Time
7 hours 26 minutes
Difficulty
Advanced
CEU/CPE
7

Video Description

This lesson discusses the Autopsy program, which is built on The Sleuth Kit's command line tools for investigating incidents. Using this program to create a new case, participants receive step-by-step instructions on how to load and examine the images obtained while investigating an incident.

Video Transcription

00:04
so
00:05
As the EnCase Forensic and the AccessData FTK analysis programs are quite expensive, what we're going to talk about today is essentially a program that is low cost, no cost. That is going to be the Autopsy program.
00:24
So
00:26
We'll go ahead and get this loaded.
00:30
And, as you can see, we've got it loaded here. If you wanted to download Autopsy,
00:36
you can go to sleuthkit.org/autopsy. You can click on the Download It Now link and then download the 64-bit or 32-bit version.
00:48
They also have Sleuth Kit,
00:51
which is essentially command line tools to help you investigate disk images. A lot of times you'll see Sleuth Kit on some of your Linux distros for forensics work. But either one of those two programs, they're both free, and they work fairly well
01:08
at investigating Sima Beast
01:11
disk images. Today we're going to work with the Autopsy program,
01:15
so we'll go back to Autopsy, and we're essentially going to want to create a new case so we can look at
01:23
ah, the images that we have obtained.
01:27
So we're going to open a new case
01:33
and then the case name. We'll just call it
01:37
Cybrary. That's where we're at right now.
01:40
And then it's going to ask you to
01:42
essentially find a directory where you want to save this information. So you would be doing this on your forensic machine. So if you have a forensic machine you'd like to use, you would save that somewhere on that forensic machine. If you want to do all of your work saved to an external hard drive
02:01
that you use for your forensic purposes, you could do that as well. For the purpose of this demonstration, we're just going to save that
02:09
to our forensics folder that I already have created on the desktop.
02:14
And as you can see there, it will be under C:\Users\admin\Desktop\forensics, and Cybrary for our case name,
02:23
and then the case number. Again, if you're working a particular incident, you would probably want to number it with that incident. For our purposes, we'll just call it case or incident number 1234, and
02:39
our examiners name,
02:42
and then we'll finish
02:44
and then start creating our case for us.
02:55
So once it creates that case, it's going to pop up with a window where it's asking you to select
03:02
an image.
03:05
So we will look for an image file, a local disk, which would allow you to image where you're at, or a logical file. Since we collected a physical image, we're going to select image
03:20
and then we're going to browse for where we had that image.
03:24
And then we had that on our forensic thumb drive.
03:29
And then there is our SanDisk Titanium image,
03:32
so we will click that
03:35
select the input time zone.
03:37
This is important
03:38
more specifically for computer systems. So we looked at that volatile memory
03:46
section
03:46
under the Mandiant Redline. It did actually say what time zone the computer was in. So if you can select that correct time zone, it will essentially normalize all of those times
04:03
for you and make your collection process a lot easier.
04:08
So, uh, go ahead and select the appropriate time zone,
04:14
and then it gives you the option to ignore orphan files in that file system. We can just go ahead and leave that unchecked.
04:20
You will select next,
04:24
and then it gives you some configuration modules: hash lookup, file type identification, embedded file extractor. You can just go ahead and leave all of those selected as they are,
04:40
and then it will go ahead and process all of that data for you,
04:45
and then we will click
04:46
Finish.
04:48
and then down here at the very bottom, you can see that is analyzing the files that we have
04:55
on our two gigabyte thumb drive.
04:58
And this is the home screen here. We can see
05:01
the physical image itself.
05:04
we can click through that
05:06
shows any orphan files that we have
05:12
gives us information about the system volume.
05:18
We can click through that,
05:25
and then we see essentially
05:29
some files on here. So we have a digital investigation statement of purpose that is going to the George Washington University
05:38
And then we have a PDF
05:41
of the same file
05:43
we have
05:44
essentially the EnCase Forensic Imager .exe file that
05:48
looks like we deleted earlier. It has that red X by it.
05:54
So there are
05:56
essentially
05:58
ah, a couple of these files that we can see on here. We also have the
06:01
ah letterhead information that is a picture.
06:10
And then we can go through and look at the various type of files that we have. So we have one image, zero video, zero audio
06:17
documents, executables,
06:20
deleted files, file systems
06:25
where we deleted that EnCase Forensic Imager.
06:28
So again, Autopsy is a very powerful and free tool.
06:32
If we had a
06:35
hard drive, for instance, and we had essentially
06:42
emails, it would essentially search through emails. We do have email addresses,
06:46
um,
06:47
that it will go ahead and search through
06:50
on this system.
06:54
