DIGITAL FORENSICS

A project submitted in partial fulfilment of the

Requirements of the award of the degree of
Bachelor of Technology
In
COMPUTER SCIENCE AND ENGINEERING

Submitted by: Mohit Singh and Ayush Dwibedy

Roll number: 12211003 and 12211001
Supervised by: Dr. Bhupesh Singh Bhati
INDIAN INSTITUTE OF INFORMATION
TECHNOLOGY,
SONEPAT – 131001, HARYANA, INDIA
 ACKNOWLEDGEMENTS

The success and the outcome of this project required ceaseless guidance and
assistance, my team members and I are extremely privileged to have got this all
along the project.

We would like to take this opportunity to acknowledge all the people who have
helped us whole heartedly in every stage of this project.

We are indebtedly grateful to (Dr.) Bhupesh Singh Bhati, Assistant professor,

IIIT SONEPAT for providing this opportunity in the first place and giving us all
the support and guidance possible, in spite of having a busy schedule.

Mohit Singh and Ayush Dwibedy

 SELF DECLARATION

I hereby state that work contained in the project titled ”DIGITAL FORENSICS”
is original. I have followed the standards of the project ethics to the best of my
abilities. I have acknowledged all sources of knowledge which I have used in
the project.

Name of team lead: Mohit Singh

Roll number: 12211003
Name of member: Ayush Dwibedy
Roll number: 12211001
Department of Computer Science and Engineering,
Indian Institute of Information Technology,
Sonepat-131001, Haryana, India
 CERTIFICATE

This is to certify that Mr. Mohit Singh has worked on this project entitled
“DIGITAL FORENSICS” under my supervision and guidance.

The contents of the project, being submitted to the Department of Computer

Science and Engineering, IIIT Sonepat, Haryana, for the award of the degree of
B. Tech in Computer Science and Engineering, are original and carried out by
candidate himself. This project has not been submitted in full or part for award
of any other degree or diploma to this or any other university.

Dr. Bhupesh Singh Bhati

Supervisor

Department of Computer Science and Engineering

India Institute of Information Technology,
Sonepat-131001, Haryana, India
 ABSTRACT

Name of team lead: Mohit Singh

Roll number: 12211003
Name of member: Ayush Dwibedy
Roll number: 12211001
Department of Computer Science and Engineering
Indian Institute of Information Technology, Sonepat

Project Title: Digital Forensics

Name of project supervisor: Dr. Bhupesh Singh Bhati
Month and year of the project submission: May, 2024

This project investigates the potential of Autopsy, an open-source digital

forensics tool, in recovering deleted data from hard drives linked to criminal
activities. Through a blend of controlled experiments and practical case studies,
Autopsy's efficacy in retrieving a diverse range of file types is evaluated. While
showcasing its proficiency in unearthing critical evidence, the study also
illuminates persistent challenges such as encrypted files and fragmented data.
Despite these hurdles, Autopsy emerges as a vital asset in law enforcement's
arsenal against cybercrime, playing a pivotal role in upholding justice in the
digital age.
 TABLE OF CONTENTS

Chapter 1 Introduction 1
1.1 Introduction 2
1.2 Problem Outline 2
1.3 Project Methodology 3
1.4 Scope of Project 4
1.5 Limitations 5
Chapter 2 What is Digital Forensics? 7
2.1 Digital Forensics 8
2.2 Type of Digital Forensics 9
2.3 Autopsy Software 10
Chapter 3 Implementation 12
3.1 Familiarization with Autopsy 13
3.2 Data acquisition and 14
Preservation
3.3 Data Recovery 16
3.4 Analysis 22
Chapter 4 Result and Conclusion 25
4.1 Validation and Interpretation 26
4.2 Documentation and Reporting 27
4.3 Analysis and Conclusion 28
References 29
 Chapter 1
Introduction

1
1.1 INTRODUCTION

Brief introduction to the topic:

This project investigates the potential of Autopsy, an open-source digital

forensics tool, in recovering deleted data from hard drives linked to criminal
activities. Through a blend of controlled experiments and practical case studies,
Autopsy's efficacy in retrieving a diverse range of file types is evaluated. While
showcasing its proficiency in unearthing critical evidence, the study also
illuminates persistent challenges such as encrypted files and fragmented data.
Despite these hurdles, Autopsy emerges as a vital asset in law enforcement's
arsenal against cybercrime, playing a pivotal role in upholding justice in the
digital age.

