WEBVTT

00:00:02.700 --> 00:00:07.540
In this video, we will introduce various features of the Autopsy toolkit,

00:00:07.540 --> 00:00:10.820
which is very useful when investigating digital crimes.

00:00:10.820 --> 00:00:14.300
Autopsy is one of the best tools because it's an open source toolkit and

00:00:14.300 --> 00:00:20.400
when compared to other tools like EnCase and FTK, it really does a good job.

00:00:20.400 --> 00:00:23.320
Let's go ahead and open Autopsy.

00:00:23.320 --> 00:00:26.880
In this video, we will use Autopsy to analyze a forensic image of a digital

00:00:26.880 --> 00:00:31.820
crime. During the video, I will also go through most of the features available

00:00:31.820 --> 00:00:36.140
in Autopsy, so you can use the toolkit later to solve labs and help you

00:00:36.140 --> 00:00:38.500
in your work to solve digital crimes.

00:00:38.500 --> 00:00:45.300
When we start the tool, we get this welcome message, which gives us the

00:00:45.300 --> 00:00:50.140
option to create a new case, open a recent case, or open an existing case.

00:00:50.140 --> 00:00:56.020
Let's select Create New Case so that we can see all the steps from the beginning.

00:00:56.020 --> 00:00:59.900
Here, we see the New Case Information window and it's prompting us to create

00:00:59.900 --> 00:01:03.980
a case name. As mentioned in the slides, we must give every case a name

00:01:03.980 --> 00:01:07.300
as it allows us to differentiate between cases.

00:01:07.300 --> 00:01:11.820
For this particular case, let's name it case 01.

00:01:11.820 --> 00:01:15.800
Next, we see the base directory, which allows us to select where we'd

00:01:15.800 --> 00:01:17.300
like to store the case.

00:01:17.300 --> 00:01:21.280
Let's click the Browse button and, for this case, let's select This PC.
00:01:21.280 --> 00:01:25.560
Then, the D drive and then create a directory here, which we'll call case

00:01:25.560 --> 00:01:39.220
analysis. Now, let's click the Next button.

00:01:39.220 --> 00:01:41.340
Here we need to enter a case number.

00:01:41.340 --> 00:01:45.080
Since this is the first case, let's type in 01.

00:01:45.080 --> 00:01:48.640
The next entry field is Examiner, and here we can enter our name as the

00:01:48.640 --> 00:01:50.940
examiner, who will be examining this case.

00:01:50.940 --> 00:01:55.540
I'll enter my name here and then click the Finish button.

00:01:55.540 --> 00:02:00.100
Autopsy is now creating a database so it will contain all of the results,

00:02:00.100 --> 00:02:02.700
and the analysis will be stored here.

00:02:02.700 --> 00:02:05.720
The speed of this process depends on the speed of your computer, as well

00:02:05.720 --> 00:02:08.780
as the size of the forensic image being analyzed.

00:02:08.780 --> 00:02:13.480
Here we have a couple of options that we can select.

00:02:13.480 --> 00:02:16.200
The first option is Disk Image or VM File.

00:02:16.200 --> 00:02:19.160
And this is the one that we'll be going through, meaning we'll be selecting

00:02:19.160 --> 00:02:21.540
a forensic image as our case.

00:02:21.540 --> 00:02:24.020
Next is Local Disk.

00:02:24.020 --> 00:02:27.480
If we have a local disk that we wanted to do live analysis on, we could

00:02:27.480 --> 00:02:29.560
select this option.

00:02:29.560 --> 00:02:33.520
The third option is Logical Files, and we would use this option if we have

00:02:33.520 --> 00:02:36.880
several logical files that we wanted to analyze.

00:02:36.880 --> 00:02:40.440
And the last option is Unallocated Space Image File.
00:02:40.440 --> 00:02:44.820
If we collected unallocated space from a suspect system, Autopsy has

00:02:44.820 --> 00:02:48.560
a feature that will allow us to load and analyze it.

00:02:48.560 --> 00:02:52.080
Let's go ahead and proceed with the Disk Image or VM File selection and

00:02:52.080 --> 00:02:53.880
click the Next button.

