Hello aspiring Cyber Forensic Investigators. In our previous blogpost, you learnt in detail about Computer Forensics. In this article, you will learn about one of the tools mentioned in that article, Autopsy. In the world of digital forensics, investigators rely on powerful tools to uncover hidden evidence, reconstruct user activity and understand what really happened on a device. While many enterprise-grade forensics suites come with hefty price tags, one tool stands out as both free and incredibly capable: Autopsy. Built on top of The Sleuth Kit (TSK), Autopsy delivers a graphical and user-friendly interface that transforms complex forensic tasks into something really simple, even for beginners.

What exactly is Autopsy?

Autopsy is an open-source digital forensics platform designed to examine hard drives, memory cards, mobile phones and disk images. It takes the raw power of TSK which is an industry-standard command-line forensics engine and wraps it in a clean graphical interface with modules, dashboards, timelines and reporting features. The result is a forensic workbench that feels modern, intuitive and surprisingly powerful for a free tool. Law enforcement agencies, cybersecurity teams and researchers around the world use Autopsy for investigations ranging from cybercrimes and fraud to incident response and breach analysis. But its ease of use also makes it perfect for students and cybersecurity beginners.

Why Autopsy is so popular?

Autopsy gained massive popularity in computer forensic investigations because it strikes a rare balance: it’s completely free yet rivals the functionality of expensive commercial tools. Here’s why investigators and analysts love it:

1. A User-Friendly GUI for Sleuth Kit

TSK is excellent but it’s all command-line. Autopsy brings visual clarity with:

• A clear file explorer
• Tabs for artifacts and timelines
• Keyword search windows
• Convenient reporting options

For beginners, this alone is a game-changer.

2. Built-In Forensics Modules

Autopsy includes modules for:

• File recovery
• Web browser artifact extraction
• Email parsing
• Registry analysis
• Keyword indexing
• Hash set matching
• EXIF and image metadata

You simply check the modules you want to enable for each case.

3. Enterprise-Level Features Without the Cost

Autopsy supports:

• Case management
• Multi-user collaboration
• Timeline analysis
• Hash databases (like NSRL)
• Custom ingest modules

These features make it scalable from classroom use to real-world investigations.

How Autopsy works?

Autopsy uses a workflow which is same in professional forensic processes.

Step 1: Create a Case

You start by giving a name to your investigation, setting a folder for output and adding case details.

Step 2: Add Data Sources

Next step is to add the forensic image on which you want to perform your investigation. Autopsy can ingest:

• Disk images in various formats (.dd, .img, .E01)
• Physical drives
• Memory dumps
• Logical folders
• Mobile phone extractions (via modules)

Step 3: Enable required modules

This determines what Autopsy scans for. For example:

• File Analysis: lists, categorizes and recovers files
• Web Artifacts: extracts browsing histories and cookies
• Keyword Search: finds specific words or patterns
• Hash Lookup: matches known-good or known-bad files

Step 4: Review Findings

Results appear in categories such as:

• Recent documents
• Web activity
• Installed programs
• User accounts
• Images and media
• Deleted items

You can pivot into deeper analysis, open files in viewers, inspect metadata and even bookmark evidence.

Step 5: Generate a Report

Autopsy exports clean reports in various formats like HTML, CSV and Excel, perfect for documenting conclusions in a professional investigation.

A Beginners Lab

Let’s now see the working of Autopsy practically. For this, we need a forensic image and we will use an Encase Image provided by CFReDS, a portal that provides documented digital forensic images and datasets for use in the digital forensics community. The image we are using Autopsy is of a Dell Latitude laptop named “Hacking Case” that can be downloaded from here. You need to download two Encase Images. The two images we are looking for are,

https://cfreds-archive.nist.gov/images/4Dell%20Latitude%20CPi.E01
https://cfreds-archive.nist.gov/images/4Dell%20Latitude%20CPi.E02

Here is a feel real back story about this forensic image.

“On 09/20/04, a Dell CPi notebook computer, serial # VLQLW, was found abandoned along with a wireless PCMCIA card and an external homemade 802.11b antennae. It is suspected that this computer was used for hacking purposes, although cannot be tied to a hacking suspect, G=r=e=g S=c=h=a=r=d=t. (The equal signs are just to prevent web crawlers from indexing this name; there are no equal signs in the image files.) Schardt also goes by the online nickname of “Mr. Evil” and some of his associates have said that he would park his vehicle within range of Wireless Access Points (like Starbucks and other T-Mobile Hotspots) where he would then intercept internet traffic, attempting to get credit card numbers, usernames & passwords. Find any hacking software, evidence of their use, and any data that might have been generated. Attempt to tie the computer to the suspect, G=r=e=g S=c=h=a=r=d=t. A DD image and a EnCase image of the abandoned computer have already been made.”

The mission for us is to analyze this Encase Image and answer around 20 questions that solve this case. The questions are also provided by the same people who provided this “Hacking Case” to us. Let’s start analyzing this image and solve the case. Once the program is installed, open it and click on “New Case”.

