Image Analysis: Autopsy

Theory

Autopsy

The Sleuth Kit (TSK) is a library and a collection of command-line tools used to investigate disk images. Autopsy is the GUI program for TSK; it displays the results of the forensic searches carried out on the images. These results help the investigator locate relevant sections of data in their investigation. Autopsy is used by law enforcement, military, and corporate examiners to investigate the actions that took place on the evidence computer; it can also be used to recover deleted data from digital devices.

Autopsy operates on disk images, which can be created using tools like FTK Imager. Here an already created image is used. You may download Autopsy from here.
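Before an already created image is added to a case, it is worth confirming that it still matches the hash recorded when it was acquired. The script below is an added example, not part of the original page or of Autopsy/TSK; it assumes a raw image, optionally split into segments named .001, .002, and so on, and its function names and sample data are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

ALGORITHMS = ("md5", "sha1", "sha256")

def image_segments(first_segment):
    """List the image's files in order, following raw split naming (.001, .002, ...)."""
    first = Path(first_segment)
    if first.suffix != ".001":
        return [first]
    segments, n = [], 1
    while (seg := first.with_suffix(f".{n:03d}")).exists():
        segments.append(seg)
        n += 1
    if not segments:
        raise FileNotFoundError(first)
    return segments

def hash_image(first_segment, chunk_size=1024 * 1024):
    """Read every segment once in chunks, updating all digests in the same pass."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    for seg in image_segments(first_segment):
        with open(seg, "rb") as fh:
            while chunk := fh.read(chunk_size):
                for digest in digests.values():
                    digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}

def verify_image(first_segment, recorded):
    """Return {algorithm: matches} for each recorded acquisition hash."""
    computed = hash_image(first_segment)
    results = {}
    for name, expected in recorded.items():
        key = name.lower().replace("-", "")
        if key in computed:
            results[key] = computed[key] == expected.strip().lower()
    if not results:
        raise ValueError("no recorded hash uses a supported algorithm")
    return results

if __name__ == "__main__":  # constructed two-segment sample image
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "evidence.001").write_bytes(b"\x00" * 4096)
        Path(tmp, "evidence.002").write_bytes(b"\x11" * 1024)
        noted = {"SHA-256": hashlib.sha256(b"\x00" * 4096 + b"\x11" * 1024).hexdigest()}
        print(verify_image(Path(tmp, "evidence.001"), noted))  # {'sha256': True}
        Path(tmp, "evidence.002").write_bytes(b"\x12" * 1024)  # simulate alteration
        print(verify_image(Path(tmp, "evidence.001"), noted))  # {'sha256': False}
```

A `False` for any algorithm means the file on disk is not the image that was acquired, and it should not be analysed until the discrepancy is explained.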


Practical

Analyzing a forensic disk image using Autopsy

  • Open Autopsy in Windows

  • Create a New Case

  • Enter a Case name

  • Click on Next

  • Enter the Case number

  • Enter Examiner details

  • Click on Finish

  • Select Generate new host name based on data source name

  • Click on Next

  • Select Disk image or VM file

  • Click on Next

  • Select the path of the image file

  • Click on Next

  • Select all the options

  • Click on Next

  • Click on Finish

Autopsy Results

Now expand and review the items from the left side pane.

