OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
Post on 26-Jun-2015
Autopsy 3: Extensible Desktop Forensics
Brian Carrier
VP Digital Forensics
Basis Technology
2
Part 1:
What is Autopsy?
3
Elevator Pitch
• Autopsy is an open source desktop digital forensics tool that is:
– Easy to use
– Extensible
– Capable
4
Brief History
• 2001: First Open Source Release
– Interface to The Sleuth Kit
– Linux and OS X only
• 2010: Started v3 from scratch as a platform
– Inspired by OSDFCon discussions
– Windows-based
– Automated
– Some US Army funding (with 42Six Solutions)
– 3.0.0 released in September, 2012.
5
Screen Shot
6
Easy To Use
• Auto detect as much as possible.
• Guide you to next step:
– After case is created: Start Add Data Source Wizard
• All results are found in the tree.
• History buttons to allow you to back out.
• …
7
Frameworks
• Ingest Modules analyze media on import
– Hash analysis, keyword search, …
• Content viewers display files
– Text, image, text analytics, video triage, …
• Report modules generate final reports
– HTML, XML, …
• ...
• Would love feedback from other developers!
8
Fast Results
• Don’t wait until ingest is over to see results.
• Provided as soon as they are known.
• Indexed keyword search results:
– Given every 5 minutes.
• Prioritize user folders first.
9
Standard Features
• File System Analysis (via The Sleuth Kit)
– NTFS, FAT, HFS+, ExtX, UFS, ISO9660, YAFFS2, etc.
• Hash calculation and lookup
• Keyword search (via SOLR)
• Web artifact extraction
• EXIF and image analysis
• Tagging and Reporting
• View by file types, sizes, etc.
• View pictures and videos
10
Part 2:
What Is New Since OSDFCon 2012?
11
Improvements
• Many performance & stability improvements
• Bug fixes
• Better HTML Reports (speed, content, etc.)
• Error reporting in lower right bubbles
• Ingest Inbox updates
• More developer docs and sample modules
• Closer to Linux / OS X installers
• New logo
12
Dr. Hash
13
OS X Screen Shot
14
New Features
• Data Sources:
– Local (logical) files and local drives
– Ext4 and Yaffs2 (via Sleuth Kit)
• Analytics:
– ZIP / Archive Module
– Raw RegRipper output
– File Metadata viewer
– Beta Timeline Viewer
15
New Features (2)
• General:
– Tags and bookmarks
– 64-bit Version (faster, more memory)
– Multi-select tagging and exporting
• External modules:
– Basis Technology’s Video Triage module
– Basis Technology’s Text Gisting module
16
Video Triage
17
Text Gisting
18
Download Stats
• Version 3.0.6 had almost 15,000 official downloads between June and October.
19
Part 3:
What Is Coming?
20
Future Features
• Updatable Hash Databases (SQLite-based)
• Delete Tags
• Carving via Scalpel (need to plug memory leaks)
• ExFAT support (via NPS contract)
• OS X and Linux installers
• New focus on optimizing for search
– Keyword search UI
– Filtering of files
21
Future Features
• Training:
– Next Course: March 19-20 in Herndon, VA.
• Online forum for users and developers
• More third-party modules…
– Module Competition
22
DHS Funded Effort
• Problems:
– Increasing backlogs from more media
– Decreasing law enforcement budgets
• Proposed Solution:
– Make tools that are tailored towards common law enforcement use cases.
• Image and video analysis
• Timeline analysis
– Release as free, open source Autopsy modules.
23
Image Analysis
• Incorporate techniques used by photo management software into digital forensics software.
• Enable law enforcement to:
– Quickly identify known images
– Efficiently review child exploitation images of unknown victims.
• Beta will be available in January.
– Looking for law enforcement users.
24
Current Image Gallery
25
Initial Wireframe
26
Get Involved
• Download now:
– http://www.sleuthkit.org/
• Join sleuthkit-users e-mail list.
• Follow @sleuthkit on twitter for updates.
• Develop modules instead of stand-alone tools.
• Questions?