Autopsy User Documentation  4.16.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
Quick Start Guide

Cases and Data Sources

Autopsy organizes data by case. Each case can have one or more data sources, which can be a disk image, a set of logical files, a USB-connected device, etc.

Cases can either be single-user or multi-user. Multi-user cases allow several examiners to review the data at the same time and collaborate, but require some additional open source servers to be configured.

When you have several data sources and are deciding about creating creating a case, consider:

Creating a Case

To create a case, use either the "Create New Case" option on the Welcome screen or from the "Case" menu. This will start the New Case Wizard. You will need to supply it with the name of the case and a directory to store the case results into. You can optionally provide case numbers and reviewer names.

Adding a Data Source

The next step is to add an input data source to the case. The Add Data Source Wizard will start automatically after the case is created or you can manually start it from the "Case" menu or toolbar. You will need to choose the type of input data source to add (image, local disk, or logical files and folders). Next, supply it with the location of the source to add.

Next it will prompt you to configure the Ingest Modules.

Ingest Modules

Ingest modules are responsible for analyzing the data source contents and will run in the background. The Ingest Modules analyze files in a prioritized order so that files in a user's directory are analyzed before files in other folders. Ingest modules can be developed by third-parties.

The standard ingest modules included with Autopsy are:

When you select a module, you will have the option to change its settings. For example, you can configure which keyword search lists to use during ingest and which hash sets to use. Refer to the individual module help for details on configuring each module.

While ingest modules are running in the background, you will see a progress bar in the lower right. You can use the GUI to review incoming results and perform other tasks while ingesting at the same time.

Analysis Basics

After the ingest modules start to analyze the data source, you'll see the main analysis interface. You can choose to search for specific items, browse to specific folders, or review ingest module results.

screenshot.PNG

You will start all of your analysis techniques from the tree on the left.

When you select a node from the tree on the left, a list of files will be shown in the upper right. You can use the Thumbnail view in the upper right to view the pictures. When you select a file from the upper right, its contents will be shown in the lower right. You can use the tabs in the lower right to view the text of the file, an image, or the hex data.

If you are viewing files from the Views and Results nodes, you can right-click on a file to go to its file system location. This feature is useful to see what else the user stored in the same folder as the file that you are currently looking at. You can also right click on a file to extract it to the local system.

If you want to search for single keywords, then you can use the search box in the upper right of the program. The results will be shown in a table in the upper right.

The tree on the left as well as the table on the right have a UI Quick Search feature which can be used to quickly find a visible node.

You can tag (bookmark) arbitrary files so that you can more quickly find them later or so that you can include them specifically in a report.

Other Analysis Interfaces

In addition to the 3-panel UI with the tree on the left, there are other interfaces that are more specialized.

Timeline

The timeline feature can be opened from the "Tools" menu or the toolbar. This will show you file system and other events organized by time using various display techniques. See the Timeline section for more details.

Image Gallery

The Image Gallery focuses on showing the pictures and videos from the data source organized by folder. It will show you files as soon as they have been hashed and EXIF data extracted. You can open it from the "Tools" menu. See the Image Gallery Module section for more details.

Communications

The Communications interface focuses on showing which accounts were communicated with the most and what messages were sent. It allows you to focus on certain relationships or communications within a certain date rage. You can open it from the "Tools" menu. See the Communications Visualization Tool section for more details.

Example Use Cases

In this section, we will provide examples of how to do common analysis tasks.

Web Artifacts

If you want to view the user's recent web activity, make sure that the Recent Activity ingest module was enabled. You can then go to the "Results " node in the tree on the left and then into the "Extracted Data" node. There, you can find bookmarks, cookies, downloads, and history.

Known Bad Hash Files

If you want to see if the data source had known bad files, make sure that the Hash Lookup ingest module was enabled. You can then view the "Hashset Hits" section in the "Results" area of the tree on the left. Note that hash lookup can take a long time, so this section will be updated as long as the ingest process is ongoing. Use the Ingest Inbox to keep track of what known bad files were recently found.

When you find a known bad file in this interface, you may want to right click on the file to also view the file's original location. You may find additional files that are relevant and stored in the same folder as this file.

Media: Images and Videos

If you want to see all images and video on the disk image, then go to the "Views" section in the tree on the left and then "File Types". Select either "Images" or "Videos". You can use the thumbnail option in the upper right to view thumbnails of all images.

You can select an image or video from the upper right and view the video or image in the lower right. Video will be played with sound.

Reporting

A final report can be generated that will include all analysis results using the "Generate Report" toolbar button. Reports can be generated in HTML, XLS, KML, and other formats.

You can later find your generated reports by going to the tree and opening the Reports node at the bottom.


Copyright © 2012-2020 Basis Technology. Generated on Tue Sep 22 2020
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.