We covered Disk analysis and forensics using Autopsy. We extracted forensic artifacts about the operating system and uses. This was part of Disk Analysis & Autopsy.
Full blog post is here
What is a Disk Image?
A disk image file is a file that contains a bit-by-bit copy of a disk drive. A bit-by-bit copy saves all the data in a disk image file, including the metadata, in a single file. Thus, while performing forensics, one can make several copies of the physical evidence, i.e., the disk, and use them for investigation. This helps in two ways. 1) The original evidence is not contaminated while performing forensics, and 2) The disk image file can be copied to another disk and analyzed without using specialized hardware.
Disk Forensics Methodology
When performing an investigation on a disk, all we need is to parse the MFT to understand what exactly happened on the disk at the time of the attack: which files were modified, created, hidden, etc. The main advantage of directly parsing the MFT over simply mounting the partition using regular tools (mount on Linux) is to be able to inspect every corner of the sectors allocated to the system. We can thus retrieve deleted files, detect hidden data (Alternate Data Streams), check the MFT’s integrity, inspect bad sectors, get slack space, etc.
Disk Forensics with Autopsy
Before diving into Autopsy and analysing data, there are a few steps to perform; such as identifying the data source and what Autopsy actions to perform with the data source.Basic&workflow:
Create/open the case for the data source you will investigate
Select the data source you wish to analyse
Configure the ingest modules to extract specific artefacts from the data source
Review the artefacts extracted by the ingest modules
Create the report
We start by creating a new case or opening an already saved case. You can do that easily by following the wizard that pops-up once you open the program.
Room Answers
Room answers can be found here.