Autopsy 4.9.1 release: Open source forensics tool
Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera’s memory card.
Autopsy supports 32-bit and 64-bit Windows operating systems. Linux and OSX are also supported: download the source code and compile it yourself.
Features:
- Multi-User Cases: Collaborate with fellow examiners on large cases.
- Timeline Analysis: Displays system events in a graphical interface to help identify activity.
- Keyword Search: Text extraction and index search modules enable you to find files that mention specific terms and find regular expression patterns.
- Web Artifacts: Extracts web activity from common browsers to help identify user activity.
- Registry Analysis: Uses RegRipper to identify recently accessed documents and USB devices.
- LNK File Analysis: Identifies shortcuts and accessed documents.
- Email Analysis: Parses MBOX format messages, such as Thunderbird.
- EXIF: Extracts geolocation and camera information from JPEG files.
- File Type Sorting: Group files by their type to find all images or documents.
- Media Playback: View videos and images in the application without requiring an external viewer.
- Thumbnail viewer: Displays thumbnails of images to help you quickly view pictures.
- Robust File System Analysis: Support for common file systems, including NTFS, FAT12/FAT16/FAT32/ExFAT, HFS+, ISO9660 (CD-ROM), Ext2/Ext3/Ext4, Yaffs2, and UFS from The Sleuth Kit.
- Hash Set Filtering: Filter out known good files using NSRL and flag known bad files using custom hashsets in HashKeeper, md5sum, and EnCase formats.
- Tags: Tag files with arbitrary tag names, such as ‘bookmark’ or ‘suspicious’, and add comments.
- Unicode Strings Extraction: Extracts strings from unallocated space and unknown file types in many languages (Arabic, Chinese, Japanese, etc.).
- File Type Detection based on signatures and extension mismatch detection.
- Interesting Files Module will flag files and folders based on name and path.
- Android Support: Extracts data from SMS, call logs, contacts, Tango, Words with Friends, and more.
Changelog:
- Removed data from the table that is time intensive and can be found in content viewers (such as hash set hits).
- Added ability to find common items (files, emails, etc.) between current case and past cases using the Central Repository.
- Added ability to ignore common items that exist in a large number of cases by using Central Repository data.
- Data is validated and normalized before being entered into the Central Repository.
- Allow users to specify that an ad-hoc keyword search should not be saved to the database.
- New “Annotations” content viewer that shows all tags and comments associated with an item.
- Added 2 icons to the table to show the item’s score (if it is notable or suspicious) and if it has a comment.
- Added column to the table to show previous number of occurrences.
- Tags are now associated with the user (in a multi-user environment) and you can hide other people’s tags.
- New Display options area that unifies various new settings.
- Hash sets can be copied into the user’s config folder (AppData), which makes it easier to run Autopsy from a Live Triage USB and not care about what drive letter it gets.
- Image Gallery stores its groups and seen status in Case DB instead of its own.
- Image Gallery works better in multi-user setups and reloads the database when other nodes add data sources.
- Image Gallery saves which user saw a group and gives user option of seeing only their unseen groups or all unseen groups.
- Saves the last export location and pre-populates it in the file picker.
- Provides feedback about why some right-click options are disabled (ingest is running, not file content, etc.).
- Substring keyword search is more accurate (now uses regular expression).
- New text extractor for SQLite that better deals with full text search tables.
- Better handling of Unicode text files that do not have a Byte Order Marker.
- Embedded file extractor module is now faster because it uses a different 7ZIP API.
- Fixed various HTML report bugs.
- Duplicate hash set hits are not created when you run the Hash Ingest Module twice.
- Auto ingest (in Experimental) scanning of input folders is faster.
Copyright © 2003-2017 Brian Carrier