digital forensics

Analyzing Disk Image with Autopsy

Perform comprehensive forensic analysis of disk images using Autopsy to recover files, examine artifacts, and build investigation timelines.

artifact-analysisautopsydisk-analysisfile-recoveryforensicssleuth-kit
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

  • When you have a forensic disk image and need structured analysis of its contents
  • During investigations requiring file recovery, keyword searching, and timeline analysis
  • When non-technical stakeholders need visual reports from forensic evidence
  • For examining file system metadata, deleted files, and embedded artifacts
  • When building a comprehensive case from multiple disk images

Prerequisites

  • Autopsy 4.x installed (Windows) or Autopsy 4.x with The Sleuth Kit (Linux)
  • Forensic disk image in raw (dd), E01 (EnCase), or AFF format
  • Minimum 8GB RAM (16GB recommended for large images)
  • Java Runtime Environment (JRE) 8+ for Autopsy
  • Sufficient disk space for the Autopsy case database (2-3x image size)
  • Hash databases (NSRL, known-bad hashes) for file identification

Workflow

Step 1: Install Autopsy and Configure Environment

# On Linux, install Sleuth Kit and Autopsy
sudo apt-get install autopsy sleuthkit
 
# Download Autopsy 4.x (GUI version) from official source
wget https://github.com/sleuthkit/autopsy/releases/download/autopsy-4.21.0/autopsy-4.21.0.zip
unzip autopsy-4.21.0.zip -d /opt/autopsy
 
# On Windows, run the MSI installer from sleuthkit.org
# Launch Autopsy
/opt/autopsy/bin/autopsy --nosplash
 
# For Sleuth Kit command-line analysis alongside Autopsy
sudo apt-get install sleuthkit

Step 2: Create a New Case and Add the Disk Image

1. Launch Autopsy > "New Case"
2. Enter Case Name: "CASE-2024-001-Workstation"
3. Set Base Directory: /cases/case-2024-001/autopsy/
4. Enter Case Number, Examiner Name
5. Click "Add Data Source"
6. Select "Disk Image or VM File"
7. Browse to: /cases/case-2024-001/images/evidence.dd
8. Select Time Zone of the original system
9. Configure Ingest Modules (see Step 3)
# Alternatively, use Sleuth Kit CLI to verify the image first
img_stat /cases/case-2024-001/images/evidence.dd
 
# List partitions in the image
mmls /cases/case-2024-001/images/evidence.dd
 
# Output example:
# DOS Partition Table
# Offset Sector: 0
# Units are in 512-byte sectors
#      Slot    Start        End          Length       Description
#      00:  -----   0000000000   0000002047   0000002048   Primary Table (#0)
#      01:  00:00   0000002048   0001026047   0001024000   NTFS (0x07)
#      02:  00:01   0001026048   0976771071   0975745024   NTFS (0x07)
 
# List files in a partition (offset 2048 sectors)
fls -o 2048 /cases/case-2024-001/images/evidence.dd

Step 3: Configure and Run Ingest Modules

Enable the following Autopsy Ingest Modules:
- Recent Activity: Extracts browser history, downloads, cookies, bookmarks
- Hash Lookup: Compares files against NSRL and known-bad hash sets
- File Type Identification: Identifies files by signature, not extension
- Keyword Search: Indexes content for full-text searching
- Email Parser: Extracts emails from PST, MBOX, EML files
- Extension Mismatch Detector: Finds files with wrong extensions
- Exif Parser: Extracts metadata from images (GPS, camera, timestamps)
- Encryption Detection: Identifies encrypted files and containers
- Interesting Files Identifier: Flags files matching custom rule sets
- Embedded File Extractor: Extracts files from ZIP, Office docs, PDFs
- Picture Analyzer: Categorizes images using PhotoDNA or hash matching
- Data Source Integrity: Verifies image hash during ingest
# Configure NSRL hash set for known-good filtering
# Download NSRL from https://www.nist.gov/itl/ssd/software-quality-group/national-software-reference-library-nsrl
wget https://s3.amazonaws.com/rds.nsrl.nist.gov/RDS/current/rds_modernm.zip
unzip rds_modernm.zip -d /opt/autopsy/hashsets/
 
