Unlocking Volatility in Autopsy

What is Autopsy?

Autopsy is a widely used digital forensics software platform that offers a comprehensive suite of tools and plugins for investigating computer systems (disk forensics) and mobile phones. It provides a graphical interface to The Sleuth Kit and other digital forensics tools. It boasts solid capabilities and, being a FOSS (free and open-source) product, has received a lot of love from the community. Developed by Basis Technology, Autopsy provides a user-friendly interface designed to facilitate forensic analysis, making it accessible to both professional investigators and less experienced users.

Autopsy supports a range of forensic tasks, including file analysis, timeline creation, metadata analysis, reporting, etc. through its modular architecture and extensive plugin support. This versatility allows it to adapt to various investigative needs, making it one of the most famous free tools in the digital forensics field.

What is Volatility?

The Volatility Framework is an open source memory forensics tool written in Python. It is actively maintained by members of The Volatility Project. It is currently the most widely used tool for memory forensics, so you must know it (as you are reading in this field here :P).

So What is Here?

Cybersecurity practitioners “mainly” use Autopsy for disk forensics and Volatility for memory forensics. However, many people don’t realize that Autopsy integrates Volatility (version 2 only) as a plugin to automate some memory forensic analysis tasks. This integration isn’t activated by default, so you need to enable it manually. Let me show you how to do that now!

Activating Volatility2 Plugin in Autopsy

Other Autopsy Plugins

To better know other useful Autopsy plugins, please check them out here and there are some add-on modules too.

Conclusion

We talked about activating Volatility2 in Autopsy to make memory analysis a bit easier and more automatic.

~ Cya in the next one