Overview#
A forensics examiner at a law enforcement digital crimes unit is running Autopsy analysis on a disk image seized from a fraud suspect. The examination generates hundreds of artefacts over several hours. Without integration, those findings live in the Autopsy case file on the forensics workstation, disconnected from the Argus investigation record, the evidence chain, and the case manager who needs status updates. The Autopsy integration closes that gap: case metadata, artefact counts, status, and data source lists sync into Argus, giving case managers a real-time inventory of ongoing examinations without requiring direct access to the forensics server.
Autopsy is developed by Basis Technology and is widely used by law enforcement, military, and corporate IR teams for disk image analysis, file system carving, hash database lookups, timeline analysis, and keyword searching. It serves as a front-end for The Sleuth Kit with a plugin ecosystem covering email parsing, web artefact extraction, EXIF metadata, and registry analysis.
Mermaid diagram

```mermaid
flowchart TD
    A[Forensics examiner opens Autopsy case] --> B[Analysis runs on disk image or logical device]
    B --> C[Artefacts discovered and logged in Autopsy]
    C --> D[syncAutopsyCase mutation called]
    D --> E[Case metadata ingested into Argus]
    E --> F[Case record created or updated in PostgreSQL]
    F --> G{Secrecy level check}
    G -->|Cleared personnel only| H[Case visible to authorised team members]
    G -->|Insufficient clearance| I[Access denied - audit event recorded]
    H --> J[Case manager views status and artefact count in Argus]
    H --> K[Case linked to Argus investigation record]
    K --> L[Artefacts attached as evidence in Evidence domain]
    L --> M[Chain-of-custody entry updated]
    M --> N[Report generation: Autopsy summary + full investigation narrative]
```
Last Reviewed: 2026-03-18
Last Updated: 2026-04-14
Key Features#
Case Metadata Synchronisation#
Sync Autopsy case records into Argus via `syncAutopsyCase`. Case records capture the case name, case number, data sources (disk images, logical files) under analysis, artefact count, case status, and secrecy level. Case managers get a real-time inventory of ongoing examinations through Argus without needing direct access to the Autopsy server.
Data Source Tracking#
Each case records its data source list: the disk images or logical device paths being analysed. This allows case managers to track what physical media is under examination, supporting chain-of-custody management and resource allocation across the forensics team.
Status and Artefact Count#
Case status (`in_progress`, `complete`, `review`) and current artefact count are tracked across all active cases. High artefact counts in in-progress cases signal examinations consuming significant processing time that may require additional resources.
Clearance-Level Enforcement#
Cases carry `secrecy_level` tags, ensuring forensic examinations involving classified systems are restricted to cleared forensics personnel within the organisation. Access attempts by uncleared users are logged to the audit trail.
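The clearance check and the artefact-count signal described under the three features above, as an added example written for this page; it is not Argus's own code. The record layout, the ordering of secrecy levels, the audit-event fields and the sample cases are all assumptions or constructed values.

```python
"""Clearance enforcement and artefact-count triage over synced Autopsy case
records. Added example written for this page; not Argus's own code. The record
layout, the ordering of secrecy levels and the audit-event fields are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed secrecy levels, ordered from lowest to highest.
SECRECY_LEVELS = ["unclassified", "restricted", "confidential", "secret"]
# Status values named on the page.
VALID_STATUSES = {"in_progress", "complete", "review"}


@dataclass
class AutopsyCase:
    case_number: str
    case_name: str
    status: str
    artefact_count: int
    secrecy_level: str
    data_sources: list = field(default_factory=list)

    def __post_init__(self):
        # Reject records that would not pass validation on sync.
        if self.status not in VALID_STATUSES:
            raise ValueError(f"unknown status {self.status!r}")
        if self.secrecy_level not in SECRECY_LEVELS:
            raise ValueError(f"unknown secrecy level {self.secrecy_level!r}")
        if self.artefact_count < 0:
            raise ValueError("artefact_count cannot be negative")


def clearance_rank(level):
    """Rank of a clearance; an unknown or missing clearance ranks below every level."""
    return SECRECY_LEVELS.index(level) if level in SECRECY_LEVELS else -1


def check_access(user_id, user_clearance, case, audit_log):
    """Allow access only when the user's clearance is at or above the case's
    secrecy level. A denied attempt is appended to audit_log, a list standing
    in for the Argus audit trail."""
    allowed = clearance_rank(user_clearance) >= clearance_rank(case.secrecy_level)
    if not allowed:
        audit_log.append({
            "event": "autopsy_case_access_denied",
            "user": user_id,
            "case_number": case.case_number,
            "required": case.secrecy_level,
            "held": user_clearance,
            "at": datetime.now(timezone.utc).isoformat(),
        })
    return allowed


def visible_cases(user_id, user_clearance, cases, audit_log):
    """Filter the inventory down to what this user may see, auditing each denial."""
    return [c for c in cases if check_access(user_id, user_clearance, c, audit_log)]


def heavy_in_progress(cases, threshold):
    """In-progress cases whose artefact count is at or above threshold, heaviest
    first: the signal a manager uses to spot examinations that may need resources."""
    hits = [c for c in cases if c.status == "in_progress" and c.artefact_count >= threshold]
    return sorted(hits, key=lambda c: c.artefact_count, reverse=True)


# Constructed sample inventory (not real cases).
SAMPLE_CASES = [
    AutopsyCase("2026-0142", "Fraud suspect laptop", "in_progress", 412, "restricted",
                ["/evidence/2026-0142/laptop.E01"]),
    AutopsyCase("2026-0157", "Classified workstation", "review", 88, "secret",
                ["/evidence/2026-0157/ws01.E01", "/evidence/2026-0157/usb.dd"]),
    AutopsyCase("2026-0161", "Handset extraction", "in_progress", 1900, "confidential",
                ["/evidence/2026-0161/handset.tar"]),
    AutopsyCase("2026-0163", "CCTV recorder", "complete", 30, "unclassified",
                ["/evidence/2026-0163/dvr.dd"]),
]

if __name__ == "__main__":
    audit = []
    for c in visible_cases("examiner-7", "confidential", SAMPLE_CASES, audit):
        print(c.case_number, c.status, c.artefact_count)
    print("denied:", len(audit),
          "heavy:", [c.case_number for c in heavy_in_progress(SAMPLE_CASES, 500)])
```

An unknown clearance value ranks below `unclassified`, so a user whose clearance attribute is missing sees nothing rather than everything; every denial lands in the audit list, which is what the audit trail entry for an uncleared access attempt corresponds to here.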
Use Cases#
- Integrated Evidence Management: Link an Autopsy case to an Argus investigation and attach resulting artefacts as evidence records, replacing the need for parallel case notes in two separate systems
- Forensics Team Coordination: Forensics managers view all in-progress Autopsy cases through the Argus admin interface, enabling examination assignment without direct access to the forensics server
- Post-Incident Reporting: Generate investigation reports that include Autopsy examination summaries alongside DFIR-ORC artefact highlights, CAPE Sandbox sample analysis, and MWDB malware intelligence for a complete technical narrative
- Law Enforcement Case Support: Maintain clear linkage between the Autopsy case number, Argus investigation ID, and evidence submission records to support legal proceedings and disclosure requirements
Integration#
Available via GraphQL: `autopsyCases`, `autopsyStats` (queries); `syncAutopsyCase` (mutation). All operations require authentication and organisation scoping.
Works alongside DFIR-ORC for live endpoint collection, CAPE Sandbox for malware analysis, the Evidence domain for legal chain-of-custody management, and the Case domain for investigation case management.
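How a sync client would call the integration, as an added example written for this page rather than Argus client code. The operation names `syncAutopsyCase` and `autopsyCases` come from the page; the input field names, the response selection, the `Authorization` and `X-Organisation-Id` headers, the endpoint path and the sample summary are assumptions to check against the real schema.

```python
"""Building and checking the GraphQL calls for the Autopsy integration.
Added example written for this page, not Argus client code. Operation names
are from the page; field names, headers and endpoint are assumptions."""
import json
import urllib.request

VALID_STATUSES = ("in_progress", "complete", "review")

# Assumed mutation shape; input fields mirror the case attributes the page lists.
SYNC_AUTOPSY_CASE = """
mutation SyncAutopsyCase($input: AutopsyCaseInput!) {
  syncAutopsyCase(input: $input) { id caseNumber status artefactCount }
}
"""

# Assumed query shape for the inventory view.
AUTOPSY_CASES = """
query AutopsyCases($status: String) {
  autopsyCases(status: $status) {
    caseNumber caseName status artefactCount secrecyLevel dataSources
  }
}
"""


def build_headers(token, organisation_id):
    """Authentication and organisation scoping, which every operation requires."""
    if not token or not organisation_id:
        raise ValueError("token and organisation_id are both required")
    return {
        "Content-Type": "application/json",
        "Authorization": f"Bearer {token}",
        "X-Organisation-Id": organisation_id,  # assumed header name
    }


def build_sync_request(summary, token, organisation_id,
                       endpoint="https://argus.example/graphql"):
    """Validate a case summary (a dict exported from Autopsy by a step outside
    this example) and return the request to send: url, headers and JSON body."""
    required = ("case_name", "case_number", "data_sources", "artefact_count",
                "status", "secrecy_level")
    missing = [k for k in required if k not in summary]
    if missing:
        raise ValueError(f"summary missing fields: {missing}")
    if summary["status"] not in VALID_STATUSES:
        raise ValueError(f"status must be one of {VALID_STATUSES}")
    sources = summary["data_sources"]
    if not sources or not all(isinstance(s, str) and s.strip() for s in sources):
        raise ValueError("data_sources must list at least one non-empty path")
    count = summary["artefact_count"]
    if not isinstance(count, int) or count < 0:
        raise ValueError("artefact_count must be a non-negative integer")
    variables = {"input": {
        "caseName": summary["case_name"],
        "caseNumber": summary["case_number"],
        "dataSources": list(sources),
        "artefactCount": count,
        "status": summary["status"],
        "secrecyLevel": summary["secrecy_level"],
    }}
    body = json.dumps({"query": SYNC_AUTOPSY_CASE, "variables": variables})
    return {"url": endpoint, "headers": build_headers(token, organisation_id), "body": body}


def build_cases_request(token, organisation_id, status=None,
                        endpoint="https://argus.example/graphql"):
    """Inventory query, optionally filtered to one status value."""
    if status is not None and status not in VALID_STATUSES:
        raise ValueError(f"status must be one of {VALID_STATUSES}")
    body = json.dumps({"query": AUTOPSY_CASES, "variables": {"status": status}})
    return {"url": endpoint, "headers": build_headers(token, organisation_id), "body": body}


def parse_sync_response(body_text):
    """GraphQL servers commonly answer HTTP 200 even when the operation failed,
    so check the errors array before trusting data."""
    body = json.loads(body_text)
    if body.get("errors"):
        messages = "; ".join(e.get("message", "?") for e in body["errors"])
        raise RuntimeError(f"syncAutopsyCase failed: {messages}")
    data = (body.get("data") or {}).get("syncAutopsyCase")
    if not data:
        raise RuntimeError("response carried no syncAutopsyCase payload")
    return data


def send(request, timeout=10):
    """Perform the HTTP POST; not called below, so the example runs offline."""
    req = urllib.request.Request(request["url"], data=request["body"].encode(),
                                 headers=request["headers"], method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


# Constructed sample summary (not a real case).
SAMPLE_SUMMARY = {
    "case_name": "Fraud suspect laptop",
    "case_number": "2026-0142",
    "data_sources": ["/evidence/2026-0142/laptop.E01"],
    "artefact_count": 412,
    "status": "in_progress",
    "secrecy_level": "restricted",
}

if __name__ == "__main__":
    req = build_sync_request(SAMPLE_SUMMARY, "TOKEN-PLACEHOLDER", "org-placeholder")
    print(req["body"])
```

Validation happens before anything is sent, so a malformed export (unknown status, empty data source list, negative count) is rejected on the workstation and never reaches the Argus record; the response parser treats a populated `errors` array as failure even though the HTTP status may be 200.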