Part 16 - The Autopsy Program

Video Activity

This lesson discusses the Autopsy program, a set of command-line tools that help to investigate incidents. Using this program to create a new case, participants receive step-by-step instructions on how to obtain images to investigate an incident.


Time
7 hours 56 minutes
Difficulty
Advanced
CEU/CPE
7
Video Transcription
00:04

As for the EnCase Forensic and the AccessData FTK analysis programs, they're quite expensive. What we're going to talk about today is essentially a program that is low cost, no cost, and that is going to be the Autopsy program. We'll go ahead and we'll get this loaded. As you can see, we've got it loaded here. If you wanted to download Autopsy, you can go to sleuthkit.org/autopsy. You can click on the "download it now" link and then download either the 64-bit or 32-bit project. They also have The Sleuth Kit, which is essentially command-line tools to help you investigate disk images. A lot of times the Sleuth Kit, you'll see that on some of your Linux distros for forensics work. But either one of those two programs, they're both free and they work fairly well at investigating some of these disk images. Today, we're going to work with the Autopsy program.

We'll go back to Autopsy. We're essentially going to want to create a new case, so we can look at the images that we have obtained. We're going to open a New Case. Then the Case Name, we'll just call it Cybrary since that's where we're at right now. Then it's going to ask you to essentially find a directory where you want to save this information. You would be doing this on your forensic machine. If you have a forensic machine you'd like to use, you could save it somewhere on that forensic machine. If you want all of your work saved to an external hard drive that you use for your forensic purposes, you could do that as well. For the purpose of this demonstration, we're just going to save it to our forensics folder that I already have created on the desktop. As you can see there, it will be under C:\users\admin\desktop\forensics and then Cybrary for our case name. Then the case number. Again, if you're working a particular incident, you would probably want to number it with that incident. For our purposes, we'll just call it case or incident number 1, 2, 3, 4, and then our examiner's name. Then we'll click "Finish". Then it will start creating our case for us.

Once it creates that case, it's going to pop up with a window where it's asking you to select an image. We will look for an image or VM, a local disk which would allow you to image where you're at, or hit Logical Files. Since we collected a physical image, we're going to select image. Then we're going to browse for where we had that image. We had that on our forensic thumb drive. Then there is our SanDisk Titanium image. We will click that. Select an input time zone. This is important, more specifically for computer systems. If we looked at that volatile memory section under the Mandiant Redline, it did actually say what time zone the computer was on. If you can select that correct time zone, it will essentially normalize all of those times for you and make your collection process a lot easier. Go ahead and select the appropriate time zone. Then it gives you the option to ignore orphan files in that file system. We can just go ahead and leave that unchecked. You will select "Next". Then it gives you some configuration modules: Hash Lookup, File Type Identification, Embedded File Extractor. You can go ahead and leave all of those selected as they are. Then it will go ahead and process all of that data for you. Then we will click "Finish".

Then down here at the very bottom, you can see that it is analyzing the files that we have on our two-gigabyte thumb drive. This is the home screen here; we can see the physical image itself. We can click through that. It shows any orphan files that we have, gives us information about the system volume. We can click through that. Then we see essentially some files on here. We have a digital investigation statement of purpose that is going to the George Washington University. Then we have a PDF of the same file. We have essentially the EnCase Forensic Imager exe file that it looks like we deleted earlier; it has that red X. There are essentially a couple of these files that we can see on here. We also have a letterhead information that is the picture. Then we can go through and look at the various types of files that we have. We have one image, zero videos, zero audio, documents, executables, deleted files, file systems, where we deleted that EnCase Forensic Imager.

Again, Autopsy is a very powerful and free tool. If we had a hard drive, for instance, and we had essentially emails, it would have essentially searched through those emails. We do have email addresses that it will go ahead and search through on this system. Again, it just helps you analyze all of the data that you have collected, for only having just a few files on the drive. Autopsy is going through and trying to parse out this data and make it easy for you to investigate these files that are on what you had found. Again, this is a pretty rudimentary and cursory look at the Autopsy program and the analysis.

Just one keyword with analysis. When you get into a lot of these larger file systems; this file system is only two gigabytes and it only had three files on the system. When you get into essentially an entire hard drive, you're going to have a ton of information on this hard drive. If you don't know what you're looking for, you could essentially spend days or weeks combing through all of this data trying to find something. Knowing what you're looking for, or having an idea where to look, will essentially aid you in that investigation. We won't go through the process today of going through all of the analysis because that would essentially take an entire week's worth of course. But the whole purpose of this today was just to expose you to this Autopsy program and what it can do. Again, this is just one type of investigative platform. There are many others. Again, EnCase has its own version as well as FTK.

We covered a lot of material in today's lesson and it may be a lot of information for you to take in, especially if you're not familiar with digital forensics. But again, we'll just capstone what we talked about today. We went over essentially the preparation phase of sanitizing and cleaning all of the equipment that we're going to use in our investigation process. We inserted our forensic thumb drive into the system, we wiped it using FTK. We got it prepared, we reformatted it, we can name it whatever configuration we want to name it. In this case, we named it forensic td for thumb drive.

We then went to a scene and we started processing that scene. We only recovered a SanDisk Cruzer Titanium drive. Then before we started imaging that drive, we essentially took notes about the device and its configuration. Then we installed our USB write blocker before we inserted that device into our system. That way we were ensuring that we're not writing or corrupting the data on what we discovered. Once we had that device in our system, we were then able to forensically image that device using the FTK AccessData Imager. Then we put that image on our forensic thumb drive. Then from there, we talked about getting the volatile memory of the system. There were several ways to do that. We also used the FTK Imager to obtain the volatile memory, which we named EnolaGay.mem. However, there are also other ways to get that volatile memory and we discussed using the Redline program to do that. We provided an overview of what Redline looks like.

Then lastly, as far as the [inaudible] for memory process was concerned, we looked at getting the BitLocker encryption keys on the system. It is not encrypted by BitLocker, but we went through that process of getting all of that BitLocker data just in case you had to do that in one of your investigations. Then after we got all of the data, we ensured that we had the correct hashes of this. We have the hash of our mem file. We also have the information pertaining to our SanDisk physical memory file. From there we can take that forensic thumb drive, we can remove it, and then we can put that back into our forensic machine. From there, we can go into our analysis program, Autopsy, that we talked about today. It breaks it down into different types of file systems, filters, interesting files, email messages. Again, the file system that we were looking at was very simple. It only had three files on it, so there wasn't a lot to look at. But that steers you through that process of preparation, and then the preservation, collection, and then analysis. Then finally, the reporting of the information.

Anytime that you collect this information, you're going to want to consolidate it into some type of report. Generally with an executive summary at the top, followed by the step actions that you took and any type of operating systems and programs that you've found on the system, that one was your victim machine and your system as well. Again, that's a lot of information to take in. If you have questions, please feel free to write in, please feel free to ask questions. We'll get back to you with anything that you might have. If there's something else that you think that you want to see, please let us know and we can create some type of video to go into those processes a little bit deeper. But this concludes the hands-on portion of the digital forensics as far as incident response is concerned.