Analysis using Autopsy

Now that we've created our case, added host information with appropriate directories, and added our acquired image, we get to the analysis stage.

After clicking on the ANALYZE button (see the previous screenshot), we're presented with several options in the form of tabs, with which to begin our investigation:

Let's look at the details of the image by clicking on the IMAGE DETAILS tab. In the following snippet, we can see the Volume Serial Number and the operating system (Version) listed as Windows XP:

Next, we click on the FILE ANALYSIS tab. This mode opens into File Browsing Mode, which allows the examination of directories and files within the image. Directories within the image are listed by default in the main view area:

In File Browsing Mode, directories are listed with the Current Directory specified as C:/.

For each directory and file, there are fields showing when the item was WRITTEN, ACCESSED, CHANGED, and CREATED, along with its size and META data:

  • WRITTEN: The date and time the file was last written to
  • ACCESSED: The date and time the file was last accessed (only the date is accurate)
  • CHANGED: The date and time the descriptive data of the file was modified
  • CREATED: The date and time the file was created
  • META: Metadata describing the file, including its on-disk address and attributes:

For integrity purposes, MD5 hashes of all files can be made by clicking on the GENERATE MD5 LIST OF FILES button.

Investigators can also make notes about files, times, anomalies, and so on, by clicking on the ADD NOTE button:

The left pane contains four main features that we will be using:

  • Directory Seek: Allows for the searching of directories
  • File Name Search: Allows for the searching of files by filename or Perl regular expression
  • ALL DELETED FILES: Searches the image for deleted files
  • EXPAND DIRECTORIES: Expands all directories for easier viewing of contents

By clicking on EXPAND DIRECTORIES, all contents are easily viewable and accessible within the left pane and main window. The + next to a directory indicates that it can be further expanded to view subdirectories (++) and their contents:

To view deleted files, we click on the ALL DELETED FILES button in the left pane. Deleted files are marked in red and also adhere to the same format of WRITTEN, ACCESSED, CHANGED, and CREATED times.

From the following screenshot, we can see that the image contains two deleted files:

We can also view more information about a file by clicking on its META entry. By viewing the metadata entries of a file (last column to the right), we can also view the hexadecimal contents of the file, whose header bytes may reveal the file's true type, even if the extension was changed.

In the preceding screenshot, the second deleted file (file7.hmm) has a peculiar file extension of .hmm.

Click on the META entry (31-128-3) to view the metadata:

Under the Attributes section, click on the first cluster labelled 1066 to view header information of the file:

We can see that the first entry is .JFIF, which is an abbreviation for JPEG File Interchange Format. This means that the file7.hmm file is an image file, but had its extension changed to .hmm.
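The two checks described above, hashing files for the integrity list and comparing a file's claimed extension with its header signature, can be scripted. The following Python is an added example and is not part of the book or of Autopsy; it uses a constructed stand-in for file7.hmm (a minimal JFIF header saved under a .hmm name) and a small signature table that is an assumption.

```python
import hashlib
import os
import tempfile

# Constructed signature table (an assumption): leading bytes of a few common
# formats. The JPEG entry is the case shown for file7.hmm in the text; a JFIF
# file additionally carries the ASCII string "JFIF" at offset 6.
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
}
ALIASES = {"jpeg": "jpg"}  # extensions that name the same format

def identify_by_header(path, nbytes=16):
    """Return the format implied by the file's leading bytes, or None."""
    with open(path, "rb") as f:
        header = f.read(nbytes)
    for magic, fmt in SIGNATURES.items():
        if header.startswith(magic):
            return fmt
    return None

def md5_of_file(path):
    """Hex MD5 of the whole file, as in Autopsy's 'generate MD5 list'."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_extension(path):
    """Compare the claimed extension with the header-derived format."""
    ext = os.path.splitext(path)[1].lstrip(".").lower() or None
    claimed = ALIASES.get(ext, ext)
    actual = identify_by_header(path)
    return {"path": path, "claimed": claimed, "actual": actual,
            "mismatch": actual is not None and claimed != actual,
            "md5": md5_of_file(path)}

def demo_file7():
    """Constructed stand-in for file7.hmm: a JFIF header renamed to .hmm."""
    jfif = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    path = os.path.join(tempfile.mkdtemp(), "file7.hmm")
    with open(path, "wb") as f:
        f.write(jfif)
    return check_extension(path)

if __name__ == "__main__":
    print(demo_file7())
```

On the constructed file the script reports a claimed extension of hmm, a header-derived format of jpg, and flags the mismatch, which is what the JFIF entry in Autopsy's hex view showed.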
