Windows Investigation with Autopsy

100 Points

Overview

In this assignment you will:

Setup

This week we will be using Autopsy to perform some analysis of a Windows system. Autopsy 3, which we will be using, is only available on Windows, so you will need to install Autopsy on your host or on a Windows VM.

  1. Download Autopsy from www.sleuthkit.org
  2. Follow the prompts to install Autopsy on your machine.
  3. Create a Week7 folder in your cases directory.
  4. Download the following evidence files for the exercise and place them in your Week7 folder.

Instructions

Create a lab report that includes the answers and screenshots requested below. Be sure to number your responses and label them clearly. While you are finding answers to the questions below, make sure to tag the relevant items. There are two kinds of tags, Result tags and File tags; make sure to use the appropriate tag for the data you are interested in.

  1. Create a new case using Autopsy.
    1. Add the CBARROW evidence file to the case
    2. You can uncheck the following ingest modules: Android Analyzer, PhotoRec Carve, Process Unallocated Space
    3. On the Hash Lookup ingest module make sure to check the option to calculate MD5 hash values
    4. Once the options are configured add the evidence to the case and let Autopsy finish processing.
  2. Answer the following questions about the disk image:
    1. What version of Windows is this?
    2. What is the install date and time of the system?
    3. Who is the owner of the system?
    4. What human-usable user accounts exist?
    5. What version of WinZip is installed?
    6. Have any USB drives been used with this system? Provide a manufacturer if so.
  3. Create a new Hash Database under the Tools > Options menu.
    1. Click the Create Database button in the dialog.
    2. Name the hash set SuspiciousImages and save the database in your Week7 folder.
    3. The type should be Known Bad and check the box to send messages.
  4. In some cases you may receive hashes as part of some IoCs and you would add them directly to the case. Here we are going to build our own simulated IoC hashes by adding some hashes to our SuspiciousImages hash set.
    1. Using the tree pane on the left side of Autopsy expand the Data Sources item.
    2. Expand the tree to find the My Pictures folder of the user Clyde.
    3. Add all of the images with the yellow evidence banner into the SuspiciousImages hash set.
  5. Once you have built the complete hash set we are going to rerun the hash ingest module to determine if there are any other suspicious images.
    1. Locate the CBARROW.E01 item under the Data Sources item in the tree view.
    2. Right click the E01 and choose the Run ingest modules option.
    3. Here you can run or re-run any of the available modules. Uncheck all of the modules except for the Hash module.
    4. In the options for the Hash module make sure that your SuspiciousImages hash set is selected. Run the module.
    5. In the tree view locate the Hashset Hits item. There you will find sub-items for each hashset that you have hits for.
    6. Answer the following: Were any additional images found? If so, what were their filenames?
  6. Open the timeline viewer under the Tools menu and maximize it so it is full screen.
    1. Zoom in on the date October 29, 2002.
    2. At 3:00 o'clock there appears to be a significant amount of web activity. Zoom in to that activity and then switch to the Details view.
    3. Use the Screenshot button to capture an image of the timeline and include it in your report.
    4. Use the Filters panel at the left to show only Web Searches. List the unique phrases that were searched for.
  7. Generate an html report of the tags that you have created. Include this report with your submission.
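The questions in step 2 (Windows version, install date, owner, USB devices) are answered from values that Autopsy's Recent Activity module pulls out of the SOFTWARE and SYSTEM registry hives, and it helps to know what the raw values look like. The following is an added example, not part of the assignment and not Autopsy's code; every registry value and USBSTOR key name in it is constructed for illustration (the owner, dates and devices are hypothetical, not taken from the CBARROW image). It decodes the InstallDate REG_DWORD (seconds since the Unix epoch) and splits USBSTOR subkey names into vendor, product and revision.

```python
"""Added example (not part of the assignment or Autopsy): decoding the raw
registry values behind the Windows version, install date, owner and USB
questions. All values below are constructed, not from the CBARROW image."""
from datetime import datetime, timezone

# Constructed stand-in for HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
CURRENT_VERSION = {
    "ProductName": "Microsoft Windows XP",
    "CSDVersion": "Service Pack 1",
    "RegisteredOwner": "Example Owner",   # hypothetical value
    "InstallDate": 1035896700,            # REG_DWORD, seconds since 1970-01-01 UTC
}

# Constructed stand-in for HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR subkeys
USBSTOR_KEYS = [
    "Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00",
    "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07",
]


def decode_install_date(dword: int) -> str:
    """InstallDate is a 32-bit Unix timestamp; render it as UTC so the
    answer does not depend on the analysis machine's time zone."""
    ts = datetime.fromtimestamp(dword, tz=timezone.utc)
    return ts.strftime("%Y-%m-%d %H:%M:%S UTC")


def windows_version(cv: dict) -> str:
    """ProductName plus the service pack from CSDVersion, if present."""
    return f"{cv['ProductName']} {cv.get('CSDVersion', '')}".strip()


def parse_usbstor_key(key: str) -> dict:
    """USBSTOR subkeys are named Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>;
    split on '&' and strip the field prefixes."""
    parts = key.split("&")
    names = {"Ven": "vendor", "Prod": "product", "Rev": "revision"}
    info = {"type": parts[0]}
    for part in parts[1:]:
        prefix, _, value = part.partition("_")
        info[names.get(prefix, prefix)] = value
    return info


def usb_manufacturers(keys) -> list:
    """Distinct vendors seen in USBSTOR, which answers 'provide a manufacturer'."""
    return sorted({parse_usbstor_key(k)["vendor"] for k in keys})


def answers() -> dict:
    """Collect the decoded values in report order."""
    return {
        "windows_version": windows_version(CURRENT_VERSION),
        "install_date": decode_install_date(CURRENT_VERSION["InstallDate"]),
        "owner": CURRENT_VERSION["RegisteredOwner"],
        "usb_vendors": usb_manufacturers(USBSTOR_KEYS),
    }


if __name__ == "__main__":
    for k, v in answers().items():
        print(f"{k}: {v}")
```

Autopsy shows these values already decoded in the Extracted Content and Results tree; the point of the block is to make clear that the install date you report is a converted epoch value, so always state the time zone you used.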
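Steps 3 through 5 build a Known Bad hash set from seed images and re-run the Hash Lookup module to find other copies. The block below is an added example, not part of the assignment and not Autopsy's code, that shows what that module does: it hashes a set of seed files with MD5, writes them to a one-hash-per-line text file (the plain md5sum-style list; whether your Autopsy version imports that exact file is an assumption to verify in its Import Hash Set dialog), and then walks a directory tree standing in for the evidence image, reporting every file whose content hash is in the set. The sample files and folder layout are constructed; they show that a match is by content, so a renamed copy in another folder is still a hit while a file with the same name but different bytes would not be.

```python
"""Added example (not part of the assignment or Autopsy): how a known-bad
MD5 hash set is built and matched. The files below are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash large files in 1 MiB chunks instead of reading whole


def md5_of_file(path: Path) -> str:
    """MD5 of a file's content (Autopsy's Hash Lookup module computes this)."""
    h = hashlib.md5()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_hash_set(seed_files, out_path: Path) -> set:
    """Hash each seed file and write the hashes, one per line, to out_path."""
    hashes = {md5_of_file(Path(p)) for p in seed_files}
    Path(out_path).write_text("\n".join(sorted(hashes)) + "\n")
    return hashes


def load_hash_set(path: Path) -> set:
    """Read a hash set back; tolerate 'hash  filename' lines and '#' comments."""
    hashes = set()
    for line in Path(path).read_text().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hashes.add(line.split()[0].lower())
    return hashes


def find_hashset_hits(root: Path, known_bad: set) -> list:
    """Walk a tree (stand-in for the evidence image) and return
    (relative path, md5) for every file whose MD5 is in the set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = Path(dirpath) / name
            digest = md5_of_file(p)
            if digest in known_bad:
                hits.append((str(p.relative_to(root)), digest))
    return hits


def demo() -> list:
    """Constructed layout: two seed images in a user's pictures folder, a
    byte-for-byte copy of one under a new name elsewhere, and a benign file."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "image"
        pictures = image / "Users" / "Clyde" / "My Pictures"
        elsewhere = image / "Windows" / "Temp"
        pictures.mkdir(parents=True)
        elsewhere.mkdir(parents=True)
        (pictures / "suspect1.jpg").write_bytes(b"\xff\xd8FAKEJPEG-A")
        (pictures / "suspect2.jpg").write_bytes(b"\xff\xd8FAKEJPEG-B")
        (elsewhere / "renamed.dat").write_bytes(b"\xff\xd8FAKEJPEG-A")  # same content
        (elsewhere / "benign.txt").write_bytes(b"nothing to see")
        hash_file = Path(tmp) / "SuspiciousImages.txt"  # kept outside the image tree
        seeds = [pictures / "suspect1.jpg", pictures / "suspect2.jpg"]
        build_hash_set(seeds, hash_file)
        known_bad = load_hash_set(hash_file)
        return find_hashset_hits(image, known_bad)


if __name__ == "__main__":
    for path, digest in demo():
        print(f"{digest}  {path}")
```

The seed images are reported as hits too, which is why the Hashset Hits node in Autopsy lists the originals alongside any additional copies; the additional filenames asked for in step 5 are the hits outside the seed folder.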
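Step 6 asks you to find the busy hour in the timeline and then list the unique phrases behind the Web Searches filter. The block below is an added example, not part of the assignment and not Autopsy's code, of the two computations involved: bucketing browser-history visits by hour (what the timeline's bar chart shows at hour zoom) and pulling the search phrase out of the query string of URLs to known search engines. The history rows and the search phrases are constructed, and the table of which query parameter each engine uses is an assumption that covers only the engines listed in it.

```python
"""Added example (not part of the assignment or Autopsy): hourly activity
buckets and search-phrase extraction from constructed browser history."""
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Assumed mapping of engine host -> query parameter carrying the search phrase
SEARCH_PARAMS = {
    "www.google.com": "q",
    "search.yahoo.com": "p",
    "www.bing.com": "q",
}

# Constructed browser-history rows: (visit time, URL)
HISTORY = [
    ("2002-10-29 14:58:10", "http://www.example.org/news/"),
    ("2002-10-29 15:01:22", "http://www.google.com/search?q=autopsy+forensic+browser"),
    ("2002-10-29 15:02:05", "http://www.google.com/search?q=autopsy+forensic+browser&start=10"),
    ("2002-10-29 15:04:40", "http://search.yahoo.com/search?p=winzip%20download"),
    ("2002-10-29 15:06:13", "http://www.example.org/page?q=not+a+search+engine"),
    ("2002-10-29 15:09:58", "http://www.google.com/search?q=windows+xp+service+pack"),
    ("2002-10-29 16:30:00", "http://www.example.org/weather/"),
]


def events_per_hour(history) -> dict:
    """Count visits per clock hour, the same bucketing as the timeline bars."""
    counts = Counter()
    for ts, _url in history:
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").strftime("%Y-%m-%d %H:00")
        counts[hour] += 1
    return dict(counts)


def busiest_hour(history) -> str:
    """The hour to zoom into: the bucket with the most events."""
    counts = events_per_hour(history)
    return max(counts, key=counts.get)


def search_phrase(url: str):
    """Decoded search phrase if the URL is a query to a known engine, else None.
    parse_qs already decodes %20 and '+', so no second unquote is applied."""
    parsed = urlparse(url)
    param = SEARCH_PARAMS.get(parsed.netloc.lower())
    if param is None:
        return None
    values = parse_qs(parsed.query).get(param)
    return values[0] if values else None


def unique_search_phrases(history) -> list:
    """What the Web Searches filter reduces to: distinct phrases, first-use order."""
    seen = []
    for _ts, url in history:
        phrase = search_phrase(url)
        if phrase and phrase not in seen:
            seen.append(phrase)
    return seen


if __name__ == "__main__":
    print("busiest hour:", busiest_hour(HISTORY))
    for phrase in unique_search_phrases(HISTORY):
        print("search:", phrase)
```

Note that a `q=` parameter on a site that is not a search engine is ignored, and that a second results page of the same query (the `start=10` row) does not produce a second phrase; both are the kinds of rows you should expect to see collapsed when you compare the raw Web History artifacts with the Web Searches filter.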

Deliverables

You should turn in a zip file that contains the following items. The file should be named with your last name and the assignment number, for example Berkley_Assign7.zip.

Attach your file to the Assignment listed in Sakai and submit it there.