Lab 5: Autopsy
Fall 2024

This lab will introduce you to the Autopsy program, which you will use for dead analysis in the forensics project. You will be using Autopsy to analyze a provided disk image, without having to actually boot the operating system.


Setup

If you haven’t already, follow our Docker guide to learn how to set up Docker on your computer. You’ve probably already done this for previous labs and projects.

To get the code for this lab, create a repo using the GitHub template. Make sure to make this repo private. Clone the repo onto your system, then open it in VS Code. If you successfully set up Docker, you should be greeted with a pop-up in the bottom right asking you to reopen the directory in the development container; do so now! After some time taken to build the container, you should be greeted with the lab file in a directory and a terminal connected to the container (as shown in the Docker guide). If you’re having trouble at this point, please come to office hours or put up a post on Ed Discussion describing in as much detail as possible what is going wrong—having a working Docker installation is essential for the course.

Dead Analysis

In dead analysis, the forensic investigator examines data artifacts from a target system without the system running. We will be conducting dead analysis with the Autopsy open-source forensics tool, which we ship as a Docker image. We have already run the resource-intensive disk image ingest on the drive and provide an Autopsy case containing the resulting analysis for you to explore.

Running Autopsy in Docker

  1. Download the Autopsy case: forensics-lab-case.tar.xz.

  2. Place this file in the root of your lab directory (i.e. on the same level as submit.txt).

  3. Decompress the case directory: tar -xJf forensics-lab-case.tar.xz.

    Make sure to decompress the case file on your host rather than in the development container: copying files into the development container appears to finish instantly, but the copy actually continues in the background, and decompressing the file while it is still being copied often causes problems.

  4. Open your project directory in VS Code, then reopen the directory in the development container. See the Docker guide for more information.

    The container may take longer to start than the containers from previous labs; this is expected.

  5. Once the container has booted, navigate to http://localhost:3235 in your web browser. After clicking “OK” to the first pop-up, you may be greeted with an empty gray window for some time. It is loading behind the scenes; after a minute or so, you should see the Autopsy home screen pop up.

  6. Select “Open Case”, then navigate to /workspaces/forensics-lab/forensics-lab-case and open forensics-lab-case.aut.

  7. After the case has been opened, the tree on the left gives you various ways of examining the data. Try expanding “Data Sources” to view the partitions and file system. You can also try running a keyword search using the button in the upper right corner of the window.


Tasks

You will write all answers in one file (submit.txt). The line number for each task’s responses is indicated in bolded brackets before each question.

[1] Locate the keyword search button in the top right corner. Search for a match for the substring “confidential”. What is the name of the .txt file within the user’s home directory that contains this substring in its text body? (Hint: You can sort the results by column.) Record the answer (including the ‘.txt’) on line 1 of submit.txt. 20 pts

[2] Search for the .bash_history file and open up the text of the file. What is the second-to-last command that was used? Record the answer on line 2. 20 pts

[3] Take a look at the directory tree on the left side of the screen. The Data Artifacts section contains information regarding the user’s web activity. What is the Text of the most recent web search? Record the answer on line 3. 20 pts

[4] What is the Domain name of the most recent item in the user’s web history? Record the answer on line 4. 20 pts

[5] Still within the directory tree, look at the files organized under File Types. What is the name of the most recently created jpg in the user’s home directory? (Hint: There is a ‘Change Visible Columns’ button right above the vertical scroll bar.) Record the answer (including the ‘.jpg’) on line 5. 20 pts
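An added illustration, not part of the lab or of Autopsy: tasks 1, 2 and 5 are questions a short script can answer once the user's home directory has been exported from the case, and writing them out shows what Autopsy's keyword search, file viewer and file-type listing are doing underneath. The script builds a constructed sample home directory (hypothetical names and contents) and uses modification time in place of the creation time Autopsy shows, since POSIX stat has no portable birth time:

```python
import os
import tempfile
from pathlib import Path

def build_sample_home() -> Path:
    """Create a constructed, hypothetical user home directory (not the lab image)."""
    home = Path(tempfile.mkdtemp()) / "home" / "user"
    (home / "Pictures").mkdir(parents=True)
    (home / "notes.txt").write_text("shopping list\nmilk, eggs\n")
    (home / "memo.txt").write_text("This memo is CONFIDENTIAL. Do not share.\n")
    (home / ".bash_history").write_text("ls\ncd Documents\ncat memo.txt\nexit\n")
    # Two images with different timestamps; st_mtime stands in for the
    # "Created" column Autopsy reads from file-system metadata.
    for name, when in (("vacation.jpg", 1_700_000_000), ("beach.jpg", 1_700_100_000)):
        img = home / "Pictures" / name
        img.write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg stub")
        os.utime(img, (when, when))
    return home

def txt_files_containing(home: Path, needle: str) -> list[str]:
    """Task 1 equivalent: .txt files whose body contains needle (case-insensitive)."""
    hits = []
    for path in sorted(home.rglob("*.txt")):
        if path.is_file() and needle.lower() in path.read_text(errors="ignore").lower():
            hits.append(path.name)
    return hits

def second_to_last_command(home: Path):
    """Task 2 equivalent: second-to-last non-empty line of .bash_history."""
    history = home / ".bash_history"
    if not history.is_file():
        return None
    lines = [ln for ln in history.read_text(errors="ignore").splitlines() if ln.strip()]
    return lines[-2] if len(lines) >= 2 else None

def newest_jpg(home: Path):
    """Task 5 equivalent: name of the most recent .jpg/.jpeg under home."""
    jpgs = [p for p in home.rglob("*") if p.suffix.lower() in (".jpg", ".jpeg")]
    if not jpgs:
        return None
    return max(jpgs, key=lambda p: p.stat().st_mtime).name

if __name__ == "__main__":
    sample = build_sample_home()
    print(txt_files_containing(sample, "confidential"))  # ['memo.txt']
    print(second_to_last_command(sample))                # cat memo.txt
    print(newest_jpg(sample))                             # beach.jpg
```

The scripted checks only confirm what the GUI shows; the Autopsy case remains the record you answer from, since its timestamps come from the image's file-system metadata rather than from a copy.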


Troubleshooting

Autopsy Freezing

Autopsy is a heavy and complex application, and components of it may freeze sometimes. If this happens, restart the container by closing your project directory in VS Code and reopening it.

You can also try to restart the Autopsy container directly, using the following steps:

For Docker Desktop (Windows and macOS)

  1. Navigate to the Containers tab, and find the container for this assignment (usually, it should be the only one running).
  2. For this container, click on the three dots under the Actions column.
  3. Click the Restart button.

For Linux hosts on Docker Engine

  1. In a terminal window, run docker ps to see all running containers. This assignment’s container is usually the only one running.
  2. Note the container ID of this container (first column of output).
  3. Run: docker restart <container ID>

Submission

Submit the following file to the Autograder by the deadline: Wednesday, November 20th at 11:59 PM

  • submit.txt