Analyzing a USB Image with Autopsy

The Sleuth Kit is “a collection of command line tools and a C library that allows you to analyze disk images and recover files from them.” (sleuthkit.org) Autopsy is the GUI frontend that runs on the TSK (The Sleuth Kit) backend. In a nutshell, Autopsy lets you carry out a digital forensics investigation on an image of a device rather than on the device itself.

When you start the program, you can create a new case. Cases are the individual investigations that you, or your organization, are working on. A case usually has a name, contact information for the investigators working on it, and a central location (the case directory) where the investigation files sit. Once you create a case, you can let Autopsy auto-generate the Host, choose the “Disk Image or VM File” data source type, provide the path to your USB image, and load it into Autopsy, which then begins ingesting and analyzing it. A practical check before this step: record a hash of the image file first, so you can show later that the evidence you analyzed is the evidence that was collected.

Now that the image file is loaded into Autopsy, you may start exploring it. You can look into each part of the USB image, including the FAT file system structures and unallocated space, and see the results as either text or hex. This is brilliant for finding data in parts of the USB drive that a normal file explorer does not show you. One example is deleted and orphan files. When a file is deleted on FAT, its directory entry is only marked as deleted, so the name, size, starting cluster and timestamps remain on disk; Autopsy lists such entries in place and flags them as deleted. Orphan files are entries that still exist on disk but can no longer be reached from any directory (for example because the parent directory itself was deleted); Autopsy finds them during ingest and groups them under a virtual $OrphanFiles folder. A practical case where this helps is a suspect who deletes files but goes no further to hide their traces. Autopsy will locate the remnants of those files and still let you view them, with one caveat: the contents are only readable while the clusters have not been reused for something else. Once they are overwritten, only the name, size and timestamps in the entry survive.

A common method of anti-forensics is steganography. This is where you hide data within data, such as hiding text inside an image file. Because Autopsy has a hex viewer, you can look through the hex or the extracted text of a file for information hidden in it, for example data appended after the end of a JPEG, which an image viewer ignores but a hex view shows. Note that proper steganography, such as altering the least significant bits of pixel values, is not visible in a hex dump; detecting it needs dedicated tools or a comparison against a known-good original. Autopsy can also be configured to use the Google or Bing translation services to translate extracted text, which helps when the evidence is in a language the examiner does not read, as it may be when investigating nation-state activity.

Autopsy’s Application tab will display a file in what appears to be its native state. For example, if you find a JPEG file on the USB drive, you can view the picture as is, instead of only analyzing hex. It will also display videos and HTML files. You can also view the file’s file system metadata (timestamps, size, hashes) easily, which is very useful for establishing when a file was written or accessed.

When I loaded a peer’s USB drive image into Autopsy, I went exploring into the file structure. I found images, which I could view as the image and as hex. The headers in the text results allowed me to verify it was a JPEG file. Additionally, I found an MP3 file that I could actually play on my machine! Listening to a jazz song while analyzing a device image isn’t a bad combination.
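The two checks the previous paragraphs rely on, verifying a file's type from its header rather than its extension and finding data hidden after a JPEG's end-of-image marker, look like this in Python. This is an added example, not code from the page or from Autopsy; the signature table is a small constructed subset, and the minimal JPEG bytes and the appended message are constructed for the demo.

```python
import re
import struct

# Magic bytes for the file types this page mentions (a constructed subset, not Autopsy's table).
SIGNATURES = {
    "jpeg": (b"\xFF\xD8\xFF",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "mp3": (b"ID3", b"\xFF\xFB", b"\xFF\xF3", b"\xFF\xF2"),
}
EXTENSIONS = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif", "mp3": "mp3"}


def identify(data):
    """Return the type whose signature matches the file's first bytes, or None."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def extension_mismatch(filename, data):
    """True when the extension claims a type the header does not support (a classic hiding trick)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXTENSIONS.get(ext)
    return claimed is not None and identify(data) != claimed


def jpeg_end_offset(data):
    """Walk the JPEG marker segments and return the offset just past EOI (FF D9), or None."""
    if not data.startswith(b"\xFF\xD8"):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None                           # lost sync: malformed file
        marker = data[pos + 1]
        if marker == 0xD9:
            return pos + 2                        # EOI: nothing after this is image data
        if marker == 0xFF:
            pos += 1                              # fill byte
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                              # TEM / RSTn carry no length field
            continue
        if pos + 4 > len(data):
            return None
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + seg_len
        if marker == 0xDA:                        # SOS: skip entropy-coded data to the next marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                         # FF 00 is byte stuffing, FF D0-D7 are restarts
                pos += 1
    return None


def jpeg_trailing_data(data):
    """Bytes appended after the JPEG's EOI marker; a viewer ignores them, a hex view shows them."""
    end = jpeg_end_offset(data)
    return b"" if end is None else data[end:]


def printable_strings(data, min_len=4):
    """Equivalent of a `strings` pass: runs of printable ASCII at least min_len long."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


# Constructed minimal JPEG: SOI, APP0/JFIF, one SOS with a few entropy bytes, EOI.
SAMPLE_JPEG = (
    b"\xFF\xD8"
    + b"\xFF\xE0\x00\x10" + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xFF\xDA\x00\x08" + b"\x01\x01\x00\x00\x3F\x00"
    + b"\xAB\xCD\xFF\x00\xEF\x12"
    + b"\xFF\xD9"
)
HIDDEN_NOTE = b"meet at the dock at 0300"         # constructed payload appended after EOI
SAMPLE_WITH_PAYLOAD = SAMPLE_JPEG + HIDDEN_NOTE

if __name__ == "__main__":
    print("type:", identify(SAMPLE_WITH_PAYLOAD))
    print("song.mp3 mismatch:", extension_mismatch("song.mp3", SAMPLE_WITH_PAYLOAD))
    print("after EOI:", jpeg_trailing_data(SAMPLE_WITH_PAYLOAD))
    print("strings:", printable_strings(SAMPLE_WITH_PAYLOAD))
```

The marker walk matters: searching for the last FF D9 would be fooled by a payload that itself contains those two bytes, and searching for the first one can stop inside an embedded EXIF thumbnail, so the only reliable end-of-image is the EOI reached by following the segment lengths.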

One last thing I will touch on: when you explore the file system, you can view the modification, access and creation times of each file. During an investigation these may matter for attribution. If you know that a crime occurred during a particular time window, the files written or accessed in that window narrow down what the device was used for at the time. Be careful with the inference, though. The timestamps tie activity to the device, not to a person; FAT stores them as local time with no time zone, at 2-second resolution for the write time and date-only for the access stamp; and they are easy to alter. Corroborate them with other evidence before tying an event to a suspect.
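To make the deleted-file point from earlier and the timestamp point above concrete, here is an added example (not code from the page or from The Sleuth Kit) that parses raw FAT directory entries the way a forensic tool has to. It shows why a deleted file is still listable: its entry keeps the size, starting cluster and timestamps and loses only the first name character (rendered as `_`, following TSK's display convention), and it decodes the packed DOS timestamps, which carry no time zone, have 2-second resolution and keep only a date for access. The directory cluster bytes are constructed inline for the demo.

```python
import struct
from datetime import datetime

# One 32-byte FAT directory entry, little-endian, per the FAT specification:
# name(11) attr ntres crt_tenth crt_time crt_date acc_date clus_hi wrt_time wrt_date clus_lo size
ENTRY_FMT = "<11sBBBHHHHHHHI"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # 32
ATTR_LONG_NAME = 0x0F
ATTR_DIRECTORY = 0x10
DELETED_MARK = 0xE5                        # deletion overwrites only this first name byte


def dos_datetime(date, time=0):
    """Decode FAT's packed date/time: epoch 1980, 2-second resolution, local time, no zone."""
    if date == 0:
        return None                        # never set
    year, month, day = 1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F
    hour, minute, second = time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)


def parse_directory(raw):
    """Return every 8.3 entry in a raw directory cluster, deleted ones included."""
    entries = []
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        chunk = raw[off:off + ENTRY_SIZE]
        if chunk[0] == 0x00:
            break                          # end of directory: nothing was ever allocated past here
        if chunk[11] == ATTR_LONG_NAME:
            continue                       # VFAT long-name fragment; its 8.3 entry follows
        (name, attr, _, _, crt_time, crt_date, acc_date, clus_hi,
         wrt_time, wrt_date, clus_lo, size) = struct.unpack(ENTRY_FMT, chunk)
        deleted = name[0] == DELETED_MARK
        base = name[:8].decode("ascii", "replace").rstrip()
        ext = name[8:].decode("ascii", "replace").rstrip()
        if deleted:
            base = "_" + base[1:]          # the first character is gone; TSK shows it as "_"
        entries.append({
            "name": base + ("." + ext if ext else ""),
            "deleted": deleted,
            "directory": bool(attr & ATTR_DIRECTORY),
            "size": size,
            "first_cluster": (clus_hi << 16) | clus_lo,
            "created": dos_datetime(crt_date, crt_time),
            "written": dos_datetime(wrt_date, wrt_time),
            "accessed": dos_datetime(acc_date),       # date only: FAT keeps no access time
        })
    return entries


def deleted_entries(entries):
    return [e for e in entries if e["deleted"]]


def timeline(entries):
    """mactime-style view: (timestamp, event, name), oldest first, unset stamps skipped."""
    events = [(e[k], k, e["name"]) for e in entries
              for k in ("created", "written", "accessed") if e[k] is not None]
    return sorted(events)


def pack_entry(name8, ext3, attr, size, cluster, written, accessed, deleted=False):
    """Build a constructed entry for the sample below (not bytes from a real image)."""
    raw_name = name8.ljust(8).encode() + ext3.ljust(3).encode()
    if deleted:
        raw_name = bytes([DELETED_MARK]) + raw_name[1:]
    wdate = ((written.year - 1980) << 9) | (written.month << 5) | written.day
    wtime = (written.hour << 11) | (written.minute << 5) | (written.second // 2)
    adate = ((accessed.year - 1980) << 9) | (accessed.month << 5) | accessed.day
    return struct.pack(ENTRY_FMT, raw_name, attr, 0, 0, wtime, wdate, adate,
                       cluster >> 16, wtime, wdate, cluster & 0xFFFF, size)


# Constructed root-directory cluster: one live file, one deleted file, one folder, then free space.
SAMPLE_DIR = (
    pack_entry("REPORT", "TXT", 0x20, 1204, 3, datetime(2022, 2, 5, 14, 30), datetime(2022, 2, 5))
    + pack_entry("SECRET", "JPG", 0x20, 48213, 4, datetime(2022, 2, 5, 9, 12), datetime(2022, 2, 5),
                 deleted=True)
    + pack_entry("PHOTOS", "", ATTR_DIRECTORY, 0, 7, datetime(2022, 1, 30, 18, 2), datetime(2022, 1, 30))
    + b"\x00" * ENTRY_SIZE
)

if __name__ == "__main__":
    found = parse_directory(SAMPLE_DIR)
    for e in deleted_entries(found):
        print("deleted:", e["name"], e["size"], "bytes from cluster", e["first_cluster"])
    for stamp, event, name in timeline(found):
        print(stamp, event, name)
```

Note what the deleted entry still tells you even if cluster 4 has since been reused: the original extension, the size, and when the file was last written, which is exactly the information the last paragraph relies on for narrowing a time window.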

References

Open Source Digital Forensics. The Sleuth Kit (TSK) & Autopsy: Open Source Digital Forensics Tools. (n.d.). Retrieved February 5, 2022, from https://www.sleuthkit.org/