Hello world. This is a short writeup of Autopsy (GUI) on a Kali workstation.
Download Autopsy from → https://www.autopsy.com/download/ . Kali already ships the web-based Autopsy Forensic Browser (version 2.24) as the autopsy package, and that is the version used in this writeup; the download page above carries the newer standalone releases.
Run Autopsy as root. It needs to write to the evidence locker under /var/lib/autopsy and to read the disk images (or devices) you point it at.
On startup it prints program information: the version number (2.24), the path to the Evidence Locker folder (/var/lib/autopsy), and the address http://localhost:9999/autopsy to open in a web browser.
The Autopsy web browser
Open http://localhost:9999/autopsy in a browser and you land on the Autopsy home page. The tool runs its own small web server on the local machine, listening on port 9999.
If the port is somehow not free, first see what holds it (fuser 9999/tcp lists the PIDs), then run: fuser -k 9999/tcp . This kills every process listening on TCP port 9999, whatever it is, so check before killing.
Creating a new case
There are three options on the home page: ‘OPEN CASE’, ‘NEW CASE’, ‘HELP’
For a forensic investigation we need to create a new case and keep all the information and evidence organised under it. Select ‘NEW CASE’ and fill in the necessary details.
After filling in the details click New Case, then click Add Host.
Autopsy then shows where the case directory will be stored, i.e. /var/lib/autopsy/Diskimg_analysis/ (Diskimg_analysis being the case name chosen here), and where its configuration file will be stored, i.e. /var/lib/autopsy/Diskimg_analysis/case.aut
Adding the Host
After clicking Add Host, fill in the required details, then click ADD HOST.
Now we add an image of the system or drive we want to investigate. Analysis is never carried out on the original storage device: a bit-for-bit image is acquired (through a write blocker where possible), hashed, and all work is done on that copy, so the original stays unmodified as evidence.
Click Add Image File.
Provide the full path of the disk image, including its extension, and click NEXT.
Calculating the hash value
To show the integrity of the image file (that its contents have not been altered) we calculate its hash value. Recording the hash at the moment the image is added lets us prove later that the file has not been tampered with: any change to the image, however small, produces a different hash. Click ADD.
This shows the hash value of the evidence image file and links the image into the evidence locker. Click “OK” to continue.
Check the Image Integrity
This shows the name and the hash value of the file. Select ‘VALIDATE’.
It is validated: the same MD5 hashes are displayed at the bottom. The digest Autopsy shows here is MD5, which is enough to detect accidental or careless alteration but is known to be collision-prone, so it is good practice to record a SHA-256 digest of the image alongside it, outside the tool, at acquisition time.
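The hash and validate steps above are the GUI form of a loop worth being able to reproduce outside Autopsy, both when the image is acquired and whenever its integrity is questioned later. The shell functions below are an added example, not part of the original post and not Autopsy's own code: they acquire an image with dd, hash source and copy, record the digests with a timestamp, and re-verify an image against the MD5 string Autopsy displays (plus a SHA-256 recorded alongside it). They assume GNU coreutils (dd, md5sum, sha256sum) as shipped on Kali; the file and log names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original walkthrough or from Autopsy):
# acquire, hash, record and re-verify a disk image from the shell.
# Assumes GNU coreutils as on Kali; file and log names are placeholders.

# hash_image IMAGE -> prints "<md5> <sha256>" on one line
hash_image() {
    _img=$1
    _md5=$(md5sum -- "$_img" | cut -d' ' -f1)
    _sha=$(sha256sum -- "$_img" | cut -d' ' -f1)
    printf '%s %s\n' "$_md5" "$_sha"
}

# acquire_image SOURCE IMAGE -> bit-for-bit copy of a device (or file) into IMAGE.
# bs=512 with conv=noerror,sync keeps offsets intact when a sector fails to read:
# the unreadable sector is zero-filled instead of being dropped, so everything
# after it still lands at the right offset. A large block size would be faster
# but would zero-fill whole blocks on error; dc3dd/dcfldd do this with hashing built in.
# Returns 0 only if source and image hash identically (a clean read).
acquire_image() {
    _src=$1; _out=$2
    dd if="$_src" of="$_out" bs=512 conv=noerror,sync || return 1
    # second full read of the original: this is what proves the copy is exact
    [ "$(hash_image "$_src")" = "$(hash_image "$_out")" ]
}

# record_image_hash IMAGE LOGFILE -> append a timestamped acquisition record
record_image_hash() {
    _img=$1; _log=$2
    set -- $(hash_image "$_img")
    printf '%s  %s  md5=%s  sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$_img" "$1" "$2" >> "$_log"
}

# verify_image IMAGE EXPECTED_MD5 [EXPECTED_SHA256] -> 0 when every supplied digest matches
verify_image() {
    _img=$1
    # hashes copied from reports or other tools may be upper-case; normalise first
    _want_md5=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    _want_sha=$(printf '%s' "${3:-}" | tr 'A-F' 'a-f')
    set -- $(hash_image "$_img")
    if [ "$_want_md5" != "$1" ]; then
        echo "MD5 mismatch for $_img: expected $_want_md5, got $1" >&2
        return 1
    fi
    if [ -n "$_want_sha" ] && [ "$_want_sha" != "$2" ]; then
        echo "SHA-256 mismatch for $_img: expected $_want_sha, got $2" >&2
        return 1
    fi
    echo "OK: $_img"
}

# Typical use (placeholder paths):
#   acquire_image /dev/sdb /cases/Diskimg_analysis/evidence.dd
#   record_image_hash /cases/Diskimg_analysis/evidence.dd /cases/Diskimg_analysis/acquisition.log
#   verify_image /var/lib/autopsy/Diskimg_analysis/host1/images/evidence.dd <MD5 shown by Autopsy> <SHA-256 from the log>
```

Run verify_image against the MD5 string on Autopsy's Image Integrity page: a mismatch means the copy in the evidence locker has changed since it was hashed, not merely that the tool disagrees with itself. Note that acquire_image reads the original device twice (once to copy, once to hash), which is exactly why write blockers and hashing imagers are preferred on real cases.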
Next it asks which type of analysis to run. Select ‘FILE ANALYSIS’.
This lists all the files and directories inside the disk image. From here you can examine the contents of the target image and carry out the required investigation.
Deleted files
To see the deleted files in the disk image click “ALL DELETED FILES”. These entries appear because the file system still holds their metadata after deletion; whether the content itself can still be recovered depends on whether its blocks have since been reused.
Click “EXPAND DIRECTORIES” to view all the directories present.