Autopsy User Documentation  4.21.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
Cases

You need to create a case before you can analyze data in Autopsy. A case can contain one or more data sources (disk images, disk devices, logical files). The data sources can be from multiple drives in a single computer or from multiple computers. It's up to you.

Each case has its own directory that is named based on the case name. The directory will contain configuration files, a database, reports, and other files that modules generate. The main Autopsy case configuration file has an ".aut" extension.

Creating a Case

splashscreen.PNG

There are several ways to create a new case:

The New Case wizard dialog will open and you will need to enter the case name and base directory. A directory for the case will be created inside of the "base directory". If the directory already exists, you will need to either delete the existing directory or choose a different combination of names.

case-newcase.PNG
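
A pre-flight check for the directory collision described above, as an added example that is not part of the Autopsy documentation or code base. It treats any directory holding a ".aut" file as a case directory, so an existing case is not deleted by mistake just to free up the name. The function names and the sample layout are assumptions made for illustration.

```python
import tempfile
from pathlib import Path


def find_cases(base_dir):
    """Return {directory name: [.aut files]} for case directories directly under base_dir."""
    cases = {}
    for child in sorted(Path(base_dir).iterdir()):
        if child.is_dir():
            aut_files = sorted(p.name for p in child.glob("*.aut") if p.is_file())
            if aut_files:
                cases[child.name] = aut_files
    return cases


def preflight(base_dir, case_name):
    """Classify base_dir/case_name before running the New Case wizard.

    Returns one of:
      "free"          - the directory does not exist, the wizard can create it
      "existing-case" - it exists and holds a .aut file (open it, do not delete it)
      "occupied"      - it exists without a .aut file (stale or unrelated content)
    """
    target = Path(base_dir) / case_name
    if not target.exists():
        return "free"
    if target.is_dir() and any(p.is_file() for p in target.glob("*.aut")):
        return "existing-case"
    return "occupied"


def demo():
    # Constructed sample layout; the directory and file names are made up.
    with tempfile.TemporaryDirectory() as base:
        (Path(base) / "Case001").mkdir()
        (Path(base) / "Case001" / "Case001.aut").write_text("constructed placeholder")
        (Path(base) / "scratch").mkdir()
        return (find_cases(base),
                preflight(base, "Case001"),
                preflight(base, "scratch"),
                preflight(base, "Case002"))


if __name__ == "__main__":
    print(demo())
```
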

NOTE: You will only have the option of making a multi-user case if you have configured Autopsy with multi-user settings. See Setting Up Multi-user Cluster for installation instructions and Creating Multi-user cases for details on creating multi-user cases.

You will also be prompted for optional information as shown below:

new_case_optional_info.png

All fields on this panel are optional. Additionally, the Organization section will only be active if the central repository is enabled.

After you create the case, you will be prompted to add a data source, as described in Adding a Data Source.

Opening a Case

To open a case, either:

"Open Recent Case" will always bring up a screen allowing you to select one of the recently opened cases. "Open Case" will do one of two things:

multi_user_case_select.png

Viewing Case Details and the Data Source Summary

You can view the case properties by going to the "Case" menu and clicking "Case Details".

case_properties.png

Most of the case properties can be edited through the "Edit Details" button.

You can view the data source summary by going to the "Case" menu and clicking "Data Source Summary" or by selecting the data source in the Tree Viewer and then the "Summary" tab. More information can be found on the Data Source Summary page.

ds_summary_window.png

Copyright © 2012-2023 BasisTech. Generated on Tue Feb 6 2024
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.