Web Artifacts

There are several types of incident where it may be necessary to examine a system for evidence of malicious activity conducted by a user. Previously discussed, for example, was the accessing of cloud-based storage where a malicious insider has uploaded confidential documents. In other circumstances, social engineering attacks may have an unsuspecting employee navigate to a compromised website that subsequently downloads malicious software. In either case, Autopsy provides the ability to examine several areas of web artifacts that may be of use to examiners.

The first of these web artifacts is the web history. In the event of a social engineering attack that involves a user navigating to a malware delivery site, this data may provide some insight into the specific URL that was navigated to. This URL can then be extracted and compared with known malicious website lists from internal or external sources. In other cases, where an insider has accessed an external cloud storage site, the web history may provide evidence of this activity. For example,

  1. Clicking on the Web History section in the left-hand pane opens up the center pane and shows detailed information concerning a URL that was accessed by the system:
  2. In the preceding screenshot, Autopsy indicates that the iCloud service was accessed by this system. Further information provided by Autopsy allows the analyst to evaluate other information, such as the location of the artifact and what type of browser was used. This information can be accessed via the Results tab in the lower pane:
  3. In addition, Autopsy provides the metadata of the specific file under examination. Clicking on the File Metadata tab produces the following data:
  4. As the preceding screenshot shows, there are some more details concerning that file. For example, the analyst has time information, file location, and an MD5 hash that can be utilized to compare any extracted files that are examined further. In some circumstances, a suspect may decide to delete the browsing history from the system in an effort to hide any malicious activity. Another location that may provide evidence of sites accessed by a malicious insider is in web cookies. These can be accessed in the left pane under Web Cookies. Clicking on this produces a list of the cookies that are still on the system:
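Autopsy's Web History results come from the browsers' own SQLite databases. The following is an added example, not part of this chapter or of Autopsy, that shows the comparison step described above in code: it builds a constructed, simplified copy of the Chromium `History` schema with sample rows, converts the WebKit-epoch timestamps to UTC, and flags visits whose host matches a watch list of cloud storage or known malicious domains (the domains and rows are constructed, not real indicators).

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Chromium stores last_visit_time as microseconds since 1601-01-01 UTC (the
# WebKit epoch), not the Unix epoch. Treating it as Unix seconds is a common
# timeline mistake, so the conversion is isolated here.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_utc(webkit_us: int) -> datetime:
    """Convert a WebKit-epoch microsecond timestamp to a UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=webkit_us)


def load_constructed_history() -> sqlite3.Connection:
    """In-memory database using a simplified Chromium 'urls' table,
    populated with constructed sample visits (not a real acquisition)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT,
                    title TEXT, visit_count INTEGER, last_visit_time INTEGER)""")
    rows = [
        (1, "https://www.icloud.com/iclouddrive/", "iCloud Drive", 3, 13200000000000000),
        (2, "https://intranet.example.local/", "Intranet", 12, 13200000100000000),
        (3, "http://update-check.example.net/dl/setup.exe", "Download", 1, 13200000200000000),
    ]
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", rows)
    return conn


def flag_history(conn: sqlite3.Connection, watchlist):
    """Return (utc_iso_time, url, matched_domain) for every visit whose host
    equals a watch-listed domain or is a subdomain of one, oldest first."""
    hits = []
    query = "SELECT url, last_visit_time FROM urls ORDER BY last_visit_time"
    for url, when in conn.execute(query):
        host = (urlparse(url).hostname or "").lower()
        for domain in watchlist:
            if host == domain or host.endswith("." + domain):
                hits.append((webkit_to_utc(when).isoformat(), url, domain))
                break  # one match per visit is enough for the report
    return hits


if __name__ == "__main__":
    # Constructed watch list: a cloud storage provider and a blocklisted domain.
    for hit in flag_history(load_constructed_history(), ["icloud.com", "example.net"]):
        print(*hit)
```

The same approach applies to the Cookies table or to Firefox's `places.sqlite`; only the table names, columns and epoch differ.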

Depending on the type of incident, web artifacts can play an important role. Autopsy has some functionality, but analysts may find that other commercial solutions provide a much more robust platform. Tools such as Evidence Finder by Magnet Forensics (www.magnetforensics.com) scour the entire system for Internet artifacts and then present them in a way that is easy for the analyst to view. Another key advantage of commercial solutions such as this is the continued updating of functionality. Depending on the frequency of Internet and web artifact searching, the inclusion of tools such as this may be beneficial.
