Starting a New Digital Forensic Investigation Case in Autopsy 4.19+
Вставка
- Опубліковано 4 лип 2024
- This is a mini-course on Autopsy. See chapter times below.
Autopsy is a free, open-source, full-features digital forensic investigation tool kit. It is developed by Basis Technology and a large open-source community. You can use Autopsy as the basis to conduct a full digital forensic investigation. You can also expand Autopsy with modules written in Java and Python.
Thank you to our Members and Patrons, but especially to our Investigators, TheRantingGeek and Roman! Thank you so much!
We take you through how to start a digital investigation case in Autopsy. From organizing your data, starting your forensic documentation, processing case data, forensic analysis workflow, and generating reports.
00:00 Starting a digital investigation with Autopsy
00:11 Setting up your forensic workstation
00:37 Organize case files
02:42 Start your documentation!
03:06 Organizing suspect image data
04:33 Starting a new case in Autopsy
04:42 Autopsy: Case Information
05:59 Autopsy: Optional Information
06:57 Autopsy: Select Host
07:39 Autopsy: Select Data Source Type
09:02 Autopsy: Select Data Source
10:27 Autopsy: Configure Ingest
10:46 Modules: Recent Activity
11:09 Modules: Hash Lookup
12:29 Modules: File Type Identification
14:10 Modules: Extension Mismatch Detector
16:03 Modules: Embedded File Extractor
16:24 Modules: Picture Analyzer
16:45 Modules: Keyword Search
19:34 Modules: Email Parser
19:42 Modules: Encryption Detection
19:58 Modules: Interesting Files Identifier
20:41 Modules: Central Repository
22:10 Modules: PhotoRec Carver
22:42 Modules: Virtual Machine Extractor
23:00 Modules: Data Source Integrity
23:17 Modules: ALEAPP
23:34 Modules: Plaso
23:51 Modules: YARA Analyzer
24:17 Modules: iLEAPP
24:33 Modules: Android Analyzer
24:38 Autopsy module selection strategy
25:13 Autopsy: Add Data Source
25:42 Autopsy: Processed Data View
25:58 Autopsy: Main file view
26:18 Autopsy: File detail view
27:58 Autopsy: Filters and views
28:55 Autopsy: Deleted files filter
29:59 Autopsy: Data Artifacts, etc
30:22 Example investigation workflow
30:43 Case-specific keyword search
31:21 Tagging relevant items
34:46 Generate findings report
37:33 Analysis procedure overview
37:55 Autopsy: Images/Videos tool
38:17 Conclusions
Learn how to do forensic keyword searching, entropy testing, YARA basics, file carving, and more with Autopsy digital forensic software.
🚀 Full Digital Forensic Courses → learn.dfir.science
Links:
* Autopsy Software: www.autopsy.com/
* HxD Hex Editor Software: mh-nexus.de/en/hxd/
* Practice Data: dfir.science/assets/data/Susp...
Related Books:
* Practical Linux Forensics: A Guide for Digital Investigators (amzn.to/3gzXCh9)
* Digital Forensics with Open Source Tools (amzn.to/34FBrUe)
#Autopsy #forensics #investigation #case #dfir
010001000100011001010011011000110110100101100101011011100110001101100101
Get more Digital Forensic Science
👍 Subscribe → bit.ly/2Ij9Ojc
❤️ YT Member → bit.ly/DFIRSciMember
❤️ Patreon → / dfirscience
🕸️ Blog → DFIR.Science
🤖 Code → github.com/DFIRScience
🐦 Follow → / dfirscience
📰 DFIR Newsletter → bit.ly/DFIRNews
010100110111010101100010011100110110001101110010011010010110001001100101
Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Please link back to the original video. If you want to use this video for commercial purposes, please contact us first. We would love to see what you are doing. - Наука та технологія
Exactly what I was looking for to complete an assignment. Thank you!
Seriously the best introductory/basic-workflow Autopsy video I've watched. I absolutely love that you give additional detail about the modules, and that you explained your workflow.
I just got my sec+ cert CompTIA and decided forensics is what I love and need to do so I agree! When I watched this video it made me entrench myself in my decision to pursue forensics in the cyber security community. Thank you
agreed!
I thoroughly enjoyed it! Thanks for the great tutorial.
thank you master for the basic introduction of using autospy in digital forensic. i have watch the video is very interesting. my gratitude and wish you all the best
Very interesting material for someone starting in the IR team. Great video!
FTK and Autopsy are the one's I always use. Great vid.
This is amazing video with great works very well
after trying around 5-11 videos this is the only one that i found working
I hope it was helpful. Let me know if you have any questions.
