Convert Figma logo to code with AI

sleuthkit logoautopsy

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.

2,390
595
2,390
360

Top Related Projects

1,719

Super timeline all the things

An advanced memory forensics framework

4,747

GRR Rapid Response: remote live forensics for incident response

Quick Overview

Autopsy is an open-source, digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer. Autopsy can be used to analyze disk images, perform file system analysis, and recover deleted files.

Pros

  • User-friendly graphical interface for digital forensics tasks
  • Extensible through modules, allowing for customization and additional functionality
  • Multi-user collaborative analysis support
  • Free and open-source, with a large community of contributors

Cons

  • Performance can be slower compared to some commercial alternatives
  • Limited built-in reporting capabilities
  • Steeper learning curve for advanced features and module development
  • Some features may require additional third-party tools or plugins

Getting Started

To get started with Autopsy:

  1. Download the latest version from the official website: https://www.autopsy.com/download/
  2. Install Autopsy following the instructions for your operating system
  3. Launch Autopsy and create a new case
  4. Add data sources (e.g., disk images, local drives) to your case
  5. Use the various analysis modules to examine the data
  6. Generate reports based on your findings

For developers interested in creating modules or contributing to Autopsy:

  1. Fork the GitHub repository: https://github.com/sleuthkit/autopsy
  2. Set up your development environment following the instructions in the README
  3. Familiarize yourself with the Autopsy architecture and API documentation
  4. Develop and test your modules or contributions
  5. Submit pull requests for review and integration into the main project

Competitor Comparisons

1,719

Super timeline all the things

Pros of Plaso

  • Highly flexible and extensible framework for parsing various log formats
  • Strong command-line interface for advanced users and automation
  • Supports a wide range of data sources and artifact types

Cons of Plaso

  • Steeper learning curve compared to Autopsy's GUI-based approach
  • Less user-friendly for beginners or those preferring graphical interfaces
  • May require more manual configuration and scripting for complex analyses

Code Comparison

Plaso (Python):

parser = argparse.ArgumentParser(description='Process some files.')
parser.add_argument('files', metavar='FILE', nargs='+', help='files to process')
args = parser.parse_args()
for file in args.files:
    process_file(file)

Autopsy (Java):

public class AutopsyModule extends IngestModuleFactory {
    @Override
    public IngestModule createIngestModule(IngestModuleIngestJobSettings settings) {
        return new CustomIngestModule();
    }
}

Both projects are open-source digital forensics tools, but they cater to different user needs. Plaso focuses on log parsing and timeline creation, offering a powerful command-line interface for advanced users. Autopsy provides a more comprehensive GUI-based forensic platform, making it more accessible to a broader range of users, including those with less technical expertise. While Plaso excels in flexibility and extensibility, Autopsy offers a more integrated and user-friendly experience for digital forensics investigations.

An advanced memory forensics framework

Pros of Volatility

  • Specialized in memory forensics, offering deep analysis of RAM dumps
  • Highly extensible with a robust plugin system
  • Command-line interface allows for easy scripting and automation

Cons of Volatility

  • Limited to memory analysis, lacking disk forensics capabilities
  • Steeper learning curve for beginners compared to Autopsy's GUI
  • Requires more manual configuration and command-line knowledge

Code Comparison

Volatility (Python):

import volatility.plugins.common as common
import volatility.utils as utils
import volatility.win32 as win32

class MyPlugin(common.AbstractWindowsCommand):
    def calculate(self):
        addr_space = utils.load_as(self._config)
        return win32.tasks.pslist(addr_space)

Autopsy (Java):

public class MyIngestModule implements FileIngestModule {
    @Override
    public ProcessResult process(AbstractFile file) {
        if (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.FS) {
            // Process file system artifact
        }
        return ProcessResult.OK;
    }
}

Volatility focuses on memory analysis with Python-based plugins, while Autopsy provides a broader forensics framework in Java with a user-friendly interface. Volatility excels in deep memory examination, whereas Autopsy offers a more comprehensive toolkit for digital forensics investigations.