00:02:53.880 --> 00:02:59.960
Here we need to select and browse for the image file we're going to use,

00:02:59.960 --> 00:03:13.560
which is case 01.

00:03:13.560 --> 00:03:18.040
Next, we can select the time zone of where the image was acquired.

00:03:18.040 --> 00:03:35.780
If you don't know the time zone, it's best to select GMT-0.

00:03:35.780 --> 00:03:38.240
Here we have GMT-0.

00:03:38.240 --> 00:03:40.840
Let's go ahead and click the Next button.

00:03:40.840 --> 00:03:45.080
Here we have a new window, with several different features that we can

00:03:45.080 --> 00:03:48.820
select from, that will be applied during the analysis stage.

00:03:48.820 --> 00:03:51.840
Autopsy will use these selections to apply the appropriate plugins to

00:03:51.840 --> 00:03:53.820
perform the selected task.

00:03:53.820 --> 00:03:56.640
Let's go ahead and explore these features.

00:03:56.640 --> 00:04:00.500
The first option here is Recent Activity, which says the selected module

00:04:00.500 --> 00:04:05.260
has no per-run settings, meaning we don't need any settings to run it.

00:04:05.260 --> 00:04:09.320
This option will extract recent user activity, such as web browsing, recently

00:04:09.320 --> 00:04:13.500
used documents, and installed programs, and then analyze them.

00:04:13.500 --> 00:04:16.060
Let's look at the next option.

00:04:16.060 --> 00:04:19.120
Let's say that we found a file on another system, and we want to check

00:04:19.120 --> 00:04:26.140
out some hash files on our system, then we can select this module.
00:04:26.140 --> 00:04:29.320
Let's click the Global Settings button, and then the New Database button

00:04:29.320 --> 00:04:31.160
to create a hash database.

00:04:31.160 --> 00:04:34.680
Let's name it test, and set the type to Known.

00:04:34.680 --> 00:04:41.960
The database path must be entered, so let's store it here, and then click

00:04:41.960 --> 00:04:49.760
the OK button. Here we can add hashes to the database, and then index

00:04:49.760 --> 00:04:51.980
this database to be checked.

00:04:51.980 --> 00:04:56.000
While Autopsy is analyzing the forensic image, it will check every file's

00:04:56.000 --> 00:04:59.820
hash value to see if it matches the hash values in our databases.

00:04:59.820 --> 00:05:02.520
Let me provide an example.

00:05:02.520 --> 00:05:05.780
With the acquired hash value, we want to search for it on the suspect

00:05:05.780 --> 00:05:07.780
forensic images.

00:05:07.780 --> 00:05:12.640
What we will do is create a database, add the hash value to the database,

00:05:12.640 --> 00:05:15.560
and make sure that Autopsy indexes them.

00:05:15.560 --> 00:05:21.020
Then we can run Autopsy using these hash lookup values.

00:05:21.020 --> 00:05:24.660
This will check the forensic image for any file that has this hash value.

00:05:24.660 --> 00:05:28.660
If a value was found, that means that this file is a match, and is the

00:05:28.660 --> 00:05:31.880
same as the malware that we found on some of the other systems.

00:05:31.880 --> 00:05:36.360
We won't be doing this right now, we'll do it later, but I wanted to show

00:05:36.360 --> 00:05:40.380
you how. Let's also leave this unchecked so that Autopsy won't run this

00:05:40.380 --> 00:05:46.680
module.
If you have another file type that Autopsy hasn't already identified,

00:05:46.680 --> 00:05:50.620
and you want Autopsy to identify it, then you can add a custom MIME type

00:05:50.620 --> 00:05:52.800
to represent that.

00:05:52.800 --> 00:06:00.060
Here is Embedded File Extractor.

00:06:00.060 --> 00:06:07.020
This feature will extract embedded files, like DOC, DOCX, PPT, PPTX, and

00:06:07.020 --> 00:06:10.320
XLS to name a few.

