Autopsy Digital Forensics
Hi Everyone
I have been having a look at the Autopsy tool in BackTrack, and I'm impressed with it.
I have been able to view pictures and files that I have deleted off a USB thumb drive in the "file analysis" window.
But what I want to know is: is there any way to back up all of the pics, docs etc. you recover, like a function that allows you to pull them all from the image you're inspecting into a separate folder and be able to view them one by one?
I've used the "sorter output" function, but all the links to the files it finds take me back to the initial image.
So in the end I want to fully recover lost files and copy them back to a USB drive to view again as normal.
Hope someone could help on this, as this would be a really useful piece of info to have.
Thanks a lot.
Re: Autopsy Digital Forensics
I've only played with Autopsy and found it very lacking, so I stick with costly commercial Windows tools for forensic work. Having said that, I can't be positive, but Autopsy probably doesn't have the capacity to do what you want.
The reason has more to do with the way forensic work is done, and with evidentiary procedure for courts. Normally, the way you work a forensics case, you work a forensically-correct image of the original disk. That image would be on a second disk, one that has been specifically set up for forensics use. You recover the information there, and then transfer any files of interest to a third disk for presentation. This way the original disk is never harmed, as all work is done on the image on the second disk, and anything that gets touched by people after the fact is on the third disk.
Really, what you want is a file-recovery tool, which is a very different function than forensic work. There are a number of other file recovery tools that will do what you want, and automatically move recovered files to a different disk/folder. A search for file recovery tools to find the feature you require would probably be the best. One I use for Windows is Piriform's Recuva. http://www.piriform.com/recuva
Re: Autopsy Digital Forensics
I'll assume your USB drive is /dev/sdb (note I did NOT say sdb1, but sdb; that's better):
Code:
# foremost -T -i /dev/sdb
and enjoy the show.
if the disk is large, choose only the filetypes you are after and/or go for "scalpel", which is way smarter than foremost in what they're doing but needs editing a .conf file, unlike foremost which is ready for action out of the box.
do NOT issue this command if your working directory is on the drive you are recovering files from, and do it while the drive is unmounted.
and like Thorn said, if it's just for recovering a couple of files, just use Recuva.
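The two warnings in this post (carve from an unmounted device, and never write output onto the drive you are recovering from) can be checked before running the carver. The wrapper below is an added example, not code from any poster; it reads the mount table (/proc/mounts, overridable through MOUNTS for testing) and assumes foremost's `-o` option for the output directory:

```sh
#!/bin/sh
# Preflight for carving with foremost/scalpel: the target device must be
# unmounted, and the output directory must not sit on the target (or, for an
# image file, on the same filesystem as the image). Purely string based on the
# mount table: no symlink or bind-mount resolution, and mountpoints containing
# spaces (escaped as \040 in /proc/mounts) are not handled. Assumption for
# testing: MOUNTS may point at a constructed mount table instead of /proc/mounts.
MOUNTS="${MOUNTS:-/proc/mounts}"

# 0 if any mounted filesystem is backed by $1 or one of its partitions
# (/dev/sdb matches /dev/sdb1, /dev/sdb2, ...).
device_is_mounted() {
    awk -v dev="$1" 'index($1, dev) == 1 { found = 1 } END { exit !found }' "$MOUNTS"
}

# Print the block device backing the filesystem that would contain path $1
# (longest matching mountpoint wins; the path itself need not exist yet).
device_for_path() {
    awk -v p="$1" '{
        mp = $2
        if (mp == "/" || p == mp || index(p, mp "/") == 1) {
            if (length(mp) > best) { best = length(mp); src = $1 }
        }
    } END { print src }' "$MOUNTS"
}

# carve_preflight TARGET OUTDIR -> 0 if safe, 1 if TARGET is mounted,
# 2 if OUTDIR lives on TARGET. TARGET is a block device or an image file.
carve_preflight() {
    target="$1"; out="$2"
    case "$out" in /*) ;; *) out="$PWD/$out" ;; esac   # cwd itself may be on the target
    case "$target" in
        /dev/*)
            if device_is_mounted "$target"; then
                echo "refusing: $target (or a partition of it) is mounted; unmount it first" >&2
                return 1
            fi
            tdev="$target" ;;
        *) tdev=$(device_for_path "$target") ;;
    esac
    odev=$(device_for_path "$out")
    case "$odev" in
        "$tdev"*) echo "refusing: $out is on $odev, the same disk as $target" >&2; return 2 ;;
    esac
    return 0
}

# Typical use for the case in this thread (whole device, not the partition):
# carve_preflight /dev/sdb carved && foremost -T -i /dev/sdb -o carved
```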
Re: Autopsy Digital Forensics
Thanks for the reply, guys.
@Thorn = Yeah, it does seem that Autopsy is not really the tool to use; I just want to recover lost data really, and this seems to be geared up to a whole different area.
@SherifEldeeb = Thanks for the advice, I noticed the foremost tool but had a mess with Autopsy first. Actually the USB drive is /dev/sdc, not a problem though, and basically I'm going for the whole drive and not the partition.
I'll give it a go, seems a lot simpler.
Thanks a lot.
Re: Autopsy Digital Forensics
Quote: Originally Posted by CeEe4
Thanks for the reply, guys.
@Thorn = Yeah, it does seem that Autopsy is not really the tool to use; I just want to recover lost data really, and this seems to be geared up to a whole different area.
@SherifEldeeb = Thanks for the advice, I noticed the foremost tool but had a mess with Autopsy first. Actually the USB drive is /dev/sdc, not a problem though, and basically I'm going for the whole drive and not the partition.
I'll give it a go, seems a lot simpler.
Thanks a lot.
You're welcome.
Recovery is about getting back those files that have been deleted or otherwise lost.
Computer forensics really is about finding evidence items in a consistent and repeatable manner that can be presented in court. Sometimes those items need to be recovered from a hidden or deleted state, but not always.