4,747

GRR Rapid Response: remote live forensics for incident response

Pros of GRR

  • Designed for remote, enterprise-scale investigations
  • Supports live forensics and ongoing monitoring
  • Highly scalable and distributed architecture

Cons of GRR

  • Steeper learning curve and more complex setup
  • Requires more resources to run effectively
  • Less focus on disk forensics compared to Autopsy

Code Comparison

Autopsy (Java):

public class AutopsyCase {
    private SleuthkitCase caseDb;
    private String caseName;
    // ...
}

GRR (Python):

class GRRFlow(flow.GRRFlow):
    category = "/Collectors/"
    behaviours = flow.GRRFlow.behaviours + "ADVANCED"
    # ...

Key Differences

  • Autopsy is primarily a desktop application for disk forensics, while GRR is a distributed system for remote investigations
  • Autopsy offers a more user-friendly GUI, whereas GRR relies more on command-line interfaces and web-based dashboards
  • Autopsy is built on The Sleuth Kit framework, while GRR is a standalone platform developed by Google
  • GRR focuses on live system analysis and ongoing monitoring, while Autopsy excels in post-mortem disk analysis

Use Cases

  • Autopsy: Individual investigations, small-scale forensics, disk image analysis
  • GRR: Large-scale enterprise investigations, ongoing monitoring, remote live forensics

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Autopsy 4 http://www.sleuthkit.org/ March 15, 2016

OVERVIEW

Autopsy is a graphical interface to The Sleuth Kit and other open source digital forensics tools. Autopsy 3 was a complete rewrite from Autopsy 2 to make it Java-based. Autopsy 4 improves on Autopsy 3 by supporting collaboration on a single case by multiple users.

Although Autopsy is designed to be cross-platform (Windows, Linux, MacOSX), the current version is fully functional and fully tested only on Windows. We have run it on XP, Vista, and Windows 7 with no problems.

Autopsy 4 is released under the Apache 2.0 license. Some libraries Autopsy uses may have different, but similar, open source licenses.

INSTALLATION

For a Windows installation, all Autopsy dependencies are bundled with the installer provided. There is no need for manual installation of additional dependencies if the Windows installer is used.

If you want the Japanese localized version, you must have the Japanese language pack (http://support.microsoft.com/kb/972813) installed and the default locale set to JA. (http://windows.microsoft.com/en-us/windows/change-system-locale#1TC=windows-7).

SUPPORT

There is a built-in help system in Autopsy once you get it started. There is also a QuickStart Guide that comes with the installer.

Send any bug reports or feature requests to the sleuthkit-users e-mail list. http://www.sleuthkit.org/support.php

LICENSE

The Autopsy code is released under the Apache License, Version 2. See LICENSE-2.0.txt for details.

EMBEDDED SOFTWARE

This section lists the software components and libraries that are used by Autopsy. These tools are bundled with the Windows installer, unless specified otherwise.

JRE (Java Runtime Environment) 17

Netbeans 15 RCP platform and .jar files bundled with the platform

Sleuth Kit for analyzing disk images.

Libewf for opening E01 files

zlib for opening E01 files

Solr (including Lucene and TIKA) for keyword search

GStreamer for viewing video files

GStreamer 1.x Java Core for viewing video files

Regripper for pulling recent activity (Including custom plugins)

Pasco2 for pulling Internet Explorer activity

Jericho for extracting content from HTML files

Advanced installer 9 (Freeware) (not embedded in Autopsy, but used to generate Autopsy installer.)

Metadata Extractor 2.6.2 for extracting Exif metadata

Reflections 0.9.8 for ingest module loading

Sigar for process monitoring

7Zip and 7Zip java bindings for 7Zip extractor module

ImgScalr 4.2 for image resizing in image viewers

ControlsFX JavaFX GUI library

JFXtras JavaFX GUI library

Mustache.java templating system

Joda-Time date and time library

TwelveMonkeys ImageIO plugins

EMBEDDED RESOURCES

This section lists other resources, such as icons, that are used by Autopsy.

FAMFAMFAM Silk Icons v1.3

Fugue Icons v3.5.6

WebHostingHub Glyphs

Splashy Icons (free as in free)