1. Brief History

   In 2001, first Open Source platform was released. It is interfaced to The Sleuth Kit. It is applicable for only Linux and OS X. And then in 2010, they started v3 from scratch as a platform. It is based on OSDFCon discussions. It is Windows-based and automated. Some US Army funding (with 42Six Solutions). Finally, v3.0.0 released in September, 2012.

2. Basic Concept

   This section will outline the following basic concepts:

   • Investigation Workflow
   • Deployment Types
   • Central Repository
   1. Investigation Workflow

      Analyzing data in Autopsy uses the following workflow:

      Step 1: Make a Case

      A case is a “container for one or more data sources. One must be created before data is analyzed”.

      
       

      Step 2: Add a Data Source

      One or more data sources are added to the case. Data sources include disk images and local files.

      
       

      Step 3: Configure Ingest Modules

      After the data source is included, ingest modules work out of sight to break down the information. Results are presented on the interface continuously and give cautions as important. Model ingests modules incorporate hash count and query, watchword looking, and web relic extraction. Third party modules can be created and added to the pipelines.

      
       

      Step 4: Review of manually analyze Data

      The user navigates “the interface, files contents, and ingest module results to identify the evidence”.

      Step 5: Tag Results

      Interesting items can be tagged for later reporting and analysis.

      Step 6: Report Generation

      The user initiates a final report based on selected tags or results.

   2. Deployment Types

      There are two types of deployment. (a) Desktop/Single User (b) Cluster/Multiuser.

      • Desktop/Single User:

        Functionality: In this type, cases can be opened by only one person at a time.

        Technical: Everything runs on a single computer. It works out of the box with a single installer. Launching Autopsy will start all embedded services (i.e. Data bases, Text indexing etc...)

        
         
      • Cluster/Multiuser

        Functionality: Cases can be opened by multiple users at the same time.It allows for “Auto Ingest” mode where new media is automatically analyzed 24×7 by multiple modes. It provides faster analysis because data base is often faster.

        Technical: User experience is the exact same. It uses central level servers for database, text index etc. And also it uses central level high speed storage.

        
         
      • Central Repository

        In this case, Database that stores data from past cases. It contains MD5 hash values, comments and wifi SSIDs.

        Autopsy typically has case-specific databases. It keeps databases smaller and easier to manage. It allows for archival etc.

        Central Repository deployment types:

        Two types are supported:

        • (i) SQLite – It requires no other installations. It can be used by only one user at a time.
        • (ii) PostgreSQL – Database is stored on a server. It can be used by multiple users at a time. It can use the same server for multi-user cases.

1. Cases

   A case can contain at least information sources (disk image, disk devices and logical files). The data sources can be from various drives in a solitary PC or from numerous PCs.

   A case groups the investigation data you are going to analyze. It's up to you how many cases you create: either it may be by investigation or by host within an investigation.

   Each case has its own index (directory) that is named dependent on the case name. The index will contain configuration files, a database, reports, and different records that modules create.

   The fundamental Autopsy case configuration file has an ".aut" augmentation.

   Factors:

   • Only one case can be open at a time.
   • Reporting is done at a case level.
   • Cases are automatically saved.
   1. Creating a Case
      
       

      There are several ways to create a new case:

      • The opening splash screen has a button to create a new case.
      • The "File", "Create New Case" menu item
   2. Case directory

      Each Autopsy case (Multi and Single user) has a directory. Either it has a notion of a ‘base’ directory or it makes a folder in the base directory with the case name.

      Note: In a Multi-user cluster, all examiners need to have access to the case directory at the same path.

      Case directory contents:

      • Autopsy.db – SQLite database will store basic case information and data source information.
      • Export folder - Default location to store exported files.
      • Reports folder – Default location to store reports.
      • Module output folder – Default location for modules to write output to.
2. Data Sources

   A data source the thing you need to examine. It tends to be a plate picture, some legitimate records, a neighborhood drive, and so forth. You should open a case preceding adding a data source to Autopsy.

   1. Adding a Data Source

      You can include a data source in a few different ways:

      • After you make a case, it naturally prompts you to include a data source.
      • There is a toolbar thing to include a Data Source when a case is open.
      • The "File", "Add Data Source" menu thing when a case is open.
        
