>> Welcome back to digital forensic concepts. In this course, we're talking about keyword and grep searching. In this module, Module four, we're going to talk about keyword searching with the open source tool Autopsy. Autopsy has built-in keyword capabilities. You can search for an exact match, you can search for a substring match, and you can search using regular expressions, like we talked about in our last module. Autopsy has built-in and user-created keyword lists. You can use the built-in keyword lists or you can create your own keyword list. It also has built-in regular expressions for phone numbers, IP addresses, email addresses, URLs and credit card numbers. We're going to do a demo with Autopsy, and we're going to do some keyword and grep searches. The version of Autopsy we're using is 4.17.0 and we're going to use the Ivan VMDK image. Let's start our walkthrough.

>> Hello and welcome to our keyword searching with Autopsy demo. As you can see, we've opened up Autopsy, and our version is 4.17.0, which is the most recent version of Autopsy. We can see up here in the right-hand corner we have a selection called keyword lists. And if we click on that, we can see we have built-in keyword lists, and they are regular expressions for phone numbers, IP addresses, email addresses, URLs and credit card numbers. Now you can search for as many of these as you like at one time. You can also go to manage lists and you can create a new list. You would have to name it. And we're going to name our list hacking, and we're going to say OK. And now we can create our new keywords, and we'll just put some keywords in here: hacking, hackers, Russian, grid, and we could keep going on. There are also some drugs in this case, so we could use the word drugs, narcotics. And you have the choice of doing an exact match, a substring match, which would be part of a word, or we can use the regular expression, but we didn't choose regular expressions. But we could have. We say OK.
And it creates our list hacking. So now when we reopen keyword lists, we see our hacking keyword list here, and we can choose that and we can choose search and it will search for those keywords. We can also do a keyword search for just a single word. And in this case I'm going to use the word hacking, and I'm going to go with an exact match. And I'm going to click search, and we can see we get a lot of hits right away in the web cache artifacts and we can see we get a lot of hits. We have 350 hits right off the bat. Now I'm going to go back to my keyword lists and we choose my hacking list, and I'm going to click search, and this is going to take a little bit longer because it's searching more than one keyword, but it comes back pretty fast. And now we can see our hits, and when we click on one of our files, we can see the hit highlighted. We can see the file that it comes from, and it gives us information about the file like the created date and some other information down below. And we have a full path to the file, and this is in web cache. We also have web history and it tells us the URL, the title, this was a download, it tells us the program that it was downloaded with, and the domain it came from.

Okay, now we're going to do some grep searches. So we're going to use our keyword search list, and we're going to do some phone number searches and some email address searches. And we're going to go ahead and search and see what we get for hits. And we have 114 results. And let's take a look. This is email and we can see we've got a Vladimir Oler email address, and we have the Ivan zero democracy email address. You notice that Vladimir has a .RU. That usually means it's coming from Russia. And we also found another email address, agendas6120@gmail.com. So you can go through here and find some email addresses. You can look at account artifacts and we have some RegRipper results. We have a new email address, djohndeb2005@gmail.com.
And we have our path. We don't seem to have any phone numbers in this particular image. And we can go ahead and we could do a search for IP addresses and you can see these hits because of the way the IP address. This is not an IP address. But because of the way that regular expression is written, it is hitting on this. Because remember it was one to three and a dot, one to three and a dot, one to three and a dot, one to three, and this is 111. So you are going to get some false hits, and you will get that with a keyword searching tool: you'll get hits on keywords that may not be related to your case.

So we can uncheck that one and we can look at URLs and search, and I'm sure we will get quite a bit back on URLs. And the search completes. And we've got something in web bookmarks and this gives us the URL, the title, the date the bookmark was created, the application that created it, which is Internet Explorer, and the domain. Again we have web history, which we've seen before. We have the URL, the access date, the reference URL and the domain. And we have cookies, web cookies, and we'll talk more about what cookies are in another course. But we do have www.wired.com. We have the date and time. We have a name. We have the process program name, which is Firefox. So we've seen Firefox, Chrome and Internet Explorer running. So this gives us an idea of what browsers are installed also. And we have a date that this cookie was created. So this website was visited on the date when the cookie was created. And we have the domain name. So you can get quite a bit of information out of these hits. We found email addresses, we've seen websites visited. There's also a web form history artifact, and we can see the domain, the date created and the date accessed. You can see a web search artifact. And the text was "Russian hack", which is what he was searching for.
And that was with the Firefox browser and that is the date and time of the search. There is also a hit in recent docs and we have the path and the date and time. We have web cache, and in our web cache we have the date that it was created. We have the date it expires and we have our URL. And that's what we're actually getting a hit on, the URL. We do have 1002. I'm sorry. We have 12,039 hits. So this would be a lot to go through manually. You might want to narrow your search criteria a little bit. We also have a hit in our RegRipper report, and we have that email address, and it's hitting in the SAM file under a user Dennis.

So just from doing these keyword searches we were able to get email addresses. We were able to see domains that the user visited with dates and times. We're able to see bookmarks, what he had on his bookmarks bar, which might be interesting to us. And with the web cookie, the date on the cookie shows that a website, this happens to be google.com. But it does show us the date it was visited, the date and time. We've also found out that there were three different browsers used. And this is just from doing a URL regular expression search.

If we search our hacking keyword list, and I am going to go ahead and go to the top of this list, and I'm going to sort on names for a minute, and I'm trying to find downloads but I'm not seeing some right here. But we do have recent documents and we have a drugs hit on our drugs keyword, and this is in C:\Users\Ivan\Downloads, drug dealing 101. We can see it's a recent document but it is coming from downloads. These are coming from downloads, and this is the hit on grid, grid cyber attack. And we can see the date and time. There is a hit on our hacking, hacking the US tried it, pdf and that would be in Ivan's Google Drive. So we now know there's a Google Drive in play, and we have a date and time when it was accessed on the Google Drive. This is the basics of hacking and penetration pdf.
And again it's in downloads, and we have the date and time it was accessed, and we still will have our MAC times: modified; change time, which is referring to a change made to the master file table; access time; and created time, and they are all pretty much the same. And our web autofill artifacts: we have a search history for images of drugs, drug images, and we have a date and time when that was done.

So keyword searches do give us a lot of information and they're going to add a lot of relevance to our cases. There's a lot of things you're going to find in a keyword search that you might not find had you just manually looked through the different artifacts in the file system. And we will cover this in another path, all the artifacts in the file system. In our next course, we're going to cover report writing and peer review. End of demonstration.