
Volume 8, Issue 1, January – 2023 International Journal of Innovative Science and Research Technology

ISSN No:-2456-2165

Forensic Computer Analysis by Performing an Autopsy on Flash Disk

Edy Supriyadi*, Iriandi Ilyas Andi Suprianto, Tatang Suromenggolo Ronggo
Department of Electrical Engineering / Department of Informatics Engineering
National Institute of Science and Technology, Indonesia

Abstract:- Computer forensics is one of the sciences used to track digital evidence on hardware or software. The flash disk is widely used because it is easy to carry and can store many kinds of files with a large storage capacity. To analyze, recover and view hidden files, software such as AccessData FTK Imager 3.4 and Autopsy 4.0 is required, together with the additional software 7-Zip 17.0 to compress and extract files. In this study, scenario testing and experiments were carried out on a flash disk containing an Excel file that had been compressed with 7-Zip and disguised inside a photo.jpg file using the file merging steganography technique. Using AccessData FTK Imager, an image file of the electronic evidence was created, and the image file was analyzed with Autopsy. The result of this research is that there is a difference in the size of the photo.jpg file because it is a merger of 2 (two) files. In addition, the Excel file contains evidence of a crime, namely the sale of illegal motorbikes, the place of the transaction, the coordinates of the location and the phone number of the suspect.

Keywords:- Computer forensics, flashdisk, digital evidence, steganography

I. INTRODUCTION

With the rapid development of technology, some industries have even moved to Industry 4.0, where computer and cyber systems play an ever larger role in carrying out their activities.

Technological advances will certainly result in new, more modern crimes. One of these is cyber crime, in which the perpetrators use computer media and networks to launch their actions. The patterns of crime vary greatly, from the use of internet media and telecommunications to the conventional methods they use to smooth their efforts. Criminals will hide the evidence of their crimes at all costs. Although the perpetrators hide this evidence, digital records can be searched and traced by forensic analysts using forensic computer methods. Therefore, the role of computer forensics is needed to reveal the perpetrators of the crime.

Computer forensics is a discipline derived from computer security that deals with finding digital evidence after an event has occurred. Computer forensic activity itself is the process of identifying, preserving, analyzing and presenting digital evidence in accordance with applicable law [7].

Disclosure of a case requires strong evidence. Evidence obtained from computer storage media is referred to as digital evidence, which can be accounted for in court proceedings. The process of tracking and analyzing digital evidence uses a set of procedures to conduct a thorough examination of a computer system, using software and tools to extract and preserve evidence of criminal acts.

Not a little digital evidence is hidden, encrypted or even disguised by criminals so that finding it becomes difficult for forensic analysts and investigators (such as the police and others conducting investigations), with the aim that the evidence cannot be presented at trial because it is weak or irrelevant to the case being filed. Evidence can be disguised using steganography methods, ranging from simple methods to the use of encrypted files. Such methods slow down forensic computer analysis, because the analyst has to search for suspicious files and dissect them one by one with particular software.

II. LITERATURE REVIEW

A. Digital Forensics
Digital forensics or computer forensics is a combination of the legal and computer science disciplines for collecting and analyzing data from computer systems, networks, communications, wireless and storage devices. Digital forensics is also an application of computer science and technology for the benefit of legal evidence.

Forensic computing is used by law enforcement because many legal cases require computer science to make it easier to find evidence that can be submitted in court.

B. Electronic Evidence
Electronic evidence is evidence that is physical and visually recognizable, such as a storage device. Therefore, investigators and forensic analysts must already understand and recognize each kind of electronic evidence when searching for evidence at a crime scene.

C. Digital Evidence
Digital evidence is data stored or transmitted using a computer that can support or refute a particular offense; it can also be described as clues that point to important elements related to an offense [8].

Digital evidence is digital in nature and can be extracted or recovered from electronic evidence. It must be sought by investigators and forensic analysts and then researched and analyzed so that a connection is established between the files obtained and the case at hand, in order to reveal the crimes related to the electronic evidence.

IJISRT23JAN751 www.ijisrt.com 1926


D. File Systems
Every storage device has one or more partitions, each organized by a file system. The file system divides the data on the drive into separate units called files, and also stores data about those files, including file names and file attributes.

E. Metadata
Metadata is structured information that describes, explains, locates or otherwise makes information easy to find, use or manage. Metadata is often referred to as data about data or information about information. It contains information about the content of data and is used for file or data management purposes, for example in a database. If the data is text, the metadata is usually a description of the field name, field length and field type (integer, character, date, etc.). For image data, the metadata records who took the picture, when it was taken, and the camera settings at the time of shooting. In the disclosure of a crime, the metadata of digital evidence is an important source of records.

F. Analysis Tools
The research, themed "Forensic Computer Analysis by Performing an Autopsy on Flash Disk Media", uses forensic tools commonly used in forensic computer analysis. The research only uses freeware, shareware and open-source tools. The software used is AccessData FTK Imager, Autopsy and 7-Zip.

III. RESEARCH METHODOLOGY

The flow of this research is described in the form of a flowchart (Figure 1), which is intended to make the research more structured and systematic.

Fig. 1: Flowchart of Research Methodology.

A. Research Preparation
The preparation of the research consisted of literature studies on digital evidence, forensic computer tools and the features used, and the use of flash drives as digital evidence, followed by the preparation and implementation of scenarios that reconstruct relevant actions a criminal might carry out. The scenario is based on the analysis of digital evidence at the scene of the crime. It assumes that only one storage device, the flash disk left by the perpetrator, is recovered from the crime scene. The digital evidence is made with a simple steganography technique using cmd (the Windows command prompt).

B. Forensic Computer Analysis
The research uses forensic computer techniques, namely the AccessData FTK Imager application to create a forensic image of the electronic evidence. The image format used in this research is .E01, also called the EnCase image format. The imaged data is analyzed with the Autopsy application, in which suspicious files are detected. The hex view and the metadata of the digital data determine the results of the investigation, and the analysis of the digital data should provide the important points of the investigation. 7-Zip is also used to analyze the files used as evidence.

File Type | File Name | MD5
Images | photo.jpg | 577cbe24180a895fba3c01139305e412
Videos | - | -
Audio | - | -
Archives | - | -
HTML | - | -
Office | - | -
PDF | - | -
Plain Text | - | -
Rich Text | - | -
Table 1: Files read by the Autopsy application, by type (only photo.jpg is present)

Note that the file type view classifies each file by its own signature and extension, so the archive appended to photo.jpg does not appear under Archives; the carrier is listed as an image only. The MD5 listed by Autopsy also allows any copy exported later to be verified against the original.

C. Analysis Results
The analysis yields 3 (three) important points for the investigation: the specification of the evidence, the metadata of the digital evidence, and the hexadecimal content of the digital evidence that shows the existence of hidden files. The last step is to compile the results of the analysis and prepare a report summarizing all the steps carried out and the conclusions reached.

IV. RESULTS AND DISCUSSION

A. Research Scenario
The scenario is that a piece of electronic evidence, a flash drive, was found at the scene of the crime and no other electronic evidence was found, so this is the only evidence. It is examined by forensic analysts and investigators to shed light on who committed the crime.

B. Research Experiment
The file targeted as digital evidence is photo.jpg, which is a merger of Image.jpg and price.zip produced with the file merging steganography technique. When photo.jpg is then viewed with Windows Properties, nothing suspicious is seen.


Fig. 2: Properties of the photo.jpg file

If the file is viewed in detail in Properties, no irregularity is visible: the image dimensions of 2592 x 1944 correspond to a resolution of 5 MP.

Fig. 3: Detailed properties of the photo.jpg file

Therefore, an in-depth analysis of this photo.jpg file is needed, by performing computer forensics on the digital evidence.

C. Analysis with the Autopsy Application

After the digital data has been acquired and made into a forensic image, an initial analysis is carried out using the Autopsy application. Autopsy helps in finding the files that will be used as digital evidence; in it, the investigator can freely browse the contents of the forensic image. Because of this capability, Autopsy is often used by forensic investigators. Figure 4 shows a fragment of the full preview of the directory tree in the Autopsy application.

Fig. 4: Full preview in the Autopsy application

Figure 4 shows that the flash disk, imaged as FD SD.E01, contains only 1 (one) image file and 1 (one) deleted file system entry. This indicates that the flash disk was fully formatted before the image file was copied onto it.

No | Findings | Description
1 | There is only 1 image file | photo.jpg
2 | There is a file system on vol2 | FAT32
3 | There is a formatted (deleted) file system that cannot be recovered | a Deleted Files directory is present
Table 2: Findings on the digital evidence

From the findings table above, the analysis is aimed mainly at the photo.jpg file. Using the Autopsy application, several findings are obtained that will later be used as digital evidence. These findings can be seen in Figure 5.

Fig. 5: Difference in pixels in the image

Figure 5 shows the difference between the Exif image dimensions and the actual image dimensions. With the Autopsy application, the metadata of the photo.jpg file can be seen in the Indexed Text view. As shown in Figure 5, the Exif image size differs from the image size: the Exif value is the smaller one. The figure is summarized in the following table.

 | Exif Image | Image
Height | 480 pixels | 1944 pixels
Width | 640 pixels | 2592 pixels
Height x Width | 0.3 MP | 5 MP
Table 3: Comparison of Exif image and image sizes

The table shows that the dimensions recorded in the Exif metadata (640 x 480, 0.3 MP) do not match the dimensions of the encoded image (2592 x 1944, 5 MP). A camera writes both values from the same capture, so a mismatch indicates that the metadata no longer describes the pixel data, which happens when a file is edited or assembled after capture, and the file warrants closer inspection. The mismatch on its own does not reveal appended data; that is found in the hex view. Using the Hex tool, a hidden file can be seen on page 156 of the hex view of the photo.jpg file, as shown in Figure 6.

Fig. 6: Hex view of the photo.jpg file

From Figure 6, the finding can be written as Table 4.

File | Offset | Signature (hex) | ASCII
Motorcycle price list.xlsx | 26e6b0 | 44 61 66 74 61 72 20 68 61 72 67 61 20 6D 6F 74 6F 72 2E 78 6C 73 78 | Daftar harga motor.xlsx
Table 4: Offset and signature of the hidden file in photo.jpg

The bytes at offset 26e6b0 decode to the Indonesian file name "Daftar harga motor.xlsx", i.e. Motorcycle price list.xlsx. This is the file name field of the archive entry: the ZIP format stores entry names in clear text, so the name is readable in the hex view even though the entry's data itself is compressed.

From the data found, the results of the analysis with Autopsy can be tabulated as follows.

No | Analysis result | Remarks
1 | 1 image file, photo.jpg, found on the flash disk | photo.jpg has differing pixel and resolution values
2 | There is a formatted (deleted) file system | the data cannot be recovered
3 | There is a file system in vol2 | FAT32
4 | The photo.jpg file contains an embedded file | Motorcycle price list.xlsx
Table 5: Analysis results using Autopsy

Because the Motorcycle price list.xlsx file exists inside photo.jpg, additional data is needed about the attributes of the photo.jpg file. This is obtained with the Properties tool of AccessData FTK Imager, shown in Figure 7.

Fig. 7: File attributes of photo.jpg

In the attributes of photo.jpg, Archive has the value True. This is the file system's archive bit, which is set on any file created or modified since the last backup; it is set on most files and does not by itself mean that photo.jpg contains an archive. What establishes that is the archive entry name found in the hex view (Figure 6, Table 4) beyond the end of the image data. A file assembled in this way can be opened directly with the 7-Zip application.

To do so, the photo.jpg file is first taken out of the forensic image by exporting it into a folder prepared for it. Figure 8 shows how the file is exported from the digital data to the intended folder. After the file has been exported, the next step is to extract the office file from the photo.jpg file.

Fig. 8: Exporting the image to the destination folder

D. Analysis with the 7-Zip Application
7-Zip is an application for compressing and extracting files. It can also be used to read files contained within another file. To obtain the digital evidence in the form of an office file, the photo.jpg file is opened directly with 7-Zip. This works because a ZIP archive is located from the end-of-central-directory record at the end of the file, so the JPEG data in front of it does not prevent 7-Zip from parsing the archive. Figure 9 shows that there is an office file inside the photo.jpg file.
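As an added example, not part of the paper or the authors' tooling, the following Python script reproduces in code the three checks performed above by hand: the Exif versus encoded-dimension comparison of Table 3, the search for data appended after the end of the JPEG that Table 4 records from the hex view, and the listing of the appended archive that 7-Zip performs. The sample carrier is constructed in memory (a minimal JPEG whose Exif says 640 x 480 but whose frame header says 2592 x 1944, followed by a ZIP); the only value taken from the page is the archive entry name, Daftar harga motor.xlsx, which the signature bytes in Table 4 decode to. The `copy /b` command named in a comment is the usual Windows form of file merging; the paper itself does not give the exact command it used.

```python
import hashlib
import io
import struct
import zipfile

# SOFn frame-header markers (C0..CF minus DHT C4, JPG C8, DAC CC) carry the encoded image size
SOF_MARKERS = {0xC0 + i for i in range(16)} - {0xC4, 0xC8, 0xCC}

def jpeg_segments(data):
    """Yield (marker, payload, offset_after) per segment, ending with EOI. Walking the
    structure, rather than searching for FF D9, avoids stopping at an Exif thumbnail's EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos:#x}")
        marker = data[pos + 1]
        if marker == 0xD9:                              # EOI: image data ends here
            yield marker, b"", pos + 2
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        payload = data[pos + 4:pos + 2 + length]
        pos += 2 + length
        yield marker, payload, pos
        if marker == 0xDA:                              # SOS: skip entropy-coded scan data
            while True:
                pos = data.index(b"\xff", pos)
                nxt = data[pos + 1]
                if nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                               # a real marker, not FF00 stuffing or RSTn
                pos += 2
    raise ValueError("no EOI marker found")

def exif_pixel_dims(app1):
    """(width, height) from Exif PixelXDimension/PixelYDimension (0xA002/0xA003), or None."""
    if not app1.startswith(b"Exif\x00\x00"):
        return None
    tiff = app1[6:]
    end = "<" if tiff[:2] == b"II" else ">"            # byte order from the TIFF header

    def read_ifd(off):                                  # single-value SHORT/LONG tags only
        (count,) = struct.unpack(end + "H", tiff[off:off + 2])
        tags = {}
        for i in range(count):
            e = off + 2 + 12 * i
            tag, typ, n = struct.unpack(end + "HHI", tiff[e:e + 8])
            fmt = {3: "H", 4: "I"}.get(typ)
            if n == 1 and fmt:
                (tags[tag],) = struct.unpack(end + fmt, tiff[e + 8:e + 8 + struct.calcsize(end + fmt)])
        return tags

    (ifd0_off,) = struct.unpack(end + "I", tiff[4:8])
    ifd0 = read_ifd(ifd0_off)
    sub = read_ifd(ifd0[0x8769]) if 0x8769 in ifd0 else {}   # 0x8769 points to the Exif sub-IFD
    return (sub[0xA002], sub[0xA003]) if 0xA002 in sub and 0xA003 in sub else None

def analyze(data):
    """Compare Exif vs encoded dimensions, hash the file, and carve anything after EOI."""
    report = {"exif_dims": None, "sof_dims": None, "zip_entries": []}
    for marker, payload, end in jpeg_segments(data):
        if marker == 0xE1 and report["exif_dims"] is None:
            report["exif_dims"] = exif_pixel_dims(payload)
        elif marker in SOF_MARKERS:
            height, width = struct.unpack(">HH", payload[1:5])
            report["sof_dims"] = (width, height)
        elif marker == 0xD9:
            report["image_end"] = end
    report["dims_mismatch"] = report["exif_dims"] not in (None, report["sof_dims"])
    trailer = data[report["image_end"]:]
    report["trailing_bytes"] = len(trailer)
    report["md5"] = hashlib.md5(data).hexdigest()       # the per-file hash Autopsy lists (Table 1)
    pk = trailer.find(b"PK\x03\x04")                     # ZIP local file header signature
    if pk != -1:
        report["zip_offset"] = report["image_end"] + pk
        with zipfile.ZipFile(io.BytesIO(trailer[pk:])) as zf:
            report["zip_entries"] = zf.namelist()        # ZIP stores entry names in clear text
    return report

def build_sample(hide_archive=True):
    """Constructed carrier: JPEG whose Exif says 640x480 but whose frame header says 2592x1944,
    followed by a ZIP, i.e. the bytes `copy /b Image.jpg + price.zip photo.jpg` would produce."""
    tiff = struct.pack("<2sHI", b"II", 42, 8)                           # TIFF header, IFD0 at 8
    tiff += struct.pack("<HHHII", 1, 0x8769, 4, 1, 26) + b"\0\0\0\0"    # IFD0: one entry -> sub-IFD at 26
    tiff += struct.pack("<HHHIHH", 2, 0xA002, 3, 1, 640, 0)             # sub-IFD: PixelXDimension
    tiff += struct.pack("<HHIHH", 0xA003, 3, 1, 480, 0) + b"\0\0\0\0"   # PixelYDimension, end of IFD
    app1 = b"Exif\x00\x00" + tiff
    sof0 = bytes([8]) + struct.pack(">HH", 1944, 2592) + bytes([1, 1, 0x11, 0])
    sos = bytes([1, 1, 0x00, 0, 63, 0])
    jpeg = b"\xff\xd8"
    for marker, seg in ((b"\xff\xe1", app1), (b"\xff\xc0", sof0), (b"\xff\xda", sos)):
        jpeg += marker + struct.pack(">H", len(seg) + 2) + seg
    jpeg += b"\x12\x34\xff\x00\x56\xff\xd9"              # stand-in scan data (with FF00 stuffing) + EOI
    if not hide_archive:
        return jpeg
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:                # entry name: what Table 4's bytes decode to
        info = zipfile.ZipInfo("Daftar harga motor.xlsx", date_time=(2023, 1, 1, 0, 0, 0))
        zf.writestr(info, b"constructed placeholder, not a real workbook")
    return jpeg + buf.getvalue()
```

Calling analyze(build_sample()) reports exif_dims (640, 480) against sof_dims (2592, 1944), dims_mismatch True, the number of bytes after the EOI marker, the offset of the ZIP local file header (equal to image_end, since the archive starts immediately after the image) and the entry list ['Daftar harga motor.xlsx']; a real photo.jpg exported from the forensic image can be passed to analyze() in the same way. Two practitioner points the script makes explicit: the Exif mismatch is only an indicator and says nothing about what was appended, and the appended data is recognized by its own signature after the image's end, not by the file attributes shown in Figure 7.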


Fig. 9: Office file (Excel) inside photo.jpg

After the file is visible, it can be opened with an office application; here the authors use Excel. The contents of Motorcycle price list.xlsx can be seen in Figure 10.

Fig. 10: Fragment of the Motorcycle price list.xlsx file

Fig. 11: Fragment of the Motorcycle price list.xlsx file

From Figures 10 and 11 it can be seen in Excel that the motorbikes have no STNK (vehicle registration certificate) and that the number 0888-888-999 belongs to the "boss" (suspect) selling the illegal motorbikes without papers. The spreadsheet also shows the place of the transactions, opposite the PP Layer Cake shop on Jalan Alpukat IV, Parung Panjang. Looking closely, the map coordinates -6.359617, 106.560093 are also present. These coordinates can be seen in the fragment in Figure 12.

Fig. 12: Image fragments from Figures 10 and 11

To summarize, the results of the analysis using 7-Zip are given in Table 6.

No | Analysis result | Remarks
1 | An office file can be extracted from the photo.jpg file | Motorcycle price list.xlsx
2 | The office file contains important data | - Illegal motorcycle sales; - Suspect's phone number; - Address and coordinates of the suspect's place
Table 6: Analysis results using the 7-Zip tool

E. Compiling Analysis Results
After all the evidence has been obtained, the results of the analysis are compiled from the evidence. The details are shown in Table 7.

Analysis | Result
Electronic evidence | SanDisk flash disk
Model name | Cruzer Slice 8 GB
Serial number | SDCZ37-008G
Digital data | photo.jpg
Applications used | 1. AccessData FTK Imager; 2. Autopsy; 3. 7-Zip
Details of findings | 1. There is only 1 (one) image file on the electronic evidence. 2. There is a file system, namely FAT32. 3. There is a (formatted) file system that cannot be recovered. 4. The photo.jpg file has differing pixel and resolution values. 5. A file is embedded in the photo.jpg file. 6. The embedded file is an office file, Motorcycle price list.xlsx, inserted into photo.jpg with the file merging method.
Detailed analysis of findings (office file) | 1. Illegal sale of motorcycles without papers. 2. The contact number (WhatsApp) used as evidence: 0888 888 999. 3. Place of transaction: opposite the PP Layer Cake shop, Jl. Alpukat IV, Parung Panjang. 4. Coordinates of the transaction location: -6.359617, 106.560093. 5. Password used at the time of transaction: "Buy 2 PP layers for selling".
Conclusions | Forensic applications make it easier for forensic analysts to find digital evidence hidden with simple steganographic methods.
Table 7: Compilation of analysis results

From Table 7 it is clear that the analysis reveals hidden files that turn out to be evidence of curanmor (motor vehicle theft) crimes, indicated by the sale and purchase of motorbikes without papers. With this digital evidence, the investigator can forward the case to the Police Criminal Investigation Unit for further action. The digital evidence is very important in assisting the police to arrest the suspects, and it is valuable enough that as much of it as possible must be utilized and used later in court.

V. CONCLUSION

Based on the results of the forensic computer analysis research on flash disk media, the following conclusions are drawn.
- A forensic image is a copy of the contents of the electronic evidence (flash disk) that can be analyzed with forensic computer applications. Using the Properties tool in AccessData FTK Imager and the Indexed Text and Hex tools in Autopsy, the digital evidence is obtained, namely the Motorcycle price list.xlsx file inserted into the photo.jpg file.
- AccessData FTK Imager and Autopsy have the limitation that when the electronic evidence (flash disk) has been fully formatted (not quick formatted), the data previously on it cannot be recovered.
- The Properties tool in AccessData FTK Imager shows the attributes and size of the carrier file, and the Hex view in Autopsy shows the compressed archive appended after the image data; the archive is then extracted with the 7-Zip application so that the hidden file can be seen.

REFERENCES

[1] Ahwan Ahmadi, T. A. (2021). Comparison of Forensic Tool Results on Android Smartphone Image Files Using the NIST Method. JIKO (Journal of Informatics and Computers), pp. 92-97.
[2] Desti Mualfah, R. A. (2020). Forensic Analysis of CCTV Camera Metadata as Digital Evidence. Journal of Information and Communication Technology, pp. 257-267.
[3] Husni Mubaro, N. W. (2017). Digital Forensic Analysis of Steganography Files (Case Study: Drug Distribution). Journal of Informatics Engineering and Information Systems (JUTISI).
[4] Imam Riadi, R. U. (2018). Digital Forensic Analysis on Frozen Solid State Drive with National Institute of Justice (NIJ) Method. Electronics, Informatics and Vocational Education (ELINVO), pp. 70-8.
[5] Computer Forensics: Definition and Purpose (Complete). (2021, November). Retrieved from https://www.seputarpengetahuan.co.id/2021/11/komputer-forensik-pengertian-dan-tujuan.html
[6] Mark Reith, C. C. (2002). An Examination of Digital Forensic Models. International Journal of Digital Evidence.
[7] Pratomo Djati Nugroho, S. M. (2017). IT: Digital Forensic. IPSIKOM Journal.
[8] M. PUSFID. (2016, December 17). Center for Digital Forensics Studies. Retrieved from Center for Digital Forensics Studies, Universitas Islam Indonesia: https://forensics.uii.

[9] Riskiyadi, M. (2020). Forensic Investigation of Digital Evidence in Uncovering Cybercrime. CyberSecurity and Digital Forensics, pp. 12-21.
[10] Sleuthkit. (2022). Autopsy User Documentation. Retrieved from http://sleuthkit.org/autopsy/docs/user-docs/4.19.2/
[11] Sleuthkit. (2022). Autopsy. Retrieved from http://www.sleuthkit.org/sleuthkit/docs.php
[12] Sunardi, I. R. (2020). National Journal and Information Systems, pp. 1-18.
[13] Vidila Rosalina, A. S. (2016). Analysis of Data Recovery Using Forensic Software: WinHex and X-Ways Forensics. PROSISKO.
[14] Wikipedia. (2021, October 3). Digital Forensics. Retrieved from https://id.wikipedia.org/wiki/Forensik_digital
[15] Yinita Sartika Sari, N. R. (2015). Steganography with File Merging Method through Command Prompt and Steganalysis of Results with Image Recognition Pattern Method, Image Culture, 24 Bit RGB and Size Range on JPEG Files. MKOM TELEMATICS.
