The completion of this lab 1 indicates you are able to download and use the Autopsy program for the digital forensic analysis.

Autopsy for Windows (a free digital forensics tool) is available on Sleuth Kit download website.

For detailed information on installing and using Autopsy, you may visit the Autopsy User’s Guide the Autopsy User Documentation. You can find an instruction for installing Autopsy.

<Note: If the user experiences difficulties and issues related to installing Autopsy, the follow the following steps to resolve issue: Use the link you provided on the Word document (autopsy-4.3.0-64bit.msi ) and then click the button that states problems downloading and then click please use this direct link. It should then finish installing with no issues.>

The Digital Lab 1 assignment is the George Montgomery’s USB drive analysis exercise in the pages 43 to 52 of “Guide to Computer Forensics and Investigations” by Nelson et al.

Before beginning this exercise, create a C:WorkChap01Chapter folder (referred to as your “work folder” in steps). Download the zip file contains Ch01InChap01.exe file from Module 3, the Digital Lab Project #1 folder, the Ch01InChap01 data subfolder. (Please download the zip file and find the Ch01InChap01.exe file. Save it in your “work folder”.)

Double-click the Ch01InChap01.exe file in File Explorer to uncompress it into Ch01InChap01.dd. Start Autopsy for Windows.

In Autopsy’s main window, click the Create New Case button. In the New Case Information window, enter InChap01 in the Case Name text box (see Figure 1-12 in the Nelson p. 44), and click Browse next to the Base Directory text box. Navigate to and click your work folder. Make sure the Single-user option button is selected for Case Type, and then click Next

In the Additional Information window, type InChap01 in the Case Number text box and your name in the Examiner text box (see Figure 1-13, Nelson p. 44), and then click Finish to start the Add Data Source Wizard

In the Select Data Source window (see Figure 1-14), click the Select data source type list arrow, and click Disk Image or VM file. Click the Browse button next to the “Browse for an image file” text box, navigate to and click your work folder and the Ch01InChap01.dd file, and then click Open. Click Next

Keep the default settings in the Configure Ingest Modules window. Click Next and then Finish.

Next, follow these steps to display the contents of the acquired data:

In the Tree Viewer pane on the left, click to expand Views, File Types, By Extension, and Documents (see Figure 1-15).

Under Documents, click Office. In the Result Viewer (upper-right pane), click the first file, Billing Letter.doc, to display its contents in the Content Viewer (lower-right pane).

Right-click Billing Letter.doc, point to Tag File, and click Tag and Comment.

In the Create Tag dialog box, click the New Tag Name button shown in Figure 1-16. In the New Tag section, type Recovered Office Documents in the Tag Name text box, click OK, and then click OK again.

In the Result Viewer pane, Ctrl+click Billing Letter.doc, Income.xls, Regrets.doc, f0000000.doc, and f0000049.doc to select these files, and then release the Ctrl key. Right-click the highlighted files shown in Figure 1-17, point to Tag File and then Quick Tag, and then click Recovered Office Documents.

Under Documents in the Tree Viewer pane, click Plain Text to display more recovered files.

In the Result Viewer pane, select the files listed in Step 5 again, right-click the selection, point to Tag File and then Quick Tag, and then click Follow Up. Leave Autopsy running for the next activity.

With Autopsy, you can search for keywords of interest in the case. For this case, you need to find any files associated with George Montgomery. Follow these steps to search for any reference to the name “George”:

Click the Keyword Search button at the far upper right, type George in the text box (see Figure 1-18), and then click Search.

In the Result Viewer pane, a new tab named Keyword search 1 opens. Click each file to view its contents in the Content Viewer (see Figure 1-19). Look for files containing the name “George.”

1. Click the Keyword Lists button at the far upper right, click the Email Addresses check box, and then click Search.
2. In the Result Viewer pane, a new tab named Keyword search 2 opens. Click each file to view its contents in the Content Viewer pane and examine all e-mail addresses found in the search. Leave Autopsy running so that you can learn about more of its features in the next section.
3. Autopsy’s Report Generator Autopsy has several styles of reports, including a plain text file, an HTML Web page with links to artifacts, and an Excel spreadsheet.
4.  you have to generate a report in Excel.
5. To generate a report in the Excel format, you can follow this procedure:

If you exited Autopsy, start it again, and click Open Recent Case. Click InChap01 and then click Open in the Recent Case window. In Autopsy’s main window, click the Generate Report button at the top menu bar.

In the Generate Report window, select the Results – Excel format in the Report Modules section (see below). It will create an Excel file. When you’re finished, click Next.

1. 
2. Select the All Results in the Configure Artifacts Report window. After you make your selections, click Finish to generate the report.
3. 
4. After the report is generated, Autopsy displays the Report Generation Progress window. Click the link to open the report, and then click Close after you’ve reviewed it.
5. The Excel report file will be located in your work subfolder InChap01Reports in your work folder (the C:WorkChap01 folder).