Autopsy — Digital Forensic Toolkit

In our this detailed tutorial we are going to Learn about Autopsy digital forensic toolkit in our Kali Linux system.

Autopsy is one of the digital forensics toolkit use to investigate Windows, Linux, Mac, Android and IOS images. Autopsy is a digital forensics platform and graphical interface to Sleuth Kit Suite® and other digital forensics tools.

It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer. We can even use it to recover files from our pen drive. Everyone wants reports quicker so Autopsy produces results in real time, making it much more compatible over other forensics tools.

Opening Autopsy

Autopsy comes pre-installed in our Kali Linux machine. We can find the option “forensics” in the application tab. Select “autopsy” from the list of forensics tools, this works for root user but with the newer version of Kali Linux we got non-root user in default so it might not work. In that case we can simply run sudo autopsy command in terminal.

sudo autopsy

The screenshot is following:

When we start autopsy, it will open a terminal where we can see a program information, the version number listed as 2.24 with the path to the evidence locker folder as /var/lib/autopsy and an address http://localhost:9999/autopsy to open it on a web browser.

Now we copy that link and open it in our Kali Linux’s web browser, we will be in the home page of autopsy. This tool is running on our local web server accessing the port 9999. We can seethe home page of autopsy as following screenshot.

Creating a new case

There will be three options on the home page of autopsy: “OPEN CASE“, “NEW CASE“, “HELP“.

For digital forensic investigation, we need to create a new case and arrange all the information and evidences, so we select “NEW CASE“.

This will lead us to a page where we have been asked to add case name, description and investigator names, as following screenshot:

We can add more than one investigator name because in these scenarios usually a team of forensic investigators working on a single cyber forensic case.

After fill this page we click on the “New Case“.

The above screenshot is simply showing us the name of the case, the destination where it will be stored i.e. /var/lib/autopsy/Example-Case/, and the destination where its configuration file will be stored i.e. /var/lib/autopsy/Example-Case/case.aut 

Then we need to choose investigator’s name and then select ‘ADD HOST’ option below.

Then autopsy will be ask to enter the name of the computer we are investigating and the description of the investigation. After that it will ask us the time zone (leaving it blank will select the default setting).

Timeskew adjustments means a value in seconds to compensate for differences in time, path of alert hash means a path to the created database of bad hashes and a path of ignore hash database means specifying a path to the database of good hashes.

Then we select ‘ADD HOST’ to continue.

Here we can import investigating image file.

Creating an Image file

Now we need to add an image file of the system or drive which we want to investigate. The reason for doing this is analysis cannot be conducting on an original storage device.

A disk Image can be defined as a file that stores the contents and structure of a data storage device such as a hard drive, CD drive, phone, tablet, RAM, or USB. This image file can be taken locally or remotely.

There are many ways to create the image file. We can use the guymager to acquire a disk image.

Once we get the image file, we can select “ADD IMAGE FILE” option.

In the above screenshot we can see that we need to enter the location of our evidence image file, type and the mode of import. Then we click on “Next”.

Then we click on “ADD”, and the screen appears like following screenshot.

This is showing the hash value of the evidence image file and links the image into the evidence locker. Here we click “OK” to continue.

Analyzing The Case

Now we have successfully imported the file for digital forensic investigation. Now we can start analysis by clicking on “Analyze“. The screenshot is following:

We can see that to start analyzing the image file we need to choose an analysis mode from the above tabs. For an example we choose “File Analysis” mode.

In this detailed article we have learned how to use a forensic toolkit Autopsy to investigate an image file in our Kali Linux system and analyze the contents inside that file. We also calculated the hash value of the image file so that in future if there is a need to prove the integrity of the image file you can easily validate it by matching the hash values to maintain evidence integrity.

Stay updated with our articles by following us on Twitter and GitHub. Be a part of the KaliLinuxIn community by joining our Telegram Group, where we focus on Linux and Cybersecurity. We’re always available to help in the comment section and read every comment, ensuring a prompt reply.