
Thread: Autopsy Digital Forensics


  1. #1
    Just burned his ISO
    Join Date
    Mar 2010
    Posts
    18

    Autopsy Digital Forensics

    Hi Everyone

    I have been having a look at the Autopsy tool in BackTrack, and I'm impressed with it.

    I have been able to view pictures and files that I have deleted off of a USB thumb drive in the "file analysis" window.

    But what I want to know is, is there any way to back up all of the pics, docs etc. you recover, like a function that allows you to pull them all from the image you're inspecting into a separate folder and be able to view them one by one?

    I've used the "sorter Output" function, but all the links to the files it finds take me back to the initial image.

    So in the end I want to fully recover lost files and copy them back to a USB drive to view again as normal.

    Hope someone can help on this, as this would be a really useful piece of info to have.

    Thanks a lot.

  2. #2
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509

    Re: Autopsy Digital Forensics

    I've only played with Autopsy and found it very lacking, so I stick with costly commercial Windows tools for forensic work. Having said that, I can't be positive, but Autopsy probably doesn't have the capacity to do what you want.

    The reason has more to do with the way forensic work is done, and with evidentiary procedure for courts. Normally, the way you work a forensics case, you work a forensically-correct image of the original disk. That image would be on a second disk, one that has been specifically set up for forensics use. You recover the information there, and then transfer any files of interest to a third disk for presentation. This way the original disk is never harmed, as all work is done on the image on the second disk, and anything that gets touched by people after the fact is on the third disk.

    Really, what you want is a file-recovery tool, which is a very different function than forensic work. There are a number of other file recovery tools that will do what you want, and automatically move recovered files to a different disk/folder. A search for file recovery tools to find the feature you require, would probably be the best. One I use for Windows is Piriform's Recuva. http://www.piriform.com/recuva
    Thorn
    Stop the TSA now! Boycott the airlines.

  3. #3
    Junior Member
    Join Date
    Jan 2010
    Posts
    31

    Re: Autopsy Digital Forensics

    I'll assume your USB drive is /dev/sdb (note I did NOT say sdb1, but sdb, that's better):

    Code:
    # run as root; -T timestamps the output directory, -i names the input
    foremost -T -i /dev/sdb
    and enjoy the show.

    If the disk is large, choose only the file types you are after and/or go for "scalpel", which is way smarter than foremost in what they're doing but needs editing a .conf file, unlike foremost, which is ready for action out of the box.

    Do NOT issue this command if your working directory is on the drive you are recovering files from, and do it while the drive is unmounted.

    And like Thorn said, if it's just for recovering a couple of files, just use Recuva.
    Last edited by SherifEldeeb; 04-24-2011 at 06:10 AM.
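
The workflow described in posts #2 and #3, as an added example that is not part of the thread: refuse to touch a mounted drive, copy it to an image on a separate disk, verify the copy by hash, and run foremost against the image only. The function names, the `usb.img` file name, the default type list and the example paths are assumptions; it expects a Linux system with GNU coreutils and foremost installed.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): image first, verify, carve the image.

# True if DEV or one of its partitions is listed in the mounts table.
is_mounted() {   # is_mounted <device> [mounts-file]
    local dev="$1" mounts="${2:-/proc/mounts}"
    awk -v d="$dev" 'index($1, d) == 1 { hit = 1 } END { exit !hit }' "$mounts"
}

# Copy SRC to IMG, check both hash the same, print the SHA-256 of the image.
image_and_verify() {   # image_and_verify <src> <img>
    local src="$1" img="$2" h_src h_img
    dd if="$src" of="$img" bs=1M 2>/dev/null || return 1
    h_src=$(sha256sum "$src" | cut -d' ' -f1)
    h_img=$(sha256sum "$img" | cut -d' ' -f1)
    [ "$h_src" = "$h_img" ] || { echo "hash mismatch" >&2; return 1; }
    chmod a-w "$img"   # working copy is read-only from here on
    printf '%s\n' "$h_img"
}

# Carve from the image, never from the device itself.
carve_image() {   # carve_image <img> <outdir> [types]
    local img="$1" out="$2" types="${3:-jpg,pdf,doc}"
    command -v foremost >/dev/null || { echo "foremost not found" >&2; return 127; }
    foremost -T -t "$types" -i "$img" -o "$out"
}

# WORK must sit on a different disk; with DEV unmounted it cannot be on DEV.
recover() {   # recover <device> <workdir>
    local dev="$1" work="$2"
    if is_mounted "$dev"; then
        echo "$dev is mounted; unmount it first" >&2; return 1
    fi
    mkdir -p "$work" || return 1
    image_and_verify "$dev" "$work/usb.img" > "$work/usb.img.sha256" || return 1
    carve_image "$work/usb.img" "$work/carved"
}

# Example (as root): recover /dev/sdb /mnt/case01
```

The recorded hash in `usb.img.sha256` lets you re-check later that the working image has not changed since it was taken.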

  4. #4
    Just burned his ISO
    Join Date
    Mar 2010
    Posts
    18

    Re: Autopsy Digital Forensics

    Thanks for the reply guys.

    @Thorn = Yeah, it does seem that Autopsy is not really the tool to use. I just want to recover lost data really, and this seems to be geared up to a whole different area.

    @SherifEldeeb = Thanks for the advice. I noticed the foremost tool, but had a mess with Autopsy first. Actually the USB drive is /dev/sdc, not a problem though, and basically I'm going for the whole drive and not the partition.

    I'll give it a go, seems a lot simpler.

    Thanks a lot..

  5. #5
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509

    Re: Autopsy Digital Forensics

    Quote: Originally Posted by CeEe4
    Thanks for the reply guys.

    @Thorn = Yeah, it does seem that Autopsy is not really the tool to use. I just want to recover lost data really, and this seems to be geared up to a whole different area.

    @SherifEldeeb = Thanks for the advice. I noticed the foremost tool, but had a mess with Autopsy first. Actually the USB drive is /dev/sdc, not a problem though, and basically I'm going for the whole drive and not the partition.

    I'll give it a go, seems a lot simpler.

    Thanks a lot..
    You're welcome.

    Recovery is about getting back those files that have been deleted or otherwise lost.

    Computer forensics really is about finding evidence items in a consistent and repeatable manner that can be presented in court. Sometimes those items need to be recovered from a hidden or deleted state, but not always.
    Thorn
    Stop the TSA now! Boycott the airlines.
