

Autopsy – A Forensic Analysis Tool


Autopsy – Digital Forensics

If you need to conduct in-depth forensics on a disk image, Autopsy is a great free, open-source tool for deep forensic analysis.

It has been a few years since I last used Autopsy; I recall it from the SANS SIFT workstation. Back then I felt it was a great tool, but it lacked speed when searching through data. That appears to have improved drastically in the most recent version of Autopsy. On top of that, machines have also become much faster, with SSDs and far more CPU and RAM.


The Autopsy Training Course

A big shoutout to Brian Carrier for offering the course for FREE during the COVID-19 crisis going around the world. Being at home more now, I had some time to check out Autopsy and take it for a test drive. I do like the multi-user case feature, which lets you deploy a central server so that multiple investigators can work on the same case and share artifacts and data with each other.

This course gives you enough basic knowledge to use the tool. It doesn't get into deep-dive topics, but it covers enough to let you use the tool for most basic forensic needs. There do seem to be other courses on mobile forensics and other advanced topics, but those were outside the scope of this free course. When you complete the course you also get a certificate of completion!

Autopsy Certificate


Plugins

One of the great features of Autopsy is its support for plugins. Any coder can create and add their own custom modules, or choose from a handful of pre-made ones. For example, there is a module that creates 10-second thumbnails for any videos found, so you can visually check what a video file contains without watching the whole clip.

Plugin support gives users a chance to code useful features themselves (modules can be written in Java or in Python via Jython), and I expect this to gain a lot of backing and traction over time. Otherwise you are stuck begging the vendor for feature requests, which they may or may not implement depending on the vendor. Below is an image of some of the plugins you can use in Autopsy.


Data Ingestion & Extraction

The course itself is a very basic starter course that explains how to ingest data into Autopsy and how to search for and find certain types of data. Overall, it is a great way to learn (or re-learn) how to use Autopsy. Data ingestion seems solid; as you can see below in the ingest module list, there is a wide range of data you can ingest and extract.

Some people might ask: with solutions such as EDR that also provide some form of forensics, do you still need tools like Autopsy? My take is that we will always require tools for offline forensics. Not everything can be done live, and if the matter ends up as a criminal case in a court of law, being able to conduct offline forensics on a verified image, with the least possible change to the original system, will play a huge role.

I did find data ingestion to take quite a while. Mind you, I was not using an SSD for my forensic analysis but a 7200 rpm HDD, so I have yet to see whether performance improves when the forensic image is on an SSD. In practice this meant I ran only the ingest modules I felt I needed rather than all of them at once. Personally, the easy option would be to let it ingest and extract everything and leave the machine to work away. Below is a list of some of the data you can extract from a disk image.


Timeline

Autopsy also has a neat Timeline feature. It is useful for seeing how far back the data on the image goes, and the earliest events give you an idea of when the machine was most likely first set up and used. During an investigation you often know a rough window in which the suspicious activity took place, and the timeline lets you narrow the view down to just the events in that window.
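As an added example (my own code, not the post's and not Autopsy's), the snippet below does that narrowing by hand. It reads constructed sample records in The Sleuth Kit "body" format, the text timeline format that mactime consumes (Autopsy is built on The Sleuth Kit), expands each file record into its MACB events, reports the oldest timestamp as a rough "first set up" bound, and filters events to a time window. The file paths, inodes and timestamps in the sample are made up for the example.

```python
from datetime import datetime, timezone

# Constructed sample in The Sleuth Kit "body" format. Field order is:
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
# Timestamps are epoch seconds; every value below is made up for this example.
SAMPLE_BODY = """\
0|/Windows/System32/config/SAM|1234|r/rrwxrwxrwx|0|0|262144|1583020800|1580515200|1580515200|1577836800
0|/Users/bob/Downloads/invoice.pdf.exe|5678|r/rrwxrwxrwx|0|0|90112|1583107200|1583107150|1583107150|1583107150
0|/Users/bob/AppData/Roaming/update.vbs|5679|r/rrwxrwxrwx|0|0|2048|1583107260|1583107260|1583107260|1583107260
0|/Users/bob/Documents/report.docx|5680|r/rrwxrwxrwx|0|0|40960|1585699200|1582848000|1582848000|1582848000
"""

# MACB: modified, accessed, changed (metadata), born (created).
EVENT_KINDS = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))


def parse_body_line(line):
    """Split one body-format line into a dict; reject lines with the wrong field count."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 11:
        raise ValueError("expected 11 fields, got %d in %r" % (len(fields), line))
    rec = {"md5": fields[0], "name": fields[1], "inode": fields[2], "mode": fields[3]}
    for key, value in zip(("uid", "gid", "size", "atime", "mtime", "ctime", "crtime"), fields[4:]):
        rec[key] = int(value)
    return rec


def expand_events(rec):
    """One file record yields up to four MACB events; a zero timestamp means 'not recorded'."""
    for field, flag in EVENT_KINDS:
        if rec[field] > 0:
            yield (rec[field], flag, rec["name"])


def all_events(body_text):
    """Every MACB event on the image as (epoch, flag, path), oldest first."""
    events = []
    for line in body_text.splitlines():
        if line.strip():
            events.extend(expand_events(parse_body_line(line)))
    events.sort()
    return events


def earliest_event(body_text):
    """Oldest timestamp on the image: a rough lower bound for when the system was set up."""
    events = all_events(body_text)
    return events[0][0] if events else None


def events_in_window(body_text, start_iso, end_iso):
    """Events with start <= t < end, bounds given as ISO-8601 strings with a UTC offset."""
    lo = int(datetime.fromisoformat(start_iso).timestamp())
    hi = int(datetime.fromisoformat(end_iso).timestamp())
    return [ev for ev in all_events(body_text) if lo <= ev[0] < hi]


def format_event(ts, flag, name):
    when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    return "%s  %s  %s" % (when, flag, name)


if __name__ == "__main__":
    print("earliest:", format_event(earliest_event(SAMPLE_BODY), "-", "(whole image)"))
    # The window the investigator suspects: the hour around midnight on 2020-03-02 UTC.
    for ev in events_in_window(SAMPLE_BODY, "2020-03-01T23:00:00+00:00", "2020-03-02T01:00:00+00:00"):
        print(format_event(*ev))
```

Note that the window filter keeps the dropped executable and the script created a minute later while discarding the SAM hive and the unrelated document, which is exactly the reduction the timeline view gives you in the GUI. Keep the bounds timezone-aware: mixing local-time bounds with the UTC epochs in the body file is a classic way to miss an hour of events.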


Geolocation

Another awesome feature is Geolocation. If you have images or videos whose metadata (EXIF GPS tags, for example) contains latitude and longitude attributes, the tool can narrow down where the image or video was taken. This could be vital evidence in proving a criminal case, so this feature definitely has its perks.
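To show what that metadata actually looks like on disk, here is an added example (my own code, not Autopsy's parser). It constructs a minimal TIFF/EXIF blob containing only the four GPS tags, then walks IFD0 to the GPS IFD, reads the degree/minute/second RATIONAL values and converts them to signed decimal degrees. The sample coordinates and the blob itself are constructed for the example; the tag numbers and TIFF layout are the standard EXIF ones.

```python
import struct

# EXIF GPS tags live in their own IFD, reached via the GPSInfo pointer (0x8825) in IFD0.
GPS_IFD_POINTER = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def build_tiff_with_gps(lat_dms, lat_ref, lon_dms, lon_ref, endian="<"):
    """Construct a minimal TIFF/EXIF blob carrying only the four GPS tags (sample data, not a real photo).
    lat_dms/lon_dms are three (numerator, denominator) pairs: degrees, minutes, seconds."""
    byte_order = b"II" if endian == "<" else b"MM"
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 12 * 1 + 4          # IFD0 holds one entry
    data_off = gps_off + 2 + 12 * 4 + 4          # GPS IFD holds four entries
    lat_off, lon_off = data_off, data_off + 24   # three RATIONALs = 24 bytes each
    out = byte_order + struct.pack(endian + "HI", 42, ifd0_off)
    out += struct.pack(endian + "H", 1)
    out += struct.pack(endian + "HHII", GPS_IFD_POINTER, TYPE_LONG, 1, gps_off)
    out += struct.pack(endian + "I", 0)
    out += struct.pack(endian + "H", 4)
    out += struct.pack(endian + "HHI4s", GPS_LAT_REF, TYPE_ASCII, 2, lat_ref.encode("ascii") + b"\x00\x00\x00")
    out += struct.pack(endian + "HHII", GPS_LAT, TYPE_RATIONAL, 3, lat_off)
    out += struct.pack(endian + "HHI4s", GPS_LON_REF, TYPE_ASCII, 2, lon_ref.encode("ascii") + b"\x00\x00\x00")
    out += struct.pack(endian + "HHII", GPS_LON, TYPE_RATIONAL, 3, lon_off)
    out += struct.pack(endian + "I", 0)
    for num, den in tuple(lat_dms) + tuple(lon_dms):
        out += struct.pack(endian + "II", num, den)
    return out


def _read_ifd(buf, off, endian):
    """Return {tag: (type, count, raw 4-byte value/offset field)} for the IFD at off."""
    count, = struct.unpack_from(endian + "H", buf, off)
    entries = {}
    for i in range(count):
        tag, typ, cnt, raw = struct.unpack_from(endian + "HHI4s", buf, off + 2 + 12 * i)
        entries[tag] = (typ, cnt, raw)
    return entries


def _read_rationals(buf, endian, entry):
    typ, cnt, raw = entry
    if typ != TYPE_RATIONAL:
        raise ValueError("expected RATIONAL, got type %d" % typ)
    off, = struct.unpack_from(endian + "I", raw)   # RATIONALs never fit in the 4-byte field
    return [struct.unpack_from(endian + "II", buf, off + 8 * i) for i in range(cnt)]


def _read_ref(entry):
    typ, cnt, raw = entry
    if typ != TYPE_ASCII:
        raise ValueError("expected ASCII ref, got type %d" % typ)
    return raw.split(b"\x00", 1)[0].decode("ascii")


def dms_to_decimal(dms, ref):
    """Degrees/minutes/seconds rationals to signed decimal degrees; S and W are negative."""
    if ref not in ("N", "S", "E", "W"):
        raise ValueError("bad GPS ref %r" % ref)
    total = 0.0
    for (num, den), divisor in zip(dms, (1, 60, 3600)):
        if den == 0:
            raise ValueError("zero denominator in GPS rational")  # seen in corrupt or fuzzed files
        total += (num / den) / divisor
    return -total if ref in ("S", "W") else total


def extract_gps(buf):
    """Return (lat, lon) in decimal degrees, or None when the blob has no usable GPS IFD."""
    endian = {b"II": "<", b"MM": ">"}.get(bytes(buf[:2]))
    if endian is None:
        raise ValueError("not a TIFF/EXIF header")
    magic, ifd0_off = struct.unpack_from(endian + "HI", buf, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic")
    ifd0 = _read_ifd(buf, ifd0_off, endian)
    if GPS_IFD_POINTER not in ifd0:
        return None
    gps_off, = struct.unpack_from(endian + "I", ifd0[GPS_IFD_POINTER][2])
    gps = _read_ifd(buf, gps_off, endian)
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    lat = dms_to_decimal(_read_rationals(buf, endian, gps[GPS_LAT]), _read_ref(gps[GPS_LAT_REF]))
    lon = dms_to_decimal(_read_rationals(buf, endian, gps[GPS_LON]), _read_ref(gps[GPS_LON_REF]))
    return lat, lon


# Constructed sample: 48 deg 51' 29.6" N, 2 deg 17' 40.2" E (made up for the example).
SAMPLE_EXIF = build_tiff_with_gps(((48, 1), (51, 1), (296, 10)), "N",
                                  ((2, 1), (17, 1), (402, 10)), "E")

if __name__ == "__main__":
    print(extract_gps(SAMPLE_EXIF))
```

Two practitioner caveats are built in: the hemisphere reference tags decide the sign (dropping the S/W flip puts a photo on the wrong side of the planet), and a zero denominator, which corrupt or deliberately malformed files do contain, is rejected instead of crashing the parser. The same walk works for a big-endian ("MM") file because every read passes the byte order through.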


Last Thoughts

Overall, the tool is excellent for conducting forensics on an image. Support for mobile devices is slowly getting there and getting better; I'd like to try out the mobile tooling and review it in the future. From my past experience Autopsy lacked mobile forensics, and I personally had to resort to other mobile-specific forensic tools. If you need to uncover information from a disk image, Autopsy is one of the go-to tools for it!

Check out Autopsy here: Autopsy | Digital Forensics

Used Autopsy before ? Share your experiences in the comments section below!



