Description
Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit and other forensics tools. It analyzes disk images, recovers deleted files, extracts artifacts, and generates forensic reports.
Installation
BASH
# Linux (the Debian/Ubuntu package is the older 2.x web-based Autopsy; the 4.x desktop GUI comes from the download page)
sudo apt install autopsy
# Or download from https://www.autopsy.com/download/
# Launch the 2.x server (it prints the URL to open in a browser)
autopsy
# Web interface: http://localhost:9999/autopsy
Basic Usage
BASH
# CLI workflow with Sleuth Kit
# List partitions (the Start column is the sector offset that -o expects below)
mmls disk.dd
# List files in the partition starting at sector 2048
fls -o 2048 disk.dd
# Recover a (deleted) file by its metadata address (inode), as printed by fls
icat -o 2048 disk.dd 12345 > recovered_file
# Search for strings anywhere in the image, including slack and unallocated space
strings -a disk.dd | grep -i password
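The `-o 2048` in the commands above is not a constant: it is the Start sector of the partition as printed by `mmls`, and passing the wrong one makes `fls`/`icat` fail or read the wrong file system. As an added example (not part of Autopsy or The Sleuth Kit), the script below parses `mmls` output, skips the meta and unallocated rows, and builds the matching `fls` invocations; the `mmls` listing is constructed for illustration.

```python
"""Parse `mmls` partition-table output and derive the sector offsets that
fls/icat expect in -o.  Added example, not Sleuth Kit code; the mmls output
below is constructed."""
import re

# Constructed sample of what `mmls disk.dd` prints for a DOS partition table
# on a 512-byte-sector image with two Linux volumes.
SAMPLE_MMLS = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0001026047   0001024000   Linux (0x83)
003:  000:001   0001026048   0020971519   0019945472   Linux (0x83)
"""

_UNITS_RE = re.compile(r"Units are in (\d+)-byte sectors")
# Table rows: index, slot, start, end, length, description
_ROW_RE = re.compile(r"^(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")


def parse_mmls(text):
    """Return (sector_size, [volume dicts]) for the allocated volume slots.

    The partition-table entry itself ("Meta") and unallocated gaps are
    skipped: they hold no file system that fls/icat could be pointed at.
    """
    m = _UNITS_RE.search(text)
    sector_size = int(m.group(1)) if m else 512  # mmls default unit
    volumes = []
    for line in text.splitlines():
        row = _ROW_RE.match(line.strip())
        if not row:
            continue
        idx, slot, start, end, length, desc = row.groups()
        if slot == "Meta" or desc.startswith("Unallocated"):
            continue
        volumes.append({
            "index": int(idx),
            "slot": slot,
            "start": int(start),          # what fls/icat -o expects (sectors)
            "length": int(length),
            "description": desc.strip(),
            # Byte offset for tools that want bytes rather than sectors
            # (e.g. mount -o offset=...).
            "byte_offset": int(start) * sector_size,
        })
    return sector_size, volumes


def tsk_commands(image, volumes):
    """Build one recursive fls command per volume with the right -o."""
    return [f"fls -r -o {v['start']} {image}" for v in volumes]


if __name__ == "__main__":
    size, vols = parse_mmls(SAMPLE_MMLS)
    for v in vols:
        print(v)
    for cmd in tsk_commands("disk.dd", vols):
        print(cmd)
```

Only the table rows are parsed, so the script works the same on GPT output from `mmls`; the byte offset is kept because loop-mounting and `fls -o` disagree on units, which is a common source of "cannot determine file system type" errors.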
Advanced Usage
BASH
# File carving (scalpel carves nothing until the wanted file types are uncommented in its config)
scalpel -c scalpel.conf -o output/ disk.dd
# Timeline generation: body file from fls, then mactime (-d gives comma-separated output)
fls -m "/" -r -o 2048 disk.dd > body.txt
mactime -b body.txt -d > timeline.csv
# Hash analysis: hash every file on the mounted evidence for known-good/known-bad matching
md5deep -r /mnt/evidence/ > hashes.txt
# Keyword search with decimal byte offsets, so hits can be mapped back to a file or sector
srch_strings -a -t d disk.dd | grep -i "credit card"
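The `md5deep` listing above is only useful once it is compared against a hash set: a known-good set (NSRL-style) removes standard files from the review pile, and a known-bad set flags matches. As an added example (not md5deep's or Autopsy's own code), this script parses `md5deep` output, loads a hash set written in the same format so the same file could be fed to `md5deep -m`, and splits the evidence listing into known and unknown files; all hashes and paths are constructed.

```python
"""Triage md5deep output against a hash set.  Added example, not Autopsy or
md5deep code; the listings and hashes below are constructed."""

# Constructed `md5deep -r /mnt/evidence/` output: "<md5>  <path>" (two spaces).
SAMPLE_HASHES = """\
b026324c6904b2a9cb4b88d6d61c81d1  /mnt/evidence/bin/ls
26ab0db90d72e28ad0ba1e22ee510510  /mnt/evidence/bin/cat
6d7fce9fee471194aa8b5b6e47267f03  /mnt/evidence/tmp/unknown.bin
48a24b70a0b376535542b996af517398  /mnt/evidence/home/user/notes.txt
"""

# Constructed known-good set, in md5deep's own output format so the same
# file works with `md5deep -m known.txt`.
KNOWN_GOOD = """\
b026324c6904b2a9cb4b88d6d61c81d1  /usr/bin/ls
26ab0db90d72e28ad0ba1e22ee510510  /usr/bin/cat
"""

HEX = set("0123456789abcdef")


def parse_md5deep(text):
    """Yield (md5, path) pairs from md5deep-style lines.

    Paths may contain single spaces, so split on the first double space
    rather than on whitespace; malformed hashes raise instead of being
    silently treated as "unknown".
    """
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, _, path = line.partition("  ")
        digest = digest.strip().lower()
        if len(digest) != 32 or not set(digest) <= HEX:
            raise ValueError(f"not an MD5 line: {line!r}")
        yield digest, path


def load_hash_set(text):
    """Hash set as a Python set for O(1) membership tests."""
    return {digest for digest, _ in parse_md5deep(text)}


def triage(listing, hash_set):
    """Split the evidence listing into (matched, unmatched) path lists.

    With a known-good set the unmatched list is what remains to review;
    with a known-bad set the matched list is the hit list.
    """
    matched, unmatched = [], []
    for digest, path in parse_md5deep(listing):
        (matched if digest in hash_set else unmatched).append(path)
    return matched, unmatched


if __name__ == "__main__":
    known, to_review = triage(SAMPLE_HASHES, load_hash_set(KNOWN_GOOD))
    print("known-good:", known)
    print("review:", to_review)
```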
Common Workflows
BASH
# Evidence processing pipeline (TSK reads E01 images directly when built with libewf)
mmls evidence.E01 # Find partitions; note the Start sector of the volume of interest
fls -r -o 2048 evidence.E01 # List all files (2048 = Start sector from mmls)
icat -o 2048 evidence.E01 <inode> # Extract a file by the metadata address fls printed
fls -m "/" -r -o 2048 evidence.E01 > body.txt # Body file: input for mactime
mactime -b body.txt -d # Generate timeline (comma-separated)
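The timeline step in both the Advanced Usage and the pipeline above hinges on the body file that `fls -m` writes and `mactime -b` reads: one `|`-separated line per file with epoch timestamps for atime, mtime, ctime and crtime. As an added example (not mactime's or Autopsy's code), the script below parses that format and reproduces what `mactime -d` does with it: one row per distinct timestamp per file, tagged with `m`/`a`/`c`/`b` flags and sorted chronologically; the two-line body file is constructed.

```python
"""Turn a Sleuth Kit body file (written by `fls -m`) into a mactime-style
timeline.  Added example, not mactime's own code; the body file below is
constructed."""
import csv
import io
from datetime import datetime, timezone

# Body file (v3) columns as written by fls -m and read by mactime -b.
FIELDS = ["md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime"]

# Constructed body.txt: an allocated file and a deleted file whose
# m/a/c times were all touched in one event after its creation.
SAMPLE_BODY = """\
0|/etc/hosts|131074|r/rrw-r--r--|0|0|220|1700000000|1690000000|1690000000|1690000000
0|/home/user/notes.txt (deleted)|262145|r/rrw-------|1000|1000|4096|1700003600|1700003600|1700003600|1699990000
"""


def parse_body(text):
    """Parse body-file lines into dicts; timestamps and size become ints."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields: {line!r}")
        rec = dict(zip(FIELDS, parts))
        for key in ("size", "atime", "mtime", "ctime", "crtime"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def build_timeline(records):
    """One row per (file, distinct timestamp) with mactime's macb flags.

    Timestamp fields that share a value collapse into one row (e.g. "mac."),
    and a 0 timestamp means "not set" and is skipped, as mactime does.
    """
    rows = []
    for rec in records:
        by_time = {}
        for flag, key in (("m", "mtime"), ("a", "atime"),
                          ("c", "ctime"), ("b", "crtime")):
            if rec[key] != 0:
                by_time.setdefault(rec[key], set()).add(flag)
        for t, flags in by_time.items():
            macb = "".join(f if f in flags else "." for f in "macb")
            rows.append({"time": t, "macb": macb, "size": rec["size"],
                         "mode": rec["mode"], "uid": rec["uid"],
                         "gid": rec["gid"], "inode": rec["inode"],
                         "name": rec["name"]})
    rows.sort(key=lambda r: (r["time"], r["name"]))
    return rows


def to_csv(rows):
    """Render rows with the same header mactime -d prints; dates in UTC."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["Date", "Size", "Type", "Mode", "UID", "GID", "Meta", "File Name"])
    for r in rows:
        date = datetime.fromtimestamp(r["time"], tz=timezone.utc)
        writer.writerow([date.strftime("%a %b %d %Y %H:%M:%S"), r["size"],
                         r["macb"], r["mode"], r["uid"], r["gid"],
                         r["inode"], r["name"]])
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(build_timeline(parse_body(SAMPLE_BODY))), end="")
```

Dates are rendered in UTC on purpose: body-file timestamps are epoch values, and mixing the analysis machine's local zone into the timeline is the classic way to mis-order events from evidence collected in another zone.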