Part 6 of 6

Practical Lab: Autopsy & FTK Imager

🕑 180-240 minutes 📖 Hands-on Practice

Introduction

This practical lab brings together the concepts learned throughout Module 3. You will use two essential forensic tools - FTK Imager for disk imaging and Autopsy for analysis - to perform a complete forensic examination workflow.

📚 Lab Objectives

Create forensic disk images, verify integrity with hash values, analyze images using Autopsy, extract Windows artifacts, investigate browser history, and generate a forensic report.

Tools Setup

💾 FTK Imager
Free forensic imaging tool from Exterro (formerly AccessData). Creates forensic images in multiple formats (E01, DD, AFF) with hash verification.

🔍 Autopsy
Open-source digital forensics platform. Provides comprehensive analysis including file recovery, timeline analysis, keyword search, and artifact extraction.

System Requirements

  • OS: Windows 10/11 (64-bit recommended)
  • RAM: Minimum 8GB, recommended 16GB+
  • Storage: SSD recommended, sufficient space for images (2x target drive size)
  • Practice Image: Download a test image or create from a USB drive

Practice Image Sources

For practice, you can use:
- Digital Corpora (digitalcorpora.org) - free forensic images
- NIST CFReDS (cfreds.nist.gov) - reference data sets
- Create your own from a USB drive with sample data

Lab 1: Forensic Imaging with FTK Imager

In this lab, you'll create a forensic image of a storage device and verify its integrity.

Step 1

Launch FTK Imager and Add Evidence

Open FTK Imager and add the source evidence:

  • File > Add Evidence Item
  • Select "Physical Drive" for full disk or "Logical Drive" for partition
  • Choose the target drive from the list

Step 2

Create Forensic Image

Configure the imaging settings:

  • Right-click on the evidence item > Export Disk Image
  • Add destination: Click "Add" to set output location
  • Select image type: E01 (Expert Witness format) recommended
  • Fill in case information (Case Number, Evidence Number, Examiner, etc.)
  • Set fragment size (default 1500 MB is usually fine)
  • Enable compression for storage efficiency

Step 3

Verify Hash Values

After imaging completes:

  • Review the verification results
  • Compare computed hash with acquired hash
  • Save the log file for documentation
  • MD5 and SHA1 hashes should match exactly

Expected FTK Imager output:

    Creating image...
    Image created successfully
    Verifying...
    Computed MD5: d41d8cd98f00b204e9800998ecf8427e
    Computed SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    Report MD5: d41d8cd98f00b204e9800998ecf8427e
    Report SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    Hash values match - Image verified successfully!

Note: the digests in this sample are the well-known MD5 and SHA1 values of zero-length input, so treat them as placeholders; a real image produces different values, and what matters is that the Computed and Report values agree for each algorithm.
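As an added example (not part of the lab and not FTK Imager's own code), the same two-way check done outside the GUI for a raw DD image: the image is streamed once to compute MD5 and SHA1 together, the Computed/Report lines are parsed from the verification log, and an algorithm passes only when all three values agree. The log line shape is assumed from the sample output above; demo() writes a constructed temporary file so the check runs offline.

```python
import hashlib
import os
import re
import tempfile

# Sample log copied from this lab's expected FTK Imager output; those digests are
# the MD5/SHA1 of zero-length input, which is why demo() defaults to an empty file.
SAMPLE_LOG = """Computed MD5: d41d8cd98f00b204e9800998ecf8427e
Computed SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
Report MD5: d41d8cd98f00b204e9800998ecf8427e
Report SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
"""
# Line shape assumed from the sample above: "<Computed|Report> <MD5|SHA1>: <hex>"
_LOG_LINE = re.compile(r"^(Computed|Report)\s+(MD5|SHA1):\s*([0-9a-fA-F]+)\s*$", re.M)

def hash_image(path, chunk_size=4 * 1024 * 1024):
    """Stream a raw (DD) image once, feeding MD5 and SHA1 together (flat memory)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"MD5": md5.hexdigest(), "SHA1": sha1.hexdigest()}

def parse_ftk_log(text):
    """Return {'Computed': {algo: hex}, 'Report': {algo: hex}} with lowercase digests."""
    found = {"Computed": {}, "Report": {}}
    for kind, algo, digest in _LOG_LINE.findall(text):
        found[kind][algo] = digest.lower()
    return found

def verify_image(path, log_text):
    """Re-hash the image and require agreement with BOTH logged values per algorithm.
    A digest missing from the log evaluates to False (a failure), never a pass."""
    actual = hash_image(path)
    log = parse_ftk_log(log_text)
    return {algo: log["Computed"].get(algo) == actual[algo] == log["Report"].get(algo)
            for algo in actual}

def demo(data=b"", log_text=SAMPLE_LOG):
    """Write constructed image bytes to a temp file and verify them against a log."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return verify_image(path, log_text)
    finally:
        os.remove(path)
```

For an E01 image the container's stored hashes cover the acquired data, not the E01 file itself, so this raw-file check applies to DD output; a tampered log entry or a missing one is reported as a failure rather than a pass.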

Lab 1 Checklist

  • Added evidence source to FTK Imager
  • Configured E01 image format with case info
  • Successfully created forensic image
  • Verified MD5 and SHA1 hashes match
  • Saved imaging log for documentation

Lab 2: Analysis with Autopsy

Use Autopsy to analyze the forensic image and extract artifacts.

Step 1

Create New Case

  • Launch Autopsy
  • File > New Case
  • Enter Case Name, Base Directory, and Case Number
  • Add Examiner Information
  • Click Next to proceed

Step 2

Add Data Source

  • Select "Disk Image or VM File"
  • Browse to your E01 image file
  • Leave timezone as detected or set to relevant timezone
  • Select ingest modules to run

Step 3

Configure Ingest Modules

Enable these modules for comprehensive analysis:

  • Recent Activity: Browser history, downloads, recent docs
  • Hash Lookup: Compare against known hash databases
  • File Type Identification: Identify file types by signature
  • Extension Mismatch Detector: Find disguised files
  • Embedded File Extractor: Extract embedded content
  • Keyword Search: Search for specific terms
  • Email Parser: Extract email artifacts
  • Windows Registry: Parse registry hives

Step 4

Analyze Results

Explore the analysis results in the left panel:

  • Data Sources: Browse the file system structure
  • Views: File types, deleted files, archive files
  • Results: Extracted artifacts organized by category
  • Tags: Your tagged items of interest

Key Areas to Examine

  • 🌐 Web Artifacts: Results > Extracted Content > Web History, Web Bookmarks, Web Downloads, Web Cookies
  • 📋 Recent Documents: Results > Extracted Content > Recent Documents - shows recently accessed files
  • 🔒 USB Devices: Results > Extracted Content > USB Device Attached - connected devices history
  • 🗑 Deleted Files: Views > Deleted Files - recoverable deleted content

Lab 2 Checklist

  • Created new Autopsy case with proper metadata
  • Added forensic image as data source
  • Configured and ran ingest modules
  • Examined browser history and bookmarks
  • Reviewed USB device connection history
  • Explored deleted files for recovery
  • Tagged items of interest

Lab 3: Generating Forensic Reports

Create a professional forensic report documenting your findings.

Step 1

Tag Important Evidence

  • Right-click on relevant items > Add Tag
  • Create meaningful tag names (e.g., "Suspicious Activity", "User Documents")
  • Add comments explaining the significance

Step 2

Generate Report

  • Tools > Generate Report
  • Select report format: HTML (recommended for review)
  • Choose what to include: All Results, Tagged Items, or specific categories
  • Select output location
  • Click Finish to generate

Step 3

Review and Document

  • Open the generated HTML report in a browser
  • Verify all relevant findings are included
  • Export additional screenshots if needed
  • Note hash values and timestamps for documentation

Report Contents Checklist

  • Case information and metadata
  • Evidence source details with hash values
  • Analysis methodology description
  • Key findings with supporting evidence
  • Timeline of significant events
  • Screenshots of important artifacts
  • Examiner signature and date

Practice Exercises

📝 Exercise 1: Timeline Analysis

Use Autopsy's Timeline feature (Tools > Timeline) to create a visual timeline of file system activity. Identify clusters of activity that might indicate significant events. Document the timestamps in your local timezone.

📝 Exercise 2: Keyword Search

Use the Keyword Search module to find specific terms. Search for common indicators like "password", "confidential", or domain-specific terms. Export the search results and analyze the context of each hit.

📝 Exercise 3: File Carving

Examine unallocated space for recoverable files. Use Views > Deleted Files to find files that may be recoverable. Note which files still have recoverable content versus those where only the MFT entry remains.

📝 Exercise 4: Registry Analysis

Navigate to the Registry hives in Autopsy. Examine NTUSER.DAT for the UserAssist key (program execution). Look at the SYSTEM hive for USB device history. Document your findings with screenshots.

📚 Key Takeaways

  • FTK Imager creates forensically sound images with hash verification
  • Always verify MD5 and SHA1 hashes match between source and image
  • Autopsy provides comprehensive analysis with automated artifact extraction
  • Ingest modules automate extraction of browser history, registry data, and more
  • Tag important findings for easy report generation
  • Document everything - case info, methodology, findings, and hashes