Command Line Ingest

Overview

The Command Line Ingest feature allows you to process a data source with Autopsy from the command line. Autopsy will automatically create a case with the settings you specify and will generate a CASE-UCO report.

Configuration

Go to Tools->Options and then select the "Command Line Ingest" tab.

First, enter the output folder for the cases. Next, use the button to open the ingest module settings. Here you can configure the Ingest Modules settings that will be used when running from the command line.

Running Autopsy

In a command prompt, navigate to the Autopsy bin folder. This is normally located at "C:\Program Files\Autopsy-version\bin".

Now run autopsy with the following parameters, substituting the path to your data source and your desired case name. Both disk images and logical files are supported. Note that the case name must be unique for each run.

autopsy64.exe --inputPath=(data source path) --caseName=(case name) --runFromCommandLine=true

In the example below, we're going to process a disk image with path "R:\work\images\xp-sp3-v4.E01" and name the case "xpCase".

You'll start seeing output in the command prompt and the Autopsy UI will open. In the middle of the UI you'll see the following dialog:

Once Autopsy finishes processing you'll be back at the command window. Press enter to return to the command prompt.

Viewing Results

You can open the case created on the command line like any other Autopsy case. Simply go to "Open Case" and then browse to the output folder you set up in the Configuration section and look for the folder starting with your case name. It will have a timestamp appended to the name you specified.

If you are only interested in the CASE-UCO report then you don't need to open Autopsy. The report can be found in the case folder under "Reports\CASE-UCO" and then an automatically generated data source name containing the ID and timestamp.