Welcome back, everyone. Today we're talking about how to start a digital forensic investigation with Autopsy. I'm using Autopsy 4.19.3, but really any version of Autopsy 4 will be very similar to this.

Before we begin, we have to get a couple of things ready. First, we need to go to autopsy.com and click the big download button; follow the instructions, it's very straightforward. Next, I recommend you get HxD. It's a freeware hex editor, and it does have integrations with Autopsy. A full-featured hex editor is much nicer whenever you're trying to dig down into specific data structures, so I recommend getting both of those and installing them, and they do work together.

Now, once we have Autopsy and HxD installed, the next thing we need to do is set up where our data is going to be located. We don't want to save data to our C drive on our forensic workstation, because we don't want to mix suspect data and our forensic workstation files. So what we want to do is always have a separate drive where you're going to be saving your case data. This could be an external hard drive, it could be a specific internal hard drive set up specifically for your case data, or it could be a network share at your organization. The drive I'm going to be using is the W drive. So again, I'm not saving anything to my forensic workstation's C drive; I'm going to be saving everything to my W drive to keep everything separated.

In W drive I have a couple of things already. One is a hash set, and we'll talk a little bit about hash sets later, and I have my cases folder. So inside the cases folder I'm going to create a new case. In most organizations, if we're already doing an investigation, then a case number has probably already been created for us, so I will create a new folder with a case number. Whatever that case number is, let's just say it was 001. I also like to give it some sort of indicator of what type of investigation I'm doing. That way I can look at the case; I might not recognize the case number, but I can really quickly recognize the tag. So I'll just put, like, an H here, and for me that will represent hacking. I might also usually include some sort of information like a tag about its location, a tag about the investigator that's starting it, maybe the investigating member's initials; I'll just say XX here. So this structure would tell me, for example: the case number assigned by our case management system, it's a hacking case, this is the investigator who is looking at it, and then this is the investigating member requesting the case. Come up with your own standard. You want to be able to look at this folder and understand really quickly what it's about, even if you don't recognize the case number, and then always use that standard for the rest of your cases, just to keep everything consistent, and try to use the same standard through your entire organization.

Inside this case folder I'll create a couple more folders. My basic structure is going to be docs, images, temp, autopsy, reports. While I'm here, I'm going to go ahead and go into docs, and I'm going to create a new text document called case number docs.txt. Now I have my case documentation. Open it up in Notepad, hit F5 to insert a timestamp, and then say "case started by". So now we have our documentation notes ready to go; I'm going to go ahead and keep that up.

For images, the investigating member by this stage has probably already given you images, or you're about to create images. So let's say that we have some suspect data, and the suspect data is in exhibit 001. Let's say a computer was brought in to you, or a thumb drive was brought in to you; that thumb drive is classified as exhibit 001. So I will just use that exhibit number directly: exhibit 001 under images. Double click on that, and then I already have my suspect data here that's already been collected, so I'm going to move that into this directory. Now all of my image data for all exhibits, plus all of my reports, plus all of my temporary files and everything like that, are in a single place inside this case folder. So if anyone's accessing any of the data, they know that they can just find it directly in that case folder. Everything is constantly kept together, and I'm never going to save anything outside of that folder. I'll have a link to this data below if you want to follow along specifically with my data set, suspect data.dd.

Next I'm going to do F5 and then say "started Autopsy 4.19.3", because we need to know which version of Autopsy we're using whenever we're processing something to process case data. Now, why am I keeping notes like this? This is basically a diary of everything that I'm doing, to make sure that I don't forget how I've started everything, and to make sure that I'm processing and documenting exactly where all of my data is located. A lot of this will be relevant to my final report.
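The case-folder standard and the timestamped notes file described above, as an added example script (not part of Autopsy and not the presenter's own tooling). It assumes a folder name made of case number, type tag, investigator and member joined by underscores, and writes ISO-8601 UTC timestamps instead of Notepad's F5 format; both are assumptions made for this example:

```python
"""Create the case folder layout from the video and keep the timestamped notes.

Added example for this tutorial; it is not part of Autopsy and not the
presenter's own script.  Assumed conventions, following the video: the
case root is <case number>_<type tag>_<investigator>_<member> under
<drive>/cases, with the sub-folders docs, images, temp, autopsy and
reports; docs/<case number>_docs.txt gets one timestamped line per action
(the 'F5 in Notepad' habit).  The underscore separator and the ISO-8601
UTC timestamp format are assumptions, not Autopsy conventions.
"""
import tempfile
from datetime import datetime, timezone
from pathlib import Path

SUBFOLDERS = ("docs", "images", "temp", "autopsy", "reports")


def case_folder_name(case_number, type_tag, investigator, member):
    """Build the folder name from the tags so anyone can read what the case is."""
    return f"{case_number}_{type_tag}_{investigator}_{member}"


def create_case_structure(base_dir, case_number, type_tag, investigator,
                          member, allow_system_drive=False):
    """Create <base>/cases/<case folder>/{docs,images,temp,autopsy,reports}.

    Refuses the C: drive by default so suspect data never lands on the
    workstation's own system disk.
    """
    base = Path(base_dir).resolve()
    if not allow_system_drive and base.drive.upper() == "C:":
        raise ValueError("case data must not live on the workstation's C drive")
    root = base / "cases" / case_folder_name(case_number, type_tag, investigator, member)
    for name in SUBFOLDERS:
        (root / name).mkdir(parents=True, exist_ok=True)
    return root


def notes_file(case_root, case_number):
    """Path of the case diary inside docs/."""
    return Path(case_root) / "docs" / f"{case_number}_docs.txt"


def append_note(path, text, when=None):
    """Append one 'timestamp  text' line; returns the line written."""
    when = when or datetime.now(timezone.utc)
    line = f"{when.strftime('%Y-%m-%d %H:%M:%S UTC')}  {text}"
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return line


def exhibit_image_dir(case_root, exhibit_number):
    """images/exhibit<number>, where the collected disk image is moved to."""
    d = Path(case_root) / "images" / f"exhibit{exhibit_number}"
    d.mkdir(parents=True, exist_ok=True)
    return d


def demo():
    """Run the whole procedure in a temp dir standing in for the W drive."""
    # The temp dir may sit on C: on Windows, hence allow_system_drive=True
    # here only; real cases keep the default.
    with tempfile.TemporaryDirectory() as w_drive:
        root = create_case_structure(w_drive, "001", "H", "XX", "YY",
                                     allow_system_drive=True)
        notes = notes_file(root, "001")
        fixed = datetime(2022, 3, 1, 9, 30, tzinfo=timezone.utc)  # constructed time
        append_note(notes, "case started by XX", fixed)
        append_note(notes, "started Autopsy 4.19.3", fixed)
        exhibit_image_dir(root, "001")
        made = sorted(p.name for p in root.iterdir())
        lines = notes.read_text(encoding="utf-8").splitlines()
        return (root.name, made, lines,
                (root / "images" / "exhibit001").is_dir())


if __name__ == "__main__":
    print(demo())
```

Point `create_case_structure` at the real case drive (the W drive in the video) and call `append_note` each time you would press F5; the notes file then doubles as the record of where every artefact lives, which is what the final report draws on.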
Go ahead and open up Autopsy, and now we have a couple of options. First is New Case or Open Case. I haven't created a case yet, so I'll do New Case. Click on New Case, and then we're asked for a case name, so I'm going to go ahead and copy and paste the case name in there. Then the base directory I want is W drive, cases, and then the case name, and I'm choosing autopsy as my base directory. That way all of the Autopsy case files are stored inside that autopsy folder. Click Select. So now I have the case number, I have cases and autopsy, and then the case type is single user. There's also multi-user; that's possible. You have to set up a network, including some servers on that network, and then multiple people can connect to the same case at the same time and start processing and analyzing different data sources in that case. It takes a little bit more to set up, but it is very useful in real laboratories. For now we're just going to do single user, which means everything is going to be processed locally and only you will have access to that data.

Confirm that the case data will be stored in the following directory. I'm going to go ahead and copy this string, and then in my documentation hit F5 and say "autopsy case data directory set to" this location. So I give the full path consistently, and one reason that I'm using the case number for my paths is because I want whoever's reading these notes to see that it's always in the same directory. I want to be able to very easily show that I'm saving the data in the right location.

Next, our case number: we should just put the number instead of the identifiers. Then the examiner, phone number, email, and then any notes about this particular case. We have to include the case number because we want to reference it back to this case number that was assigned by our case management system. The examiner information is necessary because we need to know who to contact if anyone has questions about these cases, plus this will end up on reports. Next is the organization, and this is the organization that you're doing the investigation for. That way, whenever you're processing data sets across the organization, you can do comparisons of data within that organization. If you need to add an organization (I already have the FBI added here just for fun), we can just go to Manage Organizations and click New. We already have FBI, so let's do CIA: point of contact John Doe, email, phone. All right, so now we have a CIA contact and an FBI contact, so click Close. Our organizations are set, so now we can select which organization it is that we're processing this case for. OK, so I'm going to select CIA. Click Finish.

The next thing we want to do is figure out a host name. A computer can have multiple hard drives in it, so we can specify a host name and then attach multiple data sources to that host. If you have a network dump, if you have a RAM dump, and you have a hard drive image, you add them under one host. So I'm going to go ahead and specify the host, and I'm going to call it exhibit 001. Under exhibit 001, which somebody has obviously already seized and imaged for me, I'm going to add our disk image. So our whole new host name is exhibit 001. If I had a different computer or another device, it might be exhibit 002, or whoever was making the initial documentation, I would use that exhibit number. Click Next.

Now we can choose if I want a disk image or VM file. Disk image is what I currently have; it's a raw disk image. If I go to images, go to our exhibit 001, I have our suspect data.dd. DD is almost always a raw disk image; it's an exact copy rather than some type of compressed format like Expert Witness Format. So I have a disk image. This is also for a virtual machine file; you can feed it basically a virtual machine disk image directly. Next is local disk. If I've connected the suspect's disk to my forensic workstation using a hardware write blocker, then I can select local disk, and then I have the ability to pick that suspect disk and read the data directly. This is much, much faster. The problem with this is that the suspect disk, the hardware, could go bad while I'm analyzing it, so it's always better to work off of a disk image, and specifically a copy of a copy. Next are logical files. If we've only collected files from some suspect device, or maybe a cloud service or something like that, we can dump all of those logical files directly into Autopsy instead of having an image file, so the way we access these is a little bit different. An unallocated space image file is specifically looking at unallocated space images. And then Autopsy logical imager results: Autopsy does have a logical imager, and you can import the results directly. There's also XRY text export, which is from the mobile phone analysis software XRY. We're going to do a disk image. Click Next.

Then, where is this disk image located? I'm going to go to Browse, and we are in cases, case number, images, exhibit 1, and then suspect data.dd. So that looks OK. The next thing we have is the time zone. I don't necessarily know where this suspect data.dd came from, which time zone it was in. Normally it's going to be your local time zone, especially if, you know, the suspect was living in your time zone; most likely their system will be set up for your time zone. But if you don't know, I always set it to GMT+0, UTC. If you do know, then click on it and select your time zone from the region, but I'm just going to use UTC here. Any time I don't know, I always use UTC. Sector size: keep that at auto detect, although if you do know it, you can select it specifically.

Hash values: now, hash values are used to do some verification and end up in your final report, so we do want to enter them here. I'm going to go to the suspect verification report that was given to me. It was created with hashdeep, and it has two hash values in it, the MD5 hash value and the SHA-256 hash value. I'm going to copy the MD5 hash value (you can usually find these in whatever report was given to you) and paste that directly into MD5. The next hash value is SHA-256, so copy that and then paste that in. Like I said, this ends up in reports, and it can be used to do some image verification later, but it says these values will not be validated when the data source is added, so you have to explicitly verify the source. OK, click Next.
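Because Autopsy stores the MD5 and SHA-256 you type in but does not validate them when the data source is added, here is an added example (not Autopsy code and not the presenter's) that does the explicit verification: it reads the expected values out of a hashdeep-style report, hashes the image in chunks, and reports per-algorithm matches. The report layout with a `%%%% size,md5,sha256,filename` header line is an assumption about hashdeep's default output, and the image bytes are constructed:

```python
"""Verify a disk image against the MD5/SHA-256 values in a hashdeep report.

Added example for this tutorial; it is not Autopsy code or the presenter's
script.  Autopsy stores the hashes you type in but does not validate them
when the data source is added, so this does the check explicitly.
The report text in demo() is constructed to mimic hashdeep's default output
(assumption: a '%%%% size,md5,sha256,filename' column header line).
"""
import hashlib
import os
import tempfile


def compute_hashes(path, chunk_size=1 << 20):
    """Return {'md5': ..., 'sha256': ...} for a file, hashing it in chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def parse_hashdeep(report_text):
    """Map file name -> {'size', 'md5', 'sha256', 'filename'} from a report."""
    columns = None
    records = {}
    for line in report_text.splitlines():
        if line.startswith("%%%% ") and "," in line:
            columns = line[5:].split(",")   # e.g. size,md5,sha256,filename
            continue
        if not line or line.startswith("%") or line.startswith("#"):
            continue                        # banner and comment lines
        if columns is None:
            raise ValueError("data line before hashdeep column header")
        fields = line.split(",", len(columns) - 1)  # filename may contain commas
        rec = dict(zip(columns, fields))
        records[os.path.basename(rec["filename"])] = rec
    return records


def verify_image(image_path, report_text):
    """Compare the image's computed hashes with the report; return (ok, detail)."""
    expected = parse_hashdeep(report_text).get(os.path.basename(image_path))
    if expected is None:
        return False, {"error": "image not listed in report"}
    actual = compute_hashes(image_path)
    detail = {}
    for algo in ("md5", "sha256"):
        detail[algo] = {"expected": expected[algo].lower(),
                        "actual": actual[algo],
                        "match": expected[algo].lower() == actual[algo]}
    return all(d["match"] for d in detail.values()), detail


def demo():
    """Build a constructed image and report, verify, then tamper and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "suspect data.dd")
        with open(image, "wb") as fh:
            fh.write(b"\x00" * 512 + b"constructed sample image")
        h = compute_hashes(image)               # stands in for the imager's hashes
        report = "\n".join([
            "%%%% HASHDEEP-1.0",
            "%%%% size,md5,sha256,filename",
            "## Invoked from: constructed example",
            f"{os.path.getsize(image)},{h['md5']},{h['sha256']},{image}",
        ])
        ok_before, _ = verify_image(image, report)
        with open(image, "r+b") as fh:          # flip one byte: integrity broken
            fh.seek(0)
            fh.write(b"\x01")
        ok_after, detail = verify_image(image, report)
        return ok_before, ok_after, detail["md5"]["match"], detail["sha256"]["match"]


if __name__ == "__main__":
    print(demo())   # (True, False, False, False)
```

The demo also flips one byte of the constructed image and re-runs the check, which is exactly the failure the verification is there to catch. Run the real check against the image under images/exhibit001 and paste the result into the docs file with a timestamp, since that line is what later proves the image was intact when processing started.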
Now we have our ingest modules, and this section is how we're going to process the data that we just gave it. So the suspect data.dd: we're going to pick through it and get out any interesting information that we possibly can. Let's take a look at these default modules. You can add additional modules, and you can even write your own modules if you want to.

Recent Activity goes through and looks at things like web browsing activity, recent documents, recently installed programs, any recent activity from a system, especially a Windows computer. It will try to extract that recent activity and then have a special category easily accessible for the investigator. So this is a good module to always run, because we're usually interested in user activities whenever we're doing an investigation.

Next is Hash Lookup, and what this does: we can set hash databases of known good files and known bad files. With known good files, we can use that hash database to filter files that we know are good, so we don't necessarily want to see them in Autopsy. We can also add known bad hash databases, where if any file matches a known bad hash, then it's automatically flagged for us for review. So it makes investigation really easy if we can share these hash values, and then it'll help us to reduce the amount of data we have to look at and also flag things that we know are definitely going to be suspicious. I don't have any hash databases set right now, but what I do always check is "calculate MD5 even if no hash set is selected". So for the MD5 hash value of the files that are being processed, we do want to create a hash value, so whenever we're talking about those files or extracting them, we can give that hash value as well. So make sure that calculate MD5 is checked. It will take a little bit longer to calculate those hash values, but in most cases it is worth it. If we want to add a hash database, we can go to the Global Settings button, and then I can either create a new hash set or import a hash set. If it's a new hash set, then I need to add hashes manually, otherwise it'll be empty. Import hash sets is what we normally use, and I'll talk about hash sets in a different video.

The next is File Type Identification, so this matches file types based on binary signatures. We can set file types that we want to match in the global settings, so custom MIME types. Let's go ahead and create a new file type identifier. So, the MIME type that we want: in Linux you can use the command file -i to get the MIME type of a particular file. So I'm going to do file -i, and then I have a hash database here; I'm going to find its MIME type. Its MIME type is application/csv. I'm going to copy that, and then I'm going to add a signature, and the signature in this case is bytes in hex. I'm going to use xxd with the hash database and then pipe that into head, so we can get the first bytes here. Actually this is just a header, so it's not going to be that interesting, but let's say that I know that this signature, 2253, is going to be interesting for multiple files. What I can do is say signature 2253 in hex, and the byte offset here is 0, so I'm essentially looking for a header, and then relative to the start or the end, I'm going to say start. OK, so now I have the application/csv MIME type with a signature 2253, and if I find that, I can flag it automatically. So for example we can check "alert as an interesting file when found". Click OK, and then I have application/csv and my signature. So you can make custom signatures based on any data structure: if you give a hex or binary value, find the data structure that's interesting, and then flag where that data structure is. It is interesting if you want to do advanced file structure analysis and then automatic detection.

Next we go into Extension Mismatch Detector. This one's a little bit easier, I think, to understand. Basically we have a file signature and then we also have a file extension. So next I have test.hwp. An HWP file is a Hangul Word Processor file; it's basically a doc file for Korean characters. If we do file -i test.hwp, I can see it's an application/x-hwp file type, and then we have the hwp extension. So that's actually what we would expect to see. But if I find the x-hwp file type and the extension is not hwp, then I know something is suspicious. That's essentially what this extension mismatch detector is doing. So here I can select what types of files I want to check. "Check only multimedia and executable files" will make things run much faster, but if somebody is trying to hide a file, you might want to check all file types. They might be naming, like, a doc file to a jpeg, and then whenever you double click on the jpeg it doesn't open, because it's actually a doc file. macOS and Linux use the file header to understand how to open the file, but Windows uses the file extension. Next, go to Global Settings, and then we can see the file types. This is the file header type, and if we click on pdf, for example, then we can see the extensions that we will accept. I know the Hangul Word Processor is not usually in the extension mismatch identification settings, so I'm going to add Hangul Word Processor. I'm going to click New Type, and then the MIME type that I want is application/x-hwp, and then paste that in. OK, application/x-hwp, and then I want to add a new extension that's acceptable, and it's hwp. So now if it finds an application/x-hwp and it doesn't have a hwp file extension, it will flag it as a suspicious file extension. Click OK.
next embedded file extractor this is
fairly straightforward there's a lot of
files that are actually compressed like
zip files essentially and what this will
do is go in and decompress everything
take everything out of the file and then
index all of the files that were inside
the compressed file so we want to keep
that checked pretty much all the time
picture analyzer same thing we're
looking at images and extracting things
like exif information from jpegs xf
information is really useful because it
might have locations it could have time
stamps it could have you know editing
programs that were used to modify the
picture the camera settings so we
definitely want to keep picture analyzer
in most cases it's very relevant next is
keyword searches and you can do quite a
few things with keyword searches by
default they have phone numbers ip
addresses email addresses urls credit
card numbers and credit card numbers
urls email addresses
and ip addresses are all fairly
universal phone numbers by default are
set up for the us style phone number so
you might want to modify that if you're
looking for other phone numbers by
default it's also only looking for latin
basic so we will need to modify that if
we want to support other character sets
okay then we have the option to enable
optical character recognition and this
looks at images and attempts to extract
text from those images really most the
time we want to turn on optical
character recognition the problem is
that optical character recognition takes
quite a bit longer so if you enable it
it will take longer to process all of
this but you will be able to search for
images with text in them which is
extremely useful in most cases if you
know you're looking for certain types of
keywords make sure you select these
boxes i usually turn on optical
character recognition because i found it
so useful and then now we need to go
into global settings and configure some
settings for this what we can do is set
up first our keyword lists so i might
create a new list and it might be called
for example drugs so i want to search
for any keywords related drugs and i can
add as many keywords as i want here and
i can do for example a new keyword so i
added two keywords here and then i can
do
exact match substring match or regular
expression to make sure i don't get too
many false positives i'm going to do
exact match you'll get a lot fewer
results but also fewer false positives
and then we have regular expression
matches regular expressions are an
advanced form of pattern matching across
keywords an extremely powerful tool in
digital investigations we'll just do
exact match in this case click ok and
then we can see the the keywords that we
have associated with our keywords list
as you do more investigations you'll
find there are patterns and keywords
that you get for certain case types
whenever you detect those patterns
create a neat new keyword list for that
type and then add those keywords to it
and then reuse it in all of your cases
it will save you a lot of time if you're
just looking for english keywords just
click ok but before we leave we can go
to string extraction and this is where
we can select other character types that
we want to include so for example i
sometimes search in hangout korean
characters so i'm going to enable hangul
korean character sets and you can also
enable a lot of other character sets so
if you're trying to search for any other
character sets using keyword searching
make sure you enable this first and this
is a global setting it will be there for
the rest of your cases so make sure
string extraction you're selecting the
alphabets you want to use and then lists
make sure that you create lists for any
keywords that you know tend to show up
for certain case types click ok next is
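How the String Extraction setting and the three match modes interact, as an added example (not Autopsy's code): strings are pulled from constructed bytes with either the Latin alphabet only or Latin plus Hangul enabled, then one keyword is run as exact, substring or regular-expression match, and simplified stand-ins for the default US phone, email and IPv4 regex lists are run over the result. The Unicode ranges and the regex patterns are assumptions written for this example:

```python
"""String extraction with a selectable character set, then keyword matching in
the three modes Autopsy offers: exact match, substring match, regular expression.

Added example for this tutorial; not Autopsy's own code.  The Latin-only
versus Latin+Hangul extraction shows why the String Extraction setting
matters: with only Latin enabled, the Korean text is never indexed, so a
Korean keyword cannot hit.  The sample bytes are constructed.
"""
import re

# Unicode ranges for the alphabets we can enable (assumed ranges).
ALPHABETS = {
    "latin": [(0x0020, 0x007E)],
    "hangul": [(0xAC00, 0xD7A3), (0x1100, 0x11FF), (0x3130, 0x318F)],
}

# Stand-ins for the default regex lists (US phone numbers, email, IPv4);
# simplified patterns written for this example, not Autopsy's own.
DEFAULT_PATTERNS = {
    "US phone": r"(?<!\d)\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)",
    "email": r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b",
    "IPv4": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
}


def _in_alphabet(ch, enabled):
    code = ord(ch)
    return any(lo <= code <= hi for name in enabled for lo, hi in ALPHABETS[name])


def extract_strings(data, enabled=("latin",), min_len=4):
    """Decode bytes as UTF-8 (bad bytes skipped) and keep runs of characters
    from the enabled alphabets that are at least min_len long."""
    text = data.decode("utf-8", errors="ignore")
    out, run = [], []
    for ch in text:
        if _in_alphabet(ch, enabled):
            run.append(ch)
        else:
            if len(run) >= min_len:
                out.append("".join(run))
            run = []
    if len(run) >= min_len:
        out.append("".join(run))
    return out


def keyword_hits(strings, keyword, mode="exact"):
    """Return the extracted strings that hit, using the three match modes."""
    if mode == "exact":        # whole word, case-insensitive
        pat = re.compile(r"(?<!\w)" + re.escape(keyword) + r"(?!\w)", re.I)
    elif mode == "substring":  # anywhere inside a longer token
        pat = re.compile(re.escape(keyword), re.I)
    elif mode == "regex":      # the keyword is itself a regular expression
        pat = re.compile(keyword, re.I)
    else:
        raise ValueError(mode)
    return [s for s in strings if pat.search(s)]


def regex_hits(strings):
    """Run the default regex lists over the strings; {list name: [matches]}."""
    found = {}
    for name, pattern in DEFAULT_PATTERNS.items():
        pat = re.compile(pattern)
        matches = [m.group(0) for s in strings for m in pat.finditer(s)]
        if matches:
            found[name] = matches
    return found


# Constructed sample bytes: slack, a Latin note, a Korean note, a log line.
SAMPLE = (b"\x00\x00\xff\xfe"
          b"call me at (555) 123-4567 or mail cat@example.com\x00\x00"
          b"the cats are in the catalogue\x00\x01\x02"
          + "고양이 사진은 여기 있습니다".encode("utf-8") + b"\x00\x00"
          b"server 10.0.0.5 down\x00")

if __name__ == "__main__":
    latin_only = extract_strings(SAMPLE, ("latin",))
    both = extract_strings(SAMPLE, ("latin", "hangul"))
    print(keyword_hits(latin_only, "cat", "exact"))
    print(keyword_hits(latin_only, "cat", "substring"))
    print(keyword_hits(both, "고양이", "exact"))
    print(regex_hits(latin_only))
```

With only Latin enabled, the Korean sentence never becomes a string, so the Korean keyword cannot hit no matter which match mode you pick; that is the global setting the speaker turns on first. Exact match gives the one line where "cat" stands alone, substring also pulls in "cats" and "catalogue", which is the false-positive trade-off described above.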
Next is Email Parser, and this just parses out PST or OST files and any other email types that it can try to find, so we usually want to keep that enabled. Encryption Detection tries to find encrypted container files using entropy testing. This takes a very long time. If you have a good reason to suspect that encryption is being used, you might want to keep it on; otherwise, if you uncheck it, it will save you a lot of time.
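An entropy test of the kind the Encryption Detection module runs, as an added example (not Autopsy's implementation). The threshold, the minimum size and the constructed samples are assumptions for this example; the high-entropy sample is generated deterministically from chained SHA-256 so the run is repeatable offline:

```python
"""Entropy test of the kind Encryption Detection uses to spot encrypted
containers.  Added example for this tutorial, not Autopsy's implementation.
Shannon entropy of a byte stream is at most 8 bits per byte; encrypted or
compressed data sits close to 8, text sits around 4 to 5.  The threshold
of 7.5 bits/byte and the minimum size are assumptions for the example.
"""
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.5      # bits per byte (assumption)
MIN_SIZE = 1024              # tiny files give unreliable entropy (assumption)


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(data, threshold=ENTROPY_THRESHOLD, min_size=MIN_SIZE):
    """True when the stream is big enough and its entropy is near 8 bits/byte."""
    return len(data) >= min_size and shannon_entropy(data) >= threshold


def pseudo_random_bytes(n, seed=b"constructed"):
    """Deterministic high-entropy bytes: chained SHA-256 output (not for crypto)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def classify(files):
    """files: {name: bytes} -> {name: (entropy rounded to 2 places, flagged)}."""
    return {name: (round(shannon_entropy(d), 2), looks_encrypted(d))
            for name, d in files.items()}


# Constructed samples: English text, zeros, a full byte ramp, a blob that
# stands in for an encrypted container, and a blob too small to judge.
TEXT = b"The quick brown fox jumps over the lazy dog. " * 40
SAMPLES = {
    "notes.txt": TEXT,
    "zeros.bin": b"\x00" * 4096,
    "ramp.bin": bytes(range(256)) * 16,
    "container.bin": pseudo_random_bytes(4096),
    "tiny.bin": pseudo_random_bytes(64),
}

if __name__ == "__main__":
    for name, (h, flagged) in classify(SAMPLES).items():
        print(f"{name:14s} entropy={h:.2f} flagged={flagged}")
```

The byte ramp scores a perfect 8.0 without being encrypted, and compressed archives score nearly as high, so entropy alone flags candidates rather than proving encryption; that noise, on top of reading every byte of the image, is why the module is slow and why the speaker leaves it off unless encryption is suspected.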
Interesting Files Finder: you can set up what you think are interesting files. By default we have cloud storage, cryptocurrency wallets, encryption programs, and privacy programs, only for Windows hosts, so this is by default set up for interesting files on Windows. If we want to change that, we can either select which categories we actually want to include, or go to Global Settings, and then we can see each category and add or remove programs to it. We can also create a new set of what we think are interesting files. If there's a program or set of programs that you're looking for, and they're always involved in the cases that you're investigating, you definitely want to make a filter to automatically scan for them using these interesting items settings. Click OK.

Central Repository: this is a really interesting feature in Autopsy. What this does is create a local database that keeps track of some of the files and activities that you've seen in past cases. If there's a file that you flagged in one case, and there's another case that you don't think is related to the first case, central repository can pop up and say, hey, you've already seen this file and you flagged it in another case, do you want to take a look at it now? So it can really help you to find patterns over cases. I highly recommend using the central repository, because it can show you when there are connections to other cases that you might not have known were there. Now, none of the original suspect data is saved; it's all going to be via hash value. So a hash value of the file is going to be created, stored in the central repository, and logged with which case it was involved in, but you won't be saving original suspect data. Now we have central repository: we can save items in the central repository, I highly recommend you do it, and then we can do things like "flag items previously tagged as notable". So if we've seen them in a past case and tagged them as notable, then flag them; I would definitely check that. "Flag devices and users previously seen in other cases": if you've set up and you're managing devices and users across cases, then I would select that, just so you know if they're related to this new case. And then "flag apps and domains not seen in other cases": what this can help you do is find applications that you've never seen before, which basically helps you to focus in on things that are unique to this case. So I would also select that. This is such a useful feature.
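The hash-based mechanisms from the Hash Lookup section above and the Central Repository, as one added example (not Autopsy's code): known-good and known-bad sets hide or flag files by MD5, and a repository that stores only hashes per case, never content, reports other occurrences, previously notable items and items unique to this case. Hash sets, case IDs and file contents are constructed:

```python
"""Hash-based triage as done by the Hash Lookup module and the Central Repository.

Added example for this tutorial, not Autopsy's own code.  Two mechanisms
are shown: (1) known-good / known-bad hash sets that hide or flag files,
and (2) a central repository that records only hashes per case (never the
content), so a hash seen before can be reported with the case it came
from and its earlier 'notable' tag, and never-seen items can be marked as
unique to this case.  The sets, cases and files are constructed.
"""
import hashlib
from collections import defaultdict


def md5_hex(data):
    """MD5 of the file content; the 'calculate MD5' option does the same."""
    return hashlib.md5(data).hexdigest()


class HashSets:
    """Known-good (NSRL-style) and known-bad hash sets used for filtering."""

    def __init__(self, known_good=(), known_bad=()):
        self.known_good = set(known_good)
        self.known_bad = set(known_bad)

    def classify(self, digest):
        if digest in self.known_bad:
            return "notable"        # flagged for review
        if digest in self.known_good:
            return "known"          # hidden from the analyst by default
        return "unknown"            # has to be looked at


class CentralRepository:
    """Records hash -> [(case_id, tag)]; original suspect bytes never go in."""

    def __init__(self):
        self._seen = defaultdict(list)

    def record(self, case_id, digest, tag=None):
        self._seen[digest].append((case_id, tag))

    def other_occurrences(self, digest, current_case):
        """Where else this hash was seen, like the 'Other Occurrences' view."""
        return [(c, t) for c, t in self._seen[digest] if c != current_case]

    def previously_notable(self, digest, current_case):
        return any(t == "notable" for _, t in self.other_occurrences(digest, current_case))

    def never_seen(self, digest, current_case):
        return not self.other_occurrences(digest, current_case)


def triage(files, hash_sets, repo, case_id):
    """files: {path: bytes}. Returns {path: verdict dict} and records hashes."""
    report = {}
    for path, data in files.items():
        h = md5_hex(data)
        verdict = hash_sets.classify(h)
        report[path] = {
            "md5": h,
            "hash_set": verdict,
            "prior_cases": [c for c, _ in repo.other_occurrences(h, case_id)],
            "previously_notable": repo.previously_notable(h, case_id),
            "unique_to_case": repo.never_seen(h, case_id),
        }
        # Save the item to the repository, carrying the tag this case gives it.
        repo.record(case_id, h, "notable" if verdict == "notable" else None)
    return report


def demo():
    """Constructed scenario: case X saw a notable file; case 001 sees it again."""
    os_file = b"constructed stand-in for a known OS binary"
    tool = b"constructed stand-in for a tool flagged in case X"
    new_doc = b"constructed document never seen before"
    hash_sets = HashSets(known_good=[md5_hex(os_file)], known_bad=[md5_hex(tool)])
    repo = CentralRepository()
    repo.record("X", md5_hex(tool), "notable")           # earlier case X
    return triage({"/Windows/calc.exe": os_file,
                   "/Users/alice/tool.exe": tool,
                   "/Users/alice/cat.docx": new_doc}, hash_sets, repo, "001")


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(path, verdict)
```

The repository only ever holds digests and case identifiers, which is what lets it be shared across a laboratory without moving suspect data; the cost is that a single changed byte produces a different hash, so it finds identical files, not similar ones.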
Next is PhotoRec Carver, and this carver is used to find additional data that has been deleted, or unallocated, removed, whatever. It will try to carve out any of that data and then basically present it back. So we have a couple of options here: keep corrupted files, or focus on certain file types. A lot of people just want to focus on, for example, jpeg, png or zip. I'm going to just carve everything. Carving everything does take longer, but you possibly get more data back. The PhotoRec carver is basically for deleted data recovery; it's a really interesting program.
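A minimal header/footer carver, as an added example of what a carver does over unallocated space (not PhotoRec or Autopsy code). It implements both options from the dialog above, restricting the file types and keeping corrupted objects; the type table, the size cap and the constructed blob are assumptions for this example:

```python
"""A minimal header/footer file carver over unallocated space.

Added example for this tutorial; it is not PhotoRec or Autopsy code.
Carving works on raw bytes with no file system: find a known header,
then the matching footer (or a size cap when the footer is missing), and
cut that range out as a recovered file.  'keep corrupted' keeps objects
whose footer is missing, as the PhotoRec Carver option does.  The sample
unallocated blob is constructed.
"""

# name -> (header, footer, max size used when the footer is missing)
CARVE_TYPES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 64 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 64 * 1024),
    "zip": (b"PK\x03\x04", b"PK\x05\x06", 64 * 1024),
}


def carve(blob, types=None, keep_corrupted=False):
    """Return [(type, offset, data, complete)] for objects found in `blob`.

    `types` limits the scan to those file types (None = carve everything).
    """
    wanted = {k: v for k, v in CARVE_TYPES.items() if types is None or k in types}
    found = []
    for name, (header, footer, cap) in wanted.items():
        pos = 0
        while True:
            start = blob.find(header, pos)
            if start < 0:
                break
            end = blob.find(footer, start + len(header))
            if end >= 0 and end - start <= cap:
                data = blob[start:end + len(footer)]
                found.append((name, start, data, True))
                pos = end + len(footer)
            else:
                if keep_corrupted:             # header with no footer: truncated file
                    data = blob[start:start + cap]
                    found.append((name, start, data, False))
                pos = start + len(header)
    return sorted(found, key=lambda f: f[1])


def summarize(blob, **kw):
    """Compact view: [(type, offset, size, complete)] for easy checking."""
    return [(t, off, len(d), ok) for t, off, d, ok in carve(blob, **kw)]


# Constructed unallocated space: a complete jpeg, a complete png, a zip whose
# footer was overwritten (corrupted), and filler between them.
UNALLOCATED = (
    b"\x00" * 16
    + b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"                 # jpeg at 16, 46 bytes
    + b"\xaa" * 10
    + b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xae\x42\x60\x82"    # png at 72, 46 bytes
    + b"\xbb" * 10
    + b"PK\x03\x04" + b"Z" * 20                                    # zip at 128, no footer
    + b"\x00" * 8
)

if __name__ == "__main__":
    print(summarize(UNALLOCATED))
    print(summarize(UNALLOCATED, keep_corrupted=True))
    print(summarize(UNALLOCATED, types={"jpg"}))
```

Without "keep corrupted" the zip whose footer was overwritten is dropped, with it you get a truncated object to inspect; restricting to jpeg returns only the one picture. Real carvers validate the structure between header and footer as well, since a footer byte pair like `FF D9` shows up by chance in other data.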
Next is the Virtual Machine Extractor. If the image that you're analyzing has a virtual machine inside of it, the virtual machine extractor will extract that virtual machine and then treat that virtual machine as a separate disk. So it's very similar to the embedded file extractor, except it's specific for virtual machine files. Next is Data Source Integrity, and this is calculating the source hashes, verify existing data hashes; verify data source integrity is just verifying that the hashes that we're dealing with are OK. Remember we already copied in the MD5 and SHA-256 hashes, so we will try to verify against that. Next is Android Analyzer. Our disk image does not have anything to do with Android, so I'm going to uncheck that, but if you are analyzing an Android device, make sure it's selected. ALEAPP is a great tool for parsing out Android data structures. DJI Drone Analyzer: we're not looking at drones today, so I'm going to uncheck that. Plaso is another forensic tool that's really comprehensive in trying to extract a bunch of different things. I usually keep it unchecked because it does take a long time to run, and they do say that it duplicates Autopsy modules. If you want to be very thorough you can enable it, but it will take much longer to run your processing. YARA Analyzer: YARA is a really interesting pattern matching tool. We can write YARA scripts to try to analyze a file structure and then flag those files. It's really similar to file type identification. We use it a lot for malware analysis, so if you're doing any type of malware analysis, people share YARA scripts or YARA patterns; you can just add those YARA patterns to Autopsy and then detect new malware in a system. It's really interesting. Next, iOS Analyzer using iLEAPP: we're also not looking at iOS devices like iPhones, so we're going to leave that unchecked. Then GPX Parser: if we do find any GPX files, then we can get some potential location information. I know there aren't any in this image, but it won't take that long to analyze. We also have another Android Analyzer, so again, if you have an Android suspect image, then you want to select that.

Those are all the default modules. You notice that I kept most of them on, but I try to remove anything that I know I don't need, or that's going to take much too long. The more modules you enable, the longer processing is going to take. Usually we want to find a good balance between processing everything and taking a very, very long time. So if you don't suspect encryption, remove encryption detection; if you're not analyzing Android devices, remove the Android device analyzer; things like that. Just be conservative with how you're running your modules. So now we've selected everything we want to select; we can click Next, and now it starts to add the data source and starts processing. You can see in the back we have some messages popping up, and we have this progress bar. If I click Finish, the progress is going to be really quick because this image is very small, but now it's processing, and now it's done. A normal disk image will take a very long time, so you can expect, like, a one terabyte hard drive of a normal Windows computer to take at least several hours to process, and sometimes up to 24 or maybe even more.
We have our data sources. If I expand that, we have exhibit 001, and that is the device name that I gave it, and then I have one hard drive under exhibit 001 called suspect data.dd. If I select suspect data.dd, I can also expand it and see the file structure, or I can see the files in this main view. In the main view I can see things like the file name, special attributes, modified time, change time, access time, size, any flags, MD5 hash, SHA-256 hash, MIME type, extension, and the location relative to the disk image. If I click on any of these files, then I get the main view in the bottom, or the application view, where it tries to show what the data actually looks like. We also have the hex view, where I can see the raw data of the image plus the ASCII view next to it. You notice whenever I'm selecting this I can launch in HxD if I have HxD installed. If we click that, then HxD pops up and I get a lot more flexibility in searching with a hex editor like this. Next I have the text view, and we have the indexed text, so this is information about the indexing and the file itself. If I go to strings, then these are the raw strings that I find in the text that are also indexed, and I can do keyword searches over them. You can also go to file metadata and see everything like modified time; again, it's in UTC because that's the time zone that I set. Other occurrences: if we've ever seen this file before, if I have correlation set up, we can know when this file was seen. So in case X that I had previously, I had source name suspect data.dd; it's the same suspect image, we have the same file name and hash value, so I have seen this before in a prior case. Once I see this, I can say that maybe our current case and case X are related, especially if this file was a suspicious file. OK, so other occurrences can be interesting whenever we're looking at suspect files. Most of the time you're going to be looking at things in application view or hex view; at least that's where I spend a lot of my time.

So we have our data sources tree, we have exhibit 1, and we have one image under exhibit 1, suspect dd. We have all of the files available in the file view, and then whenever I click on them I have the detailed view in the bottom. Most forensic tools are set up in this kind of workflow. If I was processing a bigger case, we'd also have a lot more things showing up over here.

Let's go ahead and look at these views first. Under file views we have some filters that are automatically created. We can filter, for example, by extension, so images based on their extension. We can also do documents, if there are any documents in the folder. Many times in investigations we want to see all of the images in the system, or all of the documents in the system. We don't really care where they're located, but we need to scan through them to see, for example, PDFs, and see if anything's suspicious. So using these filters is a really quick way to focus in on just the file types you want. We also have executable file types as well; like, maybe we want to know all of the exe files that are in the system and then just look for anything suspicious there. After that we can also do it by MIME type. We've talked a little bit about MIME types so far, so we can either do applications, images, or text. Same principle as by extension, except this is using the file header instead of the extension. Next is by deleted files, so we can have files deleted from the file system that were able to be recovered, or at least partially recovered. We have all data that was recovered, whether it was in a file system or not. Under file system we have four items; under all we have six items, and you'll notice that those four items are also in the all items, but we have these two extra carved files that are available that were probably carved out of unallocated space. If you have carving enabled, you might see more in all; make sure you check what data has been carved. Next we can also filter by file size, so by default we can do 50 to 200 meg, one gig, and one gig plus. Sometimes it's interesting to filter and say, hey, only show me the devices that are over one gig, because maybe they're encrypted containers containing a lot of interesting information, or, you know, if you have an Excel file that's like 16 gigabytes, that's very suspicious. So you might just want to take a quick look at anything over one gig, and sometimes it can lead you in a direction. All these are meant to give you a quick view into odd situations and odd data that might stick out at you.

Next is data artifacts. I didn't have very much data inside this disk image, so we don't really have any data artifacts that were carved out, but for all of the ingest modules that we selected, if any of them got a hit, it will show up in data artifacts, or analysis results, or OS accounts. Since we don't have an operating system on this disk image, they don't show up here, but these are essentially the filters that will show all of that information.

One workflow that I normally do once an exhibit's been added: we have our suspect image and it's been indexed, processing has mostly been done, then what I tend to do first is keyword searches. We might have already had our keyword lists, but now I'm going to do keyword searches specific to this case. Keyword lists have general keywords that might be relevant to a similar case type; keyword searches will be specific to my individual case. So I know, for example, that this disk image has something related to cats, so I'm going to do "cat". I'm going to do an exact match, and then I want to search suspectdata.dd, and I'm going to save the results. So I'm going to click Search, and then what happens is we have our analysis results; we have our keyword hits for "cat" show up. So the string literal keyword search: we can expand that, and then we have our search for "cat", and it's a string literal. So now I have a filter set up for that particular keyword, and now I can go through and look for anything that I think, you know, might be interesting. Let's say that I think this image is interesting. The next thing that I would do, if it's related to our case, is right click on it and go to Add File Tag. If I know it's related to the case, I would probably do either Bookmark or Notable, depending on what type of file it was, depending on how it was related to the case. Let's just go ahead and bookmark it. Then we find another picture; let's say that I know that this image is definitely related to the case and it is notable, so I'm going to Add File Tag and then go to Notable. What we tend to do is tag items that are related; that way we can filter out the related things and then build our story around those tagged items. So your report will refer to those tagged items and then say why they're relevant to your case. All right, next: so keyword search "cat", it gave us eight results. Next I'm going to do a keyword search again for cap but
it's going to be a sub string search so
i'm not going to save the results search
and a new tab is created so in this
search we got 10 results in cat we got
eight results and the difference is
when keyword searching doing exact match
cat must be by itself so you can have
dash cat and it can be capital or locate
or lower case but it must be essentially
on its own there can't be other
characters around it except things like
dashes or something like that but with a
substring match we can have things like
cats
so cat is a substring of cats so we
actually returned two additional results
by using a sub string match so let's say
that this one might be relevant to our
case but i'm not really sure if it is so
i need to come back to it i'm gonna add
file tag to follow up so i tend to go
through everything and
tag everything as follow up unless i
absolutely know it's relevant to our
case and then i'll mark it as notable
but i use follow-up a lot and then i go
back again once i've done my preliminary
examination and then
we'll follow up now you might be
thinking why am i tagging things well
now i can close these searches and we
can go into this tags folder and in the
tags folder i'm going to expand it
under bookmarks
i have one picture book marked and then
i have the picture view so i can access
that picture directly along with all of
its data for follow-up same thing so i
can go back to follow up and say oh all
of these could have been related now i
need to do a little bit more analysis on
each of them and i have access to them
directly i can right click on a file i
can do for example extract a file and
then work with it in other tools if i
need to or i can just start to do some
analysis on it directly
i can also see a text view and
everything just like before and then the
same for notable items i already have
notable items and then i can start to
use this to build up my report i can say
that these are related and also how
they're related how the suspect was
using this data at when did the suspect
access this file when did the suspect
download this file things like this is
are what i'm going to need to answer
in my report so i would start to use
tags
uh for images and then pro probably go
into like windows registry artifacts and
things like that to try to get user
activities to say
what this user was doing with this file
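The exact-match versus substring distinction from the "cat" search above, as an added example that is not from the video or from Autopsy's own code. The sample file texts are constructed, and the matching rules are an approximation of the behaviour the video describes (the keyword must stand on its own for exact match, case-insensitively, with separators such as dashes allowed), not Autopsy's actual index semantics.

```python
"""Added example (not Autopsy's code): approximate the two keyword search
modes shown in the video, exact match vs substring match, and show why
the same keyword returns more hits as a substring search."""
import re

# Constructed sample "files": name -> text extracted from the file.
# The video's suspectdata.dd is not available here, so these stand in.
SAMPLE_FILES = {
    "IMG_001.jpg": "my-cat sleeping on the couch",
    "IMG_002.jpg": "CAT on a fence",
    "notes.txt": "The cats are fed twice a day",
    "build.sh": "concatenate all the logs",
    "todo.txt": "buy dog food",
}


def exact_match(text, keyword):
    """Exact match as described in the video: the keyword must stand on
    its own, case-insensitively. Separators such as dashes or spaces are
    fine on either side; other letters or digits are not."""
    pattern = r"(?<![0-9A-Za-z])" + re.escape(keyword) + r"(?![0-9A-Za-z])"
    return re.search(pattern, text, re.IGNORECASE) is not None


def substring_match(text, keyword):
    """Substring match: the keyword may sit inside a longer word ('cats')."""
    return keyword.lower() in text.lower()


def keyword_hits(files, keyword, mode="exact"):
    """Return the sorted names of the files that hit for the keyword."""
    matcher = exact_match if mode == "exact" else substring_match
    return sorted(name for name, text in files.items() if matcher(text, keyword))


def extra_substring_hits(files, keyword):
    """Files found only by the substring search: the 'cats'-style extra
    results, but also noise like 'concatenate' that needs a Follow Up tag."""
    exact = set(keyword_hits(files, keyword, "exact"))
    sub = set(keyword_hits(files, keyword, "substring"))
    return sorted(sub - exact)


if __name__ == "__main__":
    for mode in ("exact", "substring"):
        print(mode, keyword_hits(SAMPLE_FILES, "cat", mode))
    print("substring-only", extra_substring_hits(SAMPLE_FILES, "cat"))
```

The substring-only list is where the extra results come from; it is also where false positives like "concatenate" land, which is why the video tags uncertain hits as Follow Up rather than Notable.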
So we did a keyword search, we started tagging things based on the keyword search, we found one bookmark, one follow-up and then one notable item. So the next thing I might want to do is go to Generate Report. And what this will do: there's a couple different report types, but the most basic is going to be our HTML report. Click Next. I'm going to process the suspectdata.dd, click Next, and then I want to do which data to report on. We can either do all results, all tagged results, or specific tagged results. So I'm going to do specific tagged results, and I want to make a report that includes bookmarks and notable items, so I'm going to uncheck that. Click Finish. This will generate a report about our data that we've already tagged.

If I click on this link here I can see the report file, and it has some of our metadata from where we started the Autopsy forensic case, all of our locations, that should match our documentation. And then on the left hand side we can see tagged files, and we have our bookmark, which is one of the cat pictures with its metadata, and then the notable item, also bookmarked, with its metadata. And if I click on any of those links then I can see the file directly, so it's been exported with our report. I can get this kind of overview, so I would have all of my notable images, for example, and if I click on them I can access them. I can now copy this report out and give this to anyone who I'm reporting to and say, here's the things that we found that are notable. This fits along with the report that I'm writing, so in my final investigation report I can refer back to these images in this exported report file and say, here are the images that I'm referring back to, please see them in this report.

Now if we open up our directory structure again, I am going back to our case folder, go into Autopsy, and then we have our case file for inside Autopsy, and I have our Reports folder, and the report that we generated is in this file directly. So the report plus all of the content, which are all of the bookmarks, images, everything like that, thumbnails that were created. So all we have to do is make a copy of this folder, and I'm going to take it out of the Autopsy folder and then put it into my reports folder, and then I'm going to name this Supporting Evidence. So, supporting evidence: I would have some sort of, like, Word document or PDF for my main report article, like the write-up of my report, and then I would be referring back to the supporting evidence inside these HTML reports. With the HTML report it's very easy for people to see exactly what you're talking about, and then I would also potentially include these images in my report while referring to this case.

OK, so once you're done with your report, go ahead and click Close, and then under Reports you can see the report that you've generated and when you generated it, and then if you right click on it you can also Open Report and then get the report back. So, so far we've added a data source; once it was done processing we did a keyword search for "cat" and found some responsive files to "cat"; we also looked at our file views, our analysis results for search terms; we tagged a few items; and then we generated a report based on those tagged items. And that's really a workflow that will work in most investigations.

There's also quite a few other tools that are useful here. For this data set, the one that's probably going to be most interesting is Images and Videos. If you click on that we open up a new utility, and this will give us a gallery view of all of the images and also let us flag things really quickly. So if you deal with a lot of images and video, this image video gallery editor view really helps. So really, if you can add a data source, do some keyword searching, sort by images and videos and then do some filtering, if you understand about tagging items, and then if you can generate reports based on things that you tagged, then you can do at least a basic investigation. That's really all it is: loading up the data, searching through it, usually using keyword searching first, and then finding anything interesting, flagging it and then building a story around those things that are interesting. Usually the story is about why a user was doing a specific thing. So that's it for today, thank you very much.