Sleuth Kit Autopsy Manual
Step 3 — Enter the Case Details
Begin by entering the details about the case.

Step 5 — Add a Host to the Case
Click "Add Host" and you will be presented with a screen that allows you to add the host and a description. Where a time skew is known (the number of seconds by which the suspect system's clock was off), you can also enter it in advance so that the times Autopsy reports for that host are corrected.

Step 8 — Select the Location of the Image to Analyze
This will allow us to import an image into our evidence locker.

Step 9 — The Case Gallery
As you add hosts to the case, these will be displayed in the "Case Gallery".

Step 10 — Now Try the Other Options
You should work with the various features of the Autopsy browser and experiment with them in order to become familiar with the options and functionality.

The Evidence Analysis Techniques in Autopsy
The primary purpose of the Autopsy Forensic Browser is to act as a graphical front end to The Sleuth Kit and related tools, providing analysis, search and case management capabilities in a simple but comprehensive package.

Analysis Modes in Autopsy
A dead analysis occurs when a dedicated analysis system is used to examine the data from a suspect system: Autopsy and The Sleuth Kit run in a trusted environment, typically a lab, against an image of the suspect media. A live analysis, by contrast, examines the suspect system while it is still running, with Autopsy and The Sleuth Kit run from trusted media because the environment itself cannot be trusted.

Evidence Search Techniques
The Autopsy Browser provides the following evidence search functionality:

File Listing: Analyze the files and directories, including the names of deleted files and files with Unicode-based names.

File Contents: When file data is interpreted for display, Autopsy sanitizes it to prevent damage to the local analysis system, and Autopsy does not use any client-side scripting languages. This keeps active content inside evidence files (an HTML page carrying a script, for example) from executing in the examiner's browser.

Hash Databases: Look up unknown files in a hash database to quickly identify them as known-good or known-bad.

File Type Sorting: Sort the files based on their internal signatures to identify files of a known type. Autopsy can also extract only graphic images, including thumbnails. The extension of each file is also compared with its detected type to identify files whose extension may have been changed to hide them.

Timeline of File Activity: A timeline of file activity can help identify areas of a file system that may contain evidence. Autopsy can create timelines that contain entries for the Modified, Accessed, and Changed (MAC) times of both allocated and unallocated files.
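The following is an added example, not Autopsy's or The Sleuth Kit's code: it reimplements the File Type Sorting idea described above, detecting a file's type from its leading bytes and flagging files whose extension contradicts that type. The signature table covers only a handful of common formats, and the sample files (including an executable renamed to `.jpg`) are constructed for the demonstration.

```python
"""Signature-based file typing with extension-mismatch detection.

Added example, not Autopsy code: it reproduces the idea behind the manual's
"File Type Sorting" item (identify a file by its internal signature, then
compare the detected type with the file name's extension). The signature
table covers only a handful of common types and the sample files are
constructed for the demonstration.
"""
import os
import tempfile

# (signature bytes at offset 0, canonical type, extensions consistent with it)
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {"png"}),
    (b"GIF87a", "gif", {"gif"}),
    (b"GIF89a", "gif", {"gif"}),
    (b"%PDF-", "pdf", {"pdf"}),
    (b"PK\x03\x04", "zip", {"zip", "docx", "xlsx", "pptx", "jar", "apk"}),
    (b"MZ", "pe", {"exe", "dll", "sys", "scr"}),
    (b"\x7fELF", "elf", set()),          # ELF binaries normally carry no extension
]

def identify(header: bytes) -> str:
    """Return the canonical type for a file's leading bytes, or 'unknown'."""
    for magic, kind, _ in SIGNATURES:
        if header.startswith(magic):
            return kind
    return "unknown"

def extension_matches(kind: str, ext: str) -> bool:
    """True unless the extension contradicts the detected type. A missing
    extension or an unknown type gives nothing to compare, so it is not flagged."""
    if kind == "unknown" or not ext:
        return True
    accepted = set()
    for _, k, exts in SIGNATURES:
        if k == kind:
            accepted |= exts
    return ext.lower() in accepted

def classify_file(path: str) -> dict:
    """Read the header, detect the type and flag a misleading extension."""
    with open(path, "rb") as fh:
        header = fh.read(16)
    kind = identify(header)
    ext = os.path.splitext(path)[1].lstrip(".")
    return {"path": path, "type": kind, "extension": ext,
            "mismatch": not extension_matches(kind, ext)}

def sort_by_type(paths):
    """Group files by detected type (what the sorter does) and collect mismatches."""
    groups, mismatches = {}, []
    for path in paths:
        info = classify_file(path)
        groups.setdefault(info["type"], []).append(info["path"])
        if info["mismatch"]:
            mismatches.append(info)
    return groups, mismatches

def demo():
    """Write constructed sample files to a temp dir and run the sorter over them."""
    workdir = tempfile.mkdtemp()
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "notes.txt": b"just some text\n",
        "report.pdf": b"%PDF-1.4\n",
        "holiday.jpg": b"MZ\x90\x00" + b"\x00" * 60,   # executable renamed to hide it
        "archive.docx": b"PK\x03\x04" + b"\x00" * 20,  # OOXML is a zip container
        "tool": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
    }
    paths = []
    for name, content in samples.items():
        path = os.path.join(workdir, name)
        with open(path, "wb") as fh:
            fh.write(content)
        paths.append(path)
    groups, mismatches = sort_by_type(paths)
    by_type = {k: sorted(os.path.basename(p) for p in v) for k, v in groups.items()}
    flagged = sorted(os.path.basename(m["path"]) for m in mismatches)
    return by_type, flagged

if __name__ == "__main__":
    print(demo())
```

Only the first 16 bytes are read per file, which is enough for these signatures; a production sorter uses a much larger signature table and checks signatures at non-zero offsets as well (for example formats with a leading RIFF or container header).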
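The next block is an added example, not Autopsy's or The Sleuth Kit's code: it builds the kind of MAC timeline described in the Timeline of File Activity item from Sleuth Kit "body" records, the intermediate format that `fls -m` emits and `mactime` consumes. The body layout assumed is the TSK 3.x one (`MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime`, epoch seconds); the two records are constructed, and the `skew_seconds` parameter mirrors the per-host time skew entered when the host is added to the case.

```python
"""Build a MAC timeline from Sleuth Kit 'body' records (added example).

This is not Autopsy's or The Sleuth Kit's code; it reimplements, for
illustration, what the manual's "Timeline of File Activity" item describes
and what `fls -m` followed by `mactime` produce. The body format assumed is
the TSK 3.x one: MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
with epoch-second times. The two records below are constructed samples.
"""
from datetime import datetime, timezone

# Constructed sample: one allocated document and one deleted script, as
# `fls -r -m /` would list them (deleted entries carry "(deleted)" in the name).
SAMPLE_BODY = """\
0|/home/user/report.docx|1234|r/rrw-r--r--|1000|1000|20480|1700000300|1700000200|1700000200|1700000100
0|/home/user/wipe.sh (deleted)|1250|r/rrwxr-xr-x|1000|1000|512|1700000500|1700000400|1700000400|1700000400
"""

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")
# mactime prints the four time types in the fixed column order m a c b.
TIME_COLUMNS = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))

def parse_body(text):
    """Yield one dict per body record; malformed lines are skipped, not guessed at."""
    for raw in text.splitlines():
        parts = raw.split("|")
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        for key in ("inode", "size", "atime", "mtime", "ctime", "crtime"):
            rec[key] = int(rec[key])
        rec["deleted"] = "(deleted)" in rec["name"]
        yield rec

def build_timeline(text, skew_seconds=0):
    """Return timeline rows sorted by time (ties ordered by name).

    Each row is {"time", "flags", "size", "inode", "name", "deleted"}; flags is
    the mactime-style 'macb' string with '.' for time types that do not fall on
    that second. Zero timestamps are skipped, as mactime does. skew_seconds is
    added to every timestamp, mirroring the per-host skew entered at case setup.
    """
    events = {}
    for rec in parse_body(text):
        for field, letter in TIME_COLUMNS:
            ts = rec[field]
            if ts == 0:
                continue
            key = (ts + skew_seconds, rec["name"])
            row = events.setdefault(key, {
                "time": ts + skew_seconds, "flags": ["."] * 4, "size": rec["size"],
                "inode": rec["inode"], "name": rec["name"], "deleted": rec["deleted"],
            })
            row["flags"]["macb".index(letter)] = letter
    return [dict(r, flags="".join(r["flags"])) for _, r in sorted(events.items())]

def render(rows):
    """Format rows roughly like mactime's default output, in UTC."""
    lines = []
    for r in rows:
        when = datetime.fromtimestamp(r["time"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{when} {r['size']:>8} {r['flags']} {r['inode']:>6} {r['name']}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(build_timeline(SAMPLE_BODY)))
```

Reading the output: the deleted script shows `m.cb` on one second and `.a..` a little later, the pattern of a file created, written and then executed shortly before deletion, which is exactly the kind of cluster the timeline is meant to surface.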

Keyword Search: Searches can be performed on either the full file system image or just the unallocated space. An index file can be created for faster searches. Strings that are frequently searched for can be configured in Autopsy for automated searching.

Meta Data Analysis: Meta data structures contain the details about files and directories. Autopsy allows you to view the details of any meta data structure in the file system. This is useful for recovering deleted content, because a deleted file's meta data entry may still point at the data units that held its content. Autopsy will search the directories to identify the full path of the file that has allocated the structure.

Data Unit Analysis: Data units are where file content is stored. Autopsy allows you to view the contents of any data unit in a variety of formats, including ASCII, hexdump, and strings. The file type is also given, and Autopsy will search the meta data structures to identify which one has allocated the data unit.

Image Details: File system details can be viewed, including the on-disk layout and times of activity.

This mode provides information that is useful during data recovery.

Case Management
Autopsy provides a number of functions that aid in case management. The following functions within Autopsy are specifically designed to aid in case management:

Event Sequencer: Time-based events can be added from file activity or from IDS and firewall logs. Autopsy sorts the events so that the sequence of incidents associated with an event can be easily determined.

Notes: Notes can be saved on a per-host and per-investigator basis. These allow the investigator to make quick notes about files and structures. The original location can be easily recalled with the click of a button when the notes are later reviewed.
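Returning to the Data Unit Analysis and Keyword Search items above, the following added example (not Autopsy's or The Sleuth Kit's code) shows the three operations they describe over a raw image: viewing a data unit as a hexdump or as extracted strings, looking up which meta data structure allocated a unit, and searching either the whole image or only unallocated space for keywords. The four-unit image, its allocation bitmap and its inode-to-unit table are constructed inline; a real file system would supply them from its on-disk bitmap and inode table.

```python
"""Data-unit viewing, owner lookup and keyword search over a raw image.

Added example, not Autopsy code: it reimplements what the manual's
"Data Unit Analysis" item (view a unit as ASCII, hexdump or strings, and
find which meta data structure allocated it) and "Keyword Search" item
(search the whole image or only the unallocated space) describe. The
four-unit image, its allocation bitmap and its inode-to-unit table are all
constructed here.
"""
UNIT_SIZE = 512

def build_sample_image():
    """Constructed image: units 0 and 2 belong to files, units 1 and 3 are
    unallocated, and unit 3 still holds the content of a deleted note."""
    units = [
        b"ALLOCATED FILE: quarterly report draft\n".ljust(UNIT_SIZE, b"\x00"),
        b"\x00" * UNIT_SIZE,
        b"\xff\xd8\xff\xe0JFIF".ljust(UNIT_SIZE, b"\x00"),
        b"deleted note: meet at the warehouse, bring the falcon files\n".ljust(UNIT_SIZE, b"\x00"),
    ]
    allocated = [True, False, True, False]
    inode_table = {12: [0], 13: [2]}    # meta data structure -> data units it allocates
    return b"".join(units), allocated, inode_table

def data_unit(image: bytes, n: int) -> bytes:
    """Slice data unit n out of the image."""
    return image[n * UNIT_SIZE:(n + 1) * UNIT_SIZE]

def hexdump(unit: bytes, width: int = 16) -> str:
    """Render a unit in the usual offset / hex / ASCII layout."""
    lines = []
    for off in range(0, len(unit), width):
        chunk = unit[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} |{ascii_part}|")
    return "\n".join(lines)

def strings(unit: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs of at least min_len bytes, like strings(1)."""
    found, run = [], bytearray()
    for b in unit + b"\x00":            # sentinel flushes a run that ends the unit
        if 32 <= b < 127:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found

def owner_of(n: int, inode_table: dict):
    """Reverse lookup: the inode that allocated unit n, or None if unallocated."""
    for inode, units in inode_table.items():
        if n in units:
            return inode
    return None

def keyword_search(image: bytes, allocated: list, keywords, unallocated_only: bool = False) -> dict:
    """Map each keyword (case-insensitive) to (unit, offset-in-unit) hits.
    The whole image is scanned rather than one unit at a time, so a keyword
    that straddles a unit boundary is still found; a hit is attributed to the
    unit in which it starts, and that unit's allocation state decides whether
    it is kept when only unallocated space is being searched."""
    haystack = image.lower()
    hits = {k: [] for k in keywords}
    for k in keywords:
        needle = k.lower().encode()
        pos = haystack.find(needle)
        while pos != -1:
            unit = pos // UNIT_SIZE
            if not (unallocated_only and allocated[unit]):
                hits[k].append((unit, pos % UNIT_SIZE))
            pos = haystack.find(needle, pos + 1)
    return hits

if __name__ == "__main__":
    image, allocated, inodes = build_sample_image()
    print(hexdump(data_unit(image, 2)).splitlines()[0])
    print(strings(data_unit(image, 3)), owner_of(2, inodes), owner_of(3, inodes))
    print(keyword_search(image, allocated, ["falcon", "report"], unallocated_only=True))
```

The unallocated-only search returns the "falcon" hit in unit 3 and nothing for "report", because the only copy of "report" sits in an allocated unit; that is the behaviour you want when hunting for remnants of deleted files rather than live ones.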

Image Integrity: Because one of the most crucial aspects of a forensic investigation is ensuring that data is not modified during analysis, Autopsy by default generates an MD5 value for every file that is imported or created. The integrity of any file that Autopsy uses can be validated at any time. Since MD5 collisions are practical today, record a SHA-256 value alongside the MD5 for any evidence that may later have to be defended; the MD5 remains useful for matching legacy hash sets.

This enables the investigator to promptly produce consistent integrity records during the course of the investigation.

Logging: Audit logs are created at the case, host, and investigator level so that all actions can be easily retrieved. The complete Sleuth Kit commands are logged exactly as they are executed on the system, so any result can be reproduced by re-running the logged command against the same image.
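The following added example (not Autopsy's code) covers two of the items above with one hashing routine: the Hash Databases lookup that labels files as known-good or known-bad, and the Image Integrity record that hashes every imported file so later modification can be detected. MD5 is computed because that is what the manual describes and what legacy hash sets are keyed by; SHA-256 is recorded alongside it for the reason given in the Image Integrity item. The sample files, the known-good/known-bad sets and the file names are all constructed for the demonstration.

```python
"""Evidence hashing for integrity records and hash-database lookup.

Added example, not Autopsy code. It illustrates the "Hash Databases"
lookup (label unknown files as known-good or known-bad) and the
"Image Integrity" check (hash every imported file so later modification
can be detected). MD5 is computed because that is what the manual describes
and what legacy hash sets are keyed by; SHA-256 is recorded alongside it
because MD5 collisions are practical, so an MD5 alone is a weak witness that
evidence was not altered. Sample files and hash sets are constructed here.
"""
import hashlib
import os
import tempfile

def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Stream the file once, feeding every configured digest; returns {alg: hex}."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}

def build_manifest(paths):
    """Integrity record taken at import time: file name -> digests."""
    return {os.path.basename(p): hash_file(p) for p in paths}

def verify_manifest(manifest, directory):
    """Re-hash each recorded file; return the names whose digests changed."""
    changed = []
    for name, recorded in manifest.items():
        current = hash_file(os.path.join(directory, name), tuple(recorded))
        if current != recorded:
            changed.append(name)
    return sorted(changed)

def lookup(manifest, known_good, known_bad):
    """Classify files against hash sets keyed by lowercase MD5. A hash present
    in both sets is reported as known-bad: a tool that is benign in general may
    still be the attacker's tool in this case."""
    labels = {}
    for name, digests in manifest.items():
        md5 = digests["md5"].lower()
        if md5 in known_bad:
            labels[name] = "known-bad"
        elif md5 in known_good:
            labels[name] = "known-good"
        else:
            labels[name] = "unknown"
    return labels

def demo():
    """Create three constructed sample files, classify them, then tamper with
    one and show the integrity check catching it."""
    workdir = tempfile.mkdtemp()
    contents = {
        "system-lib.dll": b"MZ constructed benign library bytes",
        "invoice.scr": b"MZ constructed malicious dropper bytes",
        "diary.txt": b"constructed user document",
    }
    paths = []
    for name, data in contents.items():
        path = os.path.join(workdir, name)
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)

    # Hash sets as an examiner would load them: a known-good set (vendor
    # software) and a known-bad set (malware hashes), both keyed by MD5.
    known_good = {hashlib.md5(contents["system-lib.dll"]).hexdigest()}
    known_bad = {hashlib.md5(contents["invoice.scr"]).hexdigest()}

    manifest = build_manifest(paths)
    labels = lookup(manifest, known_good, known_bad)
    untouched = verify_manifest(manifest, workdir)      # [] : nothing changed yet

    with open(os.path.join(workdir, "diary.txt"), "ab") as fh:
        fh.write(b" (edited after import)")
    changed = verify_manifest(manifest, workdir)        # ["diary.txt"]
    return labels, untouched, changed

if __name__ == "__main__":
    print(demo())
```

Hashing in streamed chunks keeps memory flat for multi-gigabyte images, and feeding both digests from the same read means adding SHA-256 costs no extra disk pass.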

Autopsy Platform Overview

Easy to Use
Autopsy was designed to be intuitive out of the box.

Extensible
Autopsy was designed to be an end-to-end platform with modules that come with it out of the box and others that are available from third parties. Developers should refer to the module development page for details on building modules.

Fast
Everyone wants results yesterday. Autopsy runs background tasks in parallel using multiple cores and provides results to you as soon as they are found. It may take hours to fully search the drive, but you will know in minutes if your keywords were found in the user's home folder. See the fast results page for more details.

Cost Effective
Autopsy is free. As budgets are decreasing, cost-effective digital forensics solutions are essential. Autopsy offers the same core features as other digital forensics tools and offers other essential features, such as web artifact analysis and registry analysis, that other commercial tools do not provide.