# Import into Autopsy:
# Tools > Options > Hash Sets > Import > Select NSRLFile.txt
# Mark as "Known" (to filter out known-good files)

Step 4: Analyze File System and Recover Deleted Files

# In Autopsy GUI: Navigate tree structure
# - Data Sources > evidence.dd > vol2 (NTFS)
# - Examine directory tree, note deleted files (marked with X)
 
# Using Sleuth Kit CLI for targeted recovery
# List deleted files
fls -rd -o 2048 /cases/case-2024-001/images/evidence.dd
 
# Recover a specific deleted file by inode
icat -o 2048 /cases/case-2024-001/images/evidence.dd 14523 > /cases/case-2024-001/recovered/deleted_document.docx
 
# Extract all files from a directory
tsk_recover -o 2048 -d /Users/suspect/Documents \
   /cases/case-2024-001/images/evidence.dd \
   /cases/case-2024-001/recovered/documents/
 
# Get detailed file metadata
istat -o 2048 /cases/case-2024-001/images/evidence.dd 14523
# Shows: creation, modification, access, MFT change timestamps, size, data runs

Step 5: Perform Keyword Searches and Tag Evidence

In Autopsy:
1. Keyword Search panel > "Ad Hoc Keyword Search"
2. Search terms: credit card patterns, SSN regex, email addresses
3. Example regex for credit cards: \b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})\b
4. Example regex for SSN: \b\d{3}-\d{2}-\d{4}\b
5. Review results > Right-click items > "Add Tag"
6. Create tags: "Evidence-Critical", "Evidence-Supporting", "Requires-Review"
7. Add comments to tagged items documenting relevance
# Using Sleuth Kit for CLI keyword search
srch_strings -a -o 2048 /cases/case-2024-001/images/evidence.dd | \
   grep -iE '(password|secret|confidential)' > /cases/case-2024-001/keyword_hits.txt
 
# Search for specific file signatures
sigfind -o 2048 /cases/case-2024-001/images/evidence.dd 25504446
# 25504446 = %PDF header signature

Step 6: Build Timeline and Generate Reports

In Autopsy:
1. Timeline viewer: Tools > Timeline
2. Select date range of interest (incident window)
3. Filter by event type: File Created, Modified, Accessed, Web Activity
4. Zoom into suspicious time periods
5. Export timeline events as CSV for external analysis
 
Generate Report:
1. Generate Report > HTML Report
2. Select tagged items and data sources to include
3. Configure report sections: file listings, keyword hits, timeline
4. Export to /cases/case-2024-001/reports/
# Using Sleuth Kit mactime for CLI timeline
fls -r -m "/" -o 2048 /cases/case-2024-001/images/evidence.dd > /cases/case-2024-001/bodyfile.txt
 
# Generate timeline from bodyfile
mactime -b /cases/case-2024-001/bodyfile.txt -d > /cases/case-2024-001/timeline.csv
 
# Filter timeline to specific date range
mactime -b /cases/case-2024-001/bodyfile.txt \
   -d 2024-01-15..2024-01-20 > /cases/case-2024-001/incident_timeline.csv

Key Concepts

Concept Description
Ingest Modules Automated analysis plugins that process data sources upon import
MFT (Master File Table) NTFS metadata structure recording all file entries and attributes
File carving Recovering files from unallocated space using file signatures
Hash filtering Using NSRL or custom hash sets to exclude known-good or flag known-bad files
Timeline analysis Chronological reconstruction of file system and user activity events
Deleted file recovery Restoring files whose directory entries are removed but data remains
Keyword indexing Full-text search index built from all file content including slack space
Artifact extraction Automated parsing of browser, email, registry, and OS-specific artifacts

Tools & Systems

Tool Purpose
Autopsy Open-source GUI forensic platform for disk image analysis
The Sleuth Kit (TSK) Command-line forensic toolkit underlying Autopsy
fls List files and directories in a disk image including deleted entries
icat Extract file content by inode number from a disk image
mactime Generate timeline from TSK bodyfile format
mmls Display partition layout of a disk image
NSRL NIST hash database for identifying known software files
sigfind Search for file signatures at the sector level

Common Scenarios

Scenario 1: Employee Data Theft Investigation Import the employee workstation image, run all ingest modules, search for company-confidential file names and keywords, examine USB connection artifacts in Recent Activity, check for cloud storage client artifacts, review deleted files for evidence of data staging, generate HTML report for legal team.

