Autopsy is one of the digital forensics tools used to investigate what happened on a computer. It offers a GUI front end to a variety of investigative command-line tools from The Sleuth Kit, including image file hashing, deleted file recovery, file analysis and case management. Autopsy produces results in real time, which gives it an advantage over many other forensics tools.
When you launch Autopsy, it opens a terminal prompt showing the program information: the version number (2.24), the path to the Evidence Locker folder (/var/lib/autopsy) and the address http://localhost:9999/autopsy at which to open it in a web browser.
Click on that link, or open it in your Kali web browser, and you will be taken to the Autopsy home page. The tool runs on the local web server, listening on port 9999.
Create a New Case
There will be three options on the home page: ‘OPEN CASE’, ‘NEW CASE’ and ‘HELP’.
For a forensic investigation we need to create a new case and organise all the information and evidence in it. Select ‘NEW CASE’.
It will take you to a page where you are asked for the case name, a description and the investigator names. Note that you can add more than one investigator name, because in these scenarios a team of forensic investigators usually works on a single case.
After adding all the required information, select ‘NEW CASE’.
This simply shows us the name of the case, the directory where it will be stored, i.e. /var/lib/autopsy/case01/, and the location of its configuration file, i.e. /var/lib/autopsy/case01/case.aut.
Select the ‘ADD HOST’ option below.
Now you will be asked to enter the name of the computer you are investigating and a description of the investigation. After that it asks for the time zone (leaving it blank selects the default), a timeskew adjustment (a value in seconds to compensate for a clock that was off on the investigated system), the path of an alert hash database (a database of known-bad file hashes) and the path of an ignore hash database (a database of known-good file hashes). Select ‘ADD HOST’ to continue.
Select ‘ADD IMAGE’ here.
Creating an Image File
We need to import an image file of the system we want to investigate. Creating this image file is the first step of a forensic investigation, because analysis must not be conducted on the original storage device. A disk image is a file that stores the contents and structure of a data storage device such as a hard drive, CD drive, phone, tablet, RAM or USB stick. The image can be taken locally or remotely.
There are several ways to get the image file. You can create it with tools such as FTK Imager or Guymager, or you can acquire it from the CLI with the dd (disk-to-disk) command:
# dd if=/dev/sda of=ehacking.img
where /dev/sda is the source device and ehacking.img is the destination file.
Once you get an image file, select ‘ADD IMAGE’ option here.
Import the image into Autopsy by specifying the location of the file and selecting its type, Disk or Partition.
Select the import method ‘Copy’ to copy it into the evidence locker and click on ‘NEXT’.
To maintain the integrity of the image file we must calculate its hash value. The hash lets us prove later that the file has not been tampered with.
This shows the hash value of the image file and links the image into the evidence locker. Select OK to continue.
The Case Management Prompt
Now we have successfully imported the file for investigation. Let’s check its integrity by selecting the ‘IMAGE INTEGRITY’ option.
This shows the name and the hash value of the file. Select ‘VALIDATE’.
The validation is successful, displaying the same MD5 hashes at the bottom.
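The acquisition step (dd above) and the integrity step (hash at import, validate later) are the two points where evidence integrity is won or lost, so here is an added shell example tying them together; it is not part of the original article and not Autopsy's own code. It images a constructed 1 MiB file that stands in for /dev/sda (so it runs without root or a real disk), uses dd with conv=noerror,sync so a bad sector does not abort the copy or shift later offsets, records both MD5 (what Autopsy 2.x displays) and SHA-256 at acquisition, and then performs the same check Autopsy's VALIDATE button does, once on the untouched image and once after a single sector has been overwritten. The file names, the scratch directory and the function names are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original article or from Autopsy: acquire a disk
# image with dd, record its hashes at acquisition time, and validate them later.
# Runs in a scratch directory against a constructed "device" file standing in
# for /dev/sda, so it needs neither root nor a real disk.
set -eu

# Acquire an image: sector-sized blocks, keep reading past bad sectors
# (noerror) and zero-pad them (sync) so offsets in the image match the source.
acquire_image() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync status=none
}

# Bare hex digest of a file. $1 = hash tool (md5sum or sha256sum), $2 = file.
digest() {
    "$1" "$2" | cut -d' ' -f1
}

# Record the image hashes beside the image. Autopsy 2.x shows MD5; SHA-256 is
# recorded too because MD5 collisions are practical and a second hash is cheap.
record_hashes() {
    digest md5sum "$1"    > "$1.md5"
    digest sha256sum "$1" > "$1.sha256"
}

# Acquisition check: the image must hash identically to the source it was read from.
image_matches_source() {
    [ "$(digest sha256sum "$1")" = "$(digest sha256sum "$2")" ]
}

# Later validation (what Autopsy's VALIDATE does): succeeds only if both
# recorded hashes still match the image on disk.
validate_image() {
    [ "$(digest md5sum "$1")" = "$(cat "$1.md5")" ] &&
    [ "$(digest sha256sum "$1")" = "$(cat "$1.sha256")" ]
}

# --- demonstration on constructed data ---
WORK=$(mktemp -d)
SRC="$WORK/sda.dev"            # constructed stand-in for /dev/sda: 1 MiB of random bytes
IMG="$WORK/ehacking.img"
dd if=/dev/urandom of="$SRC" bs=512 count=2048 status=none

acquire_image "$SRC" "$IMG"
image_matches_source "$SRC" "$IMG" && echo "acquisition verified: image hashes equal source"
record_hashes "$IMG"
echo "recorded MD5    $(cat "$IMG.md5")"
echo "recorded SHA256 $(cat "$IMG.sha256")"

validate_image "$IMG" && echo "validation OK: image unchanged since acquisition"

# Overwrite one sector of the image; validation must now fail.
dd if=/dev/zero of="$IMG" bs=512 seek=8 count=1 conv=notrunc status=none
if validate_image "$IMG"; then
    echo "unexpected: modified image still validated"
else
    echo "validation FAILED: image was modified after acquisition"
fi

rm -rf "$WORK"
```

Keep the recorded digests somewhere the image itself cannot reach (a case log or a separate write-protected location), since a hash stored next to the evidence can be rewritten together with it; the point of the VALIDATE step is that the reference value comes from the moment of acquisition, not from the file being checked.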
Let’s click on ‘ANALYZE’.
It will ask which type of analysis you want. Select ‘FILE ANALYSIS’.
It lists the files and directories inside the image. From here you can analyze the contents of the target image and conduct the required investigation.
In this article we have learned how to use the forensic tool Autopsy to investigate an image file and analyze its contents. We also calculated the hash value of the image file, so that if there is a need to prove its integrity in the future you can validate it by matching the hash values.