Autopsy User Documentation  3.1
Graphical digital forensics platform for The Sleuth Kit and other tools.


This document outlines the use of the STIX feature of Autopsy. This feature allows one or more Structured Threat Information Exchange (STIX) files to be run against a data source, reporting which indicators were found in the data source. More information about STIX can be found at This document assumes basic familiarity with Autopsy.

Quick Start

  1. Create a case as normal and add a disk image (or folder of files) as a data source. To get the most out of the STIX module, ensure that the following ingest modules are selected:
    • Recent Activity
    • Hash Lookup (Check box to calculate MD5 hashes even with no database selected)
    • File Type Identification
    • Keyword Search (URL, IP, and Email addresses)
    • Email Parser
    • Extension Mismatch Detector
  2. After the image has been added and ingest is complete, click the Report button, then select STIX. Next, choose either a single STIX file or a directory of STIX files to run against the image. It is possible to do this while ingest is running, but the results will be incomplete.
  3. Once the STIX report module is complete, there will be two sets of results:
    • Entries will be created under Interesting Items in the Autopsy tree, under a subheading for each indicator.
    • A log of which indicators/observables were found is generated by the report module (follow the link on the Report Generation Progress window).

Supported CybOX Objects

See for more information on CybOX Objects.
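
To see how many indicators and which CybOX object types a STIX file (or a directory of them) contains before selecting it in the report dialog, an inventory script like the following can be used. This is an added example, not part of Autopsy or its documentation; it assumes STIX 1.x XML using the standard STIX and CybOX namespaces, and the sample document and function names are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter
from pathlib import Path

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
INDICATOR = "{http://stix.mitre.org/stix-1}Indicator"
PROPERTIES = "{http://cybox.mitre.org/cybox-2}Properties"

# Constructed sample (not real threat intelligence): two indicators.
SAMPLE_STIX = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
 xmlns:indicator="http://stix.mitre.org/Indicator-2"
 xmlns:cybox="http://cybox.mitre.org/cybox-2"
 xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
 xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><stix:Indicators>
 <stix:Indicator id="example:indicator-1"><indicator:Observable><cybox:Object>
  <cybox:Properties xsi:type="FileObj:FileObjectType">
   <FileObj:File_Name>sample.exe</FileObj:File_Name>
  </cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
 <stix:Indicator id="example:indicator-2"><indicator:Observable><cybox:Object>
  <cybox:Properties xsi:type="AddressObj:AddressObjectType">
   <AddressObj:Address_Value>192.0.2.10</AddressObj:Address_Value>
  </cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
</stix:Indicators></stix:STIX_Package>"""

def inventory(xml_data):
    """Return (indicator_count, Counter of CybOX object types) for one file."""
    # Parse only feeds you trust; ElementTree is not hardened against hostile XML.
    root = ET.fromstring(xml_data)
    indicators = sum(1 for _ in root.iter(INDICATOR))
    types = Counter()
    for props in root.iter(PROPERTIES):
        # xsi:type is a prefixed name such as "FileObj:FileObjectType".
        types[props.get(XSI_TYPE, "(untyped)").split(":")[-1]] += 1
    return indicators, types

def inventory_path(path):
    """Inventory a single STIX file, or every *.xml file in a directory."""
    p = Path(path)
    files = sorted(p.glob("*.xml")) if p.is_dir() else [p]
    return {f.name: inventory(f.read_bytes()) for f in files}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = inventory_path(sys.argv[1])
    else:
        results = {"(constructed sample)": inventory(SAMPLE_STIX)}
    for name, (count, types) in results.items():
        print(f"{name}: {count} indicator(s), object types: {dict(types)}")
```

Run it with a file or directory path as the only argument; with no argument it reports on the embedded sample.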


Copyright © 2012-2015 Basis Technology. Generated on Mon Oct 19 2015
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.