Recent Activity Module in Autopsy
Overview
The recent activity module in Autopsy focuses on user-centric data, contrasting with content-focused modules like hash lookup or keyword search. It aims to uncover what a user was doing on a system, extracting information from web activity, registry analysis, and recycle bin data.
Key Features
- Web Artifacts: History, bookmarks, cookies, downloads, and autofill data.
- Registry Analysis: USB device IDs, user accounts, program execution, etc.
- Recycle Bin Analysis: Recovery of deleted files.
When to Enable
Enable this module when you need to understand user activities such as websites visited or external devices connected. If the focus is solely on hash hits, this module might not be necessary.
Data Location
All data extracted by this module is located in the tree structure under the "Extracted Content" section.
Configuration
The module operates on an on/off basis. There are no specific configuration options for tweaking registry or web settings. It is designed for fast execution.
Web Artifacts
Browser Support
Autopsy supports various browsers including Chrome, Firefox, IE, Edge, and Safari. It also provides some support for Android browsers like the Android browser and Samsung's S browser, although these are covered in more detail within the Android module.
Capabilities
- History, Cookies, Bookmarks: Supported across all listed browsers.
- Downloads: Primarily supported for Chrome, Firefox and Safari.
- Cache: Supported for Chrome.
- AutoFill Information: Supported for Chrome and Firefox.
Merging Results
Autopsy merges results from different browsers, focusing on what happened (websites visited, files downloaded) rather than on which browser was used. To identify the source of an artifact, check the "program name" column.
Attribution
Artifacts are linked to their source database, enabling tracing back to the specific file, program, and user.
Web Bookmarks
- Columns include: Source File, URL, Title, Date Created, Program Names (e.g., Chrome, Firefox), and Domain.
- Additional columns may appear based on the data stored by different browsers.
Cookies
- Columns include: Source File, URL, Date, Name, and Value.
- Primarily used to identify user interaction with specific sites and interaction dates.
Web Downloads
- Columns include: Source File, URL, Download Date, Local Path, and Program Name.
- Right-clicking allows navigation to the downloaded file’s location.
- Zone identifier data (the Zone.Identifier alternate data stream that Windows attaches to files arriving from another zone) is also parsed, so downloads can be recovered for files that have no corresponding web history entry, such as files copied across network domains.
Web History
- Columns include: Source File, URL, Date, Referrer URL (previous page), Title, and Program Name.
Web Form Autofill
- Displays name-value pairs that users entered into web forms.
- Can contain a large amount of data, with potential identifying information.
- Shows the field name, the value, and the dates (when the information was added).
Web Cache
- Browsers save supporting files like images and JSON data in the cache.
- Autopsy can identify and decompress these files, even without explicit browser support.
- Chrome has additional support, associating files with their origin.
- Cache artifacts show the URL, date, and header information.
Web Search Analyzer
- This analyzer runs after parsing all browsers and queries the Blackboard for web history artifacts (URLs).
- It identifies search queries (e.g., Google searches) and creates corresponding artifacts.
- For example, a search for "autopsy" on Google will create a search term artifact labeled "autopsy".
- Columns include: Source file, domain, and search term.
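The analyzer described above, as an added example that is not Autopsy's own code: it takes (source file, URL) pairs such as those found on web history artifacts, recognises search-engine URLs, and produces the same three columns (source file, domain, search term). The engine table and the sample history rows are constructed assumptions; Autopsy keeps its own engine list.

```python
from urllib.parse import urlparse, parse_qs

# Constructed engine table (assumption): a host marker and the query parameter
# that carries the search term. Autopsy's analyzer keeps its own engine list.
SEARCH_ENGINES = {
    "google.": "q",
    "bing.com": "q",
    "duckduckgo.com": "q",
    "search.yahoo.": "p",
}

def extract_search_term(url):
    """Return (host, term) when url is a recognised search query, else None."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    for marker, param in SEARCH_ENGINES.items():
        if marker in host:
            query = parse_qs(parsed.query)
            # Some engines place the query after '#', so fall back to the fragment
            if param not in query and parsed.fragment:
                query = parse_qs(parsed.fragment)
            values = query.get(param)
            if values and values[0].strip():
                return host, values[0].strip()
            return None  # search engine host, but no search term in the URL
    return None

def build_search_artifacts(history):
    """history: (source_file, url) pairs as read from web history artifacts.
    Returns dicts with the analyzer's columns: source file, domain, search term."""
    artifacts = []
    for source_file, url in history:
        hit = extract_search_term(url)
        if hit:
            artifacts.append({"source": source_file, "domain": hit[0], "term": hit[1]})
    return artifacts

# Constructed sample history rows (not from a real case).
SAMPLE_HISTORY = [
    ("Chrome/User Data/Default/History",
     "https://www.google.com/search?q=autopsy&oq=autopsy&sourceid=chrome"),
    ("Firefox/Profiles/abc.default/places.sqlite",
     "https://www.bing.com/search?q=regripper+plugins&form=QBLH"),
    ("Chrome/User Data/Default/History", "https://www.google.com/maps"),
    ("Chrome/User Data/Default/History",
     "https://duckduckgo.com/?q=%24I+file+format&t=h_"),
]

if __name__ == "__main__":
    for art in build_search_artifacts(SAMPLE_HISTORY):
        print(art)
```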
Registry Analysis
Tool
Autopsy leverages RegRipper, an open-source tool, to analyze Windows registry hives.
Functionality
RegRipper parses registry key-value pairs and generates reports.
- Note: This is not an interactive registry analysis tool.
Artifacts
Artifacts extracted include connected USB devices (make, model, ID, dates), installed programs (names, dates), executed programs, and user accounts (credentials).
Process
- Autopsy queries the database for all hives:
  - System32\config\system
  - System32\config\software
  - System32\config\security
  - SAM
  - NTUSER.DAT (in user folders)
- Appropriate RegRipper profiles are run based on the hive type.
Results
- Results are located in the tree under "Extracted Content" (devices attached, installed programs, etc.).
- Raw RegRipper output is available in the "Reports" section.
Accessing RegRipper Output
- Click on the "Reports" node in the tree.
- Identify the relevant hive from the paths (NTUSER.DAT for user-specific data).
- Double-click on the first column ("Recent Activity") to open the text file in a text editor.
Recycle Bin
Functionality
When a file is deleted in Windows, it is moved to the recycle bin. The file's content is given a new name starting with "$R", while its original path and deletion time are recorded in a matching metadata file starting with "$I".
Autopsy's Role
- The recent activity module parses the "$I" files in the recycle bin folder.
- For each file, it creates a recycle bin artifact containing the original path and the time of deletion.
- It also adds a deleted file entry in the original folder.
Recycle Bin Artifacts
- Clicking on a recycle bin artifact displays the "$R" files (the renamed content files) together with their original paths and deletion dates.
- The original location now shows a deleted file entry, indicating the file existed there.
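The "$I" parsing this section describes, as an added example that is not Autopsy's own code: it reads the two on-disk layouts of a $I record (version 1 from Vista/7 with a fixed 520-byte path field, version 2 from Windows 10 with a length-prefixed path), converts the FILETIME deletion stamp, and pairs each $I metadata file with its $R content file. The sample record is constructed with the helper below, not taken from a real image.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Windows FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_dollar_i(data):
    """Parse one $I record into the fields the recycle bin artifact carries."""
    if len(data) < 0x18:
        raise ValueError("truncated $I record")
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # Vista/7 layout: fixed 520-byte (260 UTF-16 chars) path field
        raw = data[0x18:0x18 + 520]
    elif version == 2:
        # Windows 10 layout: 4-byte character count (incl. NUL) then the path
        (nchars,) = struct.unpack_from("<I", data, 0x18)
        raw = data[0x1C:0x1C + nchars * 2]
    else:
        raise ValueError("unknown $I version %d" % version)
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "original_size": size,
            "deleted": filetime_to_datetime(filetime), "original_path": path}

def make_dollar_i(version, size, deleted, path):
    """Build a constructed $I record (test data, not a real on-disk sample)."""
    ticks = ((deleted - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    encoded = (path + "\x00").encode("utf-16-le")
    body = struct.pack("<QQQ", version, size, ticks)
    if version == 1:
        return body + encoded.ljust(520, b"\x00")
    return body + struct.pack("<I", len(path) + 1) + encoded

def pair_recycle_bin_entries(names):
    """Map each $I metadata file to the $R content file sharing its suffix."""
    rfiles = {n[2:]: n for n in names if n.startswith("$R")}
    return {n: rfiles.get(n[2:]) for n in names if n.startswith("$I")}

if __name__ == "__main__":
    when = datetime(2021, 3, 14, 15, 9, 26, tzinfo=timezone.utc)
    sample = make_dollar_i(2, 1234, when, r"C:\Users\alice\Documents\notes.txt")
    print(parse_dollar_i(sample))
    print(pair_recycle_bin_entries(["$IABC123.txt", "$RABC123.txt", "$IXYZ.docx"]))
```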