         

        Autopsy supports three types of data sources:

      • Disk Image: A file (or set of files) that is a byte-for-byte copy of a hard drive or media card.
        • Adding a Disk Image

          Autopsy supports disk images in the following formats:

          • Raw Single (For example: *.img, *.dd, *.raw, etc)
          • Raw Split (For example: *.001, *.002, *.aa, *.ab, etc)
          • EnCase (For example: *.e01, *e02, etc)

          To add a disk image:

          • Choose "Image File" starting from the pull.
          • Browse to the first file in the disk image. You have to determine just the first file and Autopsy will discover the rest.
          • Choose the timezone that the disk image originated from. This is generally significant for when including FAT record frameworks since it doesn't store timezone data and Autopsy won't realize how to standardize to UTC.
          • Choose to perform orphan file finding on FAT file systems. This can be a time intensive procedure since it will necessitate that Autopsy takes a gander at every area in the gadget.
        • Disk Image Analysis

          It uses The Sleuth Kit (TSK) to analyze the contents of the image. And it detects volume systems that break the disk into partitions. And also it detects file systems that organize a partition so that files can be stored.

        • Volume System Analysis

          Volume systems organize the disk image into one or more volumes (or partitions). It is located near the beginning of the disk image. Autopsy/TSK supports: disk operating system (DOS), GUID Partition Table (GPT), Macintosh (Mac), Berkeley Software Distribution (BSD) and Solaris.

          Autopsy will show areas of disk that are not in a volume.

          
           

          Each volume is analyzed to look for a file system. If no volume is found, the entire image is analyzed for a file system.

        • File System Analysis

          It allows files to be stored. Typically it is located at beginning of disk image or inside of volume.

          The supported formats are: NT File System (NTFS), File Allocation Table (FAT), Extensible File Allocation Table (EXFAT), The hierarchical file system (HFS+), ISO9660, Ext 2/3/4, Reverse Engineering of the Android File System (YAFFS2), Universal Flash Storage (UFS).

        • Orphan Files

          o Orphan files are those that are deleted and no longer have a parent folder. They are accessible in the “$OrphanFiles” folder. And finding orphan files in FAT file system is time intensive. Every cluster must be read and analyzed. And it can be disabled when image is added.

      • Local Drive: Local storage device (local drive, USB-attached drive, etc.).
        • Adding a Local Drive

          Autopsy can break down a local drive without expecting to initially make an image duplicate of it. This is most valuable while breaking down a USB-appended gadget through a compose blocker.

          Note: on the off chance that you are breaking down a neighborhood drive that is being refreshed, at that point Autopsy won't see documents that are included after you include it as an information source.

          You should be running Autopsy as an Administrator to see all gadgets.

          To include a neighborhood drive:

          • Choose "Local Drive" starting from the pull.
          • Choose the gadget starting from the pull list.
          • Choose to perform orphan file finding.
      • Logical Files: Local files or folders.
        • Adding a Logical File

          You can add files or folders that are on your local computer (or on a shared drive) without putting them into a disk image. This is useful if you have only a collection of files that you want to analyze.

          Some things to note when doing this:

          • Autopsy ignores the time stamps on files that it adds this way because they could be the timestamps when they were copied onto your examination device.
          • If you have a USB-attached device that you are analyzing and you choose to add the device's contents using this method, then note that it will not look at unallocated space or deleted files. Autopsy will only be able to see the allocated files. You should add the device as a "Logical Drive" to analyze the unallocated space.

          To add logical files:

          • Choose "Logical Files" from the pull down.
          • Press the "Add" button and navigate to a folder or file to add. Choosing a folder will cause all of its contents (including sub-folders) to be added.
          • Continue to press "Add" until all files and folders have been selected.

          All of the files that you added in the panel will be grouped together into a single data source, called "LogicalFileSet" in the main UI.

The Autopsy Forensic Browser empowers you to lead an advanced criminological examination. It is a graphical interface to The Sleuth Kit and different devices. Autopsy permits you to look at a hard drive or cell phone and recuperate proof from it. This whitepaper should help you with using Autopsy. Current version of Autopsy works better with good system configuration.