An Overview of Autopsy - Open Source Digital Forensic Platform

An Overview of Autopsy: Open Source
Digital Forensic Platform
Author, Balakrishnan Subramanian
A Data Science Foundation White Paper
May 2020
---------------------------------------------------
www.datascience.foundation
Data Science Foundation

Data Science Foundation, Atlantic Business Centre, Atlantic Street, Altrincham, WA14 5NQ
Tel: 0161 926 3641 Email: [email protected] Web: www.datascience.foundation
Registered in England and Wales 4th June 2015, Registered Number 9624670
Copyright 2016 - 2017 Data Science Foundation
ABSTRACT
Digital forensics refers to the way toward recouping information from computerized gadgets,
from PC hard drives to cell phones. This movement is frequently connected with criminal or
common investigations. Advanced gadgets can give a wide range of kinds of data that are not
clear to the casual user. Autopsy is the chief open source digital forensics platform that is
anything but difficult to utilize, quick, and usable in every computerized examination. It
analyzes hard drives, smart phones, media cards etc. It is primarily developed for Microsoft
Windows, but there is minimal support for running on Linux and macOS. In this whitepaper, I
am focusing about overview of Autopsy, installation of Autopsy and cases & data sources of an
Autopsy.
Keywords: digital forensic, case, data source, ingest.
1. INTRODUCTION
1. Brief History
In 2001, first Open Source platform was released. It is interfaced to The Sleuth Kit.
It is applicable for only Linux and OS X. And then in 2010, they started v3 from
scratch as a platform. It is based on OSDFCon discussions. It is Windows-based
and automated. Some US Army funding (with 42Six Solutions). Finally, v3.0.0
released in September, 2012.
2. Basic Concept
This section will outline the following basic concepts:
Investigation Workflow
Deployment Types
Central Repository
1. Investigation Workflow
Analyzing data in Autopsy uses the following workflow:
Step 1: Make a Case

A case is a “container for one or more data sources. One must be created
before data is analyzed”.
Step 2: Add a Data Source
One or more data sources are added to the case. Data sources include disk
images and local files.

Step 3: Configure Ingest Modules
After the data source is included, ingest modules work out of sight to break
down the information. Results are presented on the interface continuously
and give cautions as important. Model ingests modules incorporate hash
count and query, watchword looking, and web relic extraction. Third party
modules can be created and added to the pipelines.

Step 4: Review of manually analyze Data
The user navigates “the interface, files contents, and ingest module results to
identify the evidence”.
Step 5: Tag Results
Interesting items can be tagged for later reporting and analysis.
Step 6: Report Generation
The user initiates a final report based on selected tags or results.
2. Deployment Types
There are two types of deployment. (a) Desktop/Single User (b)

Cluster/Multiuser.
Desktop/Single User:
Functionality: In this type, cases can be opened by only one person at

a time.
Technical: Everything runs on a single computer. It works out of the

box with a single installer. Launching Autopsy will start all embedded
services (i.e. Data bases, Text indexing etc...)

Cluster/Multiuser
Functionality: Cases can be opened by multiple users at the same

time.It allows for “Auto Ingest” mode where new media is
automatically analyzed 24×7 by multiple modes. It provides faster
analysis because data base is often faster.
Technical: User experience is the exact same. It uses central level

servers for database, text index etc. And also it uses central level high
speed storage.
Central Repository
In this case, Database that stores data from past cases. It contains
MD5 hash values, comments and wifi SSIDs.
Autopsy typically has case-specific databases. It keeps databases

smaller and easier to manage. It allows for archival etc.
Central Repository deployment types:

Two types are supported:
(i) SQLite – It requires no other installations. It can be used by

only one user at a time.
(ii) PostgreSQL – Database is stored on a server. It can be used
by multiple users at a time. It can use the same server for multi-
user cases.
2. INSTALLATION OF AUTOPSY
Autopsy needs to be installed on an examiner’s computer (or Virtual machine). It applies

to both Single/Multi user.
Steps:
Step 1: Download “.msi” installer.
Step 2: Use default values.
Step 3: It will install in a version-specific folder. You can have multiple versions of
Autopsy installed at the same time.
Installing Autopsy on Linux/OS X
Basic flow:
Install dependencies using package management tool: .Java, The Sleuth Kit,
PhotoRec, etc.
Download “.zip” file of Autopsy and expand.
Run “unix_setup.sh” to copy files into Autopsy.
There are other things to setup on a new installation: hash sets, keywords etc.
Launch Autopsy and enable the central repository using a SQLite data base in the default
App data location.
3. CASES AND DATA SOURCES

1. Cases
A case can contain at least information sources (disk image, disk devices and
logical files). The data sources can be from various drives in a solitary PC or from
numerous PCs.

A case groups the investigation data you are going to analyze. It's up to you how
many cases you create: either it may be by investigation or by host within an
investigation.
Each case has its own index (directory) that is named dependent on the case name.
The index will contain configuration files, a database, reports, and different
records that modules create.
The fundamental Autopsy case configuration file has an ".aut" augmentation.
Factors:
Only one case can be open at a time.

Reporting is done at a case level.
Cases are automatically saved.
1. Creating a Case
There are several ways to create a new case:
The opening splash screen has a button to create a new case.

The "File", "Create New Case" menu item
2. Case directory

Each Autopsy case (Multi and Single user) has a directory. Either it has a
notion of a ‘base’ directory or it makes a folder in the base directory with the
case name.
Note: In a Multi-user cluster, all examiners need to have access to the case
directory at the same path.
Case directory contents:
Autopsy.db – SQLite database will store basic case information and

data source information.
Export folder - Default location to store exported files.
Reports folder – Default location to store reports.
Module output folder – Default location for modules to write output
to.
2. Data Sources
A data source the thing you need to examine. It tends to be a plate picture, some
legitimate records, a neighborhood drive, and so forth. You should open a case
preceding adding a data source to Autopsy.
1. Adding a Data Source
You can include a data source in a few different ways:
After you make a case, it naturally prompts you to include a data

source.
There is a toolbar thing to include a Data Source when a case is open.
The "File", "Add Data Source" menu thing when a case is open.

Autopsy supports three types of data sources:
Disk Image: A file (or set of files) that is a byte-for-byte copy of a hard
drive or media card.
Adding a Disk Image
Autopsy supports disk images in the following formats:
Raw Single (For example: *.img, *.dd, *.raw, etc)

Raw Split (For example: *.001, *.002, *.aa, *.ab, etc)
EnCase (For example: *.e01, *e02, etc)
To add a disk image:
Choose "Image File" starting from the pull.

Browse to the first file in the disk image. You have to
determine just the first file and Autopsy will discover the
rest.
Choose the timezone that the disk image originated from.
This is generally significant for when including FAT record
frameworks since it doesn't store timezone data and
Autopsy won't realize how to standardize to UTC.
Choose to perform orphan file finding on FAT file systems.
This can be a time intensive procedure since it will
necessitate that Autopsy takes a gander at every area in
the gadget.

Disk Image Analysis
It uses The Sleuth Kit (TSK) to analyze the contents of the image.
And it detects volume systems that break the disk into partitions.
And also it detects file systems that organize a partition so that
files can be stored.
Volume System Analysis
Volume systems organize the disk image into one or more

volumes (or partitions). It is located near the beginning of the
disk image. Autopsy/TSK supports: disk operating system (DOS),
GUID Partition Table (GPT), Macintosh (Mac), Berkeley Software
Distribution (BSD) and Solaris.
Autopsy will show areas of disk that are not in a volume.
Each volume is analyzed to look for a file system. If no volume is

found, the entire image is analyzed for a file system.
File System Analysis
It allows files to be stored. Typically it is located at beginning of

disk image or inside of volume.
The supported formats are: NT File System (NTFS), File

Allocation Table (FAT), Extensible File Allocation Table (EXFAT),
The hierarchical file system (HFS+), ISO9660, Ext 2/3/4, Reverse
Engineering of the Android File System (YAFFS2), Universal
Flash Storage (UFS).
Orphan Files
o Orphan files are those that are deleted and no longer have a
parent folder. They are accessible in the “$OrphanFiles” folder.
And finding orphan files in FAT file system is time intensive.
Every cluster must be read and analyzed. And it can be disabled
when image is added.

