Greetings! Destruct_Icon here with a look into a forensics tool named Autopsy. Autopsy is a GUI into a suite of tools known as The Sleuth Kit and can be found here. In this article, we want to introduce you to the interface itself as well as describe some of the capabilities.
First off, we have a few different windows to look at. There is a Navigation pane on the left, a Directory Listing window on the top right and a Data Content window on the bottom right. The Navigation pane consists of the sources of the parsed data, the categorization of the parsed data as well as other custom searching results such as keyword hits. The Directory Listing window will list out the artifacts or data which was parsed along side file location, timestamps or search strings that are relevant. Lastly, when you select an item in the Directory Listing window, details about the item will be displayed on the bottom right which will be demonstrated later.
The first few steps are all about building your case/investigation and are very straight forward. This will include your case name, the output directory, case numbers and examiner information. After you finish up building your case, Autopsy should automatically ask you to add a data source. If this doesn’t happen, there is an Add Data Source option at the top which will bring up the same prompt.
Adding a Source
We can use all the usual suspects here: dd, img, bin, E01, etc… You may also change the source type to a local disk or logical file if required. For this intro, I’ve used an image of my host which was collected via FTK Imager with the output format of E01. Don’t forget to set the timezone!
The second step will be the request for modules you’d like to use. I’ve set this as default but take note of what can be selected. You can build hash sets, keyword lists, carve files with PhotoRec and more.
Step three, you know what time it is? That’s right! Progress bar time!
This may take a few minutes depending on what kind of collection or file you are parsing. The modules will finish and display a count of their results in the Navigation pane on the left.
Exploring the Navigation Pane
You will have a few categories to pick from. The data source should be the first category that can be selected which will allow you to drill down into the data inside it. In this scenario, the image that was parsed has the partitions broken up by type with the second “Basic data partition” containing the majority of what’s on the file system. This was also able to identify the recovery partition created by Windows as well as unallocated space.
The views category will contain file types, deleted files and files by size. The file types are represented as images, videos, documents, etc… The file sizes options are listed as 50 – 200MB, 200MB – 1GB and 1GB+.
Results will be the count of artifacts extracted from some of the modules you selected such as matches from your keyword lists, hits on your hash sets, extracted cookies, web browsing history and more. When performing any extra added keyword searching, post initial parsing, the results will be displayed here in the “Keyword Hits” area.
The last options are Tags and Reports. Tags allow you to bookmark data for later viewing while reports will have details about your generated reports.
Viewing Your Data
Now that we are familiar with the Navigation pane, let’s take a look at some of the data that was parsed. . When you have selected one of the results, such as the “images” file type, the Directory Listing window should look something similar to below.
All of the images that were identified will be displayed in this view. You should have a total count in the top right which will also be reflected in the nav pane. In the viewer, the filenames are presented along side a large amount of meta data. Some of the notables are the file location, MACB times, size and MD5 hash. Below this view, the Data Content window will display the selected image.
The tabs which we have available to us are Hex, Strings, File Metadata, Results, Indexed Data and Media. Most of the tabs are self explanatory however we will take a look at a few of the slightly less obvious ones in the next section.
Building a Keyword List
Building a keyword list is an extremely important part of analysis. In challenges, this is one of the first files we create as a team in order to keep track of relevant information. Autopsy allows you to build your lists at any time and makes searching simple. On the top right of the Autopsy GUI, you will see the Keyword Lists and Keyword Search buttons. The Keyword Search will allow you to create an exact match, substring match or regular expression match. When searched, the data will be stored in the Single Literal Keyword Search or Single Regular Expression Search options which are under the Keyword Hits in the Results category. This is great for your one off searches which you may not need to reference multiple times across cases. With our image, we created an example of building a new list and adding a keyword to that list.
By default, the lists consists of Phone Numbers, IP Addresses, Email Addresses and URLs. Clicking on each one, you’ll notice that they are all regex based and are great points of reference for building your own. I wanted to create an easy search for the term android. To do so, I had to hit the Manage Lists button which will bring up the Search Configuration.
Here we created a New List which will request to add a list name. The most important part of this next window is that the Keyword Options field is populated with a keyword and the Add button is hit. If the Add button is not pressed, the list will be empty. The best way to tell if the keyword was added is to make sure it is displayed in the top right table which identifies the keywords and whether it’s regex based or not. When we’ve finished adding our keyword, we hit the OK button and head back to the Keyword Lists. You can select which lists you want to add to your search by checking their boxes and then hit the search button to kick off the search.
After a few moments, the Navigation pane will update with some new information in the Results category. We see the keyword lists which were used as well as the specific keywords set as a child object as seen in the figure to the right. When selecting the keyword, the Directory Listing window should update with the artifacts which contain the keywords. These will possess the same expected metadata as when previewing the artifact in their respective categories.
When the artifact is selected, the Data Content window will open to the Indexed Data tab and display the match from the keyword. Clicking on the Results tab will display the keyword used to match on the artifact as well as a preview of exactly where the match occurred.
Tagging All the Way!
Another very important part of building out an investigation is bookmarking artifacts of interest. With a large data set, a report could have thousands upon thousands of artifacts which may have no relevance to a case. Being able to pull a subset of artifacts which you have tagged as relevant may assist you when writing out your observations and conclusion. Tagging data in Autopsy is very simple.
Right click and head to the Tag File section. This will slide out and allow you to either tag the data with populated tags or manually tag and comment the artifact. By default, Bookmark is the quick tag which is available however it does not give you the option to add a comment. Adding a comment will not only help you recollect why the tag was added but, if a third party requires access to the report, it will help others understand the importance of the artifact which was bookmarked.
When Tag and Comment is selected, a list of the tags are presented in a drop down menu fashion with the ability to add a comment. When finished, the artifact will be added to the Tags section of the Navigation Pane and contain the comment that was added to the file in the Directory Listing windows.
As the case winds down, reports may be required. Clicking on the Generate Report button below the menu bar will present multiple possible actions.
- Results – HTML creates an easy to navigate web environment with the details of your case. Click here for output preview.
- Results – Excel separates the data via worksheets. Click here for output preview.
- Files – Text is a tab delimited report which allows field selection. Click here for output preview.
- Google Earth/KML – Extracts coordinates and builds a KML file which can be imported into Google earth.
- STIX – This will allow you to scan the image or files in your data source against a repository of STIX indicators. STIX is an XML structured file which contains observables such as file names, e-mail addresses, IP addresses, domains, hashes etc… Click here to read more about STIX!
- TSK – Allows for an output associated with The Sleuth Kit which can be used for a timeline view of the data.
That’s all for the intro! I hope this was useful as I am very excited to utilize Autopsy in our work environment. If there are any questions, please feel free to contact me via comment or e-mail firstname.lastname@example.org. Thank you for checking out this post!