Question Details

Can you help me with a work instruction document for Autopsy? In other words, simple instructions on how to install, set up and use Autopsy 4.1.1. Here is the link http://www.sleuthkit.org/autopsy/ There's info below.


Autopsy- Easy to Use

Autopsy was designed to be intuitive out of the box. Installation is easy and wizards guide you through every step. All results are found in a single tree. See the intuitive page for more details.

Extensible

Autopsy was designed to be an end-to-end platform with modules that come with it out of the box and others that are available from third-parties. Some of the modules provide:

- Timeline Analysis - Advanced graphical event viewing interface (video tutorial included).
- Hash Filtering - Flag known bad files and ignore known good.
- Keyword Search - Indexed keyword search to find files that mention relevant terms.
- Web Artifacts - Extract history, bookmarks, and cookies from Firefox, Chrome, and IE.
- Data Carving - Recover deleted files from unallocated space using PhotoRec.
- Multimedia - Extract EXIF from pictures and watch videos.
- Indicators of Compromise - Scan a computer using STIX.

See the Features page for more details. Developers should refer to the module development page for details on building modules.

There is currently an Autopsy Module Writing Contest going on right now before OSDFCon 2016. Start writing modules for cash prizes.

Fast

Everyone wants results yesterday. Autopsy runs background tasks in parallel using multiple cores and provides results to you as soon as they are found. It may take hours to fully search the drive, but you will know in minutes if your keywords were found in the user's home folder. See the fast results page for more details.

Cost Effective

Autopsy is free. As budgets are decreasing, cost effective digital forensics solutions are essential. Autopsy offers the same core features as other digital forensics tools and offers other essential features, such as web artifact analysis and registry analysis, that other commercial tools do not provide.

Autopsy Intuitive

Digital forensics tools should be intuitive and approachable so that they can be effectively used by non-technical investigators. Autopsy 3 uses wizards to help the investigator know what the next step is, uses common navigation techniques to help them find their results, and tries to automate as much as possible to reduce errors.

Several features were added to make sure Autopsy was easy to use for non-technical users:

- Wizards are used in several places to guide the user through common steps.
- History is maintained so that the user can use back and forward buttons to back track after they have gone down an investigation path.
- Previous settings are often saved with the modules so that you can more easily analyze the next image with the same settings as the last image.
- Autopsy's default view is a simple interface where all of the analysis results can always be found in a single tree on the left (screen shot). When the examiner is looking for something, he should immediately review the tree. He doesn't have to dig through menus or layers of tabs to find the information.
- Autopsy tries to be non-invasive with popups and messages from the background tasks that are running. The motivation for this is that you could be focusing on an investigation path based on some web activity or keyword search results. By having to deal with messages from background ingest modules, you could get distracted. The ingest inbox is where modules send messages. You can then open the inbox when you are ready to see the results, review what has been found since you last opened it, and choose which results to start focusing on.

Timeline Analysis

Timeline analysis is useful for a variety of investigation types and is often used to answer questions about when a computer is used or what events occurred before or after a given event. Autopsy contains an advanced timeline interface that was built with funding from DHS S&T. It pulls timestamp info from the following places:

- Files
- Web artifacts
- Other Autopsy extracted data, such as EXIF and GPS

It has two display modes. The first is a bar chart that answers questions about how much data occurred in a given time frame. This interface is less about details of what occurred, but rather how much occurred.

The second interface gives you details about events. It has a unique approach of clustering similar events together to prevent data overload. Many timelines will overwhelm the user when they bring in data from many sources because it is too much to make sense of. Autopsy has a unique approach of clustering events so that, for example, all files in the same folder are shown as a single event and all URLs from the same domain are shown as a single event. If the user wants to see more details about that folder or domain, then they can zoom into it. Otherwise, it is hidden.

Regardless of the display mode, you can view file contents in a variety of viewers and have full access to the tagging abilities from Autopsy.

You can see the timeline in action from our tutorial video:

A common question is if we will integrate with Plaso. The short answer is yes. The longer answer is that we need to do some more research first because our approach of using clustering to group similar items does not currently work for any arbitrary input type that we may get from Plaso. It is currently hard coded for the input types that Autopsy produces. We will be working on a more advanced clustering approach though so that we can leverage the parsing support from Plaso.

Keyword Search and Indexing

Autopsy uses the powerful text indexing engine Apache SOLR to power its fast and robust keyword searching features. Pre-defined lists of keywords and regular expressions can be configured to run while the image is being ingested. By default, Autopsy includes regular expression searches for:

- Email Addresses
- Phone Numbers
- IP Addresses
- URLs

In addition, ad-hoc keyword searches can be run directly from the content bar during an investigation after (or even during) ingest of the disk image. Multiple concurrent keyword searches can be run against the search index.

Instead of searching the raw data, keyword searching in Autopsy is performed on the output of text extraction modules. Autopsy uses Tika and other libraries to extract text from HTML, Microsoft Office, PDF, RTF, and more. This approach is more effective at finding text than the byte-level searching for non-English PDF files and docx files whereby the data is compressed.

Any results from the searches that are enabled (regular expression or user defined lists) will appear in the 'Keyword hits' node in the Autopsy navigation tree.

Thanks to Apache SOLR, all of the files Autopsy identifies that have text content in them will be indexed for searching by either the pre-defined regular expression lists, user defined keyword lists, or ad-hoc queries.

Web Artifact Analysis

Autopsy is configured to search for common web artifacts from today's major browsers, including:

- Firefox
- Chrome
- Internet Explorer

Autopsy extracts the following information and posts it to the blackboard:

- Bookmarks
- Cookies
- History
- Downloads
- Search queries

To make it easier to find this data, results from all browsers are merged together. So, if you want to see the user's history, go to the history node. You don't need to go through folders for different browsers before you can find the history.

These are all categorized and displayed automatically in the Autopsy tree view under the 'Results' node. This feature gives an investigator automated quick access to the application level details of what a user was doing via web browsers and could lead to additional keyword search queries and investigation hypotheses to explore.

Indicators of Compromise - Scan a computer using STIX.

Structured Threat Information eXpression (STIX): a structured language for cyber threat intelligence.

Analysis Features

Below is the list of Autopsy features.

- Multi-User Cases: Collaborate with fellow examiners on large cases.
- Timeline Analysis: Displays system events in a graphical interface to help identify activity.
- Keyword Search: Text extraction and index searched modules enable you to find files that mention specific terms and find regular expression patterns.
- Web Artifacts: Extracts web activity from common browsers to help identify user activity.
- Registry Analysis: Uses RegRipper to identify recently accessed documents and USB devices.
- LNK File Analysis: Identifies shortcuts and accessed documents.
- Email Analysis: Parses MBOX format messages, such as Thunderbird.
- EXIF: Extracts geo location and camera information from JPEG files.
- File Type Sorting: Group files by their type to find all images or documents.
- Media Playback: View videos and images in the application and not require an external viewer.
- Thumbnail viewer: Displays thumbnails of images to help quickly view pictures.
- Robust File System Analysis: Support for common file systems, including NTFS, FAT12/FAT16/FAT32/ExFAT, HFS+, ISO9660 (CD-ROM), Ext2/Ext3/Ext4, Yaffs2, and UFS from The Sleuth Kit.
- Hash Set Filtering: Filter out known good files using NSRL and flag known bad files using custom hashsets in HashKeeper, md5sum, and EnCase formats.
- Tags: Tag files with arbitrary tag names, such as 'bookmark' or 'suspicious', and add comments.
- Unicode Strings Extraction: Extracts strings from unallocated space and unknown file types in many languages (Arabic, Chinese, Japanese, etc.).
- File Type Detection based on signatures and extension mismatch detection.
- Interesting Files Module will flag files and folders based on name and path.
- Android Support: Extracts data from SMS, call logs, contacts, Tango, Words with Friends, and more.

Input Formats

Autopsy analyzes disk images, local drives, or a folder of local files. Disk images can be in either raw/dd or E01 format. E01 support is provided by libewf.

Reporting

Autopsy has an extensible reporting infrastructure that allows additional types of reports for investigations to be created. By default, an HTML, XLS, and Body file report are available. Each is configurable depending on what information an investigator would like included in their report:

- HTML and Excel: The HTML and Excel reports are intended to be fully packaged and shareable reports. They can include references to tagged files along with comments and notes inserted by the investigator as well as other automated searches that Autopsy performs during ingest. These include bookmarks, web history, recent documents, keyword hits, hashset hits, installed programs, devices attached, cookies, downloads, and search queries.
- Body File: Primarily for use in timeline analysis, this file will include MAC times for every file in an XML format for import by external tools, such as mactime in The Sleuth Kit.

An investigator can generate more than one report at a time and either edit one of the existing or create a new reporting module to customize the behavior for their specific needs.

Fast Results

As media grows in size, it takes longer to analyze all of it. Physics prevents us from getting all of the evidence before we get a cup of coffee, but Autopsy will tell you about evidence as soon as it knows it and will try to find the most relevant evidence first.

Autopsy has several features to get you evidence faster:

- Multiple ingest modules run in parallel to take advantage of multi-core systems.
- Time intensive steps can be disabled for a faster, but less thorough analysis (i.e. triage). For example, you can skip searching for orphan FAT files and skip analysis of unallocated space.
- User folders and files are prioritized over system folders and files.
- Results from ingest modules are, in general, given as soon as they are found. The ingest inbox provides feedback on what modules are reporting.
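The "Keyword Search and Indexing" passage in the question explains why Autopsy searches extracted text rather than raw bytes: a .docx is a zip archive, so a keyword inside it is deflate-compressed on disk and a byte-level search misses it. The following is an added example (not code from the question or from Autopsy) that builds a constructed minimal .docx in memory, shows the byte-level miss, extracts the text the way a Tika-style extractor would (unzip, read the w:t runs of word/document.xml), and runs the four default regex categories the text lists. The regular expressions are simplified stand-ins written for this example; they are assumptions and not Autopsy's actual patterns.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# The four default regex categories named in the Autopsy text. The patterns
# themselves are this example's simplified versions (assumption), not Autopsy's.
PATTERNS = {
    "Email Addresses": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "Phone Numbers": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "IP Addresses": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "URLs": re.compile(r"https?://[^\s\"'<>]+"),
}

# Real WordprocessingML namespace used by word/document.xml inside a .docx.
WORDML_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Constructed sample text that exercises all four categories.
SAMPLE_TEXT = ("Contact alice@example.com or call 555-123-4567; "
               "C2 at http://198.51.100.7/update from 10.0.0.5")


def build_docx(text: str) -> bytes:
    """Constructed sample: a minimal .docx (a zip holding word/document.xml)."""
    xml = (f'<w:document xmlns:w="{WORDML_NS}"><w:body><w:p><w:r>'
           f"<w:t>{text}</w:t></w:r></w:p></w:body></w:document>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", xml)
    return buf.getvalue()


def raw_byte_search(data: bytes, keyword: str) -> bool:
    """Byte-level search over the file as stored on disk (what a plain grep sees)."""
    return keyword.encode() in data


def extract_docx_text(data: bytes) -> str:
    """Text extraction step: unzip, parse the XML, join every w:t text run."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    return " ".join(el.text or "" for el in root.iter(f"{{{WORDML_NS}}}t"))


def keyword_hits(text: str) -> dict:
    """Run the default regex lists over extracted text; category -> sorted unique hits."""
    return {name: sorted(set(p.findall(text)))
            for name, p in PATTERNS.items() if p.search(text)}


if __name__ == "__main__":
    docx = build_docx(SAMPLE_TEXT)
    print("raw bytes contain the email:", raw_byte_search(docx, "alice@example.com"))
    for category, hits in keyword_hits(extract_docx_text(docx)).items():
        print(f"{category}: {hits}")
```

The deflate stream inside the zip never contains the ASCII of the keyword, so the byte-level check returns False while the same query against the extracted text finds every category; that gap is the reason indexing happens on extractor output.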

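The "Hash Set Filtering" item in the feature list describes two hash sets: a known-good set (NSRL) whose files are ignored, and custom known-bad sets that are flagged, with md5sum among the accepted import formats. The following is an added example (not code from the question or from Autopsy) that parses md5sum-format lists, hashes a handful of constructed in-memory files, and classifies each one. The two lists and the files are constructed for this example; the rule that a known-bad hash wins over a known-good one is this example's own policy, not a statement about how Autopsy resolves the conflict.

```python
import hashlib

# Constructed known-good list in md5sum format ("<md5>  <path>"), standing in
# for an NSRL-derived set. The first hash is MD5(""), the second MD5("abc").
KNOWN_GOOD_MD5SUM = """\
# constructed sample, not real NSRL data
d41d8cd98f00b204e9800998ecf8427e  /nsrl/empty-file
900150983cd24fb0d6963f7d28e17f72  /nsrl/windows/kernel32.dll
"""

# Constructed known-bad list in the same format; the hash is MD5("hello").
KNOWN_BAD_MD5SUM = """\
5d41402abc4b2a76b9719d911017c592  samples/dropper.exe
"""

# Constructed "files" (name -> content) standing in for files in an image.
FILES = {
    "empty.dat": b"",
    "kernel32.dll": b"abc",
    "dropper.exe": b"hello",
    "notes.txt": b"meeting at noon",
}


def parse_md5sum(text: str) -> set:
    """Read an md5sum-format list into a set of lowercase hex digests.

    Blank lines and '#' comments are skipped; anything whose first token is
    not 32 hex characters is rejected so a malformed list fails loudly.
    """
    digests = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest = line.split()[0].lower()
        if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"line {lineno}: not an MD5 digest: {digest!r}")
        digests.add(digest)
    return digests


def classify(files: dict, known_good: set, known_bad: set) -> dict:
    """Label each file 'known bad', 'known good' or 'unknown' by its MD5."""
    result = {}
    for name, content in files.items():
        digest = hashlib.md5(content).hexdigest()
        if digest in known_bad:          # example policy: notable hits win
            result[name] = "known bad"
        elif digest in known_good:       # would be hidden from the examiner
            result[name] = "known good"
        else:                            # still needs review
            result[name] = "unknown"
    return result


if __name__ == "__main__":
    good = parse_md5sum(KNOWN_GOOD_MD5SUM)
    bad = parse_md5sum(KNOWN_BAD_MD5SUM)
    for name, label in classify(FILES, good, bad).items():
        print(f"{name:14} {label}")
```

On a real case the known-good set comes from the NSRL and is far larger than what fits in memory as a Python set, which is why tools keep it in an indexed database; the classification logic is the same.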
 
