I am trying to analyze a USB drive just for testing purposes on a Windows 10 PC.
I have opened Autopsy and created a new case.
I have selected the logical disk that I plugged into the PC.
Autopsy seems to go through the motions and runs the ingest modules, all of which are selected apart from one, but when it has finished, there are no results.
The Autopsy window is open, the icons at the top are colored but when I click one, I get a message saying there is no data, or something like that.
I have tried Reset Windows, but nothing happens.
I have tried Logical Files. This produces results, but doesn’t show deleted files, even though I deleted some files as a test.
Any help would be much appreciated.
I’ll offer an opinion. If I’m wrong, I hope someone corrects me so I don’t mislead you.
When reading a ‘logical disk’ as a data source you should not expect to see deleted files. The logical data structure of a disk does not include any deleted folders or files. The act of deleting files removes them from the file structure of the disk so that Windows can then re-use the space that the deleted files were occupying.
To confirm or deny my theory, use FTK Imager or Magnet Acquire to create an image file of your USB drive. That is, make a .E01 format backup of all the data storage areas of the USB drive and save it as a device image file in a format that Autopsy handles well (.E01).
Then run Autopsy, create a case and add the .E01 image file(s) to the case as an image file. Since the file contains ALL the contents of the USB drive, Autopsy should show you any deleted files on the USB drive.
If you wish to learn more, be sure you understand allocated space, unallocated space and slack space (or file slack space) as these terms apply to storage devices.
Best Regards,
Bob
Hi!
I created a .docx file with the content “hola” to run tests with Autopsy 4.19.3 on Windows.
I deleted the file and a couple of copies I had made of it, but after running Autopsy… I had no luck with the search. Autopsy doesn’t find any trace of the files. The ingest configuration I used, which I believe is the correct one, was 2 checks: Embedded File Extractor; and Keyword Search, where I created a Keyword List that I called “doc” with the search key: Substring Match = “Hola”.
I understand that Windows uses a logical structure to determine that the file exists, and I also understand that the file has not been completely erased, but… I think, if it is as you say, that Autopsy would be skipping an important part of the search.
I think I am making a mistake: how should I run the search?
Thanks in advance!
Mariano