Lab 5: AutopsyWinter 2023
This lab will introduce you to the Autopsy program, which you will use for dead analysis in project 5. You will be using Autopsy to analyze a provided disk image, without having to actually boot the operating system.
If you haven’t already, follow our Docker guide to learn how to set up Docker on your computer. You’ve probably already done this for previous labs and projects.
To get the code for this lab, create a repo using the GitHub template. Make sure to make this repo private. Clone the repo onto your system, then open it in VS Code. If you successfully set up Docker, you should be greeted with a pop-up in the bottom right asking you to reopen the directory in the development container; do so now! After some time taken to build the container, you should be greeted with the lab file in a directory and a terminal connected to the container (as shown in the Docker guide). If you’re having trouble at this point, please come to office hours or put up a post on Piazza describing in as much detail as possible what is going wrong—having a working Docker installation is essential for the course.
In dead analysis, the forensic investigator examines data artifacts from a target system without the system running. We will be conducting dead analysis with the Autopsy open-source forensics tool, which we ship as a Docker image. We have already performed the intensive disk image ingest process using the drive, and have provided an Autopsy case which has the analysis available to you to explore.
Running Autopsy in Docker
Download the Autopsy case: lab5-drive.tar.xz.
Place this file in the root of your lab directory (i.e. on the same level as
Decompress the case directory:
tar -xJf lab5-drive.tar.xz.
Make sure to decompress the case file in your host, rather than in the development container, as copying files into the development container appears to happen instantaneously but actually takes more time in the background, often causing issues related to decompressing the file while it is still being copied.
Open your project directory in VS Code, then reopen the directory in the development container. See the Docker guide for more information.
Once the container has booted, navigate to
http://localhost:3880in your web browser (or
vnc://localhost:3881in a VNC client). After clicking “OK” to the first pop-up, you may be greeted with an empty gray window for some time. It is loading behind the scenes; after a minute or so, you should see the Autopsy home screen pop up.
Select “Open Case”, then navigate to
After the case has been opened, the tree on the left gives you various ways of examining the data. Try expanding “Data Sources” to view the partitions and file system. You can also try running a keyword search using the button in the upper right corner of the window.
You will write all answers in one file (
submit.txt). The line number for each task’s responses is indicated in bolded brackets before each question.
 Locate the keyword search button in the top right corner. Search for a match for the substring “confidential”. What is the name of the .txt file that contains this substring in its text body? (Hint: You can sort the results by column.) Record the answer (including the ‘.txt’) on line 1 of
 Search for the .bash_history file and open up the text of the file. What is the fourth-to-last command that was used? Record the answer on line 2.
 Take a look at the directory tree on the left side of the screen. The Data Artifacts section contains information regarding the user’s web activity. What is the Text of the most recent web search? Record the answer on line 3.
 What is the Domain name of the most recent item in the user’s web history? Record the answer on line 4.
 Still within the directory tree, look at the files organized under File Types. What is the name of the most recently created jpg? (Hint: There is a ‘Change Visible Columns’ button right above the vertical scroll bar.) Record the answer (including the ‘.jpg’) on line 5.
Submit the following file to the Autograder by the deadline: