Autopsy: a platform overview

Autopsy is the graphical user interface (GUI) for The Sleuth Kit. It makes the toolkit simpler to operate, automates many of its procedures, and so makes it easier to identify, sort and catalogue pertinent pieces of forensic data. As the name implies, The Sleuth Kit—a collection of command-line tools and a C library—allows users to collect, parse and analyse forensic data from computer systems and mobile phones. The website claims that it can even recover photos from your camera.[1] Layering a GUI over text-based and command-line interfaces might not appeal to purists who love their simplicity, but Autopsy offers an ease of use that those who grew up with GUI interfaces will appreciate.

Autopsy: Windows/UNIX friendly and Mac friendly-ish platform

Autopsy is ready to go on any Windows-based or UNIX system and lets the user view data from NTFS, FAT, UFS1/2, Ext2/3 images (and more); it can be adapted for use on Macintosh as well. Both Autopsy and The Sleuth Kit are Open Source and run on UNIX platforms. The complexity of UNIX might deter some users, but that is perhaps the worst drawback of this package. The Open Source approach allows the user to verify every aspect of the data capture, parsing and analysis, providing transparency and essentially putting control fully into the hands of the user. In that sense, the software is both educational and informational. The user can be entirely aware of how the information is collected, parsed and categorized, and can also add plug-ins and rewrite code to tailor it to any particular use. The software is also free, which sweetens the deal, and supported, which is practically unheard of for freeware. The website contains plenty of documentation, a blog, a wiki, a trouble-shooting forum, trouble-shooting history and other useful materials. If that is not enough, YouTube also carries a number of videos to guide the new user through installation and an overview, ranging from two-minute tutorials (https://www.youtube.com/watch?v=PvHgR1poU5s) and 30-minute exhaustive explanations (https://www.youtube.com/watch?v=Smy4mj293GE) to more complex explanations of advanced uses and specific tasks, e.g. analysis of disk images (https://www.youtube.com/watch?v=FJqoUakfmdo&t=148s). YouTube offers a broad range of brief to detailed guided audio-video files that make mastering the software a breeze.

Installation and use

Autopsy and The Sleuth Kit are a quick and easy download, and contain wizards that facilitate smooth installation. The Sleuth Kit is complete upon installation, but users can also write and add their own modules in Java or Python. Trouble writing a module? No worries. The website also offers training how-to guides for individual modules the user might wish to add as plug-ins to the system. That means ultimate control and customization, which also suggests an extra layer of assurance for those who build their own, since they can inspect exactly what their module does.

Functions and features

Autopsy claims it is “intuitive” to use, “right out of the box.”[2] It can run keyword searches and extract web artifacts from browsers such as Chrome, Firefox and IE. One useful feature is Autopsy’s ability to produce results in real time, streaming keyword hits as they turn up in the searched data. A quick right-click opens the relevant file. That means little or no wait time to find out whether specific search terms are on the disk, phone or computer being examined. Users can also backtrack when deep searches lead nowhere, using back and forward history buttons to retrace their steps. Video can be viewed without external applications, increasing ease and speed of use. Thumbnail views, sorting by file and file type, filtering out known-good files and flagging known-bad ones using custom hash set filtering are just some of the other features found in Version 3, which offers major improvements over Version 2.[3] Basis Technology largely funded the work on Version 3; Brian Carrier, who produced much of the work on earlier versions of Autopsy, is its CTO and head of digital forensics. He is also considered a Linux expert and has authored books on forensic data analysis, and Basis Technology produces The Sleuth Kit. As a result, users can feel fairly confident that they are getting a good product, one that is not going to disappear any time soon and that will likely be well supported into the future. All good things to know.
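The hash set filtering, file type sorting and keyword search described above are worth seeing in miniature. The following is an added example, not code from Autopsy or The Sleuth Kit: it triages a handful of constructed in-memory "files" the way an examiner would configure those three features. A known-good set (standing in for an NSRL-style reference set) and a notable set (the examiner's custom hash set) are looked up by SHA-256, file type is sniffed from magic bytes rather than trusted from the extension, and keyword hits are reported with their byte offsets. All file names, contents and hash sets are constructed for the example.

```python
"""Added example: hash set filtering, type sniffing and keyword search in miniature.
Not Autopsy or Sleuth Kit code; every file and hash set below is constructed."""
import hashlib
import os

# Constructed sample files, standing in for files pulled from a disk image.
SAMPLE_FILES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,          # real JPEG header
    "notes.txt": b"meeting at noon\n",
    "invoice.pdf": b"%PDF-1.4\n%constructed sample\n",
    "report.doc": b"MZ\x90\x00" + b"\x00" * 12,                   # PE header under a .doc name
    "readme.txt": b"project readme\n",
}

# (magic bytes, MIME type, extensions that legitimately carry this type)
MAGIC = [
    (b"\xff\xd8\xff", "image/jpeg", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "image/png", {".png"}),
    (b"%PDF-", "application/pdf", {".pdf"}),
    (b"MZ", "application/x-dosexec", {".exe", ".dll"}),
]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sniff_type(data: bytes):
    """Identify the type from leading bytes, never from the file name."""
    for sig, mime, exts in MAGIC:
        if data.startswith(sig):
            return mime, exts
    return "application/octet-stream", set()


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the sniffed type has known extensions and the name uses none of them."""
    _, exts = sniff_type(data)
    if not exts:
        return False
    return os.path.splitext(name)[1].lower() not in exts


def classify(name: str, data: bytes, known_good: set, notable: set) -> dict:
    """Apply the hash sets: notable beats known-good, anything else is unknown."""
    digest = sha256(data)
    if digest in notable:
        verdict = "notable"
    elif digest in known_good:
        verdict = "known-good"
    else:
        verdict = "unknown"
    mime, _ = sniff_type(data)
    return {"name": name, "sha256": digest, "type": mime,
            "verdict": verdict, "ext_mismatch": extension_mismatch(name, data)}


def triage(files: dict, known_good: set, notable: set) -> list:
    """Drop known-good files so the reviewer only sees what still needs a look."""
    results = [classify(n, d, known_good, notable) for n, d in files.items()]
    return [r for r in results if r["verdict"] != "known-good"]


def keyword_hits(files: dict, keywords: list) -> list:
    """Case-insensitive substring search; returns (file, keyword, byte offset) per hit."""
    hits = []
    for name, data in files.items():
        lowered = data.lower()
        for kw in keywords:
            start = 0
            while (pos := lowered.find(kw.lower().encode(), start)) != -1:
                hits.append((name, kw, pos))
                start = pos + 1
    return hits


# Constructed hash sets: readme.txt is "known good", report.doc is "notable".
KNOWN_GOOD = {sha256(SAMPLE_FILES["readme.txt"])}
NOTABLE = {sha256(SAMPLE_FILES["report.doc"])}

if __name__ == "__main__":
    for row in triage(SAMPLE_FILES, KNOWN_GOOD, NOTABLE):
        flag = " EXT-MISMATCH" if row["ext_mismatch"] else ""
        print(f"{row['verdict']:10} {row['type']:24} {row['name']}{flag}")
    for name, kw, off in keyword_hits(SAMPLE_FILES, ["noon", "invoice"]):
        print(f"hit: {kw!r} in {name} at offset {off}")
```

The ordering in `classify` matters: a file in both sets is reported as notable, because a custom hash set is the examiner's explicit judgement and must not be silenced by a reference set. Sniffing type from magic bytes is what lets `report.doc` surface as an executable with a misleading name even though its hash is the only thing the hash set knows about.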

The bottom line

Autopsy and The Sleuth Kit are widely known, used and trusted. Autopsy has more than 1,000 GitHub stars, a measure used by industry peers to acknowledge the utility of a piece of software or hardware. It has had significant input from expert contributors to improve its functionality, and it is user friendly and easy to download and use. The Sleuth Kit and Autopsy are also Open Source products, so the code is transparent for any user to inspect and to alter as required for their own purposes. The modular structure allows plug-ins to serve the same purpose. The Sleuth Kit is considered a leader in its field and rates a ‘project health score’ of 97/100 from the Linux Security Expert site.[4]

[1] Sleuth Kit website, Autopsy page. Retrieved 12 January 2018 from https://www.sleuthkit.org/autopsy/

[2] Ibid.

[3] The latest version as of January 2018 is Autopsy Version 4.5.

[4] The Sleuth Kit. 30 November 2017. Retrieved 12 January 2018 from https://linuxsecurity.expert/tools/the-sleuth-kit/

Be Safe

Section Guide: Ryan Fahey