Examining a case

Once the case has been processed, the left-hand pane will be populated with the number of artifacts located on the system:

In the previous screenshot, there are several items listed under the Extracted Content portion. These include installed programs, the operating system's information, and recent documents. Another key feature of Autopsy is the ability to examine the entire folder structure of the image file. Clicking on the plus (+) sign next to Data Sources expands the entire folder structure. This is useful if, through other sources, an analyst is able to identify the location of a suspect file:

There are different data points that can be examined by utilizing Autopsy. What to search for and how to search for it is often dictated by the type of incident or examination under investigation. For example, a malware infection that originates from a compromised website may involve examining the system for URLs that the user may have typed in or otherwise accessed via a browser. Furthermore, the actual file may be located by utilizing information that's been obtained by examining the system memory, which we covered in the previous chapter. For example, if an analyst was able to locate a suspect process via Volatility or Redline and was subsequently able to also locate the executable, they may utilize Autopsy to find the last time the executable was launched. This can provide responders with a time so that they can examine other systems for evidence of compromise.

In another scenario, responders may be tasked with identifying whether an employee accessed confidential files so that they could pass them on to a competitor. This may involve examining the system for the times and dates when files were accessed, email addresses that may have been used, external cloud storage sites that were accessed, or USB storage that was connected to the system. Finally, a full list of these files may provide insight into the confidential documents that were moved.
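As an added example (not from the book or from Autopsy itself), the two correlations described above can be scripted once the relevant artifacts have been exported: the last-launch pivot from the malware scenario and the file-access-versus-USB check from the insider scenario. The record shape, file paths and USB serial below are constructed assumptions, not an Autopsy export format.

```python
from datetime import datetime, timedelta

# Constructed records in an assumed (kind, ISO timestamp, detail) shape that
# mirrors Autopsy's Extracted Content categories; not an Autopsy export format.
ARTIFACTS = [
    ("web_history", "2023-03-01T09:58:10", "http://example.invalid/landing"),
    ("web_download", "2023-03-01T09:59:02", "C:\\Users\\jdoe\\Downloads\\invoice.exe"),
    ("program_run", "2023-03-01T10:00:30", "C:\\Users\\jdoe\\Downloads\\invoice.exe"),
    ("usb_device", "2023-03-01T14:00:00", "connected serial=ABC123"),
    ("file_access", "2023-03-01T14:05:12", "C:\\Confidential\\Q4_forecast.xlsx"),
    ("usb_device", "2023-03-01T14:30:00", "disconnected serial=ABC123"),
    ("file_access", "2023-03-01T16:10:00", "C:\\Confidential\\notes.docx"),
]


def last_launch_and_neighbours(artifacts, exe_path, window_minutes=5):
    """Malware scenario: the most recent launch of the suspect executable and
    every other artifact within +/- window of it. That launch time is the
    pivot responders use when checking other systems for compromise."""
    is_pivot = lambda k, d: k == "program_run" and d.lower() == exe_path.lower()
    runs = [datetime.fromisoformat(t) for k, t, d in artifacts if is_pivot(k, d)]
    if not runs:
        return None, []
    last_run, window = max(runs), timedelta(minutes=window_minutes)
    nearby = [(k, t, d) for k, t, d in artifacts if not is_pivot(k, d)
              and abs(datetime.fromisoformat(t) - last_run) <= window]
    return last_run, nearby


def files_accessed_while_usb_connected(artifacts):
    """Insider scenario: pair USB connect/disconnect events into intervals per
    device serial and report file accesses that fall inside one of them."""
    intervals, open_at = [], {}
    for k, t, d in sorted(a for a in artifacts if a[0] == "usb_device"):
        state, _, serial = d.partition(" serial=")
        if state == "connected":
            open_at[serial] = datetime.fromisoformat(t)
        elif state == "disconnected" and serial in open_at:
            intervals.append((serial, open_at.pop(serial), datetime.fromisoformat(t)))
    for serial, start in open_at.items():  # still connected when the image was taken
        intervals.append((serial, start, datetime.max))
    hits = []
    for k, t, d in artifacts:
        if k == "file_access":
            when = datetime.fromisoformat(t)
            hits.extend((d, t, serial) for serial, start, end in intervals
                        if start <= when <= end)
    return hits


if __name__ == "__main__":
    print(last_launch_and_neighbours(ARTIFACTS, "C:\\Users\\jdoe\\Downloads\\invoice.exe"))
    print(files_accessed_while_usb_connected(ARTIFACTS))
```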