Thank you for this well made tutorial!
I hope it was helpful!
Awesome tutorial, thanks a lot
One word, amazing
Glad that I found your channel 👍🏽👍🏽
Glad you're here! Let me know if you have any questions. :D
Thank You. This was helpful
TNice tutorials was very helpful thankyou.
Great explanation, thanks
Thanks for the tutorial! I'm a criminal law student so Digital Forensic Investigation is really interesting. I've always wondered how gathering digital evidence works. I learned a lot from your tutorial!
Nice video, well done, thanks for sharing it with us :)
Very thorough explanation! Your videos have been pointed to by one of my college professors.
Love the cat pictures as a stand-in for criminal evidence. Very cute.
Excellent content as always!
Thank you so much!
Great tool for forensic .
Want to thank you for the time you put into your content. You are pretty much the only forensics UA-cam channel that consistently produces great content. Well done my friend, and thank you.
Thank you so much for the kind words. I appreciate it. Let me know if you have any questions or topics you'd like to see.
Found a new DFIR channel gem
This is good. Thanks for this.
I hope it was helpful!
Thanks ❤❤
Fantastic!
Thank you!
@@DFIRScience How do i create a disk image?
awesome tutorial for learning the Autopsy tool! Can you also share some good sources for getting forensic images for data recovery challenges?
Thank you so much for this, you are very thorough and provide a high level overview in this video of the various ingest modules which is very helpful. I do have one question though and perhaps this comes later in the video or another video on your channel. When is the best time to configure the settings of Autopsy outside of a case? I would assume it would be prior to starting the first case on my machine. My question really applies to configuring things like the temporary directory of autopsy, changing the central repository, etc etc.
Great question. Some settings you will know what makes sense for your computer/lab setup. Some settings are more case-dependent, or you will learn to tweak to your specific needs over time.
Open up a test case in Autopsy and configure the Autopsy global settings how you want. This is when I add NSRL hashes, configure remote repositories, etc. Then close/delete the test case and Autopsy will remember your global settings when you open your real case.
Don't be afraid to go back and change settings to try to get better performance. Sometimes they also add new features that need configured.
Thank you
You're welcome! I hope it's useful for you.
@@DFIRScience yes absolutely, just another data in my toolset. Even though I don't use it now, I still find a way to enjoy learning and reenforcing the concepts. I am currently a Windows Forensics student at SANS. So much to learn for the GCFA. Thank you for sharing.
good stuff
Thanks a lot!
Thank you so much for this! Do you happen to have a video or guide on how to upload an iPhone or Apple device into FTK imager to create a readable format for autopsy?
Thank you for the best video. I have one doubt, though. During the case creation, we can add M5. However, we cannot add SHA512. there is only the option of adding SHA256.
The link in your description for sample data doesn't contain the hash file that is in the video. it only has an image .dd file. How do I proceed ?
Love it, thank you for the content
Thank you so much!
@DFIRScience can my ex bf use this to spy on me. He sent me a text with an autopsy image and
I clicked on it.
This is great stuff thanks. One question. At time code 33:24 when talking about substrings I noted 2 files of the same name however one has -slack on the end. Does this mean the file appears twice once in slack space?
I have an image file on an external HD I run autopsy and it parses through and says finished but it will never load the image in.
Great video!
What other steps can be taken to be able to view content of a carved deleted file which was unallocated and not viewable using the application feature in Autopsy?
Is it possible to rebuild those kinda files to view the contents? Thanks.
If some file data was successfully carved, but is not showing in the "Application" tab, then the data may not be complete or is otherwise corrupted. You can try exporting the file (right click on the file and click "Extract File(s)") and try to open it with a viewer on your computer. If that still doesn't work, then you can view the structure of the data in the hex viewer "Hex" tab.
It really depends on what, where and how much data is missing or corrupt as to whether you can reconstruct the file.
You might also try using PhotoRec directly to recover data of the file type you are interested in. You might get lucky. www.cgsecurity.org/wiki/PhotoRec
Amazing video! Nevertheless, it would have been better to use the dd/ISO files that NIST put at disposal to see all the functionalities of the software
That's true. I used a smaller data set for fast processing, and realized my mistake when I wanted to show OS artifacts... I'll have to fix that! Thank you.
See part 2 - we process a Windows 10 disk image and go through data artifacts and analysis results: ua-cam.com/video/5SHB4HwkX28/v-deo.html
cool
how do i create a disk image, i want to practise on my own machine and recover things ive deleted from it but cant find anything on how to create a disk image that i can use for autopsy
hi is it possible to use autopsy to repair corrupted video file ?
