If you are working as an incident responder, security analyst, or forensic investigator, then most of the time, you will be busy investigating a cyber incident or cybercrime. You may be involved in a lot of nitty-gritty stuff that is broadly called digital forensics. Well, digital forensics is a very broad term that encompasses file analysis, memory forensics, reverse engineering, dump analysis, disc analysis, and so forth. It is not possible to cover all of them in a single post. We have decided to dedicate this post to disc forensics since Digital forensics and incident response (DFIR) investigations rely heavily on disk forensics to uncover valuable evidence.
Disk forensics is the process of extracting forensic information from storage mediums like hard drives, USB devices, and firmware. It plays a crucial role in digital forensics and incident response (DFIR) investigations by uncovering valuable artifacts left behind by attackers or criminal activity. There are several premium and open-source tools available to perform disc forensics. However, we are covering one such most powerful open-source tool in this post called, Autopsy from Basis Technology, which is trusted by enterprises and law enforcement worldwide.
In this comprehensive guide, we will look into digital forensic analysis, what is Autopsy, what are its features of it, and finally, learn how to forensically analyze a disk using Autopsy. Let’s begin this post with an introduction to disc forensics.
Digital forensics is the process of collecting, analyzing, and preserving digital evidence to investigate and solve crimes or security incidents. It involves the examination of electronic devices, networks, and digital media to uncover relevant information and establish a clear understanding of digital events. The goal is to provide accurate and admissible evidence that can be used in legal proceedings.
Disc Forensics is a subset of Digital Forensics. Disk forensics refers to the process of forensically analyzing storage media devices such as hard disk drives, solid-state drives, USB storage devices, logical drives, virtual drives, and more. The goal of disk forensics is to extract digital information and artifacts from a storage device in a forensically sound manner. Some of the key steps involved in disk forensics include:
Creating a forensic duplicate or disk image of the storage medium without altering the source evidence. Specialized write-blocking hardware is used for this purpose.
Analyzing the forensic disk image with tools like Autopsy to extract artifacts like deleted files, file metadata, browser history, registry data, password remnants, encryption keys, and more.
Carving and reconstructing data from unallocated and slack space through data recovery techniques.
Generating timelines of file system activity to recreate sequences of events.
Uncovering evidence like document edits, access timestamps, hidden data, and source attribution details.
It is crucial to create a digital copy or forensic image of the drive without modifying any data. This allows investigators to work on the image instead of the original drive, preserving the integrity of the evidence. Forensic images are created with specialized imaging tools that perform bit-stream transfers. Popular options include FTK Imager, EnCase Imager, and dd for Linux.
Once an image is obtained, investigators use tools like Autopsy to extract artifacts like:
Deleted files
Email messages
Browser history
Installed programs
File metadata
And much more
Disk forensics provides crucial evidence for many types of investigations and incident response scenarios. Some examples include:
In cybercrime investigations, disk forensics provides insights into malware activity, exfiltrated data, attacker behaviors, and other IOCs. This aids in tracking perpetrators, understanding their tactics, and preventing future incidents.
In insider threat cases, analyzed disk images reveal unauthorized data access, policy violations, account misuse, and other risky user behaviors.
During breach investigations, disk analysis determines impact, identifies compromised data, and uncovers root causes and vulnerabilities exploited.
For litigation support, forensic disk images provide legally admissible evidence like document revisions, file timestamps, usage patterns, and audit trails.
In anti-espionage operations, deep analysis detects stealthy tradecraft like hidden partitions, covert channels, classified data remnants, etc. on devices.
For intelligence purposes, disk forensics on seized equipment uncovers data like communications, plans, affiliations, etc. to connect dots.
During maintenance, storage media diagnostics pinpoint physical defects and prevent loss of critical data.
Given the wealth of digital evidence available on storage media, disk forensics provides immense value to public and private sector investigative scenarios where concrete data-driven insights are required.
Autopsy is a free open-source digital forensic tool created by Basis Technology. It is primarily used by cyber forensic investigators, law enforcement, military, etc.