00:06:10.320 --> 00:06:14.340
Exif Parser will extract metadata from JPEG files, like geographic tags

00:06:14.340 --> 00:06:19.720
from photos. The next option allows us to search for keywords in the forensic

00:06:19.720 --> 00:06:24.120
image. For example, we may be investigating a crime and have generated

00:06:24.120 --> 00:06:28.380
a list of words to search for and can add them here.

00:06:28.380 --> 00:06:33.220
Here, we can select various search options like IP addresses, phone numbers,

00:06:33.220 --> 00:06:34.760
and email addresses.

00:06:34.760 --> 00:06:40.100
This box is checked, as is URLs, so they will be extracted.

00:06:40.100 --> 00:06:45.120
If you suspect that this image has credit card numbers, you can select

00:06:45.120 --> 00:06:50.740
this option. If we go to Email Addresses and then select the Global Settings

00:06:50.740 --> 00:06:55.780
button, we can add information here, as well as update various settings.

00:06:55.780 --> 00:06:59.520
Like here, we can even select different languages that we could be using.

00:06:59.520 --> 00:07:03.100
Autopsy can identify several different languages other than English, so

00:07:03.100 --> 00:07:10.640
if you're investigating in another language, don't worry.

00:07:10.640 --> 00:07:14.440
Let's now select URLs and click the Global Settings button.

00:07:14.440 --> 00:07:16.640
This is where we can add URLs.
00:07:16.640 --> 00:07:21.440
Looking at the next module option, we see Email Parser, which will parse

00:07:21.440 --> 00:07:27.440
inboxes and PST and OST files, which are used by Outlook.

00:07:27.440 --> 00:07:34.080
Next is Extension Mismatch Detector.

00:07:34.080 --> 00:07:38.180
This checks the file's magic number or header, and then it

00:07:38.180 --> 00:07:41.820
checks its signatures to see if they match or not.

00:07:41.820 --> 00:07:46.160
For example, the header is saying that this is a portable executable file,

00:07:46.160 --> 00:07:49.020
but the extension says it's a TXT file.

00:07:49.020 --> 00:07:50.840
We have an extension mismatch.

00:07:50.840 --> 00:07:55.260
This is what Extension Mismatch Detector will do.

00:07:55.260 --> 00:08:00.640
The E01 Verifier can be used to validate the integrity of E01 images.

00:08:00.640 --> 00:08:05.460
We will not be using an E01 in this video, so we will not select this

00:08:05.460 --> 00:08:10.020
option. Next up is Interesting Files Identifier.

00:08:10.020 --> 00:08:12.800
Here we can add rules to find interesting files.

00:08:12.800 --> 00:08:17.060
PhotoRec Carver.

00:08:17.060 --> 00:08:20.940
Here we can see that PhotoRec is embedded into Autopsy, so we can run

00:08:20.940 --> 00:08:24.520
PhotoRec to carve files from the unallocated space that is found in

00:08:24.520 --> 00:08:29.800
this image. Correlation Engine saves properties to the central repository

00:08:29.800 --> 00:08:32.020
for later correlation.

00:08:32.020 --> 00:08:37.480
Virtual Machine Extractor extracts virtual machine files and adds them to

00:08:37.480 --> 00:08:39.300
a case as data sources.
00:08:39.300 --> 00:08:43.440
For example, if we know that the suspect is using a virtual machine, then

00:08:43.440 --> 00:08:46.680
we can select this option to extract the virtual machine from the forensic

00:08:46.680 --> 00:08:53.540
image. Finally, we have the Android Analyzer module, which extracts Android

00:08:53.540 --> 00:08:58.220
system and third-party application data, so we can even analyze Android

00:08:58.220 --> 00:08:59.860
stuff using Autopsy.

00:08:59.860 --> 00:09:03.880
We will not be using all of these modules and will stick to the ones that

00:09:03.880 --> 00:09:05.280
are already selected.

00:09:05.280 --> 00:09:08.000
Let's go ahead and click the Next button.

00:09:08.000 --> 00:09:13.220
Now, Autopsy will start the analysis.

00:09:13.220 --> 00:09:16.080
So, let's click the Finish button.

