
Introduction to Caine



This is a gentle introduction to Caine Autopsy.

Remember: when you need to run something as the administrator, put the command "sudo" at the front of the command in question. However, there should be no need for this in this lab.

If things go wrong: There is no delete button in Autopsy, so if you make a mistake you have to get to a terminal prompt and delete it by hand. In Autopsy, return to the top screen, then at the command prompt visit /usr/share/caine/report/autopsy. Cases appear here as directories, and can be completely deleted using an administrator level

To delete a host from a case, delete the hostname directory from within the case directory, e.g.
Or just don't make a mistake!

Question 1: Create your first Autopsy report

Autopsy is a web-based investigation tool. Autopsy uses the concept of a case to allow you to manage images involved in an investigation. This activity will walk you through creating your first Autopsy case and adding an image to it.

  1. Start the Autopsy interface by accessing it through:
    1. Main Menu > Forensic Tools > Autopsy
  2. You may be asked for the super user password. This is the password you used to log in with.
Tests - not attempted
Autopsy running on port 9999 UNTESTED
  1. The main page gives you a set of options. You may have to scroll down in the browser in your vnc window to see the options. The options are:
    1. Open case
    2. New Case
    3. Help
  2. Now create your own new Case
    1. Click on New Case
    2. Type a new Case Name (no spaces, letters and numbers only). Make the case name "introduction"
    3. Give it a description
    4. Type your name into one of the Investigator Name boxes
    5. Click New Case
  3. Autopsy shows you that the Case File has been created. Check the locations displayed by Autopsy to ensure they exist:
Tests - not attempted
Case file exists for 'introduction' UNTESTED
Case file has a description UNTESTED
  1. Go back to Autopsy. Click on the Add Host button
    1. For each case you can add multiple hosts. A host can represent an entire disk, a disk image, a partition image, and so on.
  2. Give the host the name "host1", and add a description. Ignore the other options. We will deal with these in later labs. Click Add Host.
Tests - not attempted
Host file exists for 'host1' UNTESTED
  1. Each Host must be associated with an image. We are going to associate our host with the image fat-img-kw.dd
  2. Click Add Image File
  3. Type in the full path location of the file fat-img-kw.dd. It can be found in /images.
  4. Select the Type to be Partition.
  5. Select the Import method to Symlink.
  6. Click Next
  7. File System Details
    1. It should identify the File System Type as fat16. It will identify it as Mount Point C: - but this can be changed.
  8. In the Data Integrity option, select Calculate. Leave the other options and click Add
  9. Autopsy will now calculate the MD5 sum for the file you added.
    1. Make a note of the MD5 it produces. Click OK when it finishes.
Tests - not attempted
Image has been symlinked UNTESTED
Image parameters are correct UNTESTED

What was the md5 sum for this image file? Use uppercase hexadecimal.

Enter the md5 sum:

Tests - not attempted
Sum is correct UNTESTED
  1. Autopsy should return to the Case Gallery, which lists all the hosts added to the case, along with the associated image name.

Once you have managed successfully to get the image file loaded into Autopsy, go to the Host Manager Screen (Figure 1) and click on the Analyze button.

Figure 1: Select a volume

Once in the analyse menu, click on the Keyword Search button (Figure 2). Make sure ASCII and Unicode are selected.

Figure 2: keyword search

Enter the following search string into the text box: first

Click on the Search button. Autopsy will report that it is searching for both ASCII and Unicode strings.

Once it has finished searching, the side panel should look like Figure 3 (depending on the screen size - it may not have the scroll bar).

Figure 3: keyword found

Autopsy will report whether it finds the string for both ASCII and Unicode. Was it ASCII or UNICODE?

Tests - not attempted
Encoding found UNTESTED

Next to the result, click on the Hex link. In the right-hand pane, a hex view of Sector 271 should appear (Figure 4). Depending on your screen size, you may need to use the scroll bars to see the additional information.

Figure 4: keyword sector

What was the offset of the string you just searched for?

Enter the offset:

Tests - not attempted
Offset of string UNTESTED

What is the full path name of the file which contains this keyword? Specify it in the form DRIVE:/pathname, e.g. D:/mystuff.com. You get this from the metadata address link (again you may have to scroll in one of the frames).

Enter the path:

Tests - not attempted
File path of keyword UNTESTED
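
The Data Integrity and Keyword Search steps above can be cross-checked outside Autopsy. The following is an added example, not part of the lab or of Autopsy's own code: it assumes 512-byte sectors, treats "Unicode" as UTF-16LE, and runs on a small constructed image rather than fat-img-kw.dd; the function names are illustrative.

```python
import hashlib
import mmap
import os
import tempfile

SECTOR_SIZE = 512  # assumption: 512-byte sectors


def md5_upper(path, chunk=1 << 20):
    """Stream the image through MD5 in chunks; return uppercase hex."""
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest().upper()


def find_keyword(path, keyword):
    """Case-sensitive search of a read-only mapping; returns sorted
    (sector, offset_in_sector, encoding) tuples, one per hit."""
    needles = {"ASCII": keyword.encode("ascii"),
               "Unicode": keyword.encode("utf-16-le")}  # assumption: UTF-16LE
    hits = []
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as img:
        for encoding, needle in needles.items():
            pos = img.find(needle)
            while pos != -1:
                hits.append((pos // SECTOR_SIZE, pos % SECTOR_SIZE, encoding))
                pos = img.find(needle, pos + 1)
    return sorted(hits)


def build_sample_image():
    """Constructed 4-sector test image (not fat-img-kw.dd); returns its path."""
    data = bytearray(4 * SECTOR_SIZE)
    text = b"the first line"                      # ASCII hit in sector 1
    data[SECTOR_SIZE + 16:SECTOR_SIZE + 16 + len(text)] = text
    wide = "first".encode("utf-16-le")            # UTF-16LE hit in sector 3
    data[3 * SECTOR_SIZE + 100:3 * SECTOR_SIZE + 100 + len(wide)] = wide
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    sample = build_sample_image()
    print("MD5:", md5_upper(sample))
    print(find_keyword(sample, "first"))
    os.remove(sample)
```

Pointing both functions at the lab image instead of the constructed one gives an independent check on the values Autopsy reports.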


Linuxzoo created by Gordon Russell.
© Copyright 2004-2017 Edinburgh Napier University