Autopsy 4.12 releases: Open source forensics tool

Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera’s memory card.

Support for Windows 32-bit and 64-bit operating system, the same support for Linux and OSX (download the source code, compile their own).

Feature

• Multi-User Cases: Collaborate with fellow examiners on large cases.
• Timeline Analysis: Displays system events in a graphical interface to help identify activity.
• Keyword Search: Text extraction and index searched modules enable you to find files that mention specific terms and find regular expression patterns.
• Web Artifacts: Extracts web activity from common browsers to help identify user activity.
• Registry Analysis: Uses RegRipper to identify recently accessed documents and USB devices.
• LNK File Analysis: Identifies shortcuts and accessed documents
• Email Analysis: Parses MBOX format messages, such as Thunderbird.
• EXIF: Extracts geolocation and camera information from JPEG files.
• File Type Sorting: Group files by their type to find all images or documents.
• Media Playback: View videos and images in the application and not require an external viewer.
• Thumbnail viewer: Displays thumbnail of images to help quick view pictures.
• Robust File System Analysis: Support for common file systems, including NTFS, FAT12/FAT16/FAT32/ExFAT, HFS+, ISO9660 (CD-ROM), Ext2/Ext3/Ext4, Yaffs2, and UFS from The Sleuth Kit.
• Hash Set Filtering: Filter out known good files using NSRL and flag known bad files using custom hashsets in HashKeeper, md5sum, and EnCase formats.
• Tags: Tag files with arbitrary tag names, such as ‘bookmark’ or ‘suspicious’, and add comments.
• Unicode Strings Extraction: Extracts strings from unallocated space and unknown file types in many languages (Arabic, Chinese, Japanese, etc.).
• File Type Detection based on signatures and extension mismatch detection.
• Interesting Files Module will flag files and folders based on name and path.
• Android Support: Extracts data from SMS, call logs, contacts, Tango, Words with Friends, and more.

Changelog 4.12

Collection

• Added ability to configure a USB drive to use new logical imager tool.
• Added logical imager tool that runs on a live Windows computer and saves results to a USB drive.
• Added ability to import logical imager results into Autopsy as a data source.

Ingest Modules:

• Changed file type detection so that Tika does not rely only on extension.
• Email ingest module assigns thread IDs to messages
• Android ingest modules store thread ID from their databases.

Content Viewers (lower right of UI):

• New “Text” viewer that consolidates previous Strings and “Indexed Text” viewers.
• New “Translation” panel was added to the new “Text” viewer.
• Added integration with Google and Bing translation (credentials required)
• Redesigned “Other Occurrences” viewer to have 4th column with details of selected item.
• Added Willi Ballentin’s “Registry Hive Viewer” panel to the “Application” viewer.
• Improved HTML viewer to use style sheets and better layout.
• Added ability to draw a box on a picture while tagging it.

Result Table (upper right of UI)

• Added paging to all views for faster loading of large data sets.
• Improved speed of displaying results when a column was sorted.

Reporting

• Portable cases can contain files marked as Interesting Items
• Portable cases can be compressed and chunked
• “Files – Text” report can use either tabs or commas as the delimiter
• “Files – Text” report better handles Unicode text.
• Added ability to create a CSV report for the contents of a table
• HTML report for tagged pictures includes a copy with the overlay box

Communications:

• Added Account Summary view
• Added Contacts panel to show all contacts associated with an account.
• Added Media panel to show media attachments associated with an account
• Added filter to show accounts if they involved with the most recent messages.
• Messages can be grouped by thread.

Auto Ingest

• New Test button was added to help diagnose permission and configuration issues.

Documentation:

• Created new Triage Standard Operating Procedure (SOP) section to the User Docs

Download

Copyright © 2003-2017 Brian Carrier

Source: https://github.com/sleuthkit/