Seriously the best introductory/basic-workflow Autopsy video I've watched. I absolutely love that you give additional detail about the modules, and that you explained your workflow.
I just got my sec+ cert CompTIA and decided forensics is what I love and need to do so I agree! When I watched this video it made me entrench myself in my decision to pursue forensics in the cyber security community. Thank you
Superb explanation. I am now 100% confident going in for my final exam. We will be examining an E01 file using Autopsy for one part of the final. This video provided me with a perfectly sensible workflow that I can follow.
thank you master for the basic introduction of using autospy in digital forensic. i have watch the video is very interesting. my gratitude and wish you all the best
Thanks for the tutorial! I'm a criminal law student so Digital Forensic Investigation is really interesting. I've always wondered how gathering digital evidence works. I learned a lot from your tutorial!
Want to thank you for the time you put into your content. You are pretty much the only forensics UA-cam channel that consistently produces great content. Well done my friend, and thank you.
Thank you so much for this! Do you happen to have a video or guide on how to upload an iPhone or Apple device into FTK imager to create a readable format for autopsy?
This is great stuff thanks. One question. At time code 33:24 when talking about substrings I noted 2 files of the same name however one has -slack on the end. Does this mean the file appears twice once in slack space?
Thank you for the best video. I have one doubt, though. During the case creation, we can add M5. However, we cannot add SHA512. there is only the option of adding SHA256.
Great video! What other steps can be taken to be able to view content of a carved deleted file which was unallocated and not viewable using the application feature in Autopsy? Is it possible to rebuild those kinda files to view the contents? Thanks.
If some file data was successfully carved, but is not showing in the "Application" tab, then the data may not be complete or is otherwise corrupted. You can try exporting the file (right click on the file and click "Extract File(s)") and try to open it with a viewer on your computer. If that still doesn't work, then you can view the structure of the data in the hex viewer "Hex" tab. It really depends on what, where and how much data is missing or corrupt as to whether you can reconstruct the file. You might also try using PhotoRec directly to recover data of the file type you are interested in. You might get lucky. www.cgsecurity.org/wiki/PhotoRec
Thank you so much for this, you are very thorough and provide a high level overview in this video of the various ingest modules which is very helpful. I do have one question though and perhaps this comes later in the video or another video on your channel. When is the best time to configure the settings of Autopsy outside of a case? I would assume it would be prior to starting the first case on my machine. My question really applies to configuring things like the temporary directory of autopsy, changing the central repository, etc etc.
Great question. Some settings you will know what makes sense for your computer/lab setup. Some settings are more case-dependent, or you will learn to tweak to your specific needs over time. Open up a test case in Autopsy and configure the Autopsy global settings how you want. This is when I add NSRL hashes, configure remote repositories, etc. Then close/delete the test case and Autopsy will remember your global settings when you open your real case. Don't be afraid to go back and change settings to try to get better performance. Sometimes they also add new features that need configured.
how do i create a disk image, i want to practise on my own machine and recover things ive deleted from it but cant find anything on how to create a disk image that i can use for autopsy
sir, I just wanted to know how did you downloaded the data artifacts module. Because when I do, my all files are extracted except data artifacts module
Hello sir, I have a question. 4 days ago i was creating a new case with disk image file from a 500gb HDD, and it still anlyzing till today... what if when the analyzing progress is finished, then i close the autopsy and turn off my laptop and then open it again... does it need to re run the analyzing progress again or not? Please help me cuz my laptop is running for 4 days till now. Thanks :) Sorry for bad english :D
Amazing video! Nevertheless, it would have been better to use the dd/ISO files that NIST put at disposal to see all the functionalities of the software
That's true. I used a smaller data set for fast processing, and realized my mistake when I wanted to show OS artifacts... I'll have to fix that! Thank you.
You can do previews, and the media utility hash some additional functionality. For in-depth processing like video spliced in video there is not a default detector (might be an external plugin). What were you thinking?
