Analyzing Disk Image with Autopsy
When to Use
- When you have a forensic disk image and need structured analysis of its contents
- During investigations requiring file recovery, keyword searching, and timeline analysis
- When non-technical stakeholders need visual reports from forensic evidence
- For examining file system metadata, deleted files, and embedded artifacts
- When building a comprehensive case from multiple disk images
Prerequisites
- Autopsy 4.x installed (Windows) or Autopsy 4.x with The Sleuth Kit (Linux)
- Forensic disk image in raw (dd), E01 (EnCase), or AFF format
- Minimum 8GB RAM (16GB recommended for large images)
- Java Runtime Environment (JRE) 8+ for Autopsy
- Sufficient disk space for the Autopsy case database (2-3x image size)
- Hash databases (NSRL, known-bad hashes) for file identification
Workflow
Step 1: Install Autopsy and Configure Environment
```bash
# On Linux, install Sleuth Kit and Autopsy
# (the Debian/Ubuntu "autopsy" package is the older 2.x web interface; the 4.x GUI comes from the zip below)
sudo apt-get install autopsy sleuthkit

# Download Autopsy 4.x (GUI version) from official source
wget https://github.com/sleuthkit/autopsy/releases/download/autopsy-4.21.0/autopsy-4.21.0.zip
unzip autopsy-4.21.0.zip -d /opt/autopsy
# The zip unpacks into a versioned subdirectory; run its setup script once before the first launch
sh /opt/autopsy/autopsy-4.21.0/unix_setup.sh

# On Windows, run the MSI installer from sleuthkit.org

# Launch Autopsy
/opt/autopsy/autopsy-4.21.0/bin/autopsy --nosplash

# For Sleuth Kit command-line analysis alongside Autopsy
sudo apt-get install sleuthkit
```
Step 2: Create a New Case and Add the Disk Image
1. Launch Autopsy > "New Case"
2. Enter Case Name: "CASE-2024-001-Workstation"
3. Set Base Directory: /cases/case-2024-001/autopsy/
4. Enter Case Number, Examiner Name
5. Click "Add Data Source"
6. Select "Disk Image or VM File"
7. Browse to: /cases/case-2024-001/images/evidence.dd
8. Select Time Zone of the original system
9. Configure Ingest Modules (see Step 3)
```bash
# Alternatively, use Sleuth Kit CLI to verify the image first
img_stat /cases/case-2024-001/images/evidence.dd

# List partitions in the image
mmls /cases/case-2024-001/images/evidence.dd

# Output example:
# DOS Partition Table
# Offset Sector: 0
# Units are in 512-byte sectors
#
# Slot Start End Length Description
# 00: ----- 0000000000 0000002047 0000002048 Primary Table (#0)
# 01: 00:00 0000002048 0001026047 0001024000 NTFS (0x07)
# 02: 00:01 0001026048 0976771071 0975745024 NTFS (0x07)

# List files in a partition (offset 2048 sectors)
fls -o 2048 /cases/case-2024-001/images/evidence.dd
```
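As an added example (not part of this page or of The Sleuth Kit), the following Python parses the mmls output above into the sector offsets that fls, icat and istat take after -o, and goes a little beyond the page by also handling 4096-byte-sector images (which need -b) and computing the byte offset a loop mount needs; MMLS_OUTPUT is the constructed sample and the function names are this example's own.

```python
"""Parse an mmls partition table into the -o sector offsets that fls, icat,
istat and tsk_recover expect (added example, not Sleuth Kit code)."""
import re
# Constructed sample: the mmls output quoted in Step 2, not from a real image.
MMLS_OUTPUT = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Description
00: ----- 0000000000 0000002047 0000002048 Primary Table (#0)
01: 00:00 0000002048 0001026047 0001024000 NTFS (0x07)
02: 00:01 0001026048 0976771071 0975745024 NTFS (0x07)
"""

# One table row; also matches real mmls rows like "002:  000:000   0000002048 ...".
ROW_RE = re.compile(r"^\s*(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")
UNITS_RE = re.compile(r"Units are in (\d+)-byte sectors")

def parse_mmls(text):
    """Return (sector_size, rows); each row is a dict of one mmls line."""
    m = UNITS_RE.search(text)
    sector_size = int(m.group(1)) if m else 512
    rows = []
    for line in text.splitlines():
        r = ROW_RE.match(line)
        if r:
            rows.append({"slot": int(r.group(1)), "entry": r.group(2),
                         "start": int(r.group(3)), "end": int(r.group(4)),
                         "length": int(r.group(5)), "desc": r.group(6)})
    return sector_size, rows

def data_partitions(rows):
    """Keep rows backed by a table entry (e.g. 00:00); drop the table itself,
    Meta rows and unallocated gaps, which have no file system to open."""
    return [r for r in rows if re.fullmatch(r"\d+:\d+", r["entry"])]

def tsk_args(part, sector_size):
    """Options to put before the image path on fls/icat/istat command lines."""
    args = ["-o", str(part["start"])]
    if sector_size != 512:          # the tools assume 512-byte sectors otherwise
        args += ["-b", str(sector_size)]
    return args

def byte_offset(part, sector_size):
    """Partition start in bytes, e.g. for mount -o ro,loop,offset=N."""
    return part["start"] * sector_size
```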
Step 3: Configure and Run Ingest Modules
Enable the following Autopsy Ingest Modules:
- Recent Activity: Extracts browser history, downloads, cookies, bookmarks
- Hash Lookup: Compares files against NSRL and known-bad hash sets
- File Type Identification: Identifies files by signature, not extension
- Keyword Search: Indexes content for full-text searching
- Email Parser: Extracts emails from PST, MBOX, EML files
- Extension Mismatch Detector: Finds files with wrong extensions
- Exif Parser: Extracts metadata from images (GPS, camera, timestamps)
- Encryption Detection: Identifies encrypted files and containers
- Interesting Files Identifier: Flags files matching custom rule sets
- Embedded File Extractor: Extracts files from ZIP, Office docs, PDFs
- Picture Analyzer: Categorizes images using PhotoDNA or hash matching
- Data Source Integrity: Verifies image hash during ingest
```bash
# Configure NSRL hash set for known-good filtering
wget https://s3.amazonaws.com/rds.nsrl.nist.gov/RDS/current/rds_modernm.zip
unzip rds_modernm.zip -d /opt/autopsy/hashsets/

# Import into Autopsy:
# Tools > Options > Hash Sets > Import > Select NSRLFile.txt
# Mark as "Known" (to filter out known-good files)
```
Step 4: Analyze File System and Recover Deleted Files
```bash
# In Autopsy GUI: navigate the tree structure
# - Data Sources > evidence.dd > vol2 (NTFS)
# - Examine the directory tree; deleted files are marked with an X

# Using Sleuth Kit CLI for targeted recovery
# List deleted files
fls -rd -o 2048 /cases/case-2024-001/images/evidence.dd

# Recover a specific deleted file by inode
icat -o 2048 /cases/case-2024-001/images/evidence.dd 14523 > /cases/case-2024-001/recovered/deleted_document.docx

# Extract all files from a directory (here /Users/suspect/Documents)
# DIR_INODE is a placeholder for that directory's inode number as listed by fls
# (-d takes an inode, not a path); -e exports allocated and deleted files,
# the default being deleted files only
tsk_recover -e -o 2048 -d DIR_INODE \
  /cases/case-2024-001/images/evidence.dd \
  /cases/case-2024-001/recovered/documents/

# Get detailed file metadata
istat -o 2048 /cases/case-2024-001/images/evidence.dd 14523
# Shows: creation, modification, access, MFT change timestamps, size, data runs
```
Step 5: Perform Keyword Searches and Tag Evidence
In Autopsy:
1. Keyword Search panel > "Ad Hoc Keyword Search"
2. Search terms: credit card patterns, SSN regex, email addresses
3. Example regex for credit cards: \b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})\b
4. Example regex for SSN: \b\d{3}-\d{2}-\d{4}\b
5. Review results > Right-click items > "Add Tag"
6. Create tags: "Evidence-Critical", "Evidence-Supporting", "Requires-Review"
7. Add comments to tagged items documenting relevance
```bash
# Using Sleuth Kit for CLI keyword search
# srch_strings scans the whole image (it has no partition-offset option);
# -t d prints each hit's decimal byte offset from the start of the image
srch_strings -a -t d /cases/case-2024-001/images/evidence.dd | \
  grep -iE '(password|secret|confidential)' > /cases/case-2024-001/keyword_hits.txt

# Search for specific file signatures
# sigfind takes the hex signature before the image and tests the start of every
# 512-byte block (-b sets another block size); hits are reported as block numbers
sigfind 25504446 /cases/case-2024-001/images/evidence.dd
# 25504446 = %PDF header signature
```
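Added example, not from the page or the Autopsy project: the two Step 5 regexes run over constructed file content, with a Luhn check on card hits and the SSA allocation rules on SSN hits, so that only structurally valid matches get an Evidence tag; SAMPLE_TEXT and the function names are this example's own, and the card numbers are the public Visa/Mastercard test numbers.

```python
"""Triage the Step 5 keyword-search patterns: run them over file content and
separate structurally valid hits from false positives before tagging."""
import re

# The regexes from Step 5, unchanged.
CARD_RE = re.compile(r"\b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed stand-in for indexed file content; the card numbers are the
# public Visa/Mastercard test numbers, the SSNs are invented or historical.
SAMPLE_TEXT = """\
invoice.txt: card 4111111111111111 exp 12/26 approved
notes.txt: mistyped card 4111111111111112 declined
customer.csv: 5555555555554444,Jane Doe,078-05-1120
hr.doc: SSN on file 123-45-6789; placeholder 000-12-3456; bogus 666-01-2345
"""

def luhn_ok(digits):
    """Luhn mod-10 check that every issued card number passes; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def ssn_ok(ssn):
    """Reject area/group/serial values the SSA never issues."""
    area, group, serial = ssn.split("-")
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")

def scan(text):
    """Map each pattern name to [(hit, passes_check)] in order of appearance,
    so a reviewer can tag the confirmed hits and discard the rest."""
    hits = {"card": [], "ssn": []}
    for line in text.splitlines():
        hits["card"] += [(m.group(), luhn_ok(m.group())) for m in CARD_RE.finditer(line)]
        hits["ssn"] += [(m.group(), ssn_ok(m.group())) for m in SSN_RE.finditer(line)]
    return hits

def confirmed(hits):
    """Only the hits worth an 'Evidence-*' tag."""
    return {k: [h for h, ok in v if ok] for k, v in hits.items()}

if __name__ == "__main__":
    for kind, items in scan(SAMPLE_TEXT).items():
        for hit, ok in items:
            print(kind, hit, "confirmed" if ok else "false positive")
```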
Step 6: Build Timeline and Generate Reports
In Autopsy:
1. Timeline viewer: Tools > Timeline
2. Select date range of interest (incident window)
3. Filter by event type: File Created, Modified, Accessed, Web Activity
4. Zoom into suspicious time periods
5. Export timeline events as CSV for external analysis
Generate Report:
1. Generate Report > HTML Report
2. Select tagged items and data sources to include
3. Configure report sections: file listings, keyword hits, timeline
4. Export to /cases/case-2024-001/reports/
```bash
# Using Sleuth Kit mactime for CLI timeline
fls -r -m "/" -o 2048 /cases/case-2024-001/images/evidence.dd > /cases/case-2024-001/bodyfile.txt

# Generate timeline from bodyfile (-d = comma-delimited output;
# add -z TIMEZONE to render timestamps in the original system's time zone)
mactime -b /cases/case-2024-001/bodyfile.txt -d > /cases/case-2024-001/timeline.csv

# Filter timeline to specific date range
mactime -b /cases/case-2024-001/bodyfile.txt \
  -d 2024-01-15..2024-01-20 > /cases/case-2024-001/incident_timeline.csv
```
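Added example, not part of this page or of The Sleuth Kit: a Python reimplementation of what mactime does with the bodyfile above, including its date-range argument and the merged MACB column, filtered to the same 2024-01-15..2024-01-20 window; SAMPLE_BODYFILE is constructed and the function names are this example's own.

```python
"""Turn a Sleuth Kit bodyfile (what fls -r -m "/" writes) into timeline rows
the way mactime -d does, and cut them to an incident window."""
from datetime import datetime, timedelta, timezone
# Constructed bodyfile lines in the TSK 3.x body format, not from a real image:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODYFILE = """\
0|/Users/suspect/Documents/plan.docx|14523|r/rrwxrwxrwx|0|0|20480|1705400000|1705300000|1705300000|1705290000
0|/Users/suspect/Documents/staging.zip (deleted)|14600|r/rrwxrwxrwx|0|0|1048576|1705600000|1705590000|1705590000|1705590000
0|/Windows/Prefetch/OLD.EXE-1A2B3C4D.pf|9001|r/rrwxrwxrwx|0|0|4096|1700000000|1700000000|1700000000|1700000000
0|/pagefile.sys|8|r/rrwxrwxrwx|0|0|4294967296|1706000000|1706000000|1706000000|1705000000
"""

def parse_bodyfile(text):
    """Yield one record per well-formed line; anything else is skipped."""
    for line in text.splitlines():
        f = line.split("|")
        if len(f) >= 11:
            yield {"name": f[1], "inode": f[2], "size": int(f[6]),
                   "a": int(f[7]), "m": int(f[8]), "c": int(f[9]), "b": int(f[10])}

def parse_range(spec, tz=timezone.utc):
    """mactime's DATE argument ('yyyy-mm-dd' or 'yyyy-mm-dd..yyyy-mm-dd') as an
    inclusive (first, last) pair of epoch seconds covering whole days in tz."""
    first, _, last = spec.partition("..")
    lo = datetime.fromisoformat(first).replace(tzinfo=tz)
    hi = datetime.fromisoformat(last or first).replace(tzinfo=tz) + timedelta(days=1)
    return int(lo.timestamp()), int(hi.timestamp()) - 1

def timeline(text, daterange=None, tz=timezone.utc):
    """Return (epoch, macb, size, inode, name) rows sorted by time. Equal m/a/c/b
    times of one file collapse into one row (e.g. 'm.cb'); zero times are dropped."""
    lo, hi = parse_range(daterange, tz) if daterange else (1, 2**63)
    rows = []
    for rec in parse_bodyfile(text):
        by_ts = {}
        for key in "macb":
            if rec[key]:
                by_ts.setdefault(rec[key], set()).add(key)
        for ts, keys in by_ts.items():
            if lo <= ts <= hi:
                macb = "".join(k if k in keys else "." for k in "macb")
                rows.append((ts, macb, rec["size"], rec["inode"], rec["name"]))
    return sorted(rows)

def format_row(row, tz=timezone.utc):
    """One CSV line in mactime -d column order, minus the Mode/UID/GID columns."""
    ts, macb, size, inode, name = row
    when = datetime.fromtimestamp(ts, tz).strftime("%Y-%m-%d %H:%M:%S")
    return f"{when},{size},{macb},{inode},{name}"
```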
Key Concepts
| Concept | Description |
|---|---|
| Ingest Modules | Automated analysis plugins that process data sources upon import |
| MFT (Master File Table) | NTFS metadata structure recording all file entries and attributes |
| File carving | Recovering files from unallocated space using file signatures |
| Hash filtering | Using NSRL or custom hash sets to exclude known-good or flag known-bad files |
| Timeline analysis | Chronological reconstruction of file system and user activity events |
| Deleted file recovery | Restoring files whose directory entries are removed but data remains |
| Keyword indexing | Full-text search index built from all file content including slack space |
| Artifact extraction | Automated parsing of browser, email, registry, and OS-specific artifacts |
Tools & Systems
| Tool | Purpose |
|---|---|
| Autopsy | Open-source GUI forensic platform for disk image analysis |
| The Sleuth Kit (TSK) | Command-line forensic toolkit underlying Autopsy |
| fls | List files and directories in a disk image including deleted entries |
| icat | Extract file content by inode number from a disk image |
| mactime | Generate timeline from TSK bodyfile format |
| mmls | Display partition layout of a disk image |
| NSRL | NIST hash database for identifying known software files |
| sigfind | Search for file signatures at the sector level |
Common Scenarios
Scenario 1: Employee Data Theft Investigation
Import the employee workstation image, run all ingest modules, search for company-confidential file names and keywords, examine USB connection artifacts in Recent Activity, check for cloud storage client artifacts, review deleted files for evidence of data staging, generate HTML report for legal team.
Scenario 2: Malware Infection Forensics
Add the compromised system image, enable Extension Mismatch and Encryption Detection modules, examine the prefetch directory for execution evidence, search for known malware hashes, build timeline around the infection window, extract suspicious executables for further analysis in a sandbox.
Scenario 3: Child Exploitation Material (CSAM) Investigation
Import image with PhotoDNA and Project VIC hash sets enabled, run Picture Analyzer module, hash all image files against known-bad databases, tag and categorize matches by severity, generate law enforcement report with chain of custody documentation.
Scenario 4: Intellectual Property Dispute
Import multiple employee disk images as separate data sources in one case, perform keyword searches for proprietary terms and project names, compare file hashes between sources, build timeline showing file access and transfer patterns, export evidence for legal review.
Output Format
```
Autopsy Case Analysis Summary:
  Case: CASE-2024-001-Workstation
  Image: evidence.dd (500GB NTFS)
  Partitions: 2 (System Reserved + Primary)
  Total Files: 245,832
  Deleted Files: 12,456 (recoverable: 8,234)

  Ingest Results:
    Hash Matches (Known Bad): 3 files
    Extension Mismatches: 17 files
    Keyword Hits: 234 across 45 files
    Encrypted Files: 5 containers detected
    EXIF Data Extracted: 1,245 images with metadata

  Tagged Evidence:
    Critical: 12 items
    Supporting: 34 items
    Review: 67 items

  Timeline Events: 1,234,567 entries (filtered to incident window: 892)
  Report: /cases/case-2024-001/reports/autopsy_report.html
```