Autopsy User Documentation
4.16.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
A data source is the thing you want to analyze. It can be a disk image, some logical files, a local disk, etc. You must open a case prior to adding a data source to Autopsy.
Autopsy supports multiple types of data sources:
You can add a data source in several ways:
The data source must remain accessible for the duration of the analysis because the case stores only a reference to it; Autopsy does not copy the data source into the case folder. If the image or folder is later moved, altered or unmounted, the case will no longer be able to reach its content.
Regardless of the type of data source, there are some common steps in the process:
1) You will select the type of data source.
2) You will be prompted to specify the data source to add. This screen varies based on the data source type. Details on adding each type of data source are provided below.
NOTE: If you are adding a data source to a multi-user case, ensure that all Autopsy clients will have access to the data source at the same path. We recommend using UNC paths to ensure this consistent mapping.
3) Autopsy will perform a basic examination of the data source and populate an embedded database with an entry for each file in the data source. No file content is analyzed in this step; the files are only enumerated.
4) While it is examining the data source, you will be prompted with a list of ingest modules to enable. If one or more ingest profiles have been saved, there will be a screen before this asking whether to use one of the saved profiles or do a custom setup. See Ingest Modules for more information on setting up ingest profiles.
5) After you configure the ingest modules, you may need to wait for Autopsy to finish its basic examination of the data source.
6) After the ingest modules have been configured and the basic examination of the data source is complete, the ingest modules will begin to analyze the file contents.
Data sources can be removed from cases created with Autopsy 4.14.0 and later. See the section below.
Autopsy supports disk images in the following formats:
To add a disk image:
Autopsy can analyze a local disk without needing to first make an image copy of it. This is most useful when analyzing a USB-attached device through a write blocker.
Note that if you are analyzing a local disk that is still being written to, Autopsy will not see files added after the disk was added as a data source; the file list is built when the data source is enumerated and is not refreshed afterwards.
You will need to be running Autopsy as an Administrator to see all devices.
There is an option to make a copy of the local disk as a VHD during analysis. This VHD can be loaded in Windows or analyzed through Autopsy. There is an additional option to update the image path in the case database to this newly created file. Enabling this option will allow you to browse the case data normally even after the local disk is removed. Note that at least one ingest module must successfully run in order to generate the complete image copy.
To add a local drive:
You can add files or folders that are on your local computer (or on a shared drive) without putting them into a disk image. This is useful if you have only a collection of files that you want to analyze.
Some things to note when doing this:
To add logical files:
All of the files that you added in the panel will be grouped together into a single data source, called "LogicalFileSet" in the main UI.
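The checks below are an added illustration and are not part of Autopsy or its documentation. Because a case stores only a reference to the data source, a practitioner will usually want to confirm before adding it that the path is reachable (and is a UNC path for a multi-user case), and to record a hash so that later changes to the referenced image, local disk or logical-file folder can be detected. The folder case mirrors what Autopsy groups into a single LogicalFileSet. The helper names, the sample file names and the paths in the example are assumptions made for illustration.

```python
"""Pre-add checks for an Autopsy data source (added example, not Autopsy code).

Autopsy keeps a reference to the data source rather than copying it, so
these helpers (1) confirm the path is reachable, (2) insist on a UNC path
for multi-user cases, and (3) record SHA-256 values so later drift in the
referenced image or logical-file folder can be detected.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Matches \\server\share... ; mapped drive letters are rejected on purpose,
# since they may map differently on each client of a multi-user case.
UNC_RE = re.compile(r"^\\\\[^\\/]+\\[^\\/]+")


def is_unc_path(path: str) -> bool:
    """True for \\server\share\... paths, False for C:\... or mapped drives."""
    return bool(UNC_RE.match(path))


def sha256_of_file(path, chunk=1 << 20) -> str:
    """Stream a file through SHA-256 so large images are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def manifest(path) -> dict:
    """Return {relative_path: sha256} for a single image file, or for every
    file under a folder (the folder case is what Autopsy would group as a
    LogicalFileSet)."""
    root = Path(path)
    if root.is_file():
        return {root.name: sha256_of_file(root)}
    entries = {}
    for f in sorted(root.rglob("*")):
        if f.is_file():
            entries[f.relative_to(root).as_posix()] = sha256_of_file(f)
    return entries


def check_data_source(path: str, multi_user: bool = False) -> list:
    """Return a list of problems; an empty list means the source is safe to add."""
    problems = []
    if not os.path.exists(path):
        problems.append(f"not accessible: {path}")
    if multi_user and not is_unc_path(path):
        problems.append(f"multi-user case but not a UNC path: {path}")
    return problems


def verify_manifest(path, recorded: dict) -> list:
    """Compare a manifest recorded at add time with the current state and
    return the relative paths that were added, removed or modified."""
    current = manifest(path)
    return sorted(name for name in set(recorded) | set(current)
                  if recorded.get(name) != current.get(name))


def demo() -> dict:
    """Constructed sample: two small files stand in for a logical-file
    folder; one is altered after the manifest is recorded."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "notes.txt").write_bytes(b"constructed sample file\n")
        (root / "images").mkdir()
        (root / "images" / "usb.raw").write_bytes(b"\x00" * 512)
        problems_before = check_data_source(str(root))
        recorded = manifest(root)
        # Simulate the source changing after it was added to the case.
        (root / "images" / "usb.raw").write_bytes(b"\x00" * 511 + b"\x01")
        drift = verify_manifest(root, recorded)
    # The temporary folder is gone now: the "source went away" case.
    problems_after = check_data_source(str(root))
    return {
        "files": sorted(recorded),
        "problems_before": problems_before,
        "drift": drift,
        "problems_after": problems_after,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run the manifest once before adding the data source and keep the result with the case notes; re-running verify_manifest at the end of the examination shows whether the referenced evidence changed underneath the case, which is the failure mode the reference-only design exposes.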
There is also limited support for logical evidence (L01) files. To add one as a data source, select "Logical evidence file (L01)" in the top combo box and then browse to your file.
To add unallocated space image files:
This option allows you to add the results of a logical imager collection. See the Logical Imager page for details.
An XRY text export folder is expected to look similar to this:
To add exported text files:
As of Autopsy 4.14.0, data sources can be removed from cases. Removing a data source deletes all files associated with it, as well as all results from running ingest modules, tags, and timeline data. Reports will not be deleted, as most are not associated with a specific data source. If a new data source was created while processing another (from the Virtual Machine Extractor Module, for example), this new data source will also be deleted when its parent is deleted.
To delete a data source, right-click it in either the Tree Viewer or the Result Viewer and select "Remove Data Source". If the case was originally created with a version of Autopsy earlier than 4.14.0, this option will be disabled. After a confirmation dialog, the case will close and then reopen once the data source has been removed.
Copyright © 2012-2020 Basis Technology. Generated on Tue Sep 22 2020
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.