
Week-2 Lab - Data Acquisition and Duplication

Part-2: Autopsy Forensic Tool.


Overview

This lab introduces the core functionality of the open-source Autopsy forensic tool - a graphical interface for the Sleuth Kit command-line suite.

Investigators use Autopsy to examine disk images, organise evidence into cases, bookmark artefacts, and generate forensic reports.

Autopsy runs on Windows, Linux, macOS, and UNIX systems, and can:

  • Analyse disk images and perform detailed file system investigations (NTFS, FAT, EXT).
  • Identify and recover deleted files.
  • Bookmark key evidence for later reporting.
  • Generate forensic reports summarising findings and tagged artefacts.

Autopsy supports image formats such as RAW (.dd) and E01 (EnCase format).


Pre-Lab Reading


Learning Objectives

By completing this lab, you will:

  • Apply appropriate forensic practices and tools to analyse digital evidence.
  • Create and manage a case in Autopsy.
  • Identify deleted files and build a timeline of file system activity.
  • Generate and interpret an investigator’s report.

Activity 1 - Create an Autopsy Case

  1. Log in to your Cyber Lab workstation.
  2. From Moodle (Week 2 > Lab 2), download the forensic image file ntfs_pract.E01.
  3. Launch Autopsy.
    (Screenshot: Interface)
  4. Choose Create New Case.
    • Case Name: NTFS_Capture
    • Base Directory: your Documents folder
    • Examiner Name: your Student ID
    • Case Number: DF-LAB02
    (Screenshot: Create Case)
  5. Click Finish to open the Add Image wizard.
    (Screenshot: Add Image Wizard)
  6. Add Image Source -- Image File, then browse to select ntfs_pract.E01.
  7. Set Time Zone: (GMT +0:00) Europe/London.
    (Screenshot: Select Image)
  8. Leave all modules selected to enable full analysis.
    (Screenshot: Modules)
  9. Click Finish to begin processing the image.
    (Screenshot: Processing)

Quick Check

  • What happens if you add the wrong time zone?
  • Why might this affect your ability to reconstruct a timeline later?

Activity 2 - Examine the Image in Autopsy

Autopsy’s interface resembles Windows Explorer: the left pane shows the case tree; the right pane lists files and artefacts.

(Screenshot: Layout)

  1. Expand the image (ntfs_pract.E01) -- right-click -- Properties.
    • Volume starts at sector 59 and length = 1,023,001 sectors.
    (Screenshot: Properties)
  2. Expand vol2 (NTFS) -- right-click -- Properties.
    (Screenshot: Volume Details)
    Vol 1 and Vol 3 are unallocated (unused).
  3. Highlight vol2 (NTFS) in the right pane and open it.
    (Screenshot: Volume View)
  4. Locate NTUSER.DAT in the Table view.
    The NTUSER.DAT file stores Windows user-profile data such as login timestamps and user preferences.
    (Screenshot: NTUSER.DAT)
  5. Switch to Hex View to inspect the raw hexadecimal data.
    (Screenshot: Hex View)
  6. Expand Views > File Types > By Extension > Images to display picture files.
    (Screenshot: Images)
    Files shown here include active and deleted images recovered from the volume.
  7. Click the Thumbnail tab to preview images visually.
    (Screenshot: Thumbnails)
  8. Expand Videos and play one in the Media View window.
  9. Expand Documents > Office - deleted documents are marked with a red X.
  10. Highlight the last document and switch to Text View to preview its content.

Task - Evidence Interpretation

Record short answers in your notes:

  1. What might NTUSER.DAT reveal about user activity?
  2. What could deleted Office documents suggest about user intent or concealment?

Activity 3 - Keyword Search

Autopsy’s Keyword Lists tool allows pattern-matching searches using regular expressions.

  1. Open Keyword Lists from the top menu.
  2. Select URLs -- click Search.
  3. Review the returned results in the tree.

Question:
How could keyword searches help investigators identify traces of web browsing, email, or messaging activity?
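Autopsy's keyword search does not grep the image byte-for-byte: it first extracts text from files and unallocated space, including strings stored as UTF-16LE (how the Windows registry and many application files hold text), and then runs each list's regular expressions over that text. The block below is an added example (not the lab's or Autopsy's own code) that does the same over a constructed byte buffer; the URL and e-mail patterns are simplified stand-ins for Autopsy's built-in lists, and every address in the buffer is made up.

```python
import re

# Constructed stand-in for a few bytes of a volume: an ASCII URL, then an
# e-mail address and a second URL stored as UTF-16LE, with binary noise around them.
RAW = (b"\x00\x10\xffvisited http://example.test/login?user=alice\x00\x00"
       + "alice@example.test".encode("utf-16-le") + b"\xde\xad\xbe\xef"
       + "https://intranet.example.test/".encode("utf-16-le") + b"\x00")

# Simplified keyword lists (illustrative, not Autopsy's own regexes).
PATTERNS = {
    "URL": re.compile(r"https?://[A-Za-z0-9.-]+(?:/[^\s\x00]*)?"),
    "Email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}

def extract_strings(buf, min_len=4):
    """Yield (byte_offset, encoding, text) for printable ASCII and UTF-16LE runs."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, buf):
        yield m.start(), "ascii", m.group().decode("ascii")
    # UTF-16LE: each printable character is followed by a NUL byte.
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, buf):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")

def keyword_search(buf, patterns=PATTERNS):
    """Return (byte_offset, list_name, encoding, match) hits, sorted by offset.

    The offset points at the match inside the original buffer, which is what an
    examiner needs to jump to the hit in Hex View.
    """
    hits = []
    for off, enc, text in extract_strings(buf):
        width = 2 if enc == "utf-16le" else 1
        for name, rx in patterns.items():
            for m in rx.finditer(text):
                hits.append((off + m.start() * width, name, enc, m.group()))
    return sorted(hits)

if __name__ == "__main__":
    for hit in keyword_search(RAW):
        print(hit)
```

A plain ASCII search would find only the first URL; the two UTF-16LE strings are the kind of trace a registry hive or browser cache leaves behind.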


Activity 4 - Generate a Report

Producing a clear, verifiable report is one of the most important forensic tasks.

  1. Under File Types > Images, right-click an image -- Tag File -- Tag and Comment.
    • Tag: Bookmark
    • Comment: brief description of relevance.
  2. Repeat for two or three documents under Documents > Office.
  3. Go to Tools > Generate Report.
    • Choose HTML format -- Next.
    • Select Tagged Results -- Bookmark -- Finish.
  4. Click the generated report link to open it in a browser.
  5. Review:
    • Case metadata (examiner, evidence source, image info).
    • Tagged artefacts and their comments.

Ensure your report clearly documents each artefact and its relevance to the investigation.


Extra Activity - Correlate Findings

  • Compare file timestamps using Autopsy’s Timeline View.
  • Identify one deleted file and note its creation, modification, and deletion times.
  • Discuss what these timings indicate about the sequence of user actions.


Reminder: Always document every step, tool version, and observation - detailed documentation is as important as the analysis itself.


Best,

Ali.

Copyright © 2026 • Created by Ali Jaddoa

Page last updated: Tuesday 27 January 2026 @ 10:30:47 | Commit: 53f9309