Autopsy - Create New Case | CyberWiki - Encyclopedia of Cybersecurity

An autopsy is an open-source digital forensics tool developed by Basis Technology, first released in 2000. It is a free-to-use and quite efficient tool for hard drive investigation with features like multi-user cases, timeline analysis, registry analysis, keyword search, email analysis, media playback, EXIF analysis, malicious file detection, and much more.

Start a new case in Autopsy

Step 1: Select New Case from the Autopsy menu.

New Case Option

Step 2: Provide the Case Name as well as the location where the case file will be saved. After completing these details click on Next.

Folder location to save case files

Step 3: Include the Case Number as well as the Examiner's information and then click on Finish.

Details of case

Step 4: Select the appropriate data source type (We have taken Disk Image for Demo Purposes) and then click on next.

Selecting Data Source

Data sources autopsy supports:

Disk Image or VM File: A file that is a byte-for-byte copy of a hard drive or media card, or a virtual machine image.

Local Disk: Local storage devices like a local drive, USB-attached drive, etc.

Logical Files: Local files or folders.

Unallocated Space Image Files: Any type of file that does not contain a file system but you want to run through ingest

Autopsy Logical Imager Results: The results after running the logical imager can be used in a case using this type of data source.

XRY Text Export: The results from exporting text files from XRY.

Step 5: Specify the source of data and then click on next.

Specifying the source of data

Step 6: Choose the modules that are necessary for the case and then click on next.

Select necessary modules

The ingest modules help in determining the factors for the data in the data source.

Recent Activity: Find out about the most recent disc actions, such as the files that were the last read.

Hash Lookup: Use hash values to find files.

File Type Identification: Rather than relying on file extensions, identify files based on their internal signatures.

Extension Mismatch Detector: Detect files with tampered/changed extensions, presumably to hide evidence.

Embedded File Extractor: It extracts embedded files such as.zip, .rar, and other formats and analyses the resulting file. A PNG picture stored within a document to make it look like a document and so hide vital information is another example.

EXIF (Exchangeable Image File Format) Parser: It's used to get information about the file's metadata, such as the date of creation, geolocation, and so on.

Keyword Search: It looks for a certain term or pattern in the data source.

Email Parser: If the disc contains any type of email database, such as Outlook's pst/ost files, an email parser can extract information from these files.

Encryption Detection: Encrypted / password-protected files are detected and identified.

Interesting File Identifier: Let's develop some custom rules for data filtering. When findings related to these guidelines are discovered, the examiner is alerted.

Correlation Engine: Allows properties to be saved in the central repository and subsequently retrieved. It helps in the visual representation of associated characteristics.

PhotoRec Carver: Recover files, photographs, and other items from the free space.

Virtual Machine Extractor: Any Virtual Machine discovered on the data source can be extracted and analyzed using this module.

Data Source Integrity: If the hash values aren't already in the database, it calculates them and saves them. Otherwise, the hash values connected with the database will be checked.