# Autopsy Forensics

## Setup case file and process E01

Download, install, and run Autopsy.

New Case > Enter case information > Next > (complete optional information) > Finish

<figure><img src="https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MAcqFKR60dGwoJxmUG5%2Fuploads%2FhzbSpLhYPvi8rUR6gFax%2Fimage.png?alt=media&#x26;token=cb5504de-6979-46ef-b3cb-11b654b26a31" alt=""><figcaption></figcaption></figure>

This results in a new Autopsy case being created in the location you specific. Now we need to add our data source/E01 image file.

Add Data Source > Disk Image or VM File > Next

<div align="left"><figure><img src="https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MAcqFKR60dGwoJxmUG5%2Fuploads%2F2VjGzr5QE0946KM62Euf%2Fimage.png?alt=media&#x26;token=03928e75-31b7-474e-bd99-e4ee46ff92c6" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MAcqFKR60dGwoJxmUG5%2Fuploads%2FLCYktRapZV1yC9cDqwbx%2Fimage.png?alt=media&#x26;token=432c4841-b94c-4797-95bf-1293e4f34623" alt=""><figcaption></figcaption></figure></div>

This is where our previous examination of the SYSTEM hive is important - the timezone defaults to GMT -8 but the image is of a system whose timezone offset is GMT/UTC. Change this to GMT+0/UTC.

De-select irrelevant modules and it should look like this

<div align="left"><figure><img src="https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MAcqFKR60dGwoJxmUG5%2Fuploads%2FtdYgx3NB44lTq1QfFHeb%2Fimage.png?alt=media&#x26;token=a291ddf9-f0bc-4167-a939-318541339d53" alt=""><figcaption></figcaption></figure></div>

We'll look at installing additional ingest modules shortly.

Click Next and wait for Autopsy to ingest the E01.

## Generate timeline