// What is Autopsy?
Autopsy is a free, open-source digital forensics platform built on top of The Sleuth Kit (TSK). It provides a graphical interface for analysing disk images, file systems, and mobile devices, making it one of the most widely used tools in both law enforcement and corporate DFIR.
Autopsy is particularly useful for investigating compromised endpoints, recovering deleted files, analysing user activity artefacts, and building a timeline of events across a system.
Autopsy is cross-platform but runs best on Windows. Download it from sleuthkit.org/autopsy. The Windows installer bundles all required dependencies including The Sleuth Kit and Java.
| Supported Data Source | Description |
|---|---|
| Raw disk image (.dd, .img) | Bit-for-bit copy of a disk or partition |
| E01 / Expert Witness Format | EnCase forensic image format - most common in corporate DFIR |
| Virtual machine disks (.vmdk, .vhd) | VM disk files - useful for cloud and virtualised environments |
| Local disk | Analyse a live disk (write-blocker recommended) |
| Logical files / folders | Analyse a collection of files without a full image |
// Creating a Case
Every Autopsy investigation starts with a case. A case is a container that holds all the evidence sources, analysis results, tags, and reports for a single investigation.
Open Autopsy and select New Case. Enter a case name, choose a base directory for storing case data, and set the case type (Single-user for standalone analysis, Multi-user if collaborating across a team).
Fill in the optional metadata: case number, examiner name, phone, email, and notes. This information is embedded in any reports you export, which matters for chain of custody.
After creating the case, Autopsy immediately prompts you to add a data source: a disk image, local disk, or logical file set. You can add more sources later from the Case menu.
Use a consistent naming convention. Include the date and device identifier in the case name (e.g. 2026-05-03_LAPTOP-JSMITH) so you can find cases quickly and maintain clear records.
// Adding Data Sources
A data source is the evidence you are analysing. Autopsy supports multiple types, and you can add more than one to a single case.
Ingest Modules
When you add a data source, Autopsy runs ingest modules: automated analysis passes that extract artefacts from the image. You select which modules to run at this stage.
| Ingest Module | What it does |
|---|---|
| Recent Activity | Extracts browser history, downloads, searches, last accessed files, installed programs |
| Hash Lookup | Compares files against known-good (NSRL) and known-bad hash sets to flag malicious or system files |
| File Type Identification | Identifies true file types based on magic bytes, not just extensions |
| Extension Mismatch Detector | Flags files where the extension doesn't match the actual file type - a common obfuscation technique |
| Keyword Search | Indexes file contents for full-text search, including strings inside executables |
| Email Parser | Parses PST, MBOX, and EML files and populates the Email Accounts section |
| Encryption Detection | Flags encrypted or high-entropy files - may indicate packed malware or encrypted containers |
| EXIF Parser | Extracts metadata from images - GPS coordinates, camera model, timestamps |
| Plaso / Log2Timeline | Generates a super-timeline from multiple artefact types - requires separate installation; not included in Autopsy by default |
Run all relevant modules upfront. Re-running ingest on a large image takes a long time. Enable everything you might need at the start rather than adding modules later.
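The File Type Identification and Extension Mismatch Detector rows above describe one check: identify the type from the file's leading bytes, then compare it with the extension. The script below is an added illustration of that check and is not Autopsy's own code; the signature table is a small constructed subset of what Autopsy ships, and the sample "files" are constructed header bytes.

```python
"""Illustrative extension-mismatch check using magic bytes (not Autopsy's own
code). The signature table is a small constructed subset and the sample files
are constructed header bytes."""
import os
from typing import Optional

# Constructed subset of file signatures: (magic bytes, detected type)
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "exe"),
]

# Extensions that legitimately carry each detected type
ALIASES = {
    "png": {"png"},
    "jpg": {"jpg", "jpeg"},
    "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},   # OOXML and JAR are ZIP containers
    "exe": {"exe", "dll", "sys", "scr"},             # every PE image starts with MZ
}


def detect_type(data: bytes) -> Optional[str]:
    """Return the type whose magic bytes match the start of the data, else None."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def check_mismatch(name: str, data: bytes) -> dict:
    """Compare the claimed extension with the type identified from content."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    kind = detect_type(data)
    # Unknown content is not a mismatch: only what can be identified is flagged
    mismatch = kind is not None and ext not in ALIASES[kind]
    return {"name": name, "ext": ext, "detected": kind, "mismatch": mismatch}


# Constructed sample files (only the leading bytes matter for the check)
SAMPLES = {
    "invoice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "photo.jpeg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "report.docx": b"PK\x03\x04\x14\x00\x06\x00",
    "holiday.jpg": b"MZ\x90\x00\x03\x00\x00\x00",   # PE executable renamed to .jpg
    "notes.txt": b"plain text, no signature",
}


def scan(samples: dict) -> list:
    """Run the check over a name -> content mapping."""
    return [check_mismatch(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for r in scan(SAMPLES):
        status = "MISMATCH" if r["mismatch"] else "ok"
        print(f"{r['name']:<14} ext={r['ext']:<5} detected={r['detected']!s:<5} {status}")
```

The alias table is the part that needs care in practice: a .docx is a ZIP container and a .dll is a PE image, so a naive "extension must equal detected type" rule floods the results with false positives.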
// File System Navigation
The left-hand tree in Autopsy gives you a full view of the file system. You can browse it like Windows Explorer, navigating through folders, viewing file metadata, and examining file contents in the viewer pane.
Key views
File System Tree
Full directory structure of the image. Deleted files and folders appear with a red X overlay. You can view hidden and system files here.
File Viewer
Bottom-right pane. Shows file content in Hex, Text, Application (renders images/HTML), and Metadata tabs. Metadata tab shows MAC times, size, inode, and flags.
Tagging
Right-click any file or result to add a tag: Notable, Follow Up, or custom. Tags are collected in the Tags node in the tree and included in reports.
Bookmarking
Bookmark interesting files to add them to your report. Bookmarks appear under the Results node and can be exported directly.
MAC Times
Every file in the file system has three timestamps, collectively called MAC times. These are critical for building a timeline.
| Timestamp | Meaning | Forensic Note |
|---|---|---|
| Modified | Last time file content was changed | Changed when file is written to |
| Accessed | Last time the file was read or opened | Can be unreliable - some systems disable access time updates for performance |
| Changed / Created | On Windows: Created time. On UNIX: last metadata change (permissions, owner) | On NTFS, Created time is stored separately and is a reliable creation indicator |
Timestamps can be manipulated. Attackers use tools like timestomp to alter MAC times. Look for inconsistencies: a file with a Modified time earlier than its Created time is a red flag. A plain file copy produces the same pattern legitimately (the copy gets a new Created time but keeps the source's Modified time), so corroborate with other artefacts before concluding tampering.
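The Modified-before-Created check above can be run in bulk over a TSK body file, the format Autopsy exports under Generate Report > Body File. The script below is an added example, not Autopsy's code; the body-file lines are constructed, and the field layout assumed is the TSK 3.x one (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, times in Unix epoch seconds).

```python
"""Added example (not Autopsy's code): flag files in a TSK body file whose
Modified time precedes their Created time. Sample lines are constructed."""
from datetime import datetime, timezone

# TSK 3.x body file layout, pipe-separated, epoch seconds for all four times
FIELDS = ["md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime"]

# Constructed sample: one normal file, one with mtime far before crtime,
# one from a file system that reports no creation time (crtime = 0)
SAMPLE_BODY = """\
0|/Users/jsmith/Documents/report.docx|1234-128-1|r/rrwxrwxrwx|0|0|20480|1714730000|1714729000|1714729000|1714720000
0|/Windows/Temp/installer.exe|5678-128-1|r/rrwxrwxrwx|0|0|73728|1714740000|1262304000|1714740000|1714739000
0|/Windows/System32/kernel32.dll|910-128-1|r/rrwxrwxrwx|0|0|720896|1714700000|1640995200|1640995200|0
"""


def parse_body_file(text: str) -> list:
    """Parse body-file lines into dicts; malformed lines are skipped, not fatal."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            continue
        row = dict(zip(FIELDS, parts))
        for key in ("size", "atime", "mtime", "ctime", "crtime"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def iso(ts: int) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def find_timestamp_anomalies(rows: list) -> list:
    """Return files whose Modified time is earlier than their Created time."""
    findings = []
    for row in rows:
        if row["crtime"] == 0:
            continue  # no creation time recorded: nothing to compare against
        if row["mtime"] < row["crtime"]:
            findings.append({
                "name": row["name"],
                "modified": iso(row["mtime"]),
                "created": iso(row["crtime"]),
                "note": "Modified precedes Created; possible timestomping, "
                        "but a plain file copy produces the same pattern",
            })
    return findings


if __name__ == "__main__":
    for f in find_timestamp_anomalies(parse_body_file(SAMPLE_BODY)):
        print(f"{f['name']}: modified {f['modified']} < created {f['created']}")
```

The crtime = 0 case matters: ext4 and many other file systems expose no creation time through TSK, and comparing against zero would flag every file on the volume.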
// Deleted File Recovery
When a file is deleted on most file systems, the data isn't immediately overwritten � only the reference to it is removed. Autopsy can recover these files by reading the raw disk image and identifying unallocated clusters that still contain file data.
How to find deleted files
Deleted files appear in the directory tree with a red X icon. You can also navigate to File Views > Deleted Files in the left panel to see all recovered deleted files across the image in one place.
File carving (finding deleted files without a directory entry) is handled by the PhotoRec carver integrated into Autopsy. PhotoRec is an open-source tool from CGSecurity; Autopsy bundles it to reconstruct files based on file headers and footers in unallocated space, useful when the directory entry itself has been overwritten.
Recovery states
| State | What it means |
|---|---|
| Allocated | File exists and is referenced by the file system - normal active file |
| Unallocated | File has been deleted - directory entry removed, but data clusters may still be intact |
| Orphan | File clusters found in unallocated space with no directory entry - recovered by carving |
Export recovered files carefully. Right-click a deleted file and choose Extract File(s) to save it to your case output directory. Avoid opening files directly from the image in case you modify timestamps.
// Keyword Search
The Keyword Search module indexes file content during ingest, allowing you to search across every file on the image, including file slack space and unallocated clusters.
Types of search
Exact Match
Searches for a literal string. Case-sensitive by default. Best for searching for known usernames, hostnames, or file names.
Substring
Partial match: finds the string anywhere within a larger string. Useful when you know part of a value.
Regex
Regular expression search. Use for patterns like IP addresses, email addresses, credit card numbers, or file paths.
Useful search terms for investigations
| Search term / Pattern | What you're looking for |
|---|---|
| password | Credentials stored in plaintext in config files, scripts, or documents |
| cmd.exe /c | Command execution via shell - found in scripts, logs, or prefetch |
| powershell -enc | Encoded PowerShell - common obfuscation technique |
| \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} | IP addresses (regex) - useful for finding C2 infrastructure in logs or malware |
| [a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,} | Email addresses (regex) |
| http:// / https:// | URLs embedded in files or scripts |
| net user | Account enumeration or manipulation commands |
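The same patterns can be applied outside Autopsy to text pulled from an image, which is useful for triaging a large set of keyword hits. The script below is an added example and not Autopsy's code: it runs the table's patterns over a constructed excerpt and goes one step further than the table by post-filtering the IP regex, which on its own also matches values like 999.1.1.1. The regex spellings for the URL and encoded-PowerShell rows are my own, since the table gives those as literal strings.

```python
"""Added example (not Autopsy's code): apply the keyword-search patterns from the
table to recovered text and post-validate IP hits. The sample text is constructed."""
import re
from ipaddress import ip_address

PATTERNS = {
    # Regexes taken from the table
    "ip": re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"),
    "email": re.compile(r"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}"),
    # Literal terms from the table, widened slightly so case and spacing vary
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "encoded_ps": re.compile(
        r"powershell(?:\.exe)?\s+(?:-\w+\s+)*-enc(?:odedcommand)?\s+[A-Za-z0-9+/=]+", re.I),
    "cmd": re.compile(r"cmd\.exe\s+/c\b", re.I),
    "net_user": re.compile(r"\bnet\s+user\b", re.I),
    "password": re.compile(r"\bpassword\b", re.I),
}

# Constructed excerpt mimicking a recovered script and a config file
SAMPLE = """\
password = hunter2
server=10.0.0.25
backup=999.1.1.1
contact: admin@example.org
start: cmd.exe /c powershell -enc QUJDREVGRw==
net user backupsvc
source: https://updates.example.net/pkg.zip
"""


def is_valid_ip(text: str) -> bool:
    """The regex accepts any four dotted numbers; ipaddress rejects octets > 255."""
    try:
        ip_address(text)
        return True
    except ValueError:
        return False


def search(text: str) -> dict:
    """Return de-duplicated, sorted hits per pattern name."""
    hits = {}
    for name, rx in PATTERNS.items():
        found = [m.group(0) for m in rx.finditer(text)]
        if name == "ip":
            found = [ip for ip in found if is_valid_ip(ip)]
        hits[name] = sorted(set(found))
    return hits


if __name__ == "__main__":
    for name, values in search(SAMPLE).items():
        print(f"{name:<11} {values}")
```

Treat the hits as leads, not findings: "password" matches plenty of benign documentation, and the encoded-PowerShell hit only tells you an encoded command exists, not what it does, until it is decoded and reviewed.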
// Timeline Analysis
Autopsy's Timeline tool aggregates file system timestamps, log entries, and artefact data into a unified chronological view. This is one of the most powerful features for reconstructing what happened during an incident.
Access it via Tools > Timeline. You can switch between three views:
Counts View
A bar chart showing event density over time. Useful for identifying spikes of activity: a large cluster of events at an unusual hour is immediately visible here.
Details View
Granular event list with timestamps, file paths, and event types. Filter by event type (file system, log, web activity) or cluster around a specific time of interest.
List View
Flat table of all events. Sortable and filterable. Good for exporting a time-bounded slice of events into a report.
Narrow before you dive. Use the timeline zoom controls to isolate the window around your suspected incident time. Analysing days of events is overwhelming; zoom into the relevant hour once you have an anchor timestamp.
// Artefacts & Ingest Modules
After ingest completes, Autopsy populates the Results node in the tree with extracted artefacts grouped by category. These give you a quick view of user activity without having to manually dig through the file system.
| Artefact Category | What's extracted | Common source files |
|---|---|---|
| Web History | Visited URLs, page titles, visit timestamps | Chrome: History SQLite DB; Firefox: places.sqlite |
| Web Downloads | Downloaded files, source URL, timestamps | Chrome: History; Firefox: downloads.sqlite |
| Web Search Terms | Search engine queries entered by the user | Extracted from browser history URLs |
| Web Cookies | Stored cookies - can reveal logged-in accounts | Chrome: Cookies; Firefox: cookies.sqlite |
| Installed Programs | Applications installed on the system | Registry: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall |
| Recent Documents | Files recently accessed by the user | LNK files in Recent folder; Registry jump lists |
| Shell Bags | Folders the user has browsed - persists after deletion | Registry: UsrClass.dat |
| USB Devices | Connected USB storage devices and timestamps | Registry: SYSTEM\CurrentControlSet\Enum\USBSTOR |
| Email Messages | Parsed emails including subject, sender, recipients, body | PST, MBOX, EML files |
| EXIF Metadata | GPS, camera model, timestamps from image files | JPEG, TIFF, PNG files |
| OS Account | User accounts found on the system | SAM registry hive; /etc/passwd |
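The Web History and Web Search Terms rows come from the same source, Chrome's History SQLite database. The script below is an added example of how those two artefacts are derived and is not Autopsy's code. The column names of Chrome's urls table and the WebKit epoch (microseconds since 1601-01-01 UTC) are real; the rows, timestamps and search-engine list are constructed, and the database is built in memory so it runs without an image.

```python
"""Added example (not Autopsy's code): read a Chrome History database and derive
Web Search Terms from the URLs. Rows and engine list are constructed."""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Chrome stores last_visit_time as microseconds since 1601-01-01 UTC
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Query parameter carrying the search term for each engine (constructed subset)
SEARCH_PARAMS = {"www.google.com": "q", "www.bing.com": "q", "duckduckgo.com": "q"}


def webkit_to_datetime(value: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=value)


def datetime_to_webkit(dt: datetime) -> int:
    # Integer division of timedeltas keeps full microsecond precision;
    # float arithmetic would lose it at this magnitude (~1.3e16 microseconds)
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory stand-in for Chrome's History file."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE urls (
        id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
        typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER)""")
    rows = [
        ("https://www.google.com/search?q=autopsy+body+file+format",
         "autopsy body file format - Google Search",
         datetime(2026, 5, 3, 9, 14, 7, tzinfo=timezone.utc)),
        ("https://updates.example.net/pkg.zip", "",
         datetime(2026, 5, 3, 9, 20, 41, tzinfo=timezone.utc)),
        ("https://duckduckgo.com/?q=7zip+portable+download&t=h_",
         "7zip portable download at DuckDuckGo",
         datetime(2026, 5, 3, 9, 18, 2, tzinfo=timezone.utc)),
    ]
    for i, (url, title, when) in enumerate(rows, start=1):
        con.execute("INSERT INTO urls VALUES (?, ?, ?, ?, ?, ?, ?)",
                    (i, url, title, 1, 0, datetime_to_webkit(when), 0))
    con.commit()
    return con


def extract_history(con: sqlite3.Connection) -> list:
    """Web History: every URL with its visit time converted to UTC."""
    query = "SELECT url, title, last_visit_time FROM urls ORDER BY last_visit_time"
    return [{"url": url, "title": title, "visited": webkit_to_datetime(lvt)}
            for url, title, lvt in con.execute(query)]


def extract_search_terms(history: list) -> list:
    """Web Search Terms: pull the query parameter out of known search-engine URLs."""
    terms = []
    for entry in history:
        parts = urlparse(entry["url"])
        param = SEARCH_PARAMS.get(parts.netloc)
        if not param:
            continue
        values = parse_qs(parts.query).get(param)  # parse_qs also decodes '+' to space
        if values:
            terms.append({"engine": parts.netloc, "term": values[0],
                          "visited": entry["visited"]})
    return terms


if __name__ == "__main__":
    history = extract_history(build_sample_history())
    for h in history:
        print(h["visited"].isoformat(), h["url"])
    for t in extract_search_terms(history):
        print("search:", t["engine"], repr(t["term"]))
```

On a real image, copy the History file out of the case first (Extract File(s)) and open the copy read-only; Chrome keeps the file locked while running and the parse must not touch the evidence.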
Windows Registry Hives
Autopsy's Recent Activity module parses key registry hives automatically, but you can also navigate to them directly in the file system tree under Windows/System32/config/.
| Hive File | Location | Contains |
|---|---|---|
| SAM | config\SAM | Local user accounts and password hashes |
| SYSTEM | config\SYSTEM | Hardware config, USB history, timezone, computer name |
| SOFTWARE | config\SOFTWARE | Installed programs, OS version, run keys (autostart) |
| SECURITY | config\SECURITY | Security policy, cached domain credentials |
| NTUSER.DAT | Users\<username>\NTUSER.DAT | Per-user settings, MRU lists, typed paths, search history |
| UsrClass.dat | Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat | Shell bags - folder browsing history |
// Generating Reports
When your analysis is complete, Autopsy can generate a report from everything you've tagged and bookmarked during the investigation.
Go to Tools > Generate Report. You can export in several formats:
| Format | Best used for |
|---|---|
| HTML Report | Shareable, self-contained report - includes thumbnails and linked artefacts. Best for general reporting. |
| Excel (XLS) | Flat data export - useful for sorting and filtering large artefact sets in a spreadsheet. |
| Tagged Results | Report limited to files and artefacts you tagged as Notable or Follow Up - keeps the output focused. |
| Body File | TSK body file format - all file system events with MAC times. Import into Plaso or mactime for further timeline analysis. |
Tag as you go. The report is only as useful as your tags. Mark anything significant during analysis rather than trying to remember findings at the end. Use Notable Item for confirmed evidence and Follow Up for items that need more investigation.
// Tips & Best Practices
Always work from a forensic image, never the original. Create a verified copy of the evidence using FTK Imager or dd before opening anything in Autopsy. Preserve chain of custody and verify integrity with MD5/SHA-256 hashes.
Verify the image hash before and after. Autopsy will calculate the hash of your data source during ingest. Compare it against your acquisition hash to confirm the image is intact.
Run all ingest modules upfront. Modules like Keyword Search and Hash Lookup are much faster to run on first ingest than to add later. Enable everything relevant before starting the ingest job.
Use hash sets to filter noise. Import the NIST NSRL known-good hash set to automatically flag OS and application files. This lets you focus analysis on user-created or unknown files rather than sifting through thousands of Windows system files.
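Two of the tips above, verifying the image hash and filtering with hash sets, are the same primitive used two ways. The script below is an added example, not Autopsy's code: it hashes an image in chunks (so a multi-gigabyte image never has to fit in memory), compares the result with the recorded acquisition hash, and then classifies files against known-good and known-bad sets the way the Hash Lookup module does. The image bytes, file contents and hash sets are constructed for the demo; real NSRL sets are far larger.

```python
"""Added example (not Autopsy's code): image hash verification and hash-set
classification. Image bytes, file contents and hash sets are constructed."""
import hashlib
import io


def hash_stream(fp, algorithms=("md5", "sha256"), chunk_size=1024 * 1024) -> dict:
    """Hash a file-like object in chunks so a large image never sits in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = fp.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(fp, acquisition_hashes: dict):
    """Compare freshly computed hashes with those recorded at acquisition.
    Returns (all_match, computed) so the computed values can be logged either way."""
    computed = hash_stream(fp, algorithms=tuple(acquisition_hashes))
    ok = all(computed[a] == acquisition_hashes[a].lower() for a in acquisition_hashes)
    return ok, computed


def classify_files(files: dict, known_good: set, known_bad: set) -> dict:
    """Hash Lookup style triage: known-bad wins over known-good; 'unknown' is
    the set worth an analyst's time."""
    result = {}
    for name, content in files.items():
        digest = hashlib.sha256(content).hexdigest()
        if digest in known_bad:
            result[name] = "notable"
        elif digest in known_good:
            result[name] = "known-good"
        else:
            result[name] = "unknown"
    return result


# Constructed "image" (1 MiB of repeating bytes) and its recorded acquisition hashes
IMAGE = bytes(range(256)) * 4096
ACQUISITION = {"sha256": hashlib.sha256(IMAGE).hexdigest(),
               "md5": hashlib.md5(IMAGE).hexdigest()}

# Constructed file contents and hash sets
FILES = {
    "Windows/System32/kernel32.dll": b"constructed os file",
    "Users/jsmith/Downloads/setup.exe": b"constructed unknown file",
    "Windows/Temp/svc.exe": b"constructed known-bad sample",
}
KNOWN_GOOD = {hashlib.sha256(FILES["Windows/System32/kernel32.dll"]).hexdigest()}
KNOWN_BAD = {hashlib.sha256(FILES["Windows/Temp/svc.exe"]).hexdigest()}


def demo():
    """Verify the intact image, verify a one-byte-altered copy, classify the files."""
    ok, _ = verify_image(io.BytesIO(IMAGE), ACQUISITION)
    tampered = bytearray(IMAGE)
    tampered[4096] ^= 0x01          # a single flipped byte must fail verification
    bad, _ = verify_image(io.BytesIO(bytes(tampered)), ACQUISITION)
    return ok, bad, classify_files(FILES, KNOWN_GOOD, KNOWN_BAD)


if __name__ == "__main__":
    intact, altered, classes = demo()
    print("intact image verifies:", intact, "| altered image verifies:", altered)
    for name, verdict in classes.items():
        print(f"{verdict:<10} {name}")
```

Record both the acquisition hash and the re-computed hash in your notes with timestamps; the pair is what lets you show later that the image you analysed is the one you acquired.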
Document everything. Note the hash of each piece of evidence, the modules run, and the timestamps of your analysis. In a real investigation this documentation is as important as the findings themselves.