The Sleuth Kit began as a set of Linux-based command-line tools for forensics; eventually, a browser-based GUI named Autopsy was added. Recently, Autopsy has been released as a standalone platform on Windows, and includes support for analyzing Android images. Version 4.9.0 is shown in the following screenshots. The full process for loading and analyzing an image will be covered in Chapter 8, Android Forensic Tools Overview.

Autopsy can be downloaded from https://www.sleuthkit.org/autopsy/download.php.

Once the image has been loaded, expanding the image will show all of the volumes that Autopsy found:

One of these volumes will be the data partition, as shown in the following screenshot:

Note that the media directory in the preceding screenshot is the SD card, as it was symbolically linked to the data partition. The data folder within the /data partition will contain application data:

As each application is installed, a directory is created for it.

Finally, Autopsy does a good job of pulling out some data automatically for an examiner, but as with all forensic tools, this information should be verified manually. We will cover this in Chapter 7, Forensic Analysis of Android Applications: