The Sleuth Kit (TSK) is a collection of command-line tools used in digital forensics to analyze disk images, examine file systems, and recover deleted data without altering the original evidence. Autopsy provides a graphical interface for TSK, making analysis more accessible and efficient while preserving forensic integrity.
- Supports file systems like NTFS, FAT, and EXT
- Recovers deleted files and extracts hidden data
- Provides timeline analysis of system activity
- Enables keyword searching and indexing for faster investigations
- Operates on disk images to maintain evidence integrity
Steps for Data Analysis Using Autopsy
Follow the steps below to analyze data using Autopsy:
1. Getting Started
- Launch Autopsy
- Create a new case by entering case details
- Click Finish to initialize the investigation environment
2. Adding a Data Source
Autopsy supports multiple types of data sources:
- Disk Image / VM File: Exact copies of storage devices or virtual machines
- Local Disk: Hard drives, USB drives, memory cards
- Logical Files: Specific folders or files
- Unallocated Space Image: Raw data without a file system
The data source used in this walkthrough is a disk image. Enter the path to the data source to add it.
3. Configuring Ingest Modules
Ingest modules define how the data will be analyzed. Selecting the right modules is critical for effective investigation.
Important Ingest Modules
- Recent Activity: Tracks recently accessed files and operations
- Hash Lookup: Identifies known files using hash values
- File Type Identification: Detects files based on internal signatures
- Extension Mismatch Detector: Finds files with altered extensions
- Embedded File Extractor: Extracts hidden files (e.g., ZIP inside DOC)
- EXIF Parser: Retrieves image metadata (date, location, device)
- Keyword Search: Finds specific keywords or patterns
- Email Parser: Extracts data from email databases (PST/OST)
- Encryption Detection: Identifies encrypted or password-protected files
- Interesting File Identifier: Flags files based on custom rules
- Correlation Engine: Links related data across cases
- PhotoRec Carver: Recovers deleted files from unallocated space
- Virtual Machine Extractor: Detects and analyzes VM files
- Data Source Integrity: Verifies hash values for authenticity
- Plaso: Extracts timeline-based timestamps
- Android Analyzer: Analyzes Android-specific data
After selecting relevant modules, click Next and then Finish.
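The File Type Identification and Extension Mismatch Detector modules above both work from file signatures rather than names. The following is an added example, not Autopsy's own code: it identifies a file by its leading bytes against a small assumed signature table and flags it when the name's extension does not fit the detected type, run over a few constructed sample files.

```python
"""Minimal file-type identification and extension-mismatch check (added example)."""
from typing import Optional

# Signature table: leading bytes -> (detected type, extensions normally used).
# Assumed subset for illustration; Autopsy uses a far larger signature database.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png", {"png"}),
    (b"\xff\xd8\xff", "image/jpeg", {"jpg", "jpeg"}),
    (b"%PDF-", "application/pdf", {"pdf"}),
    (b"PK\x03\x04", "application/zip", {"zip", "docx", "xlsx", "pptx", "jar"}),
    (b"MZ", "application/x-msdownload", {"exe", "dll", "sys"}),
]

def identify(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the file's leading bytes, or None if unknown."""
    for magic, mime, _ in SIGNATURES:
        if data.startswith(magic):
            return mime
    return None

def extension_of(name: str) -> str:
    """Lower-cased extension of a file name, or '' when there is none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def is_mismatch(name: str, data: bytes) -> bool:
    """True when the detected type is known and the extension is not one it normally uses."""
    mime = identify(data)
    if mime is None:
        return False  # unknown content: nothing to compare against
    allowed = next(exts for _, m, exts in SIGNATURES if m == mime)
    return extension_of(name) not in allowed

def scan(files: dict) -> list:
    """Return (name, detected MIME) for every file whose extension disagrees with its content."""
    return [(n, identify(d)) for n, d in files.items() if is_mismatch(n, d)]

# Constructed sample "files": a header followed by filler bytes.
SAMPLE_FILES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "report.pdf": b"%PDF-1.7\n" + b"\x00" * 16,
    "notes.txt": b"MZ\x90\x00" + b"\x00" * 16,   # executable renamed as text
    "photo.png": b"PK\x03\x04" + b"\x00" * 16,   # archive renamed as an image
    "readme.md": b"plain text, no known signature",
}

if __name__ == "__main__":
    for name, mime in scan(SAMPLE_FILES):
        print(f"mismatch: {name} looks like {mime}")
```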
Exploring the Data Source
Once ingestion is complete, Autopsy organizes data into structured views.
Data Source Information
- Displays metadata and technical details
- Supports viewing in hex, metadata, and structured formats

Partition Analysis
- Disk images are divided into volumes/partitions
- Each partition can be explored individually
- Each volume can be browsed for its contents, which are listed in the panel at the bottom of the window. For example, the content shown below belongs to Data Sources -> Mantooth.E01 -> MSOCache -> [Parent Folder].
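The volumes Autopsy lists under a data source come from the partition table in the image's first sector. As an added example (not Autopsy or TSK code), the following parses a classic MBR partition table from a raw image the way TSK's mmls does for a DOS-style layout, and also reports the gaps between partitions that Autopsy shows as unallocated space. The image is constructed in memory with an assumed two-partition layout.

```python
"""Parse an MBR partition table and locate unallocated regions (added example)."""
import struct

SECTOR = 512
# Assumed subset of partition type codes, enough for the sample image.
PART_TYPES = {0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x83: "Linux"}

def parse_mbr(image: bytes) -> list:
    """Return [(slot, type name, start sector, sector count, bootable)] for the used primary entries."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature 0x55AA at offset 510")
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i: 446 + 16 * (i + 1)]
        # boot flag, 3-byte CHS start, type, 3-byte CHS end, LBA start, LBA count
        boot, ptype, start, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 or count == 0:
            continue  # unused slot
        parts.append((i, PART_TYPES.get(ptype, f"unknown (0x{ptype:02x})"), start, count, boot == 0x80))
    return parts

def unallocated(image: bytes, total_sectors: int) -> list:
    """Return (start, count) sector ranges covered by no partition; sector 0 is the MBR itself."""
    used = sorted((s, s + n) for _, _, s, n, _ in parse_mbr(image))
    gaps, cursor = [], 1
    for start, end in used:
        if start > cursor:
            gaps.append((cursor, start - cursor))
        cursor = max(cursor, end)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - cursor))
    return gaps

def build_sample_image() -> bytes:
    """Constructed sector 0 of a 131072-sector (64 MiB) image: a bootable NTFS and a Linux partition."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 81920)
    mbr[462:478] = struct.pack("<B3xB3xII", 0x00, 0x83, 83968, 40960)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

if __name__ == "__main__":
    img = build_sample_image()
    for slot, name, start, count, boot in parse_mbr(img):
        print(f"{slot}: {name:<12} start={start:>8} len={count:>8}{' boot' if boot else ''}")
    print("unallocated:", unallocated(img, 131072))
```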
Views in Autopsy
1. File Type View
- Categorizes files based on type or MIME
- Includes deleted files
2. Deleted Files
- Displays recoverable deleted files
- Recovery: Right-click → Extract File(s) → Save

3. File Size View
- Groups files by size (e.g., large files over 50 MB)
- Helps identify suspicious or important files
Note: Suspected files or disks, such as payload files, should not be scanned or extracted on the examiner's main system. Scan them in a safe environment such as a virtual machine and extract the data from there, because they may be corrupt or may infect the examiner's system with viruses.
Results Section
The Results panel provides extracted and analyzed insights:
Key Artifacts
- EXIF Metadata: Image details like timestamp and geolocation
- Encryption Detection: Identifies protected files
- Extension Mismatch: Flags suspicious file types
- Installed Programs: Extracted from system registry
- OS Information: Details about the operating system
- Recent Documents: Recently accessed files
- Recycle Bin: Deleted but recoverable files
- USB Devices: External device usage history
- Web Activity: Cookies, browsing history, searches

- HashSet Hits: Files whose hash values match a configured hash set; searches by hash value are made here.
- Email Messages: Messages parsed from the outlook.pst files on the disk can be explored here.
- Interesting Items: As discussed above, files flagged by the custom rules set by the examiner.
- Accounts: Details of all the accounts present on the disk. This disk has the following email accounts.
- Reports: Reports on the entire analysis of the data source can be generated and exported in many formats.

Advanced Features
- Multiple Data Sources: Add multiple disk images to a single case
- Media Analysis: View images and videos in gallery mode
- Communications: All communications made using the source device are displayed here. This device had communications only in the form of emails.
- Geolocation: Displays artifacts that carry longitude and latitude attributes as waypoints on a map. This data source has no waypoints.
- Timeline: Shows when the computer was used and what events took place before or after a given event, which greatly helps when investigating activity around a particular time.
Best Practices for Forensic Analysis
- Always analyze disk images, not live systems
- Use virtual machines for suspicious file analysis
- Avoid opening unknown files on the main system
- Validate evidence using hash verification
- Use multiple ingest modules for comprehensive results