So again, it just helps you analyze all of the data that you've collected. Even for only having just a few files on the drive, Autopsy is going through and trying to parse out this data and make it easy for you to investigate these
07:14
these files that are on the
07:16
what you have found.
07:17
So
07:19
again, this is a pretty rudimentary and cursory look
07:24
at the Autopsy program and the analysis.
07:29
Just one key word with analysis. When you get into a lot of the larger file systems: this file system is only two gigabytes, and it only had three files on the system.
07:45
When you get into essentially an entire hard drive, you're going to have a ton of information on this hard drive.
07:53
And if you don't know what you're looking for, you could essentially spend days or weeks combing through all of this data trying to find something
08:03
versus knowing what you're looking for, having an idea where to look, will essentially help you in that investigation.
08:11
So we won't go through the process today of going through all of the analysis, because that would essentially take an entire week's worth of course, but the whole purpose of this today was just to expose you to this Autopsy program and what it can do.
08:30
And again, this is just one type
08:33
of investigative platform. There are many others; again, EnCase has its own version, as well as FTK.
08:41
So we covered a lot of material
08:43
in today's lesson, and it may be a lot of information for you to take in, especially if you're not familiar
08:54
with digital forensics. But again, we're just going to kind of capstone what we talked about today:
09:01
we went over
09:03
essentially the preparation phase of
09:07
sanitizing and cleaning all of the equipment that we're going to use in our investigation process. So we
09:15
inserted our forensic thumb drive into the system
09:18
we wiped it using FTK. We got it prepared. We reformatted it; that way we can name it whatever configuration we want to name it. In this case, we named it Forensic TD for a thumb drive.
09:30
Um,
09:31
we then went to a scene and we started processing that scene. We only recovered a
09:39
SanDisk Cruzer Titanium drive.
09:41
And then before we started imaging that drive, we essentially took notes about the device and its configuration. And then we installed our USB write blocker
09:54
before we inserted that device into our system. That way, we were ensuring we were not writing to or corrupting the data on what we discovered.
10:03
Once we had that device in our system, we were then able to forensically image that device using the AccessData FTK Imager,
10:15
and then we put that image on our
10:18
forensic
10:20
thumb drive.
10:22
And then from there we talked about getting the volatile memory of the system, and there were several ways to do that. We also used the FTK Imager to obtain the volatile memory, which we named Enola ***.mem. However, there are also other ways to get that volatile memory, and we discussed using the Redline program to do that,
10:43
and we provided an overview
10:46
of what Redline looks like.
10:48
And then, lastly, as far as the volatile memory process was concerned, we looked at getting the BitLocker encryption keys. The system is not encrypted by BitLocker, but we went through that process of getting all of that BitLocker data
11:05
just in case you had to do that in one of your investigations.
11:09
And then after we got all of the data, we ensured that we had the correct hashes of this, and we have a hash of our .mem file, and we also have the information pertaining to our SanDisk
11:24
physical memory files.
11:28
So from there we can take that forensic thumb drive, we can remove it, and then we can put that back into our forensic machine. And from there we can go into our analysis program
11:39
Autopsy, that we talked about today, and it kind of breaks it down into different types: file systems, Voelker's interesting files, email messages. So again, the file system that we were looking at was simple. It only had three files on it,
11:56
so there wasn't a lot to look at, but that kind of steers you to that process of preparation
12:03
and then the preservation collection and then analysis. And then finally, the reporting of the information.
12:11
So any time that you collect this information, you're going to want to consolidate it
12:16
into some type of report, generally with an executive summary at the top, followed by the steps and actions that you took and any type of operating systems and programs that you found on the system, the one that was your victim machine, and then your system as well.
12:35
So again, that's a lot of information to take in. If you have questions, please feel free to write in. Please feel free to ask questions. We'll get back to you with anything you might have.
12:48
If there's something else that you think that you want to see, please let us know and we can create some type of video to go into the processes a little bit deeper,
12:58
but this concludes the hands on portion
13:01
of the digital forensics insofar as incident response is concerned.

Up Next

Incident Response and Advanced Forensics

In this course, you will gain an introduction to Incident Response, learn how to develop three important protection plans, perform advanced forensics on the incident, deep dive into insider and malware threats, and commence incident recovery.

Instructed By

Max Alexander
VP, Cybersecurity Incident Response Planning at JPMorgan
Instructor