Research breakthrough possible @S-Logix pro@slogix.in


Autopsy Tool for Digital Forensics


Autopsy Tool for Digital Forensics Process

  • Autopsy is an open-source digital forensics platform built on The Sleuth Kit (TSK) that is used to analyze disk images and other digital evidence. It provides a graphical interface and a set of ingest modules to extract, display, and analyze data from diverse sources, whether for a cybercrime investigation, incident response, or a routine review of digital devices. Digital forensic examiners worldwide rely on it to surface the artifacts that help resolve difficult cases and uncover hidden digital traces.

An Effective Digital Forensics Process Enhanced by Autopsy:

1. Identification
  • The investigator defines the scope and objectives of the investigation: which systems are in scope, which questions the evidence must answer, and which artifact types matter (file system contents, registry entries, email, web history). In Autopsy this becomes the choice of data sources to add and ingest modules to run.
2. Collection
  • Autopsy is an analysis platform, not an imager. Evidence is acquired with a dedicated imaging tool (dd, dc3dd, Guymager, FTK Imager), ideally through a write blocker, and the resulting raw (dd) or E01 image is added to Autopsy as a data source; Autopsy can also read attached local drives and logical files or folders. Memory dumps are acquired and analyzed with memory forensics tools rather than Autopsy.
3. Preservation
  • Digital evidence must be preserved so that it cannot be altered or tampered with. Examiners work on verified forensic images rather than original media: the image is hashed at acquisition and that hash is checked again before and after analysis. Autopsy's Hash Lookup ingest module records a hash for every file, and its E01 Verifier module checks an E01 image against the hashes stored inside it. Original media and images are stored securely and every transfer is logged to maintain the chain of custody.
4. Examination
  • This is the core phase, in which the investigator uses Autopsy to examine the collected data. Autopsy presents file systems, registry entries, emails, internet history and metadata in one interface; the key activities are keyword searching, file carving, timeline analysis and recovery of deleted files.
5. Analysis
  • During analysis, investigators draw conclusions from the examined evidence. Autopsy helps correlate findings across artifact types (for example, linking a user account, a USB device and a file's timestamps) and establishes a timeline of events on which the narrative of the case is built.
6. Reporting
  • Autopsy generates reports summarizing the evidence identified, the data sources and ingest modules used, the analysis results and the tagged items, in HTML or Excel form. These reports are used in legal proceedings and may need to follow specific forensic standards.
7. Documentation
  • Throughout the case the examiner documents the work inside Autopsy: the case metadata (case number, examiner name), tags and comments on items of interest, and the ingest history. Contemporaneous documentation of what was done, when and by whom is essential for the findings to hold up in court.
8. Presentation
  • Digital evidence has to be conveyed clearly to stakeholders such as law enforcement, attorneys or judges. Autopsy's reports, exported files and tagged items form the exhibits; charts and visual summaries are produced from them as needed.
9. Archiving
  • Once the investigation is complete, the Autopsy case directory (case database, module output and reports) is archived together with the verified image and the custody records, so the work can be retrieved for future reference or further legal action.
10. Quality Assurance
  • Throughout the process, examiners verify their own work: re-hash images, re-run a module on a sample to confirm results, and have a second examiner review key findings. Autopsy supports this through file hashing, reproducible ingest settings and a case database that records which modules processed each data source.
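The preservation and quality-assurance steps above come down to one discipline: hash the image at acquisition, write-protect it, and re-verify the hash every time it is touched, logging who did what. The shell functions below are an added example of that discipline for a raw image on the Ubuntu analysis workstation; they are not Autopsy's code and not from the original page. The custody-log format, file names and examiner names are my own assumptions, and the demo "image" at the bottom is a constructed file, not real evidence.

```shell
#!/bin/sh
# Added example: acquisition-hash recording, write-protection and re-verification
# of a forensic image with a custody log. Not Autopsy code; the log format is an
# assumption of this example.

# SHA-256 of a file, hash only (sha256sum is in coreutils on Ubuntu).
hash_image() {
    sha256sum "$1" | awk '{print $1}'
}

# Append "UTC timestamp|examiner|action|sha256|path" to the custody log.
custody_log() {
    log="$1"; examiner="$2"; action="$3"; image="$4"
    printf '%s|%s|%s|%s|%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$examiner" "$action" "$(hash_image "$image")" "$image" >> "$log"
}

# Preserve a freshly acquired image: if the imaging tool reported a hash, refuse a
# copy that does not match it; otherwise record the first hash we see as the
# acquisition hash. Then strip write permission so analysis tools cannot modify it.
preserve_image() {
    log="$1"; examiner="$2"; image="$3"; acquisition_hash="${4:-}"
    if [ -n "$acquisition_hash" ] && [ "$(hash_image "$image")" != "$acquisition_hash" ]; then
        custody_log "$log" "$examiner" "acquire-MISMATCH" "$image"
        return 1
    fi
    chmod a-w "$image"
    custody_log "$log" "$examiner" "acquired" "$image"
}

# Re-verify before (and after) an examination: compare the current hash with the
# hash recorded at acquisition. Returns 0 on match, 1 on mismatch or missing record.
verify_image() {
    log="$1"; examiner="$2"; image="$3"
    expected=$(awk -F'|' -v img="$image" \
        '$5 == img && $3 == "acquired" { print $4; exit }' "$log")
    if [ -n "$expected" ] && [ "$expected" = "$(hash_image "$image")" ]; then
        custody_log "$log" "$examiner" "verified-ok" "$image"
        return 0
    fi
    custody_log "$log" "$examiner" "verify-FAILED" "$image"
    return 1
}

# Stand-alone demo on a constructed file (not real evidence).
demo_dir=$(mktemp -d)
demo_img="$demo_dir/evidence.dd"
demo_log="$demo_dir/custody.log"
printf 'constructed sample image content\n' > "$demo_img"
preserve_image "$demo_log" "examiner-a" "$demo_img" && echo "preserved: $(hash_image "$demo_img")"
verify_image "$demo_log" "examiner-b" "$demo_img" && echo "verification passed"
cat "$demo_log"
```

The acquisition hash passed as the fourth argument is the value the imaging tool printed (dd with a hashing wrapper, dc3dd, Guymager and FTK Imager all report one); refusing a copy that does not match it catches a bad transfer before any analysis starts, and the log records the failed attempt as well as the successes.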
Workflow with Autopsy:
  • Create a New Case: define the case name, case number, examiner and base directory; Autopsy creates the case database there.
  • Add Data Source: add a disk image (raw/dd, E01, VHD or VMDK), a local drive, or logical files and folders.
  • Configure Ingest Modules: choose which modules run on the data source, such as Recent Activity (web and registry artifacts), Hash Lookup, File Type Identification, Keyword Search, Email Parser and PhotoRec Carver.
  • Run Ingest Modules: process the data source with the selected modules; results appear in the tree view as each module finishes.
  • Analysis: browse the tree view, keyword hits, timeline and content viewers to identify evidence, and tag items of interest with comments.
  • Reporting: generate an HTML or Excel report containing the findings and tagged items.
  • Close Case: confirm that all findings are documented and tagged, then close the case; the case directory holds the database, reports and module output.
Digital Forensic Analysis and Examination Supported by Autopsy:
  • File System Analysis: Autopsy uses The Sleuth Kit to parse file systems (NTFS, FAT, exFAT, HFS+, Ext2/3/4, YAFFS2, ISO9660 and others), recovering files (including deleted ones), directory structures and file attributes.
  • Keyword Searching: literal keyword and regular-expression search across the indexed data source, with hits grouped per search term.
  • Timeline Analysis: build timelines from file system timestamps (modified, accessed, changed, created) and from extracted artifacts such as web history.
  • Web Artifacts: extract and analyze browser history, cookies, downloads and bookmarks.
  • Registry Analysis: extract data such as user accounts, USB devices and installed programs from Windows Registry hives.
  • Carving: recover files by signature from unallocated space with the PhotoRec Carver module, even when the file system metadata is gone.
  • Email Analysis: parse email archives (MBOX and PST) into messages and attachments.
  • File Type Sorting: organize files into categories (documents, images, etc.) by detected file type, so that files whose extension disagrees with their content stand out.
  • File Analysis: review file properties, metadata, and internal structures in the hex, string and text viewers.
  • Thumbnail View: view thumbnail previews of image files.
  • Tagging: tag files of interest, comment on them, and organize the evidence for the report.
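Autopsy's timeline is built from the same file system metadata that The Sleuth Kit's command-line tools expose. As an added example (my own script, neither Autopsy's code nor from the original page), the shell below produces a bodyfile with fls and then does what mactime does: it expands each file's four timestamps into events, merges the ones that share a timestamp into a "macb" flag string, and restricts them to a time window, which is the step that turns a raw file listing into an incident timeline. It assumes the Sleuth Kit tools (fls, mmls) are on the PATH for the image step; the event expansion itself runs on the constructed bodyfile at the bottom and needs only awk and sort.

```shell
#!/bin/sh
# Added example: command-line timeline from a TSK bodyfile (not Autopsy's code).
# Bodyfile format written by `fls -m` (TSK 3.x and later), one file per line:
#   MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
# Timestamps are epoch seconds; 0 means the file system has no such timestamp.

# Produce a bodyfile from a raw image. OFFSET is the partition start in sectors
# (read it from `mmls IMAGE`); "/" is the path prefix fls puts on every name.
make_bodyfile() {
    image="$1"; offset="$2"; out="$3"
    fls -r -m "/" -o "$offset" "$image" > "$out"
}

# Expand a bodyfile into one event per distinct (timestamp, file) pair inside
# [START, END], printing "epoch|macb|size|name" sorted by time. The macb string
# marks which timestamps share that instant: m=modified, a=accessed,
# c=metadata changed, b=born/created, "." when that timestamp is different.
timeline_window() {
    body="$1"; start="$2"; end="$3"
    awk -F'|' -v start="$start" -v end="$end" '
        NF >= 11 {
            name = $2; size = $7
            t["m"] = $9; t["a"] = $8; t["c"] = $10; t["b"] = $11
            for (f in t) {
                ts = t[f] + 0
                if (ts == 0 || ts < start || ts > end) continue   # unset or outside window
                key = ts "|" name
                flag[key, f] = 1
                sz[key] = size
            }
        }
        END {
            for (key in sz) {
                i = index(key, "|")
                ts = substr(key, 1, i - 1); name = substr(key, i + 1)
                printf "%s|%s%s%s%s|%s|%s\n", ts,
                    (flag[key, "m"] ? "m" : "."), (flag[key, "a"] ? "a" : "."),
                    (flag[key, "c"] ? "c" : "."), (flag[key, "b"] ? "b" : "."),
                    sz[key], name
            }
        }' "$body" | sort -t '|' -k1,1n -k4,4
}

# Constructed sample bodyfile (not from a real image): a document, a prefetch
# file written in one go, and a deleted file whose access time is unset.
write_sample_bodyfile() {
    cat > "$1" <<'EOF'
0|/Users/alice/Documents/plan.docx|12345-128-1|r/rrwxrwxrwx|0|0|20480|1700000000|1699990000|1699990000|1699900000
0|/Windows/Prefetch/CMD.EXE-4A81B364.pf|67890-128-1|r/rrwxrwxrwx|0|0|8192|1700000100|1700000100|1700000100|1700000100
0|/$Recycle.Bin/deleted.txt (deleted)|11111-128-1|r/rrwxrwxrwx|0|0|512|0|1700000300|1700000300|1699999000
EOF
}

# Stand-alone demo: all events in the window 1699990000..1700000200.
sample=$(mktemp)
write_sample_bodyfile "$sample"
timeline_window "$sample" 1699990000 1700000200
```

On the sample, the document's creation falls before the window and is dropped, its modification and metadata change share one instant and print as m.c., the prefetch file prints as macb because all four timestamps are identical (typical of a file written once and never touched again), and the deleted file contributes only its creation event because its later timestamps lie past the window. Autopsy's timeline view shows the same events per file, just grouped and filtered in the GUI.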
Installation Steps:
Prerequisites:
  • Antivirus software on the analysis machine conflicts with forensic tools: it can quarantine or delete recovered malware and carved files before they can be examined. Use a dedicated, isolated forensic workstation with antivirus disabled or removed, keep it off production networks, and do not simply switch antivirus off on a general-purpose machine.
System Requirements:
  • 1) Minimum 4GB RAM (16GB is recommended)
  • 2) Ubuntu 18.04
  • 3) Autopsy 4.9.1
  • 4) sleuthkit-java_4.6.4-1_amd64.deb (The Sleuth Kit with Java bindings, the version that matches this Autopsy release)
  • 5) Java 8 (Autopsy 4.9.1 requires an 8.x JDK)
Step 1. Install TestDisk
  • TestDisk is a data recovery suite that ships with PhotoRec. Autopsy's PhotoRec Carver module calls the photorec binary, so it must be on the PATH before Autopsy is set up.
  • Open a terminal
  • sudo apt install testdisk
  • command -v photorec (prints the path to photorec if the install succeeded)
Step 2. Install Java Packages
  • Autopsy 4.9.1 on Ubuntu 18.04 needs Java 8. BellSoft's Liberica JDK provides an OpenJDK 8 package that includes the JavaFX components Autopsy's interface uses. Add BellSoft's signing key and repository, then install the package:
  • Open a terminal
  • wget -q -O - https://download.bell-sw.com/pki/GPG-KEY-bellsoft | sudo apt-key add -
  • echo "deb [arch=amd64] https://apt.bell-sw.com/ stable main" | sudo tee /etc/apt/sources.list.d/bellsoft.list
  • sudo apt update
  • sudo apt install bellsoft-java8-full
  • After installation, open a new terminal and select the BellSoft JDK as the default java:
  • sudo update-alternatives --config java
  • Choose the bellsoft-java8-full entry, then set JAVA_HOME so that Autopsy's setup script and launcher find the same JDK:
  • nano ~/.bashrc
  • export JAVA_HOME=/usr/lib/jvm/bellsoft-java8-full-amd64
  • Press Ctrl+O to write the new line and Ctrl+X to exit the editor.
  • source ~/.bashrc
  • Check the active Java version; the output should report version 1.8.x:
  • java -version
Step 3. Install sleuthkit-java_4.6.4-1_amd64.deb
  • Download The Sleuth Kit package that matches Autopsy 4.9.1. The version pairing matters: Autopsy's setup script looks for the jar of exactly this Sleuth Kit release.
  • https://github.com/sleuthkit/sleuthkit/releases/download/sleuthkit-4.6.4/sleuthkit-java_4.6.4-1_amd64.deb
  • Open a terminal
  • Change to the directory the package was downloaded to (for example, Downloads):
  • cd Downloads
  • sudo apt install ./sleuthkit-java_4.6.4-1_amd64.deb
  • Installing the local .deb with apt rather than dpkg also resolves the package's library dependencies.
Step 4. Install Autopsy 4.9.1
  • Download Autopsy 4.9.1 (zip archive):
  • https://github.com/sleuthkit/autopsy/releases/download/autopsy-4.9.1/autopsy-4.9.1.zip
  • Open a terminal as a normal user (root is not required for unix_setup.sh, and the Autopsy GUI should not be run as root)
  • cd Desktop
  • mkdir autopsy
  • cd autopsy
  • wget https://github.com/sleuthkit/autopsy/releases/download/autopsy-4.9.1/autopsy-4.9.1.zip
  • unzip autopsy-4.9.1.zip
  • cd autopsy-4.9.1
  • sh unix_setup.sh
  • The setup script checks that JAVA_HOME is set, that the matching Sleuth Kit jar from Step 3 is installed and that photorec from Step 1 is available, then marks the launcher executable. Fix any error it reports before continuing.
  • cd bin
  • ./autopsy
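The four steps above, as an added example of a single script with the checks an examiner would want before trusting the install (this is not Autopsy's own installer and not from the original page): Java must be an 8.x JDK, JAVA_HOME must point at it, each download can be checked against a SHA-256 the examiner recorded from the release page, and the script refuses to run as root. The BellSoft repository line is the vendor's documented one; the JAVA_HOME path under /usr/lib/jvm and the optional TSK_SHA256 / AUTOPSY_SHA256 variables are my assumptions. Nothing is installed unless the script is invoked with the argument install.

```shell
#!/bin/sh
# Added example: Autopsy 4.9.1 install on Ubuntu 18.04 as checked functions.
# Not the project's installer. Usage: sh install_autopsy.sh install
set -u

AUTOPSY_VER="4.9.1"
TSK_VER="4.6.4"
TSK_DEB="sleuthkit-java_${TSK_VER}-1_amd64.deb"
TSK_URL="https://github.com/sleuthkit/sleuthkit/releases/download/sleuthkit-${TSK_VER}/${TSK_DEB}"
AUTOPSY_ZIP="autopsy-${AUTOPSY_VER}.zip"
AUTOPSY_URL="https://github.com/sleuthkit/autopsy/releases/download/autopsy-${AUTOPSY_VER}/${AUTOPSY_ZIP}"
# Assumed install path of the BellSoft package (the page uses the same path).
JAVA8_HOME_DEFAULT="/usr/lib/jvm/bellsoft-java8-full-amd64"

# 0 if the first line of `java -version` output names a 1.8.x JDK, else 1.
java_is_8() {
    case "$1" in
        *'version "1.8.'*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if DIR looks like a JDK home (has an executable bin/java), else 1.
java_home_ok() {
    [ -n "${1:-}" ] && [ -x "$1/bin/java" ]
}

# 0 if FILE's SHA-256 equals EXPECTED (lower-case hex), else 1.
sha256_matches() {
    [ "$(sha256sum "$1" | awk '{print $1}')" = "$2" ]
}

install_prereqs() {
    sudo apt update
    # testdisk ships photorec, which Autopsy's PhotoRec Carver module calls.
    sudo apt install -y testdisk unzip wget
}

install_java8() {
    wget -q -O - https://download.bell-sw.com/pki/GPG-KEY-bellsoft | sudo apt-key add -
    echo "deb [arch=amd64] https://apt.bell-sw.com/ stable main" \
        | sudo tee /etc/apt/sources.list.d/bellsoft.list
    sudo apt update
    sudo apt install -y bellsoft-java8-full
    # Assumption: the package registers this path as a java alternative.
    sudo update-alternatives --set java "$JAVA8_HOME_DEFAULT/bin/java"
}

install_sleuthkit() {
    wget -q "$TSK_URL"
    if [ -n "${TSK_SHA256:-}" ] && ! sha256_matches "$TSK_DEB" "$TSK_SHA256"; then
        echo "checksum mismatch for $TSK_DEB; not installing" >&2; return 1
    fi
    sudo apt install -y "./$TSK_DEB"   # apt (not dpkg) resolves the dependencies
}

install_autopsy() {
    JAVA_HOME="${JAVA_HOME:-$JAVA8_HOME_DEFAULT}"; export JAVA_HOME
    java_home_ok "$JAVA_HOME" || { echo "JAVA_HOME=$JAVA_HOME has no bin/java" >&2; return 1; }
    version_line=$("$JAVA_HOME/bin/java" -version 2>&1 | head -n 1)
    java_is_8 "$version_line" || { echo "Autopsy $AUTOPSY_VER needs Java 8, found: $version_line" >&2; return 1; }
    wget -q "$AUTOPSY_URL"
    if [ -n "${AUTOPSY_SHA256:-}" ] && ! sha256_matches "$AUTOPSY_ZIP" "$AUTOPSY_SHA256"; then
        echo "checksum mismatch for $AUTOPSY_ZIP; not installing" >&2; return 1
    fi
    unzip -q "$AUTOPSY_ZIP"
    ( cd "autopsy-$AUTOPSY_VER" && sh unix_setup.sh )   # checks JAVA_HOME, TSK jar, photorec
    echo "launch with: JAVA_HOME=$JAVA_HOME autopsy-$AUTOPSY_VER/bin/autopsy"
}

main() {
    # Privileged steps use sudo; setup and the GUI should run as the examiner's user.
    [ "$(id -u)" -ne 0 ] || { echo "run as a normal user, not root" >&2; exit 1; }
    install_prereqs && install_java8 && install_sleuthkit && install_autopsy
}

case "${1:-}" in
    install) main ;;
    *) echo "usage: $0 install   (set TSK_SHA256/AUTOPSY_SHA256 to verify the downloads)" ;;
esac
```

Record the checksums from the release pages on a separate machine before running the script with TSK_SHA256 and AUTOPSY_SHA256 set; with them unset the downloads are installed unverified, which is what the original four steps do.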