Autopsy: The Digital Forensics Toolkit

Kate Libby

Introduction

In today's entangled and bustling digital age, the need for and importance of digital forensics cannot be overstated. As technology advances, so do the methods by which individuals commit cybercrimes and hide digital evidence. In response to these challenges, digital forensic investigators rely on powerful tools and techniques to uncover hidden information, investigate cybercrimes, and support the efforts of law enforcement. 

One such indispensable tool in the digital forensics' arsenal is Autopsy. 

Autopsy is an open-source, cross-platform digital forensics toolkit that offers a wide range of features and capabilities to aid investigators in the retrieval and analysis of digital evidence according to the project page (Autopsy, n.d.). This essay explores Autopsy, its significance in digital forensics, and its key features, from starting a case to managing the contents of artifacts and everything in between.

Autopsy, also known as The Sleuth Kit, is a widely used open-source digital forensics tool that provides a comprehensive suite of features for forensic investigators. It was originally developed by Brian Carrier and has since gained widespread adoption in the digital forensics’ community due to its versatility, reliability, and cost-effectiveness. Autopsy is available for Windows, macOS, and Linux, making it accessible to a wide range of users.

A screenshot of a computer

Description automatically generated

The Significance of Digital Forensics

Digital forensics is the process of collecting, preserving, analyzing, and presenting electronic evidence in a legal context. It plays a vital role in criminal investigations, corporate security, incident response, and sometimes, civil litigation. With the increasing reliance on digital devices and the internet, digital evidence has become central to solving crimes and establishing culpability. Consequently, the tools and techniques used in digital forensics must continually evolve to meet the demands of modern investigative processes.  Regarding Autopsy, the team at Basis Technologies are continuing to innovate the platform by adding new features, such as ingest modules, to expand the range of devices and data types.

A screenshot of a computer

Description automatically generated

Key Features of Autopsy

Before we dive into earning our forensic wings, we must first explore some key features of Autopsy. Learning these features will enable us to navigate the framework more efficiently, thus allowing us to investigate much easier and with a bit more organization.

When we start Autopsy and choose to establish a new case, we are greeted with the following input fields.  To move on to the next screen you must at least enter a case number.  After that you can choose to populate the next step in case creation, or just move on without providing any information.

A screenshot of a computer

Description automatically generated
A screenshot of a computer

Description automatically generated
A screenshot of a computer

Description automatically generated

Now, we can move on to adding our data sources on which we want to perform digital forensics.  As you can see from the screenshot below, we have a variety of options available to us.

A screenshot of a computer

Description automatically generated

If we selected to add data from local files and folders, we must specify the location.  I have selected my S:\ drive to analyze some data archives.

A screenshot of a computer

Description automatically generated

As far as key features are concerned, that is pretty much all it takes to establish a case and select a data source to analyze.  The other features are a bit more advanced and specific depending on the type of data we are dealing with.

File System Analysis

Autopsy supports the analysis of various file systems, including NTFS, FAT, exFAT, HFS+, Ext2/3/4, and UFS. This versatility ensures that investigators can examine evidence from a wide range of storage devices, such as hard drives, USB drives, drone embedded storage and memory cards.  During the ingest process of the data, we can select which ingest modules we want to use, or we can select them all.  I usually select them all because different types of data can be compiled on the same device.

A screenshot of a computer

Description automatically generated

There are also plugin settings we can configure as well.  Autopsy allows for developers to submit ingest modules for approval, such as Python modules (sleuthkit, n.d.).

 Keyword Searching

Autopsy will automatically search for keywords in accordance with the ingest modules and allows investigators to search for specific keywords or patterns within files and unallocated space. This feature is invaluable for locating crucial pieces of evidence hidden within a vast amount of data.  All you have to do is select the main window and begin typing the keyword you are looking for.

A blue and black text

Description automatically generated
A screenshot of a computer

Description automatically generated

Timeline Analysis

Autopsy provides a timeline view that helps investigators reconstruct events and activities by analyzing file timestamps, including creation, modification, and access times. This is especially helpful when dealing with video artifacts; these items can be critical for establishing a sequence of events in a case.

A screenshot of a computer

Description automatically generated

 You can provide filters as well to view the timeline differently.

