Analysis of Data Source Using Autopsy (original) (raw)

Last Updated : 28 Apr, 2026

The Sleuth Kit (TSK) is a collection of command-line tools used in digital forensics to analyze disk images, examine file systems, and recover deleted data without altering the original evidence. Autopsy provides a graphical interface for TSK, making analysis more accessible and efficient while preserving forensic integrity.

Supports file systems like NTFS, FAT, and EXT
Recovers deleted files and extracts hidden data
Provides timeline analysis of system activity
Enables keyword searching and indexing for faster investigations
Operates on disk images to maintain evidence integrity

Steps for Data Analysis Using Autopsy

Follow the below steps to do analysis of data using autopsy:

**1. Getting Started

Launch Autopsy
Create a new case by entering case details
Click Finish to initialize the investigation environment

Autopsy Tool

**2. Adding a Data Source

Autopsy supports multiple types of data sources:

**Disk Image / VM File: Exact copies of storage devices or virtual machines
**Local Disk: Hard drives, USB drives, memory cards
**Logical Files: Specific folders or files
**Unallocated Space Image: Raw data without a file system

Data Sources in autopsy tool

The data source used here is a disk image. Add the data source destination.

mantooth.E01 file

**3. Configuring Ingest Modules

Ingest modules define how the data will be analyzed. Selecting the right modules is critical for effective investigation.

configure ingest modules

**Important Ingest Modules

**Recent Activity: Tracks recently accessed files and operations
**Hash Lookup: Identifies known files using hash values
**File Type Identification: Detects files based on internal signatures
**Extension Mismatch Detector: Finds files with altered extensions
**Embedded File Extractor: Extracts hidden files (e.g., ZIP inside DOC)
**EXIF Parser: Retrieves image metadata (date, location, device)
**Keyword Search: Finds specific keywords or patterns
**Email Parser: Extracts data from email databases (PST/OST)
**Encryption Detection: Identifies encrypted or password-protected files
**Interesting File Identifier: Flags files based on custom rules
**Correlation Engine: Links related data across cases
**PhotoRec Carver: Recovers deleted files from unallocated space
**Virtual Machine Extractor: Detects and analyzes VM files
**Data Source Integrity: Verifies hash values for authenticity
**Plaso: Extracts timeline-based timestamps
**Android Analyzer: Analyzes Android-specific data

configure ingest modules

After selecting relevant modules, click Next and then Finish.

**Exploring the Data Source

Once ingestion is complete, Autopsy organizes data into structured views.

**Data Source Information

Displays metadata and technical details
Supports viewing in hex, metadata, and structured formats

data source information

**Partition Analysis

Disk images are divided into volumes/partitions
Each partition can be explored individually

data sources

Each volume can be browsed for its contents, results for which are displayed in the section at the bottom. For example, the content shown below belongs to Data Sources -> Mantooth.E01 -> MSOCache-> [Parent Folder].

MSOCache

**Views in Autopsy

**1. File Type View

Categorizes files based on type or MIME
Includes deleted files

File type view

**2. Deleted Files

Displays recoverable deleted files
**Recovery: Right-click → Extract File(s) → Save

deleted files view

**3. File Size View

Groups files by size (e.g., large files >50MB)
Helps identify suspicious or important files

**Note: It is usually advised to not scan or extract any suspected files/ disks such as payload files, etc. in the main system, rather scan them in safe environments such as a virtual machine, and then extract the data, as they hold the possibility of being corrupt and may infect the examiner's system with viruses.

**Results Section

The Results panel provides extracted and analyzed insights:

extracted content

**Key Artifacts

**EXIF Metadata: Image details like timestamp and geolocation
**Encryption Detection: Identifies protected files
**Extension Mismatch: Flags suspicious file types
**Installed Programs: Extracted from system registry
**OS Information: Details about the operating system
**Recent Documents: Recently accessed files
**Recycle Bin: Deleted but recoverable files
**USB Devices: External device usage history
**Web Activity: Cookies, browsing history, searches

Keyword Hints

**HashSet Hits: Here the search can be made using hash values.
**Email Messages: Here all the outlook.pst files can be explored.

e mail messages

**Interesting Items: As discussed before, these are the file results based upon the custom rules set by the examiner.
**Accounts: Here all the details regarding the accounts present on the disk are shown. This disk has the following email accounts.

accounts

**Reports: Reports about the entire analysis of the data source can be generated and exported in many formats.

reports configure reports reports excelsheey

**Advanced Features

**Multiple Data Sources: Add multiple disk images to a single case

additional features

**Media Analysis: View images and videos in gallery mode

additional images/videos

**Communications: All the communications made using the source device are displayed here. This device had communications only in the form of emails.

communications

**Geolocation: This window displays the artifacts that have longitude and latitude attributes as waypoints on a map. Here the data source has no waypoints.
**Timeline: Information about when the computer was used or what events took place before or after a given event can be found, this greatly helps in investigating events near about a particular time.

timeline

**Best Practices for Forensic Analysis

Always analyze disk images, not live systems
Use virtual machines for suspicious file analysis
Avoid opening unknown files on the main system
Validate evidence using hash verification
Use multiple ingest modules for comprehensive results