AUTOPSY

Digital Forensics

“Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera’s memory card.”

Basically, Autopsy is a free, open-source tool that supports a wide range of other digital forensics modules and tools.

Autopsy is computer software that makes it simpler to deploy many of the open-source programs and plugins used in The Sleuth Kit. The graphical user interface displays the results from the forensic search of the underlying volume, making it easier for investigators to flag pertinent sections of data. The tool is largely maintained by Basis Technology Corp. with the assistance of programmers from the community.


SYSTEM REQUIREMENTS

RAM : Minimum 8GB (16GB recommended)

Storage : 335 KB for archives, 1.2 GB for the GUI

OS : Windows, macOS, Linux & many more.

Architecture : Supports both 32-bit and 64-bit architectures

Available On : PC


ADDITIONAL INFORMATION

Published By : Basis Technology

Release Date : 2000

Approximate Size : 1.1 MB (Terminal installation size)

Publisher Info : Basis Technology, known for digital forensics and cybersecurity

Supported Languages : English

Last Update : December 2024

Programming Language : Written in Java

Operating System : Cross-platform

License : Apache License 2.0

  1. Extensible : the user should be able to add new functionality by creating plugins that can analyze all or part of the underlying data source.
  2. Centralized : the tool must offer a standard and consistent mechanism for accessing all features and modules.
  3. Ease of Use : the Autopsy Browser must offer the wizards and historical tools to make it easier for users to repeat their steps without excessive reconfiguration.
  4. Multiple Users : the tool should be usable by one investigator or coordinate the work of a team.

  1. Autopsy analyzes major file systems (NTFS, FAT, ExFAT, HFS+, Ext2/Ext3/Ext4, YAFFS2) by hashing all files, unpacking standard archives (ZIP, JAR etc.), extracting any EXIF values and putting keywords in an index. Some file types like standard email formats or contact files are also parsed and cataloged.
  2. Users can search these indexed files for recent activity or create a report in HTML or PDF summarizing important recent activity. If time is short, users may activate triage features that use rules to analyze the most important files first. Autopsy can save a partial image of these files in the VHD format.

  1. Data Source : This node contains all the data sources from which the data is collected. It can be Disks, Logical Files, Registry data and other data sources.
  2. View : This node contains the details of the files the scanner identified and their categories, such as file types and extensions, before the raw information is extracted.
  3. Results : This node holds the output of the configured ingest modules, sorted according to the required information, so this is where the key information appears.
  4. Tags : Tags mark data of interest so that it can be found again for future reference.
  5. Reports : Used for creating reports.

  1. Data Source Addition
    • Step 1 : Launch Autopsy and create a new case.
    • Step 2 : Select “Add Data Source” and choose the type (e.g., Disk Image or VM File).
    • Step 3: Browse to the selected data source (e.g., a disk image file) and add it to the case.

    Example : Adding a disk image file named “RHINOUSB.dd” to the case.

  2. Ingest Configuration
    • Step 1: Configure ingest modules to analyze the data source (e.g., disk image).
    • Step 2: Select default ingest modules or customize them as needed.

    Example : Leaving all ingest modules as default and clicking “Next.”

  3. Analysis
    • Autopsy analyzes the data source and extracts relevant information, such as file systems, metadata, and artifacts.
    • The platform provides a user-friendly interface to browse and examine the results.

    Example : After analysis, selecting the “Deleted Files” tab to retrieve deleted files, such as “f0106344.gif” and “f0106320.gif”.

  4. File Carving
    • Autopsy includes built-in file carving capabilities to recover deleted files and extract files from unallocated disk space.
    • File carving is based on file signatures and header/footer patterns.

    Example : Recovering deleted files using file carving and verifying their integrity with hash calculations (MD5, SHA-1, SHA-256, etc.).

  5. Hashing and Integrity Checking
    • Autopsy calculates cryptographic hashes of files and disk images to verify data integrity and detect tampering or alterations.
    • This feature ensures that data has not been modified during analysis.

    Example : Calculating the MD5 hash of a recovered deleted file, “f0106344.gif”, to verify its integrity.

  6. Keyword Search
    • Autopsy allows for keyword searches across disk images and file systems to identify relevant files, documents, emails, chat logs, and other digital artifacts related to an investigation.
    • Searches can be performed using a graphical interface or through the command line.

    Example : Searching for a specific keyword, such as “password,” across a disk image to identify relevant files and documents.

  7. Timeline Analysis
    • Autopsy provides an advanced graphical event viewing interface (Timeline Analysis) to visualize the sequence of events and activities on a system.
    • This feature helps investigators understand the chronology of events and identify patterns or anomalies.

    Example : Using Timeline Analysis to visualize the sequence of file access and modifications on a system.

  8. Report Generation
    • Autopsy allows users to generate comprehensive reports summarizing their findings.
    • Reports can be customized and exported in various formats (e.g., PDF, CSV).

    Example : Generating a report detailing the recovered deleted files, including their location and MD5 hash.
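
The File Carving and Hashing and Integrity Checking steps above, as an added Python example that is not Autopsy's own code: it locates GIF files in a raw image by header signature and hashes each carved file. It goes beyond a plain header/footer search by walking the GIF block structure to the trailer byte, so a stray 00 3B inside the data does not cut the file short. The function names and the sample image are constructed for illustration.

```python
import hashlib
import re

GIF_SIGNATURE = re.compile(rb"GIF8[79]a")  # header signature; the footer is the 0x3B trailer

def _skip_sub_blocks(buf, pos):
    while buf[pos]:                   # length-prefixed sub-blocks, ended by a zero length
        pos += 1 + buf[pos]
    return pos + 1

def _skip_color_table(flags, pos):
    # Bit 7 set: a table of 3 * 2^(N+1) bytes follows, N being the low three bits.
    return pos + 3 * (2 << (flags & 7)) if flags & 0x80 else pos

def gif_end(buf, start):
    """Offset one past the trailer, or None if the structure is invalid or truncated."""
    try:
        pos = _skip_color_table(buf[start + 10], start + 13)
        while True:
            kind = buf[pos]
            if kind == 0x3B:          # trailer: the real end of the file
                return pos + 1
            if kind == 0x21:          # extension: label byte, then sub-blocks
                pos = _skip_sub_blocks(buf, pos + 2)
            elif kind == 0x2C:        # image: 10-byte descriptor, table, LZW size byte
                pos = _skip_color_table(buf[pos + 9], pos + 10)
                pos = _skip_sub_blocks(buf, pos + 1)
            else:
                return None           # unknown block type: not a usable GIF
    except IndexError:                # walked off the end of the image
        return None

def carve_gifs(image):
    """Offset, size and hashes of every structurally complete GIF in a raw image."""
    found = []
    for m in GIF_SIGNATURE.finditer(image):
        end = gif_end(image, m.start())
        if end is not None:           # a bare signature with no valid body is skipped
            data = image[m.start():end]
            found.append({"offset": m.start(), "size": len(data),
                          "md5": hashlib.md5(data).hexdigest(),
                          "sha256": hashlib.sha256(data).hexdigest()})
    return found

# Constructed sample: a 1x1 GIF whose comment block holds the bytes 00 3B, then a bare signature.
SAMPLE_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
              b"!\xfe\x03Z\x00;\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
              b"\x02\x02D\x01\x00;")
SAMPLE_IMAGE = b"\x00" * 512 + SAMPLE_GIF + b"\xff" * 100 + b"GIF89a"
```

Recording the offset and both hashes for each carved file lets the same values be recomputed later to confirm that the recovered data has not changed.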

  • binutils
  • perl
  • sleuthkit

Terminal Installation Commands ...

$ sudo apt-get update && sudo apt-get upgrade

$ sudo apt install autopsy

$ sudo apt -y install autopsy


GUI Installation Steps ...
Linux
  1. Download the Linux package from the Autopsy download page.
  2. Extract the files and open Terminal in the extracted folder.
  3. Run the setup script or follow the detailed instructions in the README file.
    • For Debian-based systems (e.g., Ubuntu), use : sudo apt install autopsy.
  4. Start Autopsy with: ./autopsy.
Windows
  1. Visit the Autopsy download page and download the Windows .msi installer.
  2. Run the .msi file, and follow the on-screen instructions.
  3. Accept the license agreement and choose the installation directory.
  4. Complete the setup by clicking "Finish."
MacOS
  1. Download the macOS package from the Autopsy download page.
  2. Unzip the downloaded file.
  3. Open Terminal and navigate to the unzipped directory.
  4. Follow the instructions in the README file (this often involves running scripts or commands provided in the package).

Terminal Uninstallation Commands ...

$ sudo apt remove autopsy

$ sudo apt autoclean && sudo apt autoremove


GUI Uninstallation Steps ...
Linux
  1. Open a terminal.
  2. Use the following commands :
    • To remove the package : sudo apt-get remove autopsy.
    • To remove dependencies : sudo apt-get remove --auto-remove autopsy.
    • To purge configuration files : sudo apt-get purge autopsy.
    • For a complete removal : sudo apt-get purge --auto-remove autopsy.
Windows
  1. Via Control Panel:
    • Open the Control Panel.
    • Navigate to Programs > Programs and Features.
    • Locate Autopsy in the list, right-click, and select Uninstall.
  2. Via Settings:
    • Open Settings and go to Apps.
    • Find Autopsy in the list, click on it, and select Uninstall.
  3. Using Third-Party Tools:
    • Tools like Revo Uninstaller can help remove leftover files and registry entries.
MacOS
  1. Open the Applications folder.
  2. Locate the Autopsy application.
  3. Drag it to the Trash.
  4. To remove associated files :
    • Open Finder and press Command + Shift + G.
    • Enter ~/Library and search for files related to Autopsy (e.g., preferences or cache files).
    • Delete them to ensure a clean uninstallation.

Copyright © 2025 HACKERSPOT

All original content, including tools, software, and other information, is protected by copyright and remains the property of its respective owners.
