hi and welcome to every day to draw forensics. I'm euros to just saying you said. And in today's episode of image analysis, we will be performing data Discovery using the autopsy tool.
We're gonna take them in the end. Easier. One image from that we've recovered earlier.
So back in module three, we used the same love to create a test image using autopsy tool. Today, we're going to examine the suspect's image from that suspects system that easier. One file that was created using all top stool in previous modules.
So, as previously stated, this was the lab that was used during the demo off this video.
How do you recommend that you go through a lot of yourself? Do not fully go into details of a lot. This is a short end fun lap. However, I solely focused on the analysis process being performed in the lab
and leave the rest for you to go explore.
This is just a little bit on the lab itself. This is the objective of the lab. I wanted to present this to you so you can see the difference from what I will be reviewing this video first is what you'll get in the lot.
I think it's very beneficial that you go
jump over the lab. No, I'm not being paid to tell you to do this
now. Welcome to my demo. I have autopsy open and ready for analysis. First, we're gonna go through base, accepts
we're gonna create a new case attached a data source and Explorer, review the data. So here we go.
We call this case Suspect strife to the base directory. E.
If your cough tomato through created a sever partition called E
and added the image light from that location then created an image for this demo. We're going to create a new folder investigation at the data source and find the suspects easier. One in the E drive.
And here ical search within
fourth e easier. One file.
We'll skip on through and accept everything, and I will wait for the data to be processed.
You'll see me ignoring
and potentially closing any pop ups.
The autopsy or lab is giving me.
There are some pop ups that I will note later.
Our data source is mounted. Autopsy Still processing data and reviewing the results. Let's export as it processes 1st 2 items will see is the 14 recent documents and the one bookmark
documents, we find Andrews by the zoo office Mauer scam and in a sermon of other files that I won't even try to pronounce
from this directory of you As an examiner, I can see the suspect had access to Android monitoring application, maybe even for banks.
The zoo file has ah file path under folder called Mauer samples with a child directory called suit. This could be another potential Mauer that the suspect either used or could have used for attack.
The zoo is a live our people that could be found in Get up.
I'm just going through the files. So you kind of see what this link file is in relations to Mauer
process. It was either performing Mauer analysis or no good as an examiner is an ethical cold to not place bias in every reports, but only take the fax and items discovered in a scientific manner.
I'm here checking out hundreds by I've a and see what the headers and follows those like
when autopsy examines an image, the image is mounted on your machine. This is why you see the Windows offender pop ups. When Defender has detected
the malicious files in the image and attempting to quarantine the files,
examination should always be done in a lab setting where you are isolated from the others. Other worlds. So your lab environment should not be able to reach out to anything.
And tomorrow should be turned off for prevention for modifying any files during the examination, as this would modify the hash value of image, thus compromising the integrity of the image.
The pop ups at the bottom is notifying me of detection of encrypted files similar to a previous video. The data processing can take some time. It's up to examiner and time constraint whether or not to let the application finish its data processing before starting your analysis,
Not no matter. The file. Um, you always get your anti FS file attributes such as
your standard information, bio name
and those our previously highlighted. So now I'm gonna move into the fuse.
Autopsy provides views based on file types to lead the files and downsize.
You're Val types are like your image, your videos or audios and archives. Your documents are like your pdf, your office suite documents paying taxes. HTM out. Now let's move on to the deleted foul section with both foul and
but both foul system and all.
If an image has multiple partitions, deleted files may be separated by those partitions.
This is where autopsy provides an examiner and amazing benefit.
Imagine to have to search to compare the have similar values
of MF t and M F T mirror
autopsy. Perhaps this is the image and locates the files that happens and laid it but not fully removed from the image source and provides it here within the within. The did he did follow section
Autopsy also has a feature that was sent Examiner to the location where the deleted follows president or was in. So here I'm going to right click on one of the files asking to take it to thief
and now we'll move over to common follows Microsoft's shared
and the director in which that fire was located
and now moving on our next location is gonna be the recycling bin.
