Welcome back, everyone. Okay, so I've gone through and processed the case, and this disk is, you know, not overly large, but also not very small. So it took, I think, on my computer, on this virtual machine that I'm running, about an hour, possibly. Okay. And what it's doing whenever it's processing is going through all of the data on the hard drive and trying to extract files, trying to get keywords, trying to pull out all the information it possibly can. So what does this data actually look like? Well, the first screen that you'll get in Autopsy, let me maximize this, the first screen that you'll get in Autopsy, if you click on the actual disk image that we've processed, first we can see the MD5 hash, the device ID, the time zone that we set, sector size, size in bytes, image, things like that. Okay. This is just information about the disk itself, the disk image. Okay. Now, if we look down here, this is a hexadecimal view of the entire disk that we are processing. All of this is the data that is stored, basically, on the disk. Yeah. So all of this is the data that's stored inside the disk. We store data basically in ones and zeros, and whenever we're looking at it to analyze it, we look at it in this hex view. This is called hexadecimal. This, at the left-hand side, is the address in the data file, so the point or the position in the data file that we're currently at. This information here is in hexadecimal format, and it is the raw data that's on the disk. Okay. Now, if we look on this side, this is the ASCII view of the raw data. Now, notice that sometimes you can see what look like sentences or words inside the ASCII view, and that's because ASCII characters show up. In Korean, for example, you're probably using UTF-8 or something like that, and those most likely won't show up, because this is showing a very, very simplistic view of the data.
So while we won't talk about it too much, basically what we can do with this is see different structures or gain pieces of information. So, for example, at offset 50, if I understand what f7c1 at offset 50 means, then that tells me something about the state of the rest of the data. So basically we have codes that tell us what each of these points of data means on a disk, and they can help us to make, or to get, more information out of the disk. So we won't do too much more with this. But if you want to be, let's say, an extreme investigator, especially if you're doing things like malware analysis or you're trying to write your own tools, most investigators have to look at this kind of level to be able to develop those kinds of tools. So that's hexadecimal viewing. I really recommend looking into it further. So on this left-hand side, we have a lot of different options available. We have Views, for example; we might want to see the deleted files in this. So, File System or All: we have quite a few deleted files. And remember, this was probably mostly pulled out partially with The Sleuth Kit, because on the back end of Autopsy it's running Sleuth Kit libraries, but also from PhotoRec. So PhotoRec and The Sleuth Kit are pulling out these things. Here we have, let's see, Starbucks buttons, we have some PNG files. You might not be able to actually extract any data, because the data might not be there. So the entry, whatever the file system is, the entry might still be available in the file system. It might be retrievable from the file system, but the original data might not be available. Or the data might be available on the disk, but the entry is no longer available in the file system. That's also possible. So there are a lot of different possibilities. You might be able to see, for example, the file name but not get the data, or vice versa. So here we have some PNGs that were apparently deleted or moved or whatever.
If we do the thumbnail view, it looks like we can recover some of the thumbnails. I'm not sure what. So we have a map here that could potentially be interesting. It's also called a DLL, so I'm not sure why this would be a DLL but show an image. Right. And then something else. Looks like Thailand, I think. So first off, we have this table view that actually lists all of the data. So there are a lot of files on here. And then we have the thumbnail view that just shows potential images, but it doesn't show us everything. We usually use the table view, and then the thumbnail view, obviously, if you want to look specifically for images. So these are all deleted files. Like I said, we might not be able to get all of the data. And it tells us potentially where these were actually located. So here we have this IMG, this E01 file; you can probably think of it like the C drive. So we know that this is a Windows image already, because it has Program Files (x86). Now, most likely this is a Windows image, because OS X and Linux do not have a Program Files folder; they store their data in a different structure. So we have this image, we have one of the volumes on the image, probably the C drive, we have Program Files (x86), and then in Java, Java Runtime, to Africa; all of that is the location that this particular file was in. We can, yeah, okay. So let's get out of deleted files, because basically there was no data, there was only information. Okay. If we go into Results, Results, Extracted Content, we can see Devices Attached. Now, this is a really interesting, I guess, point. Why do we care about the devices that are attached to the system? Now, let's first look at the device model. Okay. So we have this root hub, we have a keyboard, an optical wheel mouse, a hub, another keyboard, another keyboard. Let's see if we see anything interesting.
Another keyboard, which may or may not actually be a keyboard, but it looks like it probably is; a couple of different mice, a couple of different keyboards. Yeah. So actually a lot of different keyboards and a lot of different mice were plugged into this. That's not necessarily, well, that already kind of tells us potentially something about whether this was, you know, a desktop or not, or, yeah, I'm not sure. So you can also see that there's a date and time that these devices were attached. Okay. So this is potentially very interesting, especially if we're looking for, for example, USB sticks. Maybe somebody was copying data onto a USB stick. If they were, we want to know: was a USB stick attached, and what was the device ID? So if we get the USB stick, then we can get its device ID and see if that USB stick was actually associated with this computer. Or if we have the computer, we can say, okay, this product 4D22 was connected; let's go see if we can find it. What exactly is in it? It might be a USB stick. I'm not really sure what this Primax Electronics thing is. Okay. And then we can also say, okay, this device was attached on 2011-10-31. So Halloween, for some reason, relatively late at night GMT. Okay. But remember, the timestamp might be a little bit off. So, yeah. So think about what devices, from this, we can figure out what devices were actually attached and when the device was attached. And that can potentially tell us something about the user activities on the system. Now, the question for this week is: where is this data coming from? Okay. And you see this source file; the source file has all of the information. So what is SYSTEM? SYSTEM is the Windows registry. Okay. SYSTEM is a Windows registry file. Let's see if it comes up. Yeah. Okay. So SYSTEM is the Windows registry file, and it's located inside Windows\System32\config, and in this case RegBack; that's where it's pulling it from.
And we have the SYSTEM file, we have SOFTWARE, we have SECURITY, SAM; all of these are Windows registry files. And the Windows registry is basically a database of all of the activities that happen in a Windows system. A lot of digital forensic investigators don't really know a lot about the Windows registry, but for the ones that learn about the registry, it's actually full of information relevant to user activities. So learning more about the Windows registry and what kind of content is there is very useful for investigations. So it's coming from this single SYSTEM file, and this SYSTEM file contains a lot of information about the computer and the user who is using the computer. Okay. Right. So we were in attached devices. So SYSTEM: this is all coming from the Windows registry, specifically the SYSTEM hive. Okay. This tells us basically when and what the user was connecting to a computer. And it's a very good starting point if you think that somebody's been stealing data, or maybe somebody attached a USB stick and then installed a virus or something like that. Okay. EXIF metadata, we've already talked about a little bit before. So these are all of the JPEG images that have EXIF metadata associated with them, or at least have the tag for EXIF metadata. If we load it, it's obviously a JPEG image; we can see it in the viewer. If we look at the hex viewer, we have JFIF, and this basically tells us that it's a JPEG image. If we look at the hex view, this FF D8 FF E0 is a good indication that this is a JPEG image, basically this whole line here. And then we have Digital Vision, Getty Images. We have a lot of information that we can actually read: copyright. All of this information that we can read past JFIF, past here, everything here basically is EXIF data. So we have description, we have signature, and then I think, I'm not sure, but I think the actual image starts around here. I think so. Okay.
So basically inside the data, the beginning of the data is extra information, or extra metadata; we call it metadata. And it's before the actual image data. But if we look at Media, you see that it doesn't affect the image at all. So it's all in there, but it doesn't affect the image. If we look at Indexed Text, this is the text that's been indexed by Autopsy. It's not very interesting, because it's an image. If we have Results, this is just results about the file. If we say File Metadata, then we can see the times on the disk. So all of these JPEGs have some type of metadata, EXIF information, associated with them. This one specifically has the camera, so device model, device make: Nikon 7000, Nikon Corporation. So you can already tell these are different than this one. So what exactly is this? If we go into Results here, EXIF, yeah, okay. So Results, sorry, I missed the tab Results. So if we click on the Results tab, we can see the EXIF metadata Date Created. Now this is the date created from EXIF metadata. If we go to File Metadata, notice this is 2011-113. This is 2011, created 2011-119. So the results inside metadata, this was the time that the camera added the date, whereas file metadata is the time that it was created on the computer's file system. So metadata is very interesting to us, because there's metadata of the computer, the file system, and the file system basically keeps track of files itself, but there's also metadata inside some types of files. In this case, it's called application metadata. So this date created is different than the date created on the disk. So this is basically the first time that the computer saw this image, 2011-119. This is the time that the image was actually taken, 2011-113, okay. Yeah, and then Nikon Corporation, D700.
So we know that we're looking for a Nikon D700, and we know that this image was taken at 113 2011, and we know that these people were together at that particular time, assuming that that time is actually correct, okay. So metadata can tell us a lot of things. Most of these other ones don't have any interesting metadata, I think. Yeah, just date created. That's pretty much it, right. Okay. So next, EXIF metadata, Extension Mismatch Detection. Remember, we found, we looked at it before. So a lot of times you'll have, yeah. So here we have zip files, but they're RAR compressed. And that could just be because the application that created them was probably, maybe, WinRAR or something like that, but it has the extension .zip. So these look like, to me, they look like false positives, but I'm not necessarily sure. We would basically extract each of these, so we could extract them. If we click on one, we're not sure about it. If we right-click on it, we can extract files and save the file outside. Now, this is another important point. If we extract the file, so I'm going to extract it, just for example's sake, I'm going to save it to the desktop. Okay. So I've saved this file to my desktop. Now I have, where'd it go? Now I have this zip file on my desktop. This zip file is from a suspect system. So if I double-click on the zip file and open it up, then if there's a virus in this file, my forensic workstation is now compromised, probably compromised, right? So we don't extract files and open them up directly. You should use a protected system, maybe a virtual machine or something like that, and open up the file in the virtual machine. I think if we double-click on it, we can actually go into the file. So let's say, these are actually in the LiveUpdate. Yeah. So it looks like ProgramData, Symantec, LiveUpdate, Downloads. So this looks like it's probably a Symantec, maybe an antivirus download. Let's try to open it up. Yeah.
So we can actually open up the zip file inside Autopsy and then see what's inside of it. Do not extract something and try to open it up. If you do extractions and you try to open them, make sure you're opening any files inside a protected, maybe a virtual machine, or just make sure you're protecting your forensic workstation in some way. Do not execute code from the suspect's computer. So, extension mismatch detection, going down. We have this text/html, looks like an HTML file, but it has a JavaScript extension; probably not a big problem. So we have what look to be a lot of probably false positives. A false positive is: it looks like it's something, but it's actually not. So it looks like there are a lot of false positives here. What we're most likely interested in are, well, I'd maybe be interested in those. Why is that? So we'd be interested in something like images, videos, possibly some of this stuff I would go and look at, but a lot of it looks like it's probably not a big deal. So extension mismatch, basically this is just a filter that tells us, hey, these files are potentially suspicious; now you go through and look at them. Depending on what type of case we were looking at, I might go through each of those just to make sure, but, you know, in this case, maybe not. Okay. Installed Programs. So, yeah. Okay. So extension mismatch, where is this data actually coming from? And the source file is actually just files on the computer. So it's coming from the file system itself. We scanned the entire file system. Installed Programs. Where is this coming from? Well, again, just like before with the devices attached, we had the SYSTEM registry hive; here we have the SOFTWARE registry hive. So we're using the same program. I believe it's RegRipper. I think they're using RegRipper to parse out the Windows registry. And this is the SOFTWARE hive.
This is also the Windows registry, to extract all of the different programs that are installed on this computer. Okay. So this is interesting, because we want to know what types of programs were installed on this computer. We could go through and just open up the disk. So let's say volume, let's say volume four, open up the disk, and then go into Program Files, and then go through and look here. But this might not tell us everything. Maybe somebody installed something in a different directory. So this SOFTWARE hive tells us everything that's been installed. Now, there could be some programs on the computer that aren't installed but that you can still run. But this gives us a good idea of everything that's already installed in the system. So this can tell us a lot about the user and the type of user that we're dealing with. Operating System Information. Where is this data coming from? Well, the SYSTEM registry hive and the SOFTWARE registry hive. So here we have the name of the computer, the domain. So now we have nps.edu. Okay, that might be interesting. We have the version, which is Windows NT. So we know that it's, you know, I think it's Windows XP or above, or Windows 2000 and above, I should say. Processor architecture, AMD64. So we know it's probably not a Windows XP system; it's probably newer than that. System root. So the temporary files directory is SystemRoot\Temp. Okay, that could be interesting. Data source: the disk image that we're processing. Program name: Windows 7 Professional. Okay, so now we know that we're dealing with a Windows 7 computer. Date and time, I believe, of install was 2011-06-10. Okay, 2011-06-10. Yeah, and then the path; the path is C:\Windows. So we know that whatever the C drive was, we have the system folders in Windows; this is the system drive. Product ID. Okay, and owner ITAC 3, whoever that is; we could look that up. And organization is NPS.
So now we have some information about the user, or the organization that this computer should belong to, or where it came from. We also know that it's a Windows 7 computer, so we know a little bit about what to expect from the system itself. Okay, so this is all coming from, again, the Windows registry. Operating System User, yeah, Operating System and User Accounts. We have a couple here: index.dat. This is associated with, basically, Internet Explorer. So index.dat is associated with Internet Explorer. So they've parsed out Internet Explorer. They found Barenjee, local admin. I'm not sure. Looks like some Google MT1, I'm not sure. And then local admin, and then RM admin, and Kana. Basically these are websites, I think, that got put in there. But I think the username, so username, maybe there's a username in this string somewhere. But basically the usernames are Barenjee and local admin, RM admin. Yeah, that looks right. Okay, so this is coming from Internet Explorer information in index.dat. If we double-click on it, then it shows us this index.dat is in the History.IE5 folder. So I won't go through this entire listing, but basically Users, this Barenjee user, right, inside AppData\Local\Microsoft\Windows, all the way down into History.IE5, it shows us index.dat. Okay, so I'm going to go back. Okay, then next is some information coming from SOFTWARE. So this is the Windows registry. And this is really the one you should trust, because SOFTWARE contains the user accounts on the system. Yeah, okay, so then we have a system profile, that's a default; then local service, default; network service, default; test, non-default; RM admin, non-default; local admin, I believe, is also not default; and then Barenjee is also not default. So we can see the user IDs, we can see the user names that have been on the system, and their path, the path to their profile.
So at their profile, there's also a registry hive called NTUSER, related to that user's activities. Okay, so here we now know all of the user names in the system. I'm kind of wondering why these user names are in the system, but we would have to investigate that: why are these user names in there? So this is coming from the SOFTWARE registry hive. We have more from index.dat: Barenjee, RM admin. Okay, so RM admin and local admin and Barenjee look like they were doing something. SOFTWARE looks the same; network service is default. Yeah, so it looks like we basically have the same user names; we know a little bit about them and the path for those users. Okay, let me close this up. Next, Recent Documents. This is coming from a lot of different places. Basically, recent documents: yeah, just when something was last run, date and time, data source for when things were run. We have DoD.txt, we have DoD.lnk; the date and time for the link was relatively recent. Okay, so if we click on a link, the timestamp for that link gets updated, and that's why it's showing this. Okay, so we have a bunch of different links that were created. Where were these created? License, let's see, DoD.lnk. Yeah, so inside this Microsoft\Windows\Recent. So in the Recent folder, a link is created whenever we open up a file. So if I open up DoD.txt, this DoD.lnk would be automatically created inside the Recent folder. Now you can clear it out, but they obviously didn't. Where is this connecting to? Well, this allele recon birds DoD.txt. Okay, looks like it's a, yeah, a network share. So this computer has been connecting to some share, some network, and that has shared information with this computer. Okay, so there are some interesting things here. All of these are shares, basically. So we might be looking at going back and trying to acquire a server or something like that. Okay, recent documents.
So these are coming from a lot of different places, but mostly those Recent folders, but there's more; basically, they can come from web bookmarks. Web Bookmarks, this one's coming from probably Mozilla Firefox, right? So SQLite, I think, is coming from Firefox. Yep, Mozilla Firefox profiles. So from Mozilla Firefox, you have this database, and SQLite is a small database, and it gets all of the recent activities out of this database. Okay, so they were going to BBC. They were trying to go to local addresses, more BBC, Microsoft. Now these are coming from, probably, links inside recently accessed. So, Favorites. Okay, these are the favorites. So we can see the user's favorites; we can see more from Mozilla, BBC. Yeah, okay, so this basically goes through each of these. So these URLs: if we click on any one of these that we're interested in, we can see, okay, this is coming from Users, baron g, Favorites, Links, websites gallery. Okay, so this is coming basically from links, the favorites links, which may be default or they may have added places. The SQLite is coming from AppData\Roaming\Mozilla\Firefox\Profiles, right? So just be aware of where this data is actually coming from. And what is it telling you? Well, in this case, it's telling you where they visited, but also the date that they visited it. Okay. Web Cookies, very similar. Cookies basically help to save information. So cookies are used to save information about users from sites. They're very useful, because if we can get cookies, we can potentially get things like passwords or locations or when people were accessing things. So yeah, cookies are interesting. So here we have a bunch of cookies from SQLite; that's also the Firefox profile. All of these are from Firefox. This one's from Internet Explorer. So Internet Explorer and Firefox were used. And it looks like it's once from admin, RM admin, baron g, local admin.
So we can go through and we can see all of the different people that have been going to different sites, and what cookies have been set for them. Now, cookies can be set for a particular domain even if you don't go there. If you go to a website that maybe has advertisements from some domain, then they can set cookies as well. So where are these things coming from? Well, one's coming from the AppData folder, one's coming from the Firefox SQLite database again. Web Downloads: downloads.sqlite. This is also coming from Firefox. We can see that it looks like Adobe Flash Player was downloaded and installed in the baron g account. So baron g is probably the main user, and then maybe other accounts were created to do something else. I'm not sure. Web History. Yeah, sorry, this was Web Bookmarks, not Web History. So all of these were coming from bookmarks in Firefox and Internet Explorer. Web History is the actual browser history, basically coming from the same locations. It's going to be a SQLite database, as well as web history inside the Windows registry, as well as, yeah, so places.sqlite, that's going to be Firefox again, located in the user's directory; index.dat is Internet Explorer, all of the different locations they've gone to. Let's see if we can see anything else. Yeah, so basically everything is coming out from places.sqlite, which is Firefox in the user's application directory, or index.dat. So not a lot more information. Web Searches: we can also potentially see what searches have taken place. Here we have places.sqlite, this is coming from Firefox; we have hotmail setup and outlook, hotmail, PGP. So if we see PGP, we know that they're interested in security. That's a security tool. So we might be looking for some type of encryption. KB245030: this is basically a knowledge base. We would have to look up what that actually is, but it's probably related to Dell support. Okay, so nothing else really looks too suspicious, I guess, inside Firefox.
Let's look at index.dat. DoD warning banner, regedit home page. So somebody here, regedit home page, they know about regedit, which means they might know how to modify their Windows registry. Somebody was looking for Bangkok, can't encrypt emails with PGP. So this might mean that they're trying to encrypt it for emails; they might try to, you know, who knows what they're trying to encrypt. But we know we're probably having to deal with encryption, which means we might want to look for a PGP key. Samet Sun, they're searching for somebody, I'm not sure why; searching for Bangkok; DNS flush, potentially interesting; again, more of the same. Yeah, okay, so we have a pretty good idea of what they were searching for. Now we would have to do some research on what these different search terms are, because we don't know. But web search can tell us a lot about what the user was intending to do. Yeah, okay. Email Addresses. Remember, we were talking about search terms. So a lot of these look like email addresses, but they probably won't be. There are a lot of false positives, usually, in the emails, because we're looking for patterns, not for a specific email. Okay, so this tattoo motive two at 008.d possibly could be security creep photographer. Yeah, maybe not. So we would have to go through and actually look at this one. So Betty Melick, usma.edu, that's probably a real one, right? So what file is that associated with? Well, this hiberfil, it looks like it's probably part of the Windows system itself. We would have to look into it more. But basically, this gives you a really quick, let's say, overview, I guess, of emails. If you sort it by files with hits, then testdeal.hotmail.com is the top hit. So the more hits you have, the more likely it is to be, obviously, an email. So all of these top ones look like a real, yeah, probably a real email address, or maybe not a real email address, but at least a correct and used-multiple-times address.
Okay, let's see if we can find anything in Accounts. Now, we haven't set up anything in terms of interesting items; we didn't set any filters. Email Messages: let's see if there's a user. Yeah, so there's an Outlook PST. So the Outlook PST was parsed, which means that we can search; we can do keyword searches over basically every file. So exact match, let's say test_deal; let's say I want to find test_deal. First, I'll show you test_deal. Okay, so if we click on test_deal, this is coming from the Outlook PST, and that is in, if we double-click on it, that is in the Outlook folder inside Microsoft Outlook, Outlook.pst. So that's the default location for Outlook. Let's click on it, test deal; then we can see the original headers, as well as the message itself, which isn't apparent; that's the message ID. This is the message; it looks like an actual HTML document. So date received, date sent; we can see basically the entire email, as well as a lot of other information about it. Okay, so let's imagine that we go down; I can see all of the communications. So test deal, actually, we got a lot. So I'm going to search for test_deal, go up to this keyword search, and do, I want to do an exact match for test_deal. Okay, we can do exact match, substring match, or regular expression; a regular expression is a pattern, basically. I can type, hit search. Ah, yeah. So I need to do, actually, test_deal. And then, instead of exact match, substring match, because it was test deal underscore something else, right. So instead of that, I'm going to search for test deal. Yeah, so now it's searching through everything. So this was just a quick overview of the different types of information you can get, and where they're pulling all of this information from.
So what I really would recommend that you do is open up Autopsy, get an image of maybe even a real computer, analyze your own disk; just don't delete everything. So analyze, you know, a virtual machine or something like that, and see what kind of files you can get out, or what kind of information you can get out, and try to figure out where this information is coming from. So basically, on all of these, if you just double-click anywhere, so I'm running the search now, so it's going to take a while. So if you just double-click anywhere, then it will take you directly to the folder that contains the file that you double-clicked on. Okay, so try to go through, and for the default settings, figure out where the data is coming from, what information can I get, and where is it located? Why is it located there? Okay, so, for example, we have this config folder, and it also has the Windows registry, but this RegBack folder also has the Windows registry. So there are lots of different places we can get more information from. So, everything that you see here, there's still much, much more that we can dig out. And there are tools that can help us dig it out. But if you don't know where to look, you won't be able to find it. Okay, so that's an overview of Autopsy and where to find potential evidence from the basic modules. Thank you very much.
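Two of the points the lecture makes, extension mismatch detection by file signature (the RAR archive carrying a .zip extension, the HTML file with a .js extension) and the JPEG layout in which JFIF and EXIF metadata sit before the actual image data, as an added Python example; this is not Autopsy's code or the lecturer's, and every file name and byte string in it is constructed inline for the demonstration.

```python
"""Added example (not Autopsy code): signature-based extension-mismatch check,
plus a JPEG segment walk showing JFIF/EXIF metadata sitting before image data."""
import struct
from pathlib import Path
from typing import Optional

# Leading byte signatures ("magic numbers") for the types the lecture mentions.
SIGNATURES = [
    (b"\xff\xd8\xff", "image/jpeg", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "image/png", {".png"}),
    (b"PK\x03\x04", "application/zip", {".zip"}),
    (b"Rar!\x1a\x07", "application/x-rar", {".rar"}),  # RAR4 and RAR5 share this prefix
]
HTML_PREFIXES = (b"<!doctype html", b"<html")

def detect_type(data: bytes) -> Optional[str]:
    """Return a MIME type from the leading bytes, or None if unrecognised."""
    head = data[:16]
    for magic, mime, _ in SIGNATURES:
        if head.startswith(magic):
            return mime
    if head.lstrip().lower().startswith(HTML_PREFIXES):
        return "text/html"
    return None

def expected_extensions(mime: str) -> set:
    for _, known, exts in SIGNATURES:
        if known == mime:
            return exts
    return {".html", ".htm"} if mime == "text/html" else set()

def find_mismatches(files: dict) -> list:
    """files maps name -> content. Returns (name, extension, detected type) for every
    file whose signature disagrees with its extension; unrecognised content is skipped."""
    hits = []
    for name, data in files.items():
        mime = detect_type(data)
        if mime is None:
            continue
        ext = Path(name).suffix.lower()
        if ext not in expected_extensions(mime):
            hits.append((name, ext, mime))
    return hits

def jpeg_segments(data: bytes) -> list:
    """Walk marker segments from SOI to SOS (start of scan). Returns
    (offset, marker, length, label); the compressed image follows the SOS header."""
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG: no SOI marker")
    segs = [(0, 0xFFD8, 2, "SOI")]
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos:#x}")
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes its own 2 bytes
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xFFDA:
            segs.append((pos, marker, length, "SOS (image data starts after this)"))
            return segs
        if marker == 0xFFE0 and payload.startswith(b"JFIF\x00"):
            label = "APP0/JFIF"
        elif marker == 0xFFE1 and payload.startswith(b"Exif\x00\x00"):
            label = "APP1/Exif (application metadata)"
        else:
            label = f"marker {marker:#06x}"
        segs.append((pos, marker, length, label))
        pos += 2 + length
    raise ValueError("truncated JPEG: no SOS marker found")

def _segment(marker: int, payload: bytes) -> bytes:
    return struct.pack(">HH", marker, len(payload) + 2) + payload

# Constructed minimal JPEG: SOI, APP0/JFIF, APP1/Exif (bare TIFF header), SOS, EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xFFE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xFFE1, b"Exif\x00\x00" + b"MM\x00\x2a\x00\x00\x00\x08" + b"\x00\x00")
    + _segment(0xFFDA, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x00" * 8 + b"\xff\xd9"
)

# Constructed files mirroring the lecture: a real JPEG, RAR data with a .zip
# extension, HTML with a .js extension, and two files that should not be flagged.
SAMPLE_FILES = {
    "DSC_0001.jpg": SAMPLE_JPEG,
    "liveupdate.zip": b"Rar!\x1a\x07\x00" + b"\x00" * 24,
    "menu.js": b"<html><body>not script</body></html>",
    "notes.txt": b"plain text, no signature to check",
    "archive.zip": b"PK\x03\x04" + b"\x00" * 26,
}
```

Running `find_mismatches(SAMPLE_FILES)` flags only liveupdate.zip and menu.js, and `jpeg_segments(SAMPLE_JPEG)` lists the JFIF and Exif segments at offsets 2 and 20 with the scan data starting after the SOS marker at offset 40.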