Overview
A forensics examiner at a law enforcement digital crimes unit is running Autopsy analysis on a disk image seized from a fraud suspect. The examination generates hundreds of artefacts over several hours. Without integration, those findings live in the Autopsy case file on the forensics workstation, disconnected from the Argus investigation record, the evidence chain, and the case manager who needs status updates. The Autopsy integration closes that gap: case metadata, artefact counts, status, and data source lists sync into Argus, giving case managers a real-time inventory of ongoing examinations without requiring direct access to the forensics server.
Autopsy is developed by Basis Technology and is widely used by law enforcement, military, and corporate IR teams for disk image analysis, file system carving, hash database lookups, timeline analysis, and keyword searching. It serves as a front-end for The Sleuth Kit with a plugin ecosystem covering email parsing, web artefact extraction, EXIF metadata, and registry analysis.
Open Standards
- GraphQL (June 2018 specification): All Autopsy integration operations are exposed as typed GraphQL queries and mutations, enabling strongly-typed case synchronisation, stats retrieval, and artefact inventory access from any compliant client.
- ISO/IEC 27037:2012: The evidence management pipeline that receives Autopsy case artefacts is validated against ISO 27037 guidelines covering digital evidence identification, collection, acquisition, and preservation to support court-admissible chain of custody.
- JWT (RFC 7519) / Bearer Token (RFC 6750): Every query and mutation requires a caller-presented RS256 JSON Web Token verified against the platform JWKS endpoint; unauthenticated requests are rejected before any data is accessed.
- NIST Special Publication 800-101r1: Report exports that incorporate Autopsy examination summaries follow NIST SP 800-101r1 guidelines for mobile and digital media forensic evidence handling.
- SHA-256 (FIPS 180-4): Cryptographic SHA-256 digests are recorded for evidence artefacts ingested from Autopsy cases, providing integrity verification and tamper detection throughout the evidence lifecycle.
- ISO 19005-3 (PDF/A-3): Investigation reports that combine Autopsy examination summaries with other DFIR findings are rendered as ISO 19005-3 archival PDF/A-3 packages, ensuring long-term readability and legal admissibility.
- Exchangeable Image File Format (EXIF / JEITA CP-3451C): Image evidence linked to Autopsy cases is parsed for EXIF metadata including timestamps, GPS coordinates, and camera provenance, supporting timeline analysis and geolocation of photographic artefacts.
Last Reviewed: 2026-03-18 Last Updated: 2026-04-14
Key Features
Case Metadata Synchronisation
Sync Autopsy case records into Argus via syncAutopsyCase. Case records capture the case name, case number, data sources (disk images, logical files) under analysis, artefact count, case status, and secrecy level. Case managers get a real-time inventory of ongoing examinations through Argus without needing direct access to the Autopsy server.
Data Source Tracking
Each case records its data source list: the disk images or logical device paths being analysed. This allows case managers to track what physical media is under examination, supporting chain-of-custody management and resource allocation across the forensics team.
Status and Artefact Count
Case status (in_progress, complete, review) and current artefact count are tracked across all active cases. High artefact counts in in-progress cases signal examinations consuming significant processing time that may require additional resources.
Clearance-Level Enforcement
Cases carry secrecy_level tags, ensuring forensic examinations involving classified systems are restricted to cleared forensics personnel within the organisation. Access attempts by uncleared users are logged to the audit trail.
Use Cases
- Integrated Evidence Management: Link an Autopsy case to an Argus investigation and attach resulting artefacts as evidence records, replacing the need for parallel case notes in two separate systems
- Forensics Team Coordination: Forensics managers view all in-progress Autopsy cases through the Argus admin interface, enabling examination assignment without direct access to the forensics server
- Post-Incident Reporting: Generate investigation reports that include Autopsy examination summaries alongside DFIR-ORC artefact highlights, CAPE Sandbox sample analysis, and MWDB malware intelligence for a complete technical narrative
- Law Enforcement Case Support: Maintain clear linkage between the Autopsy case number, Argus investigation ID, and evidence submission records to support legal proceedings and disclosure requirements
Integration
Available via GraphQL: autopsyCases, autopsyStats (queries); syncAutopsyCase (mutation). All operations require authentication and organisation scoping.
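The following is an added example, not Argus or Autopsy project code, showing how a client would shape an Autopsy case summary (Case Metadata Synchronisation above) into a syncAutopsyCase mutation and present the bearer token the Integration section requires. The status values come from this page; the input field names, the GraphQL URL and the sample case are assumptions.

```python
import hashlib
import json
import urllib.request

# Status values named on the page; the field names below are assumed.
CASE_STATUSES = ("in_progress", "complete", "review")

# Assumed mutation shape: the real Argus schema may name fields differently.
SYNC_AUTOPSY_CASE = """
mutation SyncAutopsyCase($input: AutopsyCaseInput!) {
  syncAutopsyCase(input: $input) { id caseNumber status artefactCount }
}"""


def sha256_bytes(data: bytes) -> str:
    """FIPS 180-4 SHA-256 hex digest recorded for each data source."""
    return hashlib.sha256(data).hexdigest()


def build_case_input(case: dict, digests: dict) -> dict:
    """Validate an examiner-side case summary and shape it for the mutation.

    `digests` maps each data source path to its SHA-256, so every data
    source in the evidence record carries an integrity value.
    """
    if case["status"] not in CASE_STATUSES:
        raise ValueError(f"unknown case status: {case['status']!r}")
    missing = [p for p in case["data_sources"] if p not in digests]
    if missing:
        raise ValueError(f"no digest for data source(s): {missing}")
    return {
        "caseName": case["name"],
        "caseNumber": case["number"],
        "status": case["status"],
        "artefactCount": int(case["artefact_count"]),
        "secrecyLevel": case["secrecy_level"],
        "dataSources": [{"path": p, "sha256": digests[p]} for p in case["data_sources"]],
    }


def graphql_request(url: str, token: str, query: str, variables: dict) -> urllib.request.Request:
    """Build the authenticated POST; the RS256 JWT travels as an RFC 6750 bearer token."""
    body = json.dumps({"query": query, "variables": variables}).encode()
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
```

Send the returned request with urllib.request.urlopen (or any HTTP client) once a valid token for the organisation is available; a rejected token surfaces as an HTTP error before any case data is touched.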
Works alongside DFIR-ORC for live endpoint collection, CAPE Sandbox for malware analysis, the Evidence domain for legal chain-of-custody management, and the Case domain for investigation case management.