
NAME

       autopsy - Autopsy Forensic Browser

SYNOPSIS

       autopsy  [-c]  [-C]  [-d  evid_locker ] [-i device filesystem mnt ] [-p
       port ] [addr]

DESCRIPTION

       By default, autopsy starts the Autopsy Forensic Browser server on  port
       9999  and  accepts  connections  only from the localhost.  If -p port is
       given, then the server opens on that port and if addr  is  given,  then
       connections  are only accepted from that host.  When the -i argument is
       given, then autopsy goes into live analysis mode.

       The arguments are as follows:

       -c     Force the program to use cookies even for localhost.

       -C     Force the program to not use cookies even for remote hosts.

       -d evid_locker
              Directory where cases and hosts are stored.  This overrides  the
              LOCKDIR  value  in  conf.pl.  The path must be a full path (i.e.
              start with /).

       -i device filesystem mnt
              Specify the information for the live analysis mode.  This can be
              specified  as many times as needed.  The device field is for the
              raw file system device, the filesystem field  is  for  the  file
              system  type, and the mnt field is for the mounting point of the
              file system.

       -p port
              TCP port for server to listen on.

       addr   IP address or host name of where investigator  is  located.   If
              localhost is used, then 'localhost' must be used in the URL.  If
              you use the actual hostname or IP, it will be rejected.
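
       The following is an added example, not part of autopsy or The Sleuth
       Kit: a small sh helper that builds the "-i device filesystem mnt"
       triples for live analysis mode from a /proc/mounts-style listing, so
       that the device, type and mount point of each file system to examine
       are taken from the running system rather than typed by hand.  The
       function name live_args and the mounts file format (whitespace-
       separated fields: device, mount point, type, options) are assumptions
       of this example; the type string is passed through exactly as it
       appears in the mounts file, and whether autopsy accepts that spelling
       for a given file system is not stated on this page.

```sh
#!/bin/sh
# Added example (hypothetical helper, not part of autopsy): compose the
# "-i device filesystem mnt" argument triples for live analysis mode.
#
# live_args MOUNTS_FILE MNT...
#   Prints one "-i DEVICE TYPE MNT" line per requested mount point, looked
#   up in MOUNTS_FILE (same layout as /proc/mounts: device, mount point,
#   type, options ...).  A mount point that is not listed is reported on
#   stderr and skipped; the return value is 1 if any were skipped, else 0.
live_args() {
    mounts=$1
    shift
    rc=0
    for mnt in "$@"; do
        # first line whose mount-point field ($2) matches; emit "device type"
        line=$(awk -v m="$mnt" '$2 == m { print $1, $3; exit }' "$mounts")
        if [ -z "$line" ]; then
            echo "live_args: $mnt not found in $mounts" >&2
            rc=1
            continue
        fi
        # assumption: the type name is passed through unchanged
        printf '%s %s %s\n' "-i" "$line" "$mnt"
    done
    return $rc
}

# Stand-alone use: print the triples for the live system's root file system,
# e.g.  sh live_args.sh --demo
case "${1:-}" in
    --demo) live_args /proc/mounts / ;;
esac
```

       The printed lines can be spliced into an autopsy invocation, e.g.
       autopsy $(live_args /proc/mounts / /mnt/usb) -p 8888 10.1.34.19, with
       one -i triple per file system.  Pseudo file systems such as proc or
       sysfs are not filtered out, so request only the mount points you
       actually intend to examine.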

       When started, the program will display a URL  to  paste  into  an  HTML
       browser.   The  browser  must  support  frames and forms.   The Autopsy
       Forensic Browser will allow an investigator to analyze images generated
       by dd(1) for evidence.  The program allows the images to be analyzed by
       browsing files, blocks,  inodes,  or  by  searching  the  blocks.   The
       program  also  generates  Autopsy reports that include collection time,
       the investigator's name, and MD5 hash values.

VARIABLES

       The following variables can be set in conf.pl.

       USE_STIMEOUT
              When set to 1  (default  is  0),  the  server  will  exit  after
              STIMEOUT  seconds of inactivity (default is 3600).  This setting
              is recommended if cookies are not used.
       BASEDIR
              Directory where cases and  forensic  images  are  located.   The
              images  must  have simple names with only letters, numbers, '_',
              '-', and '.'.  (See FILES).
       TSKDIR
              Directory where The Sleuth Kit binaries are located.
       NSRLDB
              Location of the NIST National Software Reference Library (NSRL).
       INSTALLDIR
              Directory where Autopsy was installed.
       GREP_EXE
              Location of grep(1) binary.
       STRINGS_EXE
              Location of strings(1) binary.

FILES

       Evidence Locker
              The  Evidence  Locker is where all cases and hosts will be saved
              to.  It is a directory that will have a directory for each case.
              Each case directory will have a directory for each host.

       <CASE_DIR>/case.aut
              This  file  is  the  case  configuration  file for the case.  It
              contains the description of the case and default  subdirectories
              for the hosts.

       <CASE_DIR>/investigators.txt
              This  file contains the list of investigators that will use this
              case.  These are used for logging only, not authentication.

       <HOST_DIR>/host.aut
              This file is where the host configuration details are saved.  It
              is  similar  to  the  'fsmorgue'  file from previous versions of
              Autopsy.  It has an entry for each file in the host and contains
              the host description.

       md5.txt
              Some  directories  will  have  this file in it.  It contains MD5
              values for important files in the directory.  This makes it easy
              to validate the integrity of images.
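
       The following is an added example, not part of autopsy or The Sleuth
       Kit, showing the integrity check that md5.txt makes possible: one sh
       function records MD5 values for image files in an evidence directory
       and another re-verifies the directory against them, so that a modified
       or missing image is detected before analysis.  It assumes md5.txt is
       written in md5sum(1) "HASH  FILENAME" format (readable by md5sum -c);
       the exact layout autopsy itself writes is not given on this page.  The
       function names record_md5 and verify_md5 are this example's own.

```sh
#!/bin/sh
# Added example (not autopsy's own code): record and verify MD5 values for
# image files in an evidence directory.
# ASSUMPTION: md5.txt uses md5sum(1) "HASH  FILENAME" lines so that
# "md5sum -c" can read it back.

# record_md5 DIR FILE...
#   Appends the MD5 of each FILE (path relative to DIR) to DIR/md5.txt.
#   Returns md5sum's status (non-zero if a file cannot be read).
record_md5() {
    dir=$1
    shift
    ( cd "$dir" && md5sum "$@" ) >> "$dir/md5.txt"
}

# verify_md5 DIR
#   Returns 0 if every file listed in DIR/md5.txt still matches its hash,
#   1 if any hash differs or a listed file is missing, 2 if there is no
#   md5.txt at all (nothing to verify against is itself a finding).
verify_md5() {
    dir=$1
    if [ ! -f "$dir/md5.txt" ]; then
        echo "verify_md5: no md5.txt in $dir" >&2
        return 2
    fi
    ( cd "$dir" && md5sum -c md5.txt >/dev/null ) || return 1
}

# demo: build a constructed evidence directory with a small dd(1) image,
# record it, verify it, tamper with it, and show the verification now fails.
demo() {
    d=$(mktemp -d)
    dd if=/dev/zero of="$d/disk.dd" bs=1024 count=16 2>/dev/null
    record_md5 "$d" disk.dd
    if verify_md5 "$d"; then
        echo "intact image: verification passed"
    fi
    printf 'x' >> "$d/disk.dd"           # simulate a modified image
    if verify_md5 "$d"; then
        echo "ERROR: tampered image passed verification"
    else
        echo "tampered image: verification failed as expected"
    fi
    rm -rf "$d"
}

case "${1:-}" in
    --demo) demo ;;
esac
```

       Run the script with --demo to see both outcomes.  In practice, run
       record_md5 once, immediately after the dd(1) acquisition, and run
       verify_md5 whenever the images are copied or before a new analysis
       session; a non-zero return is the signal that the evidence set no
       longer matches what was collected.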

EXAMPLE

       # autopsy -p 8888 10.1.34.19

SEE ALSO

       dd(1), fls(1), ffind(1), ifind(1), grep(1), icat(1), md5(1), strings(1)

REQUIREMENTS

       The Autopsy Forensic Browser requires The Sleuth Kit
       <www.sleuthkit.org/sleuthkit>

HISTORY

       autopsy first appeared in Autopsy v1.0.

LICENSE

       This software is distributed under the GNU Public License.

AUTHOR

       Brian Carrier <carrier at sleuthkit dot org>

       Send documentation updates to <doc-updates at sleuthkit dot org>