Autopsy is the graphical interface for The Sleuth Kit, which is a comprehensive collection of command-line tools and a library designed for investigating disk images in the field of digital forensics. Autopsy aims to provide a user-friendly and efficient interface for digital forensic investigations, supporting both beginner and advanced users. It is compatible with Windows, macOS, and Linux operating systems.
Autopsy is a powerful forensic tool that offers a wide range of features for analyzing digital evidence. Some of its key capabilities include:
Disk Imaging: Autopsy allows the creation of forensic images of storage media like hard drives or USB devices, ensuring the preservation of original data integrity for analysis.
File Analysis: Autopsy analyzes files and their metadata, including file types, timestamps, properties, and file system information. It can identify known file types and perform keyword searches to locate specific content.
Artifact Analysis: Autopsy examines various artifacts such as internet history, emails, chat logs, registry entries, and social media data. This helps in uncovering evidence and reconstructing user activities.
Keyword Search: Autopsy provides powerful keyword search functionality, allowing investigators to identify specific content within the digital evidence.
Timeline Analysis: Autopsy can create timelines of events based on file timestamps, registry entries, and other artifacts. This helps establish a chronological sequence of activities.
Data Carving: Autopsy includes data carving capabilities, enabling the recovery of deleted or hidden files from unallocated disk space.
Reporting: Autopsy offers customizable reporting features, generating detailed reports and findings suitable for legal proceedings or investigative documentation.
Plugin Support: Autopsy supports a plugin architecture, allowing users to extend its functionality and integrate additional forensic tools or modules as needed.
Autopsy runs on Windows, Linux, and macOS.
Go to the Autopsy website and download the latest release. At the time we published this post, we have Autopsy v4.20.0 was released.
Once the downloads are complete, run the Autopsy installer as administrator. Accept the license agreement and installation defaults to install it under C:\Program Files\autopsy-4.19.3-64bit
.
The only prerequisites on Windows are Java 8+ and 20 GB of free space. The installer will notify you if any requirements are missing.
Here are instructions on how to download and install Autopsy on Windows, Mac, and Linux:
Under Autopsy 4, download the Windows 64-bit installer.
Save the .zip file and extract it.
Run the .exe installer as Administrator and follow the prompts to install Autopsy.
By default, it will install in C:\Program Files\autopsy-<version>
Under Autopsy 4, download the macOS installer.
Save the .dmg file and open it.
Drag and drop the Autopsy app into the Applications folder to install it.
Launch Autopsy from the Applications folder.
AOn Debian/Ubuntu, run: sudo apt-get install Autopsy
On Fedora/CentOS, run: sudo dnf install Autopsy
On Arch Linux, run: sudo pacman -S autopsy
Launch Autopsy from the applications menu.
This installs the latest Autopsy version packaged for your Linux distribution.
As we said earlier, the disc forensics process starts with creating an exact digital copy of the drive. Hence, in addition to Autopsy, we also need a disk imaging tool to create forensic images. A popular free option is FTK Imager from AccessData. However, for this demo, we are not going to create any forensic image of the disc. Instead, we have downloaded a sample forensic image file from this link: https://downloads.digitalcorpora.org/corpora/drives/nps-2010-emails/ . If you want more sample images for practice, you can get more free forensic testing image samples from here.
Autopsy will enable the extraction of artifacts like installed programs, archives, email & web activities, user accounts, and many more things.
Upon the installation of Autopsy, when we launch Autopsy for the first time, Autopsy will great with the below screen. Since Autopsy uses the concept of cases to organize investigations, choose “New Case”.
We need to create a folder structure for cases before using Autopsy. Under C:\Users\<User>\
, create a folder called Cases
. Under it, create separate folders for individual cases, like Test
and NIST
. Autopsy will automatically create case databases and reports inside these folders. With this, Autopsy is fully installed and configured. Next, we will learn how cases work in Autopsy.
After clicking the new case we will have to provide the necessary information like the case name, base directory and where do you wish to store the analyzed data.
After providing the above information we have to add a data source which is to create a new host for new cases. In the next step, we have to select the type of source we are adding. In this case, we are adding a disk image.
1. Disk Image or VM File: Represents exact copies of hard drives, media cards, or virtual machine images.2. Local Disk: Refers to physical storage devices such as hard disks, pen drives, and memory cards connected to the system.3. Logical Files: Encompasses local folders and individual files stored on the system.4. Unallocated Space Image File: Represents image files that represent unallocated space on storage devices, which do not contain a file system but require analysis for potential.