1.2 PROBLEM OUTLINE

The project aims to address the effectiveness and challenges of utilizing

Autopsy, an open-source digital forensics tool, in recovering deleted data from
hard drives associated with criminal activities. Through a combination of
controlled experiments and practical case studies, the study seeks to evaluate
Autopsy's capability in retrieving various file types crucial for forensic
investigations.

Key objectives include assessing Autopsy's proficiency in uncovering critical

evidence, analysing persistent obstacles such as encrypted files and data
fragmentation, and highlighting its significance as a valuable asset in combating
cybercrime. By examining Autopsy's role in contemporary criminal
investigations, the project aims to provide insights into the evolving landscape
of digital forensics and underscore the importance of ongoing tool development
to ensure effective law enforcement in the digital realm.

2
1.3 PROJECT METHODOLOGY

Preparation Phase:
1. Familiarization with Autopsy: Gain proficiency in Autopsy by
thoroughly studying its documentation, tutorials, and user guides to
understand its functionalities and capabilities.
2. Selection of Test Cases: Identify real-world case studies and design
controlled experiments to evaluate Autopsy's performance in data
recovery under varying conditions.
Data Acquisition and Preservation:
1. Acquisition of Digital Evidence: Collect hard drives or disk images
from criminal investigations, ensuring adherence to proper chain of
custody protocols to maintain evidentiary integrity.
2. Preservation of Evidence: Create forensic copies of the acquired data to
prevent any alteration or corruption, thereby preserving the integrity of
the original evidence.
Data Recovery and Analysis:
1. Utilization of Autopsy: Employ Autopsy to conduct comprehensive
analysis and recovery of deleted data from the acquired hard drives or
disk images.
2. File Carving and Keyword Search: Utilize Autopsy's file carving and
keyword search functionalities to identify and recover relevant files
crucial to the investigation.
3. Timeline Analysis: Leverage Autopsy to establish accurate timelines and
sequences of events based on the recovered data, aiding in reconstructing
the digital footprint of the suspect's activities.
Validation and Interpretation:
1. Validation of Recovered Data: Verify the authenticity and integrity of
the recovered data using robust validation techniques to ensure its
admissibility as evidence.
2. Interpretation of Findings: Analyse the recovered data to discern
patterns, connections, and potential evidence relevant to the criminal
investigations, providing valuable insights for further analysis.

3
1.4 SCOPE OF PROJECT

1. Criminal Investigations: Digital forensics plays a critical role in

criminal investigations by analysing digital devices such as computers,
smartphones, and storage media to gather evidence. This evidence can
include emails, text messages, internet history, and deleted files, which
can help investigators reconstruct events, identify suspects, and establish
motives. For example, in cases of cybercrimes, digital forensics experts
analyse network logs and digital communications to track down
perpetrators.
2. Corporate Investigations: In the corporate world, digital forensics is
used to investigate incidents such as data breaches, intellectual property
theft, and employee misconduct. Digital forensics experts analyse
corporate networks, servers, and employee devices to identify security
breaches, unauthorized access, and data exfiltration. This information is
crucial for organizations to strengthen their cybersecurity measures and
prevent future incidents.
3. Civil Litigation: Digital forensics is frequently used in civil litigation
cases such as intellectual property disputes, employment lawsuits, and
contract disputes. Digital evidence, including emails, documents, and
electronic communications, can be analysed to support legal claims or
defences. For example, in cases involving intellectual property
infringement, digital forensics can uncover evidence of copyright or
patent violations.
4. Law Enforcement: Law enforcement agencies use digital forensics to
investigate a wide range of crimes, including fraud, theft, and terrorism.
Digital evidence obtained from computers, mobile phones, and other
digital devices can provide crucial leads and help solve cases. For
instance, in cases of financial fraud, digital forensics experts may analyse
banking records, online transactions, and communication logs to trace the
flow of funds and identify perpetrators.
5. Counterterrorism and National Security: Digital forensics is essential
for counterterrorism and national security efforts, as it allows authorities
to monitor and track terrorist activities online. Digital forensics experts
analyse communication channels, social media platforms, and encrypted
messages to identify potential threats and disrupt terrorist networks.

