Autopsy
What is Autopsy?
Autopsy: Open-source digital-forensics platform developed by Brian Carrier and Basis Technology that provides a graphical front end to The Sleuth Kit and a rich set of analysis modules.
Autopsy is a free, open-source digital-forensics platform led by Brian Carrier and his team at Basis Technology / Sleuth Kit Labs. It serves as a graphical front end to The Sleuth Kit (TSK) and adds case management, automated ingest modules, keyword search, timeline analysis, hash sets (NSRL), web artefact carving, EXIF metadata extraction, registry parsing, Android forensics and a Python/Java plug-in API for custom modules. Originally released as a web-based tool in 2003, Autopsy 3+ is a desktop application written in Java that runs on Windows, Linux and macOS. It is widely used by law enforcement, students and DFIR practitioners as a free counterpart to commercial suites such as FTK and EnCase, and is often the first tool taught in academic computer-forensics courses.
● Examples
- 01: A first responder loading an E01 disk image into Autopsy and running the default ingest modules to triage a suspected insider-threat case.
- 02: A student writing a custom Autopsy Python module to parse a proprietary chat database during a CTF exercise.
● Frequently asked questions
What is Autopsy?
Open-source digital-forensics platform developed by Brian Carrier and Basis Technology that provides a graphical front end to The Sleuth Kit and a rich set of analysis modules. It belongs to the Forensics & IR category of cybersecurity.
How do you defend against Autopsy?
Autopsy is an investigative tool rather than an attack technique, so there is nothing to defend against. What matters is using it soundly: work from a verified forensic image rather than the original medium, check the image's cryptographic hashes, and keep a documented chain of custody so that findings remain admissible (see the related terms below).
What are other names for Autopsy?
Common alternative names include: Autopsy Forensic Browser, Sleuth Kit Autopsy.
● Related terms
- The Sleuth Kit (forensics-ir № 1142): An open-source library and collection of command-line tools for low-level analysis of disk images and file systems, maintained by Brian Carrier.
- Forensic Imaging (forensics-ir № 426): Creating a bit-for-bit copy of a storage medium, verified by cryptographic hashes, for use in forensic analysis and as legally admissible evidence.
- Chain of Custody (forensics-ir № 162): The chronological, documented trail showing every person, location, and action affecting a piece of evidence from seizure through final disposition.
- EnCase (forensics-ir № 378): EnCase is a commercial digital-forensics product family from OpenText (originally Guidance Software) widely used by law-enforcement and corporate investigators since the late 1990s.
- FTK (forensics-ir № 436): Forensic Toolkit (FTK) is a commercial digital-forensics suite developed by AccessData and now owned by Exterro, used to acquire, index and analyse computer evidence.
- Timeline Analysis (forensics-ir № 1156): A forensic technique that reconstructs the chronological sequence of events on a system by correlating timestamps from files, logs, and other artefacts.
● See also
- Forensic Toolkit (№ 428)