
πŸ› οΈ Creating a New Case and Adding a Data Source in Autopsy – Step-by-Step with Full Explanation


🧭 Introduction – Why Autopsy?

Autopsy is a free and open-source tool for digital evidence analysis. It is considered one of the most capable free alternatives to commercial tools such as:

  • FTK – AccessData's commercial analysis suite. Its companion FTK Imager is free, but it only acquires and previews images; full analysis needs the paid product.

  • EnCase and X-Ways – Powerful but expensive tools.

💡 Advantages of Autopsy:

  • Easy graphical user interface (GUI).

  • Multi-type analysis (images, registry, browser data, deleted files, etc.).

  • Available on Windows, Linux and macOS (the Windows installer is the easiest to set up).


🧱 Understanding the Case Concept in Autopsy

Every investigation in Autopsy begins by creating a Case.

✅ Why Do We Need a Case?

  • Autopsy creates a dedicated database for each case (a local SQLite file, autopsy.db, for a single-user case; a PostgreSQL database for a multi-user case).

  • That database, together with the case folder, stores:

    • Evidence (the data sources you add)

    • Analysis results (the artifacts produced by the ingest modules)

    • Final reports


πŸ“ Step 1: Create a New Case

When launching Autopsy:

  1. Click on Create New Case.

  2. Enter the following details:

    • Case Name – Name of the case (e.g., Missing_Person)

    • Base Directory – Location where the case folder and database will be stored

    • Case Type – Single-user (local database, the default on a workstation) or Multi-user (shared PostgreSQL server)

    • Case Number – Unique identifier; the date or your lab's ticket number works well

    • Examiner Name – Name of the analyst or investigator

    • Organization Name – Name of the organization (if applicable)

📌 Tip: Use structured and numbered case names to simplify future archiving.


🧩 Step 2: Add Data Source

💡 What is a Data Source?

It's the source that contains the data to be analyzed, such as:

  • Disk image

  • Logical files

  • Mobile dump

🧷 Types of Data Sources You Can Add:

  • Disk Image or VM File – A full disk image (raw/dd, E01) or a virtual machine disk (VMDK, VHD)

  • Local Disk – A physical drive attached to the examiner's machine (always behind a hardware write-blocker)

  • Logical Files – Individual files or folders

  • Unallocated Space Image File – A file containing only the unallocated blocks of a volume, to be carved for deleted data

  • Autopsy Logical Imager Results – The sparse image and file set produced by Autopsy's Logical Imager tool (only the selected files are present, not the whole disk)

📌 Very Important Note:

  • You must know what kind of data you have before you start: is it a full disk image, a partial (logical) acquisition, or just loose files? Choosing the wrong type means the file system will not be parsed and deleted files will not be recovered.

πŸ” Step 3: Define the Host

The Add Data Source wizard also asks which Host the data source belongs to (the device from which the data was acquired):

  • This can be:

    • A computer

    • A smartphone

    • An IoT device

  • Give it a clear name (e.g., Laptop_MissingPerson). If several images come from the same device (for example a system drive and a data drive), attach them to the same host.

📌 Important Forensics Note: Each analyzed device is represented as a Host in Autopsy, which helps with documentation and evidence-device association.


🕓 Step 4: Set Time Zone

This setting is critically important!

❗ Why Is This Important?

Most digital artifacts (logs, registry, browsers…) include timestamps. Some formats store them in UTC (for example NTFS timestamps), but others store the machine's local wall-clock time with no zone attached (for example FAT timestamps and many application logs). Setting the correct time zone is what lets Autopsy place the second kind on the same, accurate timeline as the first.

For example:

  • When was a file opened?

  • When did the user visit a site?

  • When was a USB connected?

🧠 Forensics Tip: Always document the time zone the system or user was operating in. On Windows it is recorded in the SYSTEM registry hive under ControlSet\Control\TimeZoneInformation, which Autopsy also parses. An incorrect time zone shifts every local-time artifact by hours and may lead to inaccurate analysis.
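As an added illustration (example code written for this page, not Autopsy's own code), the snippet below decodes the two timestamp formats described above for one constructed event: a file written at 14:30:00 local time on 2024-07-04 on a machine set to America/New_York. The NTFS FILETIME is stored in UTC, so the case time zone only changes how it is displayed; the FAT date/time is stored as local time with no zone, so assuming the wrong case time zone silently moves that event on the timeline. The FILETIME and FAT words are constructed from that scenario.

```python
"""Why the case time zone matters: UTC-stored vs local-stored timestamps.

Added example, not Autopsy code. Constructed scenario: one event at
14:30:00 local time on 2024-07-04 on a machine whose zone was America/New_York.
"""
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(filetime):
    """NTFS/Windows FILETIME: 100-ns ticks since 1601-01-01, always UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def utc_to_filetime(dt_utc):
    """Inverse of filetime_to_utc, used here to build the sample value."""
    return ((dt_utc - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def fat_to_local(date_word, time_word):
    """FAT directory-entry date/time words: local wall-clock time, 2-second resolution, no zone."""
    return datetime(
        1980 + (date_word >> 9), (date_word >> 5) & 0xF, date_word & 0x1F,
        time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2,
    )


def filetime_display(filetime, case_zone):
    """How a UTC-stored timestamp renders under a chosen case time zone (same instant either way)."""
    return filetime_to_utc(filetime).astimezone(ZoneInfo(case_zone)).isoformat()


def fat_instant_utc(date_word, time_word, case_zone):
    """Turn a zone-less FAT timestamp into a real instant; the case time zone decides which instant."""
    local = fat_to_local(date_word, time_word).replace(tzinfo=ZoneInfo(case_zone))
    return local.astimezone(timezone.utc)


def fat_skew_hours(date_word, time_word, true_zone, assumed_zone):
    """Hours by which the event moves on the timeline if the examiner assumes the wrong zone."""
    true_instant = fat_instant_utc(date_word, time_word, true_zone)
    assumed_instant = fat_instant_utc(date_word, time_word, assumed_zone)
    return (assumed_instant - true_instant).total_seconds() / 3600


# Constructed sample: 2024-07-04 14:30:00 local on an America/New_York (EDT, UTC-4) machine.
FAT_DATE, FAT_TIME = 0x58E4, 0x73C0  # (2024-1980)<<9 | 7<<5 | 4 ; 14<<11 | 30<<5 | 0
NTFS_FILETIME = utc_to_filetime(datetime(2024, 7, 4, 18, 30, tzinfo=timezone.utc))


def demo():
    """Render the same event both ways under a correct and an incorrect case time zone."""
    return {
        "ntfs_in_utc": filetime_display(NTFS_FILETIME, "UTC"),
        "ntfs_in_new_york": filetime_display(NTFS_FILETIME, "America/New_York"),
        "fat_correct_zone": fat_instant_utc(FAT_DATE, FAT_TIME, "America/New_York").isoformat(),
        "fat_assumed_utc": fat_instant_utc(FAT_DATE, FAT_TIME, "UTC").isoformat(),
        "fat_skew_hours": fat_skew_hours(FAT_DATE, FAT_TIME, "America/New_York", "UTC"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value}")
```

Run it and compare the two FAT lines: with the correct zone the FAT event lands on the same instant as the NTFS one (18:30 UTC); with UTC assumed it is placed four hours too early, which is exactly the kind of error that makes a "file copied, then USB removed" sequence look reversed.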


πŸ” Step 5: Enter Hash Value (Optional but Important)

If you have the hash (MD5, SHA-1 or SHA-256) recorded when the disk image was acquired, enter it here. For E01 images the acquisition hash is embedded in the file itself; the Data Source Integrity ingest module can then verify the image against it.

βœ… Purpose:

  • Verify the image’s integrity

  • Ensure the data was not modified during copying or upload
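Before typing a hash into the wizard, the examiner should have computed it independently and compared it with the value from the acquisition report. The script below is an added example (not Autopsy's code) of that check: it hashes a raw image in chunks, so multi-terabyte images never need to fit in memory, and it treats a split raw image (image.001, image.002, ...) as one stream, because the acquisition hash covers the whole image and hashing each segment on its own would never match. The sample image is constructed: two segments whose bytes concatenate to "abc", whose MD5/SHA-1/SHA-256 are the standard test vectors.

```python
"""Verify a disk image against the hash recorded at acquisition.

Added example, not part of Autopsy: the check an examiner runs (or scripts)
before entering the hash in the Add Data Source wizard.
"""
import hashlib
import hmac
import os
import tempfile

# Expected hashes for the constructed sample image below (standard test vectors for "abc").
EXPECTED = {
    "md5": "900150983cd24fb0d6963f7d28e17f72",
    "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}


def hash_image(segment_paths, algorithms=("md5", "sha1", "sha256"), chunk_size=1 << 20):
    """Hash the logical image, i.e. the segment files concatenated in order.

    A split raw image has ONE acquisition hash over the whole stream, so the
    segments are fed into the same hashers one after another. Reading in
    chunks keeps memory flat regardless of image size.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    for path in segment_paths:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                for h in hashers.values():
                    h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(segment_paths, expected):
    """Return (ok, computed). expected maps algorithm name -> hex digest from the acquisition report."""
    computed = hash_image(segment_paths, algorithms=tuple(expected))
    ok = all(
        hmac.compare_digest(computed[algo].lower(), digest.strip().lower())
        for algo, digest in expected.items()
    )
    return ok, computed


def write_constructed_segments(directory, tampered=False):
    """Write a two-segment raw image whose bytes concatenate to b"abc" (constructed data)."""
    segments = [b"a", b"bc"]
    if tampered:
        segments[1] = b"bd"  # one changed byte, as a copy error or tampering would cause
    paths = []
    for index, data in enumerate(segments, start=1):
        path = os.path.join(directory, f"image.{index:03d}")
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


def demo():
    """Verify the intact constructed image, then the tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        ok_good, computed = verify_image(write_constructed_segments(tmp), EXPECTED)
        ok_bad, _ = verify_image(write_constructed_segments(tmp, tampered=True), EXPECTED)
    return ok_good, ok_bad, computed


if __name__ == "__main__":
    good, bad, digests = demo()
    for algo, digest in digests.items():
        print(f"{algo}: {digest}")
    print("intact image verifies:", good, "| tampered image verifies:", bad)
```

Record the computed digests, the tool and the time of the check in your notes; if the hash does not match, stop and re-acquire or re-copy rather than continuing with evidence whose integrity you cannot show.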


🧪 Step 6: Select Ingest Modules

Autopsy provides several built-in analysis (ingest) modules, including:

  • Recent Activity – Recovers recent user activity: web browser history, cookies and downloads, Windows registry data (installed programs, USB devices, user accounts) and recently opened documents

  • Hash Lookup – Flags known files using hash sets (e.g., NSRL known-good files, or a known-bad set you import)

  • File Type Identification – Identifies file types from their signatures rather than their extensions

  • Keyword Search – Indexes file content and searches it for keywords and regular expressions

  • Email Parser – Parses mailbox files (PST, MBOX) into individual messages

  • Picture Analyzer – Extracts EXIF metadata (camera model, GPS position) from images

  • PhotoRec Carver – Carves deleted files out of unallocated space

✅ Practical Tip:

  • If the image is small → enable all modules.

  • If it's large → enable only what you need. Keyword Search (indexing) and PhotoRec Carver are the slowest; you can always run additional modules on the same data source later.


🚀 Final Step: Start the Analysis Phase

After configuring everything:

  1. Click on Finish

  2. Ingest begins automatically; a progress bar appears in the lower right, and results populate the tree as each module finishes, so you can start browsing before ingest completes

  3. Do not close Autopsy until the process finishes


📊 Where Are the Results Saved?

All extracted content (artifacts, reports, logs, etc.) is stored in:

  • Autopsy's case database (autopsy.db for a single-user case), which holds the file system metadata and every artifact

  • The case folder you created at the beginning, which also contains ModuleOutput (files produced by the ingest modules), Reports, Export and Log subfolders


⏱️ What Comes After Analysis?

Once analysis is complete, you can:

  • View browsing history

  • Recover and examine deleted files

  • Export a professional final report

  • Trace a full event Timeline


🧠 Important Notes & Tips for DF Students:

  1. Document every step – especially extraction time, time zone, and data verification

  2. Analysis depends on evidence integrity – altered data = unreliable analysis

  3. Prepare for different scenarios – sometimes you get a full image, other times just files

  4. Understand each module before enabling it to save time and target evidence efficiently