The Sleuth Kit (TSK) - Autopsy

 

The Sleuth Kit - Autopsy

The sleuth kit is set of c library and command line utilities which is used for analysis of disk image and for recovery of data from them.

Autopsy is simple to use GUI based software that provides a way for analysing the hard drive and mobile phones. It is generally used by military purpose, corporate examiners, law enforcement to study what happened on the computer. You can also use it for recovering the camera's memory card.

AutopsyLogo(autopsy.com)

Autopsy is free available for general use. Don't use it for any illegal activity. You can download autopsy from here. Now we are going to see that how autopsy work in windows environment.

After installing the autopsy, run it and select new case.

AutopsyHomePage

After that enter the case name which is related to your case or device you are going to scan and select the location of the case in device and also select the case type, and then click next.

CaseInformationPanel

Then type the case number and examiner's other details. Then click finish.

CaseOptionalInformation

Then just wait for some time. Our case database environment going to create. After that select host name will appear, click next. Then select the data source type that you want to scan. Here I selected the local disk as I want to scan my USB pen-drive.

SelectingDataSource

Then select the Data Source which is your USB drive and enter other details according to you and click next.

DataSourceSelection

After that configure the ingest as per your choice. There are many modules to scan, select as per your choice. Click Next.

IngestConfigure

After that click Finish.

Then you now seeing the progress bar of analysing files from your local disk. Make sure it will fully complete. It will recommend for proper investigation. Meanwhile you can explore the other capture data.

When all analysing process completed. You can check each data present in the local disk like Text files, Executable files, Audio, Video, System files, deleted files, etc. You can also check it hash and content of it. Where it will created and owner of that. You can also analyse the search tags and many more.

PDFFileView

PDF Content Exploring


We can also check hash value of any files.

TextFileHash

Text File Hash

We also see the Hex value, File Metadata and OS account of deleted file.

DeletedFileData
Deleted File Exploring

We learnt many things which are related to Sleuth Kit Autopsy. If you want to explore more you can go trough step-wise. We can do lot more things in this tools for forensics purposes.

Comments

Post a Comment

Popular posts from this blog

Basics Forensics Imaging with dd, dcfldd, and dc3dd

Image
  Linux Data acquiring commands DD (Data Dump) dd is use in Linux or Unix operating systems for cloning or converting the files. dd can create bit-by-bit copy of physical drive to generate the image. This image can be used by most of the forensics purposes. Some practical examples on dd command: To backup the entire hard disk:  To backup a complete copy of a hard disc to a different hard disc connected to the identical system, execute the dd command as shown.      # dd if=/dev/sda of=/dev/sdb      'if ' referred as input file, and of referred as output fie. We must be mentioned input and output file carefully. To copy, drive to drive using dd command as shown below, sync option allows you to replicate everything using synchronized input/output.     # dd if=/dev/sda of=/dev/sdb conv=noerror, sync To backup a Partition: You can use the device name of a partition in the input data file, and into the output data either you will be able ...
Read more

Understanding and Demonstrating working of Jumplists

Image
  To understand and demonstrate working of jumplists from data forensic perspective by using jumplists view tool. Jump Lists basically created for providing the quick access to the recently opened documents for respective application. Which is first introduced in the Windows 7. For data forensic perspective, By using Jumplists forensic investigator can analyse the suspect's activity like tracking recently opened application, when the file or application opened or closed, etc. Jumplists provide the Most Recently Used and Most Frequently Used list for respective application which is helpful for data forensic. There are two sets created for storing jumplists in windows: AutomaticDestinations This is automatically generated by Operating System when any file or application opened. The files stored in it, has  .automaticDesinations-ms  extension. To access this file we need to go through the following path. C:\Users\XYZ\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinat...
Read more

Study and install Pro-discover and Encase free version

Image
  Pro-discover Pro-discover is a software in a digital forensics that helps investigators to acquire the evidence from computer device. Pro-discover is mostly used in digital forensics and incident response. By using Pro-discover tool, we can create a image of any disk drive or storage drive to analyse, discover the data for investigation. Some key features of Pro-discover includes: Preview and Image Disks Investigate all filesystems Analyse email artifacts and web Report generation (hash value or automatic) View Internet History You need to install first Pro-Discover basic software which is available freely. After that opening it, we will see the following launch dialog for creating a new project. Mention the project number and project file name on it and click open button. Standard format of Project Number is like  '001-HDD-1-27-07-2022'  and Project File Name is  'SampleDemo-001-HDD-1-27-07-2022'. Then click on the Capture and Add Image which is in the left h...
Read more