autopsy
Digital forensics analysis and investigation platform
SYNOPSIS
autopsy [-dhlV] [-p port-number] [case-name]
PARAMETERS
-d
Daemon mode: run server in background without launching browser.
-h
Print help summary and exit.
-l
List all existing cases in default directory.
-p n
Use port n for web server (default 9999).
-V
Print version information and exit.
case-name
Optional case directory name to create or open.
DESCRIPTION
Autopsy is an open-source digital forensics tool that provides a web-based graphical interface for analyzing disk images, recovering files, and performing timeline analysis. Built on top of The Sleuth Kit, it supports modules for keyword search, hash lookup, timeline visualization, and smart carving. The autopsy command launches a local web server (default port 9999) where users create or open cases, ingest evidence such as raw images or EWF files, and run analysis without modifying the originals. Ideal for law enforcement and incident response, it features reporting and extensibility via plugins. It requires a Java runtime; cases are stored in directories with SQLite databases for metadata.
Typical usage: start the server, open http://localhost:9999/autopsy in a browser, and manage investigations securely from there.
CAVEATS
Designed for read-only analysis. Large cases need ample RAM and disk space. The web interface is exposed on localhost only. Depends on Java. Not intended for real-time use or production servers.
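The localhost-only caveat can be checked on the analysis host rather than assumed. The following is an added example, not part of Autopsy or of the original page: it parses `ss -ltn` output (Linux, iproute2) and reports whether every listener on the Autopsy port is bound to loopback. The function name check_listener and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm the Autopsy web port is bound to loopback only.
# The two `ss -ltn` listings below are constructed samples, not real output.

SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      50     127.0.0.1:9999     0.0.0.0:*
LISTEN 0      50     [::1]:9999         [::]:*'

SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      50     0.0.0.0:9999       0.0.0.0:*'

# check_listener PORT  (hypothetical helper; reads `ss -ltn` output on stdin)
# Exit status: 0 = every listener on PORT is loopback,
#              1 = at least one listener is reachable off-host,
#              2 = nothing is listening on PORT.
check_listener() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")          # port is the last ":" field
            if (parts[n] != port) next
            found = 1
            host = substr($4, 1, length($4) - length(parts[n]) - 1)
            # 127.0.0.0/8 and [::1] are loopback; anything else
            # (0.0.0.0, *, [::], a NIC address) is treated as exposed.
            if (host !~ /^127\./ && host != "[::1]") {
                exposed = 1
                print "non-loopback listener: " $4
            }
        }
        END {
            if (!found) exit 2
            exit (exposed ? 1 : 0)
        }'
}

# Demo on the constructed samples; on a live host: ss -ltn | check_listener 9999
for name in SAMPLE_LOOPBACK SAMPLE_EXPOSED; do
    eval "data=\$$name"
    if printf '%s\n' "$data" | check_listener 9999; then
        echo "$name: port 9999 is loopback-only"
    else
        echo "$name: port 9999 is NOT loopback-only (status $?)"
    fi
done
```

If the server was started with -p n, pass the same port number to the function.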
DEFAULT CASE LOCATION
Cases are stored in ~/.autopsy/cases/, or in the directory named by the AUTOPSY_CASES_DIR environment variable.
BROWSER ACCESS
After launch, browse to http://localhost:9999/autopsy; use an incognito window for multi-case testing.
HISTORY
Originated in 1998 with Brian Carrier at @stake; evolved under Basis Technology; integrated with The Sleuth Kit since 2003; version 4.x (2018+) uses JavaFX for a cross-platform GUI/server.


