Disk Analysis with Autopsy

Disk Forensics

  • Process of extracting forensic information from storage media such as HDDs, USB drives, firmware, etc.

  • In order to forensically analyze a disk, you need to create a forensic image of the drive

  • A forensic image is an exact digital copy of a physical drive and the data contained in it

  • A forensic image can be created with various tools, such as

    • FTK Imager

    • EnCase Imager

  • Forensic imaging tools do not change or modify any data. This is accomplished with the use of bitstream
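
Added example, not part of the original notes: a minimal bitstream acquisition in Python that opens the source read-only, copies it byte for byte, and checks the image against the hash taken during acquisition. The SHA-256 verification step, the function names and the constructed sample "drive" bytes are assumptions for illustration; real acquisitions use a write blocker and an imaging tool such as those listed above.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large images never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def bitstream_image(source, image, chunk=1 << 20):
    """Copy every byte of source into image; return (size, sha256 of what was read)."""
    digest, total = hashlib.sha256(), 0
    # "rb" never writes to the source; "xb" refuses to overwrite an existing image.
    with open(source, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            dst.write(block)
            digest.update(block)
            total += len(block)
    return total, digest.hexdigest()

def verify_image(image, acquisition_hash):
    """Re-hash the image; any later change to it makes this return False."""
    return sha256_file(image) == acquisition_hash

def demo():
    # Constructed sample "drive": live data, empty space, and bytes left by a deleted file.
    sample = b"ALLOCATED-FILE" + b"\x00" * 4096 + b"deleted-file-remnant" + b"\x00" * 512
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "sample_drive.bin")
        img = os.path.join(tmp, "sample_drive.dd")
        with open(src, "wb") as f:
            f.write(sample)
        size, acq_hash = bitstream_image(src, img, chunk=512)
        intact = verify_image(img, acq_hash)
        with open(img, "rb") as f:
            remnant_kept = b"deleted-file-remnant" in f.read()
        with open(img, "r+b") as f:  # simulate a one-byte modification of the image
            f.seek(100)
            f.write(b"\x01")
        return size == len(sample), intact, remnant_kept, not verify_image(img, acq_hash)

if __name__ == "__main__":
    print(demo())
```

Because the copy works on raw bytes rather than on files, the remnant of the deleted file in the sample ends up in the image, which is what lets an analysis tool recover deleted data later.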


Autopsy

  • Free and open-source digital forensics tool used to perform forensic analysis on disk images

  • Used to extract important information like

    • Deleted Files

    • Email Messages

    • Browser History and Cookies

    • Installed Programs

    • File Metadata

  • Used by law enforcement agencies (LEAs) worldwide to analyze and extract evidence from hard drives and other storage media used in crimes