00:09:16.080 --> 00:09:24.240
Here we can see that Autopsy is analyzing the system, the forensic image.

00:09:24.240 --> 00:09:27.460
If we turn our attention to the left side of the window, we can see the

00:09:27.460 --> 00:09:31.540
data sources and that we have one case, which is an image type.

00:09:31.540 --> 00:09:36.540
Here we can see the size in bytes, and that the sector size is 512 bytes.

00:09:36.540 --> 00:09:40.200
We also see the time zone we have selected, and here we see the device

00:09:40.200 --> 00:09:43.880
ID, which is the volume serial number of this image.

00:09:43.880 --> 00:09:47.180
If we expand Data Sources, we can dig deeper.

00:09:47.180 --> 00:09:48.820
We now see the type of volumes.

00:09:48.820 --> 00:09:52.860
The first volume we see is for the unallocated space.

00:09:52.860 --> 00:09:55.920
Next is an NTFS volume.

00:09:55.920 --> 00:09:59.960
And this volume here is also an NTFS volume.

00:09:59.960 --> 00:10:03.280
The last volume is also another unallocated space.
00:10:03.280 --> 00:10:09.060
As you may recall, this volume is the system volume used by Windows.

00:10:09.060 --> 00:10:17.540
This volume here is also a system volume that's used by Windows.

00:10:17.540 --> 00:10:21.140
If we drill down into this volume, we can browse through the files where

00:10:21.140 --> 00:10:23.520
we can see file names and time stamps.

00:10:23.520 --> 00:10:28.520
We have the modified time, change time, access time, and created time.

00:10:28.520 --> 00:10:31.940
We also have the size and flags of the directory, which tells us if it's

00:10:31.940 --> 00:10:38.440
allocated or unallocated.

00:10:38.440 --> 00:10:43.200
We have a lot of useful data here, and we only browsed the directories.

00:10:43.200 --> 00:10:48.580
Let's go to Views and expand File Types.

00:10:48.580 --> 00:10:53.820
Here we can see that they're categorized.

00:10:53.820 --> 00:10:59.560
Within By Extension, it's categorized by images, videos, audio, and archives.

00:10:59.560 --> 00:11:03.320
Let's select Videos.

00:11:03.320 --> 00:11:06.360
To the right, we get a list of all the videos that have been found on

00:11:06.360 --> 00:11:09.100
this forensic image, regardless of their path.

00:11:09.100 --> 00:11:12.500
In the Location column, we can see where they are found.

00:11:12.500 --> 00:11:14.920
Now, let's expand Documents.

00:11:14.920 --> 00:11:18.180
Here we can see that it's categorized based on document type, making it

00:11:18.180 --> 00:11:22.160
very easy for us to analyze documents or find certain files on a system,

00:11:22.160 --> 00:11:32.900
like PDFs. Or, we can look for executable files, which are also categorized.

00:11:32.900 --> 00:11:36.880
There's even a By MIME Type category, but since we didn't run this

00:11:36.880 --> 00:11:40.980
module, we don't have anything in here.

00:11:40.980 --> 00:11:46.440
Next, let's expand Deleted Files.
00:11:46.440 --> 00:11:48.240
Here we can see deleted files.

00:11:48.240 --> 00:11:51.700
We can easily tell that a file is deleted by the icon, which is a white

00:11:51.700 --> 00:11:55.480
piece of paper with a red X mark.

00:11:55.480 --> 00:12:00.140
So if we click All, there are 4,103 deleted files.

00:12:00.140 --> 00:12:03.660
If we select a file, the details for this selection will appear in the

00:12:03.660 --> 00:12:17.860
window below. Within Views, we also have the option to see the views based

00:12:17.860 --> 00:12:23.620
on file size. We can search for files with sizes between 50 to 200 megabytes,

00:12:23.620 --> 00:12:29.320
200 megabytes to 1 gigabyte, and even files over 1 gigabyte in size.

00:12:29.320 --> 00:12:34.000
This particular file, pagefile.sys, is more than 1 gigabyte.

00:12:34.000 --> 00:12:37.220
If we scroll to the right, we can see its exact size.

