Among the most fundamental skills necessary for a forensic investigator, recovering deleted files is the most basic. As you know, files that are "deleted" remain on the storage medium until overwritten. Deleting these files simply makes the cluster available to be overwritten by the filesystem. This means that if the suspect deleted evidence files, until they are overwritten by the file system, they remain available to us to recover.

In this tutorial, we will be using the open source The Sleuth Kit for identifying and recovering deleted files. The Sleuth Kit was first developed for Linux, but has now been ported to Windows, so we will be using it with our Windows examination system. You can download it here. After installing Autopsy and then starting it, you will be greeted with a screen similar to the above.

When you do, you will be greeted by a new window asking you to name your new case and what directory you want to place your cases in. Enter "New Case 101" and put it in the base directory of c:\Cases. This will open another window asking you for a case number and the examiner name. Give it a case number of 101 and your name or initials for the examiner. Next, click on "Add New Data" in the upper left corner. When you do, an "Add Data Source" window will open. Since we will be using the image file created in the previous module, select "Image File" and then Browse for the image file you created in Module 1. I saved mine in a directory c:\forensic images. After adding the image, click Next and Autopsy will begin its analysis of the image. Eventually, you will be greeted by a screen like that below. Yours may be different.
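To show why deleted files stay recoverable until their clusters are reused, here is an added example (not code from this tutorial or from The Sleuth Kit) that builds a constructed five-cluster disk image, marks a JPEG's clusters as free the way a deletion does, and then signature-carves only the unallocated clusters, which is what Autopsy's carving of "unallocated space" does on a real image. The cluster size, the JPEG-shaped sample data and the allocation set are all constructed assumptions.

```python
# Constructed toy disk image: 4 KiB clusters plus a set of allocated clusters.
CLUSTER = 4096               # bytes per cluster in the constructed image
JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image signature
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image signature

def make_jpeg(payload: bytes) -> bytes:
    """Constructed JPEG-shaped blob: SOI, one marker byte, payload, EOI."""
    return JPEG_SOI + b"\xe0" + payload + JPEG_EOI

def build_image():
    """Return (image_bytes, allocated_clusters). Clusters 2-3 hold a JPEG whose
    directory entry was deleted: the bytes are intact but the clusters are free."""
    deleted = make_jpeg(b"deleted-evidence" * 300)   # 4806 bytes, spans 2 clusters
    live = make_jpeg(b"still-allocated" * 20)
    clusters = [
        b"\x00" * CLUSTER,                           # 0: file system metadata
        live.ljust(CLUSTER, b"\x00"),                # 1: allocated, live file
        deleted[:CLUSTER],                           # 2: deleted file, first part
        deleted[CLUSTER:].ljust(CLUSTER, b"\x00"),   # 3: deleted file, tail
        b"\x00" * CLUSTER,                           # 4: never used
    ]
    return b"".join(clusters), {0, 1}                # only 0 and 1 are allocated

def carve_jpegs(data: bytes):
    """Signature carving: every SOI..EOI span in data as (offset, bytes)."""
    found, pos = [], 0
    while (start := data.find(JPEG_SOI, pos)) != -1:
        end = data.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break
        found.append((start, data[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found

def carve_unallocated(image: bytes, allocated: set):
    """Carve only the free clusters, joined in order as TSK's blkls exports them."""
    free = [i for i in range(len(image) // CLUSTER) if i not in allocated]
    blob = b"".join(image[i * CLUSTER:(i + 1) * CLUSTER] for i in free)
    # Map each hit back to the cluster in which its signature was found.
    return [(free[off // CLUSTER], data) for off, data in carve_jpegs(blob)]

def overwrite_cluster(image: bytes, idx: int, new: bytes) -> bytes:
    """Simulate the file system reusing a free cluster for new data."""
    block = new[:CLUSTER].ljust(CLUSTER, b"\x00")
    return image[:idx * CLUSTER] + block + image[(idx + 1) * CLUSTER:]
```

Carving the whole image finds both the live and the deleted JPEG; carving only unallocated space finds just the deleted one, and once cluster 2 is reused for new data the deleted file's signature is gone and it can no longer be carved.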