Autopsy is a graphical interface to The Sleuth Kit and other analysis tools. It was designed to be an extensible platform so that it can be an end-to-end digital forensics solution that incorporates plug-in modules from both open and closed source projects.

Documentation

Autopsy Features

Autopsy was designed to be intuitive out of the box. Installation is easy and wizards guide you through every step. All results are found in a single tree.

Extensible

Autopsy was designed to be an end-to-end platform with modules that come with it out of the box and others that are available from third-parties. Some of the modules provide:

  • Timeline Analysis – Graphical event viewing interface.
  • Hash Filtering – Flag known bad files and ignore known good.
  • File System Forensic Analysis – Recover files from most common formats.
  • Keyword Search – Indexed keyword search to find files that mention relevant terms.
  • Web Artifacts – Extract history, bookmarks, and cookies from Firefox, Chrome, and IE.
  • Multimedia – Extract EXIF from pictures and watch videos.

Fast

Everyone wants results yesterday. Autopsy runs background tasks in parallel using multiple cores and provides results to you as soon as they are found. It may take hours to fully search the drive, but you will know in minutes if your keywords were found in the user’s home folder.

Cost Effective

Autopsy is free. As budgets are decreasing, cost effective digital forensics solutions are essential. Autopsy offers the same core features as other digital forensics tools and offers other essential features, such as web artifact analysis and registry analysis, that other commercial tools do not provide.

overview

Input Formats

Autopsy analyzes disk images, local drives, or a folder of local files. Disk images can be in either raw/dd or E01 format. E01 support is provided by libewf.

Analysis Features

Below is the list of Autopsy features.

  • Timeline Analysis: Displays system events in a graphical interface to help identify activity.
  • Keyword Search: Text extraction and index searched modules enable you to find files that mention specific terms and find regular expression patterns.
  • Web Artifacts: Extracts web activity from common browsers to help identify user activity.
  • Registry Analysis: Uses RegRipper to identify recently accessed documents and USB devices.
  • LNK File Analysis: Identifies short cuts and accessed documents
  • Email Analysis: Parses MBOX format messages, such as Thunderbird.
  • EXIF: Extracts geo location and camera information from JPEG files.icon_sleuthkit
  • File Type Sorting: Group files by their type to find all images or documents.
  • Media Playback: View videos and images in the application and not require an external viewer.
  • Thumbnail viewer: Displays thumbnail of images to help quick view pictures.
  • Robust File System Analysis: Support for common file systems, including NTFS, FAT12, FAT16, FAT32, HFS+, ISO9660 (CD-ROM), Ext2, Ext3, and UFS from The Sleuth Kit.
  • Hash Set Filtering: Filter out known good files using NSRL and flag known bad files using custom hashsets in HashKeeper, md5sum, and EnCase formats.
  • Tags: Tag files with arbitrary tag names, such as ‘bookmark’ or ‘suspicious’, and add comments.
  • Unicode Strings Extraction: Extracts strings from unallocated space and unknown file types in many languages (Arabic, Chinese, Japanese, etc.).

Reporting:

Autopsy has an extensible reporting infrastructure that allows additional types of reports for investigations to be created. By default, an HTML, XLS, and Body file report are available. Each are configurable depending on what information an investigator would like included in their report:

  • HTML and Excel: The HTML and Excel reports are intended to be fully packaged and shareable reports. They can include references to tagged files along with comments and notes inserted by the investigator as well as other automated searches that Autopsy performs during ingest. These include bookmarks, web history, recent documents, keyword hits, hashset hits, installed programs, devices attached, cookies, downloads, and search queries.
  • Body File: Primarily for use in timeline analysis, this file will include MAC times for every file in an XML format for import by external tools, such as mactime in The Sleuth Kit.

An investigator can generate more than one report at a time and either edit one of the existing or create a new reporting module to customize the behavior for their specific needs.

downloadsDownload

Print Friendly, PDF & Email