WEBVTT

0:00:02.700000 --> 0:00:08.060000
In this video, we will see how easy it is to generate a report using Autopsy.

0:00:08.060000 --> 0:00:11.720000
Autopsy is a toolkit that analyzes your forensic image and provides you

0:00:11.720000 --> 0:00:14.900000
with results you can investigate, allowing you to see what happened on

0:00:14.900000 --> 0:00:18.560000
a machine. We will do three types of reports.

0:00:18.560000 --> 0:00:21.300000
The first is a generic report for everything.

0:00:21.300000 --> 0:00:24.480000
To generate this type of report, all we need to do is click the Generate

0:00:24.480000 --> 0:00:28.760000
Report button. We have several features available to us.

0:00:28.760000 --> 0:00:35.740000
For instance, we have HTML, Excel, Tagged Hashes, and Files - Text features.

0:00:35.740000 --> 0:00:39.840000
We also have the Google Earth KML file format, which can be used for Google

0:00:39.840000 --> 0:00:47.180000
Earth views. We also have STIX, which is for threat information expression.

0:00:47.180000 --> 0:00:51.640000
And lastly, we have the TSK body file, which is an intermediate file before

0:00:51.640000 --> 0:00:53.280000
a complete timeline.

0:00:53.280000 --> 0:00:55.600000
We will come back to this one later.

0:00:55.600000 --> 0:01:00.340000
Let's go ahead now and generate an HTML report.

0:01:00.340000 --> 0:01:04.460000
Here we have the option to toggle between all results and tagged results.

0:01:04.460000 --> 0:01:08.840000
Currently, I don't have specific tags, so I'll select all results.

0:01:08.840000 --> 0:01:11.840000
Now, let's click the Finish button.

0:01:11.840000 --> 0:01:15.920000
It will now generate a report for everything that it's analyzed, and it

0:01:15.920000 --> 0:01:17.920000
will store it in this location.

0:01:17.920000 --> 0:01:21.600000
We will see how to find the location of this file.
0:01:21.600000 --> 0:01:25.440000
It's not very hard, because for every case created, there will be a directory

0:01:25.440000 --> 0:01:27.680000
within it called Reports.

0:01:27.680000 --> 0:01:30.980000
In that directory, you will see all of your reports.

0:01:30.980000 --> 0:01:34.640000
It may take a bit of time to generate the report.

0:01:34.640000 --> 0:01:37.680000
It depends on the speed of your machine, plus the size of your forensic

0:01:37.680000 --> 0:01:43.000000
image. We'll wait for it to complete, as it shouldn't take that much longer.

0:01:43.000000 --> 0:01:48.200000
And now it's done.

0:01:48.200000 --> 0:01:53.120000
Let's go ahead and close this and find our report.

0:01:53.120000 --> 0:02:02.760000
Here, we have the Reports directory, and if you extracted any files, they

0:02:02.760000 --> 0:02:04.800000
would be in the Export directory.

0:02:04.800000 --> 0:02:08.800000
In the ModuleOutput folder, we can see the output for the module that

0:02:08.800000 --> 0:02:15.880000
was running. Now, let's go to this directory, as well as the HTML report,

0:02:15.880000 --> 0:02:18.160000
and open index.html.

0:02:18.160000 --> 0:02:25.480000
We're now presented with the Autopsy Forensic Report, which was generated

0:02:25.480000 --> 0:02:28.260000
on 1 December 2017.

0:02:28.260000 --> 0:02:33.160000
This may not be your final digital forensics report, but it could be an

0:02:33.160000 --> 0:02:35.740000
addendum to your digital forensics report.

0:02:35.740000 --> 0:02:38.120000
It depends on how you will use it.

0:02:38.120000 --> 0:02:42.300000
Looking at the report, we see the case, the case number, the examiner,

0:02:42.300000 --> 0:02:45.700000
and the number of files, which is the number of images.

0:02:45.700000 --> 0:02:49.440000
Below, we see the time zone, as well as the path where the file is located,

0:02:49.440000 --> 0:02:52.660000
and here, we have the Autopsy icon.
0:02:52.660000 --> 0:02:56.140000
Looking at the report navigation on the left, the first option we have

0:02:56.140000 --> 0:02:59.200000
is the case summary, which is currently up.

0:02:59.200000 --> 0:03:04.300000
Next is Devices Attached, which provides all the device attachment details.

0:03:04.300000 --> 0:03:07.300000
Here, we have Extension Mismatch Detected.

0:03:07.300000 --> 0:03:11.100000
We have a total of 11 for this report, and to the right, we can see the

0:03:11.100000 --> 0:03:15.220000
associated details of each, as well as where they can be found.

0:03:15.220000 --> 0:03:19.840000
Next up is Keyword Hits, which shows us what keywords were applied.

0:03:19.840000 --> 0:03:22.580000
And here we have Operating System Information.

0:03:22.580000 --> 0:03:25.560000
Just a quick callout: all the results that are found here, we will be

0:03:25.560000 --> 0:03:27.480000
able to find them in the reports.

0:03:27.480000 --> 0:03:33.480000
So, this is a useful report that you can add to your investigation.

0:03:33.480000 --> 0:03:37.180000
One of the great things about Autopsy is the ability to specify the type

0:03:37.180000 --> 0:03:40.860000
of evidence you want to acquire and add to the report.

0:03:40.860000 --> 0:03:44.420000
As an example, let's say that this case involves a company which

0:03:44.420000 --> 0:03:48.120000
does not allow a user or an employee to install a web server.

0:03:48.120000 --> 0:03:52.140000
So, this here might be something suspicious and is evidence.

0:03:52.140000 --> 0:03:55.760000
We can right-click and select Tag Result, and then Quick Tag, and then

0:03:55.760000 --> 0:03:57.800000
add it as Evidence.

0:03:57.800000 --> 0:04:01.480000
A tag called Evidence will be created here, and when we click on it, we'll

0:04:01.480000 --> 0:04:04.100000
find our recently added evidence and result tags.

0:04:04.100000 --> 0:04:06.640000
Let's do another example.
0:04:06.640000 --> 0:04:09.700000
Let's look at web cookies and find one we can add a tag to.

0:04:09.700000 --> 0:04:12.640000
Let's add a tag to this one here.

0:04:12.640000 --> 0:04:17.520000
So, let's right-click, select Tag Result, and Quick Tag, but this time,

0:04:17.520000 --> 0:04:19.360000
let's select New Tag.

0:04:19.360000 --> 0:04:23.500000
In the Tag Name field, let's type "cookie".

0:04:23.500000 --> 0:04:27.060000
And here, we can see our new tag called cookie.

0:04:27.060000 --> 0:04:34.800000
Looking at the web history, let's say that we found these two to be suspicious.

0:04:34.800000 --> 0:04:38.620000
Now that they're both selected, let's select the Tag and Comment option.

0:04:38.620000 --> 0:04:45.200000
Here we have the option to select the tag or create a new tag name.

0:04:45.200000 --> 0:04:52.660000
Let's click the New Tag Name button and create a tag called "web stuff".

0:04:52.660000 --> 0:04:54.920000
Now, we can add a comment for it.

0:04:54.920000 --> 0:04:57.280000
Here I'll put "web attacking evidence".

0:04:57.280000 --> 0:05:06.340000
We can see that our web stuff tag was created and our evidence is within.

0:05:06.340000 --> 0:05:09.900000
There's a lot more information that we can go through and potentially

0:05:09.900000 --> 0:05:11.820000
add to our report.

0:05:11.820000 --> 0:05:21.600000
For now, we'll proceed with what we have.

0:05:21.600000 --> 0:05:24.940000
Let's go ahead and generate another report by clicking on the Generate

0:05:24.940000 --> 0:05:29.440000
Report button. We'll leave the Results - HTML option selected.

0:05:29.440000 --> 0:05:33.940000
This time, let's select Tagged Results, as well as Select All, and then

0:05:33.940000 --> 0:05:40.720000
click Finish. So, Autopsy is generating the report for us, and this time,

0:05:40.720000 --> 0:05:46.780000
the report will only include the tags.

0:05:46.780000 --> 0:05:51.080000
Now, let's go to the appropriate directory and open the index file.
0:05:51.080000 --> 0:05:58.380000
Here we can see that we have fewer results, and all of the case details

0:05:58.380000 --> 0:06:03.400000
are the same. Under Installed Programs, we have this.

0:06:03.400000 --> 0:06:06.800000
And this is what we have for tagged images.

0:06:06.800000 --> 0:06:11.120000
Here we have tagged results, and we can see the tag category of each,

0:06:11.120000 --> 0:06:14.500000
as well as any comments we added, which are helpful if an investigator

0:06:14.500000 --> 0:06:17.780000
reads your report, or when you pass a report to the final destination

0:06:17.780000 --> 0:06:20.320000
that will be reading it.

0:06:20.320000 --> 0:06:27.460000
Here we have web cookies, and lastly, web history.

0:06:27.460000 --> 0:06:29.780000
Let's do one final report.

0:06:29.780000 --> 0:06:31.620000
It will be for a body file.

0:06:31.620000 --> 0:06:34.960000
We'll use The Sleuth Kit to transfer it to a timeline format.

0:06:34.960000 --> 0:06:39.640000
Then, we'll use Eric Zimmerman's Timeline Explorer to open it again.

0:06:39.640000 --> 0:06:42.980000
So, let's go ahead and click on the Generate Report button, and select

0:06:42.980000 --> 0:06:47.440000
TSK Body File. This will be a report for everything, and Autopsy is now

0:06:47.440000 --> 0:06:49.480000
generating our report.

0:06:49.480000 --> 0:07:00.560000
Let's go ahead and close this, and find our report.

0:07:00.560000 --> 0:07:04.960000
Here we have the body file.

0:07:04.960000 --> 0:07:10.220000
I'm going to copy it to the desktop.

0:07:10.220000 --> 0:07:14.240000
When we open the body file, we can see that it is separated with the pipe.

0:07:14.240000 --> 0:07:17.880000
So, this is an intermediate file between the actions and the events that

0:07:17.880000 --> 0:07:20.520000
happened on the disk for a specific file.

0:07:20.520000 --> 0:07:25.080000
And this is before we transfer them to a timeline.

0:07:25.080000 --> 0:07:39.200000
So, let's take this file and go to Linux.
0:07:39.200000 --> 0:07:44.080000
Now, let's copy it from the desktop.

0:07:44.080000 --> 0:07:52.940000
This can easily be converted into a body file, using the mactime tool,

0:07:52.940000 --> 0:07:54.900000
which comes with The Sleuth Kit.

0:07:54.900000 --> 0:07:57.820000
We'll want to say that this is a body file, and we want to make it comma

0:07:57.820000 --> 0:07:59.420000
separated values.

0:07:59.420000 --> 0:08:05.300000
Before we do that, though, let me bring up the different fields.

0:08:05.300000 --> 0:08:10.960000
Okay, so we have mactime and then -b, which is for the body file.

0:08:10.960000 --> 0:08:14.120000
And then, let's type in bodyfile.txt.

0:08:14.120000 --> 0:08:21.380000
Next, we'll use -d, so that it opens in Timeline Explorer.

0:08:21.380000 --> 0:08:25.240000
And as you may recall, this case is using Pacific Standard Time, so I'll

0:08:25.240000 --> 0:08:29.200000
type in -z PST.

0:08:29.200000 --> 0:08:34.980000
Now, I'm going to say to store it in hackbox-tl.csv.

0:08:34.980000 --> 0:08:40.540000
mactime will now transfer this for us into CSV.

0:08:40.540000 --> 0:08:46.540000
When we open it, we'll see that it is comma separated.

0:08:46.540000 --> 0:08:53.760000
Now, let's copy it back to our machine, the desktop, so that we can open

0:08:53.760000 --> 0:09:01.880000
it in Eric's tool.

0:09:01.880000 --> 0:09:04.460000
Let's go ahead and open Timeline Explorer.

0:09:04.460000 --> 0:09:11.860000
Now, let's open the timeline we created.

0:09:11.860000 --> 0:09:19.860000
Our timeline is now displayed in Timeline Explorer, and we can use this

0:09:19.860000 --> 0:09:37.100000
tool to analyze it.

0:09:37.100000 --> 0:09:39.340000
We can use this tool to filter our timeline.

0:09:39.340000 --> 0:09:45.980000
We can even save a session if we wanted to come back later, so we don't

0:09:45.980000 --> 0:09:48.020000
have to load and analyze it again.

0:09:48.020000 --> 0:09:50.300000
We can just pick up where we left off.
0:09:50.300000 --> 0:09:54.860000
And that's it for this video.

0:09:54.860000 --> 0:09:57.120000
In this video, we had a chance to generate, with this tool,

0:09:57.120000 --> 0:09:59.700000
three different reports using Autopsy.

0:09:59.700000 --> 0:10:03.360000
As I mentioned earlier, this does not have to be your final report.

0:10:03.360000 --> 0:10:07.020000
It can be an addendum to a report, but Autopsy really makes the generation

0:10:07.020000 --> 0:10:09.480000
of reports very easy for us.

0:10:09.480000 --> 0:10:15.580000
And this concludes our video lesson on creating a report in Autopsy.

0:10:15.580000 --> 0:10:16.340000
Thanks for joining us.
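The body-file-to-timeline step the video performs with `mactime -b bodyfile.txt -d -z PST` is worth seeing at the field level, because the pipe-separated body file is what the Autopsy "TSK Body File" report module emits and the CSV is what Timeline Explorer loads. The following is an added example and is not code from the video, from Autopsy or from The Sleuth Kit: a small Python converter that reads the TSK 3.x body format (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime) and writes the same eight columns mactime produces with `-d`, one row per distinct non-zero timestamp with the four-character MACB type column. The three body-file rows are constructed for the example and do not come from the video's image, and the `-z PST` setting is approximated by a fixed UTC-8 offset (mactime's own timezone database handling, including daylight saving, is not reproduced).

```python
"""Convert a Sleuth Kit body file into a mactime-style CSV timeline.

Added example, not code from the video or from Autopsy / The Sleuth Kit.
It mirrors what `mactime -b bodyfile.txt -d -z PST` does for the fields below,
so the intermediate body-file format is visible end to end.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# TSK 3.x body format, as written by Autopsy's "TSK Body File" report module.
# The last four fields are Unix epochs; 0 means "timestamp not set".
BODY_FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
               "atime", "mtime", "ctime", "crtime")
TIME_FIELDS = ("atime", "mtime", "ctime", "crtime")

# Column order of mactime's -d (comma-delimited) output.
CSV_HEADER = ("Date", "Size", "Type", "Mode", "UID", "GID", "Meta", "File Name")

# Assumption: -z PST modelled as a fixed UTC-8 offset (no DST handling).
PST = timezone(timedelta(hours=-8), "PST")

# Constructed sample body file (three rows); not taken from the video's image.
# Row 1: all four times identical -> one "macb" line.
# Row 2: m/c equal, a later, crtime unset -> two lines ("m.c." then ".a..").
# Row 3: all times zero -> no timeline lines at all.
SAMPLE_BODY = """\
0|/Program Files/Apache/httpd.exe|1234-128-1|r/rrwxrwxrwx|0|0|20480|1512144000|1512144000|1512144000|1512144000
0|/Users/bob/AppData/Local/Temp/cookie.txt|2048-128-3|r/rrwxrwxrwx|0|0|512|1512150000|1512147000|1512147000|0
0|/$OrphanFiles|9|d/drwxrwxrwx|0|0|0|0|0|0|0
"""


def parse_body_file(text):
    """Yield one dict per body-file row; blank lines are skipped.

    A row with the wrong field count is treated as an error rather than
    silently dropped, so a corrupted or truncated export is noticed.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        parts = raw.split("|")
        if len(parts) != len(BODY_FIELDS):
            raise ValueError(f"line {lineno}: expected {len(BODY_FIELDS)} fields, got {len(parts)}")
        yield dict(zip(BODY_FIELDS, parts))


def macb_flags(entry, ts):
    """Return mactime's four-character Type column for timestamp ts.

    Position 1..4 is m/a/c/b; a letter means that timestamp equals ts,
    a dot means it does not (e.g. 'macb', 'm.c.', '.a..').
    """
    return "".join(
        letter if int(entry[field]) == ts else "."
        for letter, field in (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime"))
    )


def body_to_timeline(text, tz=PST):
    """Return timeline rows (tuples in CSV_HEADER order) sorted by time, then name."""
    keyed = []
    for entry in parse_body_file(text):
        # One line per distinct timestamp value; zero epochs are unset and skipped.
        for ts in sorted({int(entry[f]) for f in TIME_FIELDS} - {0}):
            when = datetime.fromtimestamp(ts, tz).strftime("%a %b %d %Y %H:%M:%S")
            keyed.append((ts, (when, entry["size"], macb_flags(entry, ts), entry["mode"],
                               entry["uid"], entry["gid"], entry["inode"], entry["name"])))
    keyed.sort(key=lambda item: (item[0], item[1][-1]))
    return [row for _, row in keyed]


def timeline_csv(text, tz=PST):
    """Render the timeline as CSV text with mactime's header row."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(CSV_HEADER)
    writer.writerows(body_to_timeline(text, tz))
    return buf.getvalue()


if __name__ == "__main__":
    print(timeline_csv(SAMPLE_BODY), end="")
```

Running the block prints a header plus three rows: the web-server binary at 08:00 PST with type `macb`, then the cookie file twice, first as `m.c.` at 08:50 and then as `.a..` at 09:40; the all-zero orphan entry produces nothing, which is also how mactime treats unset timestamps. Splitting on `|` is exactly what mactime does, so a file name that itself contains a pipe breaks both tools the same way; the explicit field-count check makes that failure visible instead of shifting columns silently.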