Basis Technology Autopsy Usage Guide – Analyzing Source

Autopsy Usage Guide

Finally we got to Autopsy usage guide, after the Basis Technology Autopsy and Plugins installation and after the Basis Technology Autopsy Ingestion Modules Configuration. We will cover the basic usage for you to start the investigation fast.

1. If you have VHD image (or alike) mount it first to see if there is a file system with files on it (if there are no folders we will use recovery module later). If you have a folder with files instead of an image – skip this step.
2. Open Autopsy.
3. Select [New Case] on the “Welcome” screen.
4. Follow these steps to pre setup case:

"Case Information"
    Case Name: <Input the Case Name>
    Base Directory: C:\Cases\
    *** This is a default path - you can change
    Case Type: (*) Single-User
    [Next]
"Optional Information"
    <Fill here the needed information>
    [Finish]

5. At this stage Autopsy will create the case and new window will open. If you have a folder with files – skip this step. If you have a VHD disk image or any other:

"Select Type of Data Source To Add"
    [V] Disk Image or VM File
    [Next >]
"Select Data Source"
    Path: [Browse] for the image file
    <Fill in the rest of the information as needed>
    [Next >]
"Configure Ingest Modules"
    [Deselect All]
    [Next >]
"Add Data Source"
    [Finish]

On the left pane expand the “Data Sources” and check if you can see the same folders as in your mounted image. If you did not have any files on the mounted image in step 1 – skip the next step. If you had files on the mounted image in step 1 then close this case and remove it, follow again the steps 2 to 4 (including), then skip the 5th. Basically, Autopsy was not able to read the files system in the image and if you want it to work properly – it is better to use the mounted drive as logical folder in the Data Source section.

6. If you have a folder with files or the Disk image does not show the file system in Autopsy:

"Select Type of Data Source To Add"
    [V] Logical Files
    [Next >]
"Select Data Source"
    [Local files and folders]
    [Add] => Navigate to your folder with files / mounted drive => [Select]
    [Next >]
"Configure Ingest Modules"
    [Deselect All]
    [Next >]
"Add Data Source"
    [Finish]

7. After we see that everything was imported fine, we will use the Ingest modules to analyze the source. You should check our guide about Autopsy and Plugins installation and recommendations for the set of Ingest modules and the Autopsy Ingestion Modules Configuration guide before continuing further.
Follow the next steps to apply the Ingest Modules on the source:

[Tools] => [Run Ingest Modules] => <Select your Data Source>
    "Configure Ingest Modules"
        Run ingest modules on: [All Files, Directories, and Unallocated Space]
        [Select All]

        <Uncheck the following>:
        [ ] VirusTotal Online Check
        [ ] ParseEvtx

        <Now go over each module and configure it as needed. You can see recommendations in the next block>

        [Finish]

As was stated in the Ingestion Modules Configuration article use the VirusTotal module only if you have small Data Source. If it is a big one – better use Sigcheck on such sources. Check our OptimizationCore SysInternals Sigcheck VirusTotal Offline Scan guide.
“ParseEvtx” ingestion module takes a lot of time. We will use it in the next step after the rest of the modules will finish processing.
Recommended Ingestion Modules Settings (the modules that are not in the list probably have no settings):

[V] Hash Lookup
    <Select All the needed Hash Sets that we imported in the modules section>

[V] Extension Mismatch Detector
    (*) Check all file types
    [V] Skip files without extension
    *** Basically, all the files without extension are mismatch, since they have no extension. Unless you look particularly for the extensionless files. If you want, you can also skip the "Known" files that appear in the "Known" Hash sets.

[V] Keyword Search
    [ ] Phone Numbers
    [V] IP Addresses
    [V] Email Addresses
    [V] URLs
    [ ] Credit Card Numbers
    [V] <Any other custom Keyword Sets that you created>
    *** Did not have luck with Phone numbers and Credit Cards. Any Country will have different set of Phone numbers. While both Phones and Cards are extracted by the Autopsy regex rules out of the files' content in the Data Source - it is not working properly with numerous false positives. You can try checking these any way if you want.

[V] Encryption Detection
    <Check that these settings are fine with you>

[V] Interesting Files Identifier
    <We set this up earlier in the options, check that everything is selected here>

[V] PhotoRec Carver
    *** This one will dig files from unallocated space or the ones that were deleted
    [V] Keep corrupted files
    *** You will want to keep partial files for all the modules to extract as much data as they can from it. You can also focus on certain file types if you want to save Ingestion time.

[V] Plaso
    *** As it says, checking the next boxes will slow down the ingestion time significantly, but if you want to see the full picture better select these:
    [V] winreg: Parser for Windows NT Registry (REGF) Files
    [V] pe: Parser for Portable Executable (PE) Files
    *** If you want to optimize your time, you can unselect the module at this time, wait for the ingestion to finish and do the ingestion process again while deselecting all the modules except for this one.

[V] YARA Analyzer
    (*) All files
    *** Off course it depends on your rules

[V] Log Forensics for Autopsy
    <Check all>

[V] Windows Internals
    <Check All>

At this stage you will see the Ingestion progress in the right bottom corner. Each time a module finish ingestion you will see a number rise on the “letter” icon at the top right corner.

8. After the modules finish ingestion – follow the process in step 7, [Deselect All] and select only the “[V] ParseEvtx” Ingestion Module, [Finish].
This one will take a long time to ingest. It takes all the Windows Event Log files, parses them and creates one big list of events from all the files, which you can sort by time later and follow all the event logs simultaneously.
After the module ingestion will finish – you will see the progress bar at the bottom right corner disappear. At this point Autopsy did not respond to any actions and in addition no new items / events were shown. So, needed to End the task and open Autopsy with the case again. After you open the case new items appear.

* IMPORTANT NOTE: Do not run this module more than once. There is no check for results that are already in the database. The events will be ingested once again and this will enlarge the database, making Autopsy slower.

9. You can better understand your content by viewing each button in the top Menu:

[Image/Videos]
[Communications]
[Geolocation]
[Timeline]
[Discovery]

10. You can save each category results to CSV:
Select a category on the left pane => On the right pane top right corner [Save Table as CSV].
If you want to save CSV with a table larger than 10000 results, check our OptimizationCore Autopsy Export CSV, XLSX – Large Sheets guide.

11. After you finish your investigation – you can [Generate Report] with all the results.

Leave a Comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.