F 200: Examining a Forensic Image with Autopsy (15 pts.)

What You Need for This Project

A Windows machine

Installing Autopsy

Install Autopsy in single-user mode, as explained here:

http://sleuthkit.org/autopsy/docs/user-docs/4.19.3/installation_page.html

Troubleshooting
If a box pops up saying "Windows protected your PC", right-click the Autopsy installer file, click Properties, and check Unblock. Then run the installer again.

Troubleshooting
If the font is tiny when launching Autopsy, right-click the its desktop shortcut, and click Properties.
On the Compatibility tab, click "Change high DPI settings".
Try various settings. On my system, I got the best appearance by checking the "Override high DPI scaling behavior" box and selecting "System" below it.

Downloading the Evidence File

On your Windows machine, download this file:

F200.E01

Creating a Case

Launch Autopsy. In the Welcome box, click "New Case", as shown below.

Make these selections:

Name your case F200.
Select your Documents folder and click Next.
Assign it a case number of F200 and click Finish.
In the "Select Host" page, click Next.
In the "Select Data Source Type" page, accept the default of "Disk Image or VM File" and click Next.
In the "Select Data Source" page, click Browse, navigate to the F200.E01 file, and double-click it. Then click Next.
In the "Configure Ingest" page, click Next.
Click Finish.

F 200.1: Flag 1 (15 pts)
Use the left pane to explore the data Autopsy found, as shown below.
Do not turn in the image shown below. Instead, examine all the files Autopsy found.
There's a file containing a message beginning with "The flag is".
Find it and capture an image showing the flag.

Posted: 8-19-22
Folder selection step added 9-15-22
Typo fixed 10-12-22
Documents selection error fixed 2-6-23
Video added 3-12-23
Flag description updated 2-13-24