Data Artifacts, Analysis Results, and Reporting in Autopsy

This is a mini-course on Autopsy. See chapter times below. You might want to watch Part 1 first - Starting a new case in Autopsy: https://youtu.be/fEqx0MeCCHg

Autopsy is a free, open-source, full-features digital forensic investigation tool kit. It is developed by Basis Technology and a large open-source community. You can use Autopsy as the basis to conduct a full digital forensic investigation. You can also expand Autopsy with modules written in Java and Python.

We review the data artifacts and analysis results sections after ingesting a Windows 10 physical disk image in Autopsy 4.19. We walk through what each of the artifacts looks like and how they can be used in digital forensic investigations.

During our forensic analysis of a Windows 10 disk image, we reconstruct nmap installation and usage as an example. Then we use Autopsy to produce an artifact report that we can use as a reference for our final forensic investigation report.

Links:

• Autopsy Software: https://www.autopsy.com/
• HxD Hex Editor Software: https://mh-nexus.de/en/hxd/
• Practice Data: Windows 10 multi-part disk image - https://archive.org/details/africa-dfirctf-2021-WK01

Related Books:

• Practical Linux Forensics: A Guide for Digital Investigators
• Digital Forensics with Open Source Tools