Introduction to Autopsy – The Sleuth Kit

Autopsy provides a graphical front end to the command-line tools of The Sleuth Kit, covering file analysis, hashing of images and files, deleted file recovery and case management, among other capabilities. Autopsy can be awkward to install from source, but it ships with Kali Linux, where it is straightforward to set up and use.

Although Autopsy is built on The Sleuth Kit, the Windows version and the browser-based Linux version differ in the features they offer. Some of the official features of The Sleuth Kit and Autopsy 2.4 in Kali Linux include:

  • Image analysis: Analyzing directories and files, including sorting files by type, recovering deleted files, and previewing file contents
  • File activity timelines: Building timelines from the modification, access and creation timestamps of files
  • Image integrity: Computing MD5 hashes of the image file and of individual files, so that any later change to the evidence can be detected
  • Hash databases: Matching the hashes (digital fingerprints) of unknown files, such as suspected malicious .exe files, against those in the NIST National Software Reference Library (NSRL), so that files belonging to known software can be set aside and the remaining unknown files examined first
  • Event sequencer: Displaying events recorded for the case sorted by date and time
  • File analysis: Walking the entire image file to display directory and file information and contents
  • Keyword search: Searching the image using keyword lists and predefined regular expression lists
  • Metadata analysis: Viewing the file-system metadata structures (for example inode or MFT entries) that describe each file, which are essential for data recovery
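The two hash-based features above, image integrity and hash-database matching, are simple to reproduce outside the GUI. The following is an added example written for this page (it is not code from the book, from Autopsy or from The Sleuth Kit): it streams an evidence image through several hash algorithms, re-verifies it after a simulated modification, and then triages a small constructed file tree against a known-good set and a notable (bad-file) set. The hash set is written in the column layout of an NSRL RDS export ("SHA-1","MD5","CRC32","FileName"); that layout, the sample image bytes and all file contents are constructed assumptions, not real NSRL data.

```python
"""Image integrity hashing and NSRL-style known-file filtering (added example)."""
import csv
import hashlib
import io
import os
import tempfile

HASH_ALGS = ("md5", "sha1", "sha256")

# Constructed stand-in for a raw disk image: 512 zero bytes, a fake boot-sector
# signature, then more padding. Not a real file system.
SAMPLE_IMAGE = b"\x00" * 512 + b"NTFS    " + b"\x00" * 504


def hash_bytes(data: bytes) -> dict:
    """MD5 (what Autopsy 2.4 records) alongside SHA-1 and SHA-256."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in HASH_ALGS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Stream a file through all hashes in one pass; images are too large to read whole."""
    hashes = {alg: hashlib.new(alg) for alg in HASH_ALGS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashes.values():
                h.update(block)
    return {alg: h.hexdigest() for alg, h in hashes.items()}


def verify_image(path: str, recorded: dict) -> bool:
    """Re-hash the image and compare every algorithm the acquisition recorded."""
    current = hash_file(path)
    return all(current[alg] == digest for alg, digest in recorded.items())


def build_hash_set_csv(known: dict) -> str:
    """Emit a hash set in the assumed NSRL RDS column layout (upper-case hex, quoted)."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    writer.writerow(["SHA-1", "MD5", "CRC32", "FileName"])
    for name, content in known.items():
        h = hash_bytes(content)
        writer.writerow([h["sha1"].upper(), h["md5"].upper(), "00000000", name])
    return buf.getvalue()


def load_hash_set(csv_text: str) -> dict:
    """Index by lower-case MD5 so lookups do not depend on the export's letter case."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["MD5"].lower(): row["FileName"] for row in reader}


def classify(file_hash: dict, known: dict, notable: dict) -> str:
    """Notable sets win over known sets: a flagged file must never be filtered away."""
    md5 = file_hash["md5"].lower()
    if md5 in notable:
        return "notable"   # matches a bad-file set: surface it
    if md5 in known:
        return "known"     # NSRL-style known software: set aside
    return "unknown"       # needs analyst attention


def triage_directory(root: str, known: dict, notable: dict) -> dict:
    """Hash every file under root and return {relative path: verdict}."""
    verdicts = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            verdicts[rel] = classify(hash_file(path), known, notable)
    return verdicts


def integrity_demo() -> tuple:
    """Record hashes of a fresh image, then detect a one-byte change to it."""
    with tempfile.TemporaryDirectory() as root:
        img = os.path.join(root, "disk.dd")
        with open(img, "wb") as fh:
            fh.write(SAMPLE_IMAGE)
        recorded = hash_file(img)          # what the acquisition log would hold
        untouched = verify_image(img, recorded)
        with open(img, "ab") as fh:        # simulate tampering / media error
            fh.write(b"\x01")
        return untouched, verify_image(img, recorded)


def demo() -> dict:
    """Triage a constructed file tree; the dropper is matched by content, not by name."""
    known_set = load_hash_set(build_hash_set_csv({"notepad.exe": b"MZ constructed notepad"}))
    notable_set = load_hash_set(build_hash_set_csv({"dropper.exe": b"MZ constructed dropper"}))
    tree = {
        "Windows/notepad.exe": b"MZ constructed notepad",   # known good
        "Temp/svc.exe": b"MZ constructed dropper",          # renamed copy of the dropper
        "Users/x/notes.txt": b"meeting at 9",               # not in either set
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in tree.items():
            path = os.path.join(root, name)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return triage_directory(root, known_set, notable_set)


if __name__ == "__main__":
    print("image integrity (before, after tampering):", integrity_demo())
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:8} {rel}")
```

Two points worth carrying into real cases: the renamed dropper is still caught because matching is by hash rather than file name, and the notable lookup is checked before the known lookup so that a flagged file can never be silently filtered. Autopsy 2.4 records MD5 only; recording SHA-1 and SHA-256 alongside it, as the example does, costs little and matches what newer NSRL exports and Autopsy versions carry.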