How to use Autopsy to process and examine the Compromised Windows Server 2022 image.
Set up the case file and process the E01
Download, install, and run Autopsy.
New Case > Enter case information > Next > (complete optional information) > Finish
This results in a new Autopsy case being created in the location you specified. Now we need to add our data source, the E01 image file.
Add Data Source > Disk Image or VM File > Next
This is where our previous examination of the SYSTEM hive is important: the timezone defaults to GMT-8, but the image is of a system whose timezone offset is GMT/UTC. Change it to GMT+0/UTC.
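As an added illustration (not part of the original walkthrough) of why the data-source timezone matters: the constructed timestamps below show the eight-hour shift that a timestamp stored in local time picks up if the GMT-8 default is left in place for a system that actually ran on UTC, alongside a decoder for the UTC-stored FILETIME values found in NTFS and the registry. Timestamp values and the helper names are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: count of 100-nanosecond intervals since 1601-01-01 UTC.
# NTFS $STANDARD_INFORMATION and registry key LastWrite times use this format,
# and they are stored in UTC, so the case timezone only affects their display.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(filetime: int) -> datetime:
    """Decode a FILETIME integer into a timezone-aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def local_to_utc(naive_local: datetime, offset_hours: int) -> datetime:
    """Interpret a timestamp that was recorded in local time (FAT directory
    entries, many plain-text logs) under an assumed UTC offset and return
    the real UTC instant it represents."""
    tz = timezone(timedelta(hours=offset_hours))
    return naive_local.replace(tzinfo=tz).astimezone(timezone.utc)


def timezone_drift(naive_local: datetime, assumed_offset: int,
                   true_offset: int) -> timedelta:
    """Timeline error introduced when the examiner selects assumed_offset
    for a data source whose system actually ran at true_offset."""
    return (local_to_utc(naive_local, assumed_offset)
            - local_to_utc(naive_local, true_offset))


if __name__ == "__main__":
    # Constructed local-time timestamp as it might appear in a FAT entry
    # or a text log on the compromised server.
    recorded = datetime(2023, 5, 1, 12, 0, 0)
    # Autopsy's default (GMT-8) versus the server's real offset (UTC).
    drift = timezone_drift(recorded, assumed_offset=-8, true_offset=0)
    print(f"Wrong offset shifts this event by {drift} on the timeline")
    # Sanity check of the FILETIME decoder against the Unix epoch.
    print(filetime_to_utc(116444736000000000))  # 1970-01-01 00:00:00+00:00
```

A UTC-stored NTFS time is unaffected in substance, but an event that was logged in local time would be placed eight hours later than it really occurred, so correlating it with registry LastWrite times or other UTC evidence would fail.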
De-select the irrelevant ingest modules; the selection should then look like this:
We'll look at installing additional ingest modules shortly.
Click Next and wait for Autopsy to ingest the E01.