In this demonstration we'll take a look at how to use Autopsy to perform an analysis on a local hard drive. Now, to launch Autopsy after you've installed it, you can click on the Start button, type "au", and you'll see the Autopsy program. What you're going to do is right-click on the Autopsy program and choose Run as administrator. It wants to know, are you sure you want to run this as an administrator? Yes, and it'll launch our Autopsy program.

Now, while this is loading, I should mention that in this demonstration I'm performing the analysis on the local hard drive that's on the system. From a computer forensics point of view you would always perform the analysis from a copy of a suspect's drive; you would never perform the analysis directly on the drive. So typically what would happen is you create an image of the drive first, and then in Autopsy you would add the image as a data source.

So the first thing I'm going to do here is create a new case for us to work on. I'm going to type in the case name, so it's 2021827, and let's say this is the second case of the day, so _002, and then I choose Next. We fill in the case number, and maybe it's the same, so we'll do 2021827002, and then we fill in the examiner's information: the name of the person, their phone number, their email address, and any additional notes that you want to add about the case. Then I choose Finish.

Now, once I create the case, it's going to pop up with the Add Data Source dialog box. A data source is whatever it is that you're analyzing: is it going to be an image, is it going to be a local hard drive? So you can see here Disk Image or VM File is our first option, local hard drive is the second option, and you can also do things like add logical files if you wanted to. Now what I'm going to do here is cancel this, and I'm going to show you that at any point in time you can invoke that Add Data Source dialog box with the Add Data Source button up top on the toolbar.

I'm going to add the local hard drive, or local disk, and choose Next. Then I go and select the disk; I'm going to choose Drive 0 here. I should mention that if you did not run Autopsy as an administrator you won't have the local hard drives; you'll just have that Lexar disk in the list. So I'm going to choose OK here after choosing Drive 0, and then I'm going to go and choose Next.

Then it wants to know what ingest modules we want to go and execute. These ingest modules are used to parse through the drive and extract relevant data. So for instance, Recent Activity is an ingest module that'll go and retrieve things like their browsing history and that. So I'm going to leave all those selected, and I do want to stress that it does take a while for those ingest modules to execute and extract the data, and even when you get access to the data with Autopsy you will find that the ingest modules do run in the background. So I'm going to hit Next here, and what it's doing is processing the data source, and it's going to add it to the local database for analysis. And so after a little bit of time goes by, we'll have a hierarchical structure of the drive and its contents, and also the results of the ingest modules executing, for us to do our analysis. So this will take some time.

So because it does take some time for the ingest modules to execute and process and parse through all the data that exists on the drive, what I'm going to do here is switch over to an instance of Autopsy where I've actually been running those ingest modules for quite some time, so it has collected some information on my system. I just want to show you the types of information that you can see here with Autopsy.

So over on the left we do have our Data Sources, and you can expand out the physical drive that you've added as a data source and browse through the data on each of the volumes that exist on that physical drive if you wanted to. But also they have the Views, and with Views you can see things like deleted files if you wanted to, so it's a nice quick way to locate deleted files and to browse through the deleted files on the system. And then down below that we do have our Results, and the Results is where you'll find the extracted content that the ingest modules have parsed through on the drive and located.

So if I expand out Extracted Content, I just want to show you a couple of examples of the types of information that you'll find here. So for instance you can see the installed programs, and I should mention these numbers just changed in front of my eyes, and it's because down at the bottom you can see that we're 88% through executing those ingest modules. So it is going to take some time, and you may see these numbers adjust as I'm talking here as it parses through the content and collects more information. But I could select this and I could see a list of the installed programs that exist on the system, and that's important for an investigator because those installed programs will also let the investigator know where else they should be looking for information or evidence. Right, so there's a list of installed programs.

As I go through here I'll just highlight a few other things. So you can see operating system information; you can take a look at system user accounts, so if I go to Operating System User Accounts you can see the different usernames that are configured on the system, so that's very useful for investigators. You can see a list of recent documents as well, so you can see I have 249 recent documents. So when I select that node it's going to go and display, in a second here, a list of all the documents that have been recently used, and again that's very helpful to the investigator because now they can go search for evidence in those documents. You see your Recycle Bin there, so you can see the contents of the Recycle Bin, and any programs that the user has run as well.

Also down at the bottom here we have USB devices that have been attached, so you could go and select that and get a list of the devices that have been connected to the system. So here when I select this, in my example, you'll notice over here that I have a Logitech headset that's been connected as a device, the G35 headset. User content has been detected, so I can select that and I can see the different images that exist on the system, and then they also have a thumbnail view that you can use to view that content as well. So here you can just see it's a few pictures I have of our heat pump and the siding that was dirty that I had cleaned up.

We also have user accounts, like web user accounts; this is very useful, so you can see any websites that they've logged into. Down at the bottom here also we have bookmarks, we have the cookies and the cache from the browser, and any downloaded files from the web. We have form field addresses, so web form addresses that have been filled in, so we can see email addresses here that have been entered on the system; again that's very useful because a lot of times those are logon names to access stuff, so you can use that. Also we have the web form autofill, so the autofill feature for web forms; you can extract that data. And, very important, we also have our web history, so you can see the websites that the person has visited. That should refresh here in a second. Right, so there's some of the websites that have been visited, and then also you can take a look at the web search as well, so you can see any web searches that were performed. So lots of good information.

If I come down here, they also have email messages, so Autopsy could extract emails from the data source and allow you quick, easy access to the email messages as well. User accounts are there, so email accounts and phone numbers that the user is using. So if we go to Email, there's four email accounts that have been detected on this system in the data source.

So in this demonstration you saw how to use Autopsy to browse the local hard drive and locate evidence.
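The video's standing caveat is to analyze a copy rather than the suspect's drive, and to add that image to Autopsy as a data source. The script below is an added example, not part of the video or of Autopsy: it images a source drive to a raw file, hashes source and copy with SHA-256, and logs the case name and examiner the way the case wizard records them. It assumes POSIX sh with dd and sha256sum available; the case values in the usage line are constructed.

```shell
#!/bin/sh
# Added example (not from the video or Autopsy): raw-image a source drive,
# then verify the copy by SHA-256 before it goes into Autopsy as a
# "Disk Image or VM File" data source. Assumes POSIX sh, dd and sha256sum.

# sha256_of FILE -> prints only the hex digest
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# image_source SOURCE IMAGE
# Sector-by-sector copy. conv=noerror,sync keeps reading past unreadable
# sectors and zero-fills them, so offsets in the image still line up with the
# source. bs=512 limits any padding to one sector; a block device is always a
# whole number of sectors, so a clean read yields a byte-identical image.
image_source() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# verify_image SOURCE IMAGE CASE_NAME EXAMINER
# Hashes both files, appends a log line (UTC timestamp, case, examiner, both
# digests) to IMAGE.log, and returns 0 only when the two digests agree.
verify_image() {
    src_hash=$(sha256_of "$1")
    img_hash=$(sha256_of "$2")
    printf '%s case=%s examiner=%s source=%s source_sha256=%s image=%s image_sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$3" "$4" "$1" "$src_hash" "$2" "$img_hash" \
        >> "$2.log"
    [ "$src_hash" = "$img_hash" ]
}

# acquire SOURCE IMAGE CASE_NAME EXAMINER: image, then verify; nonzero on mismatch.
acquire() {
    image_source "$1" "$2" && verify_image "$1" "$2" "$3" "$4"
}

# Usage when run directly (constructed values):
#   ./acquire.sh /dev/sdb 2021827_002.dd 2021827_002 "examiner-placeholder"
if [ "$#" -eq 4 ]; then
    acquire "$1" "$2" "$3" "$4"
fi
```

The resulting raw image is what the Disk Image or VM File option in the Add Data Source dialog takes, and the log line gives you the hash to compare against after the case is loaded.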