Introduction
What is Autopsy?
The official description: "Autopsy
is the premier open source forensics platform which is fast, easy-to-use, and
capable of analyzing all types of mobile devices and digital media. Its
plug-in architecture enables extensibility from community-developed or
custom-built modules. Autopsy evolves to meet the needs of hundreds of
thousands of professionals in law enforcement, national security, litigation
support, and corporate investigation."
Autopsy is a
powerful tool. Several features within Autopsy were developed thanks to
the Department of Homeland Security Science and Technology funding. You can
read more about this here.
Learn how to use Autopsy to investigate artifacts from a disk image. Use
your knowledge to investigate an employee who is being accused of leaking
private company data.TryHackme
This room's objective is to provide an overview of
how to use the Autopsy tool to perform analysis on disk images and the
assumption is that you are familiar with the Windows operating system and
Windows artifacts in relation to forensics.
Installation
Installing Autopsy for Windows is pretty straightforward.
Visit the Autopsy download page and download the Windows MSI, which corresponds to your Windows architecture, 32bit or 64bit.
- Run the Autopsy MSI file
- If Windows prompts with User Account Control, click Yes
- Click through the dialog boxes until you click a button that says Finish
Autopsy is also available for Linux and macOS. Follow the install
instructions provided on the Autopsy website.
If you use Kali
Linux, Autopsy is already installed.
Workflow Overview
Before diving into Autopsy and analyzing data, there are a few steps to
perform, such as identifying the data source and what Autopsy actions to
perform with the data source.
Your basic workflow:
- Create the case for the data source you will investigate
- Select the data source you wish to analyze
- Configure the ingest modules to extract specific artifacts from the data source
- Review the artifacts extracted by the ingest modules
- Create the report
Below is a visual of step #1.
When you start
Autopsy, there will be 3 options. To start a new case, click on New Case.
The next screen is titled Case Information, and this is where
information about the case is populated.
- Case Name: The name you wish to give to the case
- Base Directory: The root directory that will store all the files specific to the case (the full path will be displayed)
-
- Case Type: Specify whether this case will be local (Single-user) or hosted on a server where multiple analysts can review (Multi-user)
Note: In this room, the focus is on Single-User.
The
screen that follows is titled, Optional Information and it can be left blank
for our purposes. In an actual forensic environment, you should fill out this
information. When you're done, click Finish.
In this
room, you will import a case. To open a case, you will select is Open Case.
Autopsy case files have an .aut file extension. Navigate to the case folder and select the .aut file you wish to open.
Next, Autopsy will process the case files open the case.
You can identify the name of the case at the top left corner of
the Autopsy window. In the image below, the name of this case is Tryhackme.
Note: If Autopsy is unable to locate the disk image, a warning box
will appear. At this point, you can point Autopsy to the location of the disk
image it's attempting to find, or you can click NO; you can still analyze the
data from the Autopsy case.
Once the case you wish to analyze is open, you are ready to start
analyzing the data.
1) Autopsy files end with which file extension?
Ans :- .aut
Data Sources
Before diving into analyzing the data, let's briefly cover the different
data sources Autopsy can analyze.
Below is a screenshot of the Add Data Source
Windows dialog box.
In this room, we will focus primarily on the first
option, Disk Image or VM file.
Supported Disk Image
Formats:
- Raw Single (For example: *.img, *.dd, *.raw, *.bin)
- Raw Split (For example: *.001, *.002, *.aa, *.ab, etc)
- EnCase (For example: *.e01, *.e02, etc)
- Virtual Machines (For example: *.vmdk, *.vhd)
If there are multiple image files (e.i. E01, E02, E03, etc.) Autopsy
only needs you to point to the first image file, and Autopsy will handle the
rest.
Note: Refer to the
Autopsy documentation
to understand the other data sources that can be added to a case.
Below is a screenshot of an E01 disk image added to a sample case
as a data source.
Specify the time zone and click Next.
Note:
Orphan files are deleted files that no longer have a parent folder. In FAT
file systems, it can be time-sensitive to read and analyze.
1) In the above screenshot, what is the disk image format for SUSPECTHD?
Ans :- Encase
Ingest Modules
Essentially Ingest Modules are Autopsy plug-ins. Each Ingest Module is
designed to analyze and retrieve specific data from the drive.
Below is a screenshot of the Configure Ingest Modules window.
By default, the Ingest Modules are configured to run
on All Files, Directories, and Unallocated Space.
The other two options are:
- All Files and Directories (Not Unallocated Space)
- Create/edit file ingest filters...
Note: We will not cover ingest filters in this room.
If all the Ingest Modules are deselected, and Next is
selected, Autopsy will still process the data source and update the local
database.
Note: Autopsy adds metadata about files to the local database, not
the actual file contents.
When Autopsy is done, you will see the
following:
To complete this process, click Finish.
In the
below image, since the Ingest Modules were deselected, there aren't any
results in the Results node.