Local Drive: Local storage device (local drive, USB-attached drive,
etc.).
Adding a Local Drive
Autopsy can break down a local drive without expecting to

initially make an image duplicate of it. This is most valuable
while breaking down a USB-appended gadget through a compose
blocker.
Note: on the off chance that you are breaking down a

neighborhood drive that is being refreshed, at that point Autopsy
won't see documents that are included after you include it as an
information source.
You should be running Autopsy as an Administrator to see all

gadgets.
To include a neighborhood drive:
Choose "Local Drive" starting from the pull.

Choose the gadget starting from the pull list.
Choose to perform orphan file finding.
Logical Files: Local files or folders.
Adding a Logical File
You can add files or folders that are on your local computer (or
on a shared drive) without putting them into a disk image. This is
useful if you have only a collection of files that you want to
analyze.
Some things to note when doing this:
Autopsy ignores the time stamps on files that it adds this

way because they could be the timestamps when they were
copied onto your examination device.
If you have a USB-attached device that you are analyzing
and you choose to add the device's contents using this
method, then note that it will not look at unallocated space
or deleted files. Autopsy will only be able to see the
allocated files. You should add the device as a "Logical
Drive" to analyze the unallocated space.

To add logical files:
Choose "Logical Files" from the pull down.

Press the "Add" button and navigate to a folder or file to
add. Choosing a folder will cause all of its contents
(including sub-folders) to be added.
Continue to press "Add" until all files and folders have been
selected.
All of the files that you added in the panel will be grouped
together into a single data source, called "LogicalFileSet" in the
main UI.
4. CONCLUSION
The Autopsy Forensic Browser empowers you to lead an advanced criminological

examination. It is a graphical interface to The Sleuth Kit and different devices. Autopsy
permits you to look at a hard drive or cell phone and recuperate proof from it. This
whitepaper should help you with using Autopsy. Current version of Autopsy works better
with good system configuration.
REFERENCES
1. https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493741001.pd
f
2. https://sleuthkit.org/autopsy/docs/user-docs/3.1/index.html
3. http://www.sleuthkit.org/autopsy/
4. https://www.softpedia.com/get/Others/Miscellaneous/Autopsy.shtml
5. http://en.wikipedia.org/wiki/Autopsy_%28 software%29
6. http://www.sleuthkit.org/autopsy/intuitive.php
7. https://www.basistech.com/basistechnology-enhances-digital-mediainvestigations-with-au
topsy-3-1/
8. http://www.sleuthkit.org/autopsy/download.php
9. https://sourceforge.net/projects/autopsy/file%20s/autopsy/3.1.1/
10. http://wiki.sleuthkit.org/index.php?title=M_ain_Page
11. http://wiki.sleuthkit.org/index.php?title=T_he_Sleuth_Kit
12. http://digitalforensics.sans.org/blog/2009/05/11/a-stepby-step-introduction-to-using-the-a
utopsyforensic-browser/
13. Incident Response and Computer Forensics, Second Edition[11]
http://articles.forensicfocus.com/2013/08/29/autopsy-3-windows-based-easy-to-useand-fre
e/

14. https://www.softpedia.com/get/Others/Miscellaneous/Autopsy.shtml
15. http://www.basistech.com/medium-pemedex/
16. http://wiki.sleuthkit.org/index.php?title=A utopsy_3_Logging_and_Error_Checking
17. http://www.sleuthkit.org/autopsy/v2/[16]Digital Evidence & Computer Crime - Forensic
Science, Computers, & the Internet, 2nd Edition
18. http://www.sleuthkit.org/autopsy/features.php"
19. http://www.sleuthkit.org/autopsy/history.php
AUTHOR WRITE UP
Dr.S.Balakrishnan, (CSI Membership I1505405) is a Professor and Head, Department of