Here are the hashes for SuspectData.dd %%%% HASHDEEP-1.0 %%%% size,md5,sha256,filename ## $ hashdeep SuspectData.dd ## 31457280,efbf30672c4eb3713b7f639f16944fd3,6baed29520499d2d5c44c32a0f3a8a08cbe92c47b4e00101b1041d14f9a579e2,SuspectData.dd
You will need to mount the encrypted partition first. If you are using Windows the easiest way is probably to use Arsenal Recon's Arsenal Image Mounter -> arsenalrecon.com/products/arsenal-image-mounter
@@DFIRScience any of the emails. I don’t have the same options as you do in the video. I processed with the emails ingest but I don’t see a section for it in your video or in my Autopsy. The last one (4.18) had a section that said “Emails”
@@tammyrhodes3823 The image I used this time did not have a local email container PST/OST. That's why it didn't show up in my view. For example, if the user always uses email in their browser, they likely won't have a PST file locally. If they use an application like Microsoft Outlook, then they probably will. What application do you think the user was using on the system you are looking at?
Thank you so much! One of the easiest things you can do is create a Twitter account and follow people that talk about digital forensics. A lot of DFIR-related people are there and always posting some amazing information. Going to college really depends on what kinds of investigations you want to do. Some people go to college and some people don't. Either can be successful, and both require a lot of work. This field does take a lot of study, so being able to do experiments is a good skill. Email me if you have any specific questions: bit.ly/DFIRSciContact
In the description of this video I give a link to the test disk image. Download Autopsy and the test data and try for yourself! Let me know if you have any questions or need any help!
@@DFIRScience yes absolutely, just another data in my toolset. Even though I don't use it now, I still find a way to enjoy learning and reenforcing the concepts. I am currently a Windows Forensics student at SANS. So much to learn for the GCFA. Thank you for sharing.
depending on what editor you are using. if you are taking notes in a text document, from the shell you can do "date >> filename" to get a timestamp added to the end of the file. If you are using vi, you can do :r !date to add a date stamp into the file you are editing.
![Lp. Сердце Вселенной #60 РОЖДЕНИЕ ЛОЛОЛОШКИ [Финал] • Майнкрафт](http://i.ytimg.com/vi/YoR0pAV9FVQ/mqdefault.jpg)
Seriously the best introductory/basic-workflow Autopsy video I've watched. I absolutely love that you give additional detail about the modules, and that you explained your workflow.
I just got my sec+ cert CompTIA and decided forensics is what I love and need to do so I agree! When I watched this video it made me entrench myself in my decision to pursue forensics in the cyber security community. Thank you
agreed!
Superb explanation. I am now 100% confident going in for my final exam. We will be examining an E01 file using Autopsy for one part of the final. This video provided me with a perfectly sensible workflow that I can follow.
Exactly what I was looking for to complete an assignment. Thank you!
after trying around 5-11 videos this is the only one that i found working
I hope it was helpful. Let me know if you have any questions.
thank you master for the basic introduction of using autospy in digital forensic. i have watch the video is very interesting. my gratitude and wish you all the best
Very thorough explanation! Your videos have been pointed to by one of my college professors.
Love the cat pictures as a stand-in for criminal evidence. Very cute.
Thanks for the tutorial! I'm a criminal law student so Digital Forensic Investigation is really interesting. I've always wondered how gathering digital evidence works. I learned a lot from your tutorial!
Wow! This is really great!!! Information is loved!!!!
This is better information than my textbook. Thank you
Want to thank you for the time you put into your content. You are pretty much the only forensics UA-cam channel that consistently produces great content. Well done my friend, and thank you.
Thank you so much for the kind words. I appreciate it. Let me know if you have any questions or topics you'd like to see.
With what program do you get the the disk image from the beggining like how do you extract it from the phone ?
Very interesting material for someone starting in the IR team. Great video!
I thoroughly enjoyed it! Thanks for the great tutorial.
Thank you for this well made tutorial!
I hope it was helpful!
The link in your description for sample data doesn't contain the hash file that is in the video. it only has an image .dd file. How do I proceed ?
This is amazing video with great works very well
Glad that I found your channel 👍🏽👍🏽
Glad you're here! Let me know if you have any questions. :D
FTK and Autopsy are the one's I always use. Great vid.
awesome tutorial for learning the Autopsy tool! Can you also share some good sources for getting forensic images for data recovery challenges?
