’s look at the details of the image by clicking on the IMAGE DETAILS tab. In the following snippet, we can see the Volume Serial Number and the operating system (Version) listed as Windows XP:

file system information

Next, we click on the FILE ANALYSIS tab. This mode opens into File Browsing Mode, which allows the examination of directories and files within the image. Directories within the image are listed by default in the main view area:

file browsing mode

In File Browsing Mode, directories are listed with the Current Directory specified as C:/.

For each directory and file, there are fields showing when the item was WRITTEN, ACCESSED, CHANGED, and CREATED, along with its size and META data:

  • WRITTEN: The date and time the file was last written to
  • ACCESSED: The date and time the file was last accessed (only the date is accurate)
  • CHANGED: The date and time the descriptive data of the file was modified
  • CREATED: The data and time the file was created
  • META: Metadata describing the file and information about the file:
current directory

For integrity purposes, MD5 hashes of all files can be made by clicking on the GENERATE MD5 LIST OF FILES button.

Investigators can also make notes about files, times, anomalies, and so on, by clicking on the ADD NOTE button:

Add note

The left pane contains four main features that we will be using:

  • Directory Seek: Allows for the searching of directories
  • File Name Search: Allows for the searching of files by Perl expressions or filenames
  • ALL DELETED FILES: Searches the image for deleted files
  • EXPAND DIRECTORIES: Expands all directories for easier viewing of contents
directory seek

By clicking on EXPAND DIRECTORIES, all contents are easily viewable and accessible within the left pane and main window. The + next to a directory indicates that it can be further expanded to view subdirectories (++) and their contents:

EXPAND DIRECTORIES

To view deleted files, we click on the ALL DELETED FILES button in the left pane. Deleted files are marked in red and also adhere to the same format of WRITTEN, ACCESSED, CHANGED, and CREATED times.

From the following screenshot, we can see that the image contains two deleted files:

deleted files

We can also view more information about this file by clicking on its META entry. By viewing the metadata entries of a file (last column to the right), we can also view the hexadecimal entries for the file, which may give the true file extensions, even if the extension was changed.

In the preceding screenshot, the second deleted file (file7.hmm) has a peculiar file extension of .hmm.

Click on the META entry (31-128-3) to view the metadata:

metadata

Under the Attributes section, click on the first cluster labelled 1066 to view header information of the file:

Attributes section

We can see that the first entry is .JFIF, which is an abbreviation for JPEG File Interchange Format. This means that the file7.hmm file is an image file but had its extension changed to .hmm.

Sorting files

Inspecting the metadata of each file may not be practical with large evidence files. For such an instance, the FILE TYPE feature can be used. This feature allows for the examination of existing (allocated), deleted (unallocated), and hidden files. Click on the FILE TYPE tab to continue:

file type sorting

Click Sort files into categories by type (leave the default-checked options as they are) and then click OK to begin the sorting process:

sorting categories

Once sorting is complete, a results summary is displayed. In the following snippet, we can see that there are five Extension Mismatches:

extension mismatch

To view the sorted files, we must manually browse to the location of the output folder, as Autopsy 2.4 does not support viewing of sorted files. To reveal this location, click on View Sorted Files in the left pane:

sort files
The output folder locations will vary depending on the information specified by the user when first creating the case, but can usually be found at /var/lib/autopsy///output/sorter-vol#/index.html.

Once the index.html file has been opened, click on the Extension Mismatch link:

extension mismatch

The five listed files with mismatched extensions should be further examined by viewing metadata content, with notes added by the investigator.

Reopening cases in Autopsy

Cases are usually ongoing and can easily be restarted by starting Autopsy and clicking on OPEN CASE:

Autopsy Forensic browser

In the CASE GALLERY, be sure to choose the correct case name and, from there, continue your examination:

Case gallery

To recap, we looked at forensics using the Autopsy Forensic Browser with The Sleuth Kit. Compared to individual tools, Autopsy has case management features and supports various types of file analysis, searching, and sorting of allocated, unallocated, and hidden files. Autopsy can also perform hashing on a file and directory levels to maintain evidence integrity.

If you enjoyed reading this article, do check out, ‘Digital Forensics with Kali Linux‘ to take your forensic abilities and investigations to a professional level, catering to all aspects of a digital forensic investigation from hashing to reporting.

Read Next:

What is Digital Forensics?

IoT Forensics: Security in an always connected world where things talk

Working with Forensic Evidence Container Recipes


Subscribe to the weekly Packt Hub newsletter. We'll send you this year's Skill Up Developer Skills Report.

* indicates required

LEAVE A REPLY

Please enter your comment!
Please enter your name here