# Disk Analysis with Autopsy ### Disk Forensics * Process of extracting forensics info for storage mediums like HDDs, USBs, firmwares, etc. * In order to forensically analyze a disk, you need to create a forensic image of the drive * Forensic image is an exact digital copy of a physical drive and data contained in it * Forensic image can be created with various tools like * **FTK Imager** * **Encase Imager** * Forensic imager tools do not change or modify any data. This is accomplished with use of bitstream *** ### Autopsy * Free and open source digital forensics tool used to perform forensic analysis on disk images * Used to extract important information like * Deleted Files * Email Messages * Browser History and Cookies * Installed Programs * File Metadata * Used by LEAs worldwide to analyze and extract evidence from hard drives and other storage mediums used in crimes *** --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://notes.nomanaziz.me/cybersecurity/blue-teaming/digital-forensics-and-incidence-response/disk-analysis-with-autopsy.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.