4
 Additionally, digital evidence obtained from seized electronic devices can
provide valuable intelligence for preventing future attacks.

1.5 LIMITATIONS

1. Scope Constraints: The project may have limitations in terms of its

scope, particularly regarding the range of controlled experiments and
real-world case studies that can be included. Due to time and resource
constraints, it may not be possible to cover every possible scenario or
type of criminal activity, which could impact the comprehensiveness of
the findings.
2. Access to Data: Obtaining access to real-world digital evidence from
criminal investigations may pose challenges due to legal, ethical, and
privacy considerations. Access to sensitive data may be restricted,
limiting the scope of the project and potentially affecting the diversity of
case studies and experiments.
3. Tool-Specific Focus: The project's focus on evaluating Autopsy's
performance may limit the generalizability of the findings to other digital
forensics tools. While Autopsy is a widely used tool, its capabilities and
limitations may differ from other commercial or proprietary tools, thus
restricting the broader applicability of the project's conclusions.
4. Resource Limitations: The project may face constraints in terms of
access to specialized equipment, software licenses, and expertise in
digital forensics. Limited resources could impact the depth and rigor of
the experiments and analyses conducted, potentially affecting the
reliability and validity of the results.
5. Technical Challenges: Digital forensics investigations often encounter
technical challenges such as data encryption, file fragmentation, and anti-
forensic techniques employed by perpetrators. The project may encounter
difficulties in overcoming these challenges, which could affect the
effectiveness of data recovery efforts and the overall outcomes of the
project.
6. External Factors: External factors such as changes in technology, legal
regulations, and cybersecurity threats may impact the relevance and
timeliness of the project's findings. The rapidly evolving nature of digital

5
 forensics and the digital landscape may necessitate ongoing updates and
adjustments to the project's methodology and conclusions.
7. Ethical Considerations: The project must adhere to ethical guidelines
and principles, particularly regarding the handling and analysis of
sensitive digital evidence. Ethical considerations related to privacy,
confidentiality, and data protection may impose limitations on the types
of experiments conducted and the dissemination of findings.

6
 Chapter 2
What is Digital Forensics?

7
2.1 DIGITAL FORENSICS

Digital forensics is a multidisciplinary field of forensic science that involves the

identification, preservation, extraction, analysis, and interpretation of digital
evidence from electronic devices and digital media. It encompasses a wide
range of techniques, methodologies, and tools to investigate various types of
cybercrimes, security incidents, and legal disputes involving digital information.

At its core, digital forensics aims to uncover and interpret digital artifacts stored
on computers, mobile devices, storage media, and networks to reconstruct
events, establish timelines, identify suspects, and support legal proceedings.
These artifacts can include files, emails, documents, images, videos, internet
browsing history, chat logs, metadata, and system logs, among others.

Digital forensics investigations typically follow a systematic approach, starting

with the identification and preservation of digital evidence to prevent tampering
or alteration. This involves the use of specialized tools and techniques to create
forensic copies or images of storage media, ensuring that the original evidence
remains intact and admissible in court. Chain of custody protocols are followed
to maintain the integrity and authenticity of the evidence throughout the
investigation process.

