You need to create a case before you can analyze data in Autopsy. A case can contain one or more data sources (disk images, disk devices, logical files). The data sources can be from multiple drives in a single computer or from multiple computers. It's up to you.
Each case has its own directory that is named based on the case name. The directory will contain configuration files, a database, reports, and other files that modules generates. The main Autopsy case configuration file has an ".aut" extension.
Creating a Case
There are several ways to create a new case:
- The opening splash screen has a button to create a new case.
- The "Case", "Create New Case" menu item
The New Case wizard dialog will open and you will need to enter the case name and base directory. A directory for the case will be created inside of the "base directory". If the directory already exists, you will need to either delete the existing directory or choose a different combination of names.
NOTE: You will only have the option of making a multi-user case if you have configured Autopsy with multi-user settings. See Setting Up Multi-user Environment for installation instructions and Creating Multi-user cases for details on creating multi-user cases.
You will also be prompted for optional information, such as investigator name and case number.
After you create the case, you will be prompted to add a data source, as described in Adding a Data Source.
Opening a Case
To open a case, either:
- Choose "Open Existing Case" or "Open Recent Case" from the opening splash screen.
- Choose the "Case", "Open Case" menu item or "Case", "Open Recent Case"
Navigate to the case directory and select the ".aut" file.
Viewing Case Properties
You can view the case properties by going to the "Case" menu and clicking "Case Properties". This will open a screen similar to one of the two following screenshots:
You can use the "Ingest History" tab to view which data sources had which modules run upon them, and when, as shown in the screenshot below.
