About Autopsy and Plugins Installation Guide
Why this Autopsy and plugins installation guide? Basis Technology Autopsy is based on The Sleuth Kit (same company) and uses many 3rd party add-ons. It is useful for analyzing large file sets such as images and file folders. Autopsy is a complex forensics system that requires knowledge of the system to work properly. After trial and error, we provide this fast installation guide to get you started. It will help you install Autopsy on a single Windows computer.
After Autopsy installation, you can also check the OptimizationCore Autopsy Ingestion Modules Configuration guide and the OptimizationCore Basis Technology Autopsy Usage Guide.
Basis Technology Autopsy Installation Steps
1. Download the latest version of Basis Technology Autopsy.
2. Install and open Autopsy.
3. [Close] the “Welcome” window.
4. Follow these steps for basic Autopsy configuration:
[Tools] => [Options]
    [Central Repository]
        [V] Use a Central Repository
        [Configure]
            Type: SQLite
            Name: <Name it>
            Location: <Path to location>
        *** This will be the main repository for all the cases on this local computer.
    [View]
        "When selecting a file:"
            (*) Stay on the same file viewer
    [Machine Translation]
        *** You can set up a language translator for File names / Folder names / Text Documents (content)
    [Application]
        *** You can choose a logo for your reports ([Generate Report] feature)
        "Logo"
            (*) Specify a logo: [Browse]
Installing Basis Technology Autopsy 3rd party modules and plugins
The official Basis Technology Autopsy 3rd party modules GitHub page contains a list of plugins that were reviewed by the Autopsy team. Installing plugins from unknown sources is not recommended. Most of the plugins are stored in other repositories, and the Autopsy repository links to the actual download.
Installing NBM Plugins
NBM modules are Java modules packaged in a NetBeans Module container (*.nbm extension):
a. Contain several modules
b. Auto update available
c. Version and compatibility check for Autopsy – if the plugin is not compatible, you will receive an alert.
How to Install Autopsy NBM Modules:
1. Open Autopsy and close the “Welcome” window.
2. Follow the steps:
[Tools] => [Plugins]
    "Plugins"
        [Downloaded] => [Add Plugins...] => Select "*.nbm" file
        [Install]
Our NBM Module recommendations: Video Triage, Virus Total Online Check.
The “Video Triage” module is by the Autopsy team. It is a “Content Viewer Module”, meaning it adds the ability to view / preview content in the view panel (right pane). Specifically, the “Video Triage” module shows keyframes from selected video files, which should give you an idea of what the video is about without viewing the whole file. Download Autopsy Video Triage Module. You will need to enter an email address there to obtain the link. Extract the archive to get the NBM file.
Another module that can be helpful to some is the VirusTotal Ingest module. It checks the file hashes of the data source against VT using their API. You will need to register with VT to get the free API, with a maximum of 500 hash checks per day. For this case it is better to use Sigcheck. Check our SysInternals Sigcheck VirusTotal Offline Scan guide.
Installing Python Plugins
“Python modules” are Python scripts:
a. Contain one or more *.py files
b. Ingest and Report modules
c. Do not verify versions
d. Need to be copied to a central location
How to Install Autopsy Python Modules:
1. Open Autopsy and close the “Welcome” window.
2. View the current Python Plugins folder or choose another one:
[Tools] => [Python Plugins] => Select the folder
3. Copy all your Python plugins to this folder. Each plugin should have its own folder. Do not throw the PY files in the Plugins root folder.
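An added example, not part of the original guide or of Autopsy: because Python modules are not version-checked, this script audits a plugins folder against the one-folder-per-plugin rule above and records SHA-256 hashes so later changes to plugin files can be spotted. The folder contents are a constructed sample and the function names are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path


def audit_plugin_dir(root):
    """Check the layout rule and build a SHA-256 inventory of plugin files."""
    root = Path(root)
    report = {"stray_py": [], "empty_plugins": [], "inventory": {}}
    for entry in sorted(root.iterdir()):
        if entry.is_file() and entry.suffix.lower() == ".py":
            # Rule from the guide: no .py files directly in the plugins root.
            report["stray_py"].append(entry.name)
        elif entry.is_dir():
            files = sorted(p for p in entry.rglob("*") if p.is_file())
            if not any(p.suffix.lower() == ".py" for p in files):
                # A plugin folder with no script cannot be loaded as a module.
                report["empty_plugins"].append(entry.name)
            for p in files:
                digest = hashlib.sha256(p.read_bytes()).hexdigest()
                report["inventory"][p.relative_to(root).as_posix()] = digest
    return report


def changed_files(baseline, current):
    """Return paths that were added, removed or modified since the baseline."""
    paths = set(baseline) | set(current)
    return sorted(p for p in paths if baseline.get(p) != current.get(p))


def build_sample(root):
    """Constructed sample: one proper plugin, one stray file, one folder without scripts."""
    root = Path(root)
    (root / "Process_EVTX").mkdir()
    (root / "Process_EVTX" / "Process_EVTX.py").write_text("# constructed sample\n")
    (root / "stray_module.py").write_text("# constructed sample\n")
    (root / "notes_only").mkdir()
    (root / "notes_only" / "README.txt").write_text("no python here\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        before = audit_plugin_dir(tmp)
        print("stray .py files:", before["stray_py"])
        print("folders without .py:", before["empty_plugins"])
        (Path(tmp) / "Process_EVTX" / "Process_EVTX.py").write_text("# edited\n")
        after = audit_plugin_dir(tmp)
        print("changed:", changed_files(before["inventory"], after["inventory"]))
```

To use it on a real installation, pass the folder shown under [Tools] => [Python Plugins] to audit_plugin_dir and keep the returned inventory with the case notes.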
Recommended Python Ingest Modules from the Autopsy GitHub repository:
Amazon_Echosystem_Parser
EML_Parser
FileHistory
LFA-master
Process_EVTX
Process_Extract_VSS
Process_Facebook_Chats
Process_Prefetch_Files_V41
Process_TeraCopy
Process_Windows_Mail
Recycle_Bin
Shimcache_parser
Thumbcache_parser
Thumbs_parser
Webcache
Windows_Internals
Wordlist
MS_Office_Telemetry_Parser
Autopsy Ingestion Modules Configuration
After you have finished installing Autopsy and the plugins / modules, you can continue to the OptimizationCore Autopsy Ingestion Modules Configuration guide.