Autopsy

Autopsy is an open-source tool for forensic filesystem analysis.

Cases

A case is a collection of data about previously occurred events, organized in several different ways.

Image: example case.

Existing cases can be opened on startup, or by clicking "Case" and "Open Case."

You can also create new cases by clicking "Case" and "New Case."

Data Sources

Ingest Modules

Ingest modules are the various analysis steps that Autopsy can run to retrieve specific data from the drive.

By default, ingest modules are configured to run on all files, directories, and unallocated space.

Autopsy adds metadata about files to the local case database, not the file contents.
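The two points above (a module runs over every file in the data source, and only metadata lands in the case database) are easy to see with a small stand-alone model. The script below is an added example modelled on that behaviour; it is not Autopsy's own code, and the table name `tsk_files_demo`, the constructed temporary data source, and the single "hash module" are all assumptions made for the illustration. It walks a constructed directory, records path, size, modification time and SHA-256 for each file, and then checks that a string from one file's content never reaches the database while the hash still lets an analyst locate the file.

```python
"""Model of an ingest run: walk a data source, run one file module on every
file, and store only metadata (never content) in a case database.
Added illustration modelled on Autopsy's behaviour, not Autopsy's own code
or schema; data source and table name are constructed for the example."""
import hashlib
import os
import sqlite3
import tempfile
from pathlib import Path

# Hypothetical table, loosely named after Autopsy's file table; not its schema.
SCHEMA = """
CREATE TABLE IF NOT EXISTS tsk_files_demo (
    id     INTEGER PRIMARY KEY,
    path   TEXT    NOT NULL,
    size   INTEGER NOT NULL,
    mtime  INTEGER NOT NULL,
    sha256 TEXT
)
"""


def build_sample_data_source() -> str:
    """Construct a tiny data source: a temp directory with a few files."""
    root = tempfile.mkdtemp(prefix="ds_")
    files = {  # constructed sample content
        "Documents/notes.txt": b"meeting at noon\n",
        "Documents/secret.txt": b"password=hunter2\n",
        "Downloads/tool.exe": b"MZ\x90\x00fake-binary",
    }
    for rel, content in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return root


def hash_module(path: Path) -> str:
    """A minimal 'file ingest module': SHA-256 of one file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def ingest(root: str, db_path: str) -> int:
    """Run the module over every file under root, storing metadata only.
    Returns the number of files recorded."""
    conn = sqlite3.connect(db_path)
    conn.execute(SCHEMA)
    count = 0
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath, name)
            st = p.stat()
            conn.execute(
                "INSERT INTO tsk_files_demo (path, size, mtime, sha256) "
                "VALUES (?, ?, ?, ?)",
                (p.relative_to(root).as_posix(), st.st_size,
                 int(st.st_mtime), hash_module(p)),
            )
            count += 1
    conn.commit()
    conn.close()
    return count


def db_contains_bytes(db_path: str, needle: bytes) -> bool:
    """True if raw file content leaked into the case database file."""
    return needle in Path(db_path).read_bytes()


def lookup_by_hash(db_path: str, sha256: str) -> list:
    """Find recorded paths whose hash matches (e.g. a known-file hash set)."""
    conn = sqlite3.connect(db_path)
    rows = conn.execute(
        "SELECT path FROM tsk_files_demo WHERE sha256 = ?", (sha256,)
    ).fetchall()
    conn.close()
    return sorted(r[0] for r in rows)


def run_demo() -> dict:
    """Build the data source, ingest it, and report what the database holds."""
    root = build_sample_data_source()
    # Keep the case database outside the data source so it is not ingested.
    db_path = os.path.join(tempfile.mkdtemp(prefix="case_"), "case.db")
    files = ingest(root, db_path)
    secret_hash = hashlib.sha256(b"password=hunter2\n").hexdigest()
    return {
        "files": files,
        "content_in_db": db_contains_bytes(db_path, b"hunter2"),
        "hash_hits": lookup_by_hash(db_path, secret_hash),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running the script reports three files recorded, no file content in the database, and the secret file located by its hash alone, which is the property that lets a case database stay small while still supporting hash-set lookups.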

User Interface

Tree Viewer

The tree viewer has five top-level nodes:

Image: example tree viewer.

Result Viewer

Volumes, files, folders, and other data selected in the tree viewer are displayed here (to the right), together with corresponding additional information.

There are three tabs in the result viewer:

Image: example result viewer.

Contents Viewer

Clicking any folder or file in the Table tab of the result viewer displays additional information in the contents viewer.

Keyword Search

In the top-right, the analyst can search the case by keyword.

Status Area

In the bottom-right, the analyst can see the status of the ingest modules currently running.

Data Sources Summary

Provides summaries of the data in nine different categories.

Image (courtesy of the btautopsye0 room on TryHackMe): data sources summary.

Generate Report

Clicking the "Generate Report" button generates a report that is listed in the tree viewer and then shown in the result viewer under the name chosen for the report.

Image (courtesy of the btautopsye0 room on TryHackMe): generated report.