Navigating Autopsy

The Autopsy GUI is divided into three main sections. These sections display details relating to the system and specific files. When Autopsy has completed processing a new case or opening an existing case, the analyst will see the following window:

As shown in the previous screenshot, Autopsy is divided into three main panes. The first of these is the left-hand pane, which contains the data sources and file structure, as well as search results. Clicking on the plus (+) sign expands the results, while clicking on the minus (-) sign collapses them. This allows the analyst to access the system at a high level, and also to drill down to specific elements.

The center pane contains directory listings or results from searches. For example, the following screenshot shows web cookies that were located on the system:

Finally, the bottom pane contains the metadata and other information about individual files contained in the center pane. For example, if the .youtube.com cookie is selected, the following data appears when the Results tab is selected:

Clicking the File Metadata tab will produce information specific to that file. This includes the timestamps for the file, as well as an MD5 hash:

The file's hexadecimal content can also be viewed by clicking on the Hex tab:

This view is excellent if an analyst wants to inspect an application or another file that is suspected of being malware.
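As an added example (not code from the book or from the Autopsy project), the script below reproduces outside the GUI what the File Metadata and Hex tabs show for a single file: size, modified/accessed/changed timestamps and the MD5 hash, plus a hex-and-ASCII dump of the file's first bytes. It goes slightly beyond the page by also computing SHA-256, since most current hash sets carry both. The sample bytes it writes to a temporary file are constructed for the demonstration; point `inspect_file` at a file exported from Autopsy to cross-check the values the GUI reports.

```python
"""Independently reproduce Autopsy's File Metadata and Hex tab values for one
file so an analyst can cross-check what the GUI shows.  Added example, not
Autopsy code.  SAMPLE_BYTES is constructed content standing in for a file
exported from a disk image."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample: a fake GIF header, 32 raw bytes, and a cookie-like line.
SAMPLE_BYTES = b"GIF89a\x01\x00\x01\x00" + bytes(range(32)) + b"cookie: session=abc123\n"


def write_sample(data):
    """Write constructed bytes to a temp file and return its path (demo helper)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
    return tmp.name


def _utc(ts):
    """Format a POSIX timestamp in UTC, the timezone forensic reports should use."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def file_metadata(path):
    """Return the core File Metadata tab fields: size, M/A/C timestamps and
    hashes.  MD5 is what the page lists; SHA-256 is an added field."""
    st = os.stat(path)
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        # Stream in 1 MiB chunks so large files from an image do not load fully into memory.
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {
        "size": st.st_size,
        "modified": _utc(st.st_mtime),
        "accessed": _utc(st.st_atime),
        "changed": _utc(st.st_ctime),
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
    }


def hex_dump(data, width=16):
    """Render bytes as a Hex tab does: offset, hex columns, ASCII gutter.
    Non-printable bytes are shown as '.' so binary content stays readable."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hex_part}  {ascii_part}")
    return "\n".join(lines)


def inspect_file(path, preview=64):
    """Combine both views for one file, as when triaging a suspicious binary
    selected in the center pane.  Returns (metadata dict, hex dump string)."""
    meta = file_metadata(path)
    with open(path, "rb") as fh:
        head = fh.read(preview)
    return meta, hex_dump(head)


if __name__ == "__main__":
    path = write_sample(SAMPLE_BYTES)
    try:
        meta, dump = inspect_file(path)
        for key, value in meta.items():
            print(f"{key:>9}: {value}")
        print(dump)
    finally:
        os.unlink(path)
```

Comparing the MD5 printed here with the value in the File Metadata tab is a quick way to confirm that an exported file is byte-identical to the one in the image before it is handed to a malware analyst.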

Autopsy offers the ability to perform some of the actions and analysis found in commercial platforms. It should be noted, however, that more complex investigations may require more sophisticated platforms. Autopsy also gives responders who are new to disk forensics a user-friendly platform on which to gain experience before moving on to a more sophisticated commercial solution.
