Data Artifacts, Analysis Results and Reporting in Autopsy 4.19+

This is a mini-course on Autopsy. See chapter times below.

Autopsy is a free, open-source, full-featured digital forensic investigation toolkit. It is developed by Basis Technology and a large open-source community. You can use Autopsy as the basis to conduct a full digital forensic investigation. You can also extend Autopsy with modules written in Java and Python.

Thank you to our Members and Patrons, but especially to our Investigators, TheRantingGeek and Roman! Thank you so much!

We review the data artifacts and analysis results sections after ingesting a Windows 10 physical disk image in Autopsy 4.19. We walk through what each of the artifacts looks like and how they can be used in digital forensic investigations.

During our forensic analysis of a Windows 10 disk image, we reconstruct nmap installation and usage as an example. Then we use Autopsy to produce an artifact report that we can use as a reference for our final forensic investigation report.

00:00 Autopsy Data Artifacts
00:41 Exploring the Windows 10 disk image
01:50 Autopsy: Data Artifacts
02:15 Installed Programs
03:52 Metadata
05:00 Operating System Information
05:54 Recent Documents
08:12 Recycle Bin
08:48 Run Programs
10:47 Run Programs - Verify with additional evidence
12:27 Autopsy analysis procedure overview
12:56 Shell Bags
14:02 USB Device Attached
15:25 Web Accounts
15:52 Web Bookmarks
16:00 Web Cache
16:25 Web Cookies
17:16 Web Downloads
18:36 Web Form Autofill
18:51 Web History
19:45 Web Search
21:55 Autopsy: Analysis Results
22:00 Encryption Suspected
22:36 EXIF Metadata
23:23 Extension Mismatch Detected
24:33 Interesting Files
25:02 Keyword Hits
27:29 Previously Unseen
28:36 User Content Suspected
28:49 Web Account Type
29:32 Web Categories
29:54 Artifacts and Results Overview
30:10 Bookmarked items review
31:01 Generate an artifact report based on bookmarks
32:26 Example full Autopsy report
32:41 How to use an Autopsy report
33:36 Conclusions

Links:

Related Books:

#Autopsy #forensics #investigation #case #dfir
010001000100011001010011011000110110100101100101011011100110001101100101
Get more Digital Forensic Science

010100110111010101100010011100110110001101110010011010010110001001100101

Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Please link back to the original video. If you want to use this video for commercial purposes, please contact us first. We would love to see what you are doing.
Comments

This is Brilliant, Thank you so much for this video.👍

shraunakreddynayam

Sir, I just wanted to know how did you download the data artifacts module. Because when I do, all my files are extracted except the data artifacts module.

piyushsingh

Sir, can you tell me where to find MAC Address of the image file?

chenqinghung

Please reply sir. The "Data Artifacts" section is empty when I take physical image of my test mobile phone and analyze it on Autopsy. I have done detailed activity on the phone before taking the image. Any help would be highly appreciated since I have searched on the internet and cannot find an answer.

qwerty.

Can Autopsy retrieve video files from a formatted SD card that is formatted in exfat?

tony

For those who are trying to download the necessary files to follow along with the video and can't see the same file content as the ones in the video, esp. if vol 3 doesn't show the right files, you have to download all 15 EnCase files (i.e. 001Win10.E01-001Win10.E15). Torrent the entire folder, which should be about 15 GB.

muhdismailmuhdishak

This and the other videos in this series are superb. You have demystified the entire process for me in just a couple of hours! OK, but I have a couple of questions. 1. Has Autopsy been validated for all its functions, and where is that validation data? and 2. How does this program compare to, say, EnCase or AXIOM? Is it essentially the same?

adrianmutimer

Excellent presentation and quality. Thank You!

forpaqk

Hi, I have a question about Metadata Artifacts: what is the difference between User ID and Owner of a document? And also, the Last Printed Date?

ajegun

Is it possible to recover information from Whatsapp/Signal using Autopsy?

danielhinton

Yet another great video. Thank you so much!

xDx

Can you download the report to your computer? And if so, how?

zoebryant

Hello sir,
I tried adding 001Win10.E01 as a data source but nothing pops up in the data artifacts section and vol3 (NTFS...) cannot be opened. Please send help!

muhdismailmuhdishak

Product ID can be found under the "OS Info" section. But where is it possible to find the Product Key, or information related to Hardware (cpu, monitor, eth/wifi cards...). Thanks in advance. :)

dadobe

Hello, I have an error when uploading the new data source to exivbit002 (error processing unallocated).

skywalker

Actually, I have another question. What I think I see here is a process where data is collected according to an initial hypothesis of guilt, and a story is built up that supports that hypothesis. The process starts biased and is then highly constructive on the part of the examiner in the same direction. And this process is well supported by the set of tools in Autopsy.

What I *don't* see is anything in Autopsy, or tools like it, that assists the examiner in finding alternative explanations for evidence. An example will help make this clear: we find a drive has a set of .lnk files in unallocated space and with incriminating targets. In this case the building block of our story would be that the user interacted with the target files. All good - except what if the .lnk files are from a backup the user did of someone else's machine? Well, in this case there would be a mismatch of the MAC addresses of the .lnk files with the user's machine, but here is the problem: there is nothing in Autopsy to flag this up. What is most likely to happen is the examiner will go on to build on his incorrect foundation and misconstrue all the other evidence he finds as a result... This entire process, from hypothesis, to examination, to story-building bodes well for conviction but bodes badly for justice...

You will surely be aware that there are about a gazillion ways in which evidence can be misconstrued like this, and it seems to me that what we have available to examiners is a set of tools that are good at finding inculpatory evidence in line with a guilty theory and hypothesis but not at all good at finding exculpatory evidence and assisting with an alternative hypothesis. Do you agree?

adrianmutimer

Hi Dude,

Three questions. Sorry to go on at you like this.

1. Based on your comment elsewhere in this comments section, can you explain why it is that you consider exculpatory evidence is by its very nature harder to find and make sense of than inculpatory evidence?

2. If you could add new tools to Autopsy that could help you find exculpatory evidence, what would they be?

3. This question is longer. In many other branches of forensic science there are standard methods, but there are no such methods in digital forensic science. Equally, in other branches of forensic science there is a body of research work that sits alongside the methods and strengthens and validates them, but no such thing exists with digital forensic science. An imaginary example will get this over. Imagine we find a dead body, partially decayed and out in the woods. We suspect the victim was poisoned. We run a set of tests for commonly used poisons and we find poison chemical XXX. But there is a body of research that shows that XXX is also to be found in the mouths of predators... The research also shows us that wherever XXX is found by cause of the actions of predators, chemical YYY is also invariably present. We do a second test for chemical YYY and we find it absent... We now have some good, validated evidence that this victim was poisoned. But there is nothing analogous to all this in digital forensic science. There are no standard methods, no body of research, no methods for validation. In digital forensic science, we find chemical XXX and we move on... My question is, do you agree with my assertions here, and do you think there is scope for improvement?

😀😀😀😀😀😀😀😀

A

adrianmutimer