Scenario 2: Malware Infection Forensics Add the compromised system image, enable Extension Mismatch and Encryption Detection modules, examine the prefetch directory for execution evidence, search for known malware hashes, build timeline around the infection window, extract suspicious executables for further analysis in a sandbox.

Scenario 3: Child Exploitation Material (CSAM) Investigation Import image with PhotoDNA and Project VIC hash sets enabled, run Picture Analyzer module, hash all image files against known-bad databases, tag and categorize matches by severity, generate law enforcement report with chain of custody documentation.

Scenario 4: Intellectual Property Dispute Import multiple employee disk images as separate data sources in one case, perform keyword searches for proprietary terms and project names, compare file hashes between sources, build timeline showing file access and transfer patterns, export evidence for legal review.

Output Format

Autopsy Case Analysis Summary:
  Case:           CASE-2024-001-Workstation
  Image:          evidence.dd (500GB NTFS)
  Partitions:     2 (System Reserved + Primary)
  Total Files:    245,832
  Deleted Files:  12,456 (recoverable: 8,234)
 
  Ingest Results:
    Hash Matches (Known Bad):  3 files
    Extension Mismatches:      17 files
    Keyword Hits:              234 across 45 files
    Encrypted Files:           5 containers detected
    EXIF Data Extracted:       1,245 images with metadata
 
  Tagged Evidence:
    Critical:     12 items
    Supporting:   34 items
    Review:       67 items
 
  Timeline Events:  1,234,567 entries (filtered to incident window: 892)
  Report:          /cases/case-2024-001/reports/autopsy_report.html
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md2.8 KB

API Reference: Autopsy and The Sleuth Kit (TSK)

mmls - Partition Layout

Syntax

mmls <image_file>
mmls -t dos <image_file>    # Force DOS partition table
mmls -t gpt <image_file>    # Force GPT partition table

Output Format

DOS Partition Table
Offset Sector: 0
     Slot    Start        End          Length       Description
     00:  00:00   0000002048   0001026047   0001024000   NTFS (0x07)

fls - File Listing

Syntax

fls -o <offset> <image>              # List root directory
fls -r -o <offset> <image>           # Recursive listing
fls -rd -o <offset> <image>          # Deleted files only, recursive
fls -m "/" -r -o <offset> <image>    # Bodyfile format for mactime

Flags

Flag Description
-r Recursive listing
-d Deleted entries only
-D Directories only
-m "/" Output in bodyfile format with mount point
-o Partition sector offset

icat - File Extraction by Inode

Syntax

icat -o <offset> <image> <inode> > recovered_file
icat -r -o <offset> <image> <inode> > file   # Recover slack space

istat - File Metadata

Syntax

istat -o <offset> <image> <inode>

Output Includes

  • MFT entry number and sequence
  • File creation, modification, access, MFT change timestamps
  • File size and data run locations
  • Attribute list (NTFS: $STANDARD_INFORMATION, $FILE_NAME, $DATA)

mactime - Timeline Generation

Syntax

mactime -b <bodyfile> -d > timeline.csv
mactime -b <bodyfile> -d 2024-01-15..2024-01-20 > filtered.csv
mactime -b <bodyfile> -z UTC -d > timeline_utc.csv

Output Columns

Date,Size,Type,Mode,UID,GID,Meta,File Name

img_stat - Image Information

Syntax

img_stat <image_file>

sigfind - File Signature Search

Syntax

sigfind -o <offset> <image> <hex_signature>
sigfind -o 2048 evidence.dd 25504446    # Find %PDF headers
sigfind -o 2048 evidence.dd 504B0304    # Find ZIP/DOCX headers

