Autopsy is one of the most widely used free and open-source digital forensics tools, built on top of The Sleuth Kit (TSK). It provides a graphical interface for investigators to analyze disks, file systems, memory images, mobile exports, and OS artifacts. Autopsy is a core tool in forensic labs because it is reliable, extensible, and packed with features for file recovery, timeline analysis, keyword searching, and artifact identification.

This chapter explains how Autopsy works, its major features, supported evidence types, and how investigators use it in real forensic workflows.

What Is Autopsy?

Autopsy is a digital forensics platform used for analyzing:

Disk images (E01, RAW, VHD, etc.)
Mobile extractions (logical/FFS exports)
Memory dumps
File system structures
OS artifacts (Windows, Linux, macOS)
Email archives
Internet history

Autopsy integrates evidence parsing, search capabilities, and reporting into one interface, making it suitable for both beginners and advanced forensic analysts.

Key Capabilities of Autopsy

1. Disk Image Analysis

Autopsy supports multiple image formats:

RAW (dd images)
E01 / Ex01
AFF
VHD / VHDX

You can analyze:

Partition tables
Volume structures
Deleted files
File carving
NTFS/FAT/EXT file systems

2. File System Browser

Autopsy provides a structured tree view of:

Directories
Hidden/system files
Unallocated space
Deleted entries

This allows easy navigation and deep inspection of disk contents.

3. Keyword Search (Global & Ingest)

Autopsy supports:

Keyword lists
Regular expressions
Email searches
Phone numbers, credit card patterns
Highlighted hits in extracted text

This is crucial for investigative triage.

4. OS Artifact Extraction

Autopsy automatically parses multiple OS artifacts.

Windows artifacts:

Registry hives
Event logs
Prefetch files
LNK (Shortcut) files
Jump lists
User accounts
Browser artifacts

Linux artifacts:

EXT3/EXT4 file structures
Bash history
Log files

macOS artifacts:

APFS metadata
Safari data (limited)

5. Timeline Analysis

The timeline view shows:

File creation
Modification
Access
Deletion
Log events
System activity

Helps investigators reconstruct event sequences.

6. File Carving (Using Photorec/Sleuth Kit)

Autopsy can recover:

Deleted images
Documents
Videos
Archives
SQLite databases

Even if file system metadata is missing.

7. Hash Analysis

Supports:

MD5/SHA1/SHA256 hashing
Known file filter (NSRL databases)
Known bad file identification
Duplicate file detection

Useful for malware and contraband identification.

8. Email Analysis

Autopsy parses:

PST/OST
MBOX
EML
MSG

This helps uncover communication trails.

9. Web Browser Forensics

Parses:

Chrome history
Firefox history
Edge
Cookies
Downloads
Autofill data

Autopsy also extracts WebCacheV01.dat for IE/Edge Legacy.

10. Report Generation

Autopsy generates:

HTML reports
CSV/Excel exports
Timeline files
Artifact lists

Reports can be customized for court or internal investigations.

How Autopsy Works Internally

Autopsy is built on The Sleuth Kit (TSK), which provides:

File system parsing
Volume analysis
Metadata extraction
Deleted file recovery
Partition handling

Autopsy adds:

GUI
Workflow automation
Artifact modules
Plugins (Python/Java)

Together they provide a complete forensic suite.

Autopsy Ingest Modules

Ingest modules run automatically on evidence.

Common modules:

Hash lookup
File type identification
Keyword search
PhotoDNA / EXIF parser
Deleted file finder
Browser history analyzer
MIME type detector
OS artifacts module

Each module extracts forensic artifacts into the case database.

Supported Evidence Types

Autopsy can process:

Disk images
Bitstream copies
SD card images
Memory dumps (with Volatility plugin)
Mobile exports (UFED/AXIOM)
Email files
Operating system logs
ZIP/RAR archives
Cloud data exports (e.g., Google Takeout)

Workflow for Forensic Analysis in Autopsy

1. Create New Case

Choose:

Case type (single-user / multi-user)
Case folder
Name and metadata

2. Add Evidence

You can import:

Disk image
Logical files
Folders
Mobile extractions
Memory dumps

3. Configure Ingest Modules

Select modules like:

OS artifacts
Hash lookup
Email parser
Picture analysis
Keyword search

4. Analyze Artifacts

Artifacts are broken into categories:

Web activity
Installed programs
System logs
Email
User accounts
Downloads
Recent files
Communications

5. Perform Manual Review

Examine:

Folder tree
File hex view
Metadata tab
Thumbnail preview
Recovered files

6. Build Timeline

Investigate event flow:

Initial compromise
File creation
User actions
Malware execution

7. Export or Report Findings

Choose:

HTML report
CSV exports
JSON
Screenshots for documentation

Strengths of Autopsy

Beginner-friendly GUI
Strong OS artifact support
Excellent for disk image analysis
Free & open source
Large community
Extensible via plugins
Supports multi-user collaboration

Limitations of Autopsy

Limited mobile forensics compared to AXIOM or Cellebrite
Memory forensics requires additional modules
Gaps in macOS and iOS parsing
Not ideal for encrypted container cracking
Slower on very large cases

Intel Dump

Autopsy is a free forensic toolkit built on Sleuth Kit, used for disk, file system, browser, email, and artifact analysis.
Supports E01, RAW, VHD images, and provides integrated OS artifact parsing for Windows, Linux, and limited macOS.
Key features include timeline analysis, file carving, keyword search, hash databases, email parsing, and report generation.
Autopsy uses ingest modules for automated artifact extraction and supports plugins for advanced analysis.
Ideal for disk forensics, browser investigations, deleted file recovery, and OS artifact analysis; less suitable for advanced mobile forensics or encrypted environments.