An Overview of Autopsy: Open Source Digital Forensic Platform
ABSTRACT
Digital forensics is the process of recovering data from digital devices, from computer hard drives to mobile phones. The activity is usually associated with criminal or civil investigations. Digital devices can hold many kinds of data that are not apparent to the casual user. Autopsy is the leading open source digital forensics platform: it is easy to use, fast, and applicable to every kind of digital investigation. It analyzes hard drives, smartphones, media cards and similar media. It is primarily developed for Microsoft Windows, with more limited support for running on Linux and macOS. This whitepaper gives an overview of Autopsy, describes its installation, and explains its cases and data sources.
Keywords: digital forensics, case, data source, ingest.
- INTRODUCTION
- Brief History
The first open source version of Autopsy was released in 2001 as a browser-based interface to The Sleuth Kit; it ran only on Linux and OS X. In 2010, version 3 was started from scratch as a platform, based on discussions at OSDFCon (the Open Source Digital Forensics Conference). It is Windows-based and automated, and its development received some US Army funding (with 42Six Solutions). Version 3.0.0 was released in September 2012.
- Basic Concept
This section outlines the following basic concepts:
- Investigation Workflow
- Deployment Types
- Central Repository
- Investigation Workflow
Analyzing data in Autopsy uses the following workflow:
Step 1: Make a Case
A case is a “container for one or more data sources. One must be created before data is analyzed”.
Step 2: Add a Data Source
One or more data sources are added to the case. Data sources include disk images and local files.
Step 3: Configure Ingest Modules
After the data source is added, ingest modules run in the background to analyze the data. Results are shown in the interface in real time, and alerts are raised where appropriate. Example ingest modules include hash calculation and lookup, keyword searching, and web artifact extraction. Third-party modules can be developed and added to the pipeline.
Step 4: Review and Manually Analyze Data
The user navigates “the interface, files contents, and ingest module results to identify the evidence”.
Step 5: Tag Results
Interesting items can be tagged for later reporting and analysis.
Step 6: Report Generation
The user generates a final report based on the selected tags or results.
- Deployment Types
There are two types of deployment. (a) Desktop/Single User (b) Cluster/Multiuser.
- Desktop/Single User:
Functionality: In this type, cases can be opened by only one person at a time.
Technical: Everything runs on a single computer. It works out of the box with a single installer; launching Autopsy starts all embedded services (databases, text indexing, etc.).
- Cluster/Multiuser
Functionality: Cases can be opened by multiple users at the same time. It allows an "Auto Ingest" mode in which new media is automatically analyzed 24x7 by multiple nodes. Analysis is faster because the central database is often faster than the embedded one.
Technical: The user experience is exactly the same. It uses central servers for the database, text index, etc., together with central high-speed storage.
- Central Repository
The central repository is a database that stores data from past cases. It contains MD5 hash values, comments and Wi-Fi SSIDs.
Autopsy otherwise uses case-specific databases. This keeps the databases smaller and easier to manage, and allows cases to be archived.
Central Repository deployment types:
Two types are supported:
- (i) SQLite – Requires no other installation. It can be used by only one user at a time.
- (ii) PostgreSQL – The database is stored on a server. It can be used by multiple users at a time, and it can share the server used for multi-user cases.
- INSTALLATION OF AUTOPSY
Autopsy is installed on the examiner's computer (or virtual machine). This applies to both single-user and multi-user deployments.
Steps:
Step 1: Download “.msi” installer.
Step 2: Use default values.
Step 3: It installs into a version-specific folder, so multiple versions of Autopsy can be installed at the same time.
Installing Autopsy on Linux/OS X
Basic flow:
- Install the dependencies using the package management tool: Java, The Sleuth Kit, PhotoRec, etc.
- Download “.zip” file of Autopsy and expand.
- Run “unix_setup.sh” to copy files into Autopsy.
Other things to set up on a new installation include hash sets, keyword lists, etc.
Launch Autopsy and enable the central repository using a SQLite database in the default application data location.
- CASES AND DATA SOURCES
- Cases
A case contains one or more data sources (disk images, disk devices and logical files). The data sources can come from several drives in a single computer or from many computers.
A case groups the data you are going to analyze. How many cases you create is up to you: one per investigation, or one per host within an investigation.
Each case has its own directory, named after the case. The directory contains configuration files, a database, reports, and other files that modules create.
The main Autopsy case configuration file has an ".aut" extension.
Points to note:
- Only one case can be open at a time.
- Reporting is done at a case level.
- Cases are automatically saved.
- Creating a Case
There are several ways to create a new case:
- The opening splash screen has a button to create a new case.
- The "File", "Create New Case" menu item
- Case directory
Each Autopsy case (multi-user and single-user) has a directory. Autopsy has the notion of a 'base' directory; it creates a folder in the base directory with the case name.
Note: In a Multi-user cluster, all examiners need to have access to the case directory at the same path.
Case directory contents:
- autopsy.db – SQLite database that stores basic case information and data source information.
- Export folder - Default location to store exported files.
- Reports folder – Default location to store reports.
- Module output folder – Default location for modules to write output to.
- Data Sources
A data source is the thing you want to analyze. It can be a disk image, a set of logical files, a local drive, etc. A case must be open before a data source can be added to Autopsy.
- Adding a Data Source
You can add a data source in several ways:
- After you create a case, it automatically prompts you to add a data source.
- There is a toolbar item to add a data source when a case is open.
- The "File", "Add Data Source" menu item when a case is open.
Autopsy supports three types of data sources:
- Disk Image: A file (or set of files) that is a byte-for-byte copy of a hard drive or media card.
- Adding a Disk Image
Autopsy supports disk images in the following formats:
- Raw Single (For example: *.img, *.dd, *.raw, etc)
- Raw Split (For example: *.001, *.002, *.aa, *.ab, etc)
- EnCase (For example: *.e01, *.e02, etc)
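The raw split format is the one where "find the rest of the files" matters. The following Python script is an added example, not Autopsy or Sleuth Kit code: given only the first segment it discovers the sibling segments, refuses a sequence with a missing segment rather than silently truncating the image, and reads byte ranges that cross segment boundaries. The naming rules it applies, the `evidence.001` and `broken.001` sample files it creates in a temporary directory, and all function names are assumptions made for the example.

```python
"""Reassemble a split raw image (.001/.002/... or .aa/.ab/...) from its first segment.
Added example, not Autopsy or Sleuth Kit code: given only the first segment it
discovers the siblings, rejects a sequence with a hole, and exposes the set as
one contiguous byte stream."""
import os
import re
import tempfile

# <stem>.<counter>, where the counter is three digits (.001) or two letters (.aa)
_SEG_RE = re.compile(r"^(?P<stem>.+)\.(?P<idx>\d{3}|[a-z]{2})$")


def _ordinal(idx: str) -> int:
    """Position of a counter in its sequence: 001 -> 1, aa -> 1, ab -> 2."""
    if idx.isdigit():
        return int(idx)
    return (ord(idx[0]) - ord("a")) * 26 + (ord(idx[1]) - ord("a")) + 1


def find_segments(first_segment: str) -> list:
    """Ordered segment paths of the split image that starts at first_segment."""
    directory, name = os.path.split(os.path.abspath(first_segment))
    m = _SEG_RE.match(name)
    if not m:
        raise ValueError(f"{name} does not look like a split-image segment")
    stem, idx = m.group("stem"), m.group("idx")
    numeric = idx.isdigit()
    # A two-letter suffix only counts as a split counter when the run starts at
    # .aa; otherwise a single raw image such as disk.dd would pass as a segment.
    if not numeric and idx != "aa":
        raise ValueError(f"{name} is not the first segment of a two-letter sequence")
    names = sorted(  # zero-padded digits and two-letter counters sort lexically
        f for f in os.listdir(directory)
        if (mm := _SEG_RE.match(f)) and mm.group("stem") == stem
        and mm.group("idx").isdigit() == numeric)
    if not names or names[0] != name:
        raise ValueError(f"{name} is not the first segment of the sequence")
    for pos, f in enumerate(names):
        if _ordinal(_SEG_RE.match(f).group("idx")) != _ordinal(idx) + pos:
            raise ValueError(f"segment sequence has a hole before {f}")
    return [os.path.join(directory, f) for f in names]


class SplitImage:
    """A set of split segments presented as one contiguous image."""

    def __init__(self, first_segment: str):
        self.segments = find_segments(first_segment)
        self.sizes = [os.path.getsize(p) for p in self.segments]
        self.size = sum(self.sizes)

    def read(self, offset: int, length: int) -> bytes:
        """Read `length` bytes at image `offset`, crossing segment boundaries."""
        if offset < 0 or offset + length > self.size:
            raise ValueError("read beyond the end of the image")
        out = bytearray()
        for path, size in zip(self.segments, self.sizes):
            if length == 0:
                break
            if offset >= size:  # segment lies entirely before the wanted range
                offset -= size
                continue
            with open(path, "rb") as fh:
                fh.seek(offset)
                chunk = fh.read(min(length, size - offset))
            out += chunk
            length -= len(chunk)
            offset = 0  # every later segment is read from its start
        return bytes(out)


def demo() -> dict:
    """Constructed sample: a 2048-byte image stored as evidence.001/.002/.003."""
    data = bytes(range(256)) * 8
    with tempfile.TemporaryDirectory() as d:
        first, pos = None, 0
        for n, size in enumerate((1000, 1000, 48), start=1):
            path = os.path.join(d, f"evidence.{n:03d}")
            with open(path, "wb") as fh:
                fh.write(data[pos:pos + size])
            pos += size
            first = first or path
        for extra in ("other.001", "broken.001", "broken.003"):  # distractors
            open(os.path.join(d, extra), "wb").close()
        img = SplitImage(first)
        try:
            find_segments(os.path.join(d, "broken.001"))
            hole_detected = False
        except ValueError:
            hole_detected = True
        return {
            "segments": len(img.segments),
            "size": img.size,
            "boundary_read_ok": img.read(990, 20) == data[990:1010],
            "hole_detected": hole_detected,
        }
```

The hole check is the part worth keeping in mind: a segment that is missing from the evidence folder means the reassembled image is shorter than the original, and every partition and file offset past the gap shifts. Failing loudly at add time is preferable to discovering that during analysis.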
To add a disk image:
- Choose "Image File" from the pull-down.
- Browse to the first file in the disk image. You only need to specify the first file; Autopsy will find the rest.
- Choose the time zone that the disk image originated from. This matters mainly when adding FAT file systems, because FAT does not store time zone information and Autopsy would otherwise not know how to normalize timestamps to UTC.
- Choose whether to perform orphan file finding on FAT file systems. This can be time intensive, because Autopsy must look at every cluster on the device.
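The time zone step above is easy to underestimate. A FAT directory entry holds a local wall-clock date and time with no zone, so the zone the examiner selects when adding the image decides which UTC instant every timestamp maps to. The following Python code is an added example, not Autopsy or Sleuth Kit code: it parses a constructed 32-byte short-name directory entry, decodes the packed FAT date and time words, and normalizes the same entry under two different zone choices. The entry contents and the two zones are constructed for the example; in real use the zone would be a `zoneinfo.ZoneInfo` object so that daylight-saving rules are applied per date.

```python
"""Decode FAT directory-entry timestamps and normalize them to UTC.
Added example, not Autopsy or Sleuth Kit code. FAT stores local wall-clock
time with no zone, so the zone chosen when the image is added decides which
UTC instant each timestamp becomes."""
import struct
from datetime import datetime, timedelta, timezone, tzinfo

# 32-byte FAT directory entry: name(11) attr ntres crt_tenths crt_time crt_date
# acc_date first_cluster_hi wrt_time wrt_date first_cluster_lo size
FAT_DIRENT = struct.Struct("<11sBBBHHHHHHHI")


def decode_fat_timestamp(date_word: int, time_word: int, tenths: int = 0) -> datetime:
    """Unpack the 16-bit FAT date/time words into a naive (zone-less) datetime.

    date: bits 15-9 years since 1980, 8-5 month, 4-0 day
    time: bits 15-11 hour, 10-5 minute, 4-0 seconds/2; tenths adds 0-199 x 10 ms
    """
    year, month, day = 1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F
    hour, minute, second = time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2
    if not (1 <= month <= 12 and 1 <= day <= 31):
        raise ValueError("FAT date word holds no valid date")  # zeroed fields are common
    return datetime(year, month, day, hour, minute, second) + timedelta(milliseconds=10 * tenths)


def normalize_to_utc(local: datetime, image_zone: tzinfo) -> datetime:
    """Attach the examiner-chosen zone of the image and convert to UTC."""
    return local.replace(tzinfo=image_zone).astimezone(timezone.utc)


def parse_dirent(raw: bytes) -> dict:
    """Parse one short-name directory entry into its fields and decoded timestamps."""
    (name, attr, _ntres, ctenth, ctime, cdate, adate, clus_hi,
     wtime, wdate, clus_lo, size) = FAT_DIRENT.unpack(raw)
    base, ext = name[:8].decode("ascii").rstrip(), name[8:].decode("ascii").rstrip()
    return {
        "name": f"{base}.{ext}" if ext else base,
        "attr": attr,
        "size": size,
        "first_cluster": (clus_hi << 16) | clus_lo,
        "created": decode_fat_timestamp(cdate, ctime, ctenth),
        "accessed": decode_fat_timestamp(adate, 0) if adate else None,  # date only
        "modified": decode_fat_timestamp(wdate, wtime),
    }


def build_sample_dirent() -> bytes:
    """Constructed entry for REPORT.TXT written 2019-11-05 14:30:16 local time.
    date 0x4F65 = (2019-1980)<<9 | 11<<5 | 5; time 0x73C8 = 14<<11 | 30<<5 | 16//2"""
    return FAT_DIRENT.pack(b"REPORT  TXT", 0x20, 0, 0, 0x73C8, 0x4F65, 0x4F65,
                           0, 0x73C8, 0x4F65, 5, 1234)


def demo() -> dict:
    """Same entry, two examiner zone choices. Fixed offsets are used so the
    example needs no tz database; pass zoneinfo.ZoneInfo("America/New_York")
    and similar in practice so daylight-saving rules are applied per date."""
    entry = parse_dirent(build_sample_dirent())
    local = entry["modified"]
    as_est = normalize_to_utc(local, timezone(timedelta(hours=-5), "EST"))
    as_ist = normalize_to_utc(local, timezone(timedelta(hours=5, minutes=30), "IST"))
    return {
        "name": entry["name"],
        "local": local.isoformat(),
        "utc_if_est": as_est.isoformat(),
        "utc_if_ist": as_ist.isoformat(),
        "skew_hours": (as_est - as_ist).total_seconds() / 3600,
    }
```

The same directory entry lands 10.5 hours apart in UTC depending on the zone chosen, which is exactly the error that a wrong answer to the add-image prompt introduces into every FAT timestamp in the timeline. NTFS and ext timestamps are stored in UTC and do not have this problem.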
- Disk Image Analysis
Autopsy uses The Sleuth Kit (TSK) to analyze the contents of the image. It detects volume systems, which break the disk into partitions, and file systems, which organize a partition so that files can be stored.
- Volume System Analysis
Volume systems organize the disk image into one or more volumes (or partitions). The volume system is located near the beginning of the disk image. Autopsy/TSK supports: DOS (MBR), GUID Partition Table (GPT), Macintosh (Mac), Berkeley Software Distribution (BSD) and Solaris.
Autopsy will show areas of disk that are not in a volume.
Each volume is analyzed to look for a file system. If no volume is found, the entire image is analyzed for a file system.
- File System Analysis
A file system allows files to be stored. It is typically located at the beginning of the disk image or inside a volume.
The supported formats are: NT File System (NTFS), File Allocation Table (FAT), Extended File Allocation Table (exFAT), Hierarchical File System Plus (HFS+), ISO9660, Ext2/3/4, Yet Another Flash File System 2 (YAFFS2) and the Unix File System (UFS).
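To make the volume-system and file-system detection concrete, the following Python script is an added example (not Autopsy or Sleuth Kit code) that parses a DOS partition table from a constructed image, lists the sector ranges that fall outside every partition, and identifies the file system in each volume from its on-disk signature. The signature tests and the sample image layout are assumptions chosen for the example and are simpler than TSK's own detection: only the DOS table is parsed, a GPT is recognised by its protective entry and header but not parsed, and the Mac, BSD and Solaris tables are not covered.

```python
"""Detect a DOS (MBR) volume system and identify the file system in each volume.
Added example, not Autopsy or Sleuth Kit code: it parses the four primary MBR
entries, reports sector ranges outside any partition (what Autopsy lists as
unallocated), and recognises file systems by their on-disk signatures. The
signature checks are simplified versions of what TSK does, not its exact tests."""
import struct

SECTOR = 512
_ENTRY = struct.Struct("<B3xB3xII")  # status, CHS, type, CHS, LBA start, sector count


def parse_mbr(sector0: bytes) -> list:
    """Primary partitions from a DOS partition table, sorted by start sector."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xAA":
        return []  # no boot signature: not a DOS volume system
    parts = []
    for i in range(4):
        status, ptype, start, count = _ENTRY.unpack_from(sector0, 446 + 16 * i)
        if ptype and count:  # type 0 = unused slot
            parts.append({"slot": i, "type": ptype, "start": start, "length": count,
                          "bootable": status == 0x80})
    return sorted(parts, key=lambda p: p["start"])


def detect_volume_system(image: bytes) -> str:
    parts = parse_mbr(image[:SECTOR])
    if parts and parts[0]["type"] == 0xEE and image[512:520] == b"EFI PART":
        return "GPT"  # protective MBR in front of a GPT header at LBA 1
    return "DOS" if parts else "none"


def unallocated_ranges(parts: list, total_sectors: int) -> list:
    """Inclusive sector ranges not covered by any partition (sector 0 is the table)."""
    ranges, cursor = [], 1
    for p in parts:
        if p["start"] > cursor:
            ranges.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["start"] + p["length"])
    if cursor < total_sectors:
        ranges.append((cursor, total_sectors - 1))
    return ranges


def detect_file_system(vol: bytes) -> str:
    """Name the file system at the start of a volume (pass at least 64 KiB)."""
    if vol[3:11] == b"NTFS    ":
        return "NTFS"
    if vol[3:11] == b"EXFAT   ":
        return "exFAT"
    if vol[0x52:0x5A] == b"FAT32   " or vol[0x36:0x3B] in (b"FAT12", b"FAT16"):
        return "FAT"
    if len(vol) >= 1082 and struct.unpack_from("<H", vol, 1080)[0] == 0xEF53:
        return "Ext2/3/4"  # superblock at +1024, s_magic at +56
    if vol[1024:1026] in (b"H+", b"HX"):
        return "HFS+"
    if vol[0x8001:0x8006] == b"CD001":
        return "ISO9660"  # primary volume descriptor at +32 KiB
    return "unknown"


def analyze(image: bytes) -> dict:
    """Mimic the add-image flow: volume system first, then a file system per volume."""
    total = len(image) // SECTOR
    vs = detect_volume_system(image)
    result = {"volume_system": vs, "volumes": [], "unallocated": []}
    if vs == "DOS":
        parts = parse_mbr(image[:SECTOR])
        for p in parts:
            off = p["start"] * SECTOR
            result["volumes"].append({**p, "fs": detect_file_system(image[off:off + 65536])})
        result["unallocated"] = unallocated_ranges(parts, total)
    elif vs == "none":  # no partitions: the whole image may itself be a file system
        result["volumes"].append({"start": 0, "length": total,
                                  "fs": detect_file_system(image[:65536])})
    return result  # GPT entries would need the partition array at LBA 2; left out here


def build_sample_image() -> bytes:
    """Constructed 4 MiB image: MBR, NTFS at LBA 2048 (1 MiB), ext4 at LBA 6144 (512 KiB)."""
    img = bytearray(8192 * SECTOR)
    img[446:478] = _ENTRY.pack(0x80, 0x07, 2048, 2048) + _ENTRY.pack(0x00, 0x83, 6144, 1024)
    img[510:512] = b"\x55\xAA"
    img[2048 * SECTOR + 3:2048 * SECTOR + 11] = b"NTFS    "   # NTFS OEM id
    struct.pack_into("<H", img, 6144 * SECTOR + 1080, 0xEF53)  # ext superblock magic
    return bytes(img)
```

Running `analyze(build_sample_image())` reports a DOS volume system, an NTFS volume and an ext volume, and three unallocated ranges: the sectors before the first partition, the gap between the two partitions, and the tail of the disk. Those ranges are where carved and hidden data turn up, which is why Autopsy shows them as volumes in their own right.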
- Orphan Files
Orphan files are deleted files that no longer have a parent folder. They are shown in the "$OrphanFiles" folder. Finding orphan files in a FAT file system is time intensive, because every cluster must be read and analyzed; it can be disabled when the image is added.
- Local Drive: Local storage device (local drive, USB-attached drive, etc.).
- Adding a Local Drive
Autopsy can analyze a local drive without first making an image copy of it. This is most useful when analyzing a USB-attached device through a write blocker.
Note: if you are analyzing a local drive that is being updated, Autopsy will not see files that are added after you add it as a data source.
You must be running Autopsy as an Administrator to see all devices.
To add a local drive:
- Choose "Local Drive" from the pull-down.
- Choose the device from the pull-down list.
- Choose whether to perform orphan file finding.
- Logical Files: Local files or folders.
- Adding a Logical File
You can add files or folders that are on your local computer (or on a shared drive) without putting them into a disk image. This is useful if you have only a collection of files that you want to analyze.
Some things to note when doing this:
- Autopsy ignores the time stamps on files that it adds this way because they could be the timestamps when they were copied onto your examination device.
- If you have a USB-attached device that you are analyzing and you choose to add the device's contents using this method, note that it will not look at unallocated space or deleted files. Autopsy will only be able to see the allocated files. You should add the device as a "Local Drive" to analyze the unallocated space.
To add logical files:
- Choose "Logical Files" from the pull down.
- Press the "Add" button and navigate to a folder or file to add. Choosing a folder will cause all of its contents (including sub-folders) to be added.
- Continue to press "Add" until all files and folders have been selected.
All of the files that you add in the panel are grouped together into a single data source, called "LogicalFileSet" in the main UI.
- CONCLUSION
The Autopsy Forensic Browser enables you to conduct a digital forensic investigation. It is a graphical interface to The Sleuth Kit and other tools. Autopsy lets you examine a hard drive or mobile phone and recover evidence from it. This whitepaper should help you get started with Autopsy. The current version of Autopsy performs better on a well-specified system.
REFERENCES
- https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493741001.pdf
- https://sleuthkit.org/autopsy/docs/user-docs/3.1/index.html
- http://www.sleuthkit.org/autopsy/
- https://www.softpedia.com/get/Others/Miscellaneous/Autopsy.shtml
- http://en.wikipedia.org/wiki/Autopsy_%28software%29
- http://www.sleuthkit.org/autopsy/intuitive.php
- https://www.basistech.com/basistechnology-enhances-digital-mediainvestigations-with-autopsy-3-1/
- http://www.sleuthkit.org/autopsy/download.php
- https://sourceforge.net/projects/autopsy/files/autopsy/3.1.1/
- http://wiki.sleuthkit.org/index.php?title=Main_Page
- http://wiki.sleuthkit.org/index.php?title=The_Sleuth_Kit
- http://digitalforensics.sans.org/blog/2009/05/11/a-step-by-step-introduction-to-using-the-autopsy-forensic-browser/
- Incident Response and Computer Forensics, Second Edition
- http://articles.forensicfocus.com/2013/08/29/autopsy-3-windows-based-easy-to-use-and-free/
- http://www.basistech.com/medium-divemedex/
- http://wiki.sleuthkit.org/index.php?title=Autopsy_3_Logging_and_Error_Checking
- http://www.sleuthkit.org/autopsy/v2/
- Digital Evidence & Computer Crime - Forensic Science, Computers, & the Internet, 2nd Edition
- http://www.sleuthkit.org/autopsy/features.php
- http://www.sleuthkit.org/autopsy/history.php
AUTHOR WRITE UP
Dr. S. Balakrishnan (CSI Membership I1505405) is a Professor and Head, Department of Computer Science and Business Systems at Sri Krishna College of Engineering and Technology, Coimbatore, Tamil Nadu, India. He has 17 years of experience in teaching, research and administration. He has published over 15 books, 3 book chapters, 21 technical articles in CSI Communications Magazine, 1 article in Electronics for You (EFY) magazine, 3 articles in Open Source for You Magazine and over 100 publications in highly cited journals and conferences. Some of his professional awards include: Faculty with Maximum Publishing in CSI Communications 2017-2019, International Data Science Writer of the Year 2019, MTC Global Outstanding Researcher Award, Contributors Competition Winner July 2019, August 2019 and September 2019 by DataScience Foundation, with a cash prize of £100, 100 Inspiring Authors of India, Deloitte Innovation Award - cash prize of Rs.10,000/- from Deloitte for Smart India Hackathon 2018, Patent Published Award, and Impactful Author of the Year 2017-18. His research interests are Artificial Intelligence, Cloud Computing and IoT. He has delivered several guest lectures and seminars and chaired sessions at various conferences. He serves as a reviewer and editorial board member of many reputed journals and has acted as session chair and Technical Program Committee member of national and international conferences in Vietnam, China, America and Bangkok. He has published more than 19 patents on IoT applications.