Welcome back, students. Today we'll try to learn the Autopsy software, which is one of the best pieces of software available in the market. It's free; you can download it for digital investigation or the forensic analysis of any computer or device. In order to get a free copy of it, you'll go to their website, called autopsy.com, download, and then you can choose either the 32-bit or 64-bit variant of it to be installed on your machine. Now, it's recommended to have the 64-bit version of it, since you know that on 32-bit you have a limitation of 4 GB of RAM, and if the software is consuming the resources of your PC, it should be powerful enough to consume more than 4 GB of RAM on your computer so that you can conduct the analysis in a comfortable manner.

Now we are working on a virtual machine, which is Windows 7 in our scenario, and this is our digital forensics workstation, where we have a couple of different pieces of software installed on the computer itself. That's the first interface of the software, which is Autopsy, which is open, extensible and fast. The normal interface that we have in most software is that the first thing is that you'll have to create a case. If you have a previous case which you have saved somewhere, you can open it from here. Since we are working on it for the first time, we'll click on New Case, and as usual we'll give it a name. For example, we are going to analyze the disk, so I'll give it a name like "disk analysis", and then we'll change the path of it to our D drive, in our folder, and we'll select the folder. Now keep in mind that you will be connecting an evidence drive to the computer, or you will be conducting a static acquisition of a computer, so make sure that you're selecting the disk which is connected to your computer as a foreign disk. Since we are conducting it on the same computer, and just for testing purposes or as a demo, we are going to select a drive which is drive C of this computer, on which we have installed the operating system. So it's not recommended
to keep the base directory in the C drive, because you'll be investigating the C drive for any possible evidence; that's why I have selected a different partition, and I'll be keeping all the files related to that in that partition. Press Next. You'll give it a case number, then you'll write the name of the person who's investigating, the phone number and the email address, whatever you have, and any specific notes that you might have. Now, "organization analysis belongs to" is not defined, but if you want, you can create the name of your organization with the details; that would look very professional. For example, let's say Forensics Lab, and the name is Mr. Ali, and the email address will be, for example, abc at ali dot com, and then the phone number would be 000. Now you can use this information in your case. Once that's done, we'll press Finish and it would create a case for us.

Now that's the initial interface of the software, and we'll go through it in a while. Now it's asking to select a host. The difference between them is this: if you want to generate a new host file based on the computer on which you are working, you can select the first option; if you have a host name defined, you can name it, for example "test case" over here; or you can use an existing case which you have on your computer. Since we are doing it for the first time on the computer, I'll keep it as it is and I'll press Next. Now you have different options appearing over here. Disk images: that is if you have an image file already existing on your computer. Now, you can create a disk image using lots of different software, like FTK Imager (a video about that is already there on our channel), or you can use EnCase in order to create a forensic image of the hard drive. So if we press Next, it would ask for the path of it; if you select it, it would just load the file, and then it would select the sector size of it as well, and will give you the hash values of the disk image so that once the investigation is complete you can match that, if it's
matching the original disk or not. So, since we are not going to use the already-existing image file that we have, we will be selecting a local file on the computer, and we will be selecting the image, for example drive C, which is drive zero on my computer. If your drives are not appearing over here, you can press Refresh Local Drives, and it would show you the drives that are connected to the computer. Now keep in mind that if you are working on a virtual environment, just like me (I'm using VirtualBox), your USB will not show over here. I'll release a video on how to add USB drives to the virtual machines; you can watch it later on the channel. Now we'll be selecting the drive over here as drive C of the computer, and that's an excellent option appearing in our Autopsy software, which is that we have a VHD image over here which it can create. Once the image is created, you can run this image, which is a virtual hard disk, on Hyper-V or VMware Workstation or VirtualBox, so it would create a virtual image of the same hard disk which can be used later. Once that's done, we'll press Next and we'll continue, but I want to show you the other options. If you have logical files, for example if you have a logical evidence file, that's what I was talking about: if you have created an image of it, you can select it and load it over here with the extension L01. Or if you have an unallocated space image file, you can load it in the same way, as 2 GB chunk files, or you can create one file altogether. If you have Autopsy logical imager results, you can use them as well, if you are using any of the disk drives which are listed over here. Now the last option is XRY text export files; if you have them and you want to analyze them, you can simply load them by clicking on it. So we'll go to the local disk, we'll go to Next, and then we'll select the disk, which is the C drive on our computer. We'll press OK and then we'll select the time zone. Select the time zone which is matching your area; I'll be
selecting the Saudi Arabian time zone, and then I'll press Next. Here it's giving you all the options, like what you want to investigate in this computer: hash lookup, file types and all those things. An interesting thing for this version is that it's even checking for Android Analyzer, and you have iOS Analyzer here as well. Now that's an excellent option which is appearing on it, because if you are investigating anything related to the iOS version or Android, you can easily select those options from here, as this is the one appearing for iOS and this is the one appearing for Android. So we'll press Next and it will start processing it. Now, depending on the size of your C drive, it would take some time. At the moment it's checking the status of it and creating a case to be saved in the destination, which is the D drive. Again I'm repeating it: since we are creating an image, or we are analyzing the C drive, it should save the image file or the analysis results in another partition, which is other than the C drive. Now, as you can see, it has created the file, and then you can press Finish, and it's analyzing it at the moment. You can see the recent activity of the software over here; it's showing you that six percent has been analyzed so far, and if you want to see further details, this would keep on populating as it's investigating your C drive. You can further click over here and it will show you the physical disk which is connected, and you can see further details about the hard disk, different views, and it would populate all these results over here. Of course it would take some time to analyze the hard drive, so you'll have to leave the computer like this for a while so that it can conduct all the detailed analysis on the computer. If you click over here, it would show you the actual progress and the files which are being analyzed at the moment. So we'll leave it at the moment and we'll check it later once it's done. Just note another thing: we have some messages appearing over
here. They are very helpful: if it's having any issues in extracting some information, you can check it over here. Further, you can save the table results in a CSV file. Once we have all the results over here, I'll go through the rest of the options, and we'll continue the session after that.

Okay guys, as you can see, the analysis is complete, and we'll go through what it is all about. First of all, as I told you, if you click on it you'll be able to see the sources and the hard drive which is connected, and further it would give the details of it. Now if you come here further, you'll see the file types: it has segregated them by the images that it has discovered over here, videos and audio files, databases, etc. If you click on it, it would show you the preview of it. Further, you can check the hexadecimal code of it, the text details of it, the picture itself, and the file metadata. You know, the file metadata is very important, because it gives you the exact date when it was created and accessed, and all those relevant details which are required for any investigative report. Now you can check the other tabs, which give the details about it. If you simply click on Thumbnails, it would show all the thumbnails of the images that it has acquired. Further, if you want to save the details of all these things into a CSV format, you can do that as well. On the top here we had the messages which were appearing on it, but once it's completed they were all cleared. If you want to search it by any specific keyword, you can run the search through this command over here. Now it has segregated the documents, PDF files, each and everything, and it has even discovered that there were some files which were deleted from the computer, and you can further sort them according to the flags and other information. I would highly recommend that you save the table in a CSV format, and then you can view it in your Microsoft Excel to see the exact details of
it. Then, as you can see here, we have the MD5 and SHA appearing here as well, so if you want to have the verification of the hashes, you can check them using that as well. It's selecting it by all files; further, you can see the files as per the size here, by 200 MB or GB, the bigger files which it found during the investigation. If we go further down, we have the artifacts, and it's very important, because we want to see which software is installed on the computer, so it's giving all the details about the software. If you see the metadata, that information is there. Operating system information gives you all the details about the operating system: since it's Windows 7 Ultimate, date and time, see Windows and the product ID, and other information is appearing. Further, if we go down, we'll see the recent documents which were accessed on this computer are also shown, so it helps you in checking, if anyone penetrated the computer, which files did they actually open and what were they actually trying to do with that. Now the running programs are listed over here, which are in the memory of the computer, which were currently executing on the computer at the time when we conducted the analysis. Then we have shellbags appearing, with all the information about the paths and the registry values of it, where they are appearing. Further, we have the USB devices which were ever connected to this virtual machine; it's even maintaining records of it. If you bookmarked any of the websites on the browser, that information is also here, even the web cache details, since the user might have browsed certain websites on the computer, so all those details are also shown up here. Not only that, we have the information about the cookies; as you know, some are persistent cookies and some are not, so you can get the basic details about them. If the user downloaded any files, that information is also being captured in it, even the web history: if they tried to browse any websites, they are here, and if they
tried to search for certain things, as I searched for "digital forensics" and different websites, that information is appearing. Now mind that the default browser of the computer is Internet Explorer, but since I used Google Chrome to search for the files, it's giving me exactly which browser I used for those things. Now it's checking, and it found that some suspected encrypted files are also appearing on the computer, so you can investigate it. Then EXIF files, which are the metadata files, are appearing, extensions, and then it has some interesting items, which could be the encrypted files of the Autopsy software itself. Further, some keyword searches and such information is there, and even the email addresses which it found during the investigation of different software or the programs which were used are also listed up here, so that gives us an idea that if they used any email software or sent any emails out, you can find it from here. Now suspected files are segregated in a different content folder over here, and then you can go to web categories and OS accounts. Now these OS accounts are telling you about the accounts which were used in order to log in to this computer, and further, the same thing as we checked for the images: if you click on an account, for example an administrator account, it would give you the address of the OS account, and it would give the other details about who logged in, what was the time, which profile was used, and other details which are there related to the account. Further, you can tag certain files and you can generate a report of it. I'll generate a report in a minute; I want to just go through the rest of the options which are appearing over here. If you click on Images and Videos, it would show and group all the videos and images in this investigative report that it has generated, so you can check all the details specifically related to the pictures and the videos. Now you can set different priorities on it; you can have different filters as per your own
requirements. You can even click on Discovery and search the files based on the size of the file, videos or documents or details or the domains, so you can group them and sort them as per your own requirements. Now if you want to search for a certain theme within time parameters, you can define it over here, and it would tell you all the details about the files which were saved on the computer. As you can see, the maximum files saved were in 2021, or in 2009 when they used it for the last time on this virtual machine, so all those details are shown up here. Further, if you click on Communications, it would show you any kind of email programs which were installed on the computer; you'll get all the details, the messages, logs, media attachments, and all these other things that should be appearing on this computer. Now Geolocation is only giving you the location or the geographical parameters of it; we are not using it that much, since this computer is not live and it's not on the internet, so we won't be able to get any information out of it. If you click on the settings icon, you can further change the settings of this report before you generate a report, and it's giving you the details about the tag area score, and even if you want to change the area specific to the time and zone, you can make the modifications up here. Now on the Case menu we have these files over here; the case details can be viewed again under the case. It would even tell you details about the data summary: what kind of hard disk was used, how many audio files, images and files were there. You can further click on the analysis, recent files, geolocations, times and such to get all the details. For the most part, this is the software that we have used; it has given me a more detailed report compared to the other software that we have analyzed so far in our course on computer forensics and investigations. Now if you go to Tools, it's again showing the images and such; you can run the ingest modules as
well, generate a report, and if you want to install any plugins you can do it by directly going and downloading them; some of them are available for free, like the ones which are installed, and if you want to purchase them, there are lots of other plugins; you can read the details about them and add them for a detailed analysis on the computer itself. Now you can even run the Python plugins, and you can create a live triage drive image by clicking on this one; click on it and it would create the image as well. Now if you want to create a logical image, you can create it by clicking on Create Logical Imager, and as I showed you earlier, you can click on it and continue with creating the image. The rest of the things are related to the listings and things like how you want to group the items on the screen. So that's pretty much about the software.

So now, once the investigation is complete, we want to either close the case or generate a report. If we want to generate a report, we'll click on the Generate Report button, and it would ask us which format we would like to create the report in. You can create an Excel report, you can have it in text files, tag extract, the unique words, and all those things. I would prefer having an HTML file. You can further change the header of it over here, and the footer; I'll keep it as default. I'll click Next. It's asking which source you want to select; I'll press Next over here. Which specific results do you want to have? I'll say I want to have all the results, whatever I have found in the investigation, and press Finish. Now it would generate an HTML file, and it would have all the relevant details of each and everything that we have conducted. As you can see, the report is complete; you can click on it and it would open the report, which you can view in your browser. Now, as you can see: data analysis, disk analysis report, Autopsy forensic report. We named it "disk analysis"; the case number is appearing,
the name that we gave, and the software information for this software, and it's generated using the Autopsy software. Then you can see the images about different things, for example the encrypted files that it found, all the interesting artifacts and the metadata, even the shell results and the web browser bookmarks, web categories, as we saw over there. So all those details can be used later or can be presented in front of the court for any further investigation. So that was it about the software, which is Autopsy. We used the latest version of it, which is 4.5, and I hope you learned some new things in it. That's it for today. Thank you very much.
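The hash-matching step mentioned above (the acquisition tool records the MD5 and SHA values of the disk image, and after the investigation you check that the image still matches them) is easy to script outside the GUI. The following is an added example and is not part of the video or of Autopsy itself. It hashes an image file in fixed-size chunks so that a multi-gigabyte image never has to fit in memory, compares the digests with the recorded values, and reports which algorithms disagree. The `demo()` function uses a small constructed byte string as a stand-in for a real image, then alters a single byte of a copy to show that verification fails.

```python
"""Verify that a disk image still matches the hashes recorded at acquisition."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # hash 1 MiB at a time so multi-GB images do not need to fit in RAM


def hash_image(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hex digest} for the file at `path`, reading it in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, expected):
    """Compare computed digests with the recorded ones (case-insensitive).

    `expected` maps algorithm name -> hex digest as logged by the imaging tool.
    Returns (ok, mismatches), where mismatches lists the algorithms that differ.
    """
    actual = hash_image(path, tuple(expected))
    mismatches = [a for a in expected
                  if actual[a].lower() != expected[a].strip().lower()]
    return (not mismatches, mismatches)


def demo():
    """Constructed sample: write a small fake image, record its hashes, then tamper with a copy.

    Returns (verified_before, verified_after_tampering, algorithms_that_mismatched).
    """
    # Constructed stand-in for a disk image; not a real partition layout.
    data = b"MBR\x00" * 4096 + b"NTFS    " + bytes(range(256)) * 64
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "evidence.dd")
        with open(original, "wb") as fh:
            fh.write(data)
        recorded = hash_image(original)  # what the acquisition tool would have logged
        ok_before, _ = verify_image(original, recorded)

        tampered = os.path.join(tmp, "evidence_modified.dd")
        with open(tampered, "wb") as fh:
            fh.write(data[:100] + b"X" + data[101:])  # single-byte change
        ok_after, bad = verify_image(tampered, recorded)
    return ok_before, ok_after, sorted(bad)


if __name__ == "__main__":
    before, after, bad = demo()
    print("untouched image verifies:", before)
    print("tampered image verifies:", after, "mismatched:", bad)
```

To use it on a real case, pass the image path and the digests from the acquisition log to `verify_image`; both MD5 and SHA-256 are checked by default, and a mismatch on either means the image can no longer be tied to the original acquisition.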