autopsy
Digital forensics analysis and investigation platform
SYNOPSIS
autopsy [options]
The `autopsy` command typically launches a web server interface. Once running, interaction primarily occurs through a web browser.
PARAMETERS
-p <port>
Specifies the TCP port for the `autopsy` web server to listen on. The default port is usually 9999.
-b <address>
Binds the web server to a specific IP address. If no address is given, it might listen on all available interfaces, which makes the interface reachable from other hosts on the network; binding to `127.0.0.1` restricts access to the local machine.
-d
Runs `autopsy` in debug mode, providing more verbose output to the console for troubleshooting.
-l <logfile>
Directs log output to the specified file instead of standard error.
-c <config_file>
Specifies an alternative configuration file to use for `autopsy` settings.
DESCRIPTION
The `autopsy` command, historically part of The Sleuth Kit (TSK), served as a web-based graphical interface for digital forensic analysis. It allowed investigators to manage cases, add hosts, and analyze disk images and other forms of digital evidence through a web browser. Unlike tools that perform direct analysis on the command line, `autopsy` provided a structured environment to present and navigate the data extracted by underlying TSK utilities like `mmls`, `fls`, `istat`, and `icat`.
It did not itself parse file systems or extract data; instead, it acted as an orchestrator and viewer, making complex forensic data more accessible and manageable. Users would launch the `autopsy` command, which would start a local web server (typically on port 9999), and then open that interface in a web browser to perform their investigations. Its primary goal was to simplify the process of examining large datasets and presenting findings.
CAVEATS
The command-line `autopsy` discussed here refers to the legacy web-based version of Autopsy. This version is largely superseded by the modern, standalone Java-based Autopsy Graphical User Interface (GUI) application, which offers more features, a more robust interface, and is actively developed. While the old `autopsy` command might still be available in some distributions, it is generally not recommended for new forensic cases due to its age, potential security vulnerabilities (being a web server), and lack of modern features. Its primary value is historical or for very specific legacy environments.
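As an added check that is not part of the autopsy man page or of The Sleuth Kit, the following POSIX shell script verifies that a listener on the autopsy port is bound to loopback rather than to all interfaces. It parses a listing in the layout of `ss -ltn` (Linux iproute2) and ships with a constructed sample listing so it runs offline; the port and the `check_live_autopsy_binding` helper are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the autopsy man page: report whether a TCP
# listener on the autopsy port is bound to loopback only or exposed.
# Assumes input in the layout of `ss -ltn` on Linux (State Recv-Q Send-Q
# "Local Address:Port" "Peer Address:Port"); the port defaults to 9999.

AUTOPSY_PORT="${AUTOPSY_PORT:-9999}"

# Constructed sample listing (not real output) so the check runs offline.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:9999      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    [::]:80             [::]:*'

# check_autopsy_binding PORT   (reads an ss-style listing on stdin)
# Prints one line per matching listener and exits with:
#   0 = bound to loopback only, 1 = at least one non-loopback binding,
#   2 = nothing listening on PORT
check_autopsy_binding() {
    awk -v port="$1" '
        $1 != "LISTEN" { next }                 # skip the header and non-listeners
        {
            n = split($4, parts, ":")           # last ":"-separated field is the port
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            found = 1
            if (addr == "127.0.0.1" || addr == "[::1]") {
                print "loopback-only: " $4
            } else {
                print "EXPOSED: " $4            # reachable from other hosts
                exposed = 1
            }
        }
        END {
            if (!found) exit 2
            exit (exposed ? 1 : 0)
        }'
}

# Live variant for a running system (assumes iproute2 `ss` is installed).
check_live_autopsy_binding() {
    ss -ltn | check_autopsy_binding "${1:-$AUTOPSY_PORT}"
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | check_autopsy_binding "$AUTOPSY_PORT" \
    || echo "autopsy port $AUTOPSY_PORT is not loopback-only (status $?)"
```

On a live host, run `check_live_autopsy_binding 9999` after starting `autopsy`; a non-zero status means the server is reachable beyond the local machine or is not running.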
CORE WORKFLOW
The typical workflow using the original `autopsy` command involved:
1. Launching the `autopsy` command to start the web server.
2. Accessing the interface via a web browser (e.g., `http://localhost:9999`).
3. Creating a Case: Setting up a new investigation.
4. Adding a Host: Associating forensic images with a specific machine.
5. Adding a Disk Image: Importing raw disk images (e.g., `dd` images, E01 files) for analysis.
6. Analyzing Evidence: Using the interface to browse file systems, search for keywords, view timelines, and extract files, all powered by the underlying TSK tools.
HISTORY
The `autopsy` command-line tool has a rich history within the digital forensics community. It was originally developed by Brian Carrier as part of The Sleuth Kit (TSK), a collection of command-line forensic tools. The first major release of Autopsy as a web-based interface (often referred to as Autopsy 2.x) emerged in the early 2000s, providing a much-needed user-friendly frontend to the powerful TSK utilities. This web interface, launched via the `autopsy` command, revolutionized how digital evidence was analyzed by making complex data more navigable. As technology evolved, so did the need for a more robust and integrated solution. This led to the development of the modern Java-based Autopsy GUI, which offers a full-fledged desktop application experience, significantly expanding capabilities beyond the original web interface. The command-line `autopsy` thus represents an important evolutionary step in digital forensics tools.