Autopsy User Documentation
4.11.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
Sometimes you need to make a quick decision about a system or systems and don't have the time or resources to make full images. For example, during a knock and talk you want to know if there is notable data on their system. Or you are at a location with many systems and want to know which should be analyzed first. Autopsy has features that will allow you to quickly find the data of interest without making full images of the devices. Those features will be described below, followed by some example scenarios that show how to put everything together.
There are many features of Autopsy that can come into play in a triage situation. Some help you process the files most likely to be relevant earlier, and others allow you to continue analyzing the data after disconnecting from the target system.
The goal is to find the most important files first when there is limited time to analyze a system. Autopsy always runs on the user folders first (if present), since in many situations they are the most likely folders to contain data of interest.
For a particular scenario, you may know specific file types that you are interested in. For example, if you are only concerned with finding images, you could save time by not analyzing any non-image files. This will allow a system to be processed far faster than if you analyzed every file.
File filters allow you to limit which types of files will be processed. The Custom File Filters section of the Ingest Modules page shows how to create a file filter. You can filter on file name/extension, path, or how recently the file was modified. Once saved, your new file filter can be selected when configuring ingest modules.
Another way to speed up analysis is to only run some of the ingest modules. For example, if we're only interested in images, there may be no point in running the Keyword Search Module or the Encryption Detection Module. You can manually select and configure the modules you want to run each time, but since many sessions are similar it may be easier to set up an ingest profile. An ingest profile allows you to store which file filter you want to run, which ingest modules should be enabled, and your configuration for each ingest module.
Once you have at least one ingest profile configured, a new screen will appear before the normal ingest module configuration panel. If you choose your user-defined profile, that ingest module configuration panel will be skipped entirely and the ingest modules from that profile will be run on the data source.
See the Using Ingest Profiles section of the Ingest Modules page for additional information on how to set up and use an ingest profile.
In a triage situation, there is generally not time to make a full image of the system in question. There are a few ways to process live systems and devices with Autopsy:
With any of the above methods for analyzing live systems and devices there is still the problem that your Autopsy case won't be very useful after you disconnect from the drive. To solve this problem you can choose to make a "sparse VHD" as Autopsy is processing the device. This is a file format used by Microsoft Virtual Machines that is readable by Windows and other forensic tools. Instead of copying each sector sequentially, sparse VHDs allow us to copy sectors in any order. This lets us copy each sector as Autopsy reads it, so the sparse VHD will contain all of the files that have been processed so far. We will also have the data associated with volumes and file systems since Autopsy has to process those in the course of analyzing the system.
To create a sparse VHD, check the box for "Make a VHD image..." when selecting the disk to analyze.
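The copy-as-read idea behind the sparse VHD, as an added Python illustration that is not Autopsy's own code: it writes a plain sparse raw file (holes for sectors never read) instead of the VHD container format, and the SparseCapture class, the demo() read order and the 1 MiB constructed device are all assumptions made for the example.

```python
import io
import os
import tempfile

SECTOR = 512


class SparseCapture:
    """Copy every sector read from `source` into a sparse image at the same offset."""

    def __init__(self, source, total_sectors, image_path):
        self.source = source
        self.image = open(image_path, "w+b")
        self.image.truncate(total_sectors * SECTOR)  # full device size, all holes
        self.captured = bytearray(total_sectors)      # 1 = sector present in image

    def read(self, lba, count):
        """Read `count` sectors at `lba`; the bytes land in the image on the way through."""
        self.source.seek(lba * SECTOR)
        data = self.source.read(count * SECTOR)
        self.image.seek(lba * SECTOR)
        self.image.write(data)
        self.captured[lba:lba + count] = b"\x01" * count
        return data

    def coverage(self):
        return sum(self.captured) / len(self.captured)  # fraction of device captured

    def close(self):
        self.image.close()


def demo():
    total = 2048  # constructed 1 MiB device, each sector tagged with its own number
    device = io.BytesIO(b"".join(
        (b"sector %06d" % n).ljust(SECTOR, b"\0") for n in range(total)))
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "triage.raw")
        cap = SparseCapture(device, total, path)
        cap.read(0, 1)      # boot sector / partition table
        cap.read(1024, 8)   # file system metadata deep in the volume
        cap.read(40, 3)     # clusters of one interesting file
        cap.close()
        with open(path, "rb") as f:
            img = f.read()
    src = device.getvalue()
    return {
        "coverage": cap.coverage(),
        "captured_match": img[40 * SECTOR:43 * SECTOR] == src[40 * SECTOR:43 * SECTOR],
        "holes_zero": img[SECTOR:40 * SECTOR] == b"\0" * (39 * SECTOR),
    }
```

The image is full device size from the start, but only the sectors the analysis actually touched hold data, which is why the capture stays usable after the drive is disconnected even though it is far from a complete copy.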
In this scenario, you are trying to answer whether child exploitation images exist in a knock and talk type situation where you will have a limited amount of time with the target system.
Preparation at the office:
At the house:
Copyright © 2012-2019 Basis Technology. Generated on Fri Jun 21 2019
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.