Once the digital evidence is acquired and preserved, forensic analysts employ
various methods to analyze and interpret the data. This may include manual
examination of files and directories, as well as the use of automated tools and
software applications designed specifically for digital forensics. Common
analysis techniques include file carving, keyword searching, metadata analysis,
timeline reconstruction, and data visualization.

Digital forensics investigations often involve collaboration between forensic

analysts, law enforcement agencies, legal professionals, cybersecurity experts,
and other stakeholders. Analysts must adhere to legal and ethical guidelines
when conducting investigations, ensuring that privacy rights are respected and
sensitive information is handled appropriately. This includes obtaining proper

8
authorization for accessing and analyzing digital evidence, as well as protecting
the confidentiality of individuals involved in the investigation.

One of the key challenges in digital forensics is the rapidly evolving nature of
technology and the increasing complexity of digital systems and networks.
Investigators must stay abreast of emerging technologies, encryption
techniques, anti-forensic tools, and cybersecurity threats to effectively conduct
investigations and mitigate risks. Continuous training, research, and
collaboration within the digital forensics community are essential for staying
ahead of evolving threats and advancing the field.

Overall, digital forensics plays a crucial role in modern-day investigations,

cybersecurity efforts, and legal proceedings. By leveraging advanced techniques
and methodologies, digital forensics enables investigators to uncover valuable
evidence, identify perpetrators, and hold individuals accountable for
cybercrimes and other illicit activities in the digital realm.

2.2 Types of Digital Forensics

1. Computer Forensics: Computer forensics focuses on the examination of

digital evidence stored on computers and related devices such as hard
drives, solid-state drives (SSDs), and memory cards. It involves the
collection and analysis of data to uncover information related to criminal
activities, unauthorized access, data breaches, and other security
incidents. Computer forensics techniques include disk imaging, file
carving, keyword searching, and timeline analysis.
2. Mobile Device Forensics: Mobile device forensics deals with the
investigation of digital evidence stored on mobile phones, smartphones,
tablets, and other portable devices. It includes the extraction and analysis
of data from device memory, SIM cards, and external storage media to
recover deleted messages, call logs, contacts, photos, and application
data. Mobile device forensics techniques may involve physical extraction,
logical extraction, and file system analysis.

9
 3. Network Forensics: Network forensics focuses on the monitoring and
analysis of network traffic to detect and investigate security incidents,
intrusions, and cyberattacks. It involves the collection and analysis of
network packets, logs, and metadata to identify suspicious activities,
unauthorized access, and data exfiltration. Network forensics techniques
include packet capture, traffic analysis, intrusion detection, and log
analysis.
4. Memory Forensics: Memory forensics involves the analysis of volatile
memory (RAM) to extract and analyse digital evidence from running
processes, system services, and active network connections. It allows
investigators to uncover malware, rootkits, and other malicious artifacts
that may be concealed in memory. Memory forensics techniques include
memory dumping, process analysis, and artifact extraction.
5. Forensic Data Analysis: Forensic data analysis focuses on the
examination and interpretation of large datasets to uncover patterns,
trends, and anomalies related to criminal activities, financial fraud, and
other illicit behaviours. It involves the use of statistical analysis, data
mining, and visualization techniques to identify relevant information and
support investigative efforts.
These types of digital forensics are interconnected and may overlap in practice,
depending on the nature of the investigation and the type of digital evidence
involved. Each type of digital forensics requires specialized skills, tools, and
methodologies to effectively collect, analyse, and interpret digital evidence for
investigative purposes.

2.3 AUTOPSY SOFTWARE

Autopsy software falls primarily into the category of computer forensics tools.
Computer forensics tools are specifically designed to aid in the investigation
and analysis of digital evidence stored on computers and related devices. They
provide functionalities for acquiring, preserving, and analysing data from
storage media such as hard drives, solid-state drives (SSDs), and memory cards.
These tools often include features such as disk imaging, file carving, keyword
searching, metadata analysis, and timeline reconstruction, which are essential
for conducting forensic examinations of digital evidence.

