Autopsy (software)

Last updated July 09, 2024

Autopsy is computer software that makes it simpler to deploy many of the open source programs and plugins used in The Sleuth Kit.^[1] The graphical user interface displays the results from the forensic search of the underlying volume, making it easier for investigators to flag pertinent sections of data. The tool is largely maintained by Basis Technology Corp. with the assistance of programmers from the community. The company sells support services and training for using the product.^[2]

Extensible: Users can add new functionality by creating plugins to analyze parts or all of the underlying data source.
Centralized: It provides a standard and consistent way to access all features and modules.
Ease of Use: The Autopsy Browser includes wizards and historical tools to help users repeat their steps without needing to reconfigure settings.
Multiple Users: Suitable for both individual investigators and teams working together.

The core browser can be enhanced with various modules that facilitate different tasks, such as scanning files, browsing results, and summarizing findings. A range of open-source modules is available for customization based on specific needs.

Autopsy tool can be used to recover WannaCry-infected data as well.^[3]

Process

Autopsy analyzes major file systems (NTFS, FAT, ExFAT, HFS+, Ext2/Ext3/Ext4, YAFFS2) by hashing all files, unpacking standard archives (ZIP, JAR etc.), extracting any EXIF values and putting keywords in an index. Some file types like standard email formats or contact files are also parsed and cataloged.

Users can search these indexed files for recent activity or create a report in HTML or PDF summarizing important recent activity. If time is short, users may activate triage features that use rules to analyze the most important files first. Autopsy can save a partial image of these files in the VHD format.

Correlation

Investigators working with multiple machines or file systems can build a central repository of data allowing them to flag phone numbers, email addresses, files, or other pertinent data that might be found in multiple places. The SQLite or PostgreSQL database stores the information so investigators can find all occurrences of names, domains, phone numbers, or USB registry entries.

Language

Version 2 of Autopsy is written in Perl and it runs on all major platforms including Linux, Unix, macOS, and Windows. It relies upon The Sleuth Kit to analyze the disk. Version 2 is released under the GNU GPL 2.0.^[4]

Autopsy 3.0 is written in Java using the NetBeans platform. It was released under the Apache license 2.0.^[4]

Autopsy 4.0 runs on Windows, Linux, and macOS.

Autopsy depends on a number of libraries with various licenses.^[4] It works phone with SQLite and PostgreSQL databases to store information. The indices for searching keywords are built with Lucene/SOLR.

Related Research Articles

An integrated development environment (IDE) is a software application that provides comprehensive facilities for software development. An IDE normally consists of at least a source-code editor, build automation tools, and a debugger. Some IDEs, such as IntelliJ IDEA, Eclipse and Lazarus contain the necessary compiler, interpreter or both; others, such as SharpDevelop and NetBeans, do not.

SQLite is a database engine written in the C programming language. It is not a standalone app; rather, it is a library that software developers embed in their apps. As such, it belongs to the family of embedded databases. It is the most widely deployed database engine, as it is used by several of the top web browsers, operating systems, mobile phones, and other embedded systems.

PyQt is a Python binding of the cross-platform GUI toolkit Qt, implemented as a Python plug-in. PyQt is free software developed by the British firm Riverbank Computing. It is available under similar terms to Qt versions older than 4.5; this means a variety of licenses including GNU General Public License (GPL) and commercial license, but not the GNU Lesser General Public License (LGPL). PyQt supports Microsoft Windows as well as various kinds of UNIX, including Linux and MacOS.

GNOME-DB is a database application by the GNOME community. The project aims to provide a free unified data access architecture to the GNOME project for all Unix platforms. GNOME-DB is useful for any application that accesses persistent data, since it contains a data management API.

The following tables compare general and technical information for a number of relational database management systems. Please see the individual products' articles for further information. Unless otherwise specified in footnotes, comparisons are based on the stable versions without any add-ons, extensions or external programs.

<span class="mw-page-title-main">Kexi</span> KDE visual database applications creator

Kexi is a visual database applications creator tool by KDE, designed to fill the gap between spreadsheets and database solutions requiring more sophisticated development. Kexi can be used for designing and implementing databases, data inserting and processing, and performing queries. It is developed within the Calligra project but is released separately.

QGIS is a geographic information system (GIS) software that is free and open-source. QGIS supports Windows, macOS, and Linux. It supports viewing, editing, printing, and analysis of geospatial data in a range of data formats. QGIS was previously also known as Quantum GIS.

The Sleuth Kit (TSK) is a library and collection of Unix- and Windows-based utilities for extracting data from disk drives and other storage so as to facilitate the forensic analysis of computer systems. It forms the foundation for Autopsy, a better known tool that is essentially a graphical user interface to the command line utilities bundled with The Sleuth Kit.

BasisTech is a software company specializing in applying artificial intelligence techniques to understanding documents and unstructured data written in different languages. It has headquarters in Somerville, Massachusetts with a subsidiary office in Tokyo. Its legal name is BasisTech LLC.

