Chapter 8. Autopsy – The Sleuth Kit
Autopsy and The Sleuth Kit go hand in hand. Both were created by Brian Carrier. The Sleuth Kit is a powerful suite of CLI forensic tools, whereas Autopsy is the GUI that sits on top of The Sleuth Kit and is accessed through a web browser. The Sleuth Kit supports disk image file types including RAW (DD), EnCase (.E01), and Advanced Forensic Format (AFF).
The Sleuth Kit uses command-line interface tools to perform the following tasks:
- Find and list allocated and unallocated (deleted) files, and even files hidden by rootkits
- Reveal NTFS Alternate Data Streams (ADS) where files can be concealed within other files
- List files by type
- Display metadata information
- Timeline creation
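The last two tasks in this list are usually done together: `fls -m` writes one body-file record per file (allocated and deleted, ADS included), and `mactime` turns those records into a sorted MACB timeline. As an added example that is not code from the book or from The Sleuth Kit, the Python below reproduces that second step; it assumes the TSK 3.x body-file column layout, and the records it processes are constructed sample input rather than output from a real image.

```python
"""Build a mactime-style timeline from Sleuth Kit body-file records (fls -m output)."""
from datetime import datetime, timezone

# Body-file layout written by `fls -m` and consumed by `mactime` (TSK 3.x):
#   MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
# The records below are constructed sample input, not taken from a real image.
SAMPLE_BODY = """\
0|/Users/alice/notes.txt|48-128-1|r/rrwxrwxrwx|0|0|1024|1609459200|1609459100|1609459100|1609455600
0|/Users/alice/notes.txt:hidden|48-128-4|r/rrwxrwxrwx|0|0|512|1609459200|1609459150|1609459150|1609459150
0|/Users/alice/secret.docx (deleted)|51-128-1|r/rrwxrwxrwx|0|0|20480|1609462800|1609462800|1609462800|1609459300
0|/Windows/Temp/x.tmp (deleted-realloc)|77-128-2|r/rrwxrwxrwx|0|0|0|1609466400|1609466400|1609466400|1609466400
"""

def parse_body_line(line):
    """Parse one record; flag deleted files and NTFS alternate data streams."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 11:
        raise ValueError(f"expected 11 fields, got {len(fields)}: {line!r}")
    name = fields[1]
    # fls appends " (deleted)" or " (deleted-realloc)" to unallocated entries.
    deleted = " (deleted" in name
    path = name.split(" (deleted")[0]
    # An ADS is listed as file:stream; look for ':' in the last path component
    # only, so a mount-point prefix such as C:/ is not mistaken for a stream.
    is_ads = ":" in path.rsplit("/", 1)[-1]
    return {"path": path, "inode": fields[2], "size": int(fields[6]),
            "deleted": deleted, "ads": is_ads,
            "atime": int(fields[7]), "mtime": int(fields[8]),
            "ctime": int(fields[9]), "crtime": int(fields[10])}

def build_timeline(body_text):
    """Return sorted (UTC time, MACB flags, label) rows, one per distinct timestamp per file."""
    rows = []
    for line in body_text.splitlines():
        if not line.strip():
            continue
        rec = parse_body_line(line)
        by_time = {}
        for key, letter in (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b")):
            by_time.setdefault(rec[key], set()).add(letter)
        label = rec["path"] + (" (deleted)" if rec["deleted"] else "") + (" [ADS]" if rec["ads"] else "")
        for ts, letters in by_time.items():
            flags = "".join(l if l in letters else "." for l in "macb")
            stamp = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
            rows.append((stamp, flags, label))
    return sorted(rows)

if __name__ == "__main__":
    for stamp, flags, label in build_timeline(SAMPLE_BODY):
        print(stamp, flags, label)
```

Each row carries the same `macb` flag string `mactime` prints, so a file modified and created in the same second shows as `m.cb` on one line rather than as two entries.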
Autopsy can be run from a Live CD/USB in forensic mode as part of a live analysis (live mode), or it can be run on a dedicated machine to perform post-mortem analysis of an acquired image (dead mode).
The topics that we will cover in this chapter include the following:
- A sample image file used in Autopsy
- Digital...