Autopsy User Documentation  4.6.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
Live Triage

Overview

The Live Triage feature allows you to load Autopsy onto a removable drive to run on target systems while making minimal changes to that target system. This will currently only work on Windows systems.

Creating a live triage drive

To create a live triage drive, go to Tools->Make Live Triage Drive to bring up the main dialog.

live_triage_dialog.png

Select the drive you want to use - any type of USB storage device will work. For best results use the fastest drive available. Once the process is complete the root folder will contain an Autopsy folder and a RunFromUSB.bat file.

Running Autopsy from the live triage drive

Insert the drive into the target machine and browse to it in Windows Explorer. Right click on RunFromUSB.bat and select "Run as administrator". This is necessary to analyze the local drives.

live_triage_script.png

Running the script will generate a few more directories on the USB drive. The configData directory stores all the data used by Autopsy - primarily configuration files and temporary files. You can make changes to the Autopsy settings and they will persist between runs. The cases directory is created as a recommended place to save your case data. You will need to browse to it when creating a case in Autopsy.

Once Autopsy is running, proceed to create a case as normal, making sure to save it on the USB drive.

live_triage_case.png

Then choose the Local Disk data source and select the desired drive.

live_triage_ds.png

See the Adding a Local Disk page for more information on local disk data sources.


Copyright © 2012-2016 Basis Technology. Generated on Mon May 7 2018
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.