Autopsy
GUI digital forensics platform built on The Sleuth Kit.
Why use it
Autopsy is the open-source disk forensics tool you actually want to learn on. It carves files, parses the Windows registry, recovers browser history, and timelines events — all from a friendly Java GUI.
What you get
- Disk image and live system analysis
- Browser history, registry, recent documents, USB device history
- Timeline view across all artefacts
- Keyword search and indexed text
- Hash sets (NSRL, custom) for filtering known files
System requirements
| Requirement | Minimum |
|---|---|
| CPU | 4 cores |
| RAM | 8 GB+ |
| Disk | 100 GB+ for cases |
| OS | Windows (best), Linux, macOS |
| Docker | No |
Installation
Download from autopsy.com/download. On Windows, run the installer. On Linux, `sudo apt install autopsy` gives you the older v2; for v4, build from source. Open Autopsy → Create New Case → Add Data Source.
Suggested configuration
Add the NSRL hash set to dramatically reduce noise — known-good OS files get filtered out. Enable only the ingest modules you actually need (PhotoRec carving slows things down). Save case files to a fast NVMe disk; Autopsy is I/O bound.
Integration ideas
- Export findings as case notes to TheHive
- Use Volatility plugins for memory-side analysis
Alternatives
- X-Ways Forensics — industry standard, but commercial.
- CAINE — Forensic Linux distro that bundles Autopsy + others.
Cyentrix verdict
The right starting point for disk forensics learning. Free, well-documented, plenty of tutorials — and good enough for real cases.