Autopsy As Primary Tool

I wanted to reach out to the greater group and ask if anyone is using Autopsy (3 & above) as their primary analysis tool?

No.

If you are, …

In my case, I'm not, so perhaps 'why not' would be more interesting.

It still doesn't translate NTFS timestamps well enough for my taste. Last time I checked, EnCase at least gave up, and showed a blank when timestamps are out of the range that it translated correctly. That makes it (relatively) easy to know that there is something here that EnCase didn't cope with. Autopsy doesn't – it just mistranslates.

I have recently been updating some testing tools I wrote and wrote about in 2013. While I'm not finished with the update, I can verify that the main problem described in

https://articles.forensicfocus.com/2013/04/06/interpretation-of-ntfs-timestamps/

still is present as far as Autopsy is concerned. It's the first entry in the 'TEST RESULTS' section (no direct link, I'm afraid).

While the effect of this is not likely to be major, and can fairly easily be checked against a second tool that does a correct job, I would much rather use that second tool as the primary tool – at least for any investigation that had to cope with NTFS time stamps – just because I wouldn't have to keep in mind that 'my file timestamp results from Autopsy need to be rechecked against a better tool' .

Interesting. I will study this further. Have you passed this on to Basis?

Next, anything other thoughts not related to this very specific issue?

Interesting. I will study this further. Have you passed this on to Basis?

https://github.com/sleuthkit/autopsy/issues/164

In the screen shot of that issue report, only four time stamps are reported correctly The 'Mod. Time' and 'Change Time' of file 01000, and the 'Access Time' and 'Created Time' of file 02000,

I use Autopsy as tool for examining pendrives on secondary station. I wrote my own modules in python to examine pendrives (scripts copy all files from pendrive and create reports about files). My primary tools is Encase