Digital Forensics Investigation using Autopsy In Kali Linux

Autopsy is one of the digital forensics tools used to investigate what happened on a computer. It offers a GUI front end to a variety of investigative command-line tools from The Sleuth Kit, including image file hashing, deleted file recovery, file analysis and case management. Autopsy produces results in real time, an advantage over many other forensics tools.

It comes preinstalled in Kali Linux, so let's start the Kali virtual machine. You will find a 'Forensics' category in the Applications menu. Select 'autopsy' from the list of forensics tools.


When you select Autopsy, a terminal prompt opens showing program information: the version number (2.24), the path to the Evidence Locker folder (/var/lib/autopsy) and the address http://localhost:9999/autopsy at which to open it in a web browser.


Click on that link (or open it in the Kali web browser) and you will be taken to Autopsy's home page. The tool is served by a local web server listening on port 9999.


Create a New Case

The home page offers three options: 'OPEN CASE', 'NEW CASE' and 'HELP'.

For a forensic investigation we need to create a new case in which all the information and evidence is organised. Select 'NEW CASE'.


You will be directed to a page asking for the case name, a description and the investigator names. Note that you can add more than one investigator, because in these scenarios a team of forensic investigators usually works on a single case.


After adding all the required information, select 'NEW CASE'.


This simply shows the name of the case, the location where it will be stored, i.e. /var/lib/autopsy/case01/, and the location of its configuration file, i.e. /var/lib/autopsy/case01/case.aut.

Select ‘ADD HOST’ option below.

Now you will be asked to enter the name of the computer you are investigating and a description of the investigation. After that, it asks for the time zone (leaving it blank selects the default setting), a time skew adjustment (a value in seconds to compensate for a clock that was off on the examined system), the path of an alert hash database (a database of known-bad hashes) and the path of an ignore hash database (a database of known-good hashes). Select 'ADD HOST' to continue.



Select ‘ADD IMAGE’ here.


Creating an Image File

We need to import an image file of the system we want to investigate. Creating this image file is the first step of a forensic investigation, because analysis must never be conducted on the original storage device. A disk image is a file that stores the contents and structure of a data storage device such as a hard drive, CD drive, phone, tablet, RAM or USB stick. The image can be taken locally or remotely.

There are several ways to obtain an image file. You can use tools such as FTK Imager or Guymager, or you can acquire the image from the command line with the dd (disk-to-disk) command:

# dd if=/dev/sda of=ehacking.img

where /dev/sda is the source device and ehacking.img is the destination file.

Once you have an image file, select the 'ADD IMAGE' option.

Import the image into Autopsy by specifying the location of the file and selecting its type, Disk or Partition.

Select the import method ‘Copy’ to copy it into the evidence locker and click on ‘NEXT’.

To maintain the integrity of the image file we must calculate its hash value. Calculating the hash is important so that we can later prove that the file has not been tampered with.


This shows the hash value of the image file and links the image into the evidence locker. Select OK to continue.


The Case Management Prompt

Now we have successfully imported the file for investigation. Let's check its integrity by selecting the 'IMAGE INTEGRITY' option.


This shows the name and the hash value of the file. Select 'VALIDATE'.


The validation is successful, displaying the matching MD5 hashes at the bottom.
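The same two steps, acquiring the image with dd and later re-validating its MD5 the way Autopsy's IMAGE INTEGRITY check does, can be scripted from the Kali shell. This is an added example, not code from the article or from Autopsy; the "device" it images is a constructed sample file standing in for /dev/sda, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): acquire a disk image with dd,
# record its MD5 beside it, and verify it later. The source is a constructed
# sample file; on a real system it would be a block device such as /dev/sda.

# acquire_image SRC DEST: copy SRC to DEST with dd and write DEST.md5 next to it.
acquire_image() {
    src="$1"; dest="$2"
    # conv=noerror,sync keeps reading past bad blocks and pads them with zeros,
    # so the image keeps the same layout as the source device
    dd if="$src" of="$dest" bs=4k conv=noerror,sync 2>/dev/null
    md5sum "$dest" | awk '{print $1}' > "$dest.md5"
}

# verify_image DEST: recompute the MD5 and compare it with the stored value.
# Prints VALID or INVALID and returns 0 or 1 accordingly.
verify_image() {
    dest="$1"
    stored=$(cat "$dest.md5")
    current=$(md5sum "$dest" | awk '{print $1}')
    if [ "$stored" = "$current" ]; then
        echo "VALID: $current"
        return 0
    else
        echo "INVALID: stored $stored, current $current"
        return 1
    fi
}

# Demo on a constructed sample "device" in a temporary directory.
WORK=$(mktemp -d)
printf 'constructed sample disk contents\n' > "$WORK/sda.bin"
acquire_image "$WORK/sda.bin" "$WORK/ehacking.img"
verify_image "$WORK/ehacking.img"           # VALID
printf 'x' >> "$WORK/ehacking.img"          # simulate tampering
verify_image "$WORK/ehacking.img" || true   # INVALID
```

Keep the .md5 file (or the hash printed by Autopsy) with the case notes, since a later VALIDATE is only meaningful against a hash recorded at acquisition time.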


File Analysis

Let’s click on ‘ANALYZE’.


It asks which type of analysis you want. Select 'FILE ANALYSIS'.


It lists the files and directories contained in the image. From here you can analyze the contents of the target image file and conduct the required investigation.


In this article we have learned how to use the forensic tool Autopsy to investigate an image file and analyze its contents. We also calculated the hash value of the image file so that, if there is ever a need to prove its integrity, you can validate it by matching the hash values and so maintain evidence integrity.
