Autopsy (GUI) in Linux

Shreya T
4 min readNov 25, 2022


Hello world. This is a short writeup of Autopsy(GUI) in Kali workstation

Download Autopsy from →

Run Autopsy as root

It prompts a program information, the version number listed as 2.24 with the path to the Evidence Locker folder as /var/lib/autopsy and an address http://localhost:9999/autopsy to open it on a web browser.

The autopsy web-browser

After clicking on http://localhost:9999/autopsy , it will be redirected to the home page of autopsy. This tool is running on our local web server accessing the port 9999.

If the port is somehow not free, run : fuser -k 9999/tcp . This will kill any process running in port 9999

Creating a new case

There will be three options on the home page: ‘OPEN CASE’, NEW CASE’, ‘HELP’

For forensic investigation, we need to create a new case and arrange all the information and evidences. Select ‘NEW CASE’ and fill the necessary details

After filling the details click on New Case and Click on add host after then

This shows the destination where the case file will be stored i.e. /var/lib/autopsy/Diskimg_analysis/ , and the destination where its configuration file will be stored i.e. /var/lib/autopsy/Diskimg_analysis/case.aut

Adding the Host

After clicking on add host , fill the required details

After then, click on ADD HOST

Add Image

Now we need to add an image file of the system or drive which we want to investigate. The reason for doing this is analysis cannot be conducting on an original storage device.

Click on Add Image file

Provide the destination of the Disk Image with its extention and click on NEXT

Calculating the HASH value

To maintain the integrity (make sure that data has not been altered) of the image file we must calculate its Hash value. It is important to calculate the Hash so that we may be able to prove that the file has not been tampered. Click on ADD

This is showing the hash value of the evidence image file and links the image into the evidence locker. Here we click “OK” to continue.

Check the Image Integrity

This showing the name and the hash value of the file. Select ‘VALIDATE’.

Its validated. Displaying the same MD5 hashes in the bottom.

File Analysis

It will ask which type of analysis I want. Select ‘FILE ANALYSIS’.

It gives me the list of all files and directories that are inside in this disk. From here you can analyze the content of the target image file and conduct the required investigation

The deleted files

To see the deleted files in the disk image click on “ALL DELETED FILES”

Expanding directories

Click on expand directories, to view all the directories present

Thanks for reading ! You can follow me on :

LinkedIn :

Twitter :

Medium :



Shreya T

Security researcher | Cyber Forensics | Malware Analysis | Threat hunting | Speaker | Blogger | Learner