Give a name to the case. We have named it “Hacking_Case”.

Assign a number to the case and provide the name of the Forensic investigator. Our case number is 00 and the investigator is Luke_Reckah.

Next, select the type of source. Select “Disk Image”.

Select the Data Source. Select the first part of the Encase image downloaded.

Next, select all the ingest modules you want to run. Ingest modules are all the tests that can be run on the image to gather information about it. These ingest modules include tests like hash lookup, email parsing etc. We selected all for this.

Autopsy will start analyzing the image. It may take some time to completely analyze the image. However, it will start displaying findings as soon as it finds them. Let the image analysis finish.

After the image analysis is finished, all the extracted information can be found on the left side of the program window.

It’s time to start answering questions related to the case now.

1. What is the image hash? Does the acquisition and verification hash match?

In Digital Forensics, as soon as a image is acquired to perform analysis on it, a hash is calculated to check if the file integrity is intact and not compromised. If the acquisition and verification hash do not match, it means our forensic analysis has changed the image which is not at all intended. The image hash is “AEE4FCD9301C03B3B054623CA261959A”. It is found in the File Meta data section.

2. What operating system was used on the computer?

The operating system information can be found in the “Operating System Information” of the extracted content.

The operating system being used by this laptop is Windows XP.

3. Who is the registered owner?

The information about the registered owner of the computer is found in the same operating system info section in extracted content.

The name of the owner of this computer is “Greg Schardt”.

4. When was the install date?

The installation date can be found in the same operating system info section just below the OS information.

The OS on the computer was installed on 19-08-2004 22:48:27.

5. What is the computer account name?

The computer account name on this computer is found in the same section.

The computer account name is N-1A9ODN6ZXK4LQ.

6. How many user accounts are recorded?

The information about the user accounts is found in the “Operating System User Account” section.

There are total five user accounts on the target computer. They are Administrator, Mr. Evil, SUPPORT_388945a0, Guest and HelpAssistant.

7. What is the account name of the user who mostly uses the computer?

 In the same section as above, the count section shows how many times the user logged in.

The user Mr. Evil has logged in 15 times while the others didn’t even log in once. So, Mr. Evil is the user who mostly uses the computer.

8. Who was the last user to logon to the computer?

The information about the last user to logon to this computer can be found from the Date accessed column of the user account.

The last user to logon to this computer is Mr. Evil.

9. Find 6 installed programs that may be used for hacking?

The programs installed on the computer system can be found out from the “Installed programs” section of the extracted content.

There are total 32 programs installed on the computer and from them, there are seven programs that can be used for hacking. They are Ethereal 0.10.6 v.0.10.6, Network Stumbler 0.4.0, Look@LAN 2.50 Build 29, 123 Write All Stored Passwords, CuteFTP, Cain & Abel v2.5 beta45 and Anonymizer Bar 2.0.

10. Perform a Anti-Virus check. Are there any viruses on the computer?

Malicious files (if any), are found in the “Interesting Items” section of the extracted content.

There is one malware file present on the computer system. It is a zip bomb.

11. When was the last recorded computer shutdown date/time?

The last recorded shutdown date and time can be found out in the following file in Windows. 

“C:\WINDOWS\system32\config\software\Microsoft\WindowNT\CurrentVersion\Prefetcher\ExitTime”

The shutdown date and time is 2004/08/27 10:46:27.

12. List the network cards used by this computer?

The information about the network cards on this computer can be found in the Windows file   “C:\WINDOWS\system32\config\software\Microsoft\WindowNT\CurrentVersion\NetworkCards”

There are two network cards on this system. One is a Compaq WL 110 Wireless LAN PC Card and another is Xircom CardBus Ethernet 100 + Modem 56 (Ethernet Interface).

13. A search for the name of “G=r=e=g S=c=h=a=r=d=t” (The equal signs are just to prevent web crawlers from indexing this name; there are no equal signs in the image files) reveals multiple hits. One of these proves that G=r=e=g S=c=h=a=r=d=t is Mr. Evil and is also the administrator of this computer. What file is it? What software program does this file relate to?

The file that reveals all this information is “C:\Program Files\Look@LAN\irunin.ini”

This file belongs to the program Look@LAN.

14. This time file reports the IP address and MAC address of the computer. What are they?

The IP address of this machine is 192.168.1.111 and the MAC address is 0010a4933e09. The LAN user is Mr. Evil. This confirms that Mr. Evil and Greg Schardt are one and the same.

15. An internet search for vendor name/model of NIC cards by MAC address can be used to find out which network interface was used. In the above answer, the first 3 hex characters of the MAC address report the vendor of the card. Which NIC card was used during the installation and set-up for LOOK@LAN?

Media Access Control (MAC) address or the physical address is a 12 digit hexadecimal number hardcoded to the NIC card. The first 3 hexadecimal characters reveal the vendor of the NIC card. There are many websites which offer this service of knowing the vendor of the NIC card. Pasting the MAC address of the computer reveals the vendor.