The SQuirreL SQL Client is a database administration tool. It uses JDBC to allow users to explore and interact with databases via a JDBC driver. It provides an editor that offers code completion and syntax highlighting for standard SQL. It also provides a plugin architecture that allows plugin writers to modify much of the application's behavior to provide database-specific functionality or features that are database-independent. As this desktop application is written entirely in Java with Swing UI components, it should run on any platform that has a JVM.

Navicat is a series of graphical database management and development software produced by CyberTech Ltd. for MySQL, MariaDB, Redis, MongoDB, Oracle, SQLite, PostgreSQL and Microsoft SQL Server. It has an Explorer-like graphical user interface and supports multiple database connections for local and remote databases. Its design is made to meet the needs of a variety of audiences, from database administrators and programmers to various businesses/companies that serve clients and share information with partners.

EGroupware is free open-source groupware software intended for businesses from small to enterprises. Its primary functions allow users to manage contacts, appointments, projects and to-do lists. The project releases its software under the terms of GNU General Public License (GPL).

Web2py is an open-source web application framework written in the Python programming language. Web2py allows web developers to program dynamic web content using Python. Web2py is designed to help reduce tedious web development tasks, such as developing web forms from scratch, although a web developer may build a form from scratch if required.

SOFA Statistics is an open-source statistical package. The name stands for Statistics Open For All. It has a graphical user interface and can connect directly to MySQL, PostgreSQL, SQLite, MS Access (map), and Microsoft SQL Server. Data can also be imported from CSV and Tab-Separated files or spreadsheets. The main statistical tests available are Independent and Paired t-tests, Wilcoxon signed ranks, Mann–Whitney U, Pearson's chi squared, Kruskal Wallis H, one-way ANOVA, Spearman's R, and Pearson's R. Nested tables can be produced with row and column percentages, totals, standard deviation, mean, median, lower and upper quartiles, and sum.

KNIME, the Konstanz Information Miner, is a free and open-source data analytics, reporting and integration platform. KNIME integrates various components for machine learning and data mining through its modular data pipelining "Building Blocks of Analytics" concept. A graphical user interface and use of JDBC allows assembly of nodes blending different data sources, including preprocessing, for modeling, data analysis and visualization without, or with minimal, programming.

<span class="mw-page-title-main">TACTIC (web framework)</span> Web-based, open source workflow platform and digital asset management system

TACTIC is a web-based, open source workflow platform and digital asset management system supported by Southpaw Technology in Toronto, ON. Designed to optimize busy production environments with high volumes of content traffic, TACTIC applies business or workflow logic to combined database and file system management. Using elements of digital asset management, production asset management and workflow management, TACTIC tracks the creation and development of digital assets through production pipelines. TACTIC is available under both commercial and open-source licenses, and also as a hosted cloud service through Amazon Web Services Marketplace.

The Open Computer Forensics Architecture (OCFA) is a distributed open-source computer forensics framework used to analyze digital media within a digital forensics laboratory environment. The framework was built by the Dutch national police.

The following outline is provided as an overview of and topical guide to MySQL:

DBeaver is a SQL client software application and a database administration tool. For relational databases it uses the JDBC application programming interface (API) to interact with databases via a JDBC driver. For other databases (NoSQL) it uses proprietary database drivers. It provides an editor that supports code completion and syntax highlighting. It provides a plug-in architecture that allows users to modify much of the application's behavior to provide database-specific functionality or features that are database-independent. This is a desktop application written in Java and based on Eclipse platform.

CAINE Linux is an Italian Linux live distribution managed by Giovanni "Nanni" Bassetti. The project began in 2008 as an environment to foster digital forensics and incidence response (DFIR), with several related tools pre-installed.

References

↑ "The Sleuth Kit (TSK) & Autopsy: Open Source Digital Forensics Tools". Brian Carrier.
↑ "Digital Forensics". Basis Technology Corp. 23 December 2013.
↑ S. C. Nayak, V. Tiwari and B. K. Samanthula, "Review of Ransomware Attacks and a Data Recovery Framework using Autopsy Digital Forensics Platform," 2023 IEEE 13th Annual Computing and Communication Workshop and Conference (CCWC), Las Vegas, NV, USA, 2023, pp. 0605–0611, doi: 10.1109/CCWC57344.2023.10099169.
1 2 3 "Autopsy: License". Brian Carrier.

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "The Sleuth Kit (TSK) & Autopsy: Open Source Digital Forensics Tools". Brian Carrier.

[2] "Digital Forensics". Basis Technology Corp. 23 December 2013.

[3] S. C. Nayak, V. Tiwari and B. K. Samanthula, "Review of Ransomware Attacks and a Data Recovery Framework using Autopsy Digital Forensics Platform," 2023 IEEE 13th Annual Computing and Communication Workshop and Conference (CCWC), Las Vegas, NV, USA, 2023, pp. 0605–0611, doi: 10.1109/CCWC57344.2023.10099169.

[lic-4] 1 2 3 "Autopsy: License". Brian Carrier.

[1]

[2]

[3]

[4]