10
Autopsy, being an open-source digital forensics platform, is designed to serve
the needs of computer forensics investigators by providing a comprehensive
suite of tools and capabilities for analysing digital evidence. It allows
investigators to examine file systems, recover deleted files, analyse internet
history, and extract valuable information from various types of digital media.
Autopsy's versatility and extensive feature set make it well-suited for
conducting in-depth forensic examinations of computers and related devices,
thereby aiding in criminal investigations, incident response, and cybersecurity
efforts.

11
 Chapter 3
Implementation

12
3.1 FAMILIARIZATION WITH AUTOPSY

Download and install Autopsy by following the instructions on website

https://www.autopsy.com/download/

13
3.2 DATA ACQUISITION AND PRESERVATION

1. Identification of Digital Evidence:

Digital forensic analysts identify potential sources of digital evidence relevant
to the investigation, including electronic devices such as computers, mobile
phones, and storage media like hard drives or USB drives.

2. Legal Authorization and Collection:

Once potential evidence sources are identified, legal authorization, such as
warrants, is obtained to collect the evidence. This involves seizing electronic
devices and storage media from crime scenes, suspects, or third-party entities.

3. Chain of Custody Documentation:

Chain of custody documentation is maintained throughout the collection
process, documenting each step of the evidence's custody, transfer, and storage.
This documentation includes details such as who collected the evidence, where
it was stored, and any individuals who had access to it.

4. Preservation Measures
Preservation measures are taken to prevent alteration, tampering, or corruption
of the original data. Forensic copies or images of the acquired devices or storage
media are created using specialized imaging tools. These forensic copies are
exact replicas of the original data and are used for analysis while preserving the
integrity of the original evidence.

5. Forensic Imaging Process

Forensic imaging involves creating a bit-by-bit copy of the entire storage
media, including allocated and unallocated space, file system metadata, and
deleted data. Verified and validated forensic imaging tools and techniques are
used to ensure the accuracy and reliability of the forensic copies.

14
6. Storage and Security
Once created, forensic copies are securely stored in a controlled environment
with restricted access. Strict security measures, including encryption and access
controls, are implemented to prevent unauthorized access, tampering, or loss of
the evidence. Backup copies may also be created to protect against data loss or
corruption.

7. Documentation and Reporting

Detailed documentation is maintained throughout the acquisition and
preservation process, including chain of custody logs, imaging reports, and
evidence seizure records. This documentation provides a comprehensive record
of the handling and storage of digital evidence and serves as crucial
documentation for legal proceedings. A comprehensive report summarizing the
acquisition and preservation process is prepared for inclusion in the case file.

15
3.3 DATA RECOVERY

Utilization of Autopsy:
After creating RAW backup of evidence, plug your in your evidence copy

Now create new case

16
Fill in required information

Select copy of evidence

(IMPORTANT !! DO NOT USE EVIDENCE DIRECTLY)

Select which type of file you want to extract

17
Let it scan through your copy of evidence

After scan your screen should look like this

18
Now you can look through the deleted files by selecting “Deleted files” from
navigation panel.

Not just photos but videos, previously connected WiFi, deleted/installed

programs, saved html, bookmarks, history, text files, code in any language and
many more things can be extracted from evidence.
19
In case some file is not running in preview tab,

You can extract them for playback in another application

20
For example, this video file was not playing in preview tab, so we extracted it
into “Export” folder inside the case folder and then playback in other video
player like VLC.

