Data Artifacts, Analysis Results and Reporting in Autopsy 4.19+

  • Published 1 Jun 2024
  • This is a mini-course on Autopsy. See chapter times below.
    You might want to watch Part 1 first - Starting a new case in Autopsy: • Starting a New Digital...
    Autopsy is a free, open-source, full-featured digital forensic investigation toolkit. It is developed by Basis Technology and a large open-source community. You can use Autopsy as the basis for conducting a full digital forensic investigation, and you can extend it with modules written in Java and Python.
    Thank you to our Members and Patrons, but especially to our Investigators, TheRantingGeek and Roman! Thank you so much!
    We review the data artifacts and analysis results sections after ingesting a Windows 10 physical disk image in Autopsy 4.19. We walk through what each of the artifacts looks like and how they can be used in digital forensic investigations.
    During our forensic analysis of a Windows 10 disk image, we reconstruct nmap installation and usage as an example. Then we use Autopsy to produce an artifact report that we can use as a reference for our final forensic investigation report.
    00:00 Autopsy Data Artifacts
    00:41 Exploring the Windows 10 disk image
    01:50 Autopsy: Data Artifacts
    02:15 Installed Programs
    03:52 Metadata
    05:00 Operating System Information
    05:54 Recent Documents
    08:12 Recycle Bin
    08:48 Run Programs
    10:47 Run Programs - Verify with additional evidence
    12:27 Autopsy analysis procedure overview
    12:56 Shell Bags
    14:02 USB Device Attached
    15:25 Web Accounts
    15:52 Web Bookmarks
    16:00 Web Cache
    16:25 Web Cookies
    17:16 Web Downloads
    18:36 Web Form Autofill
    18:51 Web History
    19:45 Web Search
    21:55 Autopsy: Analysis Results
    22:00 Encryption Suspected
    22:36 EXIF Metadata
    23:23 Extension Mismatch Detected
    24:33 Interesting Files
    25:02 Keyword Hits
    27:29 Previously Unseen
    28:36 User Content Suspected
    28:49 Web Account Type
    29:32 Web Categories
    29:54 Artifacts and Results Overview
    30:10 Bookmarked items review
    31:01 Generate an artifact report based on bookmarks
    32:26 Example full Autopsy report
    32:41 How to use an Autopsy report
    33:36 Conclusions
    🚀 Full Digital Forensic Courses → learn.dfir.science
    Links:
    * Autopsy Software: www.autopsy.com/
    * HxD Hex Editor Software: mh-nexus.de/en/hxd/
    * Practice Data: Windows 10 multi-part disk image - archive.org/details/africa-df...
    Related Books:
    * Practical Linux Forensics: A Guide for Digital Investigators (amzn.to/3gzXCh9)
    * Digital Forensics with Open Source Tools (amzn.to/34FBrUe)
    #Autopsy #forensics #investigation #case #dfir
    Get more Digital Forensic Science
    👍 Subscribe → bit.ly/2Ij9Ojc
    ❤️ YT Member → bit.ly/DFIRSciMember
    ❤️ Patreon → / dfirscience
    🕸️ Blog → DFIR.Science
    🤖 Code → github.com/DFIRScience
    🐦 Follow → / dfirscience
    📰 DFIR Newsletter → bit.ly/DFIRNews
    Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Please link back to the original video. If you want to use this video for commercial purposes, please contact us first. We would love to see what you are doing.
  • Science & Technology

COMMENTS • 43

  • @forpaqk 2 years ago +1

    Excellent presentation and quality. Thank You!

  • @testuc375 2 years ago +3

    Quality content. Thank You!

    • @DFIRScience 2 years ago

      I hope it was helpful. Thanks a lot!

  • @RicondaRacing 1 year ago

    Wow, autopsy is awesome!

  • @muhdismailmuhdishak5527 1 year ago +3

    For those who are trying to download the necessary files to follow along with the video and can't see the same file content as the ones in the video, especially if vol 3 doesn't show the right files, you have to download all 15 EnCase files (i.e. 001Win10.E01-001Win10.E15). Torrent the entire folder, which should be about 15Gb.

    • @DFIRScience 1 year ago +1

      Thanks for that. The .E01 file is a "multi-part disk image." It's common to see them named E01, E02, E03...E0N. Sometimes you will see just .001, .002, .003... .00N. You need each part of the disk image to rebuild the whole image. Also, they all need to be in the same directory! Thanks for posting.
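
      A small pre-ingest check for the naming rule described in the reply above, added here as an example (it is not code from the video or from Autopsy): it scans a directory listing for EnCase segments (.E01, .E02, ...) and raw split segments (.001, .002, ...), groups them by image, and reports any gap, so a missing part like the one the commenters ran into shows up before the image is added as a data source. The listing is constructed inline; the EAA/EAB continuation after .E99 is EnCase's own convention and is handled on that assumption.

```python
"""Check that every segment of a multi-part disk image is present.

Added example, not part of the video or of Autopsy. It applies the naming
rule from the comment above: EnCase segments are .E01, .E02, ... (after
.E99 EnCase continues with .EAA, .EAB, ...), raw split images are .001,
.002, ... Every segment must be in the same directory so the tool can
rebuild the whole image.
"""
import re
from pathlib import Path
from typing import Dict, List

# "001Win10.E01" -> base "001Win10", ext "E01"; ".001"-style names also match.
SEGMENT_RE = re.compile(
    r"^(?P<base>.+)\.(?P<ext>E\d{2}|E[A-Z]{2}|\d{3})$", re.IGNORECASE
)


def segment_index(ext: str) -> int:
    """Map a segment extension to its 1-based position in the image."""
    ext = ext.upper()
    if ext.isdigit():            # raw split: "001" -> 1
        return int(ext)
    tail = ext[1:]               # strip the leading "E"
    if tail.isdigit():           # E01 .. E99
        return int(tail)
    # EnCase continues past E99 with two letters: EAA=100, EAB=101, ...
    return 100 + (ord(tail[0]) - ord("A")) * 26 + (ord(tail[1]) - ord("A"))


def group_segments(names: List[str]) -> Dict[str, List[int]]:
    """Group segment file names by image base name; indexes come back sorted."""
    groups: Dict[str, List[int]] = {}
    for name in names:
        m = SEGMENT_RE.match(Path(name).name)
        if m:
            groups.setdefault(m.group("base"), []).append(
                segment_index(m.group("ext"))
            )
    return {base: sorted(idx) for base, idx in groups.items()}


def missing_segments(indexes: List[int]) -> List[int]:
    """Gaps between segment 1 and the highest segment seen.

    A missing *last* segment cannot be detected from names alone; that
    needs the segment count stored in the image header, which is out of
    scope here.
    """
    present = set(indexes)
    return [i for i in range(1, max(indexes) + 1) if i not in present]


def check_listing(names: List[str]) -> Dict[str, dict]:
    """Per-image summary: segment count, highest index, gaps, completeness."""
    report: Dict[str, dict] = {}
    for base, idx in group_segments(names).items():
        gaps = missing_segments(idx)
        report[base] = {
            "segments": len(idx),
            "last": max(idx),
            "missing": gaps,
            "complete": not gaps,
        }
    return report


# Constructed sample listing (not taken from the archive): the complete
# 15-part image from the video next to a second image missing its third part.
SAMPLE_LISTING = [f"001Win10.E{n:02d}" for n in range(1, 16)] + [
    "evidence2.001", "evidence2.002", "evidence2.004", "notes.txt",
]

if __name__ == "__main__":
    for base, info in check_listing(SAMPLE_LISTING).items():
        status = "OK" if info["complete"] else f"MISSING {info['missing']}"
        print(f"{base}: {info['segments']} segment(s), last={info['last']}: {status}")
```

      Run it against a real directory with `check_listing(os.listdir(path))`; the same check works for a listing copied from a torrent client before the download is complete.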

    • @dubled2765 1 year ago

      @DFIRScience Where exactly is the link to that? When I click the link, the very long download has no E01 files at all. Please help! Thank you in advance!

  • @shraunakreddynayam1483 2 years ago

    This is Brilliant, Thank you so much for this video.👍

    • @shraunakreddynayam1483 2 years ago

      The link to download the image (001Win10.E01) does not provide all the content that we get to see here in this video. For example, under Data Artifacts I'm not getting Installed Programs, Recycle Bin etc., but here in the video you have all that. If possible, could you please let me know exactly which image is used for this tutorial? Once again, thanks for the video.

    • @DFIRScience 2 years ago

      The image should be the same! Did you select all the same processing modules? I didn't use a special config. Let me know if you don't find it.

    • @shraunakreddynayam1483 2 years ago

      Thank you so much for your response. Yes, it's the same image and I have selected all the modules except for "Encryption Detection", "Drone", "Plaso", iOS and Android. All the other modules have been checked and I'm using 4.19.3. Do I need to download any other image other than .E01? Not sure what I'm missing.

    • @muhdismailmuhdishak5527 1 year ago

      @shraunakreddynayam1483 Did you resolve this issue?

  • @batmanasdasd 2 years ago

    Great video!

  • @adrianmutimer3820 1 year ago +1

    This and the other videos in this series are superb. You have demystified the entire process for me in just a couple of hours! OK, but I have a couple of questions. 1. Has Autopsy been validated for all its functions, and where is that validation data? and 2. How does this program compare to, say, EnCase or AXIOM? Is it essentially the same?

    • @DFIRScience 1 year ago +1

      I'm glad it was helpful! To your questions: 1. Validation depends on your goals and standard operating procedure. Autopsy has been validated (and used in cases that made it to court), but you will need to validate specific functions yourself - and document it. Prior cases can be useful references, but nothing beats your own test documentation. 2. Autopsy is an 'all in one' tool just like EnCase and AXIOM, and all support writing additional custom modules (third-party modules). They will all do what is considered basic forensic processing and all have carving, hashing, keyword search. On top of that, each tool has specialty areas that they are better or worse at. For basic processing, essentially the same. It's the advanced stuff where they start to diverge.

  • @ajegun 8 months ago

    Hi, I have a question about Metadata artifacts: what is the difference between User ID and Owner of a document? And also the Last Printed Date?

  • @tony6261 3 months ago

    Can Autopsy retrieve video files from a formatted SD card that is formatted in exfat?

  • @dadobe20 2 years ago

    Product ID can be found under the "OS Info" section. But where is it possible to find the Product Key, or information related to hardware (CPU, monitor, eth/wifi cards...)? Thanks in advance. :)

    • @DFIRScience 2 years ago

      Default modules don't parse it, but Autopsy has a registry viewer where you can get it. I think there are third-party modules that parse it too. I'll look for the link.

  • @zoebryant4202 8 months ago

    Can you download the report to your computer? And if so, how?

  • @chenqinghung29 11 months ago

    Sir, can you tell me where to find MAC Address of the image file?

  • @papafredoo5554 2 years ago

    top class content

    • @DFIRScience 2 years ago

      Thanks a lot! I hope it was useful!

  • @muhdismailmuhdishak5527 1 year ago

    Hello sir,
    I tried adding 001Win10.E01 as a data source but nothing pops up in the data artifacts section and vol3 (NTFS...) cannot be opened. Please send help!

    • @DFIRScience 1 year ago

      Sorry I just saw this, but it looks like you figured it out!

  • @adrianmutimer3820 1 year ago

    Actually, I have another question. What I think I see here is a process where data is collected according to an initial hypothesis of guilt, and a story is built up that supports that hypothesis. The process starts biased and is then highly constructive on the part of the examiner in the same direction. And this process is well supported by the set of tools in Autopsy.
    What I *don't* see is anything in Autopsy, or tools like it, that assists the examiner in finding alternative explanations for evidence. An example will help make this clear: we find a drive has a set of .lnk files in unallocated space and with incriminating targets. In this case the building block of our story would be that the user interacted with the target files. All good - except what if the .lnk files are from a backup the user did of someone else's machine? Well, in this case there would be a mismatch of the MAC addresses of the .lnk files with the user's machine, but here is the problem: there is nothing in Autopsy to flag this up. What is most likely to happen is the examiner will go on to build on his incorrect foundation and misconstrue all the other evidence he finds as a result... This entire process, from hypothesis, to examination, to story-building bodes well for conviction but bodes badly for justice...
    You will surely be aware that there are about a gazillion ways in which evidence can be misconstrued like this, and it seems to me that what we have available to examiners is a set of tools that are good at finding inculpatory evidence in line with a guilty theory and hypothesis but not at all good at finding exculpatory evidence and assisting with an alternative hypothesis. Do you agree?

    • @DFIRScience 1 year ago +1

      Excellent question. I know what you're saying, but disagree. All software tools can find inculpatory and exculpatory evidence "equally." The .lnk file in your example could be exculpatory, depending on the claim under investigation.
      To your point, it is the investigator that brings their bias and focuses the investigation in a specific direction.
      In the video I have a fictional "suspect" to illustrate. Consider that to have the suspect's computer in the first place, police would have to have a warrant to seize the device, implying probable cause and signed off by the court. What's also missing from the video is the *suspect's statement*. We would have a claim, likely a victim statement, and a suspect statement (and anyone else related) that would also guide the investigation. But even with all that, the investigator could still focus on conviction and be biased... SO...
      In the U.S. cross-examination is used in court. The suspect('s lawyer) can provide an explanation for each piece of evidence proposed by the prosecution. They can even get their own forensic experts for the defense. Their experts may also be biased, but towards the defense.
      Now, the kicker - if an investigator is wrong, and is proven wrong, their qualifications as an expert may be questioned and they may not be able to submit future investigations to court! It's in the interest of an investigator (if they want to keep their job) to look for both inculpatory and exculpatory evidence.
      Tools parse and show the data as it is, there is *basically* no bias in the process (although error is possible). Investigators reconstruct events, and this is where bias can be introduced. Investigators usually also have a lot of information to start an investigation with, and if they don't check for exculpatory evidence they are likely to get smashed by a good lawyer. Even a good prosecutor will not move forward if they think the investigation was incomplete.
      Digital forensics is a small, but important, part of a whole justice system. I think all countries should allow experts for the defense access to case-related data for analysis. It ensures that bias, or just wrong conclusions, are challenged.

    • @adrianmutimer3820 1 year ago +1

      @DFIRScience Great reply and thank you. I am going to persist with my point. Please forgive the length of what follows.
      I'm in the UK (you're in Canada, right?) and we have the same process of probable cause - but it is susceptible to error. It is not a matter of public record, but I believe I know the Secretary of State here has used his powers to grant law enforcement the right to operate a super-computer that can track the movement of a database of illegal images and, when they see those files move in decent quantities over the course of two different days to the same IP address, they go get a search warrant. It's a good start, but it isn't conclusive, and by a looooong way. Nevertheless, it is this that first conditions the instruction to the digital forensic unit...
      Now consider the way the Digital Forensic Unit (lab) is typically hired. In most cases here the DFU will be given a box filled with the computers and drives confiscated during the search and will be told that the potential crime is the "making" of indecent images. The DFU does not benefit from any information the police may get from interview under caution because in this country the interview is done *after* the lab work and indeed is done on the *basis* of the lab work. It means the instruction to the lab is bald and in a single direction - the lab does not get the exculpatory statements of the suspect to use as an alternative theory. And, critically, at that point, neither the police nor the lab have any idea of the strength of the evidence that will be found on the drives. I add that the lab here is typically on a fixed fee and has every commercial reason to do no more than the job that was ordered. I also add that, in this country, most police units have conviction rates in relation to this crime above 95%. In other words, the initial intelligence is rarely found to be wrong. So, the inputs conditioning the thinking of the lab are very strong and they are all in one direction... The motivation is to get the goods on the suspect the quickest, cheapest way and get onto the next case.
      Now it is absolutely true that in the vast majority of cases the lab finds the suspect is "bang to rights" as we say in this country. There are 5000 images, they have incriminating titles, there are records of the suspect in chat rooms trying to find a source for these kinds of images, there are incriminating searches etc. The DFU would have to go to the wild edges of the extreme to find a viable alternative theory to fit the facts. BUT, that is not always the case...
      In this country we have a zero tolerance policy throughout the justice system in relation to crimes against children. It means that even if there is a single image, the process will move forward. So, from here on in let us consider only the cases where the evidence found by the lab is sparse.
      So, the lab cranks the handle and does their usual job. They find very little, but they report it forward. The police then conduct an interview and the suspect cannot make any sense of the evidence, the reason being that he is innocent and has never once even considered doing such a crime, nor has he ever considered how an illegal image could come to be on his system. Prosecution proceeds and, in the absence of exculpatory evidence, the jury convicts. Something went deeply wrong...
      It will help us get where I think we are going if I spell out an alternative process I think works better. It's simple; the lab should be hired by the police with an instruction to look for evidence of the crime *and* in the case where the evidence is found to be slim, to test all exculpatory possibilities. The effect of this would be that the interview under caution would be properly informed and the police could question the witness in the light of all of the possibilities. Furthermore, in the case where the interview under caution provides new exculpatory possibilities the lab should be required to test those possibilities in a second round of analysis.
      Now, I bet you are thinking "well, yes, of course the lab should test for all viable theories". But you can surely see why, in our system at least, they actually don't.
      I'll add a couple more disturbing facts. The third most common reason for miscarriages of justice in the UK is incorrect or misconstrued forensic evidence... We have a slew of truly horrific cases of this. The lives of innocent people were ruined.
      Also, the labs here are positively encouraged to "streamline" their process. What this means is, as soon as they have what they consider sufficient inculpatory evidence to convict with penalties at the highest level *they should stop their work and move on*. The reason is that the penalties imposed on the convict will be the same and given the ubiquity of this crime we have to use our resources in the UK maximally effectively - maximally effectively for the objective of conviction - not maximally effectively for the process of justice...
      So, you can most likely see that we have a set of procedural issues to fix in this country, but also I hope you can see the core of this is to considerably improve the process in the lab.
      What's your thinking about all this?
      Is the Canadian system better?

    • @DFIRScience 1 year ago +1

      @adrianmutimer3820 Hi Adrian - this discussion is very interesting. To your general points - yes, labs have incentive to finish quickly. Exculpatory evidence is by its very nature more difficult than inculpatory.
      Let's take your illegal images case. In most countries possession is not the crime - it is "knowingly possessing". This means that finding 5000 images is useless unless you can also show that someone *knew* about the images. I'm sure that standard is true in the U.K.
      It is not true that interviews only take place after the digital investigation. Initial interviews are conducted on-scene when seizing devices. So by the time of the 'full' interview you have:
      1. Intelligence that led to an investigation that justifies probable cause in the legal system.
      2. On-scene collection and initial interviews.
      3. Preliminary analysis of digital evidence.
      4. Suspect interview including digital evidence (and whatever else the investigator has).
      5. If 4. provides useful information, then we go back to 3.
      That procedure is true for pretty much every country.
      Now, assume the suspect is actually innocent and cannot explain evidence found in 3. If the investigator decides to continue, then it goes to court.
      There are a lot of opportunities for bias and failure at each step before that. But what you are missing in your scenario is 1. the interest of the court to actually uphold justice and 2. the defense.
      Assuming that through interviews and analysis the investigator finds enough evidence to prosecute the suspect, and the prosecution agrees -> that's already a high bar to reach.
      At that stage the suspect actually has to defend themselves. "I don't know" is likely no longer good enough.
      So they hire a lawyer. The prosecution normally has to provide the charges and main evidence. Basically the prosecution's story. The defense then has to build a story that refutes these claims.
      One way to do this is by getting a digital expert for the defense and showing that Lab X did not look for exculpatory evidence.
      If the defense can show this, then Lab X's reputation is damaged, and they may not get any future work! Same for investigators in a Police unit. If it's shown that you are not an expert, you may not be able to come back to court.
      So, yes. Bias can be injected into cases. But the investigation is not where a criminal case stops - it's where it begins. If labs are cutting corners to save money, eventually they will be smacked by a good defense.
      In most systems (like the U.K.), the burden of proof for conviction is quite high. It's not just "you have a picture, you're under arrest." In Ireland we spent a lot of time finding evidence the suspect knew about the images.
      So, in most countries, I can't agree that the procedure is flat-out wrong. The system is a lot of checks and balances, as it should be.
      What I will agree is that when you have labs that are incentivized to finish cases ASAP, a strong prosecution, and a weak and expensive defense system - then a lot of misjustice is possible.
      Defense lawyers - and quite often judges - all over the world are mostly terrible at understanding digital evidence. THAT is the true weakness in most systems. If you have a good (and probably expensive) defense lawyer, they will know how to challenge digital evidence that focused on inculpatory and not exculpatory.
      Note that I work with law enforcement, but I still want the defense to get better. A good defense will shore up a lot of your concerns. Until then, investigators can potentially cut corners.
      Does that make sense? Throw a good defense lawyer into your example, and the whole case would probably fall apart. Throw a bad defense lawyer in, and the prosecution can push how they want.

    • @adrianmutimer3820 1 year ago

      @DFIRScience
      Hi Dude,
      I hope your subscribers find this as interesting as we do! In what follows I will try to show you the large gap that I think exists between your system and ours. I expect you will be a bit shocked. So, I simplify your response and comment in between....
      ***************************
      Hi Adrian - this discussion is very interesting. To your general points - yes, labs have incentive to finish quickly. Exculpatory evidence is by its very nature more difficult than inculpatory.
      Let's take your illegal images case. In most countries possession is not the crime - it is "knowingly possessing". This means that finding 5000 images is useless unless you can also show that someone knew about the images. I'm sure that standard is true in the U.K.
      [Adrian - We have a "possession" law in which it is necessary for the prosecution to show knowledge, just as you say. But that law is rarely used here because it is hard to show knowledge. Normally, we prosecute a second law - the so-called "making" law. The essence of this is that if you deliberately made the image, you are guilty. However, case law has defined "making" extremely widely. So, opening an email attachment is "making", receiving a Word document with an illegal image embedded is "making", even a pop-up is "making", even merely seeing a thumbnail of an illegal image is "making". And making can be prosecuted and *is* prosecuted even where the single image is deleted and unavailable to the accused. In short, the law is draconian. That is where we start here.]
      It is not true that interviews only take place after the digital investigation. Initial interviews are conducted on-scene when seizing devices.
      [Adrian - I assume you mean in your jurisdiction. Not here. In fact, because we have a great many rules about how interviews must be done in the UK - there's a whole book of it - many police forces here ask no questions relative to the crime at all during the search. It's because if they ask questions not according to the rules the evidence will become inadmissible in court. They will ask only such things as, "where are the keys for this locker?" and so on. Please compute this difference.]
      So by the time of the 'full' interview you have:
      1. Intelligence that led to an investigation that justifies probable cause in the legal system.
      [Adrian - FYI, that evidence won't be used in the UK because it is capable of making public the methods used by law enforcement. But it is given to the lab.]
      2. On-scene collection and initial interviews.
      [Adrian - See above]
      3. Preliminary analysis of digital evidence.
      [Adrian - Here, typically, this initial analysis is the only analysis - there are no iterations. The work is done once, complete with all the biases we have thus far discussed.]
      4. Suspect interview including digital evidence (and whatever else the investigator has).
      [Adrian - The interview will be based on the analysis.... I explain that here the interview never rises to a dispassionate review of the evidence because that is not its objective. The objective is to get a confession. If that happens, the rest of the justice system is unworked and the police can move on...]
      5. If 4. provides useful information, then we go back to 3.
      That procedure is true for pretty much every country.
      [Adrian - By now, you are aware that this is not so in the UK.]
      Now, assume the suspect is actually innocent and cannot explain evidence found in 3. If the investigator decides to continue, then it goes to court.
      [Adrian - I need to explain that the position here is very asymmetric and there are big incentives for accused people here to plead guilty. If they do so early they gain "credit", meaning any sentence they get will be reduced. We have a financial anomaly here too, which is that even if an accused person wins in court there is still what is referred to here as the "innocent fine". It is the difference between what it will cost him to go to court and the amount the court will refund. In cases like these that fine will typically be £5000.
      Now, couple these two with the complete and utter inability of the accused person to understand what has happened - he's innocent - he has no idea how the images got there; furthermore, he has no idea of how images like that could in any way possibly have got on his system. When the police ask him and when his defence lawyer asks him "do you have any idea how these images came to be on your system?" he has no idea. He is at a dead loss. He has now only got the option of hiring a DFU at further cost to himself on the off-chance that the DFU will be able to find out what happened. So, it's a game of poker... This in no way resembles justice.
      To get justice the UK would have to require labs to do as I suggested before.]
      There are a lot of opportunities for bias and failure at each step before that. But what you are missing in your scenario is 1. the interest of the court to actually uphold justice and 2. the defense.
      [Adrian - By the time we get to court the de facto fine and the loss of credit are already unrecoverable costs to the defendant...]
      Assuming that through interviews and analysis the investigator finds enough evidence to prosecute the suspect, and the prosecution agrees -> that's already a high bar to reach.
      [Adrian - No. Not here. The bar for "making" is extremely low. See above.]
      At that stage the suspect actually has to defend themselves. "I don't know" is likely no longer good enough.
      [Adrian - Exactly. If you have followed the UK system as I have described it, you will see that the mere existence of the image and the inability to explain it will probably get the accused convicted.]
      So they hire a lawyer. The prosecution normally has to provide the charges and main evidence. Basically what the prosecution's story. The defense then has to build a story that refutes these claims. One way to do this is by getting a digital expert for the defense and showing that Lab X did not look for exculpatory evidence.
      [Adrian - You cannot show that a lab did that. In order to make your case you will have to (i) get access to the raw data, on the off-chance that it can reveal something that assists you in your defence, and then find the exculpatory data yourself, which, as you rightly say, is more difficult... and you will do this at unrecoverable cost and with no certainty that you will find what you need...]
      If the defense can show this, then Lab X's reputation is damaged, and they may not get any future work! Same for investigators in a Police unit. If it's shown that you are not an expert, you may not be able to come back to court.
      [Adrian - The required qualification for labs doing this kind of work is ISO 17025, and, in the UK, almost no lab has it... But, even if they did, it will not in and of itself ensure a symmetrical approach to analysis.]
      So, yes. Bias can be injected into cases. But the investigation is not where a criminal case stops - it's where it begins. If labs are cutting corners to save money, eventually they will be smacked by a good defense.
      [Adrian - "Eventually" is no good to the people that have already been falsely convicted by the work of the lab. I remind you, we have a history of false convictions here, and these are only the cases that have been retried... there are certainly many more. We need a major systematic change. Fundamental to that change is a new approach in the lab.]
      In most systems (like the U.K.), the burden of proof for conviction is quite high. It's not just "you have a picture, you're under arrest." In Ireland we spent a lot of time finding evidence the suspect knew about the images.
      [Adrian - Not in the UK. We have de facto reverse onus (lost presumption of innocence), a draconian "making" law, zero tolerance, an asymmetric pleading environment and a DFU system biased by several factors we have between us shown here in our exchange. Anyone who wants to understand why these cases go wrong does not have to look far. It is staring at us.]
      So, in most countries, I can't agree that the procedure is flat-out wrong. The system is a lot of checks and balances, as it should be.
      What I will agree is that when you have labs that are incentivized to finish cases ASAP, a strong prosecution, and a weak and expensive defense system - then a lot of misjustice is possible.
      Defense lawyers - and quite often judges - all over the world are mostly terrible at understanding digital evidence. THAT is the true weakness in most systems. If you have a good (and probably expensive) defense lawyer, they will know how to challenge digital evidence that focused on inculpatory and not exculpatory.
      Note that I work with law enforcement, but I still want the defense to get better. A good defense will shore up a lot of your concerns. Until then, investigators can potentially cut corners.
      Does that make sense? Throw a good defense lawyer into your example, and the whole case would probably fall apart. Throw a bad defense lawyer in, and the prosecution can push how they want.
      [Adrian - Yes, everything you say makes sense and I agree completely that defence and judges and especially juries (!) are hopelessly bad at understanding digital evidence. The problem there is that an accused here will often hear from his barrister "look, *I* understand what you did and how the image came to be on your system, but try explaining that to a jury. Half of them can't even add an attachment to an email!"
      The several factors I have listed here are why it is so important for labs to do the work I suggest...If it isn't done, then the whole justice system just falls over like a line of dominoes. The police get extremely high conviction rates...but justice is lost. ]

  • @danielhinton1267
    @danielhinton1267 1 year ago

    Is it possible to recover information from Whatsapp/Signal using Autopsy?

  • @skywalk3er711
    @skywalk3er711 2 years ago

    Hello, I have some error when uploading the new data source to exivbit002 (error processing unallocated)

    • @DFIRScience
      @DFIRScience  2 years ago +1

      Can you give more details about the type of image you are processing?

    • @skywalk3er711
      @skywalk3er711 2 years ago

      @@DFIRScience Error Processing Unalloc_66 with photo rec carver

  • @cybercarl
    @cybercarl 2 years ago

    Top Notch

  • @qwerty.760
    @qwerty.760 2 years ago

    Please reply sir. The "Data Artifacts" section is empty when I take physical image of my test mobile phone and analyze it on Autopsy. I have done detailed activity on the phone before taking the image. Any help would be highly appreciated since I have searched on the internet and cannot find an answer.

    • @DFIRScience
      @DFIRScience  2 years ago

      1. What type of phone? 2. Make sure you are selecting the ALEAPP module for Android or the iLEAPP module for iPhone. 3. What type of phone dump is it? You may need to extract the contents from a container (like UFDR) first before processing with Autopsy.

  • @adrianmutimer3820
    @adrianmutimer3820 1 year ago

    Hi Dude,
    Three questions. Sorry to go on at you like this.
    1. Based on your comment elsewhere in this comments section, can you explain why it is that you consider exculpatory evidence is by its very nature harder to find and make sense of than inculpatory evidence?
    2. If you could add new tools to Autopsy that could help you find exculpatory evidence, what would they be?
    3. This question is longer. In many other branches of forensic science there are standard methods, but there are no such methods in digital forensic science. Equally, in other branches of forensic science there is a body of research work that sits alongside the methods that strengthen and validate them, but no such thing exists with digital forensic science. An imaginary example will get this over. Imagine we find a dead body, partially decayed and out in the woods. We suspect the victim was poisoned. We run a set of tests for commonly used poisons and we find poison chemical XXX. But there is a body of research that shows that XXX is also to be found in the mouths of predators...The research also shows us that wherever XXX is found by cause of the actions of predators chemical YYY is also invariably present. We do a second test for chemical YYY and we find it absent...We now have some good, validated evidence that this victim was poisoned. But there is nothing analogous to all this in digital forensic science. There are no standard methods, no body of research, no methods for validation. In digital forensic science, we find chemical XXX and we move on...My question is, do you agree with my assertions here and do you think there is scope for improvement?
    😀😀😀😀😀😀😀😀
    A

    • @adrianmutimer3820
      @adrianmutimer3820 1 year ago

      Did I ask too much?

    • @DFIRScience
      @DFIRScience  1 year ago

      Hello!
      1. With criminal investigations, questions (and hypotheses) are formed around what took place regarding the overall claim. If it is with a criminal investigator, the claim is some criminal act. This sets the investigator up for looking at inculpatory evidence first. Depending on the crime, and how law is written, and how good the defense is, it may be easy to stop at inculpatory. Meanwhile, exculpatory evidence is part of the overall story of what happened, and it might be on a very different investigation thread than the inculpatory evidence. This means an investigator has to specifically look for that thread, even if there is no evidence that the thread exists.
      2. Exculpatory evidence and inculpatory evidence are the same things to forensic tools: data. What I would add to make more/stronger exculpatory evidence are more capable defense lawyers. When the court can ask for technically-plausible alternatives, investigators are pushed to look for alternative hypotheses.
      3. Your #3 claim is incorrect. Digital forensics has industry-standard practices, a large corpus of formal research to back up practices, and methods for validation. Even the AAFS accepts digital forensics as a branch of forensic science. So I don't agree with the #3 claim, but your question at the end -> "is there scope for improvement?" Absolutely! There is scope for improvement in all science and justice systems. Investigation *is* science. We are taking an unknown and trying to know something about it. By its very nature, there is no "perfect" investigation, just like there is no "perfect" justice. But now we're getting into philosophy.

    • @adrianmutimer3820
      @adrianmutimer3820 1 year ago

      @@DFIRScience Hail Groover!
      Your answers are superb. I get more sense from you in two hundred words than I do out of some people in 10 000. Can I pick up in relation to your answer to question 3? DFUs in the UK use a document produced by our Forensic Science Regulator titled "Method Validation in Digital Forensics (FSR-G-218)". At position 3.4.2 we get "There are no standard methods in digital forensic science..." This explains why when DFUs get accreditation to 17025 their scope of accreditation does not refer to standard methods as you might find in other areas of forensic science - instead you will typically see something like "Documented in-house methods using Autopsy". How do you square that with your answer? Is there a middle ground that I am missing?
      You are very critical of the quality of the defence lawyers you have encountered. I am too. It seems to be just as you say; because they do not understand the process of digital forensic science they cannot conceive of alternative theories to fit the facts, nor can they conceive of the possibility of other facts that might be found in the data if they were searched for that might generate and support alternative theories. I have found this with lawyers widely - I think I could make you laugh out loud with the stories I've got. But, anyway, this is one of the main reasons why I am so concerned that the DFU should do that work. If they don't do it, it probably won't happen and the line of dominoes in the justice system *will* fall over...it has here, quite often. Years, sometimes decades, later the justice system takes responsibility for shattering the entire lives of innocent people. It's not justice, actually it is the exact opposite, and we have to do better here.