Autopsy

Autopsy is an open source digital forensics platform. It provides a graphical interface to The Sleuth Kit and other digital forensics tools and is able to analyse a wide range of data for different digital media including images of physical devices like hard drives, USB sticks and mobile devices. Its capabilities include file system analysis, recovery of deleted files, web artifact extraction including browser history, timeline analysis of events, keyword searching, and malware detection.

Personal Experience

I've primarily used the tool to read and recover data from images of physical devices and hard drives. With the aid of optional plugins the tool can also be used to analyse memory dumps.

Tools & Software Integrations

N/A

Resources

N/A

Notes and Troubleshooting

Enable Volatility Plugin for Memory Dump (.mem) Analysis

  1. Go to Tools > Plugins and enable the experimental module. 
  2. Create a new case.
  3. Select Add Data Source and choose the Memory Image File (Volatility) option.
  4. Select the .mem file when prompted. 
  5. Choose the analysis options and plugins you want to run:
    • consoles - displays the output from Autopsy tools and plugins for debugging.
    • hashdump - extracts password hashes from a system's SAM (Security Accounts Manager) and LSASS (Local Security Authority Subsystem Service) memory.
    • lsadump - used to dump credentials and password hashes from the LSASS process.
    • netscan - scans the network for connected devices and analyses network information.
    • pslist - provides a list of all running processes on the system when the image was created.
    • shellbags - registry keys that store information about which folders a user has opened and their settings.
    • userassist - tracks the executables and applications that a user has launched on the system.
  6. Start the analysis and wait for Autopsy to process the memory dump.
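Once the analysis finishes, the pslist output lands in Autopsy's results tree as a table of PID, PPID and image name. The script below, added here as an example and not part of Autopsy or Volatility, shows the parent-child triage an analyst typically applies to that table: it parses the tab-separated layout that Volatility 3's `windows.pslist` prints, then flags processes whose parent does not match a baseline, orphaned processes, and duplicate instances of processes that should exist only once. The sample rows, the baseline of expected parents and the function names (`parse_pslist`, `triage`) are constructed for this example; the baseline should be adjusted for the Windows version being examined.

```python
"""Parent-child triage of a Volatility pslist table (example code, not part of
Autopsy or Volatility). Sample rows and the expected-parent baseline are
constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample in the tab-separated column layout of Volatility 3
# ``windows.pslist``. Every value below is made up for this example.
SAMPLE_PSLIST = """\
Volatility 3 Framework 2.5.0

PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime
4\t0\tSystem\t0xfa8000c7c040\t87\t515\tN/A\tFalse\t2023-04-01 09:00:01.000000\tN/A
348\t4\tsmss.exe\t0xfa8001a3e040\t2\t29\tN/A\tFalse\t2023-04-01 09:00:02.000000\tN/A
440\t432\tcsrss.exe\t0xfa8001c31b30\t9\t412\t0\tFalse\t2023-04-01 09:00:05.000000\tN/A
488\t432\twininit.exe\t0xfa8001c3a060\t3\t77\t0\tFalse\t2023-04-01 09:00:05.000000\tN/A
584\t488\tservices.exe\t0xfa8001d2ab30\t8\t221\t0\tFalse\t2023-04-01 09:00:06.000000\tN/A
600\t488\tlsass.exe\t0xfa8001d2f9c0\t7\t590\t0\tFalse\t2023-04-01 09:00:06.000000\tN/A
1716\t2088\tlsass.exe\t0xfa8002a11b30\t2\t40\t1\tFalse\t2023-04-01 13:42:10.000000\tN/A
2088\t1920\texplorer.exe\t0xfa80021e4b30\t31\t870\t1\tFalse\t2023-04-01 09:01:30.000000\tN/A
2400\t2088\tsvchost.exe\t0xfa8002b77060\t4\t112\t1\tTrue\t2023-04-01 13:45:03.000000\tN/A
"""


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str          # image name, lower-cased for comparison
    session: str
    wow64: bool
    create_time: str


def parse_pslist(text: str) -> list[Proc]:
    """Parse pslist rows; banner, blank and header lines are skipped."""
    procs: list[Proc] = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 10 or not cols[0].isdigit():
            continue
        procs.append(Proc(int(cols[0]), int(cols[1]), cols[2].lower(),
                          cols[6], cols[7] == "True", cols[8]))
    return procs


# Assumed baseline of expected parents for core Windows processes.
EXPECTED_PARENT = {
    "smss.exe": "system",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}
# Processes that should exist exactly once on a healthy system.
SINGLE_INSTANCE = {"wininit.exe", "services.exe", "lsass.exe"}
# Children whose parent normally exits before the snapshot, so a missing
# parent PID is expected rather than suspicious.
ORPHAN_OK = {"csrss.exe", "wininit.exe", "winlogon.exe", "explorer.exe"}


def triage(procs: list[Proc]) -> list[tuple[int, str]]:
    """Return (pid, reason) findings; pid 0 marks a system-wide finding."""
    by_pid = {p.pid: p for p in procs}
    findings: list[tuple[int, str]] = []
    counts: dict[str, int] = {}
    for p in procs:
        counts[p.name] = counts.get(p.name, 0) + 1
        parent = by_pid.get(p.ppid)
        if parent is None:
            if p.ppid != 0 and p.name not in ORPHAN_OK:
                findings.append((p.pid, f"{p.name}: parent PID {p.ppid} not in list"))
            continue
        expected = EXPECTED_PARENT.get(p.name)
        if expected and parent.name != expected:
            findings.append((p.pid, f"{p.name}: parented by {parent.name} "
                                    f"(PID {parent.pid}), expected {expected}"))
    for name, n in counts.items():
        if name in SINGLE_INSTANCE and n > 1:
            findings.append((0, f"{n} instances of {name}"))
    return findings


if __name__ == "__main__":
    for pid, reason in triage(parse_pslist(SAMPLE_PSLIST)):
        print(f"PID {pid:>5}: {reason}")
```

On the constructed sample the script reports the second lsass.exe (PID 1716) and the svchost.exe (PID 2400) as children of explorer.exe rather than of wininit.exe and services.exe, and separately notes that lsass.exe appears twice. The same parent-child and instance-count checks are what an analyst applies by eye to the pslist table in Autopsy; the netscan and consoles outputs then help explain any flagged process.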