How to do it...

After starting your freshly installed digital forensics tool, the first window you see is Welcome. Here we have three main options:

• Create New Case - this option will create a new case for you
• Open Recent Case - this option will open the last case you worked on
• Open Existing Case - this option allows you to choose one of the cases present on your workstation

As we just installed Autopsy, we don't have any cases, so our choice is the Create New Case option. Now you will see a New Case Information window.

1. In the first step, Case Info, we have two fields to fill in; the third will be completed automatically. You should type your case number or name in the first field, Case Name, and choose the directory for your case files in the second, Base Directory (use the Browse button). The third field will show the path to your case files (base directory + case name).

1. The second step, Additional Information, is optional: you can leave both fields blank. However, it is usually better to fill them in. The first field should contain your case number, the second your name.

1. Click Finish and the case will be created.
2. It's time to select the data source, here is the Add Data Source window. The first thing you should do is select the data source type. Three options are available:

• • Image or VM File - this option allows you to choose a forensic image in one of the supported formats, or a virtual machine disk, for example, that was found during the examination of an image
  • Local Disk - this option allows you to choose a physical drive connected to your workstation, or a mounted logical drive (for example, D:)

• • Logical Files - this option allows you to choose files and folders for analysis, for example, from a mounted forensic image

1. Don't forget to choose the right time zone.
2. In the next step, you should choose ingest modules to run. Autopsy ingest modules analyze the files on the data source and parse their contents. As the main aim of this recipe is to show you how to undelete files from NTFS, we have chosen just a few modules, including:

• • File type identification - identifies files based not on their extensions, but their internal signatures
  • Extension mismatch detector - uses File Type Identification Module results to flag the files with an extension that is not usually associated with the detected file type
  • Embedded file extractor - extracts data from different archive formats, including DOCX, XLSX, PPTX, and others

1. Click Next and data source processing will start.
2. After some time, depending on the size of the data source, the Finish button will become active: click it and you are ready to analyze the file system(s).

The point of this recipe is to teach you how to undelete files from NTFS. The thing is, when a file is deleted, it's not erased; it is simply marked as deleted in the MFT entry for the file. So, until the file is overwritten, it can be recovered, and Autopsy can help digital forensic examiners with this. It even sorts out all the deleted files for you: just go to Views - Deleted Files on the left pane (the Tree Viewer).

You can use this option to recover files, or browse the file system(s) via the Data Sources option. Deleted files have red cross icons on the left. To recover a file or files:

1. Right-click on the file or files (mark all the files you want to recover beforehand)

2. Choose Extract File(s)

3. Choose the destination folder

4. Click Save

Yes, it is that easy!