Welcome back, everyone. Okay, so I've gone through and processed the case, and this disk is, you know, not overly large, but also not very small. So it took, I think, on my computer, on this virtual machine that I'm running, maybe an hour, possibly. Okay? And what it's doing whenever it's processing is going through all of the data on the hard drive and trying to extract files, trying to get keywords, trying to pull out all the information it possibly can.

So what does this data actually look like? Well, the first screen that you'll get in Autopsy (let me maximize this), the first screen that you'll get in Autopsy if you click on the actual disk image that we've processed: first we can see the MD5 hash, the device ID, the time zone that we've set, sector size, size in bytes, image things like that. Okay? This is just information about the disk itself, the disk image.

Okay, now if we look down here, this is a hexadecimal view of the entire disk that we are processing. All of this is the data that is stored, basically, on the disk. We store data basically in ones and zeros, and whenever we're looking at it to analyze it, we look at it in this hex view. This is called hexadecimal. This, at the left-hand side, is the address in the data file, so the point or the position in the data file that we're currently at. This information here is in hexadecimal format, and it is the raw data that's on the disk. Okay, now if we look on this side, this is the ASCII view of the raw data. Now notice sometimes you can see what looks like, you know, sentences or words inside the ASCII view, and that's because ASCII characters show up. In Korean, for example, you're probably using UTF-8 or something like that, and they most likely won't show up, because this is showing a very, very simplistic view of the data.
So, while we won't talk about it too much, basically what we can do with this is see different structures or gain pieces of information. So, for example, at offset 5.0, if I understand what f7c1 at offset 5.0 means, then that tells me something about the state of the rest of the data. So basically we have codes that tell us what each of these points of data mean on a disk, and they can help us to make, or to get, more information out of the disk. So we won't do too much more with this, but if you want to be, let's say, an extreme investigator, especially if you're doing things like malware analysis or you're trying to write your own tools, most investigators have to look at this kind of level to be able to develop those kinds of tools. Okay, so that's hexadecimal viewing. I really recommend looking into it further.

So on this left-hand side, we have a lot of different options available. We have Views. For example, we might want to see, in this, Deleted Files. So File System or All: we have quite a few deleted files. And remember, this was probably mostly pulled out, partially, with The Sleuth Kit, because on the back end of Autopsy it's running Sleuth Kit libraries, but also from PhotoRec. Okay, so PhotoRec and The Sleuth Kit are pulling out these things. Here we have, let's see, Starbucks buttons. We have some PNG files. You might not be able to actually extract any data, because the data might not be there, right? So the entry, whatever the file system is, the entry might still be available in the file system. It might be retrievable from the file system, but the original data might not be available. Or the data might be available on the disk, but the entry is no longer available in the file system. That's also possible. So there are a lot of different possibilities. You might be able to see, for example, the file name but not get the data, or vice versa.
Okay, so here we have some PNGs that were apparently deleted or moved or whatever. If we do thumbnail view, it looks like we can recover some of the thumbnails. I'm not sure what... yeah, so we have a map here that could potentially be interesting. It's also called a DLL, so I'm not sure why this would be a DLL but show an image. And then something else that looks like Thailand, I think. Okay, so first off we have this table view that actually lists all of the data, right? So there are a lot of files on here. And then we have the thumbnail view that just shows potential images, but it doesn't show us everything. Okay, so we usually use the table view, and then the thumbnail view, obviously, if you want to look specifically for images.

So these are all deleted files. Like I said, we might not be able to get all of the data, and it tells us potentially where these were actually located. So here we have this IMG, this E01 file; you can probably think of it like the C drive. Okay, so we know that this is a Windows image already because it has Program Files (x86). Now, most likely this is a Windows image, because OS X and Linux do not have a Program Files folder, right? They store their data in a different structure. So we have this image, we have one of the volumes on the image, probably the C drive, we have Program Files (x86), and then in Java, Java runtime to Africa, all of that is the location that this particular file was in. Okay?

We can... yeah, okay, so let's get out of Deleted Files, because basically there was no data, there was only information. Okay, if we go into Results, Extracted Content, we can see Devices Attached. Now, this is a really interesting, I guess, point. Why do we care about the devices that are attached to the system? Now let's first look at the device model. Okay, so we have this root hub, root hub.
We have a keyboard, an optical wheel mouse, a hub, another keyboard, another keyboard. See if we see anything interesting: another keyboard, which may or may not actually be a keyboard, but it looks like it probably is. A couple of different mice, a couple of different keyboards. Yeah, so actually a lot of different keyboards and a lot of different mice were plugged into this. That's not necessarily... well, that already kind of tells us potentially something about whether this was, you know, a desktop or not. Or, yeah, I'm not sure. So you can also see that there's a date and time that these devices were attached.

Okay, so this is potentially very interesting, especially if we're looking for, for example, USB sticks. Maybe somebody was copying data onto a USB stick. If they were, we want to know: was a USB stick attached, and what was the device ID? So if we get the USB stick, then we can get its device ID and see if that USB stick was actually associated with this computer. Or, if we have the computer, we can say, okay, this product for D2 2 was connected. Let's go see if we can find it. What exactly is it? It might be a USB stick. I'm not really sure what this Primax Electronics thing is. Okay, and then we can also say, okay, this device was attached on 2011 1031, so Halloween, for some reason, relatively late at night in GMT. Okay, but remember the timestamp might be a little bit off. So, yeah, think about what devices... from this we can figure out what devices were actually attached and when the device was attached, and that can potentially tell us something about the user activities on the system.

Now the question is, for this week: where is this data coming from? Okay, and you see this source file. The source file has all of the information. So what is SYSTEM? SYSTEM is the Windows registry. Okay, SYSTEM is the Windows registry file. Let's see if it comes up. Yeah, okay, so SYSTEM is the Windows registry file, and it's located inside Windows\System32\config, and in this case RegBack.
It's pulling it from... and we have the SYSTEM file. We have SOFTWARE, we have SECURITY, SAM. All of these are Windows registry files, and the Windows registry is basically a database of all of the activities that happen in a Windows system. Digital forensic investigators, a lot of them don't really know a lot about the Windows registry, but the ones that learn about the registry... it's actually full of information relevant to user activities. So learning more about the Windows registry and what kind of content is there is very useful for investigations.

So it's coming from this single SYSTEM file, and this SYSTEM file contains a lot of information about the computer and the user who is using the computer. Right, so we were in Devices Attached. So SYSTEM: this is all coming from the Windows registry, specifically the SYSTEM hive. Okay, this tells us basically when and what the user was connecting to a computer, and it's a very good starting point if you think that somebody's been stealing data, or maybe somebody attached a USB stick and then installed a virus or something like that. Okay.

EXIF Metadata we've already talked about a little bit before. So these are all of the JPEG images that have EXIF metadata associated with them, or at least have the tag for EXIF metadata. If we load it...
It's obviously a JPEG image. We can see it in the viewer. If we look at the hex viewer, we have JFIF, and this basically tells us that it's a JPEG image. If we look at the hex view, this ff d8 ff e0 is a good indication that this is a JPEG image, basically this whole line here. And then we have Digital Vision, Getty Images. We have a lot of information that we can actually read: copyright, all of this information that we can read past JFIF. Past here, everything here basically is EXIF data. So we have description, we have signature, and then I think, I'm not sure, but I think the actual image starts around here. Yeah, I think so.

Okay, so basically inside the data, the beginning of the data is extra information, extra metadata; we call it metadata. Okay, and it's before the actual image data. But if we look at Media, you see that it doesn't affect the image at all. So it's all in there, but it doesn't affect the image. If we look at Indexed Text, this is the text that's been indexed by Autopsy. It's not very interesting because it's an image. If we have Results, this is just results about the file. If we say File Metadata, then we can see the times on the disk. So all of these JPEGs have some type of metadata, EXIF information, associated with them. This one specifically has the camera, so device model, device make: Nikon 7000, Nikon Corporation, right? So you can already tell, like, these are different than this one. So what exactly is this? If we go into Results here, EXIF... yeah, okay, so Results. I'm sorry, I missed the tab, Results. So if we click on the Results tab, we can see the EXIF metadata date created. Now this is the date created from EXIF metadata. If we go to File Metadata, notice this is 2011-113. This is 2011... created 2011-119. So the results inside metadata...
This was the time that the camera added the date. Okay, this is the time that the camera added the date, whereas file metadata is the time that it was created on the computer's file system. Okay, so metadata is very interesting to us, because there's metadata of the computer, the file system, and the file system basically keeps track of files itself, but there's also metadata inside some types of files. In this case it's called application metadata. Okay, so this date created is different than the date created on the disk. So this is basically the first time that the computer saw this image, 2011-119. This is the time that the image was actually taken, 2011-113. Okay. Yeah, and then Nikon Corporation D700, so we know that we're looking for a D700 Nikon, and we know that this image was taken at, you know, 113 2011, and we know that these people were together at that particular time, assuming that that time is actually correct. Okay, so metadata can tell us a lot of things. Most of these other ones don't have any interesting metadata. I think, yeah, just date created. That's pretty much it.

Okay, so next, after EXIF Metadata, Extension Mismatch Detection. Remember, we looked at it before. So a lot of times you'll have... yeah, so here we have zip files, but they're raw compressed, and that could just be because the application that created them was probably, maybe, WinRAR or something like that, but it has the extension .zip. So these look to me like false positives, but I'm not necessarily sure. We would basically extract each of these, so we could extract them. If we click on one we're not sure about, if we right-click on it, we can extract files and save the file outside.

Now this is another important point. If we extract the file, so I'm gonna extract it, just for example's sake, I'm gonna save it to the desktop, okay? So I've saved this file to my desktop. Now I have... where do I go now?
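The JPEG layout described above (JFIF and EXIF segments sitting in front of the image data, with the camera's own date separate from the file-system date) can be walked by hand. This is an added example, not code from the video or from Autopsy; the JPEG it parses is constructed inline with made-up EXIF values, and the file-system creation time is an assumed input.

```python
import struct
from datetime import datetime

# IFD0 tags that answer "which camera, and when did its clock say" (ASCII-typed)
IFD0_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime"}
MARKERS = {0xE0: "APP0", 0xE1: "APP1", 0xDB: "DQT", 0xC0: "SOF0", 0xC4: "DHT", 0xDA: "SOS"}


def build_sample_jpeg():
    """Constructed minimal JPEG: SOI, APP0/JFIF, APP1/Exif, SOS, EOI (no decodable pixels)."""
    app0 = b"JFIF\x00" + bytes([1, 1, 0]) + struct.pack(">HHBB", 72, 72, 0, 0)
    app0 = b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
    # Little-endian TIFF header, IFD0 with three ASCII entries, then the strings they point at
    strings = [b"Nikon Corporation\x00", b"NIKON D700\x00", b"2011:01:13 10:22:33\x00"]
    entries, blob, off = b"", b"", 8 + 2 + 12 * len(strings) + 4
    for tag, s in zip(IFD0_TAGS, strings):
        entries += struct.pack("<HHII", tag, 2, len(s), off)
        blob += s
        off += len(s)
    tiff = (b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", len(strings))
            + entries + struct.pack("<I", 0) + blob)
    app1 = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34"
    return b"\xff\xd8" + app0 + app1 + sos + b"\xff\xd9"


def is_jpeg(data):
    """Signature check: FF D8 FF followed by an APPn marker (FF E0 for JFIF, FF E1 for Exif)."""
    return data[:3] == b"\xff\xd8\xff" and 0xE0 <= data[3] <= 0xEF


def walk_segments(data):
    """Return (name, offset, total_length) per marker segment, stopping at SOS: image data follows."""
    segments, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset 0x%x" % pos)
        code = data[pos + 1]
        if code == 0xD9:  # EOI has no length field
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        name = MARKERS.get(code, "0x%02X" % code)
        if code == 0xE0 and data[pos + 4:pos + 9] == b"JFIF\x00":
            name = "APP0/JFIF"
        elif code == 0xE1 and data[pos + 4:pos + 10] == b"Exif\x00\x00":
            name = "APP1/Exif"
        segments.append((name, pos, length + 2))
        if code == 0xDA:
            break
        pos += 2 + length
    return segments


def parse_exif_ifd0(data):
    """Pull Make/Model/DateTime out of the APP1 segment's IFD0 (application metadata)."""
    for name, off, _ in walk_segments(data):
        if name == "APP1/Exif":
            tiff = data[off + 10:]  # skip marker, length field and "Exif\0\0"
            break
    else:
        return {}
    endian = "<" if tiff[:2] == b"II" else ">"
    ifd = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd:ifd + 2])[0]
    result = {}
    for i in range(count):
        e = ifd + 2 + 12 * i
        tag, typ, n, val = struct.unpack(endian + "HHII", tiff[e:e + 12])
        if tag in IFD0_TAGS and typ == 2:
            raw = tiff[val:val + n] if n > 4 else tiff[e + 8:e + 8 + n]  # >4 bytes: value is an offset
            result[IFD0_TAGS[tag]] = raw.rstrip(b"\x00").decode("ascii")
    return result


def days_between_capture_and_fs(exif, fs_created):
    """Camera clock (EXIF DateTime) versus file-system creation time, given as 'YYYY-MM-DD HH:MM:SS'."""
    taken = datetime.strptime(exif["DateTime"], "%Y:%m:%d %H:%M:%S")
    return (datetime.strptime(fs_created, "%Y-%m-%d %H:%M:%S") - taken).days


if __name__ == "__main__":
    jpg = build_sample_jpeg()
    print("JPEG signature:", is_jpeg(jpg))
    for seg in walk_segments(jpg):
        print("%-10s offset=0x%04x len=%d" % seg)
    exif = parse_exif_ifd0(jpg)
    print(exif, "| days until the file system first saw it:",
          days_between_capture_and_fs(exif, "2011-01-19 12:00:00"))
```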
I have this zip file on my desktop. This zip file is from a suspect system. So if I double-click on the zip file and open it up, then if there's a virus in this file, my forensic workstation is now compromised, probably compromised, right? So we don't extract files and open them up directly. You should use, you know, a protected system, maybe a virtual machine or something like that, and open up the file in the virtual machine. I think if we double-click on it, we can actually go into the file. So let's say these are actually in the LiveUpdate. Yeah, so it looks like ProgramData, Symantec, LiveUpdate, Downloads. So this looks like it's probably a Symantec, maybe an antivirus, download. Let's try to open it up. Yeah, so we can actually open up the zip file inside Autopsy and then see what's inside of it. Do not extract something and try to open it up. If you do extractions and you try to open them, make sure you're opening any files inside a protected... maybe a virtual machine, or just make sure you're protecting your forensic workstation in some way. Do not execute code from the suspect's computer.

Okay, so Extension Mismatch Detection, going down, we have a text/html. It looks like an HTML file, but it has a JavaScript extension. Probably not a big problem. So we have what look to be a lot of, probably, false positives. A false positive is: it looks like it's something, but it's actually not. So it looks like there are a lot of false positives here. What we're most likely interested in are... well, I'd maybe be interested in those. Why is that? So we'd be interested in something like, you know, images, videos. Possibly some of this stuff I would go and look at, but a lot of it looks like it's probably not a big deal. Okay, so extension mismatch, basically...
This is just a filter that tells us: hey, these files are potentially suspicious; now you go through and look at them. Depending on what type of case we were looking at, I might go through each of those just to make sure, but, you know, in this case maybe not. Okay, Installed Programs. So, yeah, okay, so extension mismatch: where is this data actually coming from? And the source file is actually just files on the computer, so it's coming from the file system itself. We scanned the entire file system.

Installed Programs: where is this coming from? Well, again, just like before with the devices attached, with the SYSTEM registry hive, here we have the SOFTWARE registry hive. So we're using the same program. I believe it's RegRipper. I think they're using RegRipper to parse out the Windows registry, and this is the SOFTWARE hive. This is also the Windows registry, to extract all of the different programs that are installed on this computer. Okay, so this is interesting, because we want to know, you know, what types of programs were installed on this computer. We could go through and just open up the disk, so let's say volume 4, open up the disk, and then go into Program Files, and then go through and look here. But this might not tell us everything. Maybe somebody installed something in a different directory. So this SOFTWARE hive tells us everything that's been installed. Now, there could be some programs on the computer that aren't installed but you can still run, but this gives us a good idea of everything that's already installed in the system. So this can tell us a lot about the user and the type of user that we're dealing with.

Operating System Information: where is this data coming from? Well, the SYSTEM registry hive and the SOFTWARE registry hive. So here we have the name of the computer, the domain. So now we have nps.edu. Okay, that might be interesting. We have the version, which is Windows NT.
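The extension mismatch filter above is a signature-versus-name comparison, and you can see why it produces false positives by building one. This is an added example, not the video's or Autopsy's code: the signature table is an assumed subset, and the sample files (a PNG stored under a .dll name, HTML under a .js name) are constructed to mirror the kinds of hits discussed above.

```python
# Magic-byte signatures and the extensions they legitimately appear under (assumed table)
SIGNATURES = [
    (b"\xff\xd8\xff", "image/jpeg", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "image/png", {"png"}),
    (b"PK\x03\x04", "application/zip", {"zip", "jar", "docx", "xlsx"}),
    (b"MZ", "application/x-msdownload", {"exe", "dll", "sys"}),
]
# A mismatch on media or executables is worth a look; text/html under .js usually is not
HIGH_INTEREST = {"image/jpeg", "image/png", "application/x-msdownload"}


def sniff(data):
    """Classify by leading bytes; HTML is recognised by its first tag after whitespace."""
    for magic, mime, _ in SIGNATURES:
        if data.startswith(magic):
            return mime
    head = data.lstrip().lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return "text/html"
    return "application/octet-stream"  # unknown: the filter cannot judge it


def expected_extensions(mime):
    for _, m, exts in SIGNATURES:
        if m == mime:
            return exts
    return {"html", "htm"} if mime == "text/html" else None


def check_mismatch(name, data):
    """Return (name, detected_mime, mismatch, interest) for one file."""
    mime = sniff(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    allowed = expected_extensions(mime)
    mismatch = allowed is not None and ext not in allowed
    interest = "high" if mismatch and mime in HIGH_INTEREST else ("low" if mismatch else "none")
    return (name, mime, mismatch, interest)


# Constructed sample files standing in for what the filter flagged on the image
SAMPLE_FILES = {
    "map.dll": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,                  # image stored under a DLL name
    "loader.js": b"  <!DOCTYPE html><html><body>hi</body></html>",   # text/html with a .js extension
    "Downloads/update.zip": b"PK\x03\x04" + b"\x00" * 26,           # real zip: no mismatch
    "notes.txt": b"just some text",                                  # unknown type: not judged
}


def scan(files):
    """Run the check over a name -> bytes mapping, as the module does over every file."""
    return [check_mismatch(n, d) for n, d in files.items()]


if __name__ == "__main__":
    for row in scan(SAMPLE_FILES):
        print("%-22s %-26s mismatch=%-5s interest=%s" % row)
```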
So we know that it's, you know, I think it's Windows XP or above, or Windows 2000 and above, I should say. Processor architecture AMD64, so we know it's probably not a Windows XP system; it's probably newer than that. System root, so the temporary files directory is SystemRoot\Temp. Okay, that could be interesting. Data source: yeah, the disk image that we're processing. Program name: Windows 7 Professional. Okay, so now we know that we're dealing with a Windows 7 computer. Date and time, I believe, of install was... that is 11 6 10. Okay, 2011 6 10. Yeah, and then the path. The path is C drive, Windows. So we know that whatever the C drive was, we have the system folders in Windows. This is the system drive. Product ID, okay, and owner ITAC 3, whoever that is. We could look that up. And organization is NPS. So now we have some information about the user or the organization that this computer should belong to, or where it came from. We also know that it's a Windows 7 computer, and we know a little bit about what to expect from the system itself. Okay, so this is all coming from, again, the Windows registry.

Operating System User... yeah, Operating System and User Accounts. We have a couple here. index.dat: this is associated with, basically, Internet Explorer. Or, yeah, Internet Explorer. So index.dat is associated with Internet Explorer. So they've parsed out Internet Explorer. They found barangy, local admin. I'm not sure, looks like some Google MT1, I'm not sure, and then local admin, and then RM admin, and Cona. Or basically these are websites, I think, that got put in there, but I think the username... so username, maybe there's a username in this string somewhere, but basically the usernames are Barangy and local admin, RM admin. Yeah, that looks right.
Okay, so this is coming from Internet Explorer information in index.dat. If we double-click on it, then it shows us this index.dat is in the History.IE5 folder. So I won't go through this entire listing, but basically Users, this Barangy user, right, inside AppData\Local\Microsoft\Windows, all the way down into History.IE5, it shows us index.dat. Okay. I'm gonna go back.

Okay, then next is some information coming from SOFTWARE. So this is the Windows registry, and this is really the one you should trust, because SOFTWARE contains the user accounts on the system. Yeah, okay, so then we have a system profile. That's a default one. Local Service, default. Network Service, default. Test, non-default. RM admin, non-default. Local admin, I believe, is also not default, and then Barangy is also not default. So we can see the user IDs, we can see their user names that have been on the system, and their path, the path to their profile. So at their profile there's also a registry hive called NTUSER related to that user's activities. Okay, so here we know now all of the user names in the system. I'm kind of wondering why these user names are in the system, but we would have to investigate that. Why are these user names in there? So this is coming from the SOFTWARE registry hive, and we have more from index.dat: barangy, RM admin. Okay, so RM admin and local admin and barangy look like they were doing something. SOFTWARE looks the same. Network Service is default. Yeah, so it looks like we basically have the same user names. We know a little bit about them, and the path for those users.

Close this up. Next, Recent Documents. This is coming from a lot of different places. Basically recent documents, yeah, just when was something last run: date and time, data source for when things were run. We had DOD.txt. We have DOD.lnk. The date and time for the link was relatively recent.
Okay, so if we click on a link, the timestamp for that link gets updated, and that's why it's showing this. Okay, so we have a bunch of different links that were created. Where were these created? Let's see, DOD.lnk. Yeah, so inside this Microsoft\Windows\Recent. So in the Recent folder a link is created whenever we open up a file. So if I open up DOD.txt, this DOD.lnk would be automatically created inside the Recent folder. Now you can clear it out, but they obviously didn't. Where is this connecting to? Well, this allele Reckon birds DOD.txt. Okay, looks like it's a... yeah, a network share. So this computer has been connecting to some share, some network that has shared information with this computer. Okay, so there are some interesting things here. These are all shares, basically. So we might be looking at going back and trying to acquire a server or something like that. Okay, Recent Documents, so these are coming from a lot of different places, but mostly those Recent folders, but there's more. Basically, they can come from web bookmarks.

Web Bookmarks: this one's coming from, probably, Mozilla Firefox, right? So SQLite, I think, is coming from Firefox. Yeah, Mozilla Firefox profiles. So from Mozilla Firefox you have this database, and SQLite is a small database, and it gets all of the recent activities out of this database. Okay, so they were going to BBC. They were trying to go to local addresses, more BBC, Microsoft. Now these are coming from, probably, links inside recently accessed, so Favorites. Okay, these are the Favorites. So we can see the user's favorites. We can see more from Mozilla, BBC. Yeah, okay, so this basically goes through each of these. So these URLs, if we click on any one of these that we're interested in, we can see, okay, this is coming from Users, barangy, Favorites, Links, Website Gallery, Website Gallery.
Okay, so this is coming basically from links, the Favorites links, which may be default or they may have added. places.sqlite is coming from AppData\Roaming\Mozilla\Firefox\Profiles, right? So just be aware of where this data is actually coming from and what it is telling you. Well, in this case it's telling you where they visited, but also the date that they visited it. Okay.

Web Cookies, very similar. Cookies basically help to save information. So cookies are used to save information about users from sites. They're very useful, because if we can get cookies we can potentially get things like passwords or locations or when people were accessing things. So, yeah, cookies are interesting. So here we have a bunch of cookies from SQLite. That's also the Firefox profile. All of these are from Firefox; this one's from Internet Explorer. So Internet Explorer and Firefox were used, and it looks like it's one from admin, RM admin, Barangy, local admin. So we can go through and we can see all of the different people that have been going to different sites, what cookies have been set for them. Now, cookies can be set for a particular domain even if you don't go there. If you go to a website that maybe has advertisements from some domain, they can set cookies as well. So where are these things coming from? Well, one's coming from the AppData folder, one's coming from the Firefox SQL database again.

Web Downloads: downloads.sqlite. This is also coming from Firefox. We can see that, looks like, Adobe Flash Player was downloaded and installed in the Barangy account. So Barangy is probably the main user, and then maybe other accounts were created to do something else. I'm not sure. Okay, Web History. Yeah, sorry, this was Web Bookmarks, not Web History.
So all of these were coming from bookmarks in Firefox and Internet Explorer. Web History is the actual browser history, basically coming from the same locations. It's gonna be an SQLite database as well as web history inside the Windows registry, as well as, yeah, so places.sqlite. That's going to be Firefox again, located in the user's directory. index.dat is Internet Explorer, all of the different locations they've gone to. See if we can see anything else. Yeah, so basically everything is coming out from places.sqlite, which is Firefox, in the user's application directory, or index.dat. So not a lot more information.

Web Searches: we can also potentially see what searches have taken place. Here we have places.sqlite. This is coming from Firefox. We have hotmail, set up an Outlook hotmail, PGP. So if we see PGP, we know that they're interested in security. That's a security tool, so we might be looking for some type of encryption. KB245030: this is basically a knowledge base. We would have to look up what that actually is, but it's probably related to Dell support. Okay, so nothing else really looks too suspicious, I guess, inside Firefox. Let's look at index.dat. DoD warning banner, regedit home page. So somebody here, regedit home page: they know about regedit, which means they might know how to modify their Windows registry. Somebody was looking for Bangkok, "can't encrypt emails with PGP". So this might mean that they're trying to encrypt their emails. They might try to, you know, who knows what they're trying to encrypt, but we know we're probably having to deal with encryption, which means we might want to look for a PGP key. Samet Sun, they're searching for somebody.
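Web Bookmarks, Web History and Web Searches all come out of the same Firefox places.sqlite file, so here is how those three views are derived from it. This is an added example, not the video's or Autopsy's code: it builds an in-memory database with an assumed subset of the real places.sqlite schema (the columns used do exist in Firefox, but the rows and the search-engine parameter table are constructed).

```python
import sqlite3
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Query-string parameter that carries the search term for a few engines (assumed list)
SEARCH_PARAMS = {"www.google.com": "q", "www.bing.com": "q", "search.yahoo.com": "p"}


def prtime_to_utc(us):
    """Firefox stores PRTime: microseconds since the Unix epoch, in UTC (not local time)."""
    return datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def build_sample_places():
    """Constructed subset of places.sqlite, populated with made-up browsing rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                 visit_count INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
                                        place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
        CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER,
                                    parent INTEGER, title TEXT, dateAdded INTEGER);
    """)
    t0 = int(datetime(2011, 10, 31, 22, 15, 0, tzinfo=timezone.utc).timestamp() * 1_000_000)
    m = 1_000_000  # one second in PRTime units
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?)", [
        (1, "http://www.bbc.co.uk/news", "BBC News", 2, t0 + 600 * m),
        (2, "http://www.google.com/search?q=cannot+encrypt+emails+with+PGP&hl=en", "Google", 1, t0 + 60 * m),
        (3, "http://www.microsoft.com/", "Microsoft", 1, t0 + 3600 * m),
    ])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", [
        (1, 0, 1, t0, 1), (2, 0, 2, t0 + 60 * m, 1), (3, 2, 1, t0 + 600 * m, 5), (4, 0, 3, t0 + 3600 * m, 1),
    ])
    conn.execute("INSERT INTO moz_bookmarks VALUES (1, 1, 1, 2, 'BBC News', ?)", (t0,))
    conn.commit()
    return conn


def web_history(conn):
    """Every visit with its UTC timestamp, joined to the URL it landed on (oldest first)."""
    rows = conn.execute("""
        SELECT v.visit_date, p.url, p.title FROM moz_historyvisits v
        JOIN moz_places p ON p.id = v.place_id ORDER BY v.visit_date""").fetchall()
    return [(prtime_to_utc(d), url, title) for d, url, title in rows]


def web_searches(conn):
    """Search terms recovered from the query string of known search-engine URLs in the history."""
    found = []
    for when, url, _ in web_history(conn):
        parts = urlsplit(url)
        param = SEARCH_PARAMS.get(parts.netloc.lower())
        terms = parse_qs(parts.query).get(param) if param else None
        if terms:
            found.append((when, parts.netloc, terms[0]))
    return found


def web_bookmarks(conn):
    """Bookmark entries (type 1) resolved to their URL through the fk column."""
    rows = conn.execute("""
        SELECT b.dateAdded, b.title, p.url FROM moz_bookmarks b
        JOIN moz_places p ON p.id = b.fk WHERE b.type = 1""").fetchall()
    return [(prtime_to_utc(d), title, url) for d, title, url in rows]


if __name__ == "__main__":
    db = build_sample_places()
    for section, rows in (("history", web_history(db)), ("searches", web_searches(db)),
                          ("bookmarks", web_bookmarks(db))):
        print("==", section)
        for row in rows:
            print("  ", row)
```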
I'm not sure why. Searching for Bangkok, DNS flush. Potentially interesting. Again, more of the same. Yeah, okay, so we have a pretty good idea of what they were searching for now. We would have to do some research on what these different search terms are, because we don't know, but web search can tell us a lot about what the user was intending to do. Yeah, okay.

Email Addresses. Remember we were talking about search terms. So a lot of these look like email addresses, but they probably won't be. There are a lot of false positives usually in the emails, because we're looking for patterns, not for a specific email. Okay, so this tattoo motive to at 0 0 8 that the e possibly could be; security creeper dog, yeah, yeah, maybe not. So we would have to go through and actually look. This one, so Betty mellick Usma edu, that's probably a real one, right? So what file is that associated with? Well, this hiberfil. It looks like it's probably part of the Windows system itself. We would have to look into it more, but basically this gives you a really quick, let's say, overview, I guess, of emails. If you sort it by files with hits, then test deal at hotmail.com is the top hit. So the more hits you have, the more likely it is to be, obviously, an email. So all of these top ones look like real, yeah, probably a real email address, or maybe not a real email address, but at least a correct and used-multiple-times address. Okay.

See if we can find anything in Accounts. Now, we haven't set up anything in terms of interesting items. We didn't set any filters. Email Messages: see if there's a user. Yeah, so there's an Outlook PST. So the Outlook PST was parsed, which means that we can search; we can do keyword searches over basically every file. So exact match, let's say test_deal. Let's say I want to find test_deal. First I'll show you test_deal.
Okay, so if we click on test_deal, this is coming from Outlook PST, and that is in, if we double-click on it, that is in the Outlook folder inside Microsoft\Outlook, Outlook.pst. So that's the default location for Outlook. Click on it, test deal, and we can see the original headers as well as the message itself, which isn't apparent. That's the message ID. This is the message. It looks like an actual HTML document. So date received, date sent, we can see basically the entire email as well as a lot of other information about it. Okay, so let's imagine that we go down. I can see all of the communications. So test deal, actually we got a lot. So I'm gonna search for test_deal. Go up to this keyword search, and do I want to do an exact match for test_deal? Okay, we can do exact match, substring match, or regular expression. A regular expression is a pattern, basically. I can type it, hit search. Ah, yeah, so I need to actually do test_deal, and then instead of exact match, substring match, because it was test deal underscore something else, right? So instead of that I'm gonna search for test. So now it's searching through everything.

So this was just a quick overview of the different types of information you can get and where they're pulling all of this information from. So what I really would recommend that you do is open up Autopsy, get an image of maybe even a real computer, analyze your own disk. Just don't delete everything. So analyze, you know, a virtual machine or something like that, and see what kind of files you can get out, or what kind of information you can get out, and try to figure out where this information is coming from.
Basically, on all of these, if you just double-click anywhere (so I'm running the search now, so it's gonna take a while), if you just double-click anywhere, then it will take you directly to the folder that contains the file that you double-clicked on. Okay. So try to go through, and for the default settings, figure out where the data is coming from, what information can I get and where is it located, why is it located there? Okay, so for example, we have this config folder, and it also has Windows registry, but this RegBack folder also has Windows registry. So there are lots of different places we can get more information. So everything that you see here, there's still much, much more that we can dig out, and there are tools that can help us dig it out. But if you don't know where to look, you won't be able to find it. Okay, so that's an overview of Autopsy and where to find potential evidence from the basic modules. Thank you very much. If you liked this video, please subscribe for more.