Try Hack Me Room: Autopsy

Task 01: Introduction

What is Autopsy?

Flags 1.1

NA

Task 02: Installation

Installing Autopsy for Windows is pretty straightforward.

  1. If Windows prompts with User Account Control, click Yes
  2. Click through the dialog boxes until you click a button that says Finish

Task 03: Workflow Overview

Before diving into Autopsy and analyzing data, there are a few steps to perform, such as identifying the data source and what Autopsy actions to perform with the data source.

  1. Select the data source you wish to analyze
  2. Configure the ingest modules to extract specific artifacts from the data source
  3. Review the artifacts extracted by the ingest modules
  4. Create the report
  • Base Directory: The root directory that will store all the files specific to the case (the full path will be displayed)
  • Case Type: Specify whether this case will be local (Single-user) or hosted on a server where multiple analysts can review (Multi-user)

Flags 3.1

Autopsy files end with which file extension? .aut

Task 04: Data Sources

Before diving into analyzing the data, let’s briefly cover the different data sources Autopsy can analyze.

  • Raw Split (For example: *.001, *.002, *.aa, *.ab, etc)
  • EnCase (For example: *.e01, *.e02, etc)
  • Virtual Machines (For example: *.vmdk, *.vhd)

Flags 4.1

In the above screenshot, what is the disk image format for SUSPECTHD? EnCase

Explanation 4.1

The file name ends with .E01, which is the EnCase (Expert Witness) image extension.
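As an added example (not part of the room or the original write-up), the classifier below sorts a data source into the three families listed above from its name, confirms an .E01 by the EWF file signature rather than trusting the extension alone, and checks a raw split set for missing segments. The file names and header bytes used in it are constructed.

```python
import re
from pathlib import Path

# EnCase/EWF segment files begin with this 8-byte signature ("EVF\t\r\n\xff\x00").
EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"

# Extension patterns for the families the room lists (constructed for this example).
RAW_SPLIT_RE = re.compile(r"^\.(?:\d{3}|[a-z]{2})$", re.IGNORECASE)  # .001, .002, .aa, .ab
ENCASE_RE = re.compile(r"^\.e\d{2}$", re.IGNORECASE)                 # .e01, .e02, ...
VM_EXTENSIONS = {".vmdk", ".vhd"}


def classify_by_name(name: str) -> str:
    """Return the data source family implied only by the file name."""
    ext = Path(name).suffix
    if ENCASE_RE.match(ext):
        return "EnCase"
    if ext.lower() in VM_EXTENSIONS:
        return "Virtual Machine"
    if RAW_SPLIT_RE.match(ext):
        return "Raw Split"
    return "Unknown"


def classify_bytes(name: str, header: bytes) -> str:
    """Combine the name-based guess with the EWF signature check.

    An .E01 whose first bytes are not the EWF signature is reported as a
    mismatch instead of being trusted, and a renamed EWF file is still
    recognised as EnCase; the same idea Autopsy's extension mismatch
    module applies to files inside an image.
    """
    guess = classify_by_name(name)
    if header.startswith(EWF_SIGNATURE):
        return "EnCase" if guess == "EnCase" else "EnCase (extension mismatch)"
    if guess == "EnCase":
        return "Unknown (extension says EnCase, no EWF signature)"
    return guess


def missing_split_segments(names):
    """For a numbered raw split set (.001, .002, ...), list absent segment numbers.

    Segments are expected to run from 001 up to the highest one present;
    a gap means the image cannot be added to a case as a complete source.
    """
    nums = {int(Path(n).suffix[1:]) for n in names
            if re.fullmatch(r"\.\d{3}", Path(n).suffix)}
    return [i for i in range(1, max(nums, default=0) + 1) if i not in nums]
```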

Task 05: Ingest Modules

Essentially, Ingest Modules are Autopsy plug-ins. Each Ingest Module is designed to analyze and retrieve specific data from the drive.

  1. Create/edit file ingest filters

Flags 5.1

Task 06: The User Interface

Let’s look at the Autopsy user interface, which is comprised of 5 primary areas:

  • Tree Viewer (Left pane)
  • Result Viewer (Top right pane)
  • Keyword Search (Upper Top Right)
  • Contents Viewer (Bottom right pane)
  • Status Area (Lower Bottom right)

Tree Viewer

  • Views — files will be organized based on file types, MIME types, file size, etc.
  • Results — as mentioned earlier, this is where the results from Ingest Modules will appear.
  • Tags — will display files and/or results that have been tagged (read more about tagging here)
  • Reports — will display reports either generated by modules or the analyst. (read more about reporting here)

Result Viewer

Note: Don’t confuse the Results node (from the Tree Viewer) with the Result Viewer.

Contents Viewer

From the Table tab in the Result Viewer, if you click any folder/file, additional information is displayed in the Contents Viewer pane.

  • C = Comment: If a yellow page is visible in the Comment column, it indicates that there is a comment for the folder/file.
  • O = Occurrence: In a nutshell, this column indicates how many times this file/folder has been seen in past cases (this requires the Central Repository).

Keyword Search

At the top right, you will find Keyword Lists and Keyword Search.

Status Area

Lastly, the Status Area is at the bottom right.

Task 07: Data Analysis

Case Scenario: An employee was suspected of leaking company data. A disk image was retrieved from the machine. You were assigned to perform the initial analysis. Further action will be determined based on the initial findings.

Flags 7

Flag ID | Question | Answer
1 | What is the full name of the operating system version? | windows 7 ultimate service pack 1
2 | What percentage of the drive are documents? Include the % in your answer. | 40.8%
3 | The majority of file events occurred on what date? (MONTH DD, YYYY) | ans
4 | What is the name of an Installed Program with the version number of 6.2.0.2962? | ans
5 | Question | ans
6 | Question | ans
7 | Question | ans
8 | Question | ans
9 | Question | ans
10 | Question | ans

Flag-7.1

Flag-7.2

Click on Disk -> Listing -> Summary

Flag-7.3

The Summary tab has the answers.

Flag-7.4

Flag-7.5

Flag-7.6

Flag-7.7

It took me 20 min to figure out; in the end I used the hacky way of looking through the search results manually and eyeballing them. Not sure if that was the intended way.

Flag-7.8

The timestamp was helpful.

Flag-7.9

Flag-7.10

Task 08: Visualization Tools

  1. Events — the events are displayed here based on the View Mode
  2. Files/Contents — additional information on the event(s) is displayed in this area

  1. Details — information on events is displayed, but they are clustered and collapsed, so the UI is not overloaded
  2. List — the events are displayed in a table view

Flag 8.1

Using the Timeline, how many results were there on 2015-01-12? 46

Task 9: Conclusion

To conclude, there is more to Autopsy that wasn’t covered in detail within this room.

  • Global File Extension Mismatch Identification Settings
  • Global Keyword Search Settings
  • Global Interesting Items Settings
  • Yara Analyzer
