Forensic Analysis Workstation Setup: Tools, Autopsy, Directory Structure, Evidence Handling

3 hours · Module 0

This section walks through setting up the analysis workstation you will use for every module in the course. By the end, you will have a working environment with the complete open-source forensic toolstack installed.

Estimated time: 60 minutes (including tool downloads).

Workstation requirements

You need a Windows 10 or 11 system dedicated to forensic analysis. This can be a physical machine or a virtual machine. A VM is recommended because it isolates your analysis environment from your daily-use system and can be snapshotted before major operations.

Minimum specifications:

  • Windows 10/11 Pro or Enterprise (64-bit)
  • 16 GB RAM (32 GB recommended for memory analysis and Plaso)
  • 250 GB free disk space (evidence sets and Autopsy case databases are large)
  • SSD storage (parsing large artifacts against spinning disk is painfully slow)
  • Java Runtime Environment (required for Autopsy)
  • Python 3.10+ (required for Plaso and Volatility 3)
  • Strawberry Perl (required for RegRipper)

If you are using a VM, allocate at least 8 GB RAM and 250 GB of thin-provisioned storage. VMware Workstation, Hyper-V, and VirtualBox all work. Disable network connectivity on the VM unless you need it for tool downloads. Snapshot the VM after completing the setup so you can revert to a clean, known-good state.

Directory structure

Create this directory structure before installing tools. Every module in the course assumes this layout. The separation between Evidence (raw, never modified), Processed (tool output), and Cases (your analysis notes) supports chain-of-custody documentation and reproducibility.

# Create the standard forensic analysis directory structure
$dirs = @(
    "C:\Forensics\Tools\EZTools",
    "C:\Forensics\Tools\KAPE",
    "C:\Forensics\Tools\Velociraptor",
    "C:\Forensics\Tools\RegRipper",
    "C:\Forensics\Tools\Plaso",
    "C:\Forensics\Tools\TSK",
    "C:\Forensics\Tools\BulkExtractor",
    "C:\Forensics\Tools\Volatility3",
    "C:\Forensics\Cases",
    "C:\Forensics\Evidence",
    "C:\Forensics\Processed",
    "C:\Forensics\Exports",
    "C:\Forensics\Timelines"
)
foreach ($dir in $dirs) {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    Write-Host "Created: $dir"
}

The resulting layout:

C:\Forensics\
  Tools\                All forensic tools
    EZTools\            Eric Zimmerman's full suite + Timeline Explorer
    KAPE\               KAPE with targets and modules
    Velociraptor\       Velociraptor server and client binaries
    RegRipper\          RegRipper 3.0 with plugins
    Plaso\              Plaso (log2timeline) and pinfo
    TSK\                The Sleuth Kit command-line tools
    BulkExtractor\      Bulk Extractor
    Volatility3\        Volatility 3 memory analysis framework
  Cases\                One subdirectory per investigation
  Evidence\             Raw collected evidence (never modify)
  Processed\            Parsed output from all tools
  Exports\              Filtered data, screenshots, extracted files
  Timelines\            Super timelines from Plaso

Installing the core toolstack

Eric Zimmerman's tools

Download the complete package from https://ericzimmerman.github.io/#!index.md. Extract everything to C:\Forensics\Tools\EZTools\. Add to your system PATH:

# Add EZ tools to PATH permanently (requires elevated prompt)
[Environment]::SetEnvironmentVariable(
    "PATH",
    [Environment]::GetEnvironmentVariable("PATH", "Machine") + ";C:\Forensics\Tools\EZTools",
    "Machine"
)
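The snippet above appends the EZ tools directory unconditionally, so running the setup twice leaves a duplicate PATH entry. The following is an added example, not code from the course page: an idempotent version that checks whether the directory is already present, updates the current session as well, and confirms the tool resolves. The function name and parameters are this example's own; the directory and PECmd.exe are the page's.

```powershell
# Added example (not from the course page). Run from an elevated prompt:
# machine-level PATH changes require administrator rights.
function Add-ForensicToolPath {
    param(
        [Parameter(Mandatory)] [string]$Directory,
        [string]$ProbeExecutable   # optional: a binary expected inside $Directory
    )

    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) {
        throw "Directory does not exist: $Directory"
    }

    $current = [Environment]::GetEnvironmentVariable("PATH", "Machine")
    $entries = $current -split ';' | Where-Object { $_ -ne '' }

    # Compare without a trailing backslash (and case-insensitively, which is
    # PowerShell's default for -eq) so re-running setup never appends a duplicate.
    $normalized = $Directory.TrimEnd('\')
    $alreadyPresent = $entries | Where-Object { $_.TrimEnd('\') -eq $normalized }

    if ($alreadyPresent) {
        Write-Host "Already on machine PATH: $Directory"
    } else {
        $newPath = ($entries + $Directory) -join ';'
        [Environment]::SetEnvironmentVariable("PATH", $newPath, "Machine")
        Write-Host "Added to machine PATH: $Directory"
    }

    # Also update this session's PATH so verification works without a new prompt.
    $sessionHas = ($env:PATH -split ';') | Where-Object { $_.TrimEnd('\') -eq $normalized }
    if (-not $sessionHas) {
        $env:PATH = "$env:PATH;$Directory"
    }

    if ($ProbeExecutable) {
        $cmd = Get-Command $ProbeExecutable -ErrorAction SilentlyContinue
        if ($cmd) {
            Write-Host "Resolved $ProbeExecutable -> $($cmd.Source)"
        } else {
            Write-Warning "$ProbeExecutable not found on PATH; check the extraction directory."
        }
    }
}

# Usage: register the EZ tools directory and confirm PECmd.exe is reachable.
Add-ForensicToolPath -Directory "C:\Forensics\Tools\EZTools" -ProbeExecutable "PECmd.exe"
```

The same function can register C:\Forensics\Tools\TSK or the Autopsy sleuthkit\bin directory later in this module; because it is idempotent, it is safe to leave in a setup script that you re-run after reverting to a snapshot.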

Verify: run PECmd.exe --help from a new command prompt.

Autopsy

Download from https://www.autopsy.com/. Run the installer, which includes The Sleuth Kit, Java Runtime, and all required dependencies. Autopsy installs to its own directory and does not conflict with the EZ tool suite.

After installation, launch Autopsy and create a test case to verify it starts correctly. Select New Case, provide a case name and output directory, and confirm the case database is created. Autopsy will be your primary platform for disk image analysis, keyword searches, and comprehensive artifact extraction when you need more than the command-line parsers provide.

The Sleuth Kit

TSK is included with the Autopsy installation. For command-line access, add the TSK bin directory to your PATH. The exact path depends on your Autopsy installation location, typically C:\Program Files\Autopsy-[version]\autopsy\sleuthkit\bin\.

Alternatively, download the standalone Windows binaries from https://sleuthkit.org/ and extract to C:\Forensics\Tools\TSK\.

Verify: run fls -V from a command prompt.

KAPE

Download from Kroll's website (free registration required). Extract to C:\Forensics\Tools\KAPE\. After extraction, update targets and modules:

cd "C:\Forensics\Tools\KAPE"
.\kape.exe --sync

Velociraptor

Download the Windows amd64 binary from https://github.com/Velocidex/velociraptor/releases. Place it in C:\Forensics\Tools\Velociraptor\. Module 1 covers server deployment and agent configuration.

RegRipper

Download from https://github.com/keydet89/RegRipper3.0. Extract to C:\Forensics\Tools\RegRipper\. Install Strawberry Perl from https://strawberryperl.com/ if you do not have Perl installed. Verify: perl C:\Forensics\Tools\RegRipper\rip.pl -h.

Bulk Extractor

Download from https://github.com/simsong/bulk_extractor/releases. Extract the Windows binary to C:\Forensics\Tools\BulkExtractor\.

Encrypted Disk Detector

Download from https://www.magnetforensics.com/resources/encrypted-disk-detector/. It is a portable executable; place it in C:\Forensics\Tools\.

Magnet RAM Capture

Download from https://www.magnetforensics.com/resources/magnet-ram-capture/. It is a portable executable; place it in C:\Forensics\Tools\. This tool runs on the target system, not the analysis workstation, so copy it to a USB drive for field use.

FTK Imager

Download from https://www.exterro.com/ftk-imager. Run the installer. FTK Imager is also available as a portable version for running from USB drives during field collection.

Arsenal Image Mounter

Download from https://arsenalrecon.com/downloads. The free version is sufficient for this course.

Memory analysis (Volatility 3)

Install Volatility 3 in a Python virtual environment:

python -m venv "C:\Forensics\Tools\Volatility3\venv"
& "C:\Forensics\Tools\Volatility3\venv\Scripts\Activate.ps1"
pip install volatility3

Verify: vol --help.

Plaso

Install Plaso in a separate Python virtual environment to avoid dependency conflicts with Volatility:

python -m venv "C:\Forensics\Tools\Plaso\venv"
& "C:\Forensics\Tools\Plaso\venv\Scripts\Activate.ps1"
pip install plaso

Forensic Linux distribution (optional)

If your workflow includes Linux-based analysis, consider having a bootable forensic distribution available. These are not required for this course but provide an alternative analysis environment and are essential for cases where you need to boot from external media to examine a system without modifying its disk.

CAINE. Download the ISO from https://www.caine-live.net/. Write it to a USB drive with Rufus or Etcher. All drives mount read-only by default. It includes Autopsy, TSK, Bulk Extractor, and dozens of other tools pre-installed.

PALADIN. Download from https://sumuri.com/paladin/. GUI-oriented forensic distribution with built-in disk imaging.

CSI Linux. Download from https://csilinux.com/. Includes both forensic tools and OSINT investigation tools.

Any of these distributions can run as a VM alongside your Windows analysis workstation. This gives you both environments available simultaneously: Windows-native tools (EZ suite, Timeline Explorer, KAPE) on the Windows VM, Linux-native tools (TSK command-line, Bulk Extractor, Plaso) on the forensic distribution.

Evidence handling practices

Establish these practices before Module 1. They make your work defensible and reproducible.

Hash everything. When you receive a triage collection or disk image, compute the SHA256 hash before you do anything else. Record the hash in your case notes.

Get-FileHash -Algorithm SHA256 "C:\Forensics\Evidence\case-001\triage.zip"

Never modify the evidence directory. All tools write output to C:\Forensics\Processed\, not back to the evidence directory. The evidence directory is a read-only archive.

One case, one subdirectory. Create a subdirectory under Evidence, Processed, and Cases for each investigation. Name consistently: case-001-workstation, case-002-server-dc01.

Document your tools. Record the version of every tool you use during analysis. Tool output can change between versions.

Record your commands. Keep a running log of every command you execute. Run Start-Transcript at the beginning of every session.

Start-Transcript -Path "C:\Forensics\Cases\case-001\session-2026-03-15.txt" -Append

Snapshot your VM. After completing this setup, take a VM snapshot. If you suspect tool compromise or need a clean environment for a new case, revert to the snapshot.
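The practices above (one case per subdirectory, hash on receipt, never write into Evidence, record tool versions and commands) fit naturally into a single case-intake script. The following is an added example, not code from the course page: it creates the per-case subdirectories, starts a transcript, hashes evidence into a manifest kept beside the case notes, marks the evidence files read-only, records tool versions, and re-verifies the hashes on demand. The function names, the manifest file names, and the case name are this example's own; the paths and tool binaries are the page's.

```powershell
# Added example (not from the course page). Assumes the C:\Forensics layout
# created earlier in this module; function and file names are this example's own.
function New-ForensicCase {
    param(
        [Parameter(Mandatory)] [string]$CaseName,   # e.g. case-001-workstation
        [string]$Root = "C:\Forensics",
        [string[]]$ToolsToRecord = @(
            "C:\Forensics\Tools\EZTools\PECmd.exe",
            "C:\Forensics\Tools\EZTools\MFTECmd.exe",
            "C:\Forensics\Tools\EZTools\EvtxECmd.exe",
            "C:\Forensics\Tools\KAPE\kape.exe"
        )
    )
    # One case, one subdirectory under each of Evidence, Processed and Cases.
    $paths = @{}
    foreach ($area in "Evidence", "Processed", "Cases") {
        $paths[$area] = Join-Path $Root (Join-Path $area $CaseName)
        New-Item -ItemType Directory -Path $paths[$area] -Force | Out-Null
    }
    # Record your commands: one transcript per session, appended, under Cases.
    $stamp = Get-Date -Format "yyyy-MM-dd_HHmm"
    Start-Transcript -Path (Join-Path $paths["Cases"] "session-$stamp.txt") -Append
    # Document your tools: file/product version of each binary, with the date in the name.
    $versions = foreach ($tool in $ToolsToRecord) {
        if (Test-Path -LiteralPath $tool) {
            $info = (Get-Item -LiteralPath $tool).VersionInfo
            [pscustomobject]@{ Tool = $tool; FileVersion = $info.FileVersion; ProductVersion = $info.ProductVersion }
        } else {
            [pscustomobject]@{ Tool = $tool; FileVersion = "NOT FOUND"; ProductVersion = "" }
        }
    }
    $versions | Export-Csv -Path (Join-Path $paths["Cases"] "tool-versions-$stamp.csv") -NoTypeInformation
    return $paths
}

# Hash everything: SHA-256 of each file under Evidence\<case>, appended to a manifest
# in Cases\<case> (never written into the evidence directory). Files already in the
# manifest are skipped, so this can be re-run as more evidence arrives.
function Register-Evidence {
    param([Parameter(Mandatory)] [string]$CaseName, [string]$Root = "C:\Forensics")
    $evidenceDir = Join-Path $Root "Evidence\$CaseName"
    $manifest    = Join-Path $Root "Cases\$CaseName\evidence-hashes.csv"
    $known = @{}
    if (Test-Path -LiteralPath $manifest) {
        Import-Csv $manifest | ForEach-Object { $known[$_.Path] = $true }
    }
    $new = Get-ChildItem -Path $evidenceDir -File -Recurse | Where-Object { -not $known[$_.FullName] }
    if (-not $new) { Write-Host "No new evidence files under $evidenceDir"; return 0 }
    $new | Get-FileHash -Algorithm SHA256 |
        Select-Object Path, Hash, @{n='RecordedAt'; e={ Get-Date -Format o }} |
        Export-Csv -Path $manifest -NoTypeInformation -Append
    # Never modify the evidence directory: clear the write bit on every registered file.
    $new | ForEach-Object { $_.IsReadOnly = $true }
    Write-Host "Registered $($new.Count) file(s) in $manifest"
    return $new.Count
}

# Before reporting, prove the evidence is unchanged since intake.
function Test-EvidenceIntegrity {
    param([Parameter(Mandatory)] [string]$CaseName, [string]$Root = "C:\Forensics")
    $manifest = Join-Path $Root "Cases\$CaseName\evidence-hashes.csv"
    $ok = $true
    foreach ($row in Import-Csv $manifest) {
        if (-not (Test-Path -LiteralPath $row.Path)) {
            Write-Warning "Missing: $($row.Path)"; $ok = $false; continue
        }
        $now = (Get-FileHash -Algorithm SHA256 -LiteralPath $row.Path).Hash
        if ($now -ne $row.Hash) { Write-Warning "HASH MISMATCH: $($row.Path)"; $ok = $false }
    }
    return $ok
}

# Usage (case name is constructed for this example):
# New-ForensicCase -CaseName "case-001-workstation"
# ...copy the triage collection into C:\Forensics\Evidence\case-001-workstation\ ...
# Register-Evidence -CaseName "case-001-workstation"
# Test-EvidenceIntegrity -CaseName "case-001-workstation"   # $true when nothing changed
```

The read-only attribute is a guard against accidental edits by your own tools, not a security control; the hash manifest is what you actually rely on, which is why Test-EvidenceIntegrity recomputes every hash rather than trusting file attributes or timestamps.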

FIELDCRAFT 45 min

Set up your forensic analysis workstation

What you need

A Windows 10/11 machine or VM with at least 16 GB RAM and 250 GB free disk space. Internet access for tool downloads. Java Runtime, Python 3.10+, Strawberry Perl.

Steps

1. Create the directory structure using the PowerShell script above.

2. Install prerequisites: Java Runtime, Python 3.10+, Strawberry Perl.

3. Download and extract Eric Zimmerman's tool suite to C:\Forensics\Tools\EZTools\. Add to PATH. Verify with PECmd.exe --help.

4. Install Autopsy. Launch it and create a test case to verify the installation.

5. Download and extract KAPE. Run kape.exe --sync to update targets and modules.

6. Download RegRipper. Verify with perl rip.pl -h.

7. Install Volatility 3 and Plaso in separate Python virtual environments.

8. Download Bulk Extractor, Encrypted Disk Detector, FTK Imager, and Arsenal Image Mounter.

9. Open Timeline Explorer and verify it launches with a test CSV.

10. Snapshot your VM. This is your clean baseline for all future casework.

Verify your setup: PECmd, MFTECmd, and EvtxECmd respond to --help. Autopsy launches and creates a case. RegRipper prints its help text. Timeline Explorer opens. Your directory structure exists. Your VM is snapshotted.
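The verification checklist above can be run as a script so you get a pass/fail table after each setup or snapshot revert. The following is an added example, not code from the course page: it checks the directory tree, the EZ tools on PATH, the KAPE and RegRipper files, Perl, the Volatility console script in its venv, and that Plaso is installed in its own venv. The function name and the exact checks are this example's own; the paths are the page's. Presence of vol.exe in the Volatility venv and the use of pip show for Plaso are assumptions about how pip lays out those packages.

```powershell
# Added example (not from the course page): setup self-check for this module.
function Test-ForensicWorkstation {
    param([string]$Root = "C:\Forensics")
    $checks = @()
    function script:AddCheck($name, $passed, $detail) {
        $script:checks += [pscustomobject]@{ Check = $name; Passed = [bool]$passed; Detail = $detail }
    }
    $script:checks = @()

    # Directory structure from the start of this module.
    foreach ($rel in "Tools\EZTools", "Tools\KAPE", "Tools\Velociraptor", "Tools\RegRipper",
                     "Tools\Plaso", "Tools\TSK", "Tools\BulkExtractor", "Tools\Volatility3",
                     "Cases", "Evidence", "Processed", "Exports", "Timelines") {
        $p = Join-Path $Root $rel
        AddCheck "Directory $rel" (Test-Path -LiteralPath $p -PathType Container) $p
    }

    # EZ tools must resolve from PATH (the page verifies with --help from a new prompt).
    foreach ($exe in "PECmd.exe", "MFTECmd.exe", "EvtxECmd.exe") {
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue
        AddCheck "On PATH: $exe" ($null -ne $cmd) $(if ($cmd) { $cmd.Source } else { "not found" })
    }

    # KAPE and RegRipper are run from their extraction directories.
    $kape = Join-Path $Root "Tools\KAPE\kape.exe"
    AddCheck "KAPE binary" (Test-Path -LiteralPath $kape) $kape
    $rip = Join-Path $Root "Tools\RegRipper\rip.pl"
    AddCheck "RegRipper rip.pl" (Test-Path -LiteralPath $rip) $rip
    $perl = Get-Command perl -ErrorAction SilentlyContinue
    AddCheck "Perl on PATH (Strawberry)" ($null -ne $perl) $(if ($perl) { $perl.Source } else { "not found" })

    # TSK: fls should resolve if the TSK bin directory was added to PATH.
    $fls = Get-Command fls -ErrorAction SilentlyContinue
    AddCheck "TSK fls on PATH" ($null -ne $fls) $(if ($fls) { $fls.Source } else { "not found" })

    # Volatility 3: pip installs a 'vol' console script into the venv's Scripts folder (assumption).
    $vol = Join-Path $Root "Tools\Volatility3\venv\Scripts\vol.exe"
    AddCheck "Volatility 3 in venv" (Test-Path -LiteralPath $vol) $vol

    # Plaso: ask the Plaso venv's own pip whether the package is installed (assumption: pip.exe present).
    $plasoPip = Join-Path $Root "Tools\Plaso\venv\Scripts\pip.exe"
    if (Test-Path -LiteralPath $plasoPip) {
        & $plasoPip show plaso *> $null
        AddCheck "Plaso in venv" ($LASTEXITCODE -eq 0) $plasoPip
    } else {
        AddCheck "Plaso in venv" $false "venv pip not found at $plasoPip"
    }

    $script:checks | Format-Table -AutoSize
    $failed = @($script:checks | Where-Object { -not $_.Passed }).Count
    Write-Host "$failed check(s) failed."
    return ($failed -eq 0)
}

# Usage: returns $true only when every check passed, which is the state to snapshot.
Test-ForensicWorkstation
```

Autopsy, Timeline Explorer, and the VM snapshot are deliberately left to manual verification: a GUI that launches and opens a case, or a snapshot taken in the hypervisor, is not something a script on the guest can confirm reliably.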

Your analysis workstation is ready. Module 1 starts with evidence collection: the decisions you make in the first 30 minutes of an investigation and how KAPE, Velociraptor, and memory acquisition tools get the evidence onto this workstation.