Autopsy Forensic Browser, version 2

From ForensicsWiki
Autopsy
Maintainer: Brian Carrier
OS: Web-based
Genre: Analysis
License: GPL
Website: sleuthkit.org/autopsy/v2/

The Autopsy Forensic Browser (Autopsy) is a graphical interface to the command-line digital investigation analysis tools in The Sleuth Kit. Together, they can analyze Windows and UNIX disks and file systems (NTFS, FAT, UFS1/UFS2, Ext2/Ext3).

The Sleuth Kit and Autopsy are both open source and run on UNIX platforms. Because Autopsy is HTML-based, you can connect to the Autopsy server from any platform using a web browser. Autopsy provides a "File Manager"-like interface and shows details about deleted data and file system structures.

Current state

As of 2014, Autopsy 2.24 is the last version of Autopsy that supports non-Windows platforms. Because Autopsy 2.24 was released in 2010, it cannot support all features introduced in the latest versions of The Sleuth Kit. Various modifications introduced in The Sleuth Kit since 2010 break Autopsy 2.24.

There are several known conflicts between Autopsy 2.24 and The Sleuth Kit 4.1.3:

  • Autopsy cannot normally jump through directories on HFS.
  • Autopsy cannot handle Sun VTOC.
  • Autopsy cannot view timelines in most cases.

Also, Ext4 creation timestamps cannot be viewed in Autopsy's "File Manager"-like interface. An unofficial patch exists to fix or "hack around" these issues.

See also