Their second been is interesting directory to examine. As the naming content convention is different than what you expect. The s 15 21 and so on.
Name of a directly identifies a user's that's associated with
other data can be poorest from the directories name. Expending this doctor you got two additional directories was strange looking
It's obviously also provides its metadata extracted from the file, such as your change time, access, time size flags
For a move on into this directory, any experience examiner will notice that the long
alphanumeric folders a recycling bin or A S i. D. This is your security identifier and identifies each user on the computer is very significant because in Windows, each user has its own recycling bin
and essentially the reason Clinton is a special folder
from a friend's ex point of view. The Recycle Mint is a gold mine for gathering evidence, clues
and everything in his brain.
By analyzing them recycling bin, you can recover useful data
without the action hard work to understand how the information files are structured and how the naming convention works, there must be first and understanding of how the recycling bin works. When a user deletes a file in Windows, the FAO itself is not actually deleted.
The file at this point is copied into the recycling bin System Folder World, where it's held until user gives further instructions on Once and deer,
you can either restore, recover or delete
The location of fouls varies and depends on which version the users running.
As you see I expanded our
security identified air from a recycling bed or US 152 and so on.
We have two directories.
Both start with the letter father sign our
when you see this director within the recycling bin. These are the contents of actual files in other words, the files, their actions dating from the account
under our and we see the contents of what was actually deleted, and in this case,
it looks like a book that was a come
that came with its own language. Cuticles
recycling bins also have an unconventional naming. Every second events also have other files that start with the dollar Sign one, and these are essentially the metal datas for the particular file that was defeated. The dollar sign I file is not a fixed size and is only as large as the found needs to be.
So here we see that the other five has nothing but the one with the 16 contents has executed bols dot de l l's that I and I files. This could potentially have been maybe one of those CDs. Um,
they came with the tractors and some additional information
the seas that came with trucker notes and study guides
that was potentially dumped onto the machine and then deleted at some point here and just kind of scrolling through to show you that
deal l found this is not something we've discussed previously.
Just to show you the strings and the values that you get. This is our execution file.
we can see that the beginning offsets of this foul don't really contain lunch. But as you scroll down
into different sectors of the file,
we see additional data
autopsy allows you to search, and we can do a search by while card specific characters and extensions.
Still, the next area I want to show you is your volume tomb, your anti fs file system.
If you recall there was different attributes related to NDFs, you had your boot, your long file, your Entifadh preventive of mirror
volume says on all this particular to find your file system. This would identify any potential deleted files with a suspect attempting to hide data without a system such as autopsy and Examiner would have to compare your MF T in your M F T mirror for any discrepancies. The solution actually identifies any potentially good files
or anything. The suspect had something to hide
the start of each file in MMT and I'm of team mayor of beacons with 46494 c for five. And this is to identify the foul system that the file starts here.
This is a member address in which the file will reference to and point to on execution that the files deleted. The found object hasn't after. Cute has an attribute that declares, If it delayed or not, one thing to do the note is M F T is broken two sectors. Each sector holds a fighting.
Upon reviewing both M of team almost team here,
I cannot only identify any data that should not belong, but I can also identify any data that the known suspect
has hidden within slack space with facts. Lack space is that space between the two files in which all you see are nothing but zeros.
You see, this is the *** face. This is the start of a file
knowing scrolled down. This is our long file.
And now this is our socks based. And here starts another file.
And as we continue scrolling, we see the same pattern.
Now, with every image, an image summer file is created in the directory on their previous moment drills. We've seen this data in different for months by the software.
The data holds the same. Behold the drive drama tree, your sectors, your drive models, your check sounds
and your verification results The hash body before in the hash value after.
And I wanted to jump over and show you the document types Document types are laid out in html office pdf paying tax and rich
on the show under office. You have your prior appointments, your xlu Marcus off documents.
So I hope you enjoyed today's video in which we use the data recovery with autopsy lab
and examine these suspects system that easier. One foul that we created in module three.
So I hope you enjoyed today. But even on catch on the next one