Digital Forensics Investigation using Autopsy In Kali Linux

Autopsy is a digital forensics tool used to investigate what happened on a computer. It provides a web-based GUI front end to a variety of investigative command-line tools from The Sleuth Kit, including image file hashing, deleted file recovery, file analysis and case management. Autopsy shows results as they are produced rather than only at the end of a run, which makes it more convenient to work with than many other forensics tools.

It comes preinstalled in Kali Linux, so let's start the Kali virtual machine. You will find the ‘Forensics’ entry in the Applications menu. Select ‘autopsy’ from the list of forensics tools.


When you select autopsy, a terminal prompt opens showing the program information: the version number (2.24), the path to the Evidence Locker folder (/var/lib/autopsy) and the address http://localhost:9999/autopsy at which the interface can be opened in a web browser.


Open that link in the Kali web browser and you will land on the Autopsy home page. The tool runs as a small web server on the local machine, listening on port 9999 on the loopback interface, so by default it is reachable only from the machine it is started on.


Create a New Case

There will be three options on the home page: ‘OPEN CASE’, ‘NEW CASE’ and ‘HELP’.

For a forensic investigation we need to create a new case and gather all the information and evidence in it. Select ‘NEW CASE’.


You are taken to a page asking for the case name, a description and the investigator names. You can add more than one investigator, because a team of forensic investigators usually works on a single case.


After adding the required information, select ‘NEW CASE’.


The next page simply shows the name of the case, the directory where it will be stored, i.e. /var/lib/autopsy/case01/, and the path of its configuration file, i.e. /var/lib/autopsy/case01/case.aut.

Select the ‘ADD HOST’ option below.

Now you are asked for the name of the computer you are investigating and a description of the investigation. After that come four optional fields: the time zone (leave it blank to use the system default); a time skew adjustment, which is a value in seconds that compensates for a clock that was set wrong on the original system; the path of an alert hash database, i.e. a database of known-bad file hashes that should be flagged; and the path of an ignore hash database, i.e. a database of known-good hashes that can be skipped. Select ‘ADD HOST’ to continue.


Select ‘ADD IMAGE’ here.


Creating an Image File

We need to import an image of the system we want to investigate. Creating this image is the first step of a forensic investigation, because analysis must never be conducted on the original storage device. A disk image is a file that stores the contents and structure of a data storage device such as a hard drive, optical disc, phone, tablet, RAM or USB drive, so the copy can be examined while the original stays untouched. The image can be taken locally or remotely.

There are several ways to get the image. You can use a tool such as FTK Imager or Guymager, or you can acquire it from the command line with dd:

# dd if=/dev/sda of=ehacking.img bs=512 conv=noerror,sync

Where /dev/sda is the source device and ehacking.img is the destination file. Attach the source through a hardware or software write blocker so that nothing is ever written to it, and use conv=noerror,sync so that an unreadable sector is zero-filled and skipped instead of aborting the whole acquisition (keep bs at the sector size, because sync pads every short read up to the block size). Hash the image as soon as it has been written.

Once you have an image file, select the ‘ADD IMAGE’ option.

Import the image into Autopsy by specifying the location of the file and selecting its type, whether it is a whole Disk or a single Partition.

Select the import method ‘Copy’ to copy it into the evidence locker (the original image stays where it is) and click ‘NEXT’.

To maintain the integrity of the image file we must calculate its hash value. The hash is what lets us prove later that the file has not been tampered with.


This page shows the hash value of the image file and links the image into the evidence locker. Select OK to continue.


The Case Management Prompt

Now we have successfully imported the image for investigation. Let's check its integrity by selecting the ‘IMAGE INTEGRITY’ option.


This page shows the name and the hash value of the file. Select ‘VALIDATE’.


The validation is successful: the same MD5 hash is displayed at the bottom. Note that MD5 is no longer collision-resistant, so record a SHA-256 digest of the image alongside it and keep both values in the case notes.
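The acquisition step (dd) and the hash check just performed can be scripted end to end. The following is an added example, not code from this article or from Autopsy/The Sleuth Kit: it images a constructed sample file that stands in for /dev/sda so the script runs offline, records MD5 and SHA-256 at acquisition time, re-verifies the image the way IMAGE INTEGRITY → VALIDATE does, and shows that a one-byte change to the image in the evidence locker is still caught. The WORK directory, the sample file and the .md5/.sha256 sidecar files are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article or from Autopsy/The Sleuth Kit.
# Acquire a raw image with dd, record MD5 and SHA-256 at acquisition time,
# and later re-verify the image. The source "device" is a constructed sample
# file standing in for /dev/sda so this runs offline; on a real case point
# SRC at a write-blocked block device and file the hashes with the case notes.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SRC="$WORK/sample_device.bin"   # constructed stand-in for /dev/sda (assumption)
IMG="$WORK/ehacking.img"        # same destination name the article uses

# Build a deterministic 8192-byte "device" (16 sectors of 512 bytes).
make_sample_device() {
    yes 'forensic sample sector' | head -c 8192 > "$SRC"
}

# Acquire the image. bs=512 matches the sector size, and conv=noerror,sync
# keeps dd running past an unreadable sector, zero-filling it so the image
# keeps the same size and offsets as the source. (With a larger bs, sync
# would pad the final short read up to bs and inflate the image.)
acquire_image() {
    dd if="$SRC" of="$IMG" bs=512 conv=noerror,sync 2>/dev/null
    # Record both digests: MD5 is what Autopsy 2 displays, SHA-256 is the
    # one to rely on, since MD5 collisions are practical today.
    md5sum "$IMG"    | awk '{print $1}' > "$IMG.md5"
    sha256sum "$IMG" | awk '{print $1}' > "$IMG.sha256"
}

image_size() {
    wc -c < "$IMG" | tr -d ' '
}

# Recompute both digests and compare with the values stored at acquisition.
# Returns 0 when both match, 1 otherwise.
verify_image() {
    expected_md5=$(cat "$IMG.md5")
    expected_sha=$(cat "$IMG.sha256")
    actual_md5=$(md5sum "$IMG" | awk '{print $1}')
    actual_sha=$(sha256sum "$IMG" | awk '{print $1}')
    if [ "$expected_md5" = "$actual_md5" ] && [ "$expected_sha" = "$actual_sha" ]; then
        echo "OK: $IMG matches acquisition hashes"
        return 0
    fi
    echo "FAIL: $IMG differs from acquisition hashes" >&2
    return 1
}

# Flip one byte in place (size unchanged) to show that a silent change in
# the evidence locker is still detected by the hash check.
tamper_image() {
    printf 'X' | dd of="$IMG" bs=1 seek=100 conv=notrunc 2>/dev/null
}

main() {
    make_sample_device
    acquire_image
    echo "acquired $(image_size) bytes into $IMG"
    cmp -s "$SRC" "$IMG" && echo "image is bit-for-bit identical to the source"
    verify_image
    tamper_image
    verify_image || echo "(this failure is the expected result after tampering)"
}
main
```

Run it as-is to see the acquisition, a successful validation and then the failed validation after the byte flip; to use it on real evidence, replace make_sample_device with a write-blocked device in SRC and keep the two sidecar hash files out of the evidence locker so they cannot be edited together with the image.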


File Analysis

Let's click on ‘ANALYZE’.


It will ask which type of analysis you want. Select ‘FILE ANALYSIS’.


It lists the files and directories inside the image, including deleted entries that The Sleuth Kit can still recover from the file system. From here you can browse the contents of the target image and conduct the required investigation.


In this article we have learned how to use the forensic tool Autopsy to investigate an image file and analyze its contents. We also calculated the hash value of the image so that, if the integrity of the image ever has to be proven, you can validate it simply by matching the hash values recorded at acquisition against the current ones.

Ehacking Staff
With more than 50 global partners, we are proud to count ourselves among the world's leading cybersecurity training providers. EH Academy is the brainchild of Ehacking, which has been involved in training for the past five years and continues to help create professional IT experts.
