
Understanding the Digital Forensics Profession and Investigations

1.1 Installing Autopsy for Windows

Introduction:
Investigating digital evidence is time-intensive because modern hard drives hold so
much data. Autopsy for Windows consolidates many digital forensics tools into a single
suite, so an investigator can analyze a storage device image, recover deleted files, and
search for evidence such as e-mail messages and documents. It also computes hash values
of files so that their integrity can be verified later, and it can import sets of
known-file hashes such as the NSRL (National Software Reference Library) so that
standard operating-system and application files can be recognized and set aside.
Installing Autopsy is the first step toward running a digital investigation effectively.
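To make the hashing and known-file matching concrete, here is an added Python example (written for this page; it is not the lab's or Autopsy's own code). It hashes files in chunks, as a forensics suite does, then filters them against a small reference set written in the NSRL RDS column layout. The reference rows and the evidence files are constructed inline, and the names notepad.exe and plans.docx are only illustrative.

```python
"""File hashing and known-file filtering of the kind a forensics suite performs:
hash each file in chunks, then look the digests up in an NSRL RDS style set."""
import csv
import hashlib
import io
import os
import tempfile

CHUNK = 1 << 20   # 1 MiB reads keep memory flat on multi-gigabyte files


def hash_file(path, algorithms=("md5", "sha1", "sha256")):
    """Compute several digests in a single pass over the file."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def load_known_set(rds_csv):
    """Index NSRL RDS style rows ("SHA-1","MD5","CRC32","FileName",...) by SHA-1 and MD5."""
    known = {}
    for row in csv.DictReader(io.StringIO(rds_csv)):
        known[row["SHA-1"].lower()] = row["FileName"]
        known[row["MD5"].lower()] = row["FileName"]
    return known


def triage(paths, known):
    """Split files into known (ignorable) and notable (needs review) lists."""
    result = {"known": [], "notable": []}
    for path in paths:
        digests = hash_file(path)
        name = os.path.basename(path)
        hit = known.get(digests["sha1"]) or known.get(digests["md5"])
        if hit:
            result["known"].append((name, hit))
        else:
            result["notable"].append((name, digests["sha256"]))
    return result


def demo():
    """Constructed evidence: a stand-in OS binary (in the reference set) and a user document."""
    with tempfile.TemporaryDirectory() as tmp:
        stock = os.path.join(tmp, "notepad.exe")       # illustrative name only
        user = os.path.join(tmp, "plans.docx")
        with open(stock, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 4096)
        with open(user, "wb") as fh:
            fh.write(b"PK\x03\x04 constructed user document")
        d = hash_file(stock)
        # Reference rows built from the stock file's real digests, in the RDS column layout.
        rds = ('"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"\n'
               f'"{d["sha1"].upper()}","{d["md5"].upper()}","00000000","notepad.exe","4098","1","WIN",""\n')
        return triage([stock, user], load_known_set(rds))


if __name__ == "__main__":
    print(demo())
```

Matching against a published known-file set is a second-preimage problem for the attacker, so MD5 and SHA-1 are still serviceable there; for proving that an evidence file or image has not changed since acquisition, record SHA-256 as well, because MD5 collisions are practical.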

How I installed Autopsy

1- I opened https://sourceforge.net/projects/autopsy/files/autopsy/4.3.0/
and downloaded the target file autopsy-4.3.0-64bit.msi.
2- Open the download folder, right-click autopsy-4.3.0-64bit.msi and click Install.

3- Then click Next on the setup page and choose where to install the files.
4- Then click Install.

5- In the Completing the Autopsy Setup Wizard window, click Finish, and then exit
Autopsy.

Review

1. Why is Autopsy an important forensics tool?

a. It can be used to troubleshoot a computer.

b. It can be used to test a computer’s operability.

c. It can be used to help digital forensics investigators find potential evidence.

d. It can be used to recover human DNA.

2. Autopsy can search for which of the following types of files? (Choose all that apply.)

a. E-mail

b. Graphics

c. Deleted files

d. Registry files

3. What’s a file hash?

a. A hexadecimal value obtained mathematically from a file

b. The name of a software program’s vendor or manufacturer

c. The size of a computer’s hard disk

d. The file size of potential evidence

4. Which of the following statements is true?

a. File hash information can be found in File Explorer.

b. File hashes can verify that the chain of custody has been maintained.

c. File hashes can indicate that software has been purchased legally.

d. File hashing values aren’t important to a digital investigator

5. Autopsy can’t recover deleted or corrupted files and display their contents. True or
False? False

1.2 FTK Imager Lite

Introduction
Forensic investigators must preserve the integrity of digital evidence from seizure to
trial. Two practices make that possible: maintaining the chain of custody, and acquiring
a bit-stream image, a sector-by-sector copy of the storage device rather than a copy of
its files. A bit-stream image captures allocated files, deleted files, slack space and
unpartitioned space, so the original device can be left untouched while the copy is
examined, and the hash values computed at acquisition let anyone verify later that the
image still matches what was seized.

FTK Imager Lite is a compact version of FTK Imager that runs from a USB drive or a
Windows computer without installation. It can preview files on a device to check for
evidence and, if evidence is found, acquire an image of the device. It supports a range
of file systems and produces several image formats (raw dd, E01 and others). It copies
encrypted files as they are stored but cannot decrypt them. In this lab, you will
download FTK Imager Lite; installation is covered in Chapter 3 of the textbook.
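The imaging-plus-verification workflow, as an added Python example written for this page rather than FTK Imager's own code. It builds a small constructed "disk" with one partition and leftover data in unpartitioned space, copies it sector by sector into a raw (dd-style) image, zero-fills and logs one simulated unreadable sector (sector 3, an assumption), and then compares the acquisition hash with a hash of the written image, which is what an imager's verify step does.

```python
"""Bit-stream (sector-by-sector) acquisition with acquisition and verification
hashes, in the spirit of FTK Imager's raw (dd) image output."""
import hashlib
import os
import struct
import tempfile

SECTOR = 512


def acquire(device_path, image_path, bad_sectors=frozenset(), sector_size=SECTOR):
    """Copy every sector of device_path to image_path and return the acquisition log.

    A sector listed in bad_sectors simulates a read error: it is zero-filled
    and logged rather than skipped, so every later offset in the image still
    lines up with the source.  The acquisition hash covers exactly the bytes
    written; the verification hash re-reads the finished image independently."""
    acq = hashlib.sha256()
    bad, count = [], 0
    with open(device_path, "rb") as dev, open(image_path, "wb") as img:
        while True:
            sector = dev.read(sector_size)
            if not sector:
                break
            if count in bad_sectors:
                bad.append(count)
                sector = b"\x00" * len(sector)
            acq.update(sector)
            img.write(sector)
            count += 1
    ver = hashlib.sha256()
    with open(image_path, "rb") as img:
        for block in iter(lambda: img.read(1 << 20), b""):
            ver.update(block)
    return {
        "sectors": count,
        "bad_sectors": bad,
        "acquisition_sha256": acq.hexdigest(),
        "verification_sha256": ver.hexdigest(),
        "verified": acq.hexdigest() == ver.hexdigest(),
    }


def build_device(path, sectors=64):
    """Constructed 32 KiB disk: MBR with one partition covering sectors 1-31,
    a live file in sector 3, and leftover data in sector 40, which lies in
    unpartitioned space and would be invisible to a file-level copy."""
    disk = bytearray(sectors * SECTOR)
    # One MBR partition entry at offset 446: bootable, type 0x0B (FAT32), LBA 1, 31 sectors.
    struct.pack_into("<B3sB3sII", disk, 446, 0x80, b"\x00" * 3, 0x0B, b"\x00" * 3, 1, 31)
    disk[510:512] = b"\x55\xAA"
    disk[3 * SECTOR:3 * SECTOR + 9] = b"LIVE_FILE"
    disk[40 * SECTOR:40 * SECTOR + 17] = b"DELETED_EVIDENCE!"
    with open(path, "wb") as fh:
        fh.write(disk)


def demo():
    """Image the constructed device, treating sector 3 as unreadable (an assumption)."""
    with tempfile.TemporaryDirectory() as tmp:
        dev = os.path.join(tmp, "device.bin")
        img = os.path.join(tmp, "device.dd")
        build_device(dev)
        log = acquire(dev, img, bad_sectors={3})
        with open(img, "rb") as fh:
            image = fh.read()
        log["image_size"] = len(image)
        log["unpartitioned_data_present"] = b"DELETED_EVIDENCE!" in image
        log["live_file_present"] = b"LIVE_FILE" in image   # lost: sector 3 was zero-filled
        return log


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points the run makes visible. First, the data in unpartitioned space survives in the image although no file system would list it. Second, "verified" only proves that the image matches the bytes the tool wrote; the zero-filled sector is gone, and only the bad-sector log records that gap, so it belongs in the acquisition notes. On a real acquisition the source device also sits behind a write blocker; nothing in this code protects the source from writes.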

How I downloaded FTK Imager

1- Go to exterro.com and then select Digital Forensics > FTK > FTK Imager >
Download.
2- Enter your e-mail address after clicking Download, and the file will download.

3- After the download, open the file and run the setup.

4- Click Finish at the end.
Review

1. FTK Imager can be used to search all the following except what?

a. Deleted files

b. Documents

c. Graphics

d. Encrypted files

2. FTK Imager is used primarily to produce which of the following?

a. Hard disk images that can be analyzed by forensics software

b. Forensic evidence

c. Device manufacturer information

d. DNA evidence

3. Why do forensics investigators work with bit-stream images?

a. Image files are smaller than the actual hard disk files.

b. Only image files contain forensic evidence.

c. An image file can be examined without damaging the original evidence.

d. The original storage device can’t be analyzed without the original computer.

4. FTK Imager can detect and view encrypted files. True or False? False

5. Bit-stream imaging is the process of ____.

a. Creating hash values from files on a storage device

b. Extracting readable information from encrypted files

c. Duplicating data on storage devices for forensic analysis

d. Determining the forensic nature of digital evidence


1.3 Downloading WinHex

Introduction:
Forensic investigators often use WinHex alongside other tools to examine and manipulate
raw data on disks. Although it was not designed specifically as a digital forensics
tool, it offers advanced data interpretation and manipulation features. In this lab, you
will download and install WinHex as outlined in Chapter 5 of the textbook.

The licensed version of WinHex supports FAT, NTFS, Ext2 to Ext4, Next3, CDFS and UDF
file systems, while the evaluation version reads FAT12, FAT16, FAT32, exFAT and NTFS.
It includes a RAM editor, a data interpreter (which decodes the bytes at the cursor as
integers, dates and other types), editing functions, file hashing, data recovery, and
search for text and hexadecimal values. The program and its files can be stored on a
USB drive and run on any Windows system.
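What the hex view, data interpreter and hex/text search functions do, as an added Python example (written for this page; it is not X-Ways code). The 512-byte sample is constructed inline to look like a FAT boot sector, with a Windows FILETIME and a UTF-16 string planted at assumed offsets (0x40 and 0x100) so that the interpreter and the Unicode search have something to find.

```python
"""A minimal hex viewer, data interpreter and hex/text search of the kind
WinHex provides, run over a constructed 512-byte sector."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def hexdump(data, base=0, width=16):
    """Return hex-view lines: offset, hex bytes, printable ASCII."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{base + i:08X}  {hexpart:<{width * 3 - 1}}  {text}")
    return lines


def interpret(data, offset):
    """Decode the bytes at offset the way a data interpreter panel does."""
    ticks = struct.unpack_from("<Q", data, offset)[0]      # FILETIME: 100 ns units since 1601
    try:
        filetime = (FILETIME_EPOCH + timedelta(microseconds=ticks // 10)).isoformat()
    except OverflowError:                                  # bytes are not a plausible timestamp
        filetime = None
    return {
        "int8": struct.unpack_from("<b", data, offset)[0],
        "uint16_le": struct.unpack_from("<H", data, offset)[0],
        "uint32_le": struct.unpack_from("<I", data, offset)[0],
        "uint32_be": struct.unpack_from(">I", data, offset)[0],
        "filetime": filetime,
    }


def find_all(data, needle):
    """Every offset at which needle occurs, overlapping matches included."""
    hits, start = [], 0
    while (i := data.find(needle, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def search_hex(data, hex_string):
    return find_all(data, bytes.fromhex(hex_string))


def search_text(data, text, encoding="ascii"):
    return find_all(data, text.encode(encoding))


def build_sample():
    """Constructed sector: FAT-style boot sector plus planted values."""
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x3C\x90"                 # jump instruction
    sec[3:11] = b"MSDOS5.0"                    # OEM name
    struct.pack_into("<H", sec, 11, 512)        # bytes per sector
    sec[13] = 8                                 # sectors per cluster
    ts = datetime(2020, 1, 1, tzinfo=timezone.utc)
    ticks = int((ts - FILETIME_EPOCH).total_seconds()) * 10_000_000
    struct.pack_into("<Q", sec, 0x40, ticks)    # planted FILETIME (assumed offset)
    sec[0x100:0x100 + 16] = "evidence".encode("utf-16-le")   # planted UTF-16 text
    sec[510:512] = b"\x55\xAA"                  # boot signature
    return bytes(sec)


SAMPLE = build_sample()

if __name__ == "__main__":
    print("\n".join(hexdump(SAMPLE)[:4]))
    print(interpret(SAMPLE, 11))
    print(interpret(SAMPLE, 0x40))
    print(search_hex(SAMPLE, "55AA"), search_text(SAMPLE, "evidence", "utf-16-le"))
```

The last search shows why a plain ASCII search misses Windows strings: "evidence" is only found when the needle is encoded as UTF-16LE, which is how NTFS filenames, the registry and much application data store text.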

How I downloaded WinHex

1- Start a Web browser, go to http://x-ways.com/winhex/index-m.html, and click
Download.

2- After the download, extract the archive.

3- Then make a shortcut on the Desktop.
Review

1. The evaluation version of WinHex can be used to search all the following file systems
except which one?

a. FAT16

b. HFS+

c. NTFS

d. exFAT

2. The evaluation version of WinHex can write up to how many bytes of data?

a. 200 KB

b. 200 MB

c. 2 TB

d. An unlimited number of bytes

3. The licensed version of WinHex includes a RAM editor. True or False?

4. WinHex can’t produce file hash values. True or False?

5. Which of the following statements is correct? (Choose all that apply.)

a. WinHex has advanced data manipulation features.

b. WinHex can’t concatenate or split files.

c. WinHex can’t perform hexadecimal searches on a disk drive.

d. WinHex includes hashing algorithms.


1.4 Using Autopsy for Windows

Introduction: Digital forensics tools can seem daunting even with clear
instructions. Autopsy for Windows aims to simplify the work with a user-friendly
interface, though some features may still be complex, especially for newcomers to
digital forensics.

1- We open Autopsy and create a new case.

2- Then we choose the data source type and select the image we want to use.

3- After the last step is finished, the screen is divided into three parts, as shown in
this figure.
4- As we can see, the image has files inside it, such as tables and images; we can see
the images by switching to the thumbnail view.

5- Below, we can see the ways to view the data in a file: hex, strings, file metadata
and media.
6- An additional feature is the timeline, which can show data as details, counts
and lists.
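The kind of predefined search that Autopsy's Keyword Lists run for IP addresses, phone numbers and credit card numbers, as an added Python example that approximates the feature. The regular expressions are my own, not Autopsy's, and the carved data is constructed. It shows the two details that matter in practice: the bytes are decoded in more than one encoding before searching, and credit card candidates are post-filtered with the Luhn check so that arbitrary 16-digit strings do not flood the results.

```python
"""Predefined keyword-list searches (IP addresses, phone numbers, credit card
numbers) over carved data, with multi-encoding decoding and a Luhn post-filter."""
import re

PATTERNS = {
    "ip_address": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "phone_number": re.compile(
        r"\b(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"),
    # Loose candidate pattern; the real validation happens in luhn_ok below.
    "credit_card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}


def luhn_ok(digits):
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def keyword_search(data, encodings=("utf-8", "utf-16-le")):
    """Decode raw bytes in each encoding, run every predefined pattern, and
    drop credit card candidates that fail Luhn.  Returns (list, match, encoding)."""
    hits = []
    for enc in encodings:
        text = data.decode(enc, errors="replace")
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                value = m.group()
                if name == "credit_card":
                    digits = re.sub(r"\D", "", value)
                    if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                        continue
                hits.append((name, value, enc))
    return hits


# Constructed carved data: ASCII text followed by a UTF-16LE fragment, as a
# Windows registry or document stream would store it.
ASCII_PART = (b"Contact 555-123-4567 from host 192.168.1.10. "
              b"Cards: 4111 1111 1111 1111 (valid), 4111 1111 1111 1112 (typo), "
              b"serial 1234-5678-9012-3456.")
if len(ASCII_PART) % 2:            # keep the UTF-16 tail 2-byte aligned
    ASCII_PART += b" "
SAMPLE = ASCII_PART + " 10.0.0.5 ".encode("utf-16-le")

if __name__ == "__main__":
    for hit in keyword_search(SAMPLE):
        print(hit)
```

Of the three 16-digit strings only 4111 1111 1111 1111 passes Luhn and is reported; the mistyped card and the serial number are discarded. The second IP address is found only in the UTF-16LE pass, which is why an ingest module must try several encodings rather than treating carved bytes as ASCII.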

Review

1. The Result Viewer pane in Autopsy displays which of the following?

a. File contents

b. Folder names, filenames, and dates

c. Log data about Autopsy’s activities

d. Timelines of file accesses

2. What type of information is displayed under the Data Sources item in the Tree
Viewer?

a. Folder names and pathnames

b. Filenames and directory paths

c. Sorted predefined files


d. Cataloged file types

3. Which file extension is used for Autopsy case files?

a. .atp

b. .aup

c. .apy

d. .aut

4. The Ingest Messages window provides what information?

a. File metadata that’s also available in the Content Viewer

b. A log of activities performed in Autopsy

c. Timeline information about files listed in the Result Viewer

d. A listing of predefined search values, such as e-mail addresses

5. The Keyword Lists feature offers which of the following search parameters? (Choose all
that apply.)

a. Phone numbers

b. IP addresses

c. Street addresses

d. Credit card numbers