Common Signatures

Hex File Type
FFD8FF JPEG
89504E47 PNG
25504446 PDF
504B0304 ZIP/DOCX/XLSX
D0CF11E0 OLE (DOC/XLS)

srch_strings - Keyword Search

Syntax

srch_strings -a -o <offset> <image> | grep -i "keyword"
srch_strings -t d <image>    # Print offset in decimal

Autopsy GUI Ingest Modules

Module Function
Recent Activity Browser history, downloads, cookies
Hash Lookup NSRL and known-bad hash matching
File Type Identification Signature-based file type detection
Keyword Search Full-text content indexing
Email Parser PST/MBOX/EML extraction
Extension Mismatch Wrong file extension detection
Embedded File Extractor ZIP, Office, PDF extraction
Encryption Detection Encrypted container identification

Scripts 1

agent.py7.5 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Forensic disk image analysis agent using The Sleuth Kit (TSK) command-line tools."""

import shlex
import subprocess
import os
import sys
import json
import csv
import datetime


def run_cmd(cmd):
    """Execute a command and return output."""
    if isinstance(cmd, str):
        cmd = shlex.split(cmd)
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
    return result.stdout.strip(), result.stderr.strip(), result.returncode


def get_image_info(image_path):
    """Retrieve disk image metadata using img_stat."""
    stdout, _, rc = run_cmd(f"img_stat {image_path}")
    if rc == 0:
        info = {}
        for line in stdout.splitlines():
            if ":" in line:
                key, _, val = line.partition(":")
                info[key.strip()] = val.strip()
        return info
    return None


def list_partitions(image_path):
    """List partition layout using mmls."""
    stdout, _, rc = run_cmd(f"mmls {image_path}")
    partitions = []
    if rc == 0:
        for line in stdout.splitlines():
            parts = line.split()
            if len(parts) >= 6 and parts[2].isdigit():
                partitions.append({
                    "slot": parts[0].rstrip(":"),
                    "start": int(parts[2]),
                    "end": int(parts[3]),
                    "length": int(parts[4]),
                    "description": " ".join(parts[5:]),
                })
    return partitions


def list_files(image_path, offset, path="/", recursive=False):
    """List files in a partition using fls."""
    flags = "-r" if recursive else ""
    cmd = f"fls {flags} -o {offset} {image_path}"
    if path != "/":
        cmd += f" -D {path}"
    stdout, _, rc = run_cmd(cmd)
    files = []
    if rc == 0:
        for line in stdout.splitlines():
            line = line.strip()
            if not line:
                continue
            parts = line.split("\t", 1)
            if len(parts) == 2:
                meta = parts[0].strip()
                name = parts[1].strip()
                deleted = meta.startswith("*")
                file_type = "d" if "d/" in meta else "r"
                inode = ""
                for token in meta.split():
                    if "-" in token and token.replace("-", "").isdigit():
                        inode = token
                        break
                files.append({
                    "name": name,
                    "inode": inode,
                    "type": "directory" if file_type == "d" else "file",
                    "deleted": deleted,
                })
    return files


def list_deleted_files(image_path, offset):
    """List only deleted files using fls -rd."""
    stdout, _, rc = run_cmd(f"fls -rd -o {offset} {image_path}")
    deleted = []
    if rc == 0:
        for line in stdout.splitlines():
            line = line.strip()
            if line:
                deleted.append(line)
    return deleted


def recover_file(image_path, offset, inode, output_path):
    """Recover a file by inode using icat."""
    result = subprocess.run(
        ["icat", "-o", str(offset), image_path, str(inode)],
        capture_output=True,
        timeout=120,
    )
    if result.returncode == 0:
        with open(output_path, "wb") as f:
            f.write(result.stdout)
    return result.returncode == 0


def get_file_metadata(image_path, offset, inode):
    """Get detailed file metadata using istat."""
    stdout, _, rc = run_cmd(f"istat -o {offset} {image_path} {inode}")
    return stdout if rc == 0 else None