The results of any Ingest Module you select to run
against a data source will populate the Results node in the Tree view, which
is the left pane of the Autopsy user interface.
You can run Ingest
Modules at any time while the case is open. To do so, right-click on the data
source and select Run Ingest Modules.
As Ingest Modules run, alerts may appear in the Ingest Inbox.
Below is an example of the Ingest Inbox after a few
Ingest Modules have completed running.
Drawing the attention back to the Configure Ingest Modules window,
notice that some Ingest Modules have per-run settings and some do not.
For
example, the Recent Activity Ingest Module does not have per-run settings. In
contrast, the Hash Lookup Ingest Module does.
To learn more
about Ingest Modules,
read Autopsy documentation here.
The User Interface
Let's look at the Autopsy user interface, which is comprised of 5
primary areas:
- Tree Viewer (Left pane)
- Result Viewer (Top right pane)
- Keyword Search (Upper Top Right)
- Contents Viewer (Bottom right pane)
- Status Area (Lower Bottom right)
Each area will be explained briefly below.
The Tree Viewer has 5 top-level nodes:
- Data Sources - all the data will be organized as you would typically see it in a normal Windows File Explorer.
- Views - files will be organized based on file types, MIME types, file size, etc.
- Results - as mentioned earlier, this is where the results from Ingest Modules will appear.
- Tags - will display files and/or results that have been tagged (read more about tagging here)
- Reports - will display reports either generated by modules or the analyst. (read more about reporting here)
Refer to the Autopsy documentation on the Tree Viewer for more information
here.
Result Viewer
Note:
Don't confuse the Results node (from the Tree Viewer) with the Result Viewer.
When a volume, file, folder, etc., are selected from the Tree
Viewer, additional information about the selected item is displayed in the
Result Viewer.
For example, the Sample case's data source is
selected, and now additional information is visible in the Results Viewer.
If a volume is selected, the Result Viewer's information will change to
reflect the information in the local database for the selected volume.
Notice that the Result Viewer pane has 3 tabs: Table, Thumbnail, and
Summary. The 2 above screenshots reflect the information displayed in the
Table tab.
The Thumbnail tab works best with image or video
files. If the view of the above data is changed from Table to Thumbnail, not
much information will be displayed. See below.
Volume nodes can be expanded, and an analyst can navigate the volume's
contents, as they would a typical Windows system.
In the Views tree node, files are categorized by File Types - By
Extension, By MIME Type, Deleted Files, and By File Size.
Tip: When it comes to File Types, pay attention to this section.
An adversary can rename a file with a misleading file extension. So the file
will be 'miscategorized' By Extension but will be categorized appropriately by
MIME Type.
Expand By Extension and more children nodes appear,
categorizing files even further (see below).
Refer to the Autopsy documentation on the Result Viewer for more
information here.
Contents Viewer
From the Table
tab in the Result Viewer, if you click any folder/file, additional information
is displayed in the Contents Viewer pane.
In the above image, 3 columns might not be quickly
understood what they represent.
S = Score
The Score will
show a red exclamation point for a folder/file marked/tagged as notable and a
yellow triangle pointing downward for a folder/file that is marked/tagged as
suspicious. These items can be marked/tagged by an Ingest Module or by the
analyst.
C = Comment
If a yellow
page is visible in the Comment column, it will indicate that there is a
comment for the folder/file.
O = Occurrence
In a nutshell,
this column will indicate how many times this file/folder has been seen in
past cases (this will require the Central Repository)
Refer to the
Autopsy documentation on the Contents Viewer for more information here.
Keyword Search
At the top
right, you will find Keyword Lists and Keyword Search.
With Keyword
Search, an analyst can perform an AD-HOC keyword search.
In the image above, the analyst is searching for the word 'secret.'
Below are the search results.
Refer to the Autopsy documentation for more information on how to
perform keyword searches with either option.
Status Area
Lastly, the Status Area is at the bottom right.
When
Ingest Modules are running, a progress bar (along with the percentage
completed) will be displayed in this area. If you click on the bar, more
detailed information regarding the Ingest Modules is provided.
If the X (directly next to the progress bar) is clicked on,
a prompt will appear confirming if you wish to end cancel the Ingest Modules.
Refer to the Autopsy documentation on the UI overview here.
Data Analysis
Case Scenario: An employee was suspected of leaking company data. A disk
image was retrieved from the machine. You were assigned to perform the initial
analysis. Further action will be determined based on the initial findings.
Reminder: Since the actual disk image is not in the attached VM,
certain Autopsy sections will not display any actual data, only the metadata
for that row within the local database. You can click No when you're notified
about the 'Missing Image.' Additionally, you do not need to run any ingest
modules in this exercise.
1) What is the full name of the operating system version?
Ans :- Windows 7 Ultimate Service Pack 1
2) What percentage of the drive are documents? Include the % in your
answer.
Ans :- 40.8%
3) The majority of file events occurred on what date? (MONTH DD, YYYY)
Ans :- March 25, 2015
4) What is the name of an Installed Program with the version number
of 6.2.0.2962?
