autopsy
NAME
autopsy - Autopsy Forensic Browser
SYNOPSIS
autopsy [-c] [-C] [-d evid_locker] [-i device filesystem mnt]
[-p port] [addr]
DESCRIPTION
By default, autopsy starts the Autopsy Forensic Browser
server on port 9999 and accepts connections only from the
localhost. If -p port is given, then the server opens on
that port, and if addr is given, then connections are only
accepted from that host. When the -i argument is given,
autopsy goes into live analysis mode.
The arguments are as follows:
-c Force the program to use cookies even for localhost.
-C Force the program to not use cookies even for remote
hosts.
-d evid_locker
Directory where cases and hosts are stored. This
overrides the LOCKDIR value in conf.pl. The path must be
a full path (i.e. start with /).
-i device filesystem mnt
Specify the information for the live analysis mode.
This can be specified as many times as needed. The
device field is for the raw file system device, the
filesystem field is for the file system type, and the
mnt field is for the mounting point of the file system.
-p port
TCP port for server to listen on.
addr IP address or host name of where investigator is
located. If localhost is used, then 'localhost' must be
used in the URL. If you use the actual hostname or IP,
it will be rejected.
When started, the program will display a URL to paste into
an HTML browser. The browser must support frames and forms.
The Autopsy Forensic Browser allows an investigator to
analyze images generated by dd(1) for evidence. The program
allows the images to be analyzed by browsing files, blocks,
inodes, or by searching the blocks. The program also
generates Autopsy reports that include collection time,
investigator's name, and MD5 hash values.
VARIABLES
The following variables can be set in conf.pl.
USE_STIMEOUT
When set to 1 (default is 0), the server will exit
after STIMEOUT seconds of inactivity (default is 3600).
This setting is recommended if cookies are not used.
BASEDIR
Directory where cases and forensic images are located.
The images must have simple names with only letters,
numbers, '_', '-', and '.'. (See FILES).
TSKDIR
Directory where The Sleuth Kit binaries are located.
NSRLDB
Location of the NIST National Software Reference
Library (NSRL).
INSTALLDIR
Directory where Autopsy was installed.
GREP_EXE
Location of grep(1) binary.
STRINGS_EXE
Location of strings(1) binary.
FILES
Evidence Locker
The Evidence Locker is where all cases and hosts are
saved. It is a directory that has a directory for each
case. Each case directory has a directory for each host.
<CASE_DIR>/case.aut
This file is the case configuration file for the case.
It contains the description of the case and default
subdirectories for the hosts.
<CASE_DIR>/investigators.txt
This file contains the list of investigators that will
use this case. These are used for logging only, not
authentication.
<HOST_DIR>/host.aut
This file is where the host configuration details are
saved. It is similar to the 'fsmorgue' file from
previous versions of Autopsy. It has an entry for each
file in the host and contains the host description.
md5.txt
Some directories contain this file. It holds MD5 values
for important files in the directory. This makes it easy
to validate the integrity of images.
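The md5.txt check described above, as an added example (not part of Autopsy or of this manual page). The manifest layout of one MD5 hex digest followed by a file name per line is an assumption, as are the function names and the constructed sample files; names are held to the character set given under BASEDIR.

```python
import hashlib
import os
import re
import tempfile

# Name rule from the BASEDIR entry: letters, numbers, '_', '-', '.'
SIMPLE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")

def md5_of(path, chunk=1 << 20):
    """Hash in chunks so a large dd image is never read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_dir(directory, manifest="md5.txt"):
    # Assumed layout (the man page gives none): "<md5 hex>  <file name>" per line.
    results = {}
    with open(os.path.join(directory, manifest)) as f:
        for line in f:
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue  # blank or malformed line
            expected, name = parts[0].lower(), parts[1].strip()
            target = os.path.join(directory, name)
            if not SIMPLE_NAME.match(name):
                status = "BAD_NAME"  # rejects '/' so entries cannot leave the directory
            elif not os.path.isfile(target):
                status = "MISSING"
            else:
                status = "OK" if md5_of(target) == expected else "MISMATCH"
            results[name] = status
    return results

def demo():
    """Build a constructed evidence directory and verify it."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("hda1.dd", b"constructed image A"),
                           ("hda2.dd", b"constructed image B")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        good = hashlib.md5(b"constructed image A").hexdigest()
        stale = hashlib.md5(b"before modification").hexdigest()
        with open(os.path.join(d, "md5.txt"), "w") as f:
            f.write(f"{good}  hda1.dd\n{stale}  hda2.dd\n"
                    f"{good}  ../escape.dd\n{good}  gone.dd\n")
        return verify_dir(d)
```

Any status other than OK means the image should not be analyzed until the discrepancy is explained and recorded.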
EXAMPLE
# ./autopsy -p 8888 10.1.34.19
SEE ALSO
dd(1), fls(1), ffind(1), ifind(1), grep(1), icat(1), md5(1),
strings(1)
REQUIREMENTS
The Autopsy Forensic Browser requires The Sleuth Kit
<www.sleuthkit.org/sleuthkit>
HISTORY
autopsy first appeared in Autopsy v1.0.
LICENSE
This software is distributed under the GNU Public License.
AUTHOR
Brian Carrier <carrier@sleuthkit.org>