Autopsy
A practical guide to the GUI-based digital forensics platform for incident response and evidence analysis.
Autopsy is a powerful open-source digital forensics tool used by law enforcement, incident responders, and cybersecurity analysts to investigate and analyze digital evidence. Built on top of The Sleuth Kit (TSK), Autopsy provides a user-friendly graphical interface for examining hard drives, memory dumps, mobile data, and other digital artifacts, making it a go-to solution for both professional investigations and training environments.
Whether you’re analyzing a compromised system, recovering deleted files, or tracing insider threats, Autopsy offers a robust and extensible platform to support comprehensive forensic workflows.
What Autopsy Does
Autopsy allows analysts to ingest and examine disk images, live data, and logical filesystems to uncover evidence of unauthorized activity, malware, or insider misconduct. It automates many common forensic tasks, such as timeline creation, hash matching, keyword search, and file recovery, while also offering advanced modules for memory analysis, email parsing, EXIF metadata extraction, and mobile device forensics.
Autopsy supports both structured investigations and exploratory forensics, providing detailed visibility into user activity, system events, and hidden artifacts.
Key Features of Autopsy
Graphical User Interface (GUI)
User-friendly, intuitive interface for navigating evidence, timelines, file systems, and forensic modules.
File System Analysis
Examine NTFS, FAT, EXT, HFS+, APFS, and other common file systems to recover deleted, hidden, or fragmented files.
Timeline Analysis
Correlate file activity, event logs, web history, and user behavior in chronological order to reconstruct incident timelines.
Keyword Search and Regular Expressions
Search disk images and artifacts for specific terms, patterns, or sensitive data (e.g., PII, credentials).
Hash Set Comparison
Compare files against known good or bad hash databases (e.g., NSRL, custom blacklists) to flag suspicious or malicious content.
Email and Web Artifact Recovery
Extract and analyze emails, browser history, downloads, cookies, and cached files from common applications.
Multi-User Case Management
Supports collaborative investigations with role-based access and shared evidence repositories.
Module-Based Extensibility
Extend Autopsy’s functionality with built-in and third-party modules for mobile device analysis, memory forensics, registry parsing, and more.
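The hash set comparison feature above, worked through as an added example (not Autopsy's own code): it loads a constructed NSRL-style known-good set and a constructed one-hash-per-line notable set, hashes every file in an extracted evidence tree, and labels each file known, notable, or unknown, which is the same triage Autopsy's hash lookup performs. All file names, contents and hashes are constructed; giving a notable match priority over a known-good match is this example's choice.

```python
import csv
import hashlib
import tempfile
from pathlib import Path

# Constructed NSRL RDS-style known-good set (legacy NSRLFile.txt column layout; one row).
NSRL_TEXT = (
    '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"\n'
    '"A9993E364706816ABA3E25717850C26C9CD0D89D","900150983CD24FB0D6963F7D28E17F72",'
    '"352441C2","abc.txt","3","1","189",""\n'
)
# Constructed notable (known-bad) set: one MD5 per line, '#' comments allowed.
NOTABLE_TEXT = "# constructed sample hash, not a real indicator\n5eb63bbbe01eeed093cb22bb8f5acdc3\n"

# Constructed evidence tree: relative path -> file content.
SAMPLE_FILES = {
    "Windows/abc.txt": b"abc",                          # MD5 is in the NSRL set -> known
    "Users/dropper.bin": b"hello world",                # MD5 is in the notable set -> notable
    "Users/notes.txt": b"constructed unknown content",  # in neither set -> unknown
}

def load_nsrl(text):
    """Return lowercase MD5 values from NSRL-format CSV text."""
    return {row["MD5"].lower() for row in csv.DictReader(text.splitlines())}
def load_hash_list(text):
    """Return lowercase hashes from a one-hash-per-line list, skipping blanks and comments."""
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}
def file_md5(path, chunk=1 << 20):
    h = hashlib.md5()  # streamed so large evidence files need not fit in memory
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()
def classify(path, known_good, notable):
    """A notable match wins over known-good, so a listed-bad file is never filtered out."""
    digest = file_md5(path)
    return "notable" if digest in notable else "known" if digest in known_good else "unknown"
def triage(root, known_good, notable):
    """Walk an extracted evidence tree (a Path) and map each relative path to its verdict."""
    return {p.relative_to(root).as_posix(): classify(p, known_good, notable)
            for p in sorted(root.rglob("*")) if p.is_file()}
def demo():
    """Write the constructed tree to a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as d:
        for rel, data in SAMPLE_FILES.items():
            (Path(d) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(d) / rel).write_bytes(data)
        return triage(Path(d), load_nsrl(NSRL_TEXT), load_hash_list(NOTABLE_TEXT))
```

In a real case the known-good set filters operating-system and application files out of review, while the notable set is what raises an alert; an "unknown" verdict is neither cleared nor flagged and still needs analyst attention.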
Advanced Use Cases
Incident Response and Breach Investigation
Examine endpoints to detect persistence mechanisms, data exfiltration, malware, and lateral movement artifacts.
Law Enforcement and Legal Forensics
Conduct full forensic investigations with court-admissible evidence, chain of custody tracking, and comprehensive reporting.
Insider Threat Detection
Identify unauthorized file access, USB usage, or tampering based on system activity and metadata.
Mobile Forensics
Analyze Android and iOS device images for messages, call logs, location data, and app activity.
Security Education and Training
Used in digital forensics courses and labs to teach evidence handling, file recovery, and investigative methodology.
Latest Updates
Recent improvements to Autopsy include:
New data carving engine for improved file recovery
Support for APFS and advanced macOS artifacts
Updated Android and iOS parsers for mobile device analysis
Faster keyword indexing and search performance
Integration with Python-based modules and external analysis tools
Why It Matters
In modern investigations, digital evidence is often the key to understanding and prosecuting cybercrimes, data breaches, or insider threats. Autopsy simplifies the process by delivering powerful forensic capabilities in a visual, accessible format, helping analysts uncover hidden data, trace malicious behavior, and build defensible timelines. Whether used in a SOC, crime lab, or classroom, Autopsy is a trusted platform for deep digital investigations.
Requirements and Platform Support
Autopsy runs on:
Windows (officially supported)
Linux and macOS (with manual setup and limited support)
It requires:
Java Runtime Environment (JRE 8 or higher)
Sufficient disk and memory for large case files
Administrative privileges to install and analyze disk images
Compatible evidence formats (e.g., E01, AFF, RAW images, logical file sets)
Autopsy is open-source and available for free at https://www.autopsy.com, with extensive documentation, video tutorials, plugin libraries, and community support through The Sleuth Kit ecosystem.