Logical Acquisitions in Autopsy

Which is the best way to perform a logical acquisition on Autopsy? I don’t need to run a full physical - all I need is a few files (Windows Event Viewer: Security & OpenSSH) and registry keys.

It’s probably easiest to use the Logical Files data source processor. You can point it at the exact files and folders you want to analyze and only run ingest on those files and folders.

http://sleuthkit.org/autopsy/docs/user-docs/4.14.0/ds_page.html#ds_log

1 Like

Thanks for your quick and helpful response.

Forgot to say in the original question: can this apply to Virtual Machines?

If your VM is mounted you can use the logical files data source processor.

One thing I’ll mention though is that if you’re trying to process the registry you might need to point at the whole Windows folder and not the individual hive files. Because some of the hive names are pretty common (“system”, “security”, etc.) the Recent Activity module requires that they’re found under “system32/config”.

1 Like
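As an added example (not code from this thread or from the Autopsy project), the script below stages the handful of artifacts the question asks for from a mounted VM volume into a folder you can hand to the Logical Files data source processor, keeping each file at its original relative path so the registry hives land under `Windows/System32/config` as the reply above requires. It also walks an arbitrary staging folder and reports hives that were dropped somewhere else. The artifact list, the placeholder "mount" it builds for offline use, and the file name assumed for the OpenSSH operational log are illustrative assumptions; the hive names and the `winevt/Logs` location are the standard Windows ones.

```python
"""Stage selected Windows artifacts from a mounted VM disk for Autopsy's
Logical Files data source processor, preserving relative paths.

Example code, not part of the Autopsy project. The mount tree built by
build_demo_mount() is constructed placeholder data, not real hives."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Paths relative to the mounted volume root. The OpenSSH log file name is an
# assumption for this example; the hive names and winevt path are standard.
ARTIFACTS = [
    "Windows/System32/config/SYSTEM",
    "Windows/System32/config/SECURITY",
    "Windows/System32/config/SOFTWARE",
    "Windows/System32/config/SAM",
    "Windows/System32/winevt/Logs/Security.evtx",
    "Windows/System32/winevt/Logs/Microsoft-Windows-OpenSSH%4Operational.evtx",
]
HIVE_NAMES = {"SYSTEM", "SECURITY", "SOFTWARE", "SAM"}


def sha256_file(path):
    """Hash a file in chunks so the manifest can be verified later."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_case_insensitive(root, rel):
    """Resolve rel under root one component at a time, ignoring case: a VM
    disk mounted on Linux is case-sensitive, the Windows names inside are not."""
    cur = Path(root)
    for part in rel.split("/"):
        try:
            match = next(e for e in os.listdir(cur) if e.lower() == part.lower())
        except (StopIteration, FileNotFoundError, NotADirectoryError):
            return None
        cur = cur / match
    return cur if cur.is_file() else None


def stage_artifacts(mount_root, staging_root):
    """Copy each artifact that exists, keeping its relative path, and return
    a manifest of (relative_path, sha256) pairs."""
    manifest = []
    for rel in ARTIFACTS:
        src = find_case_insensitive(mount_root, rel)
        if src is None:
            continue  # absent on this volume (e.g. OpenSSH never installed)
        dst = Path(staging_root) / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 keeps timestamps
        manifest.append((rel, sha256_file(dst)))
    return manifest


def misplaced_hives(staging_root):
    """Return hive files in the staging tree that are NOT under
    System32/config, i.e. the ones the Recent Activity module would skip."""
    staging_root = Path(staging_root)
    bad = []
    for dirpath, _, files in os.walk(staging_root):
        for name in files:
            if name.upper() in HIVE_NAMES:
                rel = (Path(dirpath) / name).relative_to(staging_root).as_posix()
                parent = rel.rsplit("/", 1)[0].lower() if "/" in rel else ""
                if not parent.endswith("system32/config"):
                    bad.append(rel)
    return sorted(bad)


def build_demo_mount(root):
    """Constructed stand-in for a mounted VM volume (placeholder bytes)."""
    for rel, body in {
        "Windows/System32/config/SYSTEM": b"regf-placeholder-system",
        "Windows/System32/config/SECURITY": b"regf-placeholder-security",
        "Windows/System32/winevt/Logs/Security.evtx": b"ElfFile-placeholder",
    }.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)


def run_demo():
    """Stage the demo mount, verify hashes, and contrast a correctly staged
    tree with a hand-assembled one where hives sit at the top level."""
    with tempfile.TemporaryDirectory() as mount, \
            tempfile.TemporaryDirectory() as good, \
            tempfile.TemporaryDirectory() as bad:
        build_demo_mount(mount)
        manifest = stage_artifacts(mount, good)
        verified = all(sha256_file(Path(mount) / rel) == d for rel, d in manifest)
        for name in ("SYSTEM", "SECURITY"):  # wrong: file names only, no path
            (Path(bad) / name).write_bytes(b"regf-placeholder")
        return {
            "staged": [rel for rel, _ in manifest],
            "verified": verified,
            "misplaced_good": misplaced_hives(good),
            "misplaced_bad": misplaced_hives(bad),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Against a real mount, call `stage_artifacts("/mnt/vm-c", "/cases/case1/logical")`, keep the manifest with the case notes, then point the Logical Files processor at the staging folder; `misplaced_hives` is worth running on any staging tree assembled by hand, since a hive copied to the top level keeps its name but loses the location the Recent Activity module keys on.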

Thanks a lot! Just in the middle of getting around the annoying file permissions in VMware now.