Article Search...

Loading Images and File Recovery with Autopsy (Part 2)

Extracting files, and or recovery of critical forensic information is key within the process of computer forensics. Out in the wild there are a plethora of tools that a forensic examiner may choose to utilize in order to do so. Although this does not directly relate to recovery of files from a forensic stand point, it can also be utilized for users who have lost data and want to try their hand at recovery of information. The focus of this document will be around Autopsy and how to use the free tool in order to recover said files.

Obtain Disk Image With Linux

Although stated in a previous writeup concerning computer forensics, it can be quite an expensive endeavor. Some of the things that you may come across whereby an expense is needed you may be able to get away with utilizing, Linux. When we discussed the need for write-blockers, it was said that you needed to purchase an expensive write-blocker that would allow you to make a disk image with ease of mind. However, you don't really need to do this. This article will explain how you can utilize Linux in order to pull a disk image and then feed it into ProDiscover and of course, bypass the need for a write blocker. This document will also detail how you can recover files that were deleted for a forensic investigation.

Recovering Files in Autopsy

Recovering files with Forensic tools can be a great help when putting together a case, or even when you need to recover files that have been accidentally deleted. This paper will discuss how to utilize autopsy in order to recover, and pillage for files that have been deleted.

Cracking Passwords in Forensics

This document highlights some of the issues that forensic examiners face when dealing with encrypted files. Ideally, it will also point out how a forensic examiner may procure access to items that are encrypted with the use of a small browser trick which may be commonly overlooked by attackers. Although it's directed at the common person when engaging, it can also be applied to those who are not well versed with forensic obfuscation techniques. This focus herein will be centric around zip, browsers and other types of access.

Windows Live Analysis

Sometimes in computer forensics you will come across an issue where you may need to interact with the RAM within a computer. This example does not take the efforts into discussing an attack and the steps that you need to set up, but rather, it discusses tracking an event in memory. This is normally seen when a service, or application has been attacked. Once an exploit has been executed against the system, and if the attack is happening when the investigator is present – a forensic examiner may take the following steps as a sort of outline to assist.


This article serves as a general guideline, rule-set and other details regarding the grounds of computer forensics. We will aim to answer many of the questions in the field, as well as to point out what may be needed. We will provide forms, and labels that you can utilize during your own investigations, some legal issues jurisdiction effects, content to be viewed, and a brief over-view of the Wire Tap Act. If you plan to follow any of these guides please do so for educational purposes and not in a real environment if you cannot procure the hardware or software to perform a digital forensics. Within this documentation I will also aim to provide case studies through mockup hacks and attacks on a privately owned network and virtual system to provide details as to how evidence collection works, what to look for and how to assess the situation upon arrival.

Encase Forensic Data Recovery

Document details obtaining files that have been deleted with the usage of Encase forensic tools.

ProDiscover Forensic Data Recovery

This article covers information regarding ProDiscover Forensic tools to retrieve files from a computer whose data has been destroyed. . The main purpose of this document is for forensic file recovery with ProDiscover. Although this is an older version it may in fact be the same in the newer versions -- if however, it is not we will attempt to get a newer version of ProDiscover in order to demonstrate the use of the software in another article.

Linux Forensics & Incident Response Introduction

The main purpose of this document will be to combine both incident response and Linux forensics into one single article. Please keep in mind that the information presented in this segment will require intractions with the suspect machine. While we would prefer that analysts utilize the script here: if you feel any other tools would work best for you. Please use those.


A set of tools, tutorials and other information that detail how to conduct a forensics from and against a Linux / Unix operating system.