Autopsy Forensic Browser


autopsy [-c] [-C] [-d evid_locker] [-i device filesystem mnt] [-p port] [addr]


By default, autopsy starts the Autopsy Forensic Browser server on port 9999 and accepts connections from the localhost. If -p port is given, then the server opens on that port, and if addr is given, then connections are only accepted from that host. When the -i argument is given, autopsy goes into live analysis mode.

The arguments are as follows:

-c
    Force the program to use cookies even for localhost.

-C
    Force the program to not use cookies even for remote hosts.

-d evid_locker
    Directory where cases and hosts are stored. This overrides the LOCKDIR value in The path must be a full path (i.e. start with /).

-i device filesystem mnt
    Specify the information for the live analysis mode. This can be specified as many times as needed. The device field is for the raw file system device, the filesystem field is for the file system type, and the mnt field is for the mounting point of the file system.

-p port
    TCP port for the server to listen on.

addr
    IP address or host name of where the investigator is located. If localhost is used, then 'localhost' must be used in the URL. If you use the actual hostname or IP, it will be rejected.

When started, the program will display a URL to paste into an HTML browser. The browser must support frames and forms.

The Autopsy Forensic Browser will allow an investigator to analyze images generated by dd(1) for evidence. The program allows the images to be analyzed by browsing files, blocks, inodes, or by searching the blocks. The program also generates Autopsy reports that include collection time, investigator's name, and MD5 hash values.


The following variables can be set in

USE_STIMEOUT
    When set to 1 (default is 0), the server will exit after STIMEOUT seconds of inactivity (default is 3600). This setting is recommended if cookies are not used.

BASEDIR
    Directory where cases and forensic images are located. The images must have simple names with only letters, numbers, '_', '-', and '.'. (See FILES).

TSKDIR
    Directory where The Sleuth Kit binaries are located.

NSRLDB
    Location of the NIST National Software Reference Library (NSRL).

INSTALLDIR
    Directory where Autopsy was installed.

GREP_EXE
    Location of grep(1) binary.

STRINGS_EXE
    Location of strings(1) binary.


Evidence Locker
    The Evidence Locker is where all cases and hosts will be saved to. It is a directory that will have a directory for each case. Each case directory will have a directory for each host.

/case.aut
    This file is the case configuration file for the case. It contains the description of the case and default subdirectories for the hosts.

/investigators.txt
    This file contains the list of investigators that will use this case. These are used for logging only, not authentication.

/host.aut
    This file is where the host configuration details are saved. It is similar to the 'fsmorgue' file from previous versions of Autopsy. It has an entry for each file in the host and contains the host description.

md5.txt
    Some directories will have this file in it. It contains MD5 values for important files in the directory. This makes it easy to validate the integrity of images.
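An added example (not part of the original manual page or of Autopsy itself) that re-checks the MD5 values listed in an md5.txt file and applies the BASEDIR naming rule to each listed file. The md5.txt line layout used here (32 hex digits, whitespace, file name), the function names and the status labels are assumptions; the sample files are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Rule from the BASEDIR entry: letters, numbers, '_', '-' and '.' only.
SIMPLE_NAME = re.compile(r"[A-Za-z0-9_.-]+")
# ASSUMED md5.txt line layout: 32 hex digits, whitespace, file name.
MANIFEST_LINE = re.compile(r"([0-9a-fA-F]{32})\s+(.+)")

def md5_of(path, chunk=1 << 20):
    """Hash a file in chunks so large dd images are not read into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def verify_dir(directory, manifest="md5.txt"):
    """Return {file name: status} for every entry listed in the manifest."""
    root, results = Path(directory), {}
    for line in (root / manifest).read_text().splitlines():
        match = MANIFEST_LINE.fullmatch(line.strip())
        if not match:
            continue  # blank or unrecognised line
        expected, name = match.group(1).lower(), match.group(2)
        if not SIMPLE_NAME.fullmatch(name):
            results[name] = "BAD_NAME"   # breaks the simple-name rule
        elif not (root / name).is_file():
            results[name] = "MISSING"    # listed but not on disk
        elif md5_of(root / name) != expected:
            results[name] = "MISMATCH"   # contents changed since hashing
        else:
            results[name] = "OK"
    return results

def demo():
    # Constructed evidence directory: one intact image, one altered image,
    # one listed-but-absent image and one entry with a space in its name.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hda1.dd").write_bytes(b"constructed sample image")
        (root / "hda2.dd").write_bytes(b"modified after hashing")
        good = hashlib.md5(b"constructed sample image").hexdigest()
        stale = hashlib.md5(b"original contents").hexdigest()
        lines = [f"{good}  hda1.dd", f"{stale}  hda2.dd",
                 f"{good}  gone.dd", f"{good}  my image.dd"]
        (root / "md5.txt").write_text("\n".join(lines) + "\n")
        return verify_dir(root)
```

Any status other than OK means the directory no longer matches what was recorded at collection time and should be resolved before analysis continues.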


# autopsy -p 8888


The Autopsy Forensic Browser requires The Sleuth Kit


autopsy first appeared in Autopsy v1.0.


This software is distributed under the GNU Public License.


dd(1), fls(1), ffind(1), ifind(1), grep(1), icat(1), md5(1), strings(1),


Brian Carrier Send documentation updates to