Of course just recovering files is not enough in proving someone guilty,

for example,

1. Possession of porno, under section 292 of IPC, will put you behind bars
for 2 years and a fine extending to INR 2000 on first conviction and up to
5 years and INR 5000 on subsequent conviction.
2. Sale/distribution of porno, under section 67 of IT Act, will put you behind
bars for 5 years and a fine extending to INR 10,00,000 on first conviction
and up to 7 years and INR 10,00,000 on subsequent conviction.

That is why we need to look at the timeline since it can show when and where
the file was created ,when it was accessed or modified, this information is
important in order to determine whether the accused just downloaded porno
from internet or it was created locally.

21
3.4 ANALYSIS

Utilization of Timeline:
1. Open Autopsy:
Launch the Autopsy software on your computer.

2. Create or Open a Case:

Create a new case or open an existing one where you have already added a
data source (such as a disk image or file system).

3. Navigate to the Timeline View:

Once inside the case, locate and click on the "Timeline" tab or view. This
should be located alongside other tabs like "Summary," "File Analysis," etc.

4. Select the Data Source:

If you have multiple data sources added to the case, select the one you want to
analyse using the timeline. This could be a disk image or file system.

5. Configure Timeline Options (Optional):

Autopsy provides options to configure the timeline display based on your
preferences. You can adjust settings such as the time range, granularity, and
filters to refine the data displayed on the timeline.

6. View Timeline Events:

Autopsy will display a chronological timeline of events based on the data
source you selected. These events may include file creation, modification,
access times, and other relevant activities extracted from the digital evidence.

7. Analyse Timeline Events:

22
 Review the timeline events to identify patterns, anomalies, or suspicious
activities. You can navigate through the timeline using various controls and
filters to focus on specific time frames or types of events.
8. Interpret Timeline Data:
Analyse the timeline data to reconstruct the sequence of events, establish
timelines, and identify potential leads or evidence relevant to the investigation.
Pay attention to correlations between timeline events and other forensic artifacts
to build a comprehensive understanding of the case.
9. Document Findings:
Document any significant findings or observations from the timeline analysis.
This documentation is crucial for reporting and presenting findings in legal
proceedings or investigative reports.
10. Further Analysis:
Use the insights gained from the timeline analysis to guide further
examination of digital evidence using other features and tools available in
Autopsy, such as keyword search, file analysis, and metadata examination.
By following these steps, you can effectively utilize the timeline feature in
Autopsy to analyse digital evidence and reconstruct timelines of events relevant
to your investigation.

23
24
 Chapter 4
Result and Conclusion

25
4.1 Validation and Interpretation:

Validation of Recovered Data:

Ensuring the authenticity and integrity of the recovered data is paramount in
digital forensics to uphold its admissibility as evidence in legal proceedings.
Robust validation techniques are employed to meticulously verify the accuracy
and reliability of the recovered data. This process involves comparing the
recovered data against known sources of truth, such as original files or system
backups, to identify any discrepancies or inconsistencies. Additionally,
cryptographic hashing algorithms may be used to generate unique hash values
for the recovered data, allowing for verification of data integrity. By
meticulously validating the recovered data, forensic analysts can establish
confidence in its reliability and suitability for use as evidence in criminal
investigations.

Interpretation of Findings:
Once the recovered data has been validated, forensic analysts embark on the
critical task of interpreting the findings to extract valuable insights relevant to
the criminal investigation. This involves analysing the recovered data to discern
patterns, connections, and potential evidence that may shed light on the
circumstances surrounding the case. Analysts meticulously examine digital
artifacts, such as files, emails, chat logs, and system logs, to identify suspicious
activities, timelines of events, and relationships between individuals or entities
involved. By drawing upon their expertise in digital forensics and investigative
techniques, analysts provide valuable insights that can inform further analysis,
corroborate witness statements, and support the development of investigative
leads. The interpretation of findings plays a pivotal role in uncovering crucial
evidence and building a compelling case narrative, ultimately contributing to
the successful resolution of criminal investigations.

