Examining a Case

Once the case has been processed, the left-hand pane will populate with the number of artifacts located on the system:

In the previous screenshot, there are several items listed under the Extracted Content portion. These include looking at programs that have been installed, the operating system information, and recent documents. Another key feature of Autopsy is the ability to examine the entire folder structure of the image file. Clicking on the plus sign next to Data Sources expands the entire folder structure. This is useful if, through other sources, an analyst is able to identify the location of a suspect file.

There are different data points that can be examined utilizing Autopsy. What to search for and how to search for it is often dictated by the type of incident or examination under investigation. For example, a malware infection that originates from a compromised website may involve examining the system for URLs that the user may have typed in or otherwise accessed via a browser. Furthermore, the actual file may be located utilizing information obtained via the system memory examination covered in the previous chapter. For example, if an analyst was able to locate a suspect process via Volatility or Redline and was subsequently able to also locate the executable, they may utilize Autopsy to find the last time the executable was launched. This gives analysts a time frame to use when examining other systems for evidence of compromise.

In another scenario, analysts may be tasked with identifying if an employee accessed confidential files to pass onto a competitor. This may involve examining the system for the times and dates files were accessed, email addresses that may have been used, external cloud storage sites that were accessed, or USB storage that was connected to the system. Finally, a full listing of files may provide insight into the confidential documents that were moved.
