Autopsy In Cyber Forensics

Digital forensics is the process of recovering data from electronic devices such as hard drives and cell phones, typically in connection with criminal or general investigations. Modern devices hold a wide range of data that is not readily apparent to the average user. Autopsy is the leading open-source digital forensics platform: it is simple to use, fast, and adaptable to any computerized examination. It examines hard drives, smartphones, and media cards, among other things. It was designed primarily for Microsoft Windows, but there is some support for Linux and macOS.

Autopsy is a digital forensics platform and a graphical interface to The Sleuth Kit and other digital forensics tools. Law enforcement, military, and corporate examiners use it to work out what happened on a computer. It can also be used to recover photographs from a camera's memory card.

Autopsy is essentially a free, open-source application that supports a variety of additional digital forensics modules and tools. It simplifies the installation of several of The Sleuth Kit's open-source tools and plugins.

The graphical user interface shows the results of the forensic search of the underlying volume, making it easier for investigators to identify the relevant portions of data. Basis Technology Corp., with the help of community developers, is responsible for most of the tool's maintenance.

Brief History

The first open-source platform was released in 2001. It was tied to The Sleuth Kit and ran only on Linux and OS X. Then, in 2010, work began on building v3 from the ground up as a platform, based on discussions at OSDFCon: a Windows-based, fully automated system. The US Army receives some funds (with 42Six Solutions). Finally, in September 2012, v3.0.0 was released.

Features

  • Multi-User Cases: Work on large cases together with other examiners.
  • Timeline Analysis: Uses a graphical interface to display system events and help identify activity.
  • Keyword Search: The text extraction and index searching modules identify files that contain specified terms and regular expression patterns.
  • Web Artifacts: Extracts web activity from popular browsers to help identify user behavior.
  • Registry Analysis: Uses RegRipper to identify recently accessed documents and USB devices in the registry.
  • LNK File Analysis: Identifies shortcuts and documents that have been accessed.
  • Email Analysis: Parses MBOX format messages, such as those from Thunderbird.
  • EXIF: Extracts camera and geolocation data from JPEG files.
  • Media Playback: Thumbnail viewer and media playback.
  • Robust File System Analysis: Supports NTFS, FAT12/FAT16/FAT32/ExFAT, HFS+, ISO9660 (CD-ROM), Ext2/Ext3/Ext4, Yaffs2, and others.
  • Unicode Strings Extraction: Extracts strings from unallocated space and unknown file types in a variety of languages.
  • File Type Detection: Signature-based file type detection and extension mismatch detection.
  • Interesting Files Module: Flags files and folders as interesting based on their name and path.
  • Android Support: Extracts data from SMS, call logs, contacts, Tango, Words with Friends, and other apps.
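The signature-based file type detection and extension mismatch detection listed above, shown as an added Python example (this is not Autopsy's or The Sleuth Kit's code); the signature table and the sample file names and contents are constructed for the example.

```python
# Added example (not Autopsy's own code): signature-based file type detection
# and extension mismatch detection, the checks the feature list above refers to.
# Signatures and sample files are constructed for this example.
from typing import Optional

# Leading bytes ("magic"), the type they imply, and the extensions that belong to it.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png", {"png"}),
    (b"\xff\xd8\xff", "image/jpeg", {"jpg", "jpeg"}),
    (b"PK\x03\x04", "application/zip", {"zip", "jar", "docx", "xlsx"}),
    (b"%PDF-", "application/pdf", {"pdf"}),
    (b"MZ", "application/x-dosexec", {"exe", "dll"}),
]

def detect_type(data: bytes) -> Optional[str]:
    """Return the type implied by the leading bytes, or None if no signature matches."""
    for magic, mime, _ in SIGNATURES:
        if data.startswith(magic):
            return mime
    return None

def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the content has a known signature and the extension does not
    belong to that type. Files with no recognised signature are never flagged."""
    mime = detect_type(data)
    if mime is None:
        return False
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    allowed = next(exts for _, m, exts in SIGNATURES if m == mime)
    return ext not in allowed

def scan(files: dict) -> list:
    """Names of files whose extension disagrees with their content, sorted."""
    return sorted(n for n, d in files.items() if extension_mismatch(n, d))

# Constructed sample data source: file name -> first bytes of its content.
SAMPLE_FILES = {
    "vacation.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "report.pdf": b"%PDF-1.7\n",
    "notes.txt": b"plain text, no signature",
    "holiday.txt": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,  # PNG renamed to .txt
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 12,         # executable renamed to .pdf
    "archive.jar": b"PK\x03\x04" + b"\x00" * 8,
}

if __name__ == "__main__":
    for name in scan(SAMPLE_FILES):
        print(f"extension mismatch: {name} is really {detect_type(SAMPLE_FILES[name])}")
```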

Process

To examine the major file systems (NTFS, FAT, ExFAT, HFS+, Ext2/Ext3/Ext4, YAFFS2), Autopsy hashes every file, unpacks standard archives (ZIP, JAR, etc.), extracts any EXIF values, and adds the extracted keywords to an index. Standard email formats and contact files, for example, are also processed and catalogued.

Users can look for recent activity in these indexed files or generate an HTML or PDF report that summarises the relevant recent actions. Users who are short on time can enable triage tools that use rules to assess the most critical files first. Autopsy can save a partial image of these files in VHD format.

Correlation

Investigators working with numerous machines or file systems can create a central data repository that allows them to highlight phone numbers, email addresses, files, and other relevant information that appears in multiple locations. The information is stored in an SQLite or PostgreSQL database, allowing investigators to search for all instances of names, domains, phone numbers, or USB registry entries.

The workflow for analyzing data in Autopsy is as follows:

  • Step 1: Create a case. A case is a "container for one or more data sources" and must be created before data can be analyzed.
  • Step 2: Add a data source. One or more data sources are attached to the case; disk images and local files are examples of data sources.
  • Step 3: Configure ingest modules. After the data source has been added, ingest modules work in the background to break down the data. Results are shown on the interface as they arrive, along with significant alerts. Hash calculation and lookup, keyword searching, and web artifact extraction are all included in the standard ingest modules. Third-party modules can be written and added to the pipeline.
  • Step 4: Manually analyze the data. To identify evidence, the user navigates "the interface, file contents, and ingest module results."
  • Step 5: Tag the results. Tags are used to organize and categorize interesting items for later reporting and analysis.
  • Step 6: Create a report. The user generates a final report based on the tags or results they have chosen.

Types of Deployment

There are two kinds of deployment: (a) Single User/Desktop and (b) Cluster/Multi-user.

  • Single User/Desktop

Functionality: Only one person can open a case at a time.

Everything runs on a single computer. It comes with a single installer that works out of the box. When Autopsy starts, it launches all of the embedded services (databases, text indexing, etc.).

  • Cluster/Multi-user

Functionality: Several users can open cases at the same time.

It has an "Auto Ingest" mode in which new media is examined automatically, 24 hours a day, seven days a week, in a number of ways. Because the databases are often faster, analysis is quicker.

From the user's point of view the experience is the same. It uses central servers for the database, text index, and other functions, together with central high-speed storage.

Central Repository

The central repository is a database that stores information from previous cases, including MD5 hash values, comments, and Wi-Fi SSIDs. Autopsy normally uses case-specific databases, which keeps them smaller and more manageable and allows cases to be archived, among other things.

Two types of Central Repository deployment can be used:

  • SQLite – It does not require any further setup. Only one person can use it at a time.
  • PostgreSQL – PostgreSQL is a database management system that runs on a server. Multiple users can use it at the same time. For multi-user scenarios, it can use the same server as the case databases.
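An added example of the correlation idea described in the Correlation and Central Repository sections (this is not Autopsy's code and not its real schema): a miniature central repository on SQLite that stores attributes seen per case and reports where else a value has been seen. The table layout, column names and the two fictitious cases are assumptions.

```python
# Added example (not Autopsy's own code): a miniature central repository of the
# kind described above, backed by SQLite. It records correlation attributes
# (email addresses, hashes, USB device IDs, phone numbers) seen in each case and
# answers "where else has this value been seen?". Schema and data are assumed.
import sqlite3

SCHEMA = """
CREATE TABLE IF NOT EXISTS correlation_attr (
    case_name  TEXT NOT NULL,
    data_src   TEXT NOT NULL,
    attr_type  TEXT NOT NULL,
    attr_value TEXT NOT NULL,
    file_path  TEXT NOT NULL,
    comment    TEXT
);
CREATE INDEX IF NOT EXISTS ix_attr ON correlation_attr (attr_type, attr_value);
"""

def open_repo(path=":memory:"):
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    return con

def add_artifact(con, case, src, attr_type, value, path, comment=None):
    # Values are normalised so "Bob@Example.com" and "bob@example.com" correlate.
    con.execute("INSERT INTO correlation_attr VALUES (?, ?, ?, ?, ?, ?)",
                (case, src, attr_type, value.strip().lower(), path, comment))
    con.commit()

def occurrences(con, attr_type, value):
    """All (case, data source, path) rows in which this value has been seen."""
    return con.execute(
        "SELECT case_name, data_src, file_path FROM correlation_attr "
        "WHERE attr_type = ? AND attr_value = ? ORDER BY case_name, data_src",
        (attr_type, value.strip().lower())).fetchall()

def seen_in_other_cases(con, case, attr_type, value):
    """True when the value also appears in at least one other case, which is the
    'previously seen' flag an examiner wants raised during ingest."""
    return any(row[0] != case for row in occurrences(con, attr_type, value))

def build_sample_repo():
    """Constructed sample data for two fictitious cases."""
    con = open_repo()
    add_artifact(con, "case-2023-01", "laptop.E01", "email", "Bob@Example.com", "/Users/bob/mail/inbox.mbox")
    add_artifact(con, "case-2023-01", "laptop.E01", "usb_id", "VID_0781&PID_5567", "registry/SYSTEM:USBSTOR")
    add_artifact(con, "case-2024-07", "phone.img", "email", "bob@example.com", "/data/com.android.email/databases")
    add_artifact(con, "case-2024-07", "phone.img", "phone", "+1 555 0100", "/data/contacts2.db")
    return con
```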

Installation of Autopsy

Download the ".msi" installer and accept the default values. Autopsy installs into a version-specific folder, so multiple versions can be installed at the same time.

Advantages

Easy to Use

Autopsy was designed to be intuitive right out of the box, and it is very easy to use.

Extensible

Autopsy was built to be an end-to-end platform, with some modules included out of the box and others available from third parties. Some of the features provided by these modules are:

  • Timeline Analysis – Advanced graphical event viewing interface (video tutorial included).
  • Hash Filtering – Flag files that are known to be bad and ignore files that are known to be good.
  • Keyword Search – Find files that mention relevant terms using an indexed keyword search.
  • Web Artifacts – Extract history, bookmarks, and cookies from Firefox, Chrome, and Internet Explorer.
  • Multimedia – Extract EXIF from photographs and view videos.
  • Data Carving – Recover deleted files from unallocated space with PhotoRec.
  • Indicators of Compromise – Scan a computer using STIX.
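An added Python example (not Autopsy's code) of the hash filtering and indexed keyword search that the Process section and the feature list above describe: every file is hashed and classified against known-good and known-bad hash sets, known-good files are dropped, and the rest are tokenised into an index that answers exact-term and regular-expression searches. The files and hash sets are constructed for the example.

```python
# Added example (not Autopsy's own code): hash every file against known-good and
# known-bad hash sets, then build a keyword index over the remaining files that
# answers exact-term and regex searches. Files and hash sets are constructed.
import hashlib
import re
from collections import defaultdict

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed in-memory data source: path -> contents.
FILES = {
    "/Windows/System32/notepad.exe": b"MZ" + b"\x00" * 30,
    "/Users/alice/Documents/plan.txt": b"Meet Carol at the warehouse. Wire 4500 USD to acct 20391.",
    "/Users/alice/Downloads/setup.exe": b"MZ" + b"\x90" * 30,
    "/Users/alice/Documents/todo.txt": b"call carol about invoice 20391",
}
# NSRL-style known-good and known-bad sets, derived from the constructed files.
KNOWN_GOOD = {sha256_hex(FILES["/Windows/System32/notepad.exe"])}
KNOWN_BAD = {sha256_hex(FILES["/Users/alice/Downloads/setup.exe"])}

def hash_lookup(files):
    """Classify each file: 'known_bad' (flag it), 'known_good' (ignore it) or 'unknown'."""
    verdicts = {}
    for path, data in files.items():
        h = sha256_hex(data)
        verdicts[path] = "known_bad" if h in KNOWN_BAD else "known_good" if h in KNOWN_GOOD else "unknown"
    return verdicts

def build_index(files):
    """Inverted index, lower-cased token -> set of paths; known-good files are skipped."""
    index = defaultdict(set)
    skip = {p for p, v in hash_lookup(files).items() if v == "known_good"}
    for path, data in files.items():
        if path in skip:
            continue
        text = data.decode("utf-8", errors="ignore").lower()
        # Tokens may contain inner dots (bob@example.com) but not a trailing one.
        for token in re.findall(r"[\w@+-]+(?:\.[\w@+-]+)*", text):
            index[token].add(path)
    return index

def keyword_search(index, term):
    """Exact, case-insensitive term match."""
    return sorted(index.get(term.lower(), ()))

def regex_search(index, pattern):
    """Regular-expression match over indexed tokens (e.g. '^[0-9]{5}$' for 5-digit ids)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return sorted({p for tok, paths in index.items() if rx.search(tok) for p in paths})
```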

Fast

Autopsy runs background tasks in parallel across multiple cores and reports results as soon as they are found. Searching an entire drive may take hours.

Cost-Effective

Autopsy is free. Cost-effective digital forensics solutions are becoming increasingly important as budgets tighten. Autopsy has the same key functionality as other digital forensics software, and it also has features that some commercial software lacks, such as web artifact analysis and registry analysis.

Because digital devices are so common, their use in chain-of-evidence investigations is critical. The smoking gun of today is more likely to be a laptop or phone than a more traditional firearm. Whether the device belongs to a suspect or a victim, the massive amounts of data contained in these systems may be all an investigator requires to build a case.

However, obtaining that information in a secure, efficient, and legal manner is not always simple, and new digital forensics tools are becoming increasingly important to investigators. The Autopsy Forensic Browser allows you to conduct a comprehensive forensic investigation. It is a graphical interface that connects The Sleuth Kit to many devices. Autopsy allows you to examine a hard drive or a cell phone and extract evidence from it.
