Autopsy

Autopsy is a diagnose and forensic tool capable of analyzing raw or E01 disk images, local drives and directories in order to determine possible causes of an event. The application supports NTFS, FAT, HFS, Ext2, Ext3 and UFS file system types, enabling you to investigate the input (IMG, DD, 001, AA, RAW and E01 files, local disks or logical files) and generate complete reports in HTML, XLS, TXT format or a TSK body file used for creating an event timeline.

Thanks to the built-in wizards, creating a new 'case' becomes just a matter of pressing a few 'Next' buttons. There are multiple analysis modules that you can choose from: the application can display data on the recent actions, perform hash lookup, extract archives, parse exif images, search for keywords and view unallocated storage space.

One of the main advantages of Autopsy is the implementation of the ingest method, which makes the analysis results available to the user as they are obtained, without waiting for the whole procedure to be completed first.

Hash lookup operations are intended to detect malware files and other issues that require your attention. Autopsy processes multiple formats during this procedure, in an attempt to determine the NSRL database format, find the EnCase hashset file, test the compliance with the HashKeeper standard and verify the integrity of the file. Relying on Apache SOLR, the keyword search module allows you to define relevant strings and provides support for regular expressions.

The application can also be used for extracting URLs, bookmarks and downloaded files from browsers, viewing installed applications, analyzing the registry or extracting e-mail addresses and IDs of the connected devices.

Autopsy can process disk images or directories to help you generate an event timeline. It assists you in putting the pieces together and determining what might have caused an incident to happen in the first place.