No video
Starting a New Digital Forensic Investigation Case in Autopsy 4.19+
Рет қаралды 129,038
Күн бұрынThis is a mini-course on Autopsy. See chapter times below.
Autopsy is a free, open-source, full-features digital forensic investigation tool kit. It is developed by Basis Technology and a large open-source community. You can use Autopsy as the basis to conduct a full digital forensic investigation. You can also expand Autopsy with modules written in Java and Python.
Thank you to our Members and Patrons, but especially to our Investigators, TheRantingGeek and Roman! Thank you so much!
We take you through how to start a digital investigation case in Autopsy. From organizing your data, starting your forensic documentation, processing case data, forensic analysis workflow, and generating reports.
00:00 Starting a digital investigation with Autopsy
00:11 Setting up your forensic workstation
00:37 Organize case files
02:42 Start your documentation!
03:06 Organizing suspect image data
04:33 Starting a new case in Autopsy
04:42 Autopsy: Case Information
05:59 Autopsy: Optional Information
06:57 Autopsy: Select Host
07:39 Autopsy: Select Data Source Type
09:02 Autopsy: Select Data Source
10:27 Autopsy: Configure Ingest
10:46 Modules: Recent Activity
11:09 Modules: Hash Lookup
12:29 Modules: File Type Identification
14:10 Modules: Extension Mismatch Detector
16:03 Modules: Embedded File Extractor
16:24 Modules: Picture Analyzer
16:45 Modules: Keyword Search
19:34 Modules: Email Parser
19:42 Modules: Encryption Detection
19:58 Modules: Interesting Files Identifier
20:41 Modules: Central Repository
22:10 Modules: PhotoRec Carver
22:42 Modules: Virtual Machine Extractor
23:00 Modules: Data Source Integrity
23:17 Modules: ALEAPP
23:34 Modules: Plaso
23:51 Modules: YARA Analyzer
24:17 Modules: iLEAPP
24:33 Modules: Android Analyzer
24:38 Autopsy module selection strategy
25:13 Autopsy: Add Data Source
25:42 Autopsy: Processed Data View
25:58 Autopsy: Main file view
26:18 Autopsy: File detail view
27:58 Autopsy: Filters and views
28:55 Autopsy: Deleted files filter
29:59 Autopsy: Data Artifacts, etc
30:22 Example investigation workflow
30:43 Case-specific keyword search
31:21 Tagging relevant items
34:46 Generate findings report
37:33 Analysis procedure overview
37:55 Autopsy: Images/Videos tool
38:17 Conclusions
Learn how to do forensic keyword searching, entropy testing, YARA basics, file carving, and more with Autopsy digital forensic software.
🚀 Full Digital Forensic Courses → learn.dfir.sci...
Links:
* Autopsy Software: www.autopsy.com/
* HxD Hex Editor Software: mh-nexus.de/en...
* Practice Data: dfir.science/a...
Related Books:
* Practical Linux Forensics: A Guide for Digital Investigators (amzn.to/3gzXCh9)
* Digital Forensics with Open Source Tools (amzn.to/34FBrUe)
#Autopsy #forensics #investigation #case #dfir
010001000100011001010011011000110110100101100101011011100110001101100101
Get more Digital Forensic Science
👍 Subscribe → bit.ly/2Ij9Ojc
❤️ YT Member → bit.ly/DFIRSci...
❤️ Patreon → / dfirscience
🕸️ Blog → DFIR.Science
🤖 Code → github.com/DFI...
🐦 Follow → / dfirscience
📰 DFIR Newsletter → bit.ly/DFIRNews
010100110111010101100010011100110110001101110010011010010110001001100101
Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Please link back to the original video. If you want to use this video for commercial purposes, please contact us first. We would love to see what you are doing.
@j.s.3414 2 жыл бұрын
Seriously the best introductory/basic-workflow Autopsy video I've watched. I absolutely love that you give additional detail about the modules, and that you explained your workflow.
@mr_daihatsu 2 жыл бұрын
I just got my sec+ cert CompTIA and decided forensics is what I love and need to do so I agree! When I watched this video it made me entrench myself in my decision to pursue forensics in the cyber security community. Thank you
@sergiopico3828 9 ай бұрын
agreed!
@cybercatlabs 6 ай бұрын
Exactly what I was looking for to complete an assignment. Thank you!
@thanhphuongle8229 2 жыл бұрын
after trying around 5-11 videos this is the only one that i found working
@DFIRScience 2 жыл бұрын
I hope it was helpful. Let me know if you have any questions.
@margalocaris Жыл бұрын
Very thorough explanation! Your videos have been pointed to by one of my college professors.
@margalocaris Жыл бұрын
Love the cat pictures as a stand-in for criminal evidence. Very cute.
