
Mobile Forensics with Autopsy Overview

Mar 2, 2025

Module 4: Mobile Forensic Analysis with Autopsy

Overview

  • Autopsy: An open-source, GUI-based digital forensics platform built on The Sleuth Kit, used to analyze disk images and smartphone extractions.
    • Used by law enforcement, military, and corporate examiners.
    • Features include case management (one case, many data sources) and a set of ingest and analysis modules.

Lesson 1: Using Autopsy

Key Features

  • Ease of Use: Intuitive design with wizards that guide case creation and data source ingest.
  • Extensibility: A modular architecture. Core ingest modules cover the following, and third-party Java or Python modules can be added:
    • Timeline Analysis
    • Hash Filtering (flag known-good files against NSRL and known-bad files against custom hash sets)
    • Keyword Search (indexed, with literal and regular-expression terms)
    • Web Artifacts extraction (history, cookies, downloads, bookmarks)
    • Data Carving (recovers files from unallocated space via PhotoRec)
    • Multimedia analysis (EXIF metadata, thumbnails)
    • Indicators of Compromise
  • Cost: Free and open source (Apache 2.0), which makes it cost-effective compared to commercial tools.

Interface

  • Tree Viewer: Left panel listing data sources and their directory trees, views (by file type, deleted files), ingest-module results, tags, and reports.
  • Result Viewer: Upper-right table or thumbnail listing of whatever is selected in the Tree Viewer.
  • Content Viewer: Lower-right panel that renders the selected item (hex, strings, extracted text, metadata, media, annotations).
  • Keyword Search: Searches the indexed case data for terms or regular expressions.
  • Status Area: Bottom bar showing ingest progress; results appear in the tree while ingest is still running.

Additional Features

  • Image Gallery: Designed for child exploitation cases and image sorting.
  • Timeline Feature: Organizes events by time.
  • Communications Tool: Lists accounts found in the case and graphs call and message relationships between them.
  • Geolocation: Maps artifacts with location data.
  • Discovery Tool: Configures filters for images, videos, documents.

Lesson 2: Forensic Analysis of Android Artifacts

Time Analysis in Digital Forensics

  • Timestamps establish the chronology of events; Autopsy asks for the data source's time zone when it is added and uses it to display times.
  • Identify the correct device time zone before interpreting the evidence. Most Android app databases store UTC epoch values, so the time zone matters for presenting and cross-correlating events rather than for decoding them; filesystem and EXIF timestamps may instead be in local time.
  • SQLite has no timestamp type, so values appear as INTEGER epoch (seconds, milliseconds or microseconds), REAL Julian day, or TEXT ISO 8601; Chrome stores microseconds since 1601-01-01 (WebKit epoch). Check the magnitude of each column before converting.
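The conversions above, as an added example (not part of the course material): the function guesses the storage format of a raw value from its type and digit count (an assumption that holds for dates between 2001 and roughly 2100), normalises it to UTC, and only then renders it in the examiner's chosen zone. The sample values are constructed and all represent 2025-03-02 00:00:00 UTC; the fixed UTC-5 offset stands in for a device zone.

```python
"""Normalise timestamps found in Android SQLite databases to UTC and render
them in the examiner's chosen time zone.  Added example, not course code."""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)   # Chrome: microseconds since 1601-01-01
JULIAN_UNIX_EPOCH = 2440587.5                     # SQLite julianday('1970-01-01')


def classify(value):
    """Guess the storage format from the Python type and the digit count.

    Assumption: for dates between 2001 and ~2100 the digit counts of Unix
    seconds (10), milliseconds (13), microseconds (16) and WebKit
    microseconds (17) do not overlap.
    """
    if isinstance(value, str):
        return "iso8601"                           # SQLite TEXT, e.g. '2025-03-02 00:00:00'
    if isinstance(value, float) and 2_000_000 < value < 3_000_000:
        return "julian_day"                        # SQLite REAL from julianday()
    digits = len(str(abs(int(value))))
    return {10: "unix_s", 13: "unix_ms", 16: "unix_us", 17: "webkit_us"}.get(digits, "unknown")


def to_utc(value):
    """Convert a raw timestamp of any supported format to an aware UTC datetime."""
    kind = classify(value)
    if kind == "iso8601":
        dt = datetime.fromisoformat(value)
        # SQLite's datetime() emits UTC without an offset; treat naive text as UTC
        return dt if dt.tzinfo else dt.replace(tzinfo=UTC)
    if kind == "julian_day":
        return datetime.fromtimestamp((value - JULIAN_UNIX_EPOCH) * 86400, tz=UTC)
    v = int(value)
    if kind == "unix_s":
        return datetime.fromtimestamp(v, tz=UTC)
    if kind == "unix_ms":
        return datetime.fromtimestamp(v // 1000, tz=UTC) + timedelta(milliseconds=v % 1000)
    if kind == "unix_us":
        return datetime.fromtimestamp(v // 1_000_000, tz=UTC) + timedelta(microseconds=v % 1_000_000)
    if kind == "webkit_us":
        return WEBKIT_EPOCH + timedelta(microseconds=v)
    raise ValueError(f"unrecognised timestamp: {value!r}")


def fixed_offset(hours):
    """Fixed-offset zone used here in place of the device's real zone."""
    return timezone(timedelta(hours=hours))


def render(value, tz):
    """Normalise to UTC first, then present in the chosen zone (never the reverse)."""
    return to_utc(value).astimezone(tz).isoformat(sep=" ")


# Constructed sample values; every one encodes 2025-03-02 00:00:00 UTC.
SAMPLES = {
    "mmssms.db sms.date (ms)":          1740873600000,
    "contacts2.db calls.date (ms)":     1740873600000,
    "Chrome History urls.last_visit_time": 13385347200000000,
    "SQLite julianday()":               2460736.5,
    "SQLite datetime() text":           "2025-03-02 00:00:00",
    "plain Unix seconds":               1740873600,
}

if __name__ == "__main__":
    device_tz = fixed_offset(-5)   # assumption: device was set to UTC-5
    for label, raw in SAMPLES.items():
        print(f"{label:40} {classify(raw):10} {render(raw, device_tz)}")
```

Rendering the same instant in UTC-5 gives 2025-03-01 19:00:00-05:00, i.e. the calendar day changes; an examiner who applies the device zone while decoding a UTC value, rather than after, will be off by the zone offset in every timeline entry.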

Android Artifacts

  • Device Information: Model, manufacturer, Android version and build fingerprint in /system/build.prop.
  • User Accounts: Configured accounts (Google, app logins) in accounts.db under /data/system/; Android 7 and later split this into accounts_ce.db and accounts_de.db per user.
  • Application Data: Installed packages and their UIDs, data paths and install metadata in /data/system/packages.list and packages.xml.
  • Network Configurations: Carrier and APN details in telephony.db; saved Wi-Fi networks (SSIDs and, on older versions, plaintext PSKs) in /data/misc/wifi/wpa_supplicant.conf, replaced by WifiConfigStore.xml on newer releases.

Communications

  • Contacts and Call Logs: Stored in contacts2.db (package com.android.providers.contacts); the calls table holds number, date (ms epoch), duration and type (1 incoming, 2 outgoing, 3 missed).
  • SMS/MMS: The sms table (address, date in ms epoch, type 1 inbox / 2 sent, body) and MMS parts in mmssms.db (package com.android.providers.telephony); telephony.db in the same package holds carrier data.
  • Email: The stock Gmail app (package com.google.android.gm) keeps per-account SQLite databases in its data directory; other mail clients keep their own.

Third-Party Applications

  • Chrome: Browser data under app_chrome/Default/ in the com.android.chrome package: History and Cookies are SQLite databases with WebKit-epoch timestamps, Bookmarks is JSON.
  • Maps: Location and search history.
  • Social Media Apps: Twitter, Facebook, Messenger, Snapchat, and Skype artifacts reveal user activities and interactions.
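An added example (not from the course) that ties the Communications artifacts and the Chrome history above together: it queries the sms table of mmssms.db, the calls table of contacts2.db and the urls table of Chrome's History, converts each database's own timestamp format, and merges the rows into one UTC-ordered timeline, which is what Autopsy's Timeline view does with its own parsers. The three databases are constructed in memory with the real table and column names but only a handful of rows; on a real extraction the same queries run against the copied database files.

```python
"""Merge SMS, call-log and Chrome history rows into one UTC timeline.
Added example, not course code; the databases are constructed stand-ins."""
import sqlite3
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)
SMS_TYPE = {1: "inbox", 2: "sent"}                       # sms.type in mmssms.db
CALL_TYPE = {1: "incoming", 2: "outgoing", 3: "missed"}  # calls.type in contacts2.db


def unix_ms(ms):
    """sms.date and calls.date: milliseconds since the Unix epoch, UTC."""
    return datetime.fromtimestamp(ms // 1000, tz=UTC) + timedelta(milliseconds=ms % 1000)


def webkit_us(us):
    """urls.last_visit_time: microseconds since 1601-01-01, UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def open_readonly(path):
    """Open a copied database without modifying it; the -wal/-shm files must be
    copied alongside it or the most recent rows will be missing."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_databases():
    """Constructed stand-ins for mmssms.db, contacts2.db and Chrome's History.
    Column names match the real schemas; rows are fictitious."""
    sms = sqlite3.connect(":memory:")
    sms.executescript("""
        CREATE TABLE sms(_id INTEGER PRIMARY KEY, thread_id INTEGER, address TEXT,
                         date INTEGER, type INTEGER, body TEXT);
        INSERT INTO sms VALUES (1, 1, '+15550100', 1740873600000, 1, 'meet at 7?');
        INSERT INTO sms VALUES (2, 1, '+15550100', 1740873900000, 2, 'ok, usual place');
    """)
    contacts = sqlite3.connect(":memory:")
    contacts.executescript("""
        CREATE TABLE calls(_id INTEGER PRIMARY KEY, number TEXT, date INTEGER,
                           duration INTEGER, type INTEGER, name TEXT);
        INSERT INTO calls VALUES (1, '+15550100', 1740873800000, 45, 2, NULL);
    """)
    history = sqlite3.connect(":memory:")
    history.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                          visit_count INTEGER, last_visit_time INTEGER);
        INSERT INTO urls VALUES (1, 'https://example.com/map', 'Directions', 1,
                                 13385347320000000);
    """)
    return sms, contacts, history


def extract_timeline(sms_db, contacts_db, history_db):
    """Return [(utc_datetime, source, description)] sorted by time."""
    events = []
    for address, date, kind, body in sms_db.execute(
            "SELECT address, date, type, body FROM sms"):
        events.append((unix_ms(date), "sms",
                       f"{SMS_TYPE.get(kind, kind)} {address}: {body}"))
    for number, date, duration, kind in contacts_db.execute(
            "SELECT number, date, duration, type FROM calls"):
        events.append((unix_ms(date), "call",
                       f"{CALL_TYPE.get(kind, kind)} {number} ({duration}s)"))
    for url, title, last in history_db.execute(
            "SELECT url, title, last_visit_time FROM urls"):
        events.append((webkit_us(last), "web", f"{title} {url}"))
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    for when, source, what in extract_timeline(*build_sample_databases()):
        print(f"{when.isoformat(sep=' ')}  {source:4}  {what}")
```

Typical locations on a rooted device or full file-system extraction are /data/data/com.android.providers.telephony/databases/mmssms.db, /data/data/com.android.providers.contacts/databases/contacts2.db and /data/data/com.android.chrome/app_chrome/Default/History. Copy each file together with its -wal and -shm sidecars before opening it, and open the copy read-only so the evidence hash is unchanged.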

Conclusion

  • Autopsy is a powerful tool for digital and mobile forensics.
  • Understanding its features and modules enhances the ability to conduct comprehensive forensic investigations.
  • Key digital artifacts, especially from Android devices, can provide crucial evidence for investigations.