Digital Forensic Analysis Using Autopsy 4.21.0

Oct 3, 2023

By Paulo Pereira, DIFIR

I. Introduction

This article shows a forensic analysis using Autopsy 4.21.0. The SUSPECT.E01 file is a disk-image case study used as evidence in the Belkasoft X training and CTF challenge. The article is not intended to be a complete analysis of this image: the image contains a great deal of detail and an investigative complexity that would require more than one article. Instead, selected parts are analyzed with the intention of showing the use of Autopsy.

II. Operating System Details

Forensic analysts often ask, “Where do we start?” This question has no single correct answer of the form “start here” or “start with this evidence.” Often, the analyst's expertise defines where an investigation begins.

Starting with the operating system (Figure 1) can be a decision that helps the analyst identify the names of domain accounts, the structure of the accounts registered in the system, and the specific artifacts that were used to compromise that system.

Figure 1: OS information


The suspect laptop is registered with the name DESKTOP-23PS6ES in the praivacymatrix.com domain (Figure 2).

Figure 2: Desktop name and domain account

Source: Autopsy output

A few additional questions come to the forensic analyst's mind:

  • What user accounts are associated with this device?
  • Is it a single account or more than one....
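The account questions above are usually answered from two registry artifacts that Autopsy surfaces from the SYSTEM/SOFTWARE/SAM hives: the machine's own SID and the ProfileList mapping of SIDs to profile folders. The following triage helper is an added example, not code from the article or from Autopsy; it assumes those two values have already been exported, and every SID and path in it is constructed for illustration (none come from SUSPECT.E01). It classifies each profiled SID as a well-known service account, a built-in local account, a user-created local account, or a domain account, which answers whether the machine carries one account or several and which of them belong to a domain.

```python
"""Classify Windows account SIDs found in a disk image's ProfileList.

Added example (not from the article or Autopsy). Assumes the analyst has
exported the machine SID and the ProfileList key
(HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList) from the
image. All values below are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Well-known SIDs that never vary between machines (service identities).
WELL_KNOWN_SIDS = {
    "S-1-5-18": "SYSTEM",
    "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-20": "NETWORK SERVICE",
}

# RIDs with a fixed meaning inside any machine or domain SID.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    503: "DefaultAccount",
    504: "WDAGUtilityAccount",
}

# User-created accounts receive RIDs starting at 1000; lower RIDs are built in.
FIRST_USER_RID = 1000


@dataclass(frozen=True)
class Account:
    sid: str
    kind: str          # "well-known", "builtin", "local", "domain" or "other"
    name: str
    rid: Optional[int]


def split_sid(sid: str):
    """Return (issuing-authority prefix, RID) for an S-1-5-21 SID, else (sid, None)."""
    if not sid.startswith("S-1-5-21-"):
        return sid, None
    prefix, _, rid = sid.rpartition("-")
    if not rid.isdigit():
        raise ValueError(f"malformed SID: {sid}")
    return prefix, int(rid)


def name_from_profile(path: str) -> str:
    """Last folder of a profile path is the best available account name."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1]


def classify(sid: str, profile_path: str, machine_sid: str) -> Account:
    """Decide what kind of principal a profiled SID is, relative to this machine."""
    if sid in WELL_KNOWN_SIDS:
        return Account(sid, "well-known", WELL_KNOWN_SIDS[sid], None)
    prefix, rid = split_sid(sid)
    if rid is None:
        return Account(sid, "other", name_from_profile(profile_path), None)
    if prefix == machine_sid:
        # Issued by this machine's local SAM: built-in if the RID is reserved.
        if rid < FIRST_USER_RID:
            return Account(sid, "builtin", WELL_KNOWN_RIDS.get(rid, name_from_profile(profile_path)), rid)
        return Account(sid, "local", name_from_profile(profile_path), rid)
    # Issued by some other authority: a domain controller's SID prefix.
    return Account(sid, "domain", name_from_profile(profile_path), rid)


def triage(profile_list: Dict[str, str], machine_sid: str) -> List[Account]:
    return [classify(sid, path, machine_sid) for sid, path in profile_list.items()]


def user_created_accounts(accounts: List[Account]) -> List[Account]:
    """Accounts a person (rather than the OS) created: local RID >= 1000 or any domain user."""
    return [a for a in accounts if a.kind in ("local", "domain")]


def domain_prefixes(accounts: List[Account]) -> List[str]:
    """Distinct domain SIDs seen, so the analyst knows how many domains touched the box."""
    return sorted({split_sid(a.sid)[0] for a in accounts if a.kind == "domain"})


# Constructed sample values (not from the SUSPECT.E01 image).
MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"
PROFILE_LIST = {
    "S-1-5-18": "%systemroot%\\system32\\config\\systemprofile",
    "S-1-5-19": "%systemroot%\\ServiceProfiles\\LocalService",
    "S-1-5-20": "%systemroot%\\ServiceProfiles\\NetworkService",
    "S-1-5-21-1111111111-2222222222-3333333333-500": "C:\\Users\\Administrator",
    "S-1-5-21-1111111111-2222222222-3333333333-1001": "C:\\Users\\jdoe",
    "S-1-5-21-4444444444-5555555555-6666666666-1105": "C:\\Users\\domainuser",
}

if __name__ == "__main__":
    for acct in triage(PROFILE_LIST, MACHINE_SID):
        print(f"{acct.kind:<10} {acct.name:<20} {acct.sid}")
    print("domains seen:", domain_prefixes(triage(PROFILE_LIST, MACHINE_SID)))
```

A profile folder only exists for accounts that have logged on interactively, so a domain SID in ProfileList is evidence of a logon, not merely of domain membership; the SAM hive is still the authority for which local accounts exist at all.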

Author

Paulo Pereira
Paulo Pereira is an independent malware analyst, cyber security professional, and EXIN instructor.
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023