The Vendor of this NIC card is XIRCOM.

16. What is the SMTP email address for Mr.Evil?

SMTP or Simple Mail Transfer Protocol is a protocol used to send emails. The SMTP email address if present on the system can be found in “C:\Program Files\Agent\Data\AGENT.INI file“.

The SMTP email address is “whoknowsme@sbcglobal.net”.

17. What are the NNTP (News Server) settings for Mr.Evil?

This information can be found in the same file as above.

The news server being used is “news.dallas.sbcglobal.net”.

18. What two installed programs show this information?

We searched for local settings of all programs and found the information about this news server in the local settings of Outlook Express.

We found this information in the “Documents and settings” file (and above shown path) of user Mr. Evil.

19. List 5 newsgroups that Mr.Evil has subscribed to?

We can find this information in the same file as above.

User Mr. Evil subscribed to over 23 news groups. The news groups subscribed by the user Mr. Evil are,

1. Alt.2600.phreakz  2. Alt.2600  3. Alt.2600.cardz    4. Alt.2600codez  5. Alt.2600.crackz   6. Alt.2600.moderated  7. Alt.binaries.hacking.utilities 8. Alt.stupidity.hackers.malicious   9. Free.binaries.hackers.malicious   10. alt.nl.binaries.hack   11. Free.binaries.hacking.talentless.troll_haven   12. alt.hacking 13. free.binaries.hacking.beginner  14. alt.2600.programz   15. Free.binaries.hacking.talentless.troll-haven   16. alt.dss.hack   17. free.binaries.hacking.computers   18. free.binaries.hacking.utilities 19. alt.binaries.hacking.websites   20. alt.binaries.hacking.computers   21. alt.binaries.hacking.websites  22.           alt.binaries.hacking.beginner   23. alt.2600.hackerz

20. A popular IRC (Internet Relay Chat) program called MIRC was installed. What are the user settings that were shown when the user was online in a chat channel?

We can find this information in the .ini file of the installed program MIRC. The path to this program is in “C:\Program Files\mIRC\mirc.ini”

The user settings that were shown when the user was online and in a chat channel are                        
user = Mini Me                        
email = none@of.ya                        
nick = Mr                         
anick = mrevilrulez

21. This IRC program has the capability to log chat sessions. List 3 IRC channels that the user of this computer accessed?

This information can be accessed from C:\Program Files\mIRC\logs file.

The IRC channels that this user accessed are          
Ushells.undernet.log                                             
Elite.hackers.undernet.log          
Mp3xserv.undernet.log                                         
Chataholics.undernet.log          
Cybercafé.undernet.log                                         
M5tar.undernet.log          
Thedarktower.afternet.log                                     
Funny.undernet.log          
Luxshell.undernet.log                                            
Evilfork.efnet.log          
Iso-warez.efnet.log                                                
Houston.undernet.log

22. Ethereal, a popular “sniffing” program that can be used to intercept wired and wireless internet packets was also found to be installed. When TCP packets are collected and re-assembled, the default save directory is that users\My Documents directory. What is the name of the file that contains the intercepted data?

After going through the Documents folder, we found the file that contains the intercepted data. It’s name is “interception”.

23. Viewing the file in a text format reveals much information about who and what was intercepted. What type of wireless computer was the victim (person who had his internet surfing recorded) using?

Viewing the file “interception” in text format revealed that the victim was using Windows CE Pocket PC wireless computer.

24. What websites was the victim accessing?

Even this information can be obtained from the same file “interception” which is a packet capture file. We found two websites the victim was accessing, Mobile.msn.com and MSN Hotmail Email.

25. Yahoo mail, a popular web based email service, saves copies of the email under what file name?

Yahoo mail saves copies of email under the file name “ShowLetter[1].htm” which is in the temporary internet files folder of the user’s “Documents and Settings”.

26. Search for the main user’s web based email address. What is it?

This information can be found out in the same file. The main user’s web based email address is “mreveilrulez@yahoo.com”.

27. How many executable files are in the recycle bin?

The contents in the Recycle bin can be found in the RECYCLER folder.

There are in total four executable files in the Recycle bin.

28. Are these files really deleted?

As most of our readers already know, the files that go to the Recycle Bin are not permanently deleted. They are only deleted temporarily and can be restored easily to their actual location in Windows.

29. How many files are actually reported to be deleted by the file system?

This information can be found out from the INFO2 file.

The actual files deleted are three.

On being asked to find out any evidence that this laptop was used for hacking, we found in our forensic investigation that this laptop belonged to Greg Schardt who also has a online persona “Mr. Evil”. We found his operating system as Windows XP and he was running Ethereal, a packet interception program to capture network traffic. Apart from Ethereal, his system had six other programs which were used for hacking. He was active among many hacking related IRC channels and NEWS groups. Corroborating this evidence with what his associates said about him, we can come to a conclusion that this laptop belonged to Greg Schardt and he was involved in hacking activities. This case can be closed now. Read how to perform forensics on a PDF File.