Autopsy: Digital Forensics
Uncovering digital evidence and recovering files.
Learn how to investigate digital devices and recover evidence with the industry-standard forensics tool.
How to Find Hidden Proof with Autopsy.
Autopsy is a free tool used to look inside computer drives. It finds deleted files, reads internet history, and builds timelines. Police and computer experts use it to figure out exactly what happened on a computer.
The Golden Rule
Never look at the real computer drive directly.
What is a Disk Image?
Before we use Autopsy, we must copy the target computer. We make an exact, perfect copy of everything on the hard drive. This perfect copy is called a disk image.
We load this copy into Autopsy. This keeps the real computer safe. If we make a mistake, we only break the copy, not the real evidence. The copy is also hashed when it is made, so anyone can later prove it still matches the original drive byte for byte.
The 4 Steps of Autopsy
1. Start a Case: Give your project a name and a number. This keeps your work organized.
2. Add Data: Tell Autopsy where the disk image is located on your computer.
3. Run Modules: Ask Autopsy to search for pictures, emails, or deleted files automatically.
4. Make Report: Save all the proof you found into a document for others to read.
Finding Deleted Files
When someone deletes a file and empties the trash, the file is not really gone. The computer just marks that space as empty. Autopsy ignores those marks and pulls the original files back out, as long as new data has not yet been written over that space.
| File Name | Status | Size | Location |
|---|---|---|---|
| secret-plan.pdf | Recovered | 1.2 MB | /Users/Bob/Documents/ |
| vacation.jpg | Normal | 4.5 MB | /Users/Bob/Pictures/ |
Reading Web History
People browse the web every day. Autopsy finds out exactly what they looked at, even if they tried to clear their history or used "private" mode.
- Finds past web searches.
- Shows downloaded files.
The Timeline Tool
Knowing what happened is good. Knowing when it happened is better. Autopsy puts every file, message, and web search on a straight timeline. You can see the story unfold minute by minute.
Find Any Word
Hard drives are huge. Reading every document would take years. Autopsy has a giant search engine built right into it. You type a word, and it finds every time that word was typed anywhere.
Found "Project X" in: email_09.txt
Digital Fingerprints
Autopsy uses a hash function (such as MD5 or SHA-256) to create a fingerprint for every file. This fingerprint is called a "Hash". Two files with the same content always produce the same hash, so a hash can be compared against lists of known files.
// Calculating file hash...
File: picture1.jpg
MD5 : 9e107d9d372bb6826bd81d3542a419d6
>>> ALERT: MATCH FOUND IN KNOWN BAD FILES
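The two jobs a hash does on this page, proving a disk image is still an exact copy (the Golden Rule above) and matching a file against a known-bad hash set, as an added Python example that is not Autopsy's own code. The known-bad set and the evidence file are constructed for the demo; the MD5 is the value shown above.

```python
import hashlib
import os
import tempfile

# Constructed "known bad" hash set for the demo. Real hash sets (such as the
# NSRL lists Autopsy can load) are far larger; this one entry is made up here.
KNOWN_BAD_MD5 = {"9e107d9d372bb6826bd81d3542a419d6"}


def hash_stream(fh, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Hash an open binary stream in chunks so multi-GB images fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path, algorithms=("md5", "sha256")):
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def verify_image(path, expected_sha256):
    """Golden-rule check: the copy we analyse must hash exactly like the acquisition."""
    return hash_file(path, ("sha256",))["sha256"] == expected_sha256.lower()


def is_known_bad(path):
    """Hash-set lookup: flag a file whose MD5 appears in the known-bad set."""
    return hash_file(path, ("md5",))["md5"] in KNOWN_BAD_MD5


def demo():
    # Constructed evidence file; its MD5 is the value shown in the alert above.
    data = b"The quick brown fox jumps over the lazy dog"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "picture1.jpg")
        with open(path, "wb") as fh:
            fh.write(data)
        acquisition_sha256 = hashlib.sha256(data).hexdigest()  # recorded at imaging time
        return {
            "md5": hash_file(path)["md5"],
            "image_ok": verify_image(path, acquisition_sha256),
            "tampered_ok": verify_image(path, "0" * 64),  # wrong hash: copy rejected
            "known_bad": is_known_bad(path),
        }


if __name__ == "__main__":
    print(demo())
```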
Ingest Modules (The Helpers)
Autopsy comes with small helper programs called "Ingest Modules". You turn them on, and they do the boring, hard work for you while you wait.
Photo Secrets (EXIF)
When you take a picture with a phone, it saves hidden text inside the picture file. This text is called "EXIF data".
Autopsy reads this hidden text to tell you exactly where the picture was taken on a map, and exactly what kind of phone took it.
DEVICE: iPhone 14
DATE: 2023-10-04 14:02:00
GPS: 40.7128° N, 74.0060° W
The Computer's Diary (Registry)
Windows has a secret diary called the "Registry". It writes down almost everything you do.
If someone plugs in a USB thumb drive to steal files, the Registry remembers the exact name and serial number of that USB drive forever. Autopsy can read this diary to prove a drive was connected.
Reading System Hive...
ROOT\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer
>>> SERIAL: 4C53000133092811
>>> FIRST CONNECTED: Monday, 08:14 AM
Rescuing Broken Files (Carving)
Sometimes, a hard drive gets damaged or someone tries to format it. The computer's map of where files are located gets destroyed.
Autopsy does not need the map. It scans the raw drive looking for special "starting blocks" (like the start of a PDF document). When it finds one, it glues the pieces back together. This is called "File Carving".
CARVING FILE... SUCCESS.
Reading the Mail
Autopsy can open big, complicated email files used by office programs. It shows you exactly who sent messages, who received them, and any files they attached, making it easy to read old conversations.
"Make sure you delete those files before the police arrive."
Proving a Program Ran
When you open a program, the computer makes a tiny file to help it load faster next time. This is called a "Prefetch" file. If someone deletes a hacking tool, Autopsy checks the prefetch files to prove they actually opened the tool in the past.
HACK_TOOL.EXE-01A2B3.pf
RUN COUNT: 14
LAST RUN: Yesterday, 11:00 PM
Opening App Databases (SQLite)
Apps on phones or computers save your chat messages and settings in neat little tables called "Databases". Autopsy can open these tables directly so you can read chat messages line by line, just like a spreadsheet.
| Message_ID | Sender | Chat_Text |
|---|---|---|
| 1042 | Alice | Did you get the money? |
| 1043 | Bob | Yes. I hid it. |
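Reading a chat database the way an examiner should, as an added Python example that is not Autopsy's own code: the database is opened read-only so looking at the evidence cannot change it. The chat table and its rows are constructed here to mirror the table above; the column names and timestamps are assumptions.

```python
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def build_sample_chat_db(path):
    """Constructed chat database mirroring the table above (ts = Unix seconds)."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE messages(Message_ID INTEGER PRIMARY KEY, Sender TEXT,
                              Chat_Text TEXT, ts INTEGER);
        INSERT INTO messages VALUES (1042, 'Alice', 'Did you get the money?', 1696428120);
        INSERT INTO messages VALUES (1043, 'Bob', 'Yes. I hid it.', 1696428180);
    """)
    con.commit()
    con.close()


def open_evidence_db(path):
    """Open via a file: URI with mode=ro so the evidence cannot be written to."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)


def list_tables(con):
    rows = con.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
    return [r[0] for r in rows]


def read_messages(con):
    """Return messages oldest first, with the Unix timestamp rendered in UTC."""
    rows = con.execute("SELECT Message_ID, Sender, Chat_Text, ts FROM messages ORDER BY ts")
    return [{"id": r[0], "sender": r[1], "text": r[2],
             "time": datetime.fromtimestamp(r[3], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")}
            for r in rows]


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "chat.db"
        build_sample_chat_db(str(db))
        con = open_evidence_db(db)
        try:
            con.execute("DELETE FROM messages")  # must fail: read-only connection
            write_blocked = False
        except sqlite3.OperationalError:
            write_blocked = True
        result = {"tables": list_tables(con), "messages": read_messages(con),
                  "write_blocked": write_blocked}
        con.close()
        return result


if __name__ == "__main__":
    for m in demo()["messages"]:
        print(m["time"], m["sender"], m["text"])
```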
Sticky Notes for Evidence (Tagging)
While searching millions of files, you will find important clues. Autopsy lets you stick a digital "Tag" on them, so you never lose them. You can filter your whole case to only show files with specific tags.
Looking at the Raw Numbers (Hex Viewer)
Sometimes criminals try to disguise a file by changing its name from ".jpg" to ".txt". The Hex Viewer lets you look at the raw bytes inside the file, shown as hexadecimal numbers. The first few bytes (the file header, or "magic number") reveal what the file really is, no matter what its name says.
00000000 FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 00 48 |......JFIF.....H|
00000010 00 48 00 00 FF DB 00 43 00 08 06 06 07 06 05 08 |.H.....C........|
>>> FILE HEADER "FF D8" MEANS THIS IS A PICTURE, NOT TEXT.
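The header check above and the file carving described earlier rely on the same idea, so one added Python example covers both (this is illustration code, not Autopsy's carver): a hex dump in the layout shown above, a magic-number check that spots a renamed picture, and a simple header-to-footer carver run over a constructed raw drive. The sample JPEG bytes follow the dump above; the PDF and the filler bytes are constructed.

```python
# Magic bytes per format: (header, footer). Footer-based carving is the simple case;
# real carvers also parse structure, because a footer can appear early (e.g. an
# embedded JPEG thumbnail) and files may be fragmented.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

# Constructed samples: the JPEG header is the one from the dump above plus an end marker.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00H\x00H\x00\x00" + b"\xff\xd9"
PDF_SAMPLE = b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF"
RAW_DISK = b"\x00" * 8 + JPEG_SAMPLE + b"slack data" + PDF_SAMPLE + b"\x00" * 4


def hexdump(data, width=16):
    """Render bytes in the offset / hex / ASCII layout the Hex Viewer shows."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08X} {hexpart:<{width * 3 - 1}} |{ascii_part}|")
    return "\n".join(lines)


def identify(data):
    """Return the format whose header matches the first bytes, or None."""
    for kind, (head, _) in SIGNATURES.items():
        if data.startswith(head):
            return kind
    return None


def extension_mismatch(name, data):
    """True when the name's extension disagrees with the real (header-based) type."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    real = identify(data)
    return real is not None and ext != real


def carve(raw):
    """Find every header, cut to the next footer, return (kind, offset, bytes) by offset."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        start = 0
        while (s := raw.find(head, start)) != -1:
            e = raw.find(tail, s + len(head))
            if e == -1:           # header without footer: truncated, skip
                break
            e += len(tail)
            found.append((kind, s, raw[s:e]))
            start = e
    return sorted(found, key=lambda t: t[1])
```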
Finding Locked Doors
Autopsy cannot magically guess a password to open a locked file. However, it WILL find every single locked file, encrypted folder, or password-protected zip file on the computer.
It puts all the "locked doors" in one list, so you know exactly where the secrets are kept and where you need to focus your password-cracking tools.
Encrypted Zip Found
"taxes-2023.zip"
Working Together (Team Mode)
Huge police cases have too much data for one person to read. Autopsy has a Team Mode. A whole team of investigators can look at the same disk copy at the same time. If one person tags a clue, the whole team sees it instantly.
Making the Final Report
When you find the proof you need, you simply click "Generate Report." Autopsy takes all your findings, pictures, tags, and timelines, and builds a neat document. You can hand this document directly to your boss, a lawyer, or a judge.