Autopsy User Documentation  3.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
Data Sources

A data source the thing you want to analyze. It can be a disk image, some logical files, a local drive, etc. You must open a case prior to adding a data source to Autopsy.

Autopsy supports three types of data sources:

Adding a Data Source

You can add a data source in several ways:

The data source must remain accessible for the duration of the analysis because the case contains a reference to the data source. It does not copy the data source into the case folder.

Regardless of the type of data source, there are some common steps in the process:

1) You will be prompted to specify the data source to add (details are provided below)

select-data-source-type.PNG

2) Autopsy will perform a basic examination of the data source and populate an embedded database with an entry for each file in the data source. No content is analyzed in the process, only the files are enumerated.

3) While it is examining the data source, you will be prompted with a list of ingest modules to enable.

select-ingest-modules.PNG

4) After you configure the ingest modules, you may need to wait for Autopsy to finish its basic examination of the data source.

data-source-progress-bar.PNG

5) After the ingest modules have been configured and the basic examination of the data source is complete, the ingest modules will begin to analyze the file contents.

You cannot remove a data source from a case.

Adding a Disk Image

Autopsy supports disk images in the following formats:

To add a disk image:

  1. Choose "Image File" from the pull down.
  2. Browse to the first file in the disk image. You need to specify only the first file and Autopsy will find the rest.
  3. Choose the timezone that the disk image came from. This is most important for when adding FAT file systems because it does not store timezone information and Autopsy will not know how to normalize to UTC.
  4. Choose to perform orphan file finding on FAT file systems. This can be a time intensive process because it will require that Autopsy look at each sector in the device.

Adding a Local Drive

Autopsy can analyze a local drive without needing to first make an image copy of it. This is most useful when analyzing a USB-attached device through a write blocker.

Note that if you are analyzing a local drive that is being updated, then Autopsy will not see files that are added after you add it as a data source.

You will need to be running Autopsy as an Administrator to view all devices.

To add a local drive:

  1. Choose "Local Drive" from the pull down.
  2. Choose the device from the pull down list.
  3. Choose to perform orphan file finding. See comment in Adding a Disk Image about this setting.

Adding a Logical File

You can add files or folders that are on your local computer (or on a shared drive) without putting them into a disk image. This is useful if you have only a collection of files that you want to analyze.

Some things to note when doing this:

To add logical files:

  1. Choose "Logical Files" from the pull down.
  2. Press the "Add" button and navigate to a folder or file to add. Choosing a folder will cause all of its contents (including sub-folders) to be added.
  3. Continue to press "Add" until all files and folders have been selected.

All of the files that you added in the panel will be grouped together into a single data source, called "LogicalFileSet" in the main UI.

Copyright © 2012-2015 Basis Technology. Generated on Mon Oct 19 2015
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.