Autopsy / TSK

Basis Technology

Open-source digital forensics platform built on The Sleuth Kit, for disk image analysis.

Tags: Digital Forensics & IR · Free & Open Source · GUI · Learning · Cross-platform

Cyber Kill Chain & Defender Lifecycle

Attacker — Kill Chain: 1 Reconnaissance · 2 Weaponization · 3 Delivery · 4 Exploitation · 5 Installation · 6 Command & Control · 7 Actions on Objectives
Defender — IR Lifecycle: 8 Detection / Monitoring · 9 Containment & Eradication · 10 Post-incident Forensics

Description

Autopsy is the graphical front-end for The Sleuth Kit (TSK), the leading open-source disk forensics library. It is the de facto free alternative to EnCase / FTK for dead-box analysis and is widely used in law enforcement and education.

Modules a CySA+ candidate should be aware of:

  • Timeline — combined MAC times from the file system and logs.
  • Hash Lookup — NSRL and custom hash sets to filter out known-good files.
  • Keyword Search — indexed full-text search across the image.
  • Web Artifacts — browser history, cookies and cache.
  • Registry / Recent Activity — RegRipper integration.
  • PhotoRec — file carving and EXIF metadata extraction.

Use cases

  • Dead-box analysis of an acquired disk image
  • Timeline reconstruction for an incident report
  • Hash-matching evidence against IOC lists