@TheMiejoe Жыл бұрын
Thanks for the tutorial! I'm a criminal law student so Digital Forensic Investigation is really interesting. I've always wondered how gathering digital evidence works. I learned a lot from your tutorial!
@filzaakhlaq3104 Жыл бұрын
The link in your description for sample data doesn't contain the hash file that is in the video. it only has an image .dd file. How do I proceed ?
@fa307 2 жыл бұрын
Glad that I found your channel 👍🏽👍🏽
@DFIRScience 2 жыл бұрын
Glad you're here! Let me know if you have any questions. :D
@butruscyprianooturoonyong7030 Жыл бұрын
thank you master for the basic introduction of using autospy in digital forensic. i have watch the video is very interesting. my gratitude and wish you all the best
@CT-zq3kz 2 жыл бұрын
Want to thank you for the time you put into your content. You are pretty much the only forensics KZfaq channel that consistently produces great content. Well done my friend, and thank you.
@DFIRScience 2 жыл бұрын
Thank you so much for the kind words. I appreciate it. Let me know if you have any questions or topics you'd like to see.
@zidanetribal2343 2 жыл бұрын
Found a new DFIR channel gem
@DEDEPLDEDE 11 ай бұрын
Very interesting material for someone starting in the IR team. Great video!
@Tomas-Montenovi 2 жыл бұрын
Thank you for this well made tutorial!
@DFIRScience 2 жыл бұрын
I hope it was helpful!
@NightShooter87 2 жыл бұрын
FTK and Autopsy are the one's I always use. Great vid.
@malemmutum5049 Жыл бұрын
I thoroughly enjoyed it! Thanks for the great tutorial.
@Bianchi77 8 ай бұрын
Nice video, well done, thanks for sharing it with us :)
@michalsedlacek560 Жыл бұрын
This is amazing video with great works very well
@bjazi085 5 ай бұрын
One word, amazing
@piyushsingh4071 18 күн бұрын
sir, I just wanted to know how did you downloaded the data artifacts module. Because when I do, my all files are extracted except data artifacts module
@RahulYadav-lu6sc Жыл бұрын
TNice tutorials was very helpful thankyou.
@temitopejoshua5675 4 ай бұрын
Thank You. This was helpful
@AniketAmdekar Жыл бұрын
awesome tutorial for learning the Autopsy tool! Can you also share some good sources for getting forensic images for data recovery challenges?
@NomaGodwin 6 ай бұрын
I want to learn how to track devices like phones and PC. Pls I need advice on how and where to start from. Thank you to anyone helping me out on this
@liveyourlifeplease Жыл бұрын
Great explanation, thanks
@BlueMonkey4n6 2 жыл бұрын
Excellent content as always!
@DFIRScience 2 жыл бұрын
Thank you so much!
@kcm100593 Жыл бұрын
Thank you so much for this! Do you happen to have a video or guide on how to upload an iPhone or Apple device into FTK imager to create a readable format for autopsy?
@rempairamore 2 жыл бұрын
Amazing video! Nevertheless, it would have been better to use the dd/ISO files that NIST put at disposal to see all the functionalities of the software
@DFIRScience 2 жыл бұрын
That's true. I used a smaller data set for fast processing, and realized my mistake when I wanted to show OS artifacts... I'll have to fix that! Thank you.
@DFIRScience 2 жыл бұрын
See part 2 - we process a Windows 10 disk image and go through data artifacts and analysis results: kzfaq.info/get/bejne/a7l4dZd53NG8Ymw.html
@mroell Жыл бұрын
Awesome tutorial, thanks a lot
@ckcyberwolf Жыл бұрын
I have an image file on an external HD I run autopsy and it parses through and says finished but it will never load the image in.
@GerobakAngkringan-lw1py 8 ай бұрын
Hello sir, I have a question. 4 days ago i was creating a new case with disk image file from a 500gb HDD, and it still anlyzing till today... what if when the analyzing progress is finished, then i close the autopsy and turn off my laptop and then open it again... does it need to re run the analyzing progress again or not? Please help me cuz my laptop is running for 4 days till now. Thanks :) Sorry for bad english :D
@RekhaJadhav-rk5oq Жыл бұрын
Thank you for the best video. I have one doubt, though. During the case creation, we can add M5. However, we cannot add SHA512. there is only the option of adding SHA256.
@IsaacFoster.. 6 ай бұрын
yea Let's go get some coffee
@Littlechicken30 2 жыл бұрын
Great tool for forensic .
@siew-mengkuea3336 9 ай бұрын
I installed libscca-tools and I want to analyze the Prefetch folder in autopsy, I am on Tsurugi how should I proceed?
@admoconnors859 2 жыл бұрын
This is good. Thanks for this.
