Autopsy Forensic Use Case on the Acorn

The Autopsy forensic use case featured here shows how Squirrel Forensics’ Acorn empowers investigators to examine digital evidence, recover deleted files, and reconstruct user activity using powerful open-source tools.

By combining Autopsy with the Acorn, forensic examiners can efficiently analyse forensic disk images, identify unauthorised data transfers, track USB activity, and review web artifacts, making Autopsy an essential tool in digital forensic investigations.

Context

A corporate security team suspects that an employee has exfiltrated sensitive company files. Digital forensics examiner Jane Smith is assigned to investigate. She acquires a forensic image of the suspect’s workstation using a disk imaging tool and loads it into Autopsy on the Acorn for in-depth analysis.

Loading the Forensic Image into Autopsy

• Jane launches Autopsy on the Acorn forensic workstation and creates a new forensic case.
• She loads the forensic image (E01, raw, or AFF format) into Autopsy, allowing the tool to automatically parse and extract metadata.
• Autopsy begins scanning and indexing the image, enabling faster searches and analysis.

Figure: Evidence ingestion process in Autopsy's GUI running on the Acorn forensic workstation, used for digital forensic investigations and case management.

Analysing Files & Activity Logs

1. Keyword Search for Sensitive Files

• Jane uses Autopsy’s keyword search to look for confidential company documents by filtering:
– File names and extensions (e.g., .pdf, .docx, .xlsx).
– Keywords related to intellectual property or financial data.
– Recently modified or accessed files.
• The search reveals deleted but recoverable documents, which she extracts for further examination.

2. File Timeline Analysis

• Autopsy’s timeline analysis feature helps Jane visualise:
– When sensitive files were last accessed, modified, or deleted.
– Periods of high activity that may indicate unauthorised transfers.
– Any unusual spikes in USB device connections or file access patterns.

3. USB Device & File Transfer History

• Jane examines USB device logs to determine:
– Which external drives were connected.
– What files were transferred or deleted before the drive was removed.
• The logs confirm that a USB drive was used to transfer multiple company documents shortly before the suspect left the office.

4. Web Activity & Email Attachments

• Using Autopsy’s web artifacts module, Jane reconstructs:
– Recent browsing history, revealing searches for “how to securely transfer files.”
– Web-based email activity, including attachments of sensitive documents sent to a personal email account.
– Cloud storage logins, indicating files may have been uploaded to Google Drive or Dropbox.
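The four analysis steps above (sensitive-file search, timeline, USB correlation) are things Autopsy does through its GUI; the script below is an added example, not Autopsy's code or part of this page, that performs the same correlation on a handful of constructed artefact records so the logic is visible. The file records, device serial and timestamps are all invented for the example, and the sensitive extensions and keywords stand in for whatever an examiner's search terms would be.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Search filters an examiner might use (constructed for this example).
SENSITIVE_EXT = {".pdf", ".docx", ".xlsx"}
SENSITIVE_KEYWORDS = ("confidential", "financial", "q3_forecast")


@dataclass(frozen=True)
class FileRecord:
    """One file-system entry exported from the image: path, M/A times, deleted flag."""
    path: str
    modified: datetime
    accessed: datetime
    deleted: bool = False


@dataclass(frozen=True)
class UsbEvent:
    """One removable-device session reconstructed from the OS device logs."""
    serial: str
    connected: datetime
    removed: datetime


# Constructed sample artefacts; T0 is the start of the working day being examined.
T0 = datetime(2024, 3, 12, 9, 0)
NOW = T0 + timedelta(hours=9)  # time of examination, used for the "recent" filter
H = timedelta(hours=1)
FILES = [
    FileRecord("C:/Users/js/Documents/Q3_forecast_CONFIDENTIAL.xlsx", T0 + 8 * H, T0 + 8 * H + timedelta(minutes=10)),
    FileRecord("C:/Users/js/Documents/financial_summary.docx", T0 + 7 * H, T0 + 8 * H + timedelta(minutes=12), deleted=True),
    FileRecord("C:/Users/js/Pictures/holiday.jpg", T0 - timedelta(days=40), T0 + 3 * H),
    FileRecord("C:/Users/js/Documents/client_list.pdf", T0 - timedelta(days=60), T0 - timedelta(days=60)),
]
USB_EVENTS = [
    # Serial is a placeholder, not a real device identifier.
    UsbEvent("USB-SERIAL-PLACEHOLDER", T0 + 8 * H + timedelta(minutes=5), T0 + 8 * H + timedelta(minutes=20)),
]


def is_sensitive(path: str) -> bool:
    """Match on a watched extension or a keyword anywhere in the path (case-insensitive)."""
    lower = path.lower()
    return any(lower.endswith(ext) for ext in SENSITIVE_EXT) or any(kw in lower for kw in SENSITIVE_KEYWORDS)


def recent_sensitive_files(files, now, days=30):
    """Step 1: sensitive files modified or accessed in the last `days` days, deleted entries included."""
    cutoff = now - timedelta(days=days)
    return [f for f in files if is_sensitive(f.path) and max(f.modified, f.accessed) >= cutoff]


def build_timeline(files, usb_events):
    """Step 2: merge file M/A events and USB sessions into one chronologically sorted list."""
    events = []
    for f in files:
        events.append((f.modified, "file_modified", f.path))
        events.append((f.accessed, "file_accessed", f.path))
    for u in usb_events:
        events.append((u.connected, "usb_connected", u.serial))
        events.append((u.removed, "usb_removed", u.serial))
    return sorted(events, key=lambda e: e[0])


def activity_per_hour(timeline):
    """Bucket timeline events by hour so periods of unusual activity stand out."""
    return Counter(ts.replace(minute=0, second=0, microsecond=0) for ts, _, _ in timeline)


def files_touched_while_usb_present(files, usb_events):
    """Step 3: sensitive files accessed or modified while a removable device was attached."""
    hits = []
    for u in usb_events:
        for f in files:
            if not is_sensitive(f.path):
                continue
            if u.connected <= f.accessed <= u.removed or u.connected <= f.modified <= u.removed:
                hits.append((u.serial, f.path, f.deleted))
    return hits


if __name__ == "__main__":
    for f in recent_sensitive_files(FILES, NOW):
        print("recent sensitive:", f.path, "(deleted)" if f.deleted else "")
    busiest_hour, count = max(activity_per_hour(build_timeline(FILES, USB_EVENTS)).items(), key=lambda kv: kv[1])
    print("busiest hour:", busiest_hour, "events:", count)
    for serial, path, deleted in files_touched_while_usb_present(FILES, USB_EVENTS):
        print("touched during USB session", serial, ":", path, "(deleted)" if deleted else "")
```

Each function maps to one of the analysis steps, and the last one is the correlation that turns "a USB drive was connected" plus "a sensitive file was accessed" into a single finding with a time window; in a real case the records would come from an Autopsy export rather than being typed in.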

Identifying the Digital Evidence & Reporting

• Jane compiles a preliminary forensic report, documenting:
– Recovered deleted files and their metadata.
– USB device activity linked to unauthorised file transfers.
– Web activity showing intentional data exfiltration.
– Email attachments of sensitive files sent externally.
• Using LibreOffice, she formats the report, embeds Autopsy screenshots, and exports it as a secure PDF.
• The findings are submitted to corporate security and HR, who use the evidence for internal disciplinary actions or legal proceedings.

Why the Acorn Wins Here

Comprehensive Forensic Analysis – Autopsy’s built-in modules enable file recovery, keyword searching, and user activity reconstruction.
Automated Investigation Tools – Reduces manual workload by automating searches and flagging anomalies.
Intuitive Interface for Faster Processing – Autopsy provides a GUI for streamlined forensic analysis.
Seamless Integration with the Acorn – The Acorn’s DFIR toolkit allows investigators to image, analyse, and report findings in one workflow.

Learn more about Autopsy