THM — Autopsy

Case Scenario: An employee was suspected of leaking company data. A disk image was retrieved from the machine. You were assigned to perform the initial analysis. Further action will be determined based on the initial findings.

What is the full name of the operating system version?

We can find that information under Results in the Operating System Information tab.

What percentage of the drive are documents? Include the % in your answer.

Clicking on the Data Source, we can use the Summary tab to display a pie chart of our entire case.

The majority of file events occurred on what date? (MONTH DD, YYYY)

In the Summary tab, we can check User Activity and see that the majority of events occurred on March 25, 2015.

What is the name of an Installed Program with the version number of 6.2.0.2962?

To find this, we can either look through the Installed Programs tab or run a keyword search for the version number.

A user has a Password Hint. What is the value?

Checking User Accounts, we see that the username informant has a password hint.

Numerous SECRET files were accessed from a network drive. What was the IP address?

Checking the IP Addresses tab, we can see the number of hits each IP address has.

What web search term has the most entries?

The Web Search tab shows us that "information leakage cases" has the most entries.

What was the web search conducted on 3/25/2015 21:46:44?

Checking Date Accessed, we can find which search happened at what time.

What binary is listed as an Interesting File?

Autopsy automatically flagged two interesting executables.

What self-assuring message did the ‘Informant’ write for himself on a Sticky Note? (no spaces)

Accessing User/Informant/AppData/Roaming/Microsoft/StickyNotes, we can see what the informant wrote in the Text tab.

Using the Timeline, how many results were there on 2015-01-12?

Setting the date, we can see that there are 46 results that occurred on the 12th.
