Autopsy Cheat Sheet
GUI digital forensics platform built on The Sleuth Kit for disk images, timelines, keyword search, and artifact parsing.
Overview
Autopsy ingests disk images (E01, raw/dd, AFF), attached disks and logical file sets, then runs ingest modules over each data source: hash lookup, file typing, recent-activity/web artifacts, keyword search, email parsing, and more. On top of that it offers file-system browsing, deleted-file recovery, and a timeline view. Standard for analyst-led host forensics.
Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.
Install
Linux / Windows installer from project site

```bash
wget https://github.com/sleuthkit/autopsy/releases/latest/download/autopsy-4.21.0.zip
unzip autopsy-*.zip && cd autopsy*/
./bin/autopsy    # Linux: run the bundled unix_setup.sh once before first launch
```

The URL pins 4.21.0 under latest/download/, so it stops resolving as soon as a newer release is published; copy the current asset name from the releases page instead. The Linux zip also needs a Java runtime and the sleuthkit-java .deb from the same release; on Windows take the .msi from the same page.

Kali
```bash
sudo apt install -y autopsy sleuthkit
```

Kali's apt `autopsy` package is the legacy Autopsy 2.x Forensic Browser (web UI), not the Autopsy 4 GUI described above; for Autopsy 4 on Kali use the GitHub zip.

Essential commands
Launcher for the Kali package (Autopsy 2.x starts a local web server and prints a http://localhost:9999/autopsy URL to open in a browser; the Autopsy 4 zip is started with ./bin/autopsy instead)

```bash
sudo autopsy
```

Common workflows
Keyword search (Keyword Search ingest module config → new list, type Regular Expression)

```text
password
\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
\.(docx|xlsx|pdf)$
```

Autopsy runs regex keywords through its Solr/Lucene index first, so `\b` and `$` behaviour can differ from Java/Python regex; confirm hits on a small test data source before committing an overnight ingest. The third pattern is a filename filter, which File Views → By Extension or an Interesting Files rule does directly; keyword search is for indexed text. The IP pattern is deliberately loose (it also matches 999.999.999.999) and is meant for triage, not validation.

Timeline analysis
```text
Tools → Timeline
Filter by event type: file system, web activity, USB devices, program execution
```

Extract web artifacts
```text
Results → Extracted Content (Data Artifacts in newer builds) → Web History / Web Downloads / Web Cookies
  (produced by the Recent Activity module; the browser, Chrome/Firefox/Edge, is a column on each row)
Email Messages → populated when the Email Parser module has run over PST/OST/mbox files
```

Export for reporting
```text
Generate Report (toolbar) → HTML Report
Right-click file → Extract File(s), then hash the copy and compare with the MD5 Autopsy recorded for it
  (requires the Hash Lookup module to have calculated hashes)
```

Under the hood (same as Sleuth Kit)
```bash
mmls image.e01                                   # partition layout; Start column is in 512-byte sectors
fls -r -p -o OFFSET image.e01                    # recursive listing with full paths; add -d for deleted entries only
icat -o OFFSET image.e01 INODE > recovered.bin   # copy one file by metadata address
```

`-o` takes the partition start in sectors exactly as mmls prints it, not a byte offset. Reading E01 requires a Sleuth Kit build with libewf (distro packages normally include it). Hash recovered.bin (e.g. sha256sum) before you rely on it.

Panel reference
| Panel | Purpose |
|---|---|
| Ingest Modules | Automated parsers (run per data source) |
| File Views | By MIME type, extension, deleted files |
| Data Source Summary | Volume info, hash |
| Tags | Analyst bookmarks for report |
| Interesting Files | Rule-based hits |
| OS Accounts | Parsed Windows users |
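The keyword-search regexes from Common workflows above, run against constructed sample text so you can see what each one will and will not hit before spending an ingest on them. This is an added example, not code from the page or from Autopsy; Python's `re` approximates the Java regex pass, so the point is the pattern logic, not Autopsy's exact Solr behaviour. It also goes one step beyond the page by adding a strict IPv4 pattern (octets limited to 0-255) for comparison; the sample strings are made up.

```python
import re

# Constructed sample text of the kind a keyword-search pass would see in
# indexed file content. Not real case data.
SAMPLES = [
    "set password=Hunter2 for svc_backup",
    "passwords.txt was copied to D:\\share",
    "beacon to 203.0.113.57:443 every 60s",
    "version 10.0.22621.1 build",
    "octets out of range 999.999.999.999 still match the loose pattern",
    "Q3_forecast.xlsx",
    "notes.pdf.bak",
]

# The three patterns from the cheat sheet, named for the report.
KEYWORDS = {
    "credential-word": r"password",
    "ipv4-loose": r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b",
    "office-ext": r"\.(docx|xlsx|pdf)$",
}

# Added for comparison: IPv4 with each octet limited to 0-255.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4_STRICT = rf"\b{OCTET}(?:\.{OCTET}){{3}}\b"


def check_keywords(patterns, samples):
    """Return {name: [matched samples]} per regex, case-insensitive like an
    Autopsy keyword list with the case-insensitive option ticked."""
    compiled = {n: re.compile(p, re.IGNORECASE) for n, p in patterns.items()}
    hits = {n: [] for n in patterns}
    for s in samples:
        for n, rx in compiled.items():
            if rx.search(s):
                hits[n].append(s)
    return hits


def ipv4_hits(samples, strict=False):
    """Distinct IPv4-looking tokens found with the loose or strict pattern."""
    rx = re.compile(IPV4_STRICT if strict else KEYWORDS["ipv4-loose"])
    return sorted({m.group(0) for s in samples for m in rx.finditer(s)})


if __name__ == "__main__":
    for name, matched in check_keywords(KEYWORDS, SAMPLES).items():
        print(f"{name}: {len(matched)} hit(s)")
        for m in matched:
            print("   ", m)
    print("loose :", ipv4_hits(SAMPLES))
    print("strict:", ipv4_hits(SAMPLES, strict=True))
```

Note that `notes.pdf.bak` is not matched by the extension pattern because of the `$` anchor, and the version string `10.0.22621.1` escapes the loose IP pattern only because one component has five digits; a four-component version like `10.0.2.1` would be a hit.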
Tips
- Always work on forensic copies, never original evidence.
- Enable Hash Lookup early: an NSRL (known-good) set hides stock OS and application files, a known-bad set flags notables, and the module records the MD5 you later compare against extracted copies.
- Large images: store case on fast SSD; ingest overnight.
- Pair with Velociraptor for enterprise hunt → Autopsy for deep dive on one host.
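Autopsy's Timeline view is built from the same per-file MACB timestamps that `fls -r -m / -o OFFSET image.e01 > body.txt` emits in Sleuth Kit bodyfile format. The script below is an added example (mine, not Autopsy's or Sleuth Kit's code) that parses a constructed bodyfile, collapses each file's four timestamps into `macb` flag strings the way `mactime` does, and prints a sorted, time-windowed timeline so you can see deleted entries and creation-before-modification ordering without the GUI. The sample lines and timestamps are invented.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed fls -m output (TSK bodyfile, 11 '|'-separated fields:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime). Not from a
# real image. fls appends "(deleted)" to the name of unallocated entries.
BODYFILE = """\
0|/Windows/System32/cmd.exe|5432-128-1|r/rrwxrwxrwx|0|0|289792|1700000000|1690000000|1690000000|1690000000
0|/Users/alice/Downloads/invoice.docx|9001-128-3|r/rrwxrwxrwx|0|0|48122|1700003600|1700003500|1700003500|1700003500
0|/Users/alice/AppData/Local/Temp/upd.exe (deleted)|9007-128-1|r/rrwxrwxrwx|0|0|204800|1700003700|1700003650|1700003650|1700003640
0|/Users/alice/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/upd.lnk|9010-128-1|r/rrwxrwxrwx|0|0|1162|1700003710|1700003710|1700003710|1700003710
"""


@dataclass
class Entry:
    name: str
    inode: str
    size: int
    atime: int
    mtime: int
    ctime: int
    crtime: int
    deleted: bool


def parse_bodyfile(text):
    """Parse bodyfile lines into Entry records."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        # Split from the right so a '|' inside a file name cannot shift the
        # numeric fields; MD5 and name are then separated from the head.
        tail = line.rsplit("|", 9)
        if len(tail) != 10:
            raise ValueError(f"malformed bodyfile line: {line!r}")
        _md5, name = tail[0].split("|", 1)
        inode, _mode, _uid, _gid, size, atime, mtime, ctime, crtime = tail[1:]
        entries.append(Entry(
            name=name, inode=inode, size=int(size),
            atime=int(atime), mtime=int(mtime), ctime=int(ctime), crtime=int(crtime),
            deleted="(deleted" in name,      # covers "(deleted)" and "(deleted-realloc)"
        ))
    return entries


def macb_events(entry):
    """One entry's timestamps as (ts, 'macb' flags) pairs, mactime-style.
    A zero timestamp means 'not set' and is dropped."""
    stamps = {"m": entry.mtime, "a": entry.atime, "c": entry.ctime, "b": entry.crtime}
    events = []
    for ts in sorted({t for t in stamps.values() if t}):
        flags = "".join(k if stamps[k] == ts else "." for k in "macb")
        events.append((ts, flags))
    return events


def timeline(entries, start=None, end=None):
    """Sorted rows (ts, flags, size, inode, name, deleted), optionally limited
    to the inclusive epoch-second window [start, end]."""
    rows = []
    for e in entries:
        for ts, flags in macb_events(e):
            if (start is None or ts >= start) and (end is None or ts <= end):
                rows.append((ts, flags, e.size, e.inode, e.name, e.deleted))
    return sorted(rows, key=lambda r: (r[0], r[4]))


def fmt(ts):
    """Bodyfile times are UTC epoch seconds; render them as such."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


if __name__ == "__main__":
    entries = parse_bodyfile(BODYFILE)
    # Window around the suspicious download (constructed times).
    for ts, flags, size, inode, name, deleted in timeline(entries, 1700003500, 1700003800):
        mark = " [deleted]" if deleted else ""
        print(f"{fmt(ts)}  {flags}  {size:>8}  {inode:<12} {name}{mark}")
```

Reading the window: the deleted `upd.exe` shows a `...b` (created) event ten seconds before its `m.c.` (written) event, then the Startup-folder `.lnk` appears with all four stamps equal; the same sequence is what you would tag in Autopsy's Timeline after filtering to file-system events. Treat `a` times with suspicion on Windows volumes where last-access updates are disabled.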