Nice video, well done, thanks for sharing it with us :)
Thank you so much for this! Do you happen to have a video or guide on how to upload an iPhone or Apple device into FTK imager to create a readable format for autopsy?
TNice tutorials was very helpful thankyou.
This is great stuff thanks. One question. At time code 33:24 when talking about substrings I noted 2 files of the same name however one has -slack on the end. Does this mean the file appears twice once in slack space?
Found a new DFIR channel gem
One word, amazing
Thank you for the best video. I have one doubt, though. During the case creation, we can add M5. However, we cannot add SHA512. there is only the option of adding SHA256.
Excellent content as always!
Thank you so much!
Thank You. This was helpful
Great explanation, thanks
Awesome tutorial, thanks a lot
Great video!
What other steps can be taken to be able to view content of a carved deleted file which was unallocated and not viewable using the application feature in Autopsy?
Is it possible to rebuild those kinda files to view the contents? Thanks.
If some file data was successfully carved, but is not showing in the "Application" tab, then the data may not be complete or is otherwise corrupted. You can try exporting the file (right click on the file and click "Extract File(s)") and try to open it with a viewer on your computer. If that still doesn't work, then you can view the structure of the data in the hex viewer "Hex" tab.
It really depends on what, where and how much data is missing or corrupt as to whether you can reconstruct the file.
You might also try using PhotoRec directly to recover data of the file type you are interested in. You might get lucky. www.cgsecurity.org/wiki/PhotoRec
This is good. Thanks for this.
I hope it was helpful!
I have an image file on an external HD I run autopsy and it parses through and says finished but it will never load the image in.
Thank you so much for this, you are very thorough and provide a high level overview in this video of the various ingest modules which is very helpful. I do have one question though and perhaps this comes later in the video or another video on your channel. When is the best time to configure the settings of Autopsy outside of a case? I would assume it would be prior to starting the first case on my machine. My question really applies to configuring things like the temporary directory of autopsy, changing the central repository, etc etc.
Great question. Some settings you will know what makes sense for your computer/lab setup. Some settings are more case-dependent, or you will learn to tweak to your specific needs over time.
Open up a test case in Autopsy and configure the Autopsy global settings how you want. This is when I add NSRL hashes, configure remote repositories, etc. Then close/delete the test case and Autopsy will remember your global settings when you open your real case.
Don't be afraid to go back and change settings to try to get better performance. Sometimes they also add new features that need configured.
how do i create a disk image, i want to practise on my own machine and recover things ive deleted from it but cant find anything on how to create a disk image that i can use for autopsy
I want to learn how to track devices like phones and PC. Pls I need advice on how and where to start from. Thank you to anyone helping me out on this
sir, I just wanted to know how did you downloaded the data artifacts module. Because when I do, my all files are extracted except data artifacts module
I installed libscca-tools and I want to analyze the Prefetch folder in autopsy, I am on Tsurugi how should I proceed?
Hello sir, I have a question. 4 days ago i was creating a new case with disk image file from a 500gb HDD, and it still anlyzing till today... what if when the analyzing progress is finished, then i close the autopsy and turn off my laptop and then open it again... does it need to re run the analyzing progress again or not? Please help me cuz my laptop is running for 4 days till now. Thanks :)
Sorry for bad english :D
Amazing video! Nevertheless, it would have been better to use the dd/ISO files that NIST put at disposal to see all the functionalities of the software
That's true. I used a smaller data set for fast processing, and realized my mistake when I wanted to show OS artifacts... I'll have to fix that! Thank you.
See part 2 - we process a Windows 10 disk image and go through data artifacts and analysis results: ua-cam.com/video/5SHB4HwkX28/v-deo.html
Thanks for overview, how well does Autopsy do with video?
You can do previews, and the media utility hash some additional functionality. For in-depth processing like video spliced in video there is not a default detector (might be an external plugin). What were you thinking?
Great tool for forensic .
