By Paulo Pereira, DIFIR
I. Introduction
This article shows a forensic analysis using Autopsy 4.21.0. The SUSPECT.E01 file is a disk image (EnCase E01 format) used here as a case study; it is the evidence used in Belkasoft's X training and CTF challenge. The article is not intended to be a complete analysis of this image: the image contains a great deal of detail and an investigative complexity that would need more than one article. Instead, selected parts are analysed with the intention of showing how Autopsy is used.
II. Operating System Details
Forensic analysts often ask, "Where do we start?" The question has no single correct answer such as "start here" or "start with this evidence"; in practice, the analyst's expertise determines where an investigation begins.
Starting with the operating system (Figure 1) is a decision that helps the analyst identify the names of domain accounts, the structure of the accounts registered on the system, and the specific artifacts associated with the compromise of that system.
Figure 1: OS information
The suspect laptop is registered with the name DESKTOP-23PS6ES in the praivacymatrix.com domain (Figure 2).
Figure 2: Desktop name and domain account
Source: Autopsy output
The forensic analyst then asks a few additional questions:
- What user accounts are associated with this device?
- Is it a single account or more than one....
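To make the account question concrete, here is an added example (not code from the original article or from Autopsy) that classifies the SIDs Autopsy lists under the SOFTWARE hive's ProfileList key into service, built-in, local and domain accounts, so the analyst can answer "one account or several?" and "local or domain?" from a single listing. It assumes the machine SID has already been recovered separately (for instance from the SAM hive); the machine SID, account SIDs and profile paths in the block are constructed for illustration and are not taken from SUSPECT.E01.

```python
"""Classify Windows user profiles by SID (added example, not from the article)."""
import re
from collections import Counter

# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList holds one subkey
# per SID that has a profile on the machine; Autopsy's registry viewer exposes
# these SIDs together with their ProfileImagePath values.
PROFILELIST_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"

# Service accounts that always have a profile entry and are never human users.
SERVICE_SIDS = {
    "S-1-5-18": "LocalSystem",
    "S-1-5-19": "LocalService",
    "S-1-5-20": "NetworkService",
}

# Relative identifiers (RIDs) below 1000 are reserved for accounts Windows
# creates itself; accounts created by an administrator start at RID 1000.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",             # exists only in a domain
    503: "DefaultAccount",
    504: "WDAGUtilityAccount",
}
FIRST_USER_RID = 1000

# Machine SIDs and domain SIDs share the S-1-5-21-<a>-<b>-<c> shape; the last
# component of an account SID is that account's RID.
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def classify_sid(sid, machine_sid):
    """Return (kind, rid, well_known_name) for one profile SID.

    kind is one of: service, builtin-local, local, builtin-domain, domain, other.
    A SID whose S-1-5-21 prefix equals the machine SID is a local account;
    any other S-1-5-21 prefix belongs to a domain the machine was joined to.
    """
    if sid in SERVICE_SIDS:
        return "service", None, SERVICE_SIDS[sid]
    match = DOMAIN_SID_RE.match(sid)
    if not match:
        return "other", None, None   # e.g. S-1-5-80-... virtual service accounts
    authority, rid = match.group(1), int(match.group(2))
    scope = "local" if authority == machine_sid else "domain"
    if rid < FIRST_USER_RID:
        return "builtin-" + scope, rid, WELL_KNOWN_RIDS.get(rid)
    return scope, rid, None


def classify_profiles(machine_sid, profiles):
    """Classify every ProfileList entry; `profiles` maps SID -> ProfileImagePath."""
    entries = []
    for sid, path in profiles.items():
        kind, rid, name = classify_sid(sid, machine_sid)
        entries.append({"sid": sid, "path": path, "kind": kind, "rid": rid, "name": name})
    return entries


def summarize(entries):
    """Count profiles by kind; this answers 'one account or more than one?'."""
    return dict(Counter(e["kind"] for e in entries))


def human_accounts(entries):
    """Profiles a person could have logged on with: everything except service
    and unrecognised SIDs. Built-in accounts stay in, since Administrator or
    Guest are usable by a person and are common in compromise scenarios."""
    return [e for e in entries if e["kind"] not in ("service", "other")]


# Constructed sample input (hypothetical values, not from SUSPECT.E01): the
# machine SID as recovered from the SAM hive, and the ProfileList entries.
SAMPLE_MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_PROFILES = {
    "S-1-5-18": r"%systemroot%\system32\config\systemprofile",
    "S-1-5-19": r"%systemroot%\ServiceProfiles\LocalService",
    "S-1-5-20": r"%systemroot%\ServiceProfiles\NetworkService",
    "S-1-5-21-1111111111-2222222222-3333333333-500": r"C:\Users\Administrator",
    "S-1-5-21-1111111111-2222222222-3333333333-1001": r"C:\Users\localuser",
    "S-1-5-21-4444444444-5555555555-6666666666-1105": r"C:\Users\jdoe",
}

if __name__ == "__main__":
    found = classify_profiles(SAMPLE_MACHINE_SID, SAMPLE_PROFILES)
    for e in found:
        label = e["name"] or e["path"].rsplit("\\", 1)[-1]
        print(f"{e['kind']:15} rid={e['rid']!s:5} {label:22} {e['sid']}")
    print("summary:", summarize(found))
```

On a default, non-domain-joined Windows 10 installation the listing usually shows only the three service SIDs plus one or two local accounts with RIDs at or above 1000, so a profile whose prefix differs from the machine SID is the first evidence of a domain user logging on, and a built-in RID 500 profile is worth noting because the local Administrator is disabled by default. The machine SID is an input rather than something derived from the list, because a domain Administrator (also RID 500) could in principle have a profile on the workstation.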
Author
- Paulo Pereira is an independent malware analyst, cyber security professional and EXIN instructor.