00:12:37.220 --> 00:12:44.400
If we scroll down, under Results, we see Extracted Content.

00:12:44.400 --> 00:12:48.500
The first option will show us devices attached to the system, like USBs,

00:12:48.500 --> 00:12:50.660
devices, tablets.

00:12:50.660 --> 00:12:54.740
Next is Exif metadata.

00:12:54.740 --> 00:12:58.160
If we select an image, we can view the image and can see the details of

00:12:58.160 --> 00:13:02.540
its results, as well as the extracted metadata, like flags and creation

00:13:02.540 --> 00:13:21.860
times. We can see information on strings that have been embedded into

00:13:21.860 --> 00:13:27.400
this file. We can even find the hex representation.

00:13:27.400 --> 00:13:36.600
Now let's explore Installed Programs.

00:13:36.600 --> 00:13:39.440
This allows us to find what type of files or applications were installed

00:13:39.440 --> 00:13:44.520
on the system.
Here we can see that Adobe Flash Player 11 ActiveX, along

00:13:44.520 --> 00:13:47.540
with its version, was installed on the system.

00:13:47.540 --> 00:13:54.500
Beneath this, we can see that CCleaner version 4.04 was also installed.

00:13:54.500 --> 00:14:00.440
The next selection, under Extracted Content, is Operating System Information.

00:14:00.440 --> 00:14:03.660
This lets us know that we are dealing with Windows 7 Professional Service

00:14:03.660 --> 00:14:10.020
Pack 1. Looking in the window below, we see several pieces of information,

00:14:10.020 --> 00:14:15.220
like installation location, product ID, and owner.

00:14:15.220 --> 00:14:19.600
Next, we have Operating System User Account, which shows us the users

00:14:19.600 --> 00:14:21.220
found on the system.

00:14:21.220 --> 00:14:22.760
We can see the user name.

00:14:22.760 --> 00:14:25.020
Here we see a user name called Suspect.

00:14:25.020 --> 00:14:28.400
It's called Suspect for a reason, as this is a testing image that we are

00:14:28.400 --> 00:14:30.720
using to record this video.

00:14:30.720 --> 00:14:34.940
Actually, I'm using David Cohen's forensic image for this video.

00:14:34.940 --> 00:14:41.120
Here we have Recent Documents, which shows the recently accessed documents.

00:14:41.120 --> 00:14:44.420
Next up is Bookmarks.

00:14:44.420 --> 00:14:48.720
Here we see a list of bookmarks that are found in the forensic image.

00:14:48.720 --> 00:14:53.220
And web cookies can be found here.

00:14:53.220 --> 00:14:59.680
Lastly, here we can find web history and user activity in this tab.

00:14:59.680 --> 00:15:01.360
Autopsy is a great tool.

00:15:01.360 --> 00:15:04.640
It provides so much information.

00:15:04.640 --> 00:15:10.300
If we look at the bottom right, we can see that Autopsy hasn't even finished.

00:15:10.300 --> 00:15:14.860
It has only finished around 7% of the analysis.
00:15:14.860 --> 00:15:18.120
I have one more thing to show you, and then the video will be paused so

00:15:18.120 --> 00:15:19.940
the process has time to finish.

00:15:19.940 --> 00:15:26.900
We'll resume it once the analysis is complete.

00:15:26.900 --> 00:15:30.520
Let's go to Users and expand Suspect, so I can show you this final feature

00:15:30.520 --> 00:15:32.460
before we pause the video.

00:15:32.460 --> 00:15:48.220
Let's say we want to add a tag to one of these so we can come back to

00:15:48.220 --> 00:15:49.640
it later with just a click.

00:15:49.640 --> 00:15:53.140
Plus, doing this will be helpful, especially if we want to add this to

00:15:53.140 --> 00:15:58.440
a report later. To demonstrate this, let's select Pictures as there are

00:15:58.440 --> 00:16:04.360
files here. Now, let's right-click, select Tag File, and then Tag and

00:16:04.360 --> 00:16:09.680
Comment. In the Comment field, let's type in pictures and then click the

00:16:09.680 --> 00:16:17.000
OK button. Now, let's scroll down to Tags.

