No single vendor can provide a solution to every analysis problem and no one knows what analysis techniques will work best on tomorrow's problems. Autopsy was designed with this in mind. In several places, it uses frameworks that allow plug-in modules to be easily inserted. This allows you to customize Autopsy to suit your analysis needs and extend it with custom or third-party modules.
Autopsy is written in Java using the NetBeans Platform. This approach allows Autopsy to run on multiple platforms (Windows, OS X, Linux, etc.) and have a modular framework that makes it easy to incorporate other open source forensics tools and create an end-to-end solution.
There are several places in Autopsy where frameworks are used to allow for custom plug-ins to be applied. There are currently three frameworks:
Ingest Modules run in parallel and analyze the disk image contents. When the investigator adds a disk image to the case, she is prompted to enable and configure the ingest modules. Example modules include hash calculation, registry analysis, and keyword search. Refer to the Features page for a list of modules that Autopsy currently ships with.
Autopsy was designed to have third-party modules as well. Refer to the add-on module GitHub repo for the latest list. Developers are encouraged to write ingest modules because they will get faster results by letting Autopsy deal with file access and reporting. Developers can focus on fancy analysis techniques.
Content viewers allow the examiner to view a single file. Different viewers display the file in different formats. Examples include hex, strings, and media (images, video, etc., using GStreamer). Additional viewers can be created to view different file types (such as advanced text analytics or image analysis).
Report modules create the final report. They access the central database to collect the results from all of the ingest modules. The basic version of Autopsy comes with an HTML and Excel report format. You can make other modules to report in custom formats.
Add-on Viewers show data in a more complex way than the three-panel design. As an example, the timeline viewer displays the timeline data in graph form.