
IY467 Lab 5 - Introduction To Autopsy

This document provides instructions for using Autopsy, an alternative digital forensics tool, to introduce students to its interface and capabilities. It outlines objectives to become familiar with Autopsy and use it to perform dual verification of key evidence from a case the students are working on. The tasks guide the students through opening a case in Autopsy, exploring its interface, analyzing a sample USB image to identify files and metadata, and then using the program to dual verify important pieces of evidence from their coursework case for validation.

UWEBIC IY467 Digital Evidence

Lab 5 Introduction to Autopsy


Adapted from Week 13-15 Practical Sessions 2022 – 2023
Computer Crime and Digital Evidence
Issued: 25th October 2022 by Jay Murphy

Contents
1 Aim and Objectives
    Objectives
2 Introduction
3 Task 1: Introduction to Autopsy
4 Task 2: Perform dual verification
5 Conclusions


1 Aim and Objectives


The aim of today’s lab session is for you to become familiar with an
alternative forensic application, Autopsy. You will be using Autopsy to
perform dual verification of some of your key pieces of evidence.

Objectives

By the end of this session, you should:


• Be able to use Autopsy to create a case and add and examine evidence
• Have used Autopsy to perform dual verification on some of the key items of
evidence for your Hunter coursework
• Have recorded this work in your Contemporaneous Notes

2 Introduction
Please note that the “Hunter XP for Dongled v6” E01 evidence file you are
working on (that contains the Hunter Case image) is the one you are using to
complete your coursework. You should already have opened this with EnCase. If you
still do not know how to access this file and how to copy it onto your VM, please go
back to the previous lab sessions and complete them first.

This week we are looking at Autopsy, which is an alternative forensic tool, and using
it to perform dual verification. Why is dual verification important? Remember that
software is written by human beings – mistakes are possible. If we get a different
result from two different tools, we will spot the error.
It has been observed that when tools make errors, the same error is not made
by different tools. When comparing the outcome of two tools, errors are
revealed and the item in question will have to be examined in more detail.

(Friheim, 2016)
If you have dual verified the key pieces of evidence that your case depends on,
you make it much harder for a defence team to discredit them.

Note: Remember that dual verification is an important step, and you should
document it in your contemporaneous notes for the Hunter XP Case.

3 Task 1: Introduction to Autopsy
Download the Autopsy software from Autopsy - Download
(https://www.autopsy.com/download/)

For this task you will use an image acquired from a USB drive. If you still
have it, you can also use the USB image you created with FTK Imager in
the Lab 2 practical session. Alternatively, you can use either of the USB
images here:

https://kaplanint-my.sharepoint.com/:f:/g/personal/eleanor_combley_aspectworld_com/ErGfSIRi93RLoVDF6mGLGhEBt7NTFZrl6J13AYtEzdvu0A?e=7FAXyL

When you start Autopsy you will see the Autopsy Welcome screen (Figure
21).

Figure 21: The Autopsy Welcome screen.

Figure 22: Provide a case name and the destination folder.

Click on the Create New Case button and provide the Case Name and the
Base Directory, which is the place where relevant data will be stored. I chose
my Desktop as the Base directory for this demonstration (see Figure 22).


Hit Next and provide additional information for the case. Hit Finish when
you are done (Figure 23).

Figure 23: Provide additional information.

Autopsy will create the case. Be patient as it needs some time to do that.
Then you will see a pop-up window asking you to add the evidence file
(just like EnCase). Choose “Disk Image or VM file” and then browse to the
USB image file when prompted to “Select Data Source”; it should be the
USBimage.001 file you just downloaded, or the one you created during the
previous week. The provided file is 492 MB (see Figure 24).

Figure 24: Provide the evidence file for the case.


Ensure that the timezone is GMT (+0:00) Europe/London and click Next
as Figure 25 shows.

Figure 25: Set the timezone to GMT London time.

Figure 26: Uncheck the Android module.

Then Autopsy loads the evidence and a pop-up window presents the options
for the evidence processing. There is no need to go through these options
in detail now. You can do that in your own time if you are interested.
Uncheck the Android Analyzer option. Although there might be a possibility
that the USB contained an image from an Android device, we will skip this
step now. Ensure that the Process Unallocated Space field is checked and
hit Next (see Figure 26) and then Finish.


Autopsy will start analysing files from the imported image as you can see in
Figure 27. When it is done you can see a report by clicking on the yellow
triangular shape (indicated in black in Figure 28). Note that the user interface
might have changed a bit since the screenshot (Figure 26) was taken...

Figure 27: Autopsy processes the evidence.

Figure 28: Configure Ingest Modules.

Autopsy launches the evidence processor when we start a new case. Note
that the USB image file was very small. You should expect longer
processing times when you are dealing with real evidence.


Click on the Exif Metadata (under the Results section) from the Tree
structure. You will see similarities with EnCase, although Autopsy has less
functionality, as seen in Figure 29.

→ Experiment with the View Images/Videos and Timeline tabs.


→ Did you find any deleted data?
→ Did you find any pdf files? Provide the provenance of the acmguide.pdf
(Hint: Figure 30).

Figure 29: Viewing images with Autopsy.

Figure 30: Getting details about evidence items.


4 Task 2: Perform dual verification


Create a new case in Autopsy using the Hunter E01 file as the evidence file
(see the previous lab sheet for information about how to do this). Autopsy
needs some time to process the Hunter case (it took about 10 minutes on
my old machine). When processing is done, choose a couple of key evidence
items and perform dual verification (see Figures 19-21).

Figure 19: Create a case on Autopsy.


Figure 20: Choose an important evidence item.

Figure 21: Perform dual verification.
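
One way to record the comparison for Task 2, shown as an added example that is not part of the original lab sheet: it compares the hash, size and modified time that two tools report for the same items and flags any disagreement for closer examination. The CSV column layout, the names `load` and `dual_verify`, and all sample rows are assumptions constructed for this example; they are not the real export format of EnCase or Autopsy.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample exports: column names and rows are assumptions for this
# example, not the real export format of either tool.
TOOL_A = r"""path,md5,size,modified
\Documents\plan.doc,9E107D9D372BB6826BD81D3542A419D6,24576,2004-06-15T14:30:00+01:00
\Pictures\map.jpg,E4D909C290D0FB1CA068FFADDF22CBD0,88213,2004-06-16T09:05:12+01:00
\Temp\notes.txt,D41D8CD98F00B204E9800998ECF8427E,0,2004-06-17T18:00:00+01:00
"""
TOOL_B = r"""path,md5,size,modified
/Documents/plan.doc,9e107d9d372bb6826bd81d3542a419d6,24576,2004-06-15T13:30:00+00:00
/Pictures/map.jpg,e4d909c290d0fb1ca068ffaddf22cbd0,88213,2004-06-16T09:05:12+00:00
"""
FIELDS = ("md5", "size", "modified")


def load(text):
    """Parse one export into {normalised path: (md5, size, modified in UTC)}."""
    items = {}
    for row in csv.DictReader(io.StringIO(text)):
        # Assumption: a case-insensitive Windows file system, so separators
        # are unified and paths lower-cased before matching.
        key = row["path"].replace("\\", "/").lower()
        # Timestamps carry their own UTC offset; convert both tools to UTC so
        # a display time zone difference alone is not reported as a mismatch.
        when = datetime.fromisoformat(row["modified"]).astimezone(timezone.utc)
        items[key] = (row["md5"].lower(), int(row["size"]), when)
    return items


def dual_verify(export_a, export_b):
    """Return {path: outcome} for every item seen by either tool."""
    a, b = load(export_a), load(export_b)
    results = {}
    for path in sorted(a.keys() | b.keys()):
        if path not in a or path not in b:
            results[path] = "missing in " + ("tool A" if path not in a else "tool B")
            continue
        diffs = [f for f, x, y in zip(FIELDS, a[path], b[path]) if x != y]
        results[path] = "verified" if not diffs else "mismatch: " + ", ".join(diffs)
    return results


if __name__ == "__main__":
    for path, outcome in dual_verify(TOOL_A, TOOL_B).items():
        print(f"{outcome:<20} {path}")
```

Any item that is not reported as verified is one to examine in more detail and record in your contemporaneous notes; in the constructed data, the one-hour difference on `map.jpg` is the kind of discrepancy a wrong time zone setting in one tool would produce.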


5 Conclusions
Today you followed best practice by verifying your evidence
acquisition and setting the proper time zone offset for your evidence. You
learned how to use the Evidence Processor and you did your first analysis on
Email and Internet artifacts. You should also understand that dual
verification is important and it must be performed regularly to ensure data
integrity and maintain best standards. Additionally, you have started taking
detailed contemporaneous notes of your investigation that would ensure its
repeatability.

References

Friheim, Ivar. (2016). Practical use of dual tool verification in computer
forensics. 10.13140/RG.2.2.33300.81288.
