autopsy - Autopsy Forensic Browser
autopsy [-c] [-C] [-d evid_locker] [-i device filesystem mnt] [-p port] [addr]
By default, autopsy starts the Autopsy Forensic Browser server on port
9999 and accepts connections from the localhost. If -p port is given,
then the server opens on that port, and if addr is given, then
connections are only accepted from that host. When -i is given,
autopsy goes into live analysis mode.
The arguments are as follows:
- -d evid_locker
- Directory where cases and hosts are stored. This overrides
the LOCKDIR value in conf.pl. The path must be a full path
(i.e. start with /).
- -i device filesystem mnt
- Specify the information for the live analysis mode. This
can be specified as many times as needed. The device field is for
the raw file system device, the filesystem field is for the file
system type, and the mnt field is for the mounting point of the
- -p port
- TCP port for server to listen on.
- addr
- IP address or host name of where the investigator is located.
If localhost is used, then 'localhost' must be used in the URL. If you use
the actual hostname or IP, it will be rejected.
When started, the program will display a URL to paste into an HTML browser. The
browser must support frames and forms. The Autopsy Forensic Browser will allow
an investigator to analyze images generated by dd(1) for evidence. The
program allows the images to be analyzed by browsing files, blocks, inodes, or
by searching the blocks. The program also generates Autopsy reports that
include collection time, investigator's name, and MD5 hash values.
The following variables can be set in conf.pl.
When set to 1 (default is 0), the server will
exit after STIMEOUT seconds of inactivity (default is 3600). This
setting is recommended if cookies are not used.
Directory where cases and forensic images are
located. The images must have simple names with only letters, numbers, '_',
'-', and '.'. (See FILES).
Directory where The Sleuth Kit binaries are
Location of the NIST National Software
Reference Library (NSRL).
Directory where Autopsy was installed.
Location of grep(1) binary.
Location of strings(1) binary.
The Evidence Locker is where all cases and
hosts will be saved to. It is a directory that will have a directory for each
case. Each case directory will have a directory for each host.
This file is the case configuration file for
the case. It contains the description of the case and default subdirectories
for the hosts.
This file contains the list of investigators
that will use this case. These are used for logging only, not authentication.
This file is where the host configuration
details are saved. It is similar to the 'fsmorgue' file from previous versions
of Autopsy. It has an entry for each file in the host and contains the host
Some directories will have this file in them. It
contains MD5 values for important files in the directory. This makes it easy
to validate the integrity of images.
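The evidence locker rules above (full path for -d, simple file names, MD5 values kept beside the images) can be checked before the server is started. The script below is an added example and is not part of Autopsy. It assumes the hash list uses md5sum(1)-style lines and takes the list's file name from the caller; the names md5_of, locker_findings and check_locker are hypothetical.

```shell
#!/bin/sh
# Added example, not part of Autopsy. Assumptions: the hash list uses
# md5sum(1)-style lines ("<md5>  <file name>") and its file name is
# supplied by the caller.
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges below ASCII-only

# Print the MD5 hex digest of file $1.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"   # BSD/macOS fallback
    fi
}

# locker_findings DIR LISTNAME: print one finding per line, nothing if clean.
locker_findings() {
    locker=$1 listname=$2
    # -d requires a full path (one that starts with /).
    case $locker in /*) ;; *) echo "NOT-ABSOLUTE $locker"; return 0 ;; esac
    find "$locker" -type f | sort | while IFS= read -r f; do
        # Names may contain only letters, numbers, '_', '-' and '.'.
        case ${f##*/} in *[!A-Za-z0-9_.-]*) echo "BAD-NAME $f" ;; esac
        [ "${f##*/}" = "$listname" ] || continue
        dir=${f%/*}
        # Re-hash every file the list names and compare.
        while read -r want name || [ -n "$want" ]; do
            [ -n "$name" ] || continue
            want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
            if [ ! -f "$dir/$name" ]; then
                echo "MISSING $dir/$name"
            elif [ "$(md5_of "$dir/$name")" != "$want" ]; then
                echo "MISMATCH $dir/$name"
            fi
        done < "$f"
    done
}

# check_locker DIR LISTNAME: print findings, return 0 if clean and 1 if not.
check_locker() {
    findings=$(locker_findings "$1" "$2")
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Usage: sh check_locker.sh /full/path/to/evid_locker LISTNAME
if [ "$#" -eq 2 ]; then check_locker "$1" "$2"; fi
```

A MISMATCH or MISSING line means an image no longer matches its recorded MD5 value and should be re-acquired or investigated before analysis continues.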
# autopsy -p 8888 10.1.34.19
The Autopsy Forensic Browser requires The Sleuth Kit
first appeared in Autopsy
This software is distributed under the GNU Public License.
Brian Carrier <carrier at sleuthkit dot org>
Send documentation updates to <doc-updates at sleuthkit dot org>