Thanks for overview, how well does Autopsy do with video?
You can do previews, and the media utility hash some additional functionality. For in-depth processing like video spliced in video there is not a default detector (might be an external plugin). What were you thinking?
Kya is app ko mobile 📲 phone me use kr skte he
I want to learn how to track devices like phones and PC. Pls I need advice on how and where to start from. Thank you to anyone helping me out on this
wow
I installed libscca-tools and I want to analyze the Prefetch folder in autopsy, I am on Tsurugi how should I proceed?
where to get hash values and other data shown in video, only dd file is downloadable in the given link
Here are the hashes for SuspectData.dd
%%%% HASHDEEP-1.0
%%%% size,md5,sha256,filename
## $ hashdeep SuspectData.dd
##
31457280,efbf30672c4eb3713b7f639f16944fd3,6baed29520499d2d5c44c32a0f3a8a08cbe92c47b4e00101b1041d14f9a579e2,SuspectData.dd
Hello sir, I have a question. 4 days ago i was creating a new case with disk image file from a 500gb HDD, and it still anlyzing till today... what if when the analyzing progress is finished, then i close the autopsy and turn off my laptop and then open it again... does it need to re run the analyzing progress again or not? Please help me cuz my laptop is running for 4 days till now. Thanks :)
Sorry for bad english :D
yea
Let's go get some coffee
Anyone else have issues installing it on Mac?
If you have a partition that is encrypted and have the key /password how do you ingest it or import it?
You will need to mount the encrypted partition first. If you are using Windows the easiest way is probably to use Arsenal Recon's Arsenal Image Mounter -> arsenalrecon.com/products/arsenal-image-mounter
How can I do the parts using linux? I'm using a windows vm on mac
Hi I am new to all of this. I downloaded the practice data and I think I don't have the right format as it does not look the same as what you are showing. I have a windows 11 machine. What should I open the file with? Thanks.
The practice data is in a "zip" file to make it a bit smaller. In windows you should be able to right click on the zip file and select "extract here" (or something similar). This will create a new file that is the original disk image. You should be able to load that into autopsy. Let me know if you have any trouble.
sir please provide the sample data
Hi can this be used to view video aswell
Yes, Autopsy has a media viewer that can preview videos.
How do you view emails? I don’t see an option for it because I keep getting a “read error”
What are you clicking on before you get the read error? If you processed with the emails ingest module they should show in the main file view.
@@DFIRScience any of the emails. I don’t have the same options as you do in the video. I processed with the emails ingest but I don’t see a section for it in your video or in my Autopsy. The last one (4.18) had a section that said “Emails”
@@tammyrhodes3823 The image I used this time did not have a local email container PST/OST. That's why it didn't show up in my view. For example, if the user always uses email in their browser, they likely won't have a PST file locally. If they use an application like Microsoft Outlook, then they probably will. What application do you think the user was using on the system you are looking at?
Love the video! I'm 15 and I wanna getting to dfir any advices for learning. Should I go college etc?
Also where can I get practice for right now and what can I do to practice
Thank you so much! One of the easiest things you can do is create a Twitter account and follow people that talk about digital forensics. A lot of DFIR-related people are there and always posting some amazing information. Going to college really depends on what kinds of investigations you want to do. Some people go to college and some people don't. Either can be successful, and both require a lot of work. This field does take a lot of study, so being able to do experiments is a good skill. Email me if you have any specific questions: bit.ly/DFIRSciContact
In the description of this video I give a link to the test disk image. Download Autopsy and the test data and try for yourself! Let me know if you have any questions or need any help!
@@DFIRScience Thank you for responding
can I do with android images?
Yes. Autopsy has modules to process Android data. You can add the data source as a file structure, not a disk image.
everytNice tutorialng. It was still interesting. Wish I had tNice tutorials video when I started out
How to quickly paste timestamp for documentation in linux?
@Chinz In notepad, you can just hit the F5 key and it will add the timestamp for you.
@@DFIRScience I tried in Linux but it didn't worked 🙁
@@chinz3614 Yeah, notepad in Windows, unfortunately. For Linux check out github.com/MattETurner/DFIRlogbook
@@DFIRScience okay thanks, I will have a look
depending on what editor you are using. if you are taking notes in a text document, from the shell you can do "date >> filename" to get a timestamp added to the end of the file. If you are using vi, you can do :r !date to add a date stamp into the file you are editing.
Now we know that the evil cat abused the dog... The dog, curiously named jack, was the victim.
hahahah :D
pls send cat photos 😀
cannot able forensic about encript ios buck up