We can provide the location of the image file and decide on what fields need to be extracted from the image file, if you are not sure of what needs to be extracted you can select all fields.
Carefully choose the modules and the data. This step can take time depending on the size of the image file uploaded and modules selected once the ingestion is successfully done it will show the analyzed data.
Now we are in the data analysis phase. where you can view the data in different dimensions. extract artifacts and metadata, and do all the investigations.
Autopsy even lets you view the deleted files present in the image file. This feature is known as file carving. File carving is a method used to recover deleted or formatted files on a computer by searching for specific file patterns in a data stream. It involves extracting and reconstructing the deleted files from the available data.
We can view the image file and metadata and other details right there on the screen, its so simple and efficient to use.
Autopsy allows you to see all the email IDs listed in the sample image file, we can also search using the keywords which makes this process more effective.
One interesting feature of the autopsy is it will show all the events inside the image file in a timeline. Anyways, we can customize this data as we need.
Autopsy does come with reporting options. It allows generating reports containing all results or just bookmarked items, which can be saved as HTML, Excel, or CSV files.
Autopsy will enable to extraction of artifacts like installed programs, archives, email & web activities, user accounts, and many more things.
Features are endless. We can’t go into every feature explaining in this single post. We attacked a video by HackerSploit associated with Akamai. Please don’t miss to watch. More information is covered in the video.
Source:
By walking through this demo, we learned how Autopsy simplifies the process of disk forensics analysis. Key takeaways include:
Autopsy extracts and structures artifacts from disk images in an intuitive interface
Automated modules speed up analysis substantially
Timelines, custom tags, and reports help document the investigation.
Evidence like user activity, programs, accounts, etc., provides deep insight.
Autopsy is an invaluable free tool for any forensic investigator or DFIR professional. This guide should have provided a solid foundation for getting started with Autopsy and leveraging it for real-world disk forensics. The capabilities of Autopsy and digital forensics extend much further than highlighted here. To dive deeper, I recommend checking Autopsy’s extensive documentation and training material. You can also browse through the many forensic sample images provided by CFReDS and other sources to continue honing your skills. Thanks for reading! Let me know if you have any other topics you would like covered.
We hope this article helped in understanding digital forensic analysis, what Autopsy is, what are its features of it, and finally, how to forensically analyze a disk using Autopsy. Thanks for reading this post. Please share this post and help secure the digital world. Visit our website, thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive updates like this.
You may also like these articles:
Aroma is a cybersecurity professional with more than four years of experience in the industry. She has a strong background in detecting and defending cyber-attacks and possesses multiple global certifications like eCTHPv2, CEH, and CTIA. She is a pet lover and, in her free time, enjoys spending time with her cat, cooking, and traveling. You can connect with her on LinkedIn.
“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”
"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.
BurpGPT is a cutting-edge Burp Suite extension that harnesses the power of OpenAI's language models to revolutionize web application security testing. With customizable prompts and advanced AI capabilities, BurpGPT enables security professionals to uncover bespoke vulnerabilities, streamline assessments, and stay ahead of evolving threats.
PentestGPT, developed by Gelei Deng and team, revolutionizes penetration testing by harnessing AI power. Leveraging OpenAI's GPT-4, it automates and streamlines the process, making it efficient and accessible. With advanced features and interactive guidance, PentestGPT empowers testers to identify vulnerabilities effectively, representing a significant leap in cybersecurity.
Tenable BurpGPT is a powerful Burp Suite extension that leverages OpenAI's advanced language models to analyze HTTP traffic and identify potential security risks. By automating vulnerability detection and providing AI-generated insights, BurpGPT dramatically reduces manual testing efforts for security researchers, developers, and pentesters.
Microsoft Security Copilot is a revolutionary AI-powered security solution that empowers cybersecurity professionals to identify and address potential breaches effectively. By harnessing advanced technologies like OpenAI's GPT-4 and Microsoft's extensive threat intelligence, Security Copilot streamlines threat detection and response, enabling defenders to operate at machine speed and scale.