Ans :- Eraser
5) A user has a Password Hint. What is the value?
Ans :- IAMAN
6) Numerous SECRET files were accessed from a network drive. What was the
IP address?
Ans :- 10.11.11.128
7) What web search term has the most entries?
Ans :-
information leakage cases
8) What was the web search conducted on 3/25/2015 21:46:44?
Ans :- anti-forensic tools
9) What binary is listed as an Interesting File?
Ans :-
googledrivesync.exe
10) What self-assuring message did the 'Informant' write for himself
on a Sticky Note? (no spaces)
Ans :- Tomorrow...everything will be ok..
Visualization Tools
You may have noticed that other parts of the user interface weren't
discussed as of yet.
Please refer to the Autopsy
documentation for the following visualization tool:
-
Images/Videos -
http://sleuthkit.org/autopsy/docs/user-docs/4.12.0/image_gallery_page.html
-
Communications -
http://sleuthkit.org/autopsy/docs/user-docs/4.12.0/communications_page.html
- Timeline - http://sleuthkit.org/autopsy/docs/user-docs/4.12.0/timeline_page.html
Note: Within the attached VM, you will NOT be able to practice with some
of the visualization tools, except for Timeline.
Below is a
screenshot of the Timeline.
The Timeline tool is composed of 3 areas:
- Filters - narrow the events displayed based on the filter criteria
- Events - the events are displayed here based on the View Mode
- Files/Contents - additional information on the event(s) is displayed in this area
There are 3 view
modes:
- Counts - the number of events is displayed in a bar chart view
- Details - information on events is displayed, but they are clustered and collapsed, so the UI is not overloaded
- List - the events are displayed in a table view
In the above screenshot, the View Mode is Counts. Below is a
screenshot of the Details View Mode.
The numbers (seen above) indicate the number of
clustered/collapsed events for a specific time frame.
For example,
for /Windows, there are 130,257 events between 2009-06-10 and 2010-03-18. See
the below image.
To expand a cluster, click on the green icon with the plus sign.
See the below example.
To collapse the events, click on the red icon with a minus
sign.
Click the map marker icon with a plus sign if
you wish to pin a group of events. This will move (pin) the events to an
isolated section of the Events view.
To unpin the events, click on the map marker with the minus sign.
The last group of icons to cover are the eye icons. If you wish to
hide a group of events from the Events view, click on the eye with a minus
sign.
In the below screenshot, the clustered events for /Boot were
hidden and were placed in Hidden Descriptions (in the Filters area).
If you wish to reverse that action and unhide the events, right-click and select Unhide and remove from list. See the below example.
Last but not least, below is a screenshot of the List View
Mode.
This should be enough information to get you started
interacting with the Timeline with some level of confidence.
1) Using the Timeline, how many results were there on 2015-01-12?
Ans :- 46
Conclusion
To conclude, there is more to Autopsy that wasn't covered in detail within
this room.
Below are some topics that you should explore on your own to configure
Autopsy to do more out of the box:
- Global Hash Lookup Settings
- Global File Extension Mismatch Identification Settings
- Global Keyword Search Settings
- Global Interesting Items Settings
- Yara Analyzer
3rd Party modules are available for Autopsy. Visit the official SleuthKit GitHub repo for a
list of
3rd party modules here.
The disk image used with this room's development was
created and released by the NIST under the Computer Forensic Reference Data
Sets (CFReDS) Project. It is encouraged to download the disk image, go through
the full exercise (here) to practice using Autopsy, and level up your investigation techniques.
Disclaimer
This was written for educational purpose and pentest only.
The author
will not be responsible for any damage ..!
The author of this tool is not
responsible for any misuse of the information.
You will not misuse the
information to gain unauthorized access.
This information shall only be
used to expand knowledge and not for causing malicious or damaging
attacks. Performing any hacks without written permission is illegal ..!
All
video’s and tutorials are for informational and educational purposes only. We
believe that ethical hacking, information security and cyber security should
be familiar subjects to anyone using digital information and computers. We
believe that it is impossible to defend yourself from hackers without knowing
how hacking is done. The tutorials and videos provided on www.hackingtruth.in
is only for those who are interested to learn about Ethical Hacking, Security,
Penetration Testing and malware analysis. Hacking tutorials is against misuse
of the information and we strongly suggest against it. Please regard the word
hacking as ethical hacking or penetration testing every time this word is
used.
All tutorials and videos have been made using our own
routers, servers, websites and other resources, they do not contain any
illegal activity. We do not promote, encourage, support or excite any illegal
activity or hacking without written permission in general. We want to raise
security awareness and inform our readers on how to prevent themselves from
being a victim of hackers. If you plan to use the information for illegal
purposes, please leave this website now. We cannot be held responsible for any
misuse of the given information.
- Hacking Truth by
Kumar Atul Jaiswal
I hope you liked this post, then you
should not forget to share this post at all.
Thank you so much :-)