Autopsy
Description
Autopsy is an open-source digital forensics analysis platform used during incident response investigations. It is one of the primary technical tools that responders rely on for forensic analysis of disk images, file systems, and digital evidence. Autopsy supports a wide range of forensic modules for timeline analysis, keyword searching, hash lookup, data carving, and more.
Usage 1: Forensic Disk Image Analysis
Open a forensic disk image (e.g., E01, DD, raw) in Autopsy to analyze file systems, recover deleted files, examine artifacts, and build timelines during an incident investigation.
Steps:
1. Launch Autopsy
2. Create a New Case (provide case name and directory)
3. Add a Data Source (select the disk image file)
4. Select ingest modules to run (e.g., Hash Lookup, Keyword Search, Recent Activity)
5. Analyze results in the Tree View, Timeline, and other panels
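Added example, not Autopsy's or The Sleuth Kit's own code: a small Python stand-in for what step 4's Hash Lookup ingest module and step 5's Timeline panel do, run over a plain directory tree instead of a mounted image. It also re-hashes a file the way Autopsy verifies an acquired image against the hash recorded at acquisition. The sample files, the known-bad hash set and the directory layout are constructed for the demo; the body-file layout it emits is the TSK 3.x format that mactime reads.

```python
"""Added example: a stand-in for Autopsy's Hash Lookup and Timeline ingest
modules, run over a plain directory tree instead of a disk image.
Not Autopsy's or The Sleuth Kit's code; sample files and the known-bad
hash set are constructed for the demo."""
import hashlib
import stat
import tempfile
from pathlib import Path

# Constructed stand-in for a hash database (Autopsy loads NSRL or custom sets).
SAMPLE_BAD_CONTENT = b"MZ\x90\x00 constructed suspicious sample"
KNOWN_BAD_MD5 = {hashlib.md5(SAMPLE_BAD_CONTENT).hexdigest()}


def hash_file(path, algorithms=("md5", "sha1")):
    """Hash a file in chunks so large evidence files are never read whole into memory."""
    hashes = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def verify_image_hash(image_path, expected_sha256):
    """Re-hash an acquired image and compare it with the hash recorded at acquisition."""
    return hash_file(image_path, ("sha256",))["sha256"] == expected_sha256


def hash_lookup(root, known_bad):
    """Hash Lookup ingest: return (relative path, md5) for every file found in the set."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            md5 = hash_file(path)["md5"]
            if md5 in known_bad:
                hits.append((str(path.relative_to(root)), md5))
    return hits


def body_file_lines(root):
    """Emit TSK 3.x body-file lines, the format mactime consumes:
    MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime"""
    root = Path(root)
    lines = []
    for path in sorted(root.rglob("*")):
        st = path.lstat()
        md5 = hash_file(path)["md5"] if path.is_file() else "0"
        crtime = int(getattr(st, "st_birthtime", 0))  # 0 where the OS keeps no birth time
        fields = [md5, str(path.relative_to(root)), str(st.st_ino),
                  stat.filemode(st.st_mode), str(st.st_uid), str(st.st_gid),
                  str(st.st_size), str(int(st.st_atime)), str(int(st.st_mtime)),
                  str(int(st.st_ctime)), str(crtime)]
        lines.append("|".join(fields))
    return lines


def timeline(root):
    """Flatten body-file lines into (timestamp, MACB flag, name) events, oldest first."""
    events = []
    for line in body_file_lines(root):
        fields = line.split("|")
        # body-file order is atime, mtime, ctime, crtime -> MACB letters a, m, c, b
        for ts, flag in zip(fields[7:11], "amcb"):
            if int(ts) > 0:
                events.append((int(ts), flag, fields[1]))
    return sorted(events)


def build_sample_evidence():
    """Constructed evidence tree standing in for a mounted image."""
    root = Path(tempfile.mkdtemp(prefix="autopsy_demo_"))
    (root / "Windows").mkdir()
    (root / "Windows" / "notepad.exe").write_bytes(b"MZ\x90\x00 constructed benign binary")
    (root / "Users").mkdir()
    (root / "Users" / "update.exe").write_bytes(SAMPLE_BAD_CONTENT)
    return root


if __name__ == "__main__":
    evidence = build_sample_evidence()
    print("hash set hits:", hash_lookup(evidence, KNOWN_BAD_MD5))
    for ts, flag, name in timeline(evidence):
        print(ts, flag, name)
```

Running the script hashes every file, reports the one whose MD5 matches the constructed known-bad set, and prints a mactime-style timeline. On a real case Autopsy does the same work against the file system inside the image, with the hash set and timestamps coming from the image rather than from the examiner's own disk.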
Usage 2: Incident Response Evidence Examination
Autopsy is used alongside other IR tools (FTK Imager for acquisition, Velociraptor for endpoint collection) to perform deep forensic analysis of collected evidence.
Context from Notes:
Forensic analysis tools such as Autopsy and EnCase are part of the standard IR toolkit alongside:
- Packet sniffers
- Forensic image-capture tools (FTK Imager)
- Smartphones and basic mobile phones for out-of-band communications
- Removable media to store collected evidence
- Network taps to inspect network traffic
Notes
- Autopsy is the GUI front end for The Sleuth Kit (TSK)
- Supports multiple image formats: E01, DD, raw, VHD, VMDK
- Can be used for both Windows and Linux forensic analysis
- Commonly paired with FTK Imager (for acquisition) and EnCase (as an alternative analysis tool)