00:16:17.000 --> 00:16:19.560
Expand Bookmarks and click on File Tags.

00:16:19.560 --> 00:16:22.560
Here we can see a tag for pictures.

00:16:22.560 --> 00:16:25.160
Let's select and right-click it.

00:16:25.160 --> 00:16:28.900
Then choose View File in Directory, which will take us directly to its

00:16:28.900 --> 00:16:33.440
location. This is very useful when you're analyzing a disk and you suspect

00:16:33.440 --> 00:16:36.680
something interesting and want to add it, so it can be extracted later

00:16:36.680 --> 00:16:41.580
or added to a report.

00:16:41.580 --> 00:16:46.680
If we right-click this tag, we have an option to extract the file.

00:16:46.680 --> 00:16:50.220
If the tag is no longer needed or nothing of use was found, we can simply

00:16:50.220 --> 00:16:54.600
delete the tag.
The video will be paused now and will continue once the

00:16:54.600 --> 00:16:58.200
analysis is complete.

00:16:58.200 --> 00:17:01.160
Autopsy is finished analyzing the forensic image.

00:17:01.160 --> 00:17:05.260
To give you an idea of how long the analysis took, let's click on the

00:17:05.260 --> 00:17:07.780
Ingest Messages icon at the top left.

00:17:07.780 --> 00:17:11.580
Here, we can see when the investigation started and ended.

00:17:11.580 --> 00:17:15.220
So, it took about three hours to analyze this disk, but, as mentioned

00:17:15.220 --> 00:17:18.780
earlier, it depends on your computer specs and case size.

00:17:18.780 --> 00:17:23.720
If we have a big disk, then the analysis can take a long time.

00:17:23.720 --> 00:17:28.740
If it's not a big disk, then it won't take that long.

00:17:28.740 --> 00:17:35.000
Earlier, we had a chance to explore some options here on the left.

00:17:35.000 --> 00:17:40.000
If we look under Views at File Types and then By MIME Type, we can now

00:17:40.000 --> 00:17:42.320
see that it's categorized.

00:17:42.320 --> 00:17:49.180
Here, we see file types based on the application.

00:17:49.180 --> 00:17:53.460
Beneath that, we see audio and types of audio that we managed to find

00:17:53.460 --> 00:17:54.980
on this forensic image.

00:17:54.980 --> 00:18:04.880
We also see images and text messages.

00:18:04.880 --> 00:18:08.360
We now have files for web bookmarks and web cookies.

00:18:08.360 --> 00:18:11.420
Web cookies show us the cookies for all the websites that were visited,

00:18:11.420 --> 00:18:14.260
including their value and what program used them.

00:18:14.260 --> 00:18:23.900
Here, we see what domain it belongs to.

00:18:23.900 --> 00:18:30.480
And here, we see the user's web history and what websites the user was

00:18:30.480 --> 00:18:35.860
browsing. A bit further down, we have URLs.
00:18:35.860 --> 00:18:38.560
The system managed to extract all of the URLs.

00:18:38.560 --> 00:18:42.100
If we double-click it, it uses this regular expression to extract all

00:18:42.100 --> 00:18:47.140
of these URLs. So, these are all of the URLs found in this forensic image.

00:18:47.140 --> 00:19:00.040
It also provides a count of how many times the URL was found.

00:19:00.040 --> 00:19:05.180
We can even sort them.

00:19:05.180 --> 00:19:10.560
We can see that this URL was found 7,195 times within this forensic image.

00:19:10.560 --> 00:19:13.520
This gives us a great idea of the browsing history.

00:19:13.520 --> 00:19:19.220
For websites like this one here that contain w3.org, don't forget

00:19:19.220 --> 00:19:19.940
that it's related to the website.

00:19:19.940 --> 00:19:23.480
It's related to standards and you may find it in most websites you visit,

00:19:23.480 --> 00:19:26.940
so it may not be directly related to the investigation.

00:19:26.940 --> 00:19:32.060
Let's look at email addresses next.

