 Welcome back, everyone. I had a request to list all files and folders along with metadata recursively using autopsy so you can load it into a spreadsheet for detailed time analysis. And this actually, we do this quite a bit in forensics. Timeline analysis is a really powerful way to get an understanding of what's going on in whatever system you're looking at. So I thought I'd do a video about it showing how to basically export file metadata, all of the files and folders, and the metadata associated with those files and folders in autopsy. So I already have a case loaded up and I have actually an image of a Samsung Note 2. And once you have the image loaded up and all of the ingest modules have run, you just have to go to, I believe it's Tools, Tools and Generate Report. Now, before I generate report, I want to show you a quick timeline. So autopsy does have a built-in timeline tool. And it's not bad for getting to know what's going on in the system if we go to Counts. Then we can see file access times and we can zoom in by year, for example. In 2017, I know this phone was not used until April, actually, so if my slow computer will load this. So basically, what we can do here is use this timeline view built into autopsy and it's relatively powerful. We can do a lot of queries and we can also see the files and file metadata associated with those files based on the timeline. So you might want to use this already built into autopsy, pretty good little tool. If you don't want to use that, however, because there are other tools that are very good for timeline analysis, then you might need to export the files and file metadata. So to do that, we can go to tools and generate report. And there's two main reports that I guess we'll focus on here. The results report, of course, would be if we were doing the investigation in autopsy, but we are going to do first off files and files text. If we select files and text, then click Next, then we can select all of the different file metadata that we want. I'm just gonna select all for now and then click Finish. And then it exports it into wherever we created our case file in autopsy, whatever that directory is, you'll find a reports directory. And inside that reports directory, you will get an individual folder created with the time that you created the report and then something called in this case file report because we did a file report. Let me show you what that looks like. This is my case folder on my host workstation. So I have here just a test folder. And inside this, this has case 001 FB test. And then this is actually the autopsy case folder. And inside the autopsy case folder, automatically generated is this reports folder. Inside the reports folder are all of the reports that I've run. And this is the report, just a text file, which should be tab separated, a tab separated text file called file report that will contain the file list and all of the metadata. Okay, so before I actually show you what's in that, I want to talk about another type of export or report that we can create. So go back to generate report and TSK body file and then click Finish. And it will export what's called a body file from the Sleuth kit. And body files are basically used, supported by a lot of different timeline analysis programs to generate timelines with a body file. The structure is a little bit different. Let me show you the difference between those now. So here is the file report that is exported. And basically it just has the file name, file extension, if we can detect it, the file type, whether it's deleted or not, last access, created, modified time, as we would expect, the size. See address information, hash value. I didn't calculate known status. If you have your hash database, if you have your hash databases loaded into autopsy, then it will show the hash status, permissions and then the full path. So that has, yeah, basic information about the file and whether hashes match the size, the timestamps related to it, okay? So this is the file report that we exported, the first one, if we select all of this information. And then the body file, okay. So this is the body file format and basically this first column should be the MD5 value. But again, I didn't calculate MD5 hashes for this so it doesn't show the MD5. And next is the name. The name of, in this case, this is a folder and then this looks like, so for example, zero zero zero three dot PRV, this is a file. Let's see, so we have MD5 name and then this should be the iNode column, the iNode that it's detected on. And then basically the permissions, whether it's a directory, whether it's a file and the permissions that are on there, the UID, the GID size and then A time, M time, C time and CR time. So basically the time values. Now, yeah, okay. So I'll actually make another video on specifically what the body file is about and what all of this means. But if you have any experience with generating timelines, body file is supported by a lot of different time-lining programs. So they actually give a little bit different information. So you might just be aware that both of these different file types exist or report types exist that you can export and then import into whatever program you actually want to analyze it in. Notice that I've loaded both of these into LibreOffice Calc, which is basically kind of like Microsoft Excel. So if you wanna do your analysis, I don't know in Excel, you certainly can. But there's a lot of, again, good timeline analysis programs that you could use with this as well. So that's very basically how to export a full list of files and the file metadata into essentially two different formats depending on what your needs are. So I recommend you have a look at tools, generate reports and then files, text and TSK body. Yeah, so that's it for today. Thank you very much. If you liked this video, please subscribe for more.