- Windows Virtual Machine
- Autopsy forensics tool
Tasks:
1- Find the full name of the "other" xlsx file.
2- Find the name of the text file that was deleted.
3- Recover the deleted text file.
Starting Autopsy:
Launch the tool from the desktop. If this is the first time we use it, the second option (Open Recent Case) will be greyed out. We will select the first option, New Case.
As with any new file, we have to select the location to save the case (I created a folder on the desktop on the spot called Autopsy).
Then fill in the case number and basic investigation information, and click Finish.
There is a disk image saved on the desktop to be opened: usb.001
Deselect all the options on the Configure Ingest step, as we do not need them for the project.
Finish selecting the image source.
The tree view on the left side will show the deleted files (with a red X next to the folder as an indication).
1- TryHackme.xlsx
By right-clicking on a deleted file we can select Extract File(s) to recover it, or Export Selected Rows to CSV if we need to view it in EZ viewer.
To answer task #1, the name of the xlsx file is TryHackme.xlsx
2- TryHackMe2.txt is the name of the txt file that was deleted.
3- TryHackMe2.txt
To recover it, right-click and select Extract File(s); it will be recovered and saved in a desired location.
If we opened it the text inside it is:
This completes task #3.