Forensic data

Write protection

Write protection is a safeguard that ensures the data on a medium is not altered. You can read from it but not write to it. This guarantees that no timestamps are written to the medium.

When a medium needs to be secured according to best practice, it must be protected with write protection so that the evidence is not tampered with. That is what write protection is for.

If you do not use it, your system will write timestamps and thereby "contaminate" the evidence.

If for some reason you cannot perform a proper forensic acquisition, you have to start the device up and secure the evidence over a normal connection. It is important that what was done is documented accurately, preferably with witnesses, and you might even consider filming the session.

Things do not always go as planned, so this is the second-best solution you have to fall back on.

> Can't you plant evidence?
>> Yes, you easily can. It's simple: just connect the device to a system and copy data as with an external hard drive.
>> Hiding that it has happened... That is hard and, to my knowledge, not yet done by anyone!

Storage

How is data stored? This covers everything from the handover of the evidence to the digital and physical storage of the data. Where is the data located? Who has access to it? Is it locked securely in a room with a code lock and a log of who enters and leaves?

Exchange of data / images

How to exchange data between partners and authorities.

Autopsy

What is Autopsy?

Autopsy is a forensic framework that originated from The Sleuth Kit (TSK), which is well known in the Linux world. Autopsy is used worldwide by investigators in digital forensics. It offers a number of useful features such as carving data, extracting web cache and visited websites, reading data from registry hives, hashing data and comparing it with known files, and much more. It can do a lot; here I will cover the areas we need in the attack management course. You load data from image files, which are most often E01 (EnCase 01) and DD (Linux; stands for Data Definition*).

* Source: https://en.wikipedia.org/wiki/Dd_(Unix)
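The practical consequence of the write-protection and image-format sections above is that an image is checked before it is loaded into Autopsy: what kind of image is it, and does its hash still match the one noted at acquisition? The following is an added example, not part of the course material or of Autopsy; it assumes the EnCase E01 (EWF) signature bytes and the MBR boot signature as a heuristic for raw dd images, and builds its own tiny sample files (constructed data, not real evidence).

```python
import hashlib
import os
import tempfile

# EnCase E01 (EWF) segment files start with "EVF" 0x09 0x0d 0x0a 0xff 0x00.
EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"
# A raw dd image has no header; the MBR boot signature 0x55 0xAA at the end
# of sector 0 is only a heuristic for a whole-disk image, not proof of format.
MBR_BOOT_SIGNATURE = b"\x55\xaa"

def identify_image(path):
    """Classify an image as 'E01', 'raw (MBR)' or 'raw/unknown' from sector 0."""
    with open(path, "rb") as f:  # read-only: the image is never written to
        sector = f.read(512)
    if sector.startswith(EWF_SIGNATURE):
        return "E01"
    if len(sector) == 512 and sector[510:] == MBR_BOOT_SIGNATURE:
        return "raw (MBR)"
    return "raw/unknown"

def sha256_file(path, chunk_size=1024 * 1024):
    """Hash in chunks so multi-gigabyte images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def image_is_intact(path, acquisition_sha256):
    """True if the stored image still matches the hash noted at acquisition."""
    return sha256_file(path).lower() == acquisition_sha256.lower()

def demo():
    """Constructed sample data, not real evidence: a two-sector raw image and
    a file carrying only the E01 signature. Returns the four check results."""
    with tempfile.TemporaryDirectory() as d:
        raw_path = os.path.join(d, "sample.dd")
        e01_path = os.path.join(d, "sample.E01")
        raw = bytearray(1024)            # two zeroed 512-byte sectors
        raw[510:512] = MBR_BOOT_SIGNATURE
        with open(raw_path, "wb") as f:
            f.write(raw)
        with open(e01_path, "wb") as f:
            f.write(EWF_SIGNATURE + bytes(504))
        recorded = sha256_file(raw_path)  # hash as noted on the acquisition form
        before = image_is_intact(raw_path, recorded)
        with open(raw_path, "r+b") as f:  # one stray write, as an unprotected mount could cause
            f.write(b"\x01")
        after = image_is_intact(raw_path, recorded)
        return identify_image(raw_path), identify_image(e01_path), before, after
```

`demo()` returns `("raw (MBR)", "E01", True, False)`: a single written byte leaves the format detection unchanged but breaks the hash match, which is exactly what write protection is meant to prevent.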

Where do I get Autopsy?

Autopsy can be downloaded [free here](https://www.autopsy.com/). Run the installer and click OK on the popups that ask for Java and internet access.

Configuring Autopsy

There is not much to configure in Autopsy; it works right after installation.

You need to tell Autopsy where the output is to be saved. That folder will contain the data indexed during analysis and can take up a fair amount of space, several gigabytes, so make sure there is enough room if you run multiple investigations. It is also the output folder to which data is exported when you extract evidence from an image.

What are Ingestmodules?

Ingest modules are the automation built into Autopsy. They are modules designed to look for specific data, such as databases, GPS data, carved data (such as old deleted files), search history, etc.

There are a number of pre-installed ingest modules in the program that you can use right away. I would recommend that you take a look at the other modules one can download.

Github - Autopsy - Ingestmodules

From Autopsy
From Autopsy's ingest modules. AD1 is not supported by the default installation; it must be installed separately.

Plugins for Autopsy?

Download a module and copy it to

C:\Users\UserFolder\AppData\Roaming\autopsy\python_module

What kinds of investigations is it good for?

You can carry out a number of investigations, such as what has been searched for on the web; you can also search for malware, see which files have been accessed, and find encrypted containers and images.

What is important to know about Autopsy is that it takes training to use the program, because it requires you to know what you are looking for. Other software has developed search filters for different scenarios; it is often licensed software and costs a lot of money, since it requires a lot of development.

![](media/live/2022-01-29-22h32-57.png "Data source summary"){.center loading="lazy" width="450" height="308"}

  • What are the files on the secured image *

Add an image for study

Coming later

Try it yourself

You can play around a bit with Autopsy. Download one of the image files from the links below and let Autopsy index the files.

CFReDS is NIST's collection of reference files.

ENISA is ENISA's database of reference files.

A few tips

When you need to let Autopsy look through data, it is tempting to just select all the modules. I personally cannot recommend it, as it requires quite a lot of computing power and often takes a really long time to run a module through (depending on your hardware).

If you choose several modules, you may be lucky and it works. I have just experienced that they crash / stall and nothing more happens. It's a bit annoying to find that out after many hours of running.

I recommend that you take 1-3 modules at a time. Then the probability of a positive outcome is greater.