Autopsy User Documentation  4.21.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
Logical Imager

Table of Contents

Overview

The logical imager allows you to collect files from a live Windows computer. The imager is configured with rules that specify what files to collect. Rules can be based on file attributes such as folder names, extensions, and sizes. You can use this feature when you do not have time or authorization to perform a full drive acquisition.

Logical imager can save the matching files in two ways. The default method is to save individual files, which is the faster method and uses less disk space. The other option is to produce one or more sparse VHD images that contain all of the file system data that was read. These VHD images can be imported into Autopsy or mounted by Windows. In either case, the logical imager also enumerates the user accounts on the system and can generate alerts if encryption programs exist.

The general workflow is:

Currently logical imager can only be configured on Windows, and will only analyze Windows systems. You will also need to be able to run logical imager as administrator on the target system.

Configuration

To start, open Autopsy and go to Tools->Create Logical Imager.

tools_menu.png

In either case you can now configure your imager. If the configuration file already exists, this screen will be loaded with the current settings from the file.

main_config_panel.png

On the left side you can see each rule in the configuration file. Each of these rules will be applied against the live system. A rule has a name, an optional description, one or more conditions, and settings for what should happen when a file matching the rule is found. When you select a rule you'll see all the settings for that rule on the right side of the panel. You can edit or delete rules once you select them. There are also global settings in the bottom right that apply to the configuration file as a whole:

More information on creating a VHD versus saving any matching files directly:

To make a new rule, click on the "New Rule" button.

new_attr_rule.png

There are two rule types to choose from:

For either rule type, you start by entering a rule name and optional description. You will also need to choose at least one action to take when a match is found.

Attribute rules can have one or more conditions. All conditions must be true for a rule to match.

Full path rules have a single condition.

full_path_rule.png

Once you've set up all your rules, go to the next panel and click "Save" to save your configuration file and the logical imager executable to the location you selected.

save.png

Running Logical Imager

Running with the Default Configuration

Using the defaults in the configuration process will create a drive with the config file (named "logical-imager-config.json") and the logical imager executable in the root folder of your drive.

exe_folder.png

The default case is to run the logical imager on every drive except the one containing it. Note that the logical imager executable must be in the root directory for the drive to be skipped. To run the imager, right-click on "tsk_logical_imager.exe" and select "Run as administrator". This will open a console window where you'll see some information about the processing and if you set any rules to create alerts, you'll see matches in the console window as well. Depending on which option you selected during configuration, the window may close automatically when the processing is complete.

The logical imager will start writing to a directory next to the executable.

output_folder.png

Running from a Command Prompt

To run the logical imager with custom settings, you'll need to first open a command prompt in administrator mode (right-click and then select "Run as administrator"). Then switch to the drive where logical imager is located. You can run using the default configuration by simply typing "tsk_logical_imager.exe".

command_prompt.png

If your configuration file is not named "logical-imager-config.json" (for example, if you have multiple configuration files for different situations), you'll need to specify the file name using the "-c" flag.

config_flag.png

If you want to specify the drive to run on, you can use the "-i" flag. This can be helpful for testing your configuration file - you can create a small USB drive with files that should match your rules to ensure that everything is working correctly before using it on a real system. The following example shows how to only run on the "G" drive on this system:

image_flag.png

Viewing Results

Output folder structure

If logical imager was run in the default mode (not creating a VHD), the output folder will look similar to this:

nonVHDfolder.png

Folder contents:

If logical imager was set to create VHDs, you'll see those VHDs in the output folder (along with the other output files described above except the root folder):

VHDfolder.png

Adding results to Autopsy

The logical imager results can be added to an Autopsy case as a data source. This brings in either just the matching files or the sparse VHD(s) as a disk image, and also adds the other files created by the logical imager. Select the "Autopsy Imager" option and proceed to the next page.

dsp_select.png

In the top section, you can see all the logical imager result folders in the root folder of each drive. Select the one you want to add and then hit the "Next" button.

import.png

If your logical imager results are in a different location, select "Manually Choose Folder" and use the "Browse" button to locate your results.

In either case you'll get to configure the ingest modules to run. You can run any of them, but if you created a VHD your disk image may not be complete you may see more errors than normal. For example, the sparse VHD will contain the entire file allocation table but the actual data that goes with most of the files will be missing.

Regardless of whether you used a VHD or not, the matching files will appear in their original path with their original name in the Tree Viewer. If you did not create a VHD, you will only see matching files in the tree. If you did create a VHD, you'll see entries for non-matching files as well, though the contents of these files may not exist.

fileTree.png

Interesting File artifacts will be made for any files that match the rules.

interestingFiles.png

The alert and user files created by the logical imager can be found under the Reports section of the Tree Viewer.


Copyright © 2012-2023 BasisTech. Generated on Tue Feb 6 2024
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.