🧪 Analysis of Data Source Using Autopsy – Autopsy Forensic Tool

🎯 Main Idea

Once a disk image is loaded, Autopsy automatically begins analyzing it using a series of modules, and the results are displayed in a clean graphical interface.

🔄 Key Terminology in Autopsy

Term	Description
Data Source	The original digital image being analyzed (e.g., disk clone or image).
File Views	Different ways to explore files inside the image.
Ingest Results	Results generated by automatic analysis when the data source is added.
Tags	Labels added by the investigator to mark important files or content.
Timeline	A chronological view of system events.

🧱 Analysis Structure in Autopsy

1. Importing Data Source (Original Image)

You import a disk image (.E01 or .img) as the starting point.
You can browse the content as if navigating a live system.
Filtering options include:
Extension
File Header
File Size

2. Ingest Results

Autopsy automatically analyzes the image and extracts:

📂 Recovered Files (File Carving)

Extracts files even if deleted or corrupted.
Includes images, documents, system files.
Some files may appear with size "0" → indicates failed recovery.

Example:

Autopsy recovered 3 images using File Carving and showed them under the Images tab.

♻️ Deleted / Recycle Bin Items

Identifies files deleted from Recycle Bin.
Shows deletion/modification timestamps.

🛑 How to Identify Deleted Files?

Deleted files often begin with an underscore _.
This is due to how file systems (e.g., NTFS) mark deleted files.

🧠 DF Tip:

When a file is deleted in Windows, its first character is replaced with _, but its data remains until overwritten.

📧 Email and Keyword Extraction

Autopsy can extract:

Email addresses from scripts, configs, or logs (e.g., inside netcat or SQL scripts).
Keywords that appear in context.

Example:

Two email addresses were extracted from a netcat-related SQL script, appearing in a help message from the developer.

🖼️ Image and Video Analysis

1. Image/Video Analysis

Found under a dedicated tab.
You can:
Browse recovered media.
Identify if it's user-generated or system-generated.

2. Geo-location Metadata

If images include GPS metadata, Autopsy displays the geographic data.

🗓️ Timeline Analysis

One of the most powerful features in Autopsy.

✅ Why Is It Important?

Understanding the sequence of events helps determine:

When a website was visited.
When a tool was executed.
When a file was deleted.

🧠 Timeline Analysis Examples

Date	Event
2011	File named "cat" was created — later marked as deleted.
2023	Tools were modified; Recycle Bin accessed.

🔍 All extracted events are shown as Time Points.\ 📌 Always set the correct time zone for accurate results.

🔁 Discovery Tool – Advanced Search

To re-analyze a file group (e.g., images, videos, logs), use the Discovery tab to filter and review results.

📊 Generating Final Report

After analysis is complete:

📋 Steps to Generate a Report

Go to Generate Report.
Choose:
Report type: HTML, Excel.
Report name (e.g., "Draft_Analysis").
What to include:
- Tags only,
- Custom results,
- or All analysis results.
Report is saved under /Reports inside the case folder.

🔎 The report includes:

Original file paths
Extracted keywords
Images and media
Tags
Timestamps

🧠 Pro Tips for Using Autopsy

💡	Tip
⏱️	Use the Timeline to understand event sequences.
🔍	Always start with Ingest Results for a high-level overview.
🧹	Filter files by type or size to save time.
🗑️	Review zero-byte files — they may be corrupted evidence.
🏷️	Use Tags and notes to organize your findings.