Update The Autopsy Forensic Browser (version 3.0.0b4)

Changes in version 3.0.0b4 (July 3, 2012)

New Features:

  • MBOX / Thunderbird parsing module
  • Better lnk file parsing

Bug Fixes:

  • Included needed jar file for Recent Activity (Issue #52).
  • Fixed error handling from ingest (Issue #53).

The Autopsy Forensic Browser is a graphical interface to The Sleuth Kit. Together, they can analyze Windows and UNIX disks and file systems (NTFS, FAT, UFS1/2, Ext2/3). Version 3.0 of Autopsy is a complete re-write and this page describes its features.

This release is for Windows only.

Concepts:
Database: Autopsy 3 stores all of its results in an embedded SQLite database. This database stays small because file content is not stored in it. This means that you get the benefits of having the data stored in a database without having to install a database or be a database administrator. The schema is documented on the wiki.

Ingest Modules: Autopsy 3 focuses on producing results fast. After the basic file system data is added to the database, multiple ingest modules run in parallel to start analyzing the data (screen shot). The ingest modules are part of a framework, and third-party developers can make their own custom ingest modules. Refer to the wiki page for the latest list of modules, but the basic version of Autopsy comes with ingest modules for:

  • Hash calculation and lookup
  • Keyword search
  • Recent user activity (web artifacts, recent documents, etc.)