Digital forensics is becoming increasingly important in cybersecurity, investigations, and data recovery. In this post, I’ll walk you through installing Autopsy, an open-source digital forensic tool, and demonstrate how to analyze a volume to detect files by extension, locate documents, executables, and even find deleted files.
- Visit the official Autopsy site: https://www.sleuthkit.org/autopsy
- Download the appropriate installer for your operating system.
- Follow the installation wizard:
  - Choose destination folder
  - Continue Installation
- Once installed, launch Autopsy from the desktop or Start Menu.







Step 2: Creating a New Case
- Open Autopsy → Click “Create New Case”
- Fill in:
  - Case Name
  - Case Number (optional)
  - Examiner Name (optional)
- Choose a location for your case folder and click Finish





Adding a Data Source
- Choose “Add Data Source”
- Select “Disk Image or VM file” or “Local Disk”
- Browse and load the .img, .dd, .E01, or actual partition/volume
- Select ingest modules:
  - File Type Identification
  - Recent Activity
  - Deleted Files
  - Keyword Search
  - EXIF Parser
- Click Next to begin processing





- Go to the Results section → File Types
- Autopsy categorizes files into:
  - Documents (DOCX, PDF, TXT, etc.)
  - Executables (EXE, ELF, APK)
  - Images (JPG, PNG, GIF)
  - Videos, Audio, Archives
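
A file name's extension can be changed freely, so typing files by content is the more reliable check. The Python script below is an added example (not Autopsy's code and not from the original post): it types files by their leading bytes, groups them into the categories listed above, and flags names whose extension disagrees with the content. The signature table, helper names, and sample headers are constructed for illustration.

```python
from pathlib import PurePosixPath

# Constructed subset of well-known signatures: (magic bytes, type, category).
SIGNATURES = [
    (b"%PDF-", "pdf", "Documents"),
    (b"MZ", "exe", "Executables"),
    (b"\x7fELF", "elf", "Executables"),
    (b"\xff\xd8\xff", "jpg", "Images"),
    (b"\x89PNG\r\n\x1a\n", "png", "Images"),
    (b"GIF87a", "gif", "Images"),
    (b"GIF89a", "gif", "Images"),
    (b"PK\x03\x04", "zip", "Archives"),
]
# DOCX and APK are ZIP containers, so a ZIP signature is expected for them.
EXT_ALIASES = {"docx": "zip", "apk": "zip", "jpeg": "jpg", "dll": "exe"}
CONTAINER_CATEGORY = {"docx": "Documents", "apk": "Executables"}


def identify(header: bytes):
    """Return (type, category) from the leading bytes, or (None, 'Unknown')."""
    for magic, ftype, category in SIGNATURES:
        if header.startswith(magic):
            return ftype, category
    return None, "Unknown"


def classify(name: str, header: bytes) -> dict:
    """Type one file by content and compare the result with its extension."""
    ext = PurePosixPath(name).suffix.lower().lstrip(".")
    ftype, category = identify(header)
    if ftype == "zip" and ext in CONTAINER_CATEGORY:
        category = CONTAINER_CATEGORY[ext]
    # Flag only when content was recognised and an extension is present.
    mismatch = bool(ftype and ext and EXT_ALIASES.get(ext, ext) != ftype)
    return {"name": name, "detected": ftype, "category": category, "mismatch": mismatch}


# Constructed sample: (file name, first bytes of the file's content).
SAMPLES = [
    ("report.pdf", b"%PDF-1.7\n"),
    ("holiday.jpg", b"MZ\x90\x00\x03\x00"),   # executable content, image name
    ("notes.docx", b"PK\x03\x04\x14\x00"),
    ("readme.txt", b"plain text, no signature"),
    ("tool", b"\x7fELF\x02\x01\x01"),
]

if __name__ == "__main__":
    for sample_name, sample_header in SAMPLES:
        print(classify(sample_name, sample_header))
```
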

By File types



Finding Deleted Files
- Navigate to Views → Deleted Files
- Autopsy will list files found in unallocated space
- You can sort by file type, size, or preview content

Search by Keyword or Extension
- Use Keyword Search to find strings like “password”, “confidential”, or any file extension like .pdf
- You can also create a timeline of file activity to see what happened when

Generating Forensic Reports
Go to: Tools → Generate Report
Choose report types:
- HTML
- Excel
- Body File (for timeline tools like Plaso)
Select what to include:
- All files
- Keywords hit
- Deleted items
- Installed programs
The report can be shared with other investigators or archived as evidence





Conclusion
Autopsy is a powerful and free forensic toolkit ideal for investigators, students, or tech enthusiasts. With just a disk image, you can uncover hidden files, deleted data, and digital traces that tell a story.
If you’re new to digital forensics, this guide should give you a strong start. Stay tuned for more posts where I’ll explore analyzing mobile phone images and using tools like MobSF and Cellebrite.
Thanks to the Developers
Autopsy and The Sleuth Kit are maintained by an incredible open-source community and contributors at Basis Technology. Their work has made advanced forensics accessible to students, law enforcement, and security professionals worldwide.
💙 Thank you to the developers for making such a powerful forensic suite free and open-source!