A screenshot of a computer

Description automatically generated

Registry Analysis

The tool supports the examination of Windows registries, enabling investigators to uncover important information about a suspect's activities, installed software, and system configurations.  Being able to analyze the registry with efficiency is extremely helpful in tracking down malicious software.

Web Artifact Analysis

Autopsy can parse and analyze web browser artifacts, such as browser history, cookies, and downloads. This is essential for tracking online activities and identifying potential digital trails left by bad actors.  Autopsy can uncover these trails with great precision and organizational intelligence.  As you can see from the case below, we have a number of web artifacts to analyze, most importantly the metadata and cookies.

A screenshot of a computer

Description automatically generated

Email Analysis

The toolkit supports the analysis of email messages and attachments, making it possible to trace communication patterns and gather evidence from email accounts.  Even if the subject has deleted emails or the accounts associated with them, Autopsy can still detect them and the messages.

Drone Analysis

Even though Autopsy primarily focuses on digital forensics for computers and digital devices, because of its versatility, the onboard storage devices embedded within drones can be analyzed as well.  Within the embedded storage, we can extract flight logs, GPS data and any captured photos and videos the drone collects during flight operations.  While we don’t have any drone data to display here, the extraction process is like that of an external hard drive or USB. 

File Carving

Autopsy includes file carving capabilities, allowing it to recover deleted or damaged files even when file system metadata is missing or corrupted.  This is quite possibly one of the neatest features, as bad actors often delete data thinking it will shroud their activities. Remember, when data is created, it cannot be uncreated, one must create new over it, in a manner of speaking.

A black text on a white background

Description automatically generated
A screenshot of a computer

Description automatically generated

Reporting and Export

Autopsy generates detailed reports that can be used in legal proceedings. These reports provide a clear overview of the findings, making it easier for investigators to present evidence in legal proceedings, or to legal teams that will present the findings.  

A feature I find that is helpful to investigators is Autopsy’s ability to provide an easy-to-follow HTML report. Obviously, for the more technically inclined, there are other formats that would be more suitable.  I have provided a graphical walkthrough of the report generation process, as you will see it is quite easy.

When we start the report generation process, we first decide how we would like our analysis to be presented.  This, of course, will depend on your audience. Select an HTML report for less technical clients, a Google KML for geolocated artifacts or an Excel format for the more technical audience.

A screenshot of a computer

Description automatically generated

From this view, we can select which data sources to include in the report.

A screenshot of a computer

Description automatically generated

From this screen we can choose to generate a report on all results or only the specific results we wish to provide an analysis of.

A screenshot of a computer

Description automatically generated

The report generation process is fairly quick, though some technical variances may take a bit longer.

A screenshot of a computer error

Description automatically generated

Finally, we have an HTML report that is easy to follow and can be viewed in a local browser.

A screenshot of a computer

Description automatically generated

The map below shows some geolocated EXIF Metadata; this would be especially useful in a report.

Autopsy in the Field

To illustrate Autopsy's practical utility, consider a hypothetical scenario where law enforcement is investigating a case of corporate espionage. The suspect is believed to have stolen sensitive company documents from their work computer. Using Autopsy, digital forensic investigators can and should be able to:

- Analyze the suspect's file system to identify deleted files related to the theft.

- Search for specific keywords or document titles within the suspect's files.

- Examine the suspect's web browsing history to determine if they accessed company resources remotely.

- Review the suspect's email correspondence for any evidence of communication with external parties involved in the espionage.

- Create a comprehensive timeline of the suspect's computer activity leading up to and after the theft.

Conclusion

 In the world of digital forensics, Autopsy stands out as an invaluable toolkit that empowers investigators to extract, analyze, and interpret digital evidence efficiently and effectively. Its diverse range of features, compatibility with various platforms, and open-source nature make it a trusted and accessible resource for digital forensic professionals worldwide. As digital crimes continue to escalate and evolve, techniques and tools like Autopsy will remain essential in the ongoing battle to combat digital wrongdoing, uphold justice, and protect the integrity of digital evidence in our increasingly interconnected world.

References

https://github.com/sleuthkit/autopsy_addon_modules

Subscribe
Notify of
guest

0 Comments
Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023