Lab 5: Autopsy
Fall 2022

This lab will introduce you to the Autopsy program, which you will use for dead analysis in project 5. You will be using Autopsy to analyze a provided disk image, without having to actually boot the operating system.

Setup

If you haven’t already, follow our Docker guide to learn how to set up Docker on your computer. You’ve probably already done this for previous labs and projects.

To get the code for this lab, create a repo using the GitHub template. Make sure to make this repo private. Clone the repo onto your system, then open it in VS Code. If you successfully set up Docker, you should be greeted with a pop-up in the bottom right asking you to reopen the directory in the development container; do so now! After some time taken to build the container, you should be greeted with the lab file in a directory and a terminal connected to the container (as shown in the Docker guide). If you’re having trouble at this point, please come to office hours or put up a post on Piazza describing in as much detail as possible what is going wrong—having a working Docker installation is essential for the course.

Disk Image

  1. Download the disk image file: lab5.vhd.xz

  2. Decompress the file (xz -d -v lab5.vhd.xz).
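Before handing a decompressed image to a forensic tool, it is worth confirming that the evidence container is intact. The following Python example is added here and is not part of the lab materials: it parses the 512-byte footer that every VHD file carries at its end (cookie, disk type, size, geometry, UUID) and recomputes the footer checksum, so a truncated or corrupted download is caught before a long Autopsy ingest. The sample footer it constructs is made up for the demonstration and is not taken from lab5.vhd.

```python
import struct
import uuid

# Layout of the 512-byte VHD footer (all fields big-endian) per the VHD specification.
FOOTER_FMT = ">8sIIQI4sI4sQQIII16sB427s"
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}


def vhd_checksum(footer: bytes) -> int:
    """One's complement of the byte sum over the footer with the checksum field (64:68) zeroed."""
    zeroed = footer[:64] + b"\x00\x00\x00\x00" + footer[68:]
    return (~sum(zeroed)) & 0xFFFFFFFF


def parse_vhd_footer(footer: bytes) -> dict:
    """Parse a VHD footer, check the cookie, and verify the stored checksum."""
    if len(footer) != 512:
        raise ValueError("VHD footer must be exactly 512 bytes")
    (cookie, _features, _version, data_offset, _timestamp, _creator_app, _creator_ver,
     _creator_os, _original_size, current_size, geometry, disk_type, checksum,
     unique_id, _saved_state, _reserved) = struct.unpack(FOOTER_FMT, footer)
    if cookie != b"conectix":
        raise ValueError("not a VHD footer: bad cookie %r" % cookie)
    # Geometry packs cylinders (2 bytes), heads (1 byte), sectors per track (1 byte).
    cylinders, heads, sectors = struct.unpack(">HBB", struct.pack(">I", geometry))
    return {
        "disk_type": DISK_TYPES.get(disk_type, "unknown"),
        "current_size": current_size,
        "geometry": (cylinders, heads, sectors),
        "uuid": str(uuid.UUID(bytes=unique_id)),
        "checksum_ok": checksum == vhd_checksum(footer),
        # Fixed images store all-ones here; dynamic/differencing images point at their header.
        "dynamic_header_offset": None if data_offset == 0xFFFFFFFFFFFFFFFF else data_offset,
    }


def build_sample_footer(size_bytes: int, disk_type: int) -> bytes:
    """Construct a footer with a valid checksum (constructed sample data, not from lab5.vhd)."""
    geometry = struct.unpack(">I", struct.pack(">HBB", 1024, 16, 63))[0]  # arbitrary CHS values
    body = struct.pack(FOOTER_FMT, b"conectix", 2, 0x00010000, 0xFFFFFFFFFFFFFFFF,
                       0, b"vpc ", 0x00050000, b"Wi2k", size_bytes, size_bytes,
                       geometry, disk_type, 0, b"\x11" * 16, 0, b"\x00" * 427)
    return body[:64] + struct.pack(">I", vhd_checksum(body)) + body[68:]


def footer_from_image(path: str) -> dict:
    """Read the trailing 512 bytes of an image file (e.g. lab5.vhd) and parse them."""
    with open(path, "rb") as fh:
        fh.seek(-512, 2)
        return parse_vhd_footer(fh.read(512))
```

A `checksum_ok` of False on the real image means the download or decompression did not complete cleanly and should be repeated before importing into Autopsy.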

Dead Analysis

In dead analysis, the forensic investigator examines data artifacts from a target system without the system running. We will be conducting dead analysis with the Autopsy open-source forensics tool, which we ship as a Docker image.

Running Autopsy in Docker

Autopsy requires considerably more resources to run than past tools in the course. If you are experiencing freezes or other instability on macOS, try increasing the number of CPU cores and/or the amount of RAM dedicated to the Docker VM in the “Resources” tab of Docker Desktop’s settings. (If you are on Windows and use WSL 2, this can be configured through WSL’s settings, though the default resource allocations in WSL 2 are higher, so this is unlikely to be necessary.)

  1. Open your project directory in VS Code, then reopen the directory in the development container. See the Docker guide for more information.

  2. Once the container has booted, navigate to http://localhost:3880 in your web browser (or vnc://localhost:3881 in a VNC client). After clicking “OK” to the first pop-up, you may be greeted with an empty gray window for some time. It is loading behind the scenes; after a minute or so, you should see the Autopsy home screen pop up.

  3. Create a new case under the /workspaces/lab5 directory. From the “Add Data Source” window, import the VHD disk image. In the file chooser, your project directory is available at /workspaces/lab5, the same path where you created the case.

  4. Deselect all the Ingest Modules except “Recent Activity”, “File Type Identification”, and “Keyword Search” for now; you can run whichever ones you want later from the Tools menu.

  5. After the disk image has been added, the tree on the left gives you various ways of examining the data. You can also try running a keyword search using the button in the upper right corner of the window.

During the initial import and ingest phases, closing the container may result in the case becoming corrupted. The initial import cannot be interrupted; plan for an uninterrupted block of time to allow this to complete. Ingest runs in the background after the disk image has been imported and takes much longer; while it is underway (you will see a progress bar in the bottom right), make sure to select “File > Close Case” before exiting the container. Head to “Tools > Run Ingest Modules > lab5.vhd” to restart this process when you return. If you receive an error about Autopsy being unable to open the case, you will need to redo the case creation process from step 3.

Tasks

You will write all answers in one file (submit.txt). The line number for each task’s responses is indicated in bolded brackets before each question.

[1] Locate the keyword search button in the top right corner. Search for a Substring Match for the substring “confidential”. What is the name of the .txt file that contains this substring? (Hint: You can sort the results by column.) Record the answer (including the ‘.txt’) on line 1 of submit.txt.

[2] Search for the .bash_history file and open up the text of the file. What is the fourth-to-last command that was used? Record the answer on line 2.

[3] Take a look at the directory tree on the left side of the screen. The Data Artifacts section contains information regarding the user’s web activity. What is the Text of the most recent web search? Record the answer on line 3.

[4] What is the Domain name of the most recent item in the user’s web history? Record the answer on line 4.

[5] Still within the directory tree, look at the files organized under File Types. What is the name of the most recently created jpg? (Hint: There is a ‘Change Visible Columns’ button right above the vertical scroll bar.) Record the answer (including the ‘.jpg’) on line 5.

Submission

Submit the following file to the Autograder by the deadline:

  • submit.txt