Autopsy is the open-source GUI forensic suite built on top of The Sleuth Kit (TSK). Used by law enforcement, military, and corporate examiners to investigate disk images. Free, modular, runs ingest modules over a data source and surfaces results in a unified case interface. Single-user and multi-user deployments.
Side: blue
Deployment
| Mode | Use case |
|---|---|
| Single-User | one analyst at a time on the case file |
| Multi-User | multiple examiners collaborating on a large case (requires shared infrastructure: PostgreSQL, Solr, ActiveMQ) |
Autopsy itself wraps The Sleuth Kit — a library and collection of command-line tools (fls, mmls, icat, etc.) that analyse volume and filesystem data. Autopsy is the GUI; TSK is the engine.
Workflow
- Create a case — case name, examiner name, case number
- Add a data source — a disk image (.dd, .E01), a single file, or a logical folder
- Configure ingest modules — analysers that run in the background
- Review results as they populate in the Tree, Result Viewer, and Content Viewer panes
- Tag items of interest and generate a report
Three ways to invoke ingest modules:
- run-immediately on data-source add (default)
- right-click a data source → Run Ingest Modules
- toolbar Tools → Run Ingest Modules
Key features
| Feature | What it does |
|---|---|
| Timeline Analysis | renders filesystem MAC times + log events on a single chronological view |
| Keyword Search | text extraction with index over the data source; supports literal words and regex |
| Web Artifacts | extracts browsing history, cookies, downloads from Firefox / Chrome / Edge / IE |
| Registry Analysis | runs RegRipper internally for SAM / SYSTEM / SOFTWARE / NTUSER hive parsing |
| LNK File Analysis | parses Windows shortcut files for accessed-document and target-path metadata |
| Email Analysis | parses MBOX (Thunderbird) and PST files |
| Hash Calculation | MD5 and SHA-1 hashing of every file for known-good / known-bad matching |
| Recycle Bin Recovery | shows files deleted to Recycle Bin that have not yet been overwritten |
| Recent Activity | aggregates recently-opened documents, USB device history, executed programs |
| Interesting Files | rule-based flagging of files matching a curated definition |
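Added example (not Autopsy's or TSK's own code) showing what Timeline Analysis does with filesystem MAC times: it reads bodyfile lines in the format that TSK's `fls -r -m / image` emits (`MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime`, epoch seconds, 0 meaning unset), collapses each entry's four timestamps into events tagged with which of m/a/c/b fired, and sorts them chronologically the way `mactime` does. The bodyfile lines, paths and timestamps are constructed for the example, not taken from a real image.

```python
"""Build a mactime-style timeline from TSK bodyfile lines.

Added example, not part of the Autopsy or TSK projects. Input is the bodyfile
format written by `fls -m`:
    MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
Timestamps are Unix epoch seconds; 0 means "not set".
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample bodyfile lines (hypothetical paths, not from a real image).
SAMPLE_BODYFILE = """\
0|/Users/alice/Downloads/invoice.docx|1234-128-1|r/rrwxrwxrwx|0|0|48213|1700000300|1700000100|1700000100|1700000050
0|/Users/alice/AppData/Roaming/Microsoft/Windows/Recent/invoice.lnk|1240-128-1|r/rrwxrwxrwx|0|0|1024|1700000310|1700000310|1700000310|1700000310
0|/Windows/Temp/update.exe|1300-128-3|r/rrwxrwxrwx|0|0|204800|1700000400|1700000350|1700000350|1700000350
0|/$Recycle.Bin/S-1-5-21-1/$R3QZ9X.docx|1400-128-1|r/rrwxrwxrwx|0|0|48213|1700000900|1700000100|1700000900|1700000900
"""

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")


@dataclass(frozen=True)
class TimelineEvent:
    ts: int      # epoch seconds
    flags: str   # subset of "macb", kept in that order
    path: str
    inode: str
    size: int


def parse_bodyfile(text):
    """Parse bodyfile text into dicts; reject lines with the wrong field count."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        row = dict(zip(FIELDS, parts))
        for key in ("size", "atime", "mtime", "ctime", "crtime"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def build_timeline(rows):
    """One event per distinct timestamp of each entry, tagged m/a/c/b like mactime."""
    events = []
    for row in rows:
        by_ts = {}
        for flag, key in (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime")):
            ts = row[key]
            if ts == 0:          # unset timestamp: no event
                continue
            by_ts.setdefault(ts, []).append(flag)
        for ts, flags in by_ts.items():
            ordered = "".join(f for f in "macb" if f in flags)
            events.append(TimelineEvent(ts, ordered, row["name"], row["inode"], row["size"]))
    # Chronological order; ties broken by path so output is deterministic.
    return sorted(events, key=lambda e: (e.ts, e.path))


def render(events):
    """Format events as UTC date, macb column, size, inode, path."""
    lines = []
    for e in events:
        when = datetime.fromtimestamp(e.ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        column = "".join(f if f in e.flags else "." for f in "macb")
        lines.append(f"{when} {column} {e.size:>8} {e.inode:<12} {e.path}")
    return lines


if __name__ == "__main__":
    for line in render(build_timeline(parse_bodyfile(SAMPLE_BODYFILE))):
        print(line)
```

Reading the output top to bottom is the same exercise Autopsy's timeline view supports: the document's creation, the `.lnk` recording it was opened, an executable landing in `Windows\Temp`, and the document's later move to the Recycle Bin (a changed ctime/crtime with the original mtime preserved) all fall into one sequence.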
Ingest modules
Modules run in the background as the data source is processed. Results appear in real time on the interface.
Module configuration on first use of a data source:
- choose which file types to scan (drop-down filter)
- enable / disable individual modules
- running every module is slower; pick what the case actually needs
Interface panes
| Pane | Contents |
|---|---|
| Tree | data sources, file system view, results categories (Web History, Hash Hits, etc.) |
| Result Viewer | tabular list of items in the selected tree node |
| Content Viewer | hex / strings / metadata / image / application views of a selected item; pluggable for additional viewer types |
| Data Artifacts | results from background ingest tasks and search results |
| Reports | references to generated reports |
The Content Viewer is plug-in based — install modules to add new viewer types.
Reports
Generated from the Reports node or via Tools → Generate Report. Common formats: HTML, Excel, KML (for GPS data). Include selected categories: tagged files, web history, keyword hits, hash hits, etc.
Pitfalls
- Running every ingest module on a large image is slow and can dominate analysis time. Start with the modules the case requires.
- Keyword Search builds an index. For multi-GB images, allow significant ingest time before searching.
- Multi-User mode requires shared PostgreSQL + Solr + ActiveMQ infrastructure. Single-User is the default for solo investigations.
- Autopsy hashes every file by default; turn off Hash Lookup if you do not need it and want faster ingestion.
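Added example (not Autopsy's own code) of the Hash Calculation feature and the Hash Lookup module together: every file gets MD5 and SHA-1 digests, which are then checked against a known-bad (notable) set and a known-good set of the kind NSRL provides, leaving only unmatched files as "unknown" for the examiner. The sample files, their contents and both hash sets are constructed here so the script runs offline; a real deployment would load hash sets from files and hash data sources from disk, which `digest_stream` already handles because it reads any binary file object in chunks.

```python
"""Hash-set matching in miniature: MD5/SHA-1 per file, then known-bad and
known-good lookup. Added example, not Autopsy's own code; sample files and
hash sets are constructed for the demonstration."""
import hashlib
import io

# Constructed sample "files": hypothetical path -> content bytes.
SAMPLE_FILES = {
    "/Windows/System32/notepad.exe": b"MZ pretend notepad binary",
    "/Windows/Temp/update.exe": b"MZ pretend dropper",
    "/Users/alice/Documents/notes.txt": b"grocery list\n",
}


def digest_stream(fobj, chunk_size=1 << 20):
    """Return (md5, sha1) hex digests of a binary file object, read in chunks
    so multi-GB files are never loaded whole."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    while True:
        block = fobj.read(chunk_size)
        if not block:
            break
        md5.update(block)
        sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def load_hash_set(lines):
    """Parse a one-hash-per-line set. Hash sets ship in mixed case and often
    carry comments, so normalize to lowercase and drop '#' comments/blank lines."""
    hashes = set()
    for line in lines:
        value = line.split("#", 1)[0].strip().lower()
        if value:
            hashes.add(value)
    return hashes


def classify(md5, sha1, known_bad, known_good):
    """Known-bad wins over known-good; anything in neither set stays for review."""
    if md5 in known_bad or sha1 in known_bad:
        return "notable"
    if md5 in known_good or sha1 in known_good:
        return "known"
    return "unknown"


def run_hash_lookup(files, known_bad, known_good):
    """Hash every file and tag it; returns path -> (verdict, md5, sha1)."""
    results = {}
    for path, data in files.items():
        md5, sha1 = digest_stream(io.BytesIO(data))
        results[path] = (classify(md5, sha1, known_bad, known_good), md5, sha1)
    return results


# Constructed hash sets, derived from the sample content above so the example
# is self-contained. Upper case and a trailing comment mimic real set files.
KNOWN_BAD = load_hash_set([
    hashlib.sha1(SAMPLE_FILES["/Windows/Temp/update.exe"]).hexdigest().upper()
    + "  # constructed: SHA-1 of the sample dropper",
])
KNOWN_GOOD = load_hash_set([
    "# constructed known-good set (NSRL-style)",
    hashlib.md5(SAMPLE_FILES["/Windows/System32/notepad.exe"]).hexdigest().upper(),
])

if __name__ == "__main__":
    for path, (verdict, md5, sha1) in run_hash_lookup(SAMPLE_FILES, KNOWN_BAD, KNOWN_GOOD).items():
        print(f"{verdict:<8} {md5} {sha1} {path}")
```

The known-good set is what makes hashing worth its ingest cost on a large image: a "known" verdict lets the examiner hide unmodified OS and application files and concentrate on the "notable" and "unknown" remainder.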