26
4.2 Documentation and Reporting:

Documentation of Procedures:
Thorough documentation of the data recovery process is essential in digital
forensics to ensure transparency, repeatability, and accountability. Forensic
analysts meticulously document every step taken, tool utilized, and observation
made during the investigation. This includes detailed records of the data
acquisition process, forensic imaging procedures, analysis techniques employed,
and any deviations from standard protocols. Documentation also encompasses
chain of custody logs, which track the custody, transfer, and storage of digital
evidence throughout the investigation. By maintaining comprehensive
documentation of procedures, forensic analysts provide a clear record of their
actions, facilitating peer review, quality assurance, and legal scrutiny of the
investigative process.

Reporting of Results:
Compiling a comprehensive report is a crucial aspect of the digital forensic
investigation process, providing stakeholders with valuable insights into
Autopsy's effectiveness in recovering deleted data and the overall outcomes of
the investigation. The report highlights key findings, challenges encountered,
and recommendations for future investigations. It includes a detailed analysis of
Autopsy's performance, including its ability to recover various types of deleted
data, the accuracy of recovered data, and any limitations or shortcomings
observed during the investigation. Additionally, the report discusses the
methodologies employed, the significance of recovered evidence to the case,
and any potential implications for legal proceedings. By presenting findings in a
clear, concise, and well-organized manner, the report serves as a critical tool for
informing decision-making, guiding further analysis, and supporting the
resolution of criminal investigations.

27
4.3 Analysis and Conclusion:

Analysis of Results:
The analysis of data recovery results is a critical step in assessing Autopsy's
performance and its implications for digital forensics. This analysis involves
carefully examining the recovered data, considering Autopsy's performance in
terms of data recovery accuracy, efficiency, and reliability. Forensic analysts
evaluate Autopsy's strengths and limitations, including its ability to handle
various file systems, recover different types of deleted data, and overcome
technical challenges such as data encryption or file fragmentation. By
conducting a thorough analysis, analysts gain a nuanced understanding of
Autopsy's capabilities and its potential impact on digital forensic investigations.

Conclusion and Recommendations:

Drawing upon the analysis, the project draws conclusive insights and offers
actionable recommendations for enhancing Autopsy's efficacy in recovering
deleted data from criminal hard drives. These recommendations may include
suggestions for optimizing Autopsy's algorithms, improving its user interface,
enhancing its compatibility with different file systems and storage media, and
addressing any identified limitations or shortcomings. Additionally, the project
may propose avenues for further research and development in the field of digital
forensics, such as exploring new techniques for data recovery, integrating
artificial intelligence or machine learning algorithms, or advancing forensic
analysis methodologies. By providing actionable recommendations, the project
aims to contribute to the continuous improvement of Autopsy and the broader
field of digital forensics, ultimately enhancing investigators' ability to recover
and analyse digital evidence in criminal investigations.

28
 References

[1] Carrier, B. (2005). File System Forensic Analysis. Addison-Wesley

Professional. Available at: https://www.pearson.com/us/higher-
education/program/Carrier-File-System-Forensic-Analysis/PGM335579.html
[2] Casey, E. (2011). Digital Evidence and Computer Crime: Forensic Science,
Computers and the Internet. Academic Press. Available at:
https://www.elsevier.com/books/digital-evidence-and-computer-
crime/casey/978-0-12-374268-1
[3] Nelson, B., Phillips, A., & Steuart, C. (2009). Guide to Computer Forensics
and Investigations. Cengage Learning. Available at:
https://www.cengage.com/c/guide-to-computer-forensics-and-investigations-5e-
nelson
[4] Sammons, J. (2012). The Basics of Digital Forensics: The Primer for Getting
Started in Digital Forensics. Elsevier Science. Available at:
https://www.elsevier.com/books/the-basics-of-digital-forensics/sammons/978-1-
59749-661-7
[5] SANS Institute. (2020). SANS Digital Forensics and Incident Response.
Retrieved from: https://www.sans.org/

29