Had a client accidentally delete critical business files. Empty trash, backups were corrupted, typical disaster scenario. Needed something more powerful than basic recovery software.
That's when I properly explored Autopsy. It's a graphical interface for The Sleuth Kit, used by actual digital forensics investigators. The learning curve is steeper than consumer recovery tools, but you get access to professional-grade analysis capabilities.
What Autopsy actually does
Autopsy isn't just about hitting "recover" and hoping for the best. It analyzes disk images at multiple levels:
🔍 File System Analysis
Understands NTFS, FAT, EXT4, HFS+ and other file systems. Reads metadata, journaling data, and allocation tables.
🗑️ Deleted File Recovery
Finds files marked as deleted but not yet overwritten. Recovers directory structure and timestamps.
🖼️ File Carving
Recovers files based on content signatures even when filesystem metadata is gone. Great for corrupted drives.
📊 Timeline Analysis
Shows when files were created, modified, accessed. Useful for understanding what happened and when.
🔐 Web Browser Artifacts
Extracts history, downloads, cookies and bookmarks from Chrome, Firefox and Safari. Records the user cleared from the browser can sometimes still be carved out of unallocated space, but treat that as a best-effort result, not a guarantee.
📱 Mobile Device Support
Analyzes iOS and Android backups. Extracts messages, call logs, app data.
Installing Autopsy
Autopsy is cross-platform, but Windows is the primary platform; on Linux and macOS it ships as a zip archive plus a setup script rather than a one-line package install:
# Windows
# Download the 64-bit installer from sleuthkit.org - it bundles the Java runtime Autopsy needs
# Linux (Ubuntu/Debian)
# Don't use `sudo apt-get install autopsy`: that package is the obsolete Autopsy 2.x Perl web interface, not Autopsy 4
# Instead: install the sleuthkit-java .deb from the Sleuth Kit release, unzip the Autopsy 4 zip and run its unix_setup.sh
# macOS (Intel and Apple Silicon)
# Same zip + unix_setup.sh route as Linux; macOS is the least-tested platform and there is no Homebrew cask from the project
Note: each Autopsy release is built against a specific Java version (the release notes name it). The Windows installer bundles that runtime; on Linux and macOS you install the JDK yourself and point unix_setup.sh at it if it isn't the system default.
Creating a disk image (important first step)
Before analyzing anything, create a disk image and work only from the image. Never run recovery against the original drive: every write, including the recovery tool's own temp files, can overwrite the very clusters you are trying to get back. Image the whole device (not a partition), with the drive unmounted, and through a hardware write blocker if you have one.
# On Linux - cheap software write-protection, then a bit-for-bit copy
sudo blockdev --setro /dev/sdb
sudo dd if=/dev/sdb of=evidence.img bs=4M conv=noerror,sync status=progress
# noerror = keep going past unreadable sectors; sync = zero-fill them so later offsets stay aligned.
# sync also pads the final partial block, so sha256sum of device and image only agree when the
# device size is a multiple of bs - dc3dd/dcfldd (or ewfacquire for E01) hash as they copy and avoid this.
sha256sum /dev/sdb evidence.img
# On macOS - unmount first, use the raw device, lowercase size suffix; drop status=progress if your dd rejects it
diskutil unmountDisk /dev/disk2
sudo dd if=/dev/rdisk2 of=evidence.img bs=4m conv=noerror,sync
# Split into chunks if the image is huge (point Autopsy at the first piece; it finds the rest)
sudo dd if=/dev/sdb bs=4M conv=noerror,sync | split -b 4G - evidence.img.
# On Windows - use FTK Imager (free) or similar
# Or via WSL2: attach the physical disk from an admin PowerShell first, then image it from WSL (check lsblk for the new /dev/sdX)
wsl --mount \\.\PHYSICALDRIVE2 --bare
wsl dd if=/dev/sdb of=/mnt/c/evidence.img bs=4M conv=noerror,sync status=progress
# /mnt/c is your Windows system drive - make sure that is not the drive you are recovering from
Why this matters: the image is what you analyze; the original goes back in a drawer. Hash both and keep the hashes with the case notes so you can show later that the image is unchanged. In professional forensics this is standard practice, and Autopsy's Data Source Integrity ingest module can re-verify the image hash for you.
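The imaging step in code, as an added example that is not from the original post, Autopsy or The Sleuth Kit: a minimal dd-style imager in Python that behaves like `conv=noerror,sync` (an unreadable block is zero-filled so everything after it keeps its offset) but without dd's tail padding, hashes as it copies, and writes an acquisition log next to the image. The in-memory "drive" with one bad block, the 4 KiB block size used in the demo and all paths are assumptions for illustration; for a real acquisition run `acquire()` as root against an unmounted whole device.

```python
"""Added example (not from the post, Autopsy or The Sleuth Kit): a dd-style
imager with conv=noerror,sync semantics, hashing and an acquisition log.
Paths, block sizes and the bad-block test double are assumptions."""
import hashlib
import io
import os
from datetime import datetime, timezone

BLOCK_SIZE = 4 * 1024 * 1024  # same as bs=4M


def copy_with_zero_fill(src, size, dst, block_size=BLOCK_SIZE):
    """Copy `size` bytes from stream src to stream dst, block by block.

    A block that cannot be read is replaced by zeros of the same length so the
    rest of the image keeps its offsets (a file system parser depends on that).
    Unlike dd, the final partial block is NOT padded, so the image is exactly as
    long as the source. Returns (sha256 of the image, offsets of bad blocks).
    """
    digest, bad_offsets, offset = hashlib.sha256(), [], 0
    while offset < size:
        want = min(block_size, size - offset)
        try:
            src.seek(offset)
            chunk = src.read(want)
            if len(chunk) != want:
                raise OSError(5, "short read")
        except OSError:
            bad_offsets.append(offset)
            chunk = b"\x00" * want
        dst.write(chunk)
        digest.update(chunk)
        offset += want
    return digest.hexdigest(), bad_offsets


def sha256_of(stream, size, block_size=BLOCK_SIZE):
    """Hash the first `size` bytes of a stream (used to verify a clean source)."""
    stream.seek(0)
    digest, remaining = hashlib.sha256(), size
    while remaining > 0:
        chunk = stream.read(min(block_size, remaining))
        if not chunk:
            break
        digest.update(chunk)
        remaining -= len(chunk)
    return digest.hexdigest()


def acquire(src_path, dst_path, block_size=BLOCK_SIZE):
    """Image a file or whole block device (e.g. /dev/sdb, unmounted) to dst_path,
    write dst_path + '.log', make the image read-only and return a summary."""
    with open(src_path, "rb", buffering=0) as src:
        size = src.seek(0, os.SEEK_END)  # works for block devices as well as files
        with open(dst_path, "wb") as dst:
            image_hash, bad = copy_with_zero_fill(src, size, dst, block_size)
        # Re-reading a source with bad sectors would fail, so only hash clean sources.
        source_hash = None if bad else sha256_of(src, size, block_size)
    verified = source_hash == image_hash
    with open(dst_path + ".log", "w", encoding="utf-8") as log:
        log.write(f"acquired={datetime.now(timezone.utc).isoformat()}\n")
        log.write(f"source={src_path} size={size} block_size={block_size}\n")
        log.write(f"sha256_image={image_hash}\n")
        log.write(f"sha256_source={source_hash or 'not computed (read errors)'}\n")
        log.write(f"bad_blocks={bad}\nverified={verified}\n")
    os.chmod(dst_path, 0o444)
    return {"size": size, "sha256": image_hash, "bad_blocks": bad, "verified": verified}


class UnreadableBlockSource(io.BytesIO):
    """Constructed test double: a 'drive' whose read fails inside one block."""

    def __init__(self, data, bad_offset):
        super().__init__(data)
        self.bad_offset = bad_offset

    def read(self, n=-1):
        pos = self.tell()
        if n > 0 and pos <= self.bad_offset < pos + n:
            raise OSError(5, "Input/output error")
        return super().read(n)


def demo(block_size=4096):
    """Image the same constructed 10,000-byte drive twice: healthy, then with
    the block at offset 4096 unreadable. Only the clean image hashes like the source."""
    data = (bytes(range(256)) * 40)[:10_000]
    clean_hash, clean_bad = copy_with_zero_fill(io.BytesIO(data), len(data), io.BytesIO(), block_size)
    flaky_dst = io.BytesIO()
    flaky_hash, flaky_bad = copy_with_zero_fill(
        UnreadableBlockSource(data, bad_offset=block_size), len(data), flaky_dst, block_size)
    expected_flaky = data[:block_size] + b"\x00" * block_size + data[2 * block_size:]
    return {
        "source_sha256": hashlib.sha256(data).hexdigest(),
        "clean_sha256": clean_hash, "clean_bad": clean_bad,
        "flaky_sha256": flaky_hash, "flaky_bad": flaky_bad,
        "flaky_image_len": len(flaky_dst.getvalue()),
        "expected_flaky_sha256": hashlib.sha256(expected_flaky).hexdigest(),
    }
```

`demo()` is the point of the example: the image with a bad block is still exactly 10,000 bytes long and the parser will find every later structure where it expects it, but its hash can never match the source, which is why the log records bad-block offsets rather than just "verified: no".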
Creating a new case
Launch Autopsy and create a new case:
- Click "New Case" and give it a name and case number
- Choose a location for case data (needs space for extracted files)
- Add a data source - select your disk image file
- Choose ingest modules (more on this below)
- Let it run the initial analysis
The initial analysis can take a while depending on drive size. For a 500GB drive, expect anywhere from 30 minutes to several hours.
Understanding ingest modules
Ingest modules are analysis plugins that run automatically. Here's what I typically enable:
| Module | Purpose | Speed |
|---|---|---|
| File Type Identification | Detects the file type from content signatures, not the extension | Fast |
| Extension Mismatch Detector | Flags files whose extension disagrees with the detected type (renamed files) | Fast |
| Hash Lookup | Matches file hashes against hash sets you import (e.g. NSRL for known-good files); it has nothing to match until you load one | Medium |
| Picture Analyzer | Extracts EXIF metadata (camera, GPS, timestamps) from images | Fast |
| Email Parser | Extracts messages and attachments from PST/MBOX files | Medium |
| Recent Activity | Browser history, downloads, cookies, recent documents, installed programs | Medium |
| PhotoRec Carver | Carves files out of unallocated space by signature | Slow |
| Keyword Search | Indexes the text of every file and searches it (lists, regular expressions) | Slow |
Deleted files are not an ingest module: Autopsy finds them while parsing the file system as the data source is added, so they show up even if you enable no modules at all.
Tip: For quick recovery, skip the slower modules initially. You can always run them later.
Navigating the interface
Once analysis completes, the tree on the left gives you several ways in:
- Data Sources: browse by directory structure; deleted entries appear in place with a red X on their icon
- Views > File Types: grouped by extension or by detected MIME type (JPG, PDF, DOCX, etc.)
- Views > Deleted Files: only entries marked as deleted, across the whole image
- Results: output from ingest modules (web history, emails, hash hits, keyword hits)
- Timeline (Tools menu): chronological view of file and user activity
Recovering deleted files
Here's the workflow I use for deleted file recovery:
- Go to "Deleted Files" view
- Sort by "Path" or "File Type" to narrow down
- Use filters to show only specific file types
- Right-click files and choose "Extract File(s)" to save them
- For multiple files, select them and extract to a folder
# By default extraction goes into the case's Export folder (file names below are illustrative):
case_name/
├── Export/
│ ├── deleted_files/
│ │ ├── recovered_document.docx
│ │ ├── recovered_photo.jpg
│ │ └── ...
Success rates: what matters is whether the clusters a file occupied have been reused, not the calendar. On a hard drive, files deleted in the last few days usually come back intact; files deleted months ago on a busy volume are often partially overwritten, and fragmented files may come back with someone else's data in the middle. Open every recovered file before declaring victory.
File carving for corrupted drives
When the file system is damaged, or the deleted directory entries have already been reused, fall back to file carving:
# In Autopsy: enable the "PhotoRec Carver" ingest module. It runs PhotoRec over unallocated space
# and the results appear in the tree under a $CarvedFiles folder.
# The same steps from the command line with Sleuth Kit. First find the partition's sector offset:
mmls evidence.img
# Then list files, including deleted ones (marked with *), from that offset (2048 is typical; take yours from mmls)
fls -o 2048 -r -d evidence.img
# Recover a deleted file that still has metadata, by its metadata address
icat -o 2048 evidence.img 1203 > recovered_document.docx
# Or dump every unallocated (deleted) file Sleuth Kit can still name (-a for allocated, -e for everything)
tsk_recover -o 2048 evidence.img recovered/
# True carving: extract the unallocated blocks and run a signature carver over them
blkls -o 2048 evidence.img > unallocated.bin
# scalpel needs the signatures you want uncommented in scalpel.conf; photorec has them built in
scalpel -c scalpel.conf -o output_dir unallocated.bin
photorec unallocated.bin
File carving looks for file signatures (magic bytes) rather than relying on filesystem metadata, so it works even on heavily damaged drives. The trade-offs: it is slow, it produces false positives and fragments, and carved files come back without their original names, paths or timestamps, so expect to sort through the output by hand.
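What a signature carver actually does, as an added example that is not code from the post, Autopsy, PhotoRec or scalpel: scan a buffer for known header magic, carve up to the matching footer, and fall back to a size cap when the footer is gone. The JPEG/PNG/PDF signatures are the real ones; the tiny "unallocated space" dump, its offsets and the output naming are constructed for the demo.

```python
"""Added example (not from the post, Autopsy, PhotoRec or scalpel): a minimal
header/footer signature carver, the technique those tools apply to unallocated
space. Signatures are real; the sample image and output naming are constructed."""
import mmap
import os

# type: (header magic, footer magic, size cap used when no footer is found)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 8 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 8 * 1024 * 1024),
    "pdf": (b"%PDF-", b"%%EOF", 32 * 1024 * 1024),
}


def carve(data, signatures=SIGNATURES):
    """Scan a bytes-like buffer (raw image or blkls output) for known headers.

    For each header hit, carve up to and including the first footer after it,
    or up to the size cap / end of data when no footer exists (the hit is then
    marked incomplete: typically a fragmented or partly overwritten file).
    Returns hits sorted by offset: {type, offset, length, complete}.
    """
    hits = []
    for ftype, (header, footer, max_len) in signatures.items():
        start = 0
        while True:
            off = data.find(header, start)
            if off == -1:
                break
            limit = min(len(data), off + max_len)
            end = data.find(footer, off + len(header), limit)
            if end == -1:
                hits.append({"type": ftype, "offset": off, "length": limit - off, "complete": False})
            else:
                hits.append({"type": ftype, "offset": off,
                             "length": end + len(footer) - off, "complete": True})
            # Resume right after this header, not after the footer: a JPEG with an
            # embedded EXIF thumbnail holds a second header we also want to catch.
            start = off + len(header)
    hits.sort(key=lambda h: h["offset"])
    return hits


def carve_file(path, signatures=SIGNATURES):
    """Carve a file on disk without loading it into RAM (read-only mmap)."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return carve(mm, signatures)


def extract(data, hits, out_dir):
    """Write each hit as <offset-in-hex>.<type>; carvers name output by offset
    because the original file name is exactly what is lost."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for h in hits:
        name = f"{h['offset']:012x}{'' if h['complete'] else '.partial'}.{h['type']}"
        path = os.path.join(out_dir, name)
        with open(path, "wb") as f:
            f.write(data[h["offset"]:h["offset"] + h["length"]])
        paths.append(path)
    return paths


def constructed_image():
    """A tiny constructed 'unallocated space' dump: zero filler around a complete
    JPEG, a complete PNG, and a JPEG whose tail was overwritten (no footer)."""
    filler = b"\x00" * 64
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"         # 106 bytes
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 50 + b"IEND\xaeB`\x82"     # 66 bytes
    truncated_jpeg = b"\xff\xd8\xff\xe1" + b"T" * 30                # 34 bytes, footer gone
    return filler + jpeg + filler + png + filler + truncated_jpeg
```

Run `carve_file("unallocated.bin")` on the output of `blkls` above and `extract()` the hits into a folder. The third hit in the constructed image is the case the prose warns about: the header is intact but the footer was overwritten, so the carver can only hand back a `.partial` file capped at the size limit.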
Real-world example: Recovering accidentally deleted business files
Here's how I approached the client situation:
- Created a disk image of the affected drive using dd
- Opened Autopsy and created a new case
- Added the disk image as data source
- Ran basic ingest modules (skipped keyword search initially)
- Browsed to "Deleted Files" and filtered by Office documents
- Found 47 deleted DOCX/XLSX files from the past week
- Extracted all of them to verify
- 45 of 47 files opened successfully with no corruption
Total time: about 4 hours (most was waiting for the initial ingest to complete). The alternative would have been days of manual reconstruction or permanent data loss.
Understanding what can and can't be recovered
Important to set expectations. These are rough figures for a hard drive that stayed in use after the deletion; the real variable is how much has been written to free space since:
| Scenario | Recovery Chance |
|---|---|
| Recently deleted (hours/days) | Excellent - 95%+ |
| Deleted weeks ago | Good - 60-80% |
| Deleted months ago | Fair - 30-50% |
| Secure wiped / overwritten | Poor - 0-5% |
| SSD with TRIM enabled | Poor - 0-10% |
| Encrypted drive (no key or password) | Impossible - 0% without the key; image it anyway and decrypt later if the key turns up |
SSD note: modern SSDs with TRIM can make deleted files unrecoverable within minutes. When the OS deletes a file it sends TRIM for the freed blocks, the controller's garbage collection erases them in the background so later writes stay fast, and most drives return zeros for trimmed blocks immediately, so the data is gone from the host's view even before the flash is physically erased.
Advanced: Timeline analysis
The timeline view shows file activity over time:
# Events shown in timeline:
- File created
- File modified
- File accessed
- File deleted
- Metadata changes
# You can filter by:
- Date range
- Event type
- File type
- Specific users (on multi-user systems)
Useful for understanding what happened to a system, not just for getting files back. Found executables created at 3 AM when nobody was at work? The timeline shows them in context, and Autopsy plots web history, installed programs and other ingest results on the same axis as the file system MAC times, so you can see what the user (or something else) was doing around that moment.
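The timeline logic outside the GUI, as an added example that is not code from the post or from Autopsy: it parses a Sleuth Kit body file (`fls -m / -r image > body.txt`, the format mactime and Autopsy's timeline read), turns each MACB timestamp into an event, collapses them into mactime-style rows, and runs the "what happened at 3 AM" filter. The three body-file lines are constructed sample data (the format is the real one, including the " (deleted)" marker fls adds); the paths and times are invented for the demo.

```python
"""Added example (not from the post or Autopsy): timeline events from a Sleuth
Kit body file, plus an off-hours filter. SAMPLE_BODYFILE is constructed data."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Body file v3: MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")
# mactime's MACB flags: m=modified, a=accessed, c=metadata changed, b=born (created)
KINDS = (("mtime", "m", "modified"), ("atime", "a", "accessed"),
         ("ctime", "c", "changed"), ("crtime", "b", "created"))
DELETED_MARK = " (deleted)"   # what fls -m appends to unallocated entries


@dataclass(frozen=True)
class Event:
    when: datetime   # UTC
    flag: str        # one of m a c b
    kind: str
    path: str
    inode: str
    size: int
    deleted: bool


def parse_bodyfile(text):
    """One Event per non-zero timestamp per record, sorted chronologically."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        rec = dict(zip(FIELDS, parts))
        deleted = rec["name"].endswith(DELETED_MARK)
        path = rec["name"][: -len(DELETED_MARK)] if deleted else rec["name"]
        for field, flag, kind in KINDS:
            stamp = int(rec[field])
            if stamp <= 0:        # 0 means "not set" (e.g. no crtime on some file systems)
                continue
            events.append(Event(datetime.fromtimestamp(stamp, timezone.utc), flag, kind,
                                path, rec["inode"], int(rec["size"]), deleted))
    events.sort(key=lambda e: (e.when, e.path, e.flag))
    return events


def to_mactime_rows(events):
    """Collapse events sharing (time, path, inode) into one row with a 'macb'
    flag string, the way mactime and Autopsy's timeline list view do."""
    rows = {}
    for e in events:
        key = (e.when, e.path, e.inode)
        row = rows.setdefault(key, {"when": e.when, "path": e.path, "inode": e.inode,
                                    "size": e.size, "deleted": e.deleted, "flags": ["."] * 4})
        row["flags"]["macb".index(e.flag)] = e.flag
    return [dict(r, flags="".join(r["flags"])) for _, r in sorted(rows.items(), key=lambda kv: kv[0])]


def off_hours(events, start_hour=1, end_hour=5):
    """The '3 AM' check: events whose UTC hour falls in [start_hour, end_hour).
    Convert to the machine's local zone first if its clock was not UTC."""
    return [e for e in events if start_hour <= e.when.hour < end_hour]


def format_row(row):
    mark = "(deleted) " if row["deleted"] else ""
    return f"{row['when']:%Y-%m-%d %H:%M:%S} UTC {row['size']:>10} {row['flags']} {mark}{row['path']}"


def _ts(y, mo, d, h, mi):
    return int(datetime(y, mo, d, h, mi, tzinfo=timezone.utc).timestamp())


# Constructed sample in the real body-file format: a deleted report, an executable
# dropped in a temp folder at 03:12, and a spreadsheet with no creation time.
SAMPLE_BODYFILE = "\n".join([
    f"0|/Users/client/Documents/Q3-report.docx (deleted)|1203-128-1|r/rrwxrwxrwx|0|0|48213"
    f"|{_ts(2024, 3, 9, 16, 40)}|{_ts(2024, 3, 9, 16, 40)}|{_ts(2024, 3, 9, 16, 40)}|{_ts(2024, 3, 1, 9, 5)}",
    f"0|/Windows/Temp/update.exe|4410-128-3|r/rrwxrwxrwx|0|0|212992"
    f"|{_ts(2024, 3, 10, 3, 12)}|{_ts(2024, 3, 10, 3, 12)}|{_ts(2024, 3, 10, 3, 12)}|{_ts(2024, 3, 10, 3, 12)}",
    f"0|/Users/client/Documents/budget.xlsx|1207-128-1|r/rrwxrwxrwx|0|0|30022"
    f"|{_ts(2024, 3, 8, 11, 0)}|{_ts(2024, 3, 7, 15, 30)}|{_ts(2024, 3, 7, 15, 30)}|0",
])
```

Feed `parse_bodyfile(open("body.txt").read())` into `to_mactime_rows` and print each row with `format_row` for a mactime-style listing; `off_hours` on the same events isolates the 03:12 `macb` row, a file created, modified and accessed at the same second, which is what a freshly dropped binary looks like in MAC times.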
Common pitfalls to avoid
- Never work on the original drive - Always create an image first
- Don't recover to the same drive - You might overwrite other deleted files
- SSDs need immediate action - Stop using the drive and image it right away; once TRIM and garbage collection have run, the deleted blocks read back as zeros and no tool will bring them back
- Encrypted drives need passwords - BitLocker/FileVault without keys = no recovery
- Cloud sync can interfere - Pause Dropbox/OneDrive before recovery so it doesn't propagate or undo your changes; but check the service's own version history and online recycle bin first, since it is often the quickest recovery of all
When to use Autopsy vs simpler tools
Autopsy is overkill for simple situations:
| Use Autopsy when... | Use simpler tools when... |
|---|---|
| You need a full disk image | Just recovering a few recent files |
| Analyzing corrupted filesystems | Working with a healthy drive |
| Need timeline/activity analysis | Only need to browse deleted files |
| Professional/legal requirements | Personal one-time recovery |
| Analyzing disk images from elsewhere | Recovering from local drives only |
Resources for learning more
- Official Autopsy Documentation - Comprehensive reference
- Sleuth Kit - The underlying command-line tools
- CFLabs - More advanced forensics training and tools
- DFIR.org - Digital Forensics and Incident Response community
Bottom line
Autopsy is professional-grade forensics software that happens to be free and open-source. It's not the simplest tool for basic file recovery, but when you need deep analysis, timeline reconstruction, or are working with damaged drives, it's incredibly powerful.
The learning curve is worth it. Even if you only use it occasionally, having a proper forensics tool in your toolkit can save the day when simpler recovery software fails.