Create a Case in Autopsy
Every investigation begins with setting up a new case. This step organizes all findings, reports, and evidence under one project.
Steps to create a case:
- Launch Autopsy and select “New Case.”
- Enter a case name (e.g., “Fraud Investigation – Case 2025-01”).
- Provide a case number for tracking purposes.
- Assign the case to a named investigator for accountability.
Concrete Example: If investigating a phishing attack, a case might be named “Phishing Investigation – Employee Mail Server” with a unique case number to ensure proper tracking and reporting.
Load Data Source
After creating the case, the next step is to import a forensically sound disk image or other data source into Autopsy.
Data sources may include:
- Disk images (E01, RAW, DD, etc.)
- Memory dumps
- Logical files and folders
- Mobile phone backups
Steps to load a data source:
- Click “Add Data Source” in the Autopsy case dashboard.
- Select the type of evidence (e.g., disk image).
- Navigate to the location of the forensic image and import it.
Verify Hash Values
One of the most important steps in forensic acquisition is verifying that the image has not been tampered with. Autopsy allows investigators to check the image’s hash values against those generated during acquisition.
- Common hash algorithms: MD5, SHA-1, SHA-256
- Hash values ensure the forensic image is an exact replica of the original.
- If the hash matches, the evidence is valid and admissible in court.
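The same comparison can be repeated outside Autopsy as an independent cross-check. The script below is an added example, not part of the original page or Autopsy's own code; `hash_image`, `verify_image` and `evidence.dd` are hypothetical names. It assumes a raw (RAW/DD) image, because it hashes the file's bytes; an E01 container records the hash of the media stored inside it, so it needs a tool that reads that format.

```python
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK = 1024 * 1024  # 1 MiB reads, so a multi-gigabyte image never sits in RAM


def hash_image(path, algorithms=ALGORITHMS):
    """Read the image once and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def verify_image(path, acquisition_hashes):
    """Compare recomputed digests with those recorded at acquisition.

    acquisition_hashes maps a label such as "SHA-256" to the hex digest
    from the acquisition log. Returns {algorithm: "match" or "MISMATCH"}.
    """
    # Normalise "SHA-256" -> "sha256"; ignore case and whitespace in digests.
    expected = {k.lower().replace("-", ""): v.strip().lower()
                for k, v in acquisition_hashes.items()}
    unsupported = set(expected) - set(ALGORITHMS)
    if not expected or unsupported:
        raise ValueError(f"nothing to verify or unsupported: {sorted(unsupported)}")
    actual = hash_image(path, tuple(expected))
    return {name: "match" if actual[name] == expected[name] else "MISMATCH"
            for name in expected}


if __name__ == "__main__":
    # Constructed stand-in for a raw image and its acquisition log entry.
    data = b"constructed sample sectors " * 4096
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.dd")
        with open(image, "wb") as fh:
            fh.write(data)
        log = {"MD5": hashlib.md5(data).hexdigest().upper(),
               "SHA-256": hashlib.sha256(data).hexdigest()}
        print("as acquired:", verify_image(image, log))
        with open(image, "r+b") as fh:  # simulate a single altered byte
            fh.seek(512)
            fh.write(b"\x00")
        print("after change:", verify_image(image, log))
```

Record the recomputed digests in the case notes alongside the acquisition values so the comparison itself is documented.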
Following proper data acquisition and loading steps ensures that:
- Evidence remains reliable and admissible in court.
- Investigators can perform deeper analysis with confidence.
- Digital investigations maintain transparency and credibility.