Auditing your PC: Autopsy

Quick dive into forensics

Open source software has brought us a long way, and with no doubt forensics aren’t lagging behind.

Autopsy is a great tool for Windows-oriented environments. Autopsy enables the ability to tag files as “evidence, create reports, and more.

I chose Logical Files to inspect, and ended up with the results below. I’ve blurred out the directory, but the two on the right are tagged files. You can tag any files by right-clicking.

There are a few tools for Windows to inspect and recover files, but this is one of the first to be this simplistic. From their site:

  • Timeline Analysis – Advanced graphical event viewing interface (video tutorial included).
  • Hash Filtering – Flag known bad files and ignore known good.
  • Keyword Search – Indexed keyword search to find files that mention relevant terms.
  • Web Artifacts – Extract history, bookmarks, and cookies from Firefox, Chrome, and IE.
  • Data Carving – Recover deleted files from unallocated space using PhotoRec
  • Multimedia – Extract EXIF from pictures and watch videos.
  • Indicators of Compromise – Scan a computer using STIX.

View their site.

Generated report

Autopsy makes copies of tagged files, in this case “evidence.”

The picture above shows the generated report and Windows directory Autopsy creates.

Hope you enjoy!

Tagged: ,