Computer Science and Business Systems at Sri Krishna College of Engineering and
Technology, Coimbatore, Tamilnadu, India. He has 17 years of experience in teaching,
research and administration. He has published over 15 books, 3 Book Chapters, 21 Technical
articles in CSI Communications Magazine, 1 article in Electronics for You (EFY) magazine, 3
articles in Open Source for You Magazine and over 100 publications in highly cited Journals
and Conferences. Some of his professional awards include: Faculty with Maximum Publishing
in CSI Communications 2017-2019, International Data Science Writer of the Year 2019, MTC
Global Outstanding Researcher Award, Contributors Competition Winner July 2019, August
2019 and September 2019 by DataScience Foundation, with cash prize of £100, 100 Inspiring
Authors of India, Deloitte Innovation Award - Cash Prize Rs.10,000/- from Deloittee for Smart
India Hackathon 2018, Patent Published Award, Impactful Author of the Year 2017-18. His
research interests are Artificial Intelligence, Cloud Computing and IoT. He has delivered
several guest lectures, seminars and chaired a session for various Conferences. He is serving
as a Reviewer and Editorial Board Member of many reputed Journals and acted as Session
chair and Technical Program Committee member of National conferences and International
Conferences at Vietnam, China, America and Bangkok. He has published more than 19 Patents
on IoT Applications.

About the Data Science Foundation
The Data Science Foundation is a professional body representing the interests of the Data
Science Industry. Its membership consists of suppliers who offer a range of big data analytical
and technical services and companies and individuals with an interest in the commercial
advantages that can be gained from big data. The organisation aims to raise the profile of this
developing industry, to educate people about the benefits of knowledge based decision making
and to encourage firms to start using big data techniques.
Contact Data Science Foundation

Email:[email protected]
Telephone: 0161 926 3641
Atlantic Business Centre
Atlantic Street
Altrincham
WA14 5NQ
web: www.datascience.foundation


An Overview of Autopsy - Open Source Digital Forensic Platform

Uploaded by

Copyright:

Available Formats

An Overview of Autopsy - Open Source Digital Forensic Platform

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

An Overview of Autopsy - Open Source Digital Forensic Platform

Uploaded by

Copyright:

Available Formats

An Overview of Autopsy: Open Source

Digital Forensic Platform

Author, Balakrishnan Subramanian

A Data Science Foundation White Paper

Data Science Foundation

Keywords: digital forensic, case, data source, ingest.

This section will outline the following basic concepts:

Analyzing data in Autopsy uses the following workflow:

Step 1: Make a Case

Data Science Foundation

Step 2: Add a Data Source

Data Science Foundation

Data Science Foundation

Step 5: Tag Results

Interesting items can be tagged for later reporting and analysis.

Step 6: Report Generation

The user initiates a final report based on selected tags or results.

There are two types of deployment. (a) Desktop/Single User (b)

Functionality: In this type, cases can be opened by only one person at

Technical: Everything runs on a single computer. It works out of the

Data Science Foundation

Functionality: Cases can be opened by multiple users at the same

Technical: User experience is the exact same. It uses central level

Autopsy typically has case-specific databases. It keeps databases

Central Repository deployment types:

Data Science Foundation

(i) SQLite – It requires no other installations. It can be used by

Autopsy needs to be installed on an examiner’s computer (or Virtual machine). It applies

Step 1: Download “.msi” installer.

Step 2: Use default values.

Installing Autopsy on Linux/OS X

3. CASES AND DATA SOURCES

Data Science Foundation

The fundamental Autopsy case configuration file has an ".aut" augmentation.

Only one case can be open at a time.

There are several ways to create a new case:

The opening splash screen has a button to create a new case.

Data Science Foundation

Case directory contents:

Autopsy.db – SQLite database will store basic case information and

1. Adding a Data Source

You can include a data source in a few different ways:

After you make a case, it naturally prompts you to include a data

Data Science Foundation

Autopsy supports disk images in the following formats:

Raw Single (For example: *.img, *.dd, *.raw, etc)

To add a disk image:

Choose "Image File" starting from the pull.

Data Science Foundation

Volume System Analysis

Volume systems organize the disk image into one or more

Autopsy will show areas of disk that are not in a volume.

Each volume is analyzed to look for a file system. If no volume is

File System Analysis

It allows files to be stored. Typically it is located at beginning of

The supported formats are: NT File System (NTFS), File

Data Science Foundation

Autopsy can break down a local drive without expecting to

Note: on the off chance that you are breaking down a

Raw Single (For example: .img, .dd, *.raw, etc)