Is Autopsy the right tool for this job?

What I have: dd-generated images of five Windows servers which suffered a ransomware intrusion

What I want: to know how the bad guys got in.

Is this the right tool or am I barking up the wrong tree?

Autopsy can definitely help if you look at the timeline to see the most recently modified files, most recently run applications, inspect the registry for things like recently run programs, programs set to run on startup, examining Windows event logs for items such as RDP access, etc. There are numerous things you can analyze in Autopsy to determine how they got in! I would suggest however that you take a look at Cyber Triage, which is a commercial product from Basis Tech. It’s fantastic for ransomware investigations as it automates the manual steps you’d normally have to take and will give you results in a matter of minutes! Ask them for a demo and give it a shot, as it has saved us numerous hours for these types of investigations.

All this said, make sure you also look at how the external router or firewall was configured, as most ransomware intrusions are simply done through port-forwarded RDP access and a brute-force attack against the host. Once they are into the primary RDP server it’s simply a matter of time before they pivot to other hosts. You really need to talk to the network admin and do your own external scans to determine if RDP was the entry point.
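As an added illustration of the event-log check the answer describes (example code written for this page, not from Autopsy or Cyber Triage), this Python snippet flags a source address with a burst of failed RDP logons (Event ID 4625, logon type 10) followed by the first successful one (4624) from the same address, which is the likely entry point. The records are constructed samples, and the field layout, threshold and time window are assumptions.

```python
# Constructed sample of Security event log records (not real data). The
# fields mirror what an examiner exports from Security.evtx: timestamp,
# Event ID (4625 = failed logon, 4624 = successful logon), logon type
# (10 = RemoteInteractive/RDP), source address and account name.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = """\
2023-03-01T02:10:05 4625 10 203.0.113.7 administrator
2023-03-01T02:10:06 4625 10 203.0.113.7 admin
2023-03-01T02:10:08 4625 10 203.0.113.7 backup
2023-03-01T02:10:09 4625 10 203.0.113.7 administrator
2023-03-01T02:10:11 4625 10 203.0.113.7 administrator
2023-03-01T02:10:12 4625 10 203.0.113.7 administrator
2023-03-01T02:11:40 4624 10 203.0.113.7 administrator
2023-03-01T08:00:00 4625 10 192.0.2.50 jsmith
2023-03-01T08:00:30 4624 10 192.0.2.50 jsmith
2023-03-01T09:15:00 4624 2 - svc_backup
"""

def parse_events(text):
    """Parse the whitespace-separated records into tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, eid, ltype, src, user = line.split()
            events.append((datetime.fromisoformat(ts), int(eid), int(ltype), src, user))
    return events

def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: (failed_count, first_success_time_or_None)} for
    sources with >= threshold failed RDP logons inside `window`, paired with
    the first successful RDP logon from that source after the burst."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, eid, ltype, src, _user in events:
        if ltype != 10:            # only RemoteInteractive (RDP) logons matter here
            continue
        (failures if eid == 4625 else successes)[src].append(ts)
    hits = {}
    for src, times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            burst = [t for t in times[i:] if t - start <= window]
            if len(burst) >= threshold:
                after = [t for t in sorted(successes[src]) if t >= burst[-1]]
                hits[src] = (len(burst), after[0] if after else None)
                break
    return hits
```

On a real image, export the 4624/4625 records (with logon type and source address) from the Security log in Autopsy or another evtx parser into this layout, then correlate the flagged timestamp with the file-system timeline. 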