00:19:32.060 --> 00:19:34.260
Here we see that they are also sorted out.

00:19:34.260 --> 00:19:53.040
We can also see how many times a particular email was used.

00:19:53.040 --> 00:20:04.880
So, for example, we see two here, meaning that it was found in two files.

00:20:04.880 --> 00:20:07.680
Here we see email messages.

00:20:07.680 --> 00:20:16.200
As we scroll up, let's quickly check the places we visited earlier.

00:20:16.200 --> 00:20:34.320
We can now see the total of files for these.

00:20:34.320 --> 00:20:36.500
Let's now do a keyword search.

00:20:36.500 --> 00:20:40.960
Here is an example of a search that I did during the analysis of the system.

00:20:40.960 --> 00:20:46.060
If we go to Single Literal Keyword Search and expand it, we will find

00:20:46.060 --> 00:20:50.320
that the keyword, verisine.com, was found in nine files.
00:20:50.320 --> 00:20:54.320
Let's try an example search and type in garden.

00:20:54.320 --> 00:20:57.140
It will now search the forensic image for files where the word garden

00:20:57.140 --> 00:21:12.460
is found. If we click on this file, it even highlights the word garden

00:21:12.460 --> 00:21:25.820
for us. The search found the word garden in 46 files.

00:21:25.820 --> 00:21:33.660
Again, if we click a file, it will highlight the word for us and show

00:21:33.660 --> 00:21:45.820
us where the word was found.

00:21:45.820 --> 00:21:48.200
Let's now look at Installed Programs.

00:21:48.200 --> 00:21:51.920
The count was at 16 before we paused the video, but after Autopsy finished

00:21:51.920 --> 00:21:56.860
the analysis, it was able to find new results, and the total is now 31.

00:21:56.860 --> 00:22:04.420
Also, if you're interested in a particular file and you want to extract

00:22:04.420 --> 00:22:06.960
it, you can simply select it and right-click it.

00:22:06.960 --> 00:22:10.160
This allows us to save the file where we can access it later for another

00:22:10.160 --> 00:22:14.420
analysis or use it with a different tool.

00:22:14.420 --> 00:22:25.300
Like with ntuser.dat, this can be used to analyze the user profile settings

00:22:25.300 --> 00:22:27.980
that are found here.

00:22:27.980 --> 00:22:31.360
Extraction is not limited to files.

00:22:31.360 --> 00:22:34.880
We can also extract a directory.

00:22:34.880 --> 00:22:39.060
As you can see, there are a lot of things we can do using Autopsy, like

00:22:39.060 --> 00:22:42.480
search for files based on categories, types, extensions, or whether they

00:22:42.480 --> 00:22:44.580
were deleted or not.

00:22:44.580 --> 00:22:55.860
We can also search based on size.
00:22:55.860 --> 00:22:59.540
Here we already have some extracted content based on what specific type

00:22:59.540 --> 00:23:03.720
they are, like an attached device or Exif metadata on an image.

00:23:03.720 --> 00:23:06.480
We can even look at recent documents.

00:23:06.480 --> 00:23:16.900
Before we conclude the video, I want to add two final points.

00:23:16.900 --> 00:23:21.040
If you ever want to stop analysis and work on it later, click on the Close

00:23:21.040 --> 00:23:24.840
Case button here, so it properly shuts down, so all the analysis that's

00:23:24.840 --> 00:23:28.440
been done will be stored in a container created by Autopsy.

00:23:28.440 --> 00:23:31.540
You can then come back later and begin working where you left off, so

00:23:31.540 --> 00:23:35.040
make sure you close the case, not exit it.

00:23:35.040 --> 00:23:39.000
Next, should you want to add another data source, like another disk image,

00:23:39.000 --> 00:23:40.080
to the same case,

00:23:40.080 --> 00:23:45.380
you can go to Case, then add other sources, select Disk Image or VM File,

00:23:45.380 --> 00:23:48.800
and proceed to add it.

00:23:48.800 --> 00:23:52.340
And this concludes our video lesson on working with Autopsy.

00:23:52.340 --> 00:23:53.260
Thank you for joining us.