Amazing tutorial. I appreciate the thoroughness of explaining the modules, and also providing real world tips! Subscribed!
Hi bro,
I have a few questions:
1- What service and what account triggered the alert?
2- What kind of system runs on the targeted server? (OS, CPU, etc.)
3- What processes were running on the targeted server?
4- What are the attacker's IP and target IP addresses?
5- What service was attacked?
6- What attacks were launched against the targeted servers?
7- What flaws or vulnerabilities did he exploit?
8- Were the attacks successful? Did some fail?
9- What did the attacker obtain with the attacks?
10- Did the attacker download files? Which ones? Give a quick analysis of those files.
11- What can you say about the attacker? (Motivation, skills, etc.)
12- Do you think these attacks were automated? Why?
13- What could have prevented the attacks?
How do I find answers to the above questions for the given .raw file format?
what attackers? you're paranoid, bro
Will it show or recover files if a person formatted the disk and then installed a new Windows on it??? Thanks
Depends. The new operating system surely overwrote existing files, but unless the remainder of the drive was run through BleachBit or overwritten with 0's several times, then yes, absolutely. You can pull files off of a formatted drive. Formatting a drive only changes a very tiny portion of the drive at the very beginning and end (depending on the partition table type)... The rest of the drive remains unchanged. The data exist on the drive, but there are no "pointers" to it in the filesystem.... no address, no metadata, no inodes. Imagine owning an island covered in buried treasure, but your map got deleted. Everything is still there under the surface, but it's likely lost... unless you have Autopsy
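The reply above is the whole idea behind file carving: a format rewrites the small metadata region at the front of the volume, while the data sectors keep their contents, so a tool that scans for known file headers and footers can recover files without any filesystem pointers. The script below is an added illustration, not code from the video, from the commenter or from Autopsy itself. It assumes a constructed toy image with a made-up file table in the first four sectors (the layout, the `SAMPLE_FILES` contents and the table format are all inventions for the demo; the JPEG and PNG magic values are the real ones), "quick formats" it by zeroing only that region, and then carves the files back by signature.

```python
"""Signature-based file carving over a constructed raw image (added example)."""
import struct

SECTOR = 512
META_SECTORS = 4                         # toy "partition table + file table" region
TABLE_ENTRY = struct.Struct("<8sII")     # name, byte offset, byte length (invented format)

# Real header/footer magic values that carving tools key on.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

# Constructed sample files: valid header/footer framing around dummy payloads.
SAMPLE_FILES = [
    (b"photo", b"\xff\xd8\xff\xe0" + b"JFIF-PAYLOAD" * 20 + b"\xff\xd9"),
    (b"logo", b"\x89PNG\r\n\x1a\n" + b"\x00" * 100 + b"IEND\xaeB`\x82"),
]


def build_image(files):
    """Lay the files out sector-aligned after the metadata region and record
    each one's offset and length in the toy file table at the front."""
    table = bytearray()
    body = bytearray()
    offset = META_SECTORS * SECTOR
    for name, data in files:
        table += TABLE_ENTRY.pack(name, offset, len(data))
        padded = data + b"\x00" * (-len(data) % SECTOR)   # pad to a sector boundary
        body += padded
        offset += len(padded)
    meta = bytes(table).ljust(META_SECTORS * SECTOR, b"\x00")
    return meta + bytes(body)


def quick_format(image):
    """Simulate a quick format: only the metadata sectors are rewritten;
    every data sector keeps its old contents."""
    return b"\x00" * (META_SECTORS * SECTOR) + image[META_SECTORS * SECTOR:]


def read_file_table(image):
    """Walk the toy file table the way a filesystem driver would.
    After a format there are no entries, so the files look gone."""
    entries = []
    for pos in range(0, META_SECTORS * SECTOR, TABLE_ENTRY.size):
        name, offset, length = TABLE_ENTRY.unpack_from(image, pos)
        if length == 0:
            break
        entries.append((name.rstrip(b"\x00").decode(), offset, length))
    return entries


def carve(image):
    """Ignore the file table and recover files purely from content: find each
    header, then the next matching footer. Returns (type, offset, bytes)."""
    found = []
    for ftype, (head, tail) in SIGNATURES.items():
        start = 0
        while True:
            h = image.find(head, start)
            if h < 0:
                break
            t = image.find(tail, h + len(head))
            if t < 0:
                break
            end = t + len(tail)
            found.append((ftype, h, image[h:end]))
            start = end
    found.sort(key=lambda item: item[1])
    return found


if __name__ == "__main__":
    image = build_image(SAMPLE_FILES)
    print("before format:", read_file_table(image))
    wiped = quick_format(image)
    print("after format: ", read_file_table(wiped))
    for ftype, offset, data in carve(wiped):
        print(f"carved {ftype} at byte {offset}, {len(data)} bytes intact")
```

Run it and the file table is empty after the "format" while both files carve back byte-for-byte from the data area. Production carvers (Autopsy's PhotoRec ingest module, for instance) have to cope with fragmented files, headers without a footer, and false positives from signature bytes occurring inside other data, which this toy scan does not handle. The same scan also shows why the commenter's caveat matters: once the data sectors themselves are overwritten with zeros, there is no header left to find.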
I want you to please add various possible practicals that can be performed using Autopsy 4.5; your explanation is great.
Good Video on Autopsy. Informative and like the clarity of different concepts. It was very helpful with a class project!
I appreciate your detail explanations. Keep these videos coming. Thx
The background music is loud, lol. Thank you for your time to make this video.
Great introduction overview, I hope you plan to do more of these for Autopsy.
Sure can. Do you have anything specific in mind?
More tricks and tips, maybe something that shows how to optimize, that is, better use the ingest functions, or if possible, how to list all files and folders along with metadata recursively so that you can load it into a spreadsheet for a detailed time analysis. Thanks
File meta-data export: ua-cam.com/video/4lDmb-jRp5k/v-deo.html
Excellent overview of timeline analysis, thanks much!
I'm just now using Autopsy. Is it possible to pull wireless activity/SSID information using this tool? My PC is hard-wired, so I don't know if it is possible or not.
Yes. If you set up the correlation engine it will be extracted and sent to the correlation database.
Thanks so much for making this. Helps a lot.
Piggybacking off of the meta data portion, is there any steganalysis capability?
No steganalysis built-in, but I have seen some third-party modules trying to do it.
I accidentally deleted my BitLocker-protected drive. How can I get my data back? I can't afford a recovery service. Please help, or any suggestions other than a recovery service center... Thanks
Anthem Nations Restore the partition, re-mount and unlock if you have the key.
I'm analyzing a memdump file for more than 2 hours, but progress shows zero %. Why?
Hi, any idea how to locate the exact file location in the storage drive using Autopsy?
In the file/data of interest, right click and look at the properties. That should give you some info on the location.
Awesome tutorial. But how is it possible to obtain information related to HARDWARE? (cpu, wifi card, monitor, ...). Thx!!
Default modules do not list hardware. You'd have to look through Autopsy's registry viewer to try to piece together info about the hardware you're interested in.
Thanks, helpful information
THANK YOU!
17:23 WW2 flashbacks started to kick in.
Good informative video.
From where can I get the same sample ISO file?
Here you are: downloads.digitalcorpora.org/corpora/scenarios/2011-nps-1weapondeletion/
@DFIRScience thank you
Thanks a LOT, Dude! highfive
great video thx a lot
amazing thank you.
great stuff man ;)
33:52 Saunalahti mentioned -> to the market square!
I had to pause the video within the first minute in order to write this comment: I wish I could mute the background music - it is so distracting! Your videos are very thorough, your style of explaining things is simply awesome, but I find it difficult to focus on what you're saying because of the background.
Yeah, sorry about that. I stopped using BGM in all new videos because it was distracting. Thanks for the comment!
@DFIRScience Thanks for the quick reply, really appreciated.
How can I extract all files?
What is the password of this file?
There is no password. The image can be found here: downloads.digitalcorpora.org/corpora/scenarios/2011-nps-4drugtraffic/
HAHA Windows Explorer 9!! The recommended browser for Windows Vista! HAHA
Super useful! How do you find a list of remote computers that connected to the suspect's computer?