Autopsy 4.13 releases: Open source forensics tool

Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera’s memory card.

Support for Windows 32-bit and 64-bit operating system, the same support for Linux and OSX (download the source code, compile their own).

Feature

• Multi-User Cases: Collaborate with fellow examiners on large cases.
• Timeline Analysis: Displays system events in a graphical interface to help identify activity.
• Keyword Search: Text extraction and index searched modules enable you to find files that mention specific terms and find regular expression patterns.
• Web Artifacts: Extracts web activity from common browsers to help identify user activity.
• Registry Analysis: Uses RegRipper to identify recently accessed documents and USB devices.
• LNK File Analysis: Identifies shortcuts and accessed documents
• Email Analysis: Parses MBOX format messages, such as Thunderbird.
• EXIF: Extracts geolocation and camera information from JPEG files.
• File Type Sorting: Group files by their type to find all images or documents.
• Media Playback: View videos and images in the application and not require an external viewer.
• Thumbnail viewer: Displays thumbnail of images to help quick view pictures.
• Robust File System Analysis: Support for common file systems, including NTFS, FAT12/FAT16/FAT32/ExFAT, HFS+, ISO9660 (CD-ROM), Ext2/Ext3/Ext4, Yaffs2, and UFS from The Sleuth Kit.
• Hash Set Filtering: Filter out known good files using NSRL and flag known bad files using custom hashsets in HashKeeper, md5sum, and EnCase formats.
• Tags: Tag files with arbitrary tag names, such as ‘bookmark’ or ‘suspicious’, and add comments.
• Unicode Strings Extraction: Extracts strings from unallocated space and unknown file types in many languages (Arabic, Chinese, Japanese, etc.).
• File Type Detection based on signatures and extension mismatch detection.
• Interesting Files Module will flag files and folders based on name and path.
• Android Support: Extracts data from SMS, call logs, contacts, Tango, Words with Friends, and more.

Changelog 4.13

General:

• Switch from Oracle JDK to OpenJDK.
• Full command line support (case creation, adding of data sources, running ingest, and generating reports).

Logical Imager:

• Output can be individual files instead of VHD image (uses less space).
• More fine grained progress during collection and importing.
• Log of files and make artifacts.
• All console messages are saved to a log file too.
• Improved handling of cancellation when adding results into a case.

Ingest Modules:

• Added Android support as Python modules for: Android installed apps, Android browser, Facebook Messenger, IMO, LINE, Opera, ORUX Maps, Samsung SBrowser, Skype, ShareIt, TextNow, Viber, WhatsApp, Xender, Zapya.
• Recycle Bin files are parsed in Recent Activity module, new artifacts are created, and deleted file entries are created at the original location of the deleted files. Code is based on Mark McKinnon’s RecycleBin module (https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Recycle_Bin).
• ShellBag registry data is extracted from RegRipper in the Recent Activity module. New artifacts are recreated for the data. Based on Mark McKinnon’s “Parse ShellBags” module (https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Parse_Shellbags).
• Additional data is extracted about users from SAM hive in Recent Activity module. Data includes password dates, permissions, groups, and full name. Based on Mark McKinnon’s “Parse SAM” module (https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Parse_SAM).
• Email ingest module parses EML files. Based on Mark McKinnon’s “EML Parser” module (https://github.com/markmckinnon/Autopsy-Plugins/tree/master/EML_Parser).
• Fixed bug in MBOX module that caused attachments to have a “_” in the name.
• New Plaso ingest module that runs Plaso and generates events for the timeline.
• Fixed bug in Email module for VCard files to better parse phone number types.
• Keyword Search module waits longer for Solr to start to prevent incorrectly reporting a problem and disabling the feature.
• Embedded file extractor module was updated to not report compression bombs for GZIP files.

Timeline:

• New approach for storing event data. A dedicated events table exists and is populated as files and artifacts are added to the database. No longer requires an explicit step of populating a local events table.
• Users can create their own events from the Timeline UI.
• Filtering was simplified based or existence of tag or hash set hit versus a specific name.

Communications:

• Fixed bug that hid contact book entries with duplicate numbers.

Image Gallery:

• Fixed bug in schema that caused errors with very long file names.

Report:

• CASE report is included in a portable case.
• Image tags are included in portable case.
• More size options for a packaged portable case.
• New Infrastructure to support command line-based generation.

Backend:

• Developers should use new new Blackboard.postArtifact() method to ensure artifact is indexed and added to the timeline.
• New classes were created to make it easier to write modules for apps.

Download

Copyright © 2003-2017 Brian Carrier

Source: https://github.com/sleuthkit/