Kya is app ko mobile 📲 phone me use kr skte he
How can I do the parts using linux? I'm using a windows vm on mac
hi is it possible to use autopsy to repair corrupted video file ?
where to get hash values and other data shown in video, only dd file is downloadable in the given link
Here are the hashes for SuspectData.dd
%%%% HASHDEEP-1.0
%%%% size,md5,sha256,filename
## $ hashdeep SuspectData.dd
##
31457280,efbf30672c4eb3713b7f639f16944fd3,6baed29520499d2d5c44c32a0f3a8a08cbe92c47b4e00101b1041d14f9a579e2,SuspectData.dd
Fantastic!
Thank you!
@@DFIRScience How do i create a disk image?
If you have a partition that is encrypted and have the key /password how do you ingest it or import it?
You will need to mount the encrypted partition first. If you are using Windows the easiest way is probably to use Arsenal Recon's Arsenal Image Mounter -> arsenalrecon.com/products/arsenal-image-mounter
Can you help me I cant see my content
Thanks ❤❤
Anyone else have issues installing it on Mac?
How do you view emails? I don’t see an option for it because I keep getting a “read error”
What are you clicking on before you get the read error? If you processed with the emails ingest module they should show in the main file view.
@@DFIRScience any of the emails. I don’t have the same options as you do in the video. I processed with the emails ingest but I don’t see a section for it in your video or in my Autopsy. The last one (4.18) had a section that said “Emails”
@@tammyrhodes3823 The image I used this time did not have a local email container PST/OST. That's why it didn't show up in my view. For example, if the user always uses email in their browser, they likely won't have a PST file locally. If they use an application like Microsoft Outlook, then they probably will. What application do you think the user was using on the system you are looking at?
sir please provide the sample data
Love the video! I'm 15 and I wanna getting to dfir any advices for learning. Should I go college etc?
Also where can I get practice for right now and what can I do to practice
Thank you so much! One of the easiest things you can do is create a Twitter account and follow people that talk about digital forensics. A lot of DFIR-related people are there and always posting some amazing information. Going to college really depends on what kinds of investigations you want to do. Some people go to college and some people don't. Either can be successful, and both require a lot of work. This field does take a lot of study, so being able to do experiments is a good skill. Email me if you have any specific questions: bit.ly/DFIRSciContact
In the description of this video I give a link to the test disk image. Download Autopsy and the test data and try for yourself! Let me know if you have any questions or need any help!
@@DFIRScience Thank you for responding
Hi can this be used to view video aswell
Yes, Autopsy has a media viewer that can preview videos.
yea
Let's go get some coffee
good stuff
Thanks a lot!
Thank you
You're welcome! I hope it's useful for you.
@@DFIRScience yes absolutely, just another data in my toolset. Even though I don't use it now, I still find a way to enjoy learning and reenforcing the concepts. I am currently a Windows Forensics student at SANS. So much to learn for the GCFA. Thank you for sharing.
How to quickly paste timestamp for documentation in linux?
@Chinz In notepad, you can just hit the F5 key and it will add the timestamp for you.
@@DFIRScience I tried in Linux but it didn't worked 🙁
@@chinz3614 Yeah, notepad in Windows, unfortunately. For Linux check out github.com/MattETurner/DFIRlogbook
@@DFIRScience okay thanks, I will have a look
depending on what editor you are using. if you are taking notes in a text document, from the shell you can do "date >> filename" to get a timestamp added to the end of the file. If you are using vi, you can do :r !date to add a date stamp into the file you are editing.
Love it, thank you for the content
Thank you so much!
@DFIRScience can my ex bf use this to spy on me. He sent me a text with an autopsy image and
I clicked on it.
can I do with android images?
Yes. Autopsy has modules to process Android data. You can add the data source as a file structure, not a disk image.
📌8:57
everytNice tutorialng. It was still interesting. Wish I had tNice tutorials video when I started out
Now we know that the evil cat abused the dog... The dog, curiously named jack, was the victim.
hahahah :D
meanwhile , autopsy run on linux :
cannot able forensic about encript ios buck up
wow
cool
pls send cat photos 😀