Autopsy User Documentation
4.20.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
|
The tree on the left-hand side of the main window is where you can browse the files in the data sources in the case and find saved results from automated analyis (ingest). The tree has seven main areas:
You can also use the "Group by Person/Host" option available through the View Options to move the Views, Results, and Tags tree nodes under their corresponding person and host. This can be helpful on very large cases to reduce the size of each sub tree.
By default, the top node of the tree viewer will contain all data sources in the case. The Data Sources node is organized by host and then the data source itself. Right clicking on the various nodes in the Data Sources area of the tree will allow you to get more options for each data source and its contents.
If the "Group by Person/Host" option has been selected in the View Options, the hosts and data sources will be organized under any persons that have been associated with the hosts. Additionally, the rest of the nodes (Views, Results, etc) will be found under each data source.
If the "Group by Person/Host" option in the View Options has been set, the top level nodes will display persons. Persons are manually created and can be associated with one or more hosts. To add or remove a person from a host, right-click on the host and select the appropriate option.
You can edit and delete persons by right-clicking on the node.
All data sources are organized under host nodes. See the hosts page for more information on using hosts.
Under the hosts are the nodes for each data source.
Unallocated space is the chunks of a file system that are currently not being used for anything. Unallocated space can hold deleted files and other interesting artifacts. In an image data source, unallocated space is stored in blocks with distinct locations in the file system. However, because of the way carving tools work, it is better to feed these tools a single, large unallocated space file. Autopsy provides access to both methods of looking at unallocated space.
An example of the single file extraction option is shown below.
Views filter all the files in the case by some property of the file.
This section shows the data artifacts created by running ingest. In general, data artifacts contain concrete information extracted from the data source. For example, call logs and messages from communication logs or web bookmarks extracted from a browser database.
This section shows the analysis results created by running ingest. In general, analysis results contain information that the user has indicated they are interested in. For example, if the user sets up a list of notable hashes, any hash set hits will appear here.
This section shows the OS accounts found in the case. See OS Accounts for an example.
Any item you tag shows up here so you can find it again easily. See Tagging and Commenting for more information.
Reports can be added by Ingest Modules or created using the Reporting tool.
Copyright © 2012-2022 Basis Technology. Generated on Tue Aug 1 2023
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.