In this tutorial, we will cover how one can carry out digital forensics with Autopsy. Autopsy is a digital forensics platform and graphical interface to the sleuth kit and other digital forensics tools.
This article is an excerpt taken from the book ‘Digital Forensics with Kali Linux’, written by Shiva V.N. Parasram.
Let’s proceed with the analysis using the Autopsy browser by first getting acquainted with the different ways to start Autopsy.
Autopsy can be started in two ways. The first uses the Applications menu by clicking on Applications | 11 – Forensics | autopsy:
Alternatively, we can click on the Show applications icon (last item in the side menu) and type autopsy into the search bar at the top-middle of the screen and then click on the autopsy icon:
Once the autopsy icon is clicked, a new terminal is opened showing the program information along with connection details for opening The Autopsy Forensic Browser.
In the following screenshot, we can see that the version number is listed as 2.24 with the path to the Evidence Locker folder as /var/lib/autopsy:
To open the Autopsy browser, position the mouse over the link in the terminal, then right-click and choose Open Link, as seen in the following screenshot:
Creating a new case
To create a new case, follow the given steps:
- When the Autopsy Forensic Browser opens, investigators are presented with three options.
- Click on NEW CASE:
- Enter details for the Case Name, Description, and Investigator Names. For the Case Name, I’ve entered SP-8-dftt, as it closely matches the image name (8-jpeg-search.dd), which we will be using for this investigation. Once all information is entered, click NEW CASE:
The locations of the Case directory and Configuration file are displayed and shown as created. It’s important to take note of the case directory location, as seen in the screenshot: Case directory (/var/lib/autopsy/SP-8-dftt/) created. Click ADD HOST to continue:
- Enter the details for the Host Name (name of the computer being investigated) and the Description of the host.
- Optional settings:
  - Time zone: Defaults to local settings, if not specified
  - Timeskew Adjustment: Adds a value in seconds to compensate for time differences
  - Path of Alert Hash Database: Specifies the path of a created database of known bad hashes
  - Path of Ignore Hash Database: Specifies the path of a created database of known good hashes, similar to the NIST NSRL:
- Click on the ADD HOST button to continue.
- Once the host is added and directories are created, we add the forensic image we want to analyze by clicking the ADD IMAGE button:
- Click on the ADD IMAGE FILE button to add the image file:
- To import the image for analysis, the full path must be specified. On my machine, I’ve saved the image file (8-jpeg-search.dd) to the Desktop folder. As such, the location of the file would be /root/Desktop/8-jpeg-search.dd.
For the Import Method, we choose Symlink. This way the image file can be imported from its current location (Desktop) to the Evidence Locker without the risks associated with moving or copying the image file.
- If you are presented with the following error message, ensure that the specified image location is correct and that the forward slash (/) is used:
- Upon clicking Next, the Image File Details are displayed. To verify the integrity of the file, select the radio button for Calculate the hash value for this image, and select the checkbox next to Verify hash after importing?
- The File System Details section also shows that the image is of an NTFS partition.
- Click on the ADD button to continue:
- After clicking the ADD button in the previous screenshot, Autopsy calculates the MD5 hash and links the image into the evidence locker. Press OK to continue:
- At this point, we’re just about ready to analyze the image file. If there are multiple cases listed in the gallery area from any previous investigations you may have worked on, be sure to choose the 8-jpeg-search.dd file and case:
- Before proceeding, we can click on the IMAGE DETAILS option. This screen gives detail such as the image name, volume ID, file format, file system, and also allows for the extraction of ASCII, Unicode, and unallocated data to enhance and provide faster keyword searches. Click on the back button in the browser to return to the previous menu and continue with the analysis:
- Before clicking on the ANALYZE button to start our investigation and analysis, we can also verify the integrity of the image by creating an MD5 hash, by clicking on the IMAGE INTEGRITY button:
- After clicking on the IMAGE INTEGRITY button, the image name and hash are displayed. Click on the VALIDATE button to validate the MD5 hash:
- The validation results are displayed in the lower-left corner of the Autopsy browser window:
- We can see that our validation was successful, with matching MD5 hashes displayed in the results. Click on the CLOSE button to continue.
- To begin our analysis, we click on the ANALYZE button:
Analysis using Autopsy
Now that we’ve created our case, added host information with appropriate directories, and added our acquired image, we get to the analysis stage.
After clicking on the ANALYZE button (see the previous screenshot), we’re presented with several options in the form of tabs, with which to begin our investigation:
Let’s look at the details of the image by clicking on the IMAGE DETAILS tab. In the following snippet, we can see the Volume Serial Number and the operating system (Version) listed as Windows XP:
Next, we click on the FILE ANALYSIS tab. This mode opens into File Browsing Mode, which allows the examination of directories and files within the image. Directories within the image are listed by default in the main view area:
In File Browsing Mode, directories are listed with the Current Directory specified as C:/.
For each directory and file, there are fields showing when the item was WRITTEN, ACCESSED, CHANGED, and CREATED, along with its size and META data:
- WRITTEN: The date and time the file was last written to
- ACCESSED: The date and time the file was last accessed (only the date is accurate)
- CHANGED: The date and time the descriptive data of the file was modified
- CREATED: The date and time the file was created
- META: Metadata describing the file and information about the file:
For integrity purposes, MD5 hashes of all files can be made by clicking on the GENERATE MD5 LIST OF FILES button.
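As an added example (not Autopsy's code, nor code from the book), the following Python script reproduces the two hash-based checks described in this tutorial: recomputing an image's MD5 and comparing it with the value recorded at acquisition, which is what the IMAGE INTEGRITY / VALIDATE step does, and generating an MD5 list of files that is then triaged against a known-bad "alert" set and a known-good "ignore" set in the manner of the Alert Hash Database and Ignore Hash Database options. The image contents, the file tree and both hash sets are constructed in a temporary directory; every file name and path below is an assumption made for the demonstration.

```python
"""Hash-based integrity and triage helpers modelled on Autopsy's
IMAGE INTEGRITY check, its GENERATE MD5 LIST OF FILES button and the
Alert / Ignore hash database options. Added example, not Autopsy code."""
import hashlib
import os
import tempfile


def md5_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Return the MD5 hex digest of a file, read in chunks so that a
    multi-gigabyte disk image never has to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image_hash(image_path: str, expected_md5: str) -> bool:
    """Recompute the image hash and compare it with the value recorded at
    acquisition time (the VALIDATE step). Case and whitespace are ignored
    because hashes are often copied from reports in upper case."""
    return md5_file(image_path).lower() == expected_md5.strip().lower()


def md5_list(root: str) -> dict:
    """Walk a directory tree and map each path (relative to root) to its
    MD5, like Autopsy's file hash list."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = md5_file(full)
    return result


def classify(hashes: dict, alert_db: set, ignore_db: set) -> dict:
    """Triage a hash list: known-bad hashes raise ALERT, known-good ones
    (NSRL-style) are marked IGNORE, everything else is UNKNOWN and needs
    a look. A hash present in both sets is treated as an alert."""
    verdicts = {}
    for rel, digest in hashes.items():
        if digest in alert_db:
            verdicts[rel] = "ALERT"
        elif digest in ignore_db:
            verdicts[rel] = "IGNORE"
        else:
            verdicts[rel] = "UNKNOWN"
    return verdicts


def demo() -> dict:
    """Run both checks on constructed evidence in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-in for the 8-jpeg-search.dd image (4 KiB of zeros).
        image = os.path.join(root, "8-jpeg-search.dd")
        with open(image, "wb") as f:
            f.write(b"\x00" * 4096)
        recorded = md5_file(image)  # hash noted at acquisition time
        intact = verify_image_hash(image, recorded.upper())

        # Flip one byte; a later validation must now fail.
        with open(image, "r+b") as f:
            f.seek(100)
            f.write(b"\x01")
        still_valid = verify_image_hash(image, recorded)

        # Constructed file tree to hash and triage (names are assumptions).
        tree = os.path.join(root, "C")
        os.makedirs(os.path.join(tree, "docs"))
        samples = {
            "notepad.exe": b"constructed known-good tool",
            os.path.join("docs", "tool.dll"): b"constructed known-bad sample",
            os.path.join("docs", "file7.hmm"): b"constructed unknown file",
        }
        for rel, data in samples.items():
            with open(os.path.join(tree, rel), "wb") as f:
                f.write(data)
        alert_db = {hashlib.md5(b"constructed known-bad sample").hexdigest()}
        ignore_db = {hashlib.md5(b"constructed known-good tool").hexdigest()}
        verdicts = classify(md5_list(tree), alert_db, ignore_db)
    return {"intact": intact, "still_valid": still_valid, "verdicts": verdicts}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The chunked read matters in practice: Autopsy hashes whole images, and a naive `f.read()` on a multi-gigabyte .dd file exhausts memory. Treating a hash found in both sets as an alert is a deliberate choice; a known-good set should never be allowed to silence a known-bad match.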
Investigators can also make notes about files, times, anomalies, and so on, by clicking on the ADD NOTE button:
The left pane contains four main features that we will be using:
- Directory Seek: Allows for the searching of directories
- File Name Search: Allows for the searching of files by filename or Perl regular expression
- ALL DELETED FILES: Searches the image for deleted files
- EXPAND DIRECTORIES: Expands all directories for easier viewing of contents
By clicking on EXPAND DIRECTORIES, all contents are easily viewable and accessible within the left pane and main window. The + next to a directory indicates that it can be further expanded to view subdirectories (++) and their contents:
To view deleted files, we click on the ALL DELETED FILES button in the left pane. Deleted files are marked in red and also adhere to the same format of WRITTEN, ACCESSED, CHANGED, and CREATED times.
From the following screenshot, we can see that the image contains two deleted files:
We can also view more information about a file by clicking on its META entry. By viewing the metadata entries of a file (last column to the right), we can also view the hexadecimal contents of the file, which may reveal the file's true type (and therefore its correct extension), even if the extension was changed.
In the preceding screenshot, the second deleted file (file7.hmm) has a peculiar file extension of .hmm.
Click on the META entry (31-128-3) to view the metadata:
Under the Attributes section, click on the first cluster labelled 1066 to view header information of the file:
We can see that the first entry is .JFIF, which is an abbreviation for JPEG File Interchange Format. This means that the file7.hmm file is an image file but had its extension changed to .hmm.
Inspecting the metadata of each file may not be practical with large evidence files. For such an instance, the FILE TYPE feature can be used. This feature allows for the examination of existing (allocated), deleted (unallocated), and hidden files. Click on the FILE TYPE tab to continue:
Click Sort files into categories by type (leave the default-checked options as they are) and then click OK to begin the sorting process:
Once sorting is complete, a results summary is displayed. In the following snippet, we can see that there are five Extension Mismatches:
To view the sorted files, we must manually browse to the location of the output folder, as Autopsy 2.4 does not support viewing of sorted files. To reveal this location, click on View Sorted Files in the left pane:
Once the index.html file has been opened, click on the Extension Mismatch link:
The five listed files with mismatched extensions should be further examined by viewing metadata content, with notes added by the investigator.
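As an added example (not code from Autopsy or the book), the following Python script automates the check carried out by hand above on file7.hmm and by the FILE TYPE sorter's Extension Mismatch category: read the first bytes of each file, identify the type from its signature (the JPEG signature FF D8 FF, with the JFIF marker at offset 6 that the tutorial spotted in the hex view), and compare that against the file's extension. The sample files, including a JFIF image renamed to .hmm, are constructed in a temporary directory; the signature table covers a handful of common types and is an assumption, not Autopsy's own list.

```python
"""Signature-based extension-mismatch check, the idea behind Autopsy's
FILE TYPE sorter. Added example, not Autopsy's code."""
import os
import tempfile

# (offset, magic bytes, detected type, extensions that legitimately carry it)
SIGNATURES = [
    (0, b"\xff\xd8\xff", "jpeg", {"jpg", "jpeg", "jpe"}),
    (0, b"\x89PNG\r\n\x1a\n", "png", {"png"}),
    (0, b"GIF87a", "gif", {"gif"}),
    (0, b"GIF89a", "gif", {"gif"}),
    (0, b"%PDF-", "pdf", {"pdf"}),
    (0, b"PK\x03\x04", "zip", {"zip", "docx", "xlsx", "pptx", "jar"}),
    (0, b"MZ", "exe", {"exe", "dll", "sys", "scr"}),
]


def identify(header: bytes):
    """Return (type, allowed extensions) for the first matching signature,
    or (None, empty set) when the header is not recognised."""
    for offset, magic, kind, exts in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return kind, exts
    return None, set()


def check_file(path: str) -> dict:
    """Classify one file as match, mismatch or unknown and note whether a
    JPEG carries the JFIF marker seen in the tutorial's hex view."""
    with open(path, "rb") as f:
        header = f.read(64)
    kind, exts = identify(header)
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    if kind is None:
        status = "unknown"          # no signature: needs manual review
    elif ext in exts:
        status = "match"
    else:
        status = "mismatch"         # what Autopsy lists as Extension Mismatch
    return {
        "path": path,
        "extension": ext,
        "detected": kind,
        "status": status,
        "jfif": kind == "jpeg" and header[6:10] == b"JFIF",
    }


def scan(root: str) -> list:
    """Check every file under root and return the findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            findings.append(check_file(os.path.join(dirpath, name)))
    return findings


def demo() -> dict:
    """Constructed tree mirroring the tutorial: a JFIF JPEG renamed to .hmm,
    plus a few controls. Returns {name: (status, detected type, jfif)}."""
    jfif = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 32
    samples = {
        "file7.hmm": jfif,                              # the tutorial's case
        "photo.jpg": jfif,                              # correctly named
        "notes.txt": b"plain text carries no signature",
        "archive.zip": b"PK\x03\x04" + b"\x00" * 20,
        "report.pdf": b"MZ\x90\x00" + b"\x00" * 20,     # executable named .pdf
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        results = scan(root)
    return {os.path.basename(r["path"]): (r["status"], r["detected"], r["jfif"])
            for r in results}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} {verdict}")
```

Only files whose signature is recognised can be flagged; a file with no known signature is reported as unknown rather than as a match, so it still gets examined rather than being silently passed.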
Reopening cases in Autopsy
Cases are usually ongoing and can easily be restarted by starting Autopsy and clicking on OPEN CASE:
In the CASE GALLERY, be sure to choose the correct case name and, from there, continue your examination:
To recap, we looked at forensics using the Autopsy Forensic Browser with The Sleuth Kit. Compared to individual tools, Autopsy has case management features and supports various types of file analysis, searching, and sorting of allocated, unallocated, and hidden files. Autopsy can also perform hashing at the file and directory levels to maintain evidence integrity.
If you enjoyed reading this article, do check out ‘Digital Forensics with Kali Linux’ to take your forensic abilities and investigations to a professional level, catering to all aspects of a digital forensic investigation from hashing to reporting.