Autopsy
Notes from on-line training
Intro
Autopsy is a digital forensic platform. It analyzes hard drives, smartphones, media cards, etc. It is designed for ease of use, fast results and extensibility (many plugins).
Basic Investigation Workflow
A basic overview of the workflow: how to create a case, analyze it, ...
Brief workflow description
Add a case description and choose where its files are stored, select the data for analysis, configure the ingest modules (for analysis), review the results, tag results and generate a report.
Workflow
Create a case
Add a data source
Configure keywords that are relevant to the case
Run ingest with all relevant modules
Start to review data as it comes in
Update keywords as you find more relevant terms
Tag files that are interesting
Generate report
Central Repository
Allows easy access to important data from past cases, e.g. MD5 hashes, comments, WiFi SSIDs. It helps with "other occurrences": it shows whether a file was already seen in a past case.
Installation
Easier on Windows than on Linux/macOS; follow this page. There are some notes on how to install Autopsy on Linux/macOS.
Cases
The basic idea is to organize data into a case and add data sources to it. Usually data is organized by case, or by host.
Click on New Case; it is a wizard process.
Data sources
Autopsy supports these kinds of data:
Disk Images
Local Drives
Local Files (Logical files/Folders)
Output from Autopsy Logical Imager
Unallocated Space Files (no structure)
File metadata (name, path, times, size, hashes) is stored in the DB (Central Repository).
Supported image formats:
raw
E01
raw images of phones (Android)
Virtual machine images
Supported partitions:
DOS
GPT
mac
BSD
Solaris
Supported file system formats:
NTFS
FAT, ExFAT
HFS+
ISO9660
Ext2/3/4
YAFFS2
UFS
There is also support for orphan files (deleted files without a parent folder); this feature can be disabled (it is time consuming) when the disk is added as a data source.
Autopsy supports carving: recovering deleted files without relying on file system structures.
Keep in mind that analysis of a device connected via USB is possible only with a write-blocker!
UI
Tree
data sources - organized by drive layout and directories
views - organized by MIME type (more accurate), extension (immediately available), size (looking for large files)
results - results from the ingest modules, usually under Extracted Content
tags - assigned to files/reports
reports - generated by user or module
The tree can also be grouped by data source, which is sometimes useful.
Table
Shows the content of the node selected in the tree. By default it is a table view. Search is available.
Icon columns show Score (red circle with exclamation mark = notable: hash hit or notable tag; yellow circle = suspicious: marked by a module as interesting), Comments and Occurrences (seen in past cases).
Viewer Area
Usually displays the content in a basic Hex viewer (if the file has content). Another option is Text (the strings of the file). Application is specific to the file type: pictures, video, SQLite, HTML, Registry, ... Message displays e-mail and text messages. File Metadata shows all metadata related to the selected file (MIME type, hashes, timestamps, path, size, ...). Results shows all results related to the selected file. Other Occurrences shows where the file was seen in other data sources of the same case or in past cases.
Search for Metadata
Usually we have some IoCs such as hashes or suspicious names; search for them via Tools > File Search by Attributes.
Timeline
Events are sorted by time; useful for tracking what happened before/after something.
Analyzing data sources
Ingest modules are responsible for analyzing the data on the drive: hashing, key word searching, registry analysis, extension mismatch, web activity,...
There are two types: file ingest modules (each file is analyzed in a pipeline) and data source ingest modules (these look for specific files on the data source and analyze them).
The Ingest Manager schedules files for analysis based on priority (user folders, Program Files and other root folders, the Windows folder and unallocated space, in that order).
Blackboard Artifacts
Ingest modules save their results as blackboard artifacts. Each artifact has a type and one or more attributes. For example: Web Bookmark, Hash Hit, Encryption Detected, ...
Modules
Hash Lookup Module
This module is responsible for calculating MD5 hashes, storing them in the case DB, looking them up in hash sets and marking files as Known (could be good or bad) or Known Bad/Notable.
Lookup does not stop at the first hit. It supports NIST NSRL (flagged as known) as well as the EnCase, SleuthKit (SQLite), md5sum and HashKeeper formats.
Every file has a status: Notable/Known Bad, Known or Unknown (default). We can ignore files with Known status (may or may not be useful, it depends).
View File in Directory (right click) can help us find other suspicious files.
Hash sets should be sorted; if not, searching them will be very slow.
It is possible to add a hash to a hash set (useful when creating IoCs from a big case). We can also use the Report module/Central Repository.
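The lookup logic described above, as an added Python example (not Autopsy's own code): an md5sum-style hash set is parsed into a sorted list so that each lookup is a binary search (the reason unsorted sets are slow), every set is checked rather than stopping at the first hit, Notable wins over Known, and Known files can be dropped from the review list. The file contents, set names and hash set text are constructed for the example.

```python
import bisect
import hashlib


def md5_hex(data: bytes) -> str:
    """MD5 of a file's content, as the Hash Lookup module stores it in the case DB."""
    return hashlib.md5(data).hexdigest()


def parse_md5sum_set(text: str) -> list:
    """Parse an md5sum-style hash set ('<md5>  <path>' per line) into a SORTED,
    de-duplicated list of lowercase hashes so lookups can use binary search."""
    hashes = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hashes.add(line.split()[0].lower())
    return sorted(hashes)


def in_sorted_set(hashes: list, md5: str) -> bool:
    """Binary search over the sorted set; this is why unsorted sets are so slow."""
    i = bisect.bisect_left(hashes, md5)
    return i < len(hashes) and hashes[i] == md5


def classify(md5: str, hash_sets: list) -> tuple:
    """hash_sets: list of (set_name, kind, sorted_hashes) where kind is
    'known' or 'notable'. Every set is checked (lookup does not stop at the
    first hit). Returns (status, [names of sets that hit])."""
    status, hits = "Unknown", []
    for set_name, kind, hashes in hash_sets:
        if in_sorted_set(hashes, md5):
            hits.append(set_name)
            if kind == "notable":
                status = "Notable"          # notable always wins over known
            elif status == "Unknown":
                status = "Known"
    return status, hits


def analyse(files: dict, hash_sets: list, ignore_known: bool = False) -> dict:
    """Hash every file and classify it; optionally drop Known files from the
    result, like the 'ignore known files' option."""
    results = {}
    for name, content in files.items():
        status, hits = classify(md5_hex(content), hash_sets)
        if ignore_known and status == "Known":
            continue
        results[name] = (status, hits)
    return results


# --- constructed sample data (not real NSRL or case hashes) -----------------
SAMPLE_FILES = {
    "notepad.exe": b"constructed known-good binary",
    "tool.bin": b"constructed known binary that a later case tagged notable",
    "dropper.exe": b"constructed notable sample",
    "report.docx": b"never seen before",
}

KNOWN_SET_TEXT = "\n".join([
    "# constructed stand-in for an NSRL-style known set",
    f"{md5_hex(SAMPLE_FILES['notepad.exe'])}  notepad.exe",
    f"{md5_hex(SAMPLE_FILES['tool.bin'])}  tool.bin",
])
NOTABLE_SET_TEXT = "\n".join([
    "# constructed IoC set exported from an earlier case",
    f"{md5_hex(SAMPLE_FILES['dropper.exe'])}  dropper.exe",
    f"{md5_hex(SAMPLE_FILES['tool.bin'])}  tool.bin",
])

HASH_SETS = [
    ("known-sample", "known", parse_md5sum_set(KNOWN_SET_TEXT)),
    ("case-iocs", "notable", parse_md5sum_set(NOTABLE_SET_TEXT)),
]

if __name__ == "__main__":
    for name, (status, hits) in analyse(SAMPLE_FILES, HASH_SETS).items():
        print(f"{name:12} {status:8} hits={hits}")
```

tool.bin is in both sets, so it ends up Notable with two hits; that is the case the "does not stop at first hit" rule exists for, since a file that is on a vendor's known list can still be the one an earlier investigation tagged.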
File Type ID
Determines the file type from signatures (magic numbers). More accurate identification of a file than its extension. Many modules depend on this one.
Reports file types as MIME types.
application/octet-stream means the file type is unknown.
Results can be found in the File Metadata tab.
Extension Mismatch
Compares the file extension with the detected file type and fires an alert on a mismatch (someone may be trying to hide something). It can produce a lot of false positives (.tmp or .bak), so by default only multimedia and executables are checked.
Results can be found in the tree.
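File Type ID and Extension Mismatch together, as an added Python example (not Autopsy's own signature database or module code): a small constructed signature table maps leading bytes to a MIME type, unknown content becomes application/octet-stream, and the mismatch check is skipped for types outside the default "multimedia and executables" policy unless the caller asks to check everything. The signature table, expected-extension table and sample file bytes are all constructed for the example.

```python
import os

# Constructed signature table (magic bytes at offset 0 -> MIME type).
# A real signature database is far larger and also checks offsets > 0.
SIGNATURES = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
    (b"MZ", "application/x-msdownload"),
    (b"\x7fELF", "application/x-executable"),
]

# Extensions that legitimately carry each MIME type (constructed table).
EXPECTED_EXTENSIONS = {
    "image/jpeg": {".jpg", ".jpeg"},
    "image/png": {".png"},
    "image/gif": {".gif"},
    "application/pdf": {".pdf"},
    "application/zip": {".zip", ".jar", ".apk", ".docx", ".xlsx", ".pptx"},
    "application/x-msdownload": {".exe", ".dll", ".sys", ".scr"},
    "application/x-executable": {"", ".so", ".elf"},
}

# The default policy: only multimedia and executables are checked, to avoid
# false positives on things like .tmp or .bak files.
CHECKED_BY_DEFAULT = {
    "image/jpeg", "image/png", "image/gif",
    "application/x-msdownload", "application/x-executable",
}

UNKNOWN = "application/octet-stream"


def identify_mime(data: bytes) -> str:
    """File Type ID: match the leading bytes against the signature table."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    return UNKNOWN


def extension_mismatch(name: str, data: bytes, check_all: bool = False) -> tuple:
    """Returns (detected_mime, mismatch_flag). Unknown types cannot mismatch;
    types outside the default policy are skipped unless check_all is set."""
    mime = identify_mime(data)
    ext = os.path.splitext(name)[1].lower()
    if mime == UNKNOWN:
        return mime, False
    if not check_all and mime not in CHECKED_BY_DEFAULT:
        return mime, False
    return mime, ext not in EXPECTED_EXTENSIONS[mime]


def scan(files: dict, check_all: bool = False) -> list:
    """Names of files whose extension disagrees with their detected type."""
    return [n for n, d in files.items() if extension_mismatch(n, d, check_all)[1]]


# Constructed sample "files": just enough leading bytes to trigger a signature.
SAMPLE_FILES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "readme.txt": b"MZ\x90\x00\x03\x00\x00\x00",       # executable named as text
    "photo.png": b"GIF89a\x01\x00\x01\x00",              # GIF renamed to .png
    "backup.bak": b"%PDF-1.7\n",                         # not checked by default
    "blob.dat": b"\x00\x01\x02\x03",                     # unknown type
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(name, extension_mismatch(name, data))
    print("default policy:", scan(SAMPLE_FILES))
    print("check everything:", scan(SAMPLE_FILES, check_all=True))
```

With the default policy only readme.txt and photo.png are flagged; backup.bak (a PDF with a .bak extension) only shows up with check_all, which is the trade-off the module makes between coverage and false positives.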
EXIF
Extracts the EXIF structure (picture metadata) from JPEGs. Useful when we need information about the camera, when the picture was taken, GPS coordinates, ...
Results can be found in the tree.
Embedded File Extractor
Extracts embedded files from container files like ZIP, RAR, office documents or PDF. This lets us analyze all files on the system, not just the containers.
If a file is password protected it will be flagged. We can submit the password (right click).
Found files are accessible via the tree; extracted files are children of their parent (ZIP, RAR, ...).
E-mail module
Searches for MBOX, PST or EML files and adds e-mail artifacts to the blackboard. Attachments are added as children of the messages.
Results could be found in Communications viewer or in the tree.
Interesting files
Flags files that the analyst should be aware of (an investigation checklist), for example backup files, VM images, bitcoin wallets, ...
Out of the box there are no rules. We have to specify our own (what Autopsy should look for).
Encryption detection
Flags files and volumes that could be encrypted, based on their entropy. Also detects documents/databases that are encrypted.
Results could be found in the tree.
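The entropy idea behind this module, as an added Python example (not the module's own code): Shannon entropy in bits per byte is computed over each file, and files above a threshold and minimum size are flagged. The threshold of 7.5 and the minimum size of 4096 bytes are assumptions for this example, not the module's settings; the sample files, including the deterministic stand-in for ciphertext, are constructed.

```python
import hashlib
import math
from collections import Counter

# Assumed thresholds for this example, not the module's configuration.
ENTROPY_THRESHOLD = 7.5   # bits per byte; 8.0 is the theoretical maximum
MIN_SIZE = 4096           # very small inputs give unreliable entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte. English text sits around 4-5 bits,
    encrypted or compressed data very close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_likely_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD,
                        min_size: int = MIN_SIZE) -> bool:
    """Entropy check with a size floor, so a 64-byte blob is not flagged."""
    return len(data) >= min_size and shannon_entropy(data) >= threshold


def flag_encrypted(files: dict) -> list:
    """(name, entropy rounded to 3 places) for every file that passes the check."""
    return [(name, round(shannon_entropy(data), 3))
            for name, data in files.items() if is_likely_encrypted(data)]


def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic stand-in for ciphertext: a SHA-256 chain in counter mode.
    Constructed so the example runs offline and gives the same result each time."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed sample files
SAMPLE_FILES = {
    "letter.txt": b"The quick brown fox jumps over the lazy dog. " * 200,
    "zeros.bin": bytes(8192),
    "secrets.enc": pseudo_random_bytes(8192),
    "tiny.enc": pseudo_random_bytes(64),      # below MIN_SIZE: never flagged
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name:12} {len(data):6d} bytes  entropy={shannon_entropy(data):.3f}")
    print("flagged:", flag_encrypted(SAMPLE_FILES))
```

Only secrets.enc is flagged. Compressed data (ZIP, JPEG, modern office documents) also scores close to 8 bits per byte, so an entropy hit on its own is a lead to confirm against the File Type ID result, not proof of encryption.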
Plaso
It parses logs and files to extract timestamps. It may duplicate some timestamps that Autopsy already extracts. It is disabled by default (time consuming).
If you want to use it, note that a few of its parsers are also disabled by default (registry timestamps, PE headers).
VM Extractor
Analyzes VMs found on the machine, since they could also contain evidence. Detects vmdk/vhdi files and adds them as new data sources.
Data Source Integrity
Calculates the hash of the disk image and validates it against the stored hash (from the E01 or what the user entered when the data source was added) to ensure the integrity of the evidence. An alert is fired when the hashes differ.
Recent Activity
What the user did: web activity (bookmarks, visited websites, downloads, ...), registry analysis (installed apps, inserted USB devices, ...).
Web artifacts
All main browsers are supported (history, cookies, bookmarks). Best support is for Chrome, the worst is for IE/Edge.
Results from different browsers are merged (e.g. all Web Bookmarks together); the program name helps to differentiate them.
Results could be found in the tree/report section.
Registry analysis
Uses RegRipper to analyze the hives (SYSTEM, SOFTWARE, SECURITY and SAM).
Results could be found in the tree/report section.
Recycle Bin
Autopsy parses the associated manifest that lists where each deleted file came from.
Keyword Search
The main purpose of this module is to build and search a text index to enable text-based searching. It extracts text from each file (HTML, DOC, PDF, ...). There is one index per case.
We can search for exact matches, substrings or regular expressions. Exact match is the default.
Periodic searching during ingest!
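The three search modes and periodic searching during ingest, as an added Python example (not Autopsy's own index, which is built on a real search engine): a tiny per-case index keeps token postings for exact and substring search and the extracted text for regular expressions, and files are indexed in batches with the keyword list re-run after each batch so hits appear before ingest is finished. The "extracted text", file names and keyword list are constructed for the example.

```python
import re
from collections import defaultdict


class KeywordIndex:
    """One index per case. Exact and substring searches run over the token
    postings; regular expressions run over the stored text of each file."""

    def __init__(self):
        self.postings = defaultdict(set)   # token -> {file names}
        self.texts = {}                    # file name -> extracted text

    def add_file(self, name: str, text: str) -> None:
        self.texts[name] = text
        for token in re.findall(r"\w+", text.lower()):
            self.postings[token].add(name)

    def exact(self, term: str) -> set:
        """Whole-token match only: 'john' does not hit 'johnny'."""
        return set(self.postings.get(term.lower(), ()))

    def substring(self, term: str) -> set:
        """Term anywhere inside a token: 'john' does hit 'johnny'."""
        term = term.lower()
        return {f for tok, files in self.postings.items() if term in tok for f in files}

    def regex(self, pattern: str) -> set:
        """Pattern searched in the raw text, so it can span punctuation."""
        rx = re.compile(pattern, re.IGNORECASE)
        return {f for f, text in self.texts.items() if rx.search(text)}

    def search(self, term: str, mode: str = "exact") -> set:
        modes = {"exact": self.exact, "substring": self.substring, "regex": self.regex}
        return modes[mode](term)


def run_keyword_list(index: KeywordIndex, keywords: list) -> dict:
    """keywords: list of (term, mode). Returns {(term, mode): sorted file names}."""
    return {(term, mode): sorted(index.search(term, mode)) for term, mode in keywords}


def ingest_in_batches(batches: list, keywords: list) -> list:
    """Index files batch by batch and re-run the keyword list after each one,
    the way periodic searching during ingest surfaces hits before ingest ends.
    Returns one result dict per batch."""
    index = KeywordIndex()
    rounds = []
    for batch in batches:
        for name, text in batch.items():
            index.add_file(name, text)
        rounds.append(run_keyword_list(index, keywords))
    return rounds


# Constructed "extracted text" standing in for HTML/DOC/PDF content
BATCHES = [
    {"mail_001.eml": "Meeting with john.doe@example.com about invoice 4471.",
     "readme.html": "Nothing relevant here."},
    {"notes.txt": "Call Johnny about the invoices before Friday, 555-0142."},
]

KEYWORDS = [
    ("john", "exact"),                      # whole token only
    ("john", "substring"),                  # also matches 'johnny'
    (r"[\w.]+@[\w.]+\.\w+", "regex"),       # e-mail addresses
    (r"\b\d{3}-\d{4}\b", "regex"),          # constructed phone-number pattern
]

if __name__ == "__main__":
    for n, results in enumerate(ingest_in_batches(BATCHES, KEYWORDS), 1):
        print(f"after batch {n}:")
        for (term, mode), files in results.items():
            print(f"  {mode:9} {term!r}: {files}")
```

After the first batch only mail_001.eml matches; after the second, the substring search picks up "Johnny" in notes.txt while the exact search still does not, and the phone-number pattern gets its first hit. That difference is the reason to choose the mode per keyword rather than defaulting everything to substring.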
Correlation Engine
Queries the Central Repository to find whether items in the current case were seen before, and inserts the current case's data there for future cases.
Types of data:
MD5
Domain
E-Mail Address
Phone Numbers
USB Devices
WiFi SSIDs
Every value is stored together with its case, data source, file path, ...; it is a complex schema.
Files are flagged only if they were previously tagged as notable; USB devices are always flagged if they were previously seen.
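The repository lookup and the two flagging rules above, as an added Python example (not Autopsy's Central Repository schema or code): an in-memory SQLite table holds one row per (type, value) with the case, data source, file path and notable flag; a new case's values are looked up in other cases to produce "other occurrences", and a file hash is flagged only when a past occurrence was notable, while a USB device is flagged whenever it was seen before. The table layout, case names, hashes and device ID are constructed for the example.

```python
import sqlite3

# Constructed schema; the real repository is more complex than this.
SCHEMA = """
CREATE TABLE IF NOT EXISTS correlation (
    type        TEXT    NOT NULL,   -- md5, domain, email, phone, usb_device, wifi_ssid
    value       TEXT    NOT NULL,
    case_name   TEXT    NOT NULL,
    data_source TEXT    NOT NULL,
    file_path   TEXT    NOT NULL,
    notable     INTEGER NOT NULL DEFAULT 0
);
CREATE INDEX IF NOT EXISTS idx_type_value ON correlation (type, value);
"""


def open_repository(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def add_case(conn: sqlite3.Connection, case_name: str, items: list) -> None:
    """Insert the current case's values so future cases can correlate on them."""
    conn.executemany(
        "INSERT INTO correlation VALUES (?, ?, ?, ?, ?, ?)",
        [(i["type"], i["value"].lower(), case_name, i["data_source"],
          i["file_path"], int(i.get("notable", False))) for i in items])
    conn.commit()


def other_occurrences(conn: sqlite3.Connection, case_name: str,
                      type_: str, value: str) -> list:
    """Rows for the same value in OTHER cases: what the Other Occurrences tab shows."""
    return conn.execute(
        "SELECT case_name, data_source, file_path, notable FROM correlation "
        "WHERE type = ? AND value = ? AND case_name <> ?",
        (type_, value.lower(), case_name)).fetchall()


def correlate(conn: sqlite3.Connection, case_name: str, items: list) -> list:
    """Apply the flagging rules: a file (md5) is flagged only if a past
    occurrence was tagged notable; a USB device is flagged whenever it was
    seen before; other types are reported as occurrences but not flagged."""
    flagged = []
    for item in items:
        previous = other_occurrences(conn, case_name, item["type"], item["value"])
        if not previous:
            continue
        cases = sorted({row[0] for row in previous})
        if item["type"] == "usb_device":
            flagged.append((item["value"], "seen in " + ", ".join(cases)))
        elif item["type"] == "md5" and any(row[3] for row in previous):
            notable_cases = sorted({row[0] for row in previous if row[3]})
            flagged.append((item["value"], "notable in " + ", ".join(notable_cases)))
    return flagged


# --- constructed sample data ----------------------------------------------
DROPPER_MD5 = "1" * 32          # placeholder, not a real hash
NOTEPAD_MD5 = "2" * 32          # placeholder, not a real hash
NEW_FILE_MD5 = "3" * 32         # placeholder, not a real hash
USB_ID = "VID_0000&PID_0000_SN-CONSTRUCTED"

OLD_CASE = [
    {"type": "md5", "value": DROPPER_MD5, "data_source": "laptop.E01",
     "file_path": "/Users/a/dropper.exe", "notable": True},
    {"type": "md5", "value": NOTEPAD_MD5, "data_source": "laptop.E01",
     "file_path": "/Windows/notepad.exe"},
    {"type": "usb_device", "value": USB_ID, "data_source": "laptop.E01",
     "file_path": "/Windows/System32/config/SYSTEM"},
    {"type": "domain", "value": "example.com", "data_source": "laptop.E01",
     "file_path": "/Users/a/AppData/History"},
]
NEW_CASE = [
    {"type": "md5", "value": DROPPER_MD5, "data_source": "desktop.E01",
     "file_path": "/Temp/update.exe"},
    {"type": "md5", "value": NOTEPAD_MD5, "data_source": "desktop.E01",
     "file_path": "/Windows/notepad.exe"},
    {"type": "usb_device", "value": USB_ID, "data_source": "desktop.E01",
     "file_path": "/Windows/System32/config/SYSTEM"},
    {"type": "domain", "value": "EXAMPLE.COM", "data_source": "desktop.E01",
     "file_path": "/Users/b/AppData/History"},
    {"type": "md5", "value": NEW_FILE_MD5, "data_source": "desktop.E01",
     "file_path": "/Users/b/report.docx"},
]

if __name__ == "__main__":
    repo = open_repository()
    add_case(repo, "case-A", OLD_CASE)
    print("flagged:", correlate(repo, "case-B", NEW_CASE))
    print("domain seen in:", other_occurrences(repo, "case-B", "domain", "example.com"))
    add_case(repo, "case-B", NEW_CASE)   # store this case for the next one
```

Only the dropper hash (notable last time) and the USB device are flagged; notepad.exe was seen before but never tagged notable, so it is reported as an occurrence without a flag, and the domain is an occurrence only.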
Android analyzer
Locates SQLite DBs and files from Android and 3rd-party apps, parses the databases and adds the results to the blackboard.
We have to acquire the data first with another tool, then simply add it as a data source.
Data that can be extracted:
Call logs
Contacts
Messages
Browser-related data
File Transfer Apps
Geolocation Data
Timeline
Graphical overview of system activity: what happened, and when. It is sorted, so it is easy to follow what triggered what and when. There are useful views: Details, which shows specific events clustered by name, and List, which shows all events in a table.
It relies on other modules that extract timestamps: web activity, EXIF, Plaso, Android,...
Image Gallery
Allows easier review of sets of images and videos. Images are grouped by folder (after analysis: hash, EXIF, ...).
A purple dashed border means the image has a hash hit; other colors are for categorization.
Communications
Powerful interface for viewing communication data, oriented on accounts. It shows messages and data for the selected account. Since the module is account oriented, first select an account and then see all activity associated with it.
An account is an address that people use to refer to someone/something, like e-mail; it is identified by the e-mail address (example@example.com). A relationship is communication between two accounts. A device account is a special account created for each data source to represent the physical device (e.g. the call log on a mobile) when no better ID is available.
Displays data from the Android and E-mail modules.
Tagging, commenting and reporting
Tagging
Allows you to make a reference to a file or object and easily find it later (bookmarking). Useful if we want to highlight a bad file or other interesting files.
It is possible to tag a result (when we view it); the options are to tag the result or the file. The final report will focus on either the result or the file, depending on your choice and on what is important for the analyst.
It is also possible to tag a specific region of an image.
Comments
Comments are shown in reports and can be saved in the Central Repository for future reference.
Reporting
It is an extensible framework. It comes with HTML and Excel results (documenting analysis module results and associated tags), text file (documenting files and metadata relevant to the case), KML (EXIF artifacts or other geo-related information), Hash Sets, ...
By hitting Generate Report you can create the report at the end of the investigation.
A portable case is a subset of the original case, for review, helping others, ...; it is a new case containing only the relevant data.
Installing 3rd Party Modules
Autopsy is a platform for plug-in modules (Java or Python). There are several extension points, such as ingest modules, content viewers and report modules. Python can be used only for ingest and report modules.
There is a GitHub repo with 3rd-party modules. There should be backward compatibility.