Finding evidence in forensics

In previous articles in this series, we created a forensic image of the attacker's hard drive and RAM and used Autopsy to recover deleted files from the image.


In this guide, we will use Autopsy to do file analysis. In other words, we will use Autopsy to find keywords, file types, metadata, etc. which may be useful in finding evidence to support our case.

Step #1 Open Autopsy

Open Autopsy and navigate to the file firstimage.dd.001.


Autopsy will immediately begin preparing the image for analysis.

When it finishes analyzing it, it will categorize each file by type. As you can see in the screenshot below, Autopsy has categorized every file type, including images, videos, audio, documents, executables and deleted files.


Step #2 Search for keywords

Let's say we're looking for files that include the keyword “forensics”. We can type this word in the Search box in the upper right part of the screen and click the Search button.

Autopsy will now start searching each file for that keyword. As you can imagine, in a real investigation this keyword would likely be specific to the case, such as “ransom”, “blackmail”, “sex”, etc.


When Autopsy completes its search, it will display every file containing that keyword in the main “Panel” window. We can then click on any of these files to examine it further.


If we then click on “Indexed Text” in the lower right window, it will show us every instance of that keyword and highlight it for us.

Step #3 Specialized search types

Autopsy also allows us to run specialized searches that may be key to our investigation. These may include URLs, email addresses, phone numbers or IP addresses.

Click on the eye icon near the top right of the screen. It opens a window like the one below, where we can search for:

1. phone numbers
2. IP addresses
3. email addresses
4. URLs

Let's see if we can find any URLs in these files that might be useful in identifying what the suspect was doing before his system was seized.

In the popup window, tick the checkbox next to URLs. Autopsy will fill in the regular expression it uses to find URLs.


Then click the Search button and Autopsy will start searching each file for that pattern. The regular expression it searches for appears in the right pane.

Regular expression searches are very CPU intensive and slow, so please be patient.

When it finishes searching, it will display the results as below.


As you can see above, Autopsy displays every file in which it found a URL.

Additionally, we can use the same method to find email addresses, but note that when Autopsy did its initial analysis, it already categorized all the email addresses it found in its Exploration window.
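The categorized searches above are ordinary regular expressions run over each file's indexed text. The following added example (written for this article, not code from Autopsy, and using its own approximate patterns rather than the expressions Autopsy ships with) runs the same four categories plus a plain keyword search over a few constructed sample files and reports which files hit, so you can see what such a search does before pointing it at a real image.

```python
import re

# These patterns are this example's own approximations, not Autopsy's built-in expressions.
PATTERNS = {
    "url": re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE),
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    # Optional country code, optional parentheses, separators of space, dot or dash.
    "phone": re.compile(r"(?<![\w+])(?:\+?\d{1,3}[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"),
}


def find_indicators(text):
    """Return {category: sorted unique matches} for one file's indexed text."""
    return {name: sorted(set(rx.findall(text))) for name, rx in PATTERNS.items()}


def scan_files(files, keyword=None):
    """Run the categorized regex search, and an optional case-insensitive keyword
    search, over every file. files is {filename: text}; only files with at least
    one hit appear in the result, mirroring Autopsy's results list."""
    hits = {}
    for name, text in files.items():
        found = {cat: vals for cat, vals in find_indicators(text).items() if vals}
        if keyword and keyword.lower() in text.lower():
            found["keyword"] = [keyword]
        if found:
            hits[name] = found
    return hits


# Constructed sample "indexed text", standing in for files carved from an image.
SAMPLE_FILES = {
    "notes.txt": "Contact me at mallory@example.com or +1 555-123-4567 about the forensics report.",
    "history.html": "Visited http://example.com/login and https://example.org/docs?id=7 from 192.168.1.25",
    "readme.md": "Nothing interesting here. Version 10.4.2 released.",
}

if __name__ == "__main__":
    for fname, found in scan_files(SAMPLE_FILES, keyword="forensics").items():
        print(fname)
        for cat, values in found.items():
            print(f"  {cat}: {values}")
```

Note that readme.md is absent from the output: the version string 10.4.2 has only three octets and is rejected by the IPv4 pattern, which is the kind of false positive a looser expression would produce.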

Conclusion

Autopsy is a powerful tool for performing forensic analysis. Among the many things it can do are deleted file analysis, file type analysis, keyword analysis, and finding key objects such as URLs, email addresses, IP addresses, and phone numbers.

Additionally, we can create custom expressions to search for almost any text imaginable.


Written by Anastasis Vasileiadis
