... as the EnCase Forensic and the AccessData FTK analysis programs, they're quite expensive. What we're going to talk about today is essentially a program that is low cost, no cost. That is going to be the Autopsy program.

Well, go ahead and get this loaded. And, as you can see, we've got it loaded here. If you wanted to download Autopsy, you can go to sleuthkit.org/autopsy. You can click on the Download It Now link and then download the 64-bit or 32-bit version.

They also have The Sleuth Kit, which is essentially command line tools to help you investigate disk images. A lot of times you'll see The Sleuth Kit on some of your Linux distros for forensics work. But either one of those two programs, they're both free, and they work fairly well at investigating disk images. Today we're going to work with the Autopsy program,
so we'll go back to Autopsy, and we're essentially going to want to create a new case so we can look at the images that we have obtained.

So we're going to open a new case, and then the case name we'll just call it Cybrary. That's where we're at right now. And then it's going to ask you to essentially find a directory where you want to save this information. So you would be doing this on your forensic machine. So if you have a forensic machine you'd like to use, you'd save that somewhere on that forensic machine. If you want to do all of your work saved to an external hard drive that you use for your forensic purposes, you could do that as well. For the purpose of this demonstration, we're just going to save that to our forensics folder that I already have created on the desktop.

And as you can see there, it will be under C:\Users\admin\Desktop\forensics, and Cybrary for our case name. And then the case number. Again, if you're working a particular incident, you would want to probably number it with that incident. For our purposes, we'll just call it case or incident number 1234, and then we'll finish, and then it will start creating our case for us.
So once it creates that case, it's going to pop up with a window where it's asking you to select the type of data source. So we will look for an image or VM, a local disk, which would allow you to image the machine where you're at, or logical files. Since we collected a physical image, we're going to select image, and then we're going to browse for where we had that image. And then we had that on our forensic thumb drive. And then there is our SanDisk Titanium image, so we will click that, select it, and then select the input time zone.

... more specifically for computer systems. So we looked at that volatile memory under the Mandiant Redline. It did actually say what time zone the computer was in. So if you can select the correct time zone, it essentially normalizes all of those times for you and makes your collection process a lot easier. So, uh, go ahead and select the appropriate time zone, and then it gives you the option to ignore orphan files in that file system. We can just go ahead and leave that unchecked.

You will select Next, and then it gives you some configuration modules: hash lookup, file type identification, embedded file extractor. You can go ahead and leave all of those selected as is, and then it will go ahead and process all of that data for you, and then we will click through. And then down here at the very bottom, you can see that it is analyzing the files that we have on our two gigabyte thumb drive.
And this is the home screen here. We can see the physical image itself. We can click through that. It shows any orphan files that we have, gives us information about the system volume. We can click through that, and then we see essentially some files on here. So we have a digital investigation statement of purpose that is going to the George Washington University. And then we have a PDF, essentially the EnCase Forensic Imager .exe file that looks like we deleted earlier; it has that red X by it. Ah, a couple of these files that we can see on here. We also have the, ah, letterhead information that is a picture.

And then we can go through and look at the various types of files that we have. So we have one image, zero video, zero audio, documents, executables, deleted files, file systems, where we deleted that EnCase Forensic Imager. So again, Autopsy is a very powerful and free tool.
... hard drive, for instance, and we had essentially emails, it would essentially search through emails. We do have email addresses that it will go ahead and search through. So again, it just helps you analyze all of the data that you've collected. For only having just a few files on the drive, Autopsy is going through and trying to parse out this data and make it easy for you to investigate these files, what you have found.

Again, this is a pretty rudimentary and cursory look at the Autopsy program and the analysis. Just one key word with analysis: when you get into a lot of the larger file systems (this file system is only two gigabytes, and it only had three files on the system), when you get into essentially an entire hard drive, you're going to have a ton of information on this hard drive. And if you don't know what you're looking for, you could essentially spend days or weeks combing through all of this data trying to find something, versus knowing what you're looking for, having an idea where to look, which will essentially aid you in that investigation. So we won't go through the process today of going through all of the analysis, because that would essentially take an entire week's worth of course, but the whole purpose of this today was just to expose you to this Autopsy program and what it can do.

And again, this is just one type of investigative platform. There are many others; again, EnCase has its own version, as well as FTK.
So we covered a lot of material in today's lesson, and it may be a lot of information for you to take in, especially if you're not familiar with digital forensics. But again, we're just going to kind of capstone what we talked about today: essentially the preparation phase of sanitizing and cleaning all of the equipment that we're going to use in our investigation process. So we inserted our forensic thumb drive into the system, we wiped it using FTK, we got it prepared, we reformatted it so that we can name it whatever configuration we want to name it. In this case, we named it Forensic TD for a thumb drive.

We then went to a scene and we started processing that scene. We only recovered a SanDisk Cruzer Titanium drive. And then before we started imaging that drive, we essentially took notes about the device and its configuration. And then we installed our USB write blocker before we inserted that device into our system. That way, we were ensuring we were not writing or corrupting the data on what we discovered. Once we had that device in our system, we were then able to forensically image that device using the AccessData FTK Imager, and then we put that image to our

And then from there we talked about getting the volatile memory of the system, and there were several ways to do that. We also used the FTK Imager to obtain the volatile memory, which we named Enola ***.mem. However, there are also other ways to get that volatile memory, and we discussed using the Redline program to do that, and we provided an overview of what Redline looks like.

And then, lastly, as far as the volatile memory process was concerned, we looked at getting the BitLocker encryption keys. The system is not encrypted by BitLocker, but we went through that process of getting all of that BitLocker data just in case you had to do that in one of your investigations. And then after we got all of the data, we ensured that we had the correct hashes of this, and we have the hash of our .mem file, and we also have the information pertaining to our SanDisk physical memory files.
So from there we can take that forensic thumb drive, we can remove it, and then we can put that back into our forensic machine. And from there we can go into our analysis program, Autopsy, that we talked about today, and it kind of breaks it down into different types: file systems, volumes, interesting files, email messages. So again, the file system that we were looking at was simple. It only had three files on it, so there wasn't a lot to look at, but that kind of steers you through that process of preparation, and then the preservation, collection, and then analysis, and then finally the reporting of the information.

So any time that you collect this information, you're going to want to consolidate it into some type of report, generally with an executive summary at the top, followed by the step actions that you took and any type of operating systems and programs that you found on the system, that one was your victim machine, and then your system as well.

So again, that's a lot of information to take in. If you have questions, please feel free to write in. Please feel free to ask questions. We'll get back to you with anything you might have. If there's something else that you think that you want to see, please let us know and we can create some type of video to go into the process a little bit deeper, but this concludes the hands-on portion of digital forensics as far as incident response is concerned.
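The hash check the lesson describes (confirming the disk image and the .mem file still match the hashes recorded at acquisition before analysis starts) as an added Python example; this is not code from the lesson, from Autopsy or from FTK Imager, and the manifest format, the sample file names and the helper names are assumptions made for illustration.

```python
"""Verify acquired evidence files against the hashes recorded at collection time."""
import hashlib
import os
import tempfile


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Stream the file in 1 MiB chunks so a multi-gigabyte image never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse lines of '<algorithm> <hexdigest> <filename>' (hypothetical manifest format)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        algorithm, digest, name = line.split(maxsplit=2)  # file names may contain spaces
        entries.append((algorithm.lower(), digest.lower(), name))
    return entries


def verify_evidence(evidence_dir, manifest_text):
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for every manifest entry."""
    results = {}
    for algorithm, expected, name in parse_manifest(manifest_text):
        path = os.path.join(evidence_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        results[name] = "ok" if hash_file(path, algorithm) == expected else "mismatch"
    return results


def demo():
    """Constructed evidence folder: an intact image, a memory dump altered after hashing, a missing file."""
    with tempfile.TemporaryDirectory() as d:
        image, mem = os.path.join(d, "sandisk_titanium.001"), os.path.join(d, "memory.mem")
        with open(image, "wb") as f:
            f.write(b"constructed disk image bytes" * 1000)
        with open(mem, "wb") as f:
            f.write(b"constructed memory dump bytes")
        manifest = "\n".join([
            "# constructed manifest, recorded at acquisition time",
            f"sha256  {hash_file(image)}  sandisk_titanium.001",
            f"sha1  {hash_file(mem, 'sha1')}  memory.mem",
            "sha256  " + "0" * 64 + "  bitlocker_keys.txt",  # never copied to the drive
        ])
        with open(mem, "ab") as f:
            f.write(b"!")  # simulate corruption after the hash was recorded
        return verify_evidence(d, manifest)
```

Any "mismatch" or "missing" result means the evidence on the forensic thumb drive is not what was collected, and it should be re-acquired rather than loaded into Autopsy.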