What is Autopsy?
Autopsy is a graphical open-source digital forensics platform built on top of The Sleuth Kit (TSK). It enables investigators to analyze disk images, file systems, and storage media for evidence of malicious activity, data breaches, or policy violations. Autopsy automates much of the triage process — recovering deleted files, extracting browser history, parsing email, identifying known bad files via hash databases, and generating timeline views of filesystem activity. It is widely used by law enforcement, incident responders, and CTF competitors alike.
Only use on systems you own or have explicit written permission to investigate. Unauthorized forensic analysis violates Pakistan's PECA 2016 and international cybercrime laws.
Installation
```bash
# Kali Linux ships the legacy Autopsy 2.x forensic browser (a web front end for The Sleuth Kit)
sudo apt update
sudo apt install autopsy -y

# Launch it (runs as root and listens on localhost only)
sudo autopsy
# Then open: http://localhost:9999/autopsy

# Autopsy 4.x (recommended: full desktop GUI; Windows is the primary platform)
# Download the installer from: https://www.autopsy.com/download/
# Linux users: install the sleuthkit-java .deb, unzip the Autopsy release,
# run unix_setup.sh once, then start it with bin/autopsy
```
Basic Workflow
Autopsy is case-based — every investigation begins by creating a case, then adding one or more data sources (disk images, local drives, logical files).
```bash
# Supported image formats:
#   .dd / .raw    raw disk images (created with dd or dc3dd)
#   .E01          EnCase evidence files
#   .vmdk         VMware virtual disk images
#   .vhd / .vhdx  Hyper-V virtual disks

# Create a raw disk image from a drive (before opening it in Autopsy).
# Attach the drive through a write blocker, or at least make sure the OS
# does not auto-mount it, so the source is never written to.
sudo dd if=/dev/sdb of=evidence.dd bs=4M status=progress

# Verify image integrity: hash the source device as well as the image,
# and the two digests must match
sudo sha256sum /dev/sdb
md5sum evidence.dd > evidence.md5
sha256sum evidence.dd > evidence.sha256

# Then open the Autopsy GUI: New Case -> Add Data Source -> select the image
```
Key Ingest Modules
- Hash Lookup: flags known malware and known-good files using NSRL and custom hash sets (your own lists of known-bad or known-good hashes)
- File Type Identification: detects file types by magic bytes regardless of extension, so renamed executables and documents are caught
- Keyword Search: full-text index search across all extracted content
- Web Artifacts: parses Chrome, Firefox and Edge browser history, bookmarks, and downloads
- Recent Activity: extracts Windows registry run keys, prefetch, and recently accessed files
- Email Parser: extracts and indexes .pst, .mbox, and EML email archives
- Exif Parser: pulls GPS coordinates and camera metadata from images
- Timeline Analysis: visual chronological view of all filesystem and activity events (a viewer built on the events the ingest modules produce, rather than an ingest module itself)
Common Use Cases
- Incident response — analysing compromised disk images post-breach
- CTF (Capture The Flag) forensics challenges involving disk images
- Malware investigation — recovering dropped files and persistence artifacts
- Insider threat investigations and employee policy violation cases
Tips & Best Practices
Always work from a forensic copy: never mount or analyze the original evidence drive directly, and acquire it through a hardware write blocker where possible. Hash the source drive and the image at acquisition time, and re-hash the image with sha256sum before and after analysis, so you can show an unbroken chain of matching digests in any legal proceeding (MD5 is fine as a secondary digest that a counterpart may expect, but rely on SHA-256 for integrity). Choose ingest modules deliberately when you add a data source: enable every module you will need in that first pass, because re-running ingest later on a large image can take hours, but leave out modules that do not serve your investigation hypothesis, since keyword indexing in particular is slow on large images.
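The acquisition and integrity steps described in Basic Workflow (dd, then sha256sum) and the re-hashing advice above, combined into one script. This is an added example, not code from the original page or from the Autopsy project. It assumes GNU coreutils (dd, sha256sum, date) on Linux; the script name acquire.sh and the .log and .sha256 sidecar files are conventions chosen here, not anything Autopsy requires. The source may be a block device or a file, which is what the test uses.

```bash
#!/bin/sh
# Added example (not Autopsy project code): forensic acquisition with a
# verification log. Requires GNU coreutils: dd, sha256sum, date.
set -u

# acquire_image SRC DST
# Copies SRC (block device or file) to DST, hashes both, records the image
# digest in DST.sha256 (sha256sum format) and appends an audit trail to
# DST.log. Returns 0 only when the source and image digests match.
acquire_image() {
    src=$1
    dst=$2
    log="$dst.log"
    printf '%s acquire src=%s dst=%s\n' "$(date -u +%FT%TZ)" "$src" "$dst" >>"$log"

    # bs=512 with conv=noerror,sync: on a read error dd keeps going and
    # zero-fills the bad sector, so offsets in the image still match the
    # source. A larger bs would be faster, but conv=sync pads the final
    # short block to bs, and the image hash would then differ from the
    # source hash on any device whose size is not a multiple of bs.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync status=progress 2>>"$log" || return 1

    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    # Store the digest with a bare filename so `sha256sum -c` works from
    # the image's directory wherever the case is later copied.
    printf '%s  %s\n' "$img_hash" "$(basename "$dst")" >"$dst.sha256"
    printf '%s sha256 source=%s image=%s\n' "$(date -u +%FT%TZ)" "$src_hash" "$img_hash" >>"$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image DST
# Re-hashes the image against DST.sha256 (run this before and after every
# analysis session) and logs the outcome. Returns 0 if unchanged.
verify_image() {
    dst=$1
    (cd "$(dirname "$dst")" && sha256sum -c --status "$(basename "$dst").sha256")
    rc=$?
    printf '%s verify image=%s result=%s\n' "$(date -u +%FT%TZ)" "$dst" "$rc" >>"$dst.log"
    return "$rc"
}

# Usage:
#   sudo sh acquire.sh acquire /dev/sdb /cases/001/evidence.dd
#   sh acquire.sh verify /cases/001/evidence.dd
case "${1:-}" in
    acquire) acquire_image "$2" "$3" ;;
    verify)  verify_image "$2" ;;
esac
```

The log records the timestamps and both digests, which is the material a chain-of-custody form asks for; a verify run that returns non-zero after analysis means the image was modified and nothing derived from it should be relied on.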
Practice on legal disk images from TryHackMe, HackTheBox, or hackzia.site labs before using in live investigations.