@DFIRScience 2 жыл бұрын
I hope it was helpful!
@CitizenZReincarnated 2 жыл бұрын
Thank you so much for this, you are very thorough and provide a high level overview in this video of the various ingest modules which is very helpful. I do have one question though and perhaps this comes later in the video or another video on your channel. When is the best time to configure the settings of Autopsy outside of a case? I would assume it would be prior to starting the first case on my machine. My question really applies to configuring things like the temporary directory of autopsy, changing the central repository, etc etc.
@DFIRScience 2 жыл бұрын
Great question. Some settings you will know what makes sense for your computer/lab setup. Some settings are more case-dependent, or you will learn to tweak to your specific needs over time. Open up a test case in Autopsy and configure the Autopsy global settings how you want. This is when I add NSRL hashes, configure remote repositories, etc. Then close/delete the test case and Autopsy will remember your global settings when you open your real case. Don't be afraid to go back and change settings to try to get better performance. Sometimes they also add new features that need configured.
@henchnerd9404 Жыл бұрын
how do i create a disk image, i want to practise on my own machine and recover things ive deleted from it but cant find anything on how to create a disk image that i can use for autopsy
@Lexzee_Lee 2 жыл бұрын
Great video! What other steps can be taken to be able to view content of a carved deleted file which was unallocated and not viewable using the application feature in Autopsy? Is it possible to rebuild those kinda files to view the contents? Thanks.
@DFIRScience 2 жыл бұрын
If some file data was successfully carved, but is not showing in the "Application" tab, then the data may not be complete or is otherwise corrupted. You can try exporting the file (right click on the file and click "Extract File(s)") and try to open it with a viewer on your computer. If that still doesn't work, then you can view the structure of the data in the hex viewer "Hex" tab. It really depends on what, where and how much data is missing or corrupt as to whether you can reconstruct the file. You might also try using PhotoRec directly to recover data of the file type you are interested in. You might get lucky. www.cgsecurity.org/wiki/PhotoRec
@anonvpn7542 Жыл бұрын
This is great stuff thanks. One question. At time code 33:24 when talking about substrings I noted 2 files of the same name however one has -slack on the end. Does this mean the file appears twice once in slack space?
@Philliesfan261 2 ай бұрын
Anyone else have issues installing it on Mac?
@Simplelifevlogg 3 ай бұрын
Kya is app ko mobile 📲 phone me use kr skte he
@kazalozaloo8307 8 ай бұрын
Thanks ❤❤
@lovlife5717 Ай бұрын
Can you help me I cant see my content
@ThomasHoward4thDuke Жыл бұрын
How can I do the parts using linux? I'm using a windows vm on mac
@dyarizadeh3 2 жыл бұрын
Fantastic!
@DFIRScience 2 жыл бұрын
Thank you!
@sufianmohammad2290 Жыл бұрын
@@DFIRScience How do i create a disk image?
@whaatisthis2023 2 жыл бұрын
Hi I am new to all of this. I downloaded the practice data and I think I don't have the right format as it does not look the same as what you are showing. I have a windows 11 machine. What should I open the file with? Thanks.
@DFIRScience 2 жыл бұрын
The practice data is in a "zip" file to make it a bit smaller. In windows you should be able to right click on the zip file and select "extract here" (or something similar). This will create a new file that is the original disk image. You should be able to load that into autopsy. Let me know if you have any trouble.
@ananddarekar5052 8 ай бұрын
sir please provide the sample data
@mallahata4331 Жыл бұрын
hi is it possible to use autopsy to repair corrupted video file ?
@stevenjeansonne3804 2 жыл бұрын
If you have a partition that is encrypted and have the key /password how do you ingest it or import it?
@DFIRScience 2 жыл бұрын
You will need to mount the encrypted partition first. If you are using Windows the easiest way is probably to use Arsenal Recon's Arsenal Image Mounter -> arsenalrecon.com/products/arsenal-image-mounter
@michaelpaul691 2 жыл бұрын
Thanks for overview, how well does Autopsy do with video?
@DFIRScience 2 жыл бұрын
You can do previews, and the media utility hash some additional functionality. For in-depth processing like video spliced in video there is not a default detector (might be an external plugin). What were you thinking?
@lapping78 2 жыл бұрын
Thank you
@DFIRScience 2 жыл бұрын
You're welcome! I hope it's useful for you.
@lapping78 2 жыл бұрын
@@DFIRScience yes absolutely, just another data in my toolset. Even though I don't use it now, I still find a way to enjoy learning and reenforcing the concepts. I am currently a Windows Forensics student at SANS. So much to learn for the GCFA. Thank you for sharing.
