Autopsy 4.10 released: Open source forensics tool

Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera’s memory card.

Autopsy supports 32-bit and 64-bit Windows, and also runs on Linux and OS X (download the source code and compile it yourself).


  • Multi-User Cases: Collaborate with fellow examiners on large cases.
  • Timeline Analysis: Displays system events in a graphical interface to help identify activity.
  • Keyword Search: Text extraction and indexed search modules enable you to find files that mention specific terms and find regular expression patterns.
  • Web Artifacts: Extracts web activity from common browsers to help identify user activity.
  • Registry Analysis: Uses RegRipper to identify recently accessed documents and USB devices.
  • LNK File Analysis: Identifies shortcuts and accessed documents.
  • Email Analysis: Parses MBOX format messages, such as Thunderbird.
  • EXIF: Extracts geolocation and camera information from JPEG files.
  • File Type Sorting: Group files by their type to find all images or documents.
  • Media Playback: View videos and images in the application without requiring an external viewer.
  • Thumbnail viewer: Displays thumbnails of images to help you quickly view pictures.
  • Robust File System Analysis: Support for common file systems, including NTFS, FAT12/FAT16/FAT32/ExFAT, HFS+, ISO9660 (CD-ROM), Ext2/Ext3/Ext4, Yaffs2, and UFS from The Sleuth Kit.
  • Hash Set Filtering: Filter out known good files using NSRL and flag known bad files using custom hashsets in HashKeeper, md5sum, and EnCase formats.
  • Tags: Tag files with arbitrary tag names, such as ‘bookmark’ or ‘suspicious’, and add comments.
  • Unicode Strings Extraction: Extracts strings from unallocated space and unknown file types in many languages (Arabic, Chinese, Japanese, etc.).
  • File Type Detection based on signatures and extension mismatch detection.
  • Interesting Files Module will flag files and folders based on name and path.
  • Android Support: Extracts data from SMS, call logs, contacts, Tango, Words with Friends, and more.

Changelog 4.10

New Features:

  • Central Repository
    • Case Manager shows data source details
    • SSID, MAC address, IMEI, IMSI, and ICCID can be stored and correlated on
    • SSID, MAC address, IMEI, IMSI, and ICCID values from past cases are flagged if they are seen again in the current case.
    • File types can be specified when searching for common files with past cases.
    • Results from finding common files with past cases are now organized by case instead of by number of occurrences.
    • The Central Repository can now be searched for a specific value (hash, email, etc.).
  • The E01 Verifier ingest module was renamed to Data Source Integrity module and it will:
    • Calculate hashes if none exist for a non-E01 data source
    • Validate hashes if they are defined
  • MD5, SHA1, or SHA256 hash values of raw data sources can now be specified when they are added.
  • Added the ability for examiners to select the time zone for displaying dates.
  • Tesseract OCR text extraction for keyword search now supports languages other than English, if language packs are installed.
  • Custom headers and footers can now be added to HTML reports.
  • New report module to export basic file data in CASE/UCO format.
  • Ingest filter rules (for triage) can now specify a list of extensions (such as “jpg,jpeg,png”) instead of needing to make a rule for each extension.
  • Image Gallery
    • Refactored to ensure database was fully closed when case was closed.
    • No longer pre-populate DrawableDB database.
    • Added caching to reduce time required to insert files after analysis.

Bug Fixes:

  • Duplicate interesting item and EXIF metadata artifacts are no longer created when you run the modules that generate them more than once.
  • The Application content viewer now displays SQLite table column names even when the table is empty.
  • Assorted small bug fixes are included.


Copyright © 2003-2017 Brian Carrier