
Autopsy Forensic Browser, version 2

Maintainer: Brian Carrier
OS: Web-based
Genre: Analysis
License: GPL

The Autopsy Forensic Browser (Autopsy) is a graphical interface to the command-line digital investigation analysis tools in The Sleuth Kit. Together, they can analyze Windows and UNIX disks and file systems (NTFS, FAT, UFS1/UFS2, Ext2/Ext3).

The Sleuth Kit and Autopsy are both open source and run on UNIX platforms. Because Autopsy is HTML-based, you can connect to the Autopsy server from any platform using a web browser. Autopsy provides a "File Manager"-like interface and shows details about deleted data and file system structures.

Current state

As of 2014, Autopsy 2.24 is the last version of Autopsy that supports non-Windows platforms. Because Autopsy 2.24 was released in 2010, it cannot support all features introduced in the latest Sleuth Kit versions. Various modifications introduced in The Sleuth Kit since 2010 break Autopsy 2.24.

There are several known conflicts between Autopsy 2.24 and The Sleuth Kit 4.1.3:

  • Autopsy cannot normally jump through directories on HFS.
  • Autopsy cannot handle Sun VTOC.
  • Autopsy cannot view timelines in most cases.

Also, Ext4 file creation timestamps cannot be viewed in the Autopsy "File Manager"-like interface. An unofficial patch exists to fix or "hack around" these issues.

See also