Autopsy User Documentation  4.13.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
Tree Viewer

The tree on the left-hand side of the main window is where you can browse the files in the data sources in the case and find saved results from automated analysis (ingest). The tree has five main areas:

You can also use the "Group by data source" option available through the View Options to move the Views, Results, and Tags tree nodes under their corresponding data sources. This can be helpful on very large cases to reduce the size of each subtree. For example:

[Screenshot: ui_layout_group_tree.PNG]

Data Sources

The Data Sources area shows each data source that has been added to the case, in the order they were added (the first one added is at the top). Right-clicking the various nodes in the Data Sources area of the tree gives you more options for each data source and its contents.

Unallocated space consists of the chunks of a file system that are not currently being used for anything. Unallocated space can hold deleted files and other interesting artifacts. In an image data source, unallocated space is stored in blocks with distinct locations in the file system. However, because of the way carving tools work, it is better to feed these tools a single, large unallocated space file. Autopsy provides access to both methods of looking at unallocated space.

An example of the single file extraction option is shown below.

[Screenshot: extracting-unallocated-space.PNG]
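
The unallocated space paragraph above describes two views: blocks at distinct locations in the file system, and a single file suited to carving tools. The following is an added example, not Autopsy or Sleuth Kit code, that builds the single-file view from a constructed image and allocation bitmap and keeps an offset map so that a carved hit can be traced back to its location in the image; the block size, function names and sample data are assumptions.

```python
# Added illustration; not Autopsy or Sleuth Kit code. All names are hypothetical.
from bisect import bisect_right

BLOCK = 512  # assumed block size for the constructed image

def unallocated_runs(bitmap):
    """Return (first_block, block_count) per run; bitmap[i] is True if block i is allocated."""
    runs, start = [], None
    for i, allocated in enumerate(bitmap):
        if not allocated and start is None:
            start = i
        elif allocated and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(bitmap) - start))
    return runs

def extract_single_file(image, bitmap):
    """Concatenate all unallocated runs into one blob for a carver, and keep a
    map of (offset_in_blob, offset_in_image, length) so hits can be traced back."""
    blob, mapping = bytearray(), []
    for first, count in unallocated_runs(bitmap):
        src, length = first * BLOCK, count * BLOCK
        mapping.append((len(blob), src, length))
        blob += image[src:src + length]
    return bytes(blob), mapping

def blob_to_image_offset(mapping, blob_offset):
    """Translate an offset in the single file back to its location in the image."""
    idx = bisect_right([m[0] for m in mapping], blob_offset) - 1
    if idx >= 0:
        start, src, length = mapping[idx]
        if blob_offset < start + length:
            return src + (blob_offset - start)
    raise ValueError("offset outside extracted unallocated space")

def build_sample():
    """Constructed 8-block image: blocks 2, 3 and 6 are unallocated, and a
    JPEG signature (FF D8 FF) sits at the start of block 6."""
    bitmap = [True, True, False, False, True, True, False, True]
    image = bytearray(b"A" * (8 * BLOCK))
    for b in (2, 3, 6):
        image[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)
    image[6 * BLOCK:6 * BLOCK + 3] = b"\xff\xd8\xff"
    return bytes(image), bitmap
```

A signature found at an offset in the single file is only meaningful for reporting once it has been translated back through the map, because the concatenation removes the allocated blocks that separated the runs.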

Views

Views filter all the files in the case by some property of the file.

Results

Reports

Reports can be added by Ingest Modules or created using the Reporting tool.


Copyright © 2012-2019 Basis Technology. Generated on Thu Nov 21 2019
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.