Understanding Autopsy Software for Analysis

Apr 6, 2025

Autopsy Software Lecture Notes

Introduction

  • Autopsy software is a free tool for digital investigation and forensic analysis.
  • Available for download at autopsy.com.

Installation

  • Choose between 32-bit and 64-bit versions.
    • Recommendation: Use the 64-bit version for better performance (systems with over 4 GB of RAM).
  • The demonstration uses a Windows 7 virtual machine.

Creating a Case

  • Initial interface requires creating a case.
    • Click on New Case.
    • Example name: Disk Analysis.
    • Change path to a different drive (D drive recommended).
  • Input case details:
    • Case number, investigator's name, phone number, email address, organization (if applicable).

Selecting Host

  • Options for creating or using existing host files.
  • Ability to create disk images from tools like FTK Imager.

Image Selection

  • Select local file (e.g., drive C) for analysis.
  • Important: Save analysis results in a different partition.
  • Option to create VHD (virtual hard disk) images.

Analysis Options

  • Select time zone and hash lookup options.
  • Additional options for analyzing Android and iOS devices.

Analysis Progress

  • Monitor analysis progress on the interface.
  • Notifications for issues during extraction.
  • Ability to save results as CSV.

Reviewing Results

  • After completion of analysis:
    • File Types: Segregated by images, videos, audio, etc.
    • File Metadata: Important for investigative reports (creation date, access date).
    • Artifacts: Information about installed software, recent documents accessed.
    • User Activity: Running programs, shellbags, USB device logs, web history, cookies.
    • Email Information: Email software used, logs, messages.

Reports and Tags

  • Ability to tag files and generate reports.
  • Export options include Excel, HTML, and text files.
  • Example of generated report includes:
    • Case details, metadata, web history, artifact findings.

Conclusion

  • Autopsy provides detailed analysis capabilities compared to other forensic software.
  • Version used: 4.5.
  • Encouraged to practice with the software for better understanding of digital forensics.