def create_bodyfile(image_path, offset, output_path):
    """Generate a TSK bodyfile for timeline creation."""
    result = subprocess.run(
        ["fls", "-r", "-m", "/", "-o", str(offset), image_path],
        capture_output=True, text=True,
        timeout=120,
    )
    if result.returncode == 0:
        with open(output_path, "w") as f:
            f.write(result.stdout)
    return result.returncode == 0


def generate_timeline(bodyfile_path, output_csv, start_date=None, end_date=None):
    """Generate a timeline from a bodyfile using mactime."""
    cmd = ["mactime", "-b", bodyfile_path, "-d"]
    if start_date and end_date:
        cmd.append(f"{start_date}..{end_date}")
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
    if result.returncode == 0:
        with open(output_csv, "w") as f:
            f.write(result.stdout)
    return result.returncode == 0


def search_keywords(image_path, offset, keyword):
    """Search for keyword strings in the disk image."""
    result = subprocess.run(
        ["srch_strings", "-a", "-o", str(offset), image_path],
        capture_output=True, text=True,
        timeout=120,
    )
    if result.returncode != 0 or not result.stdout:
        return []
    keyword_lower = keyword.lower()
    return [line for line in result.stdout.splitlines() if keyword_lower in line.lower()]


def find_file_signature(image_path, offset, hex_signature):
    """Find file signatures at the sector level using sigfind."""
    stdout, _, rc = run_cmd(f"sigfind -o {offset} {image_path} {hex_signature}")
    return stdout if rc == 0 else None


def analyze_image(image_path, case_dir):
    """Run a full automated analysis workflow on a disk image."""
    os.makedirs(case_dir, exist_ok=True)
    results = {"image": image_path, "timestamp": datetime.datetime.utcnow().isoformat()}

    print(f"[*] Image info...")
    results["image_info"] = get_image_info(image_path)

    print(f"[*] Partition layout...")
    partitions = list_partitions(image_path)
    results["partitions"] = partitions

    for part in partitions:
        if "NTFS" in part.get("description", "") or "Linux" in part.get("description", ""):
            offset = part["start"]
            print(f"[*] Listing files at offset {offset} ({part['description']})...")
            files = list_files(image_path, offset, recursive=True)
            results[f"files_offset_{offset}"] = {
                "total": len(files),
                "deleted": sum(1 for f in files if f["deleted"]),
            }
            print(f"    Total: {len(files)}, Deleted: {results[f'files_offset_{offset}']['deleted']}")

            print(f"[*] Creating bodyfile for timeline...")
            bf_path = os.path.join(case_dir, f"bodyfile_{offset}.txt")
            create_bodyfile(image_path, offset, bf_path)

            tl_path = os.path.join(case_dir, f"timeline_{offset}.csv")
            generate_timeline(bf_path, tl_path)

    report_path = os.path.join(case_dir, "analysis_summary.json")
    with open(report_path, "w") as f:
        json.dump(results, f, indent=2, default=str)
    print(f"[*] Summary saved to {report_path}")
    return results


if __name__ == "__main__":
    print("=" * 60)
    print("Disk Image Forensic Analysis Agent")
    print("Tools: The Sleuth Kit (fls, icat, mmls, mactime)")
    print("=" * 60)

    if len(sys.argv) > 1:
        image = sys.argv[1]
        import tempfile
        case = sys.argv[2] if len(sys.argv) > 2 else os.environ.get("AUTOPSY_CASE_DIR", os.path.join(tempfile.gettempdir(), "autopsy_case"))
        if os.path.exists(image):
            analyze_image(image, case)
        else:
            print(f"[ERROR] Image not found: {image}")
    else:
        print("\n[DEMO] Usage: python agent.py <disk_image.dd> [case_directory]")
        print("[*] Supported operations:")
        print("    - Partition enumeration (mmls)")
        print("    - File listing with deleted file recovery (fls, icat)")
        print("    - Timeline generation (mactime)")
        print("    - Keyword searching (srch_strings)")
        print("    - File signature detection (sigfind)")
Keep exploring