@simranjita 2 жыл бұрын
where to get hash values and other data shown in video, only dd file is downloadable in the given link
@DFIRScience 2 жыл бұрын
Here are the hashes for SuspectData.dd %%%% HASHDEEP-1.0 %%%% size,md5,sha256,filename ## $ hashdeep SuspectData.dd ## 31457280,efbf30672c4eb3713b7f639f16944fd3,6baed29520499d2d5c44c32a0f3a8a08cbe92c47b4e00101b1041d14f9a579e2,SuspectData.dd
@testuc375 2 жыл бұрын
good stuff
@DFIRScience 2 жыл бұрын
Thanks a lot!
@eltoruan 10 ай бұрын
cool
@user-rp4re3fm5o Жыл бұрын
cannot able forensic about encript ios buck up
@CatSmiling 2 жыл бұрын
wow
@sahilpatel4357 Жыл бұрын
everytNice tutorialng. It was still interesting. Wish I had tNice tutorials video when I started out
@Sigmabuzz08 2 жыл бұрын
Hi can this be used to view video aswell
@DFIRScience 2 жыл бұрын
Yes, Autopsy has a media viewer that can preview videos.
@DEIVID01VIDEOS 2 жыл бұрын
Love it, thank you for the content
@DFIRScience 2 жыл бұрын
Thank you so much!
@user-mc2qh9yb2y 8 ай бұрын
@DFIRScience can my ex bf use this to spy on me. He sent me a text with an autopsy image and I clicked on it.
@tammyrhodes3823 2 жыл бұрын
How do you view emails? I don’t see an option for it because I keep getting a “read error”
@DFIRScience 2 жыл бұрын
What are you clicking on before you get the read error? If you processed with the emails ingest module they should show in the main file view.
@tammyrhodes3823 2 жыл бұрын
@@DFIRScience any of the emails. I don’t have the same options as you do in the video. I processed with the emails ingest but I don’t see a section for it in your video or in my Autopsy. The last one (4.18) had a section that said “Emails”
@DFIRScience 2 жыл бұрын
@@tammyrhodes3823 The image I used this time did not have a local email container PST/OST. That's why it didn't show up in my view. For example, if the user always uses email in their browser, they likely won't have a PST file locally. If they use an application like Microsoft Outlook, then they probably will. What application do you think the user was using on the system you are looking at?
@batmanasdasd 2 жыл бұрын
Love the video! I'm 15 and I wanna getting to dfir any advices for learning. Should I go college etc?
@batmanasdasd 2 жыл бұрын
Also where can I get practice for right now and what can I do to practice
@DFIRScience 2 жыл бұрын
Thank you so much! One of the easiest things you can do is create a Twitter account and follow people that talk about digital forensics. A lot of DFIR-related people are there and always posting some amazing information. Going to college really depends on what kinds of investigations you want to do. Some people go to college and some people don't. Either can be successful, and both require a lot of work. This field does take a lot of study, so being able to do experiments is a good skill. Email me if you have any specific questions: bit.ly/DFIRSciContact
@DFIRScience 2 жыл бұрын
In the description of this video I give a link to the test disk image. Download Autopsy and the test data and try for yourself! Let me know if you have any questions or need any help!
@batmanasdasd 2 жыл бұрын
@@DFIRScience Thank you for responding
@sreerajk9477 2 жыл бұрын
can I do with android images?
@DFIRScience 2 жыл бұрын
Yes. Autopsy has modules to process Android data. You can add the data source as a file structure, not a disk image.
@chinz3614 2 жыл бұрын
How to quickly paste timestamp for documentation in linux?
@DFIRScience 2 жыл бұрын
@Chinz In notepad, you can just hit the F5 key and it will add the timestamp for you.
@chinz3614 2 жыл бұрын
@@DFIRScience I tried in Linux but it didn't worked 🙁
@DFIRScience 2 жыл бұрын
@@chinz3614 Yeah, notepad in Windows, unfortunately. For Linux check out github.com/MattETurner/DFIRlogbook
@chinz3614 2 жыл бұрын
@@DFIRScience okay thanks, I will have a look
@BlueMonkey4n6 2 жыл бұрын
depending on what editor you are using. if you are taking notes in a text document, from the shell you can do "date >> filename" to get a timestamp added to the end of the file. If you are using vi, you can do :r !date to add a date stamp into the file you are editing.
@AyallaEnglish 16 күн бұрын
📌8:57
@mvs9549 7 ай бұрын
pls send cat photos 😀
@8VT0 2 жыл бұрын
Now we know that the evil cat abused the dog... The dog, curiously named jack, was the victim.
@DFIRScience 2 жыл бұрын
hahahah :D
Family Games Media
Рет қаралды 28 МЛН
UnixGuy | Cyber Security
Рет қаралды 73 М.