Write protection · Autopsy · Sleuth Kit

Forensics & Analysis

The fundamentals of forensic data handling — write protection, storage and exchange — plus an introduction to Autopsy, the open-source forensic framework built on The Sleuth Kit.


Write protection, storage & exchange

Write protection (a hardware or software write blocker) lets you read a medium but not write to it, so no new timestamps are written and the evidence is not contaminated. If you genuinely cannot write-block, fall back to a normal connection — but document exactly what was done, ideally with witnesses or even on film. Store data securely (who has access? is the room logged?) and have a defined way to exchange images with partners and authorities.

Autopsy — the forensic framework

Autopsy is a forensic framework built on The Sleuth Kit (TSK) from the Linux world, now used worldwide. It loads image files — commonly E01 (EnCase) and DD (raw) — and can carve data, extract web cache and visited sites, read registry hives, hash and compare against known files, and much more.
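As an added example (not Autopsy's or TSK's own code) covering both the integrity point from the write-protection section and the "hash and compare against known files" step above: the script re-hashes an acquired image against the hash recorded at acquisition, then labels extracted files the way a hash-lookup module does. All sample files and hash sets are constructed in a temporary directory; the labels KNOWN/NOTABLE/UNKNOWN and the function names are this example's own choices.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read images in 1 MiB blocks: E01/DD files are often hundreds of GB

def hash_file(path, algo="sha256"):
    """Stream a file through the chosen hash without loading it into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def verify_image(image, acquisition_hash, algo="sha256"):
    """True if the image still matches the hash recorded when it was acquired;
    a mismatch means the copy was altered and must not be used for analysis."""
    return hash_file(image, algo) == acquisition_hash.lower()

def classify_files(root, known_good, known_bad):
    """Hash each file under root and label it like a hash-lookup ingest module:
    NOTABLE if in the known-bad set, KNOWN if in the known-good set, else UNKNOWN."""
    root = Path(root)
    report = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digest = hash_file(p, "md5")  # hash sets are traditionally keyed by MD5
            label = "NOTABLE" if digest in known_bad else "KNOWN" if digest in known_good else "UNKNOWN"
            report[p.relative_to(root).as_posix()] = (digest, label)
    return report

def demo():
    """Constructed sample case: a fake 'image' plus three extracted files (not real evidence)."""
    work = Path(tempfile.mkdtemp())
    image = work / "evidence.dd"
    image.write_bytes(b"\x00" * 4096 + b"FAKE-IMAGE-DATA")
    recorded = hash_file(image)                      # hash noted on the acquisition form
    ok_before = verify_image(image, recorded)
    image.write_bytes(image.read_bytes() + b"!")     # simulate an accidental write to the copy
    ok_after = verify_image(image, recorded)         # now False: chain of custody is broken
    files = work / "extracted"
    files.mkdir()
    (files / "notepad.exe").write_bytes(b"benign system binary")
    (files / "dropper.exe").write_bytes(b"known malicious sample")
    (files / "notes.txt").write_bytes(b"never seen before")
    good = {hash_file(files / "notepad.exe", "md5")}  # stand-in for a known-good (NSRL-style) set
    bad = {hash_file(files / "dropper.exe", "md5")}   # stand-in for a notable/known-bad set
    return ok_before, ok_after, classify_files(files, good, bad)
```

Known-good matches can be dropped from review and notable ones prioritised; everything else still needs a human with a hypothesis, which is the "know what you are looking for" point made later on this page.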

Autopsy works right after installation — just tell it where to save output (the indexed data can be several GB per case, so ensure free space).

Ingest modules

Ingest modules are Autopsy's built-in automation — they look for specific data such as databases, GPS data, carved (deleted) files and search history. Several are pre-installed; more can be downloaded from the community modules repo and Python plugins dropped into the autopsy python_module folder.

Autopsy requires training and knowing what you are looking for. Commercial tools ship ready-made search filters for scenarios — but they cost a lot of money.