Autopsy 3: Extensible Desktop ForensicsBrian CarrierVP Digital ForensicsBasis Technology

2

Part 1:

What is Autopsy?

3

Elevator Pitch

• Autopsy is an open source desktop digital forensics tool that is:– Easy to use– Extensible– Capable

4

Brief History

• 2001: First Open Source Release – Interface to The Sleuth Kit– Linux and OS X only

• 2010: Started v3 from scratch as a platform– Inspired by OSDFCon discussions–Windows-based– Automated– Some US Army funding (with 42Six Solutions)– 3.0.0 released in September, 2012.

5

Screen Shot

6

Easy To Use

• Auto detect as much as possible.• Guide you to next step:– After case is created: Start Add Data Source Wizard

• All results are found in the tree. • History buttons to allow you to back out.• ….

7

Frameworks

• Ingest Modules analyze media on import–Hash analysis, keyword search,…

• Content viewers display files– Text, image, text analytics, video triage, …

• Report modules generate final reports–HTML, XML, …

• ...

• Would love feedback from other developers!

8

Fast Results

• Don’t wait until ingest is over to see results.• Provided as soon as they are known.• Indexed keyword search results:–Given every 5 minutes.

• Prioritize user folders first.

9

Standard Features

• File System Analysis (via The Sleuth Kit)–NTFS, FAT, HFS+, ExtX, UFS, ISO9660, YAFFS2, etc.

• Hash calculation and lookup• Keyword search (via SOLR)• Web artifact extraction• EXIF and image analysis• Tagging and Reporting• View by file types, sizes, etc.• View pictures and videos

10

Part 2:

What Is New Since OSDFCon 2012?

11

Improvements

• Many performance & stability improvements• Bug fixes• Better HTML Reports (speed, content, etc.)• Error reporting in lower right bubbles• Ingest Inbox updates• More developer docs and sample modules• Closer to Linux / OS X installers• New logo

12

Dr. Hash

13

OS X Screen Shot

14

New Features

• Data Sources:– Local (logical) files and local drives– Ext4 and Yaffs2 (via Sleuth Kit)

• Analytics:– ZIP / Archive Module– Raw RegRipper output– File Metadata viewer– Beta Timeline Viewer

15

New Features (2)

• General:– Tags and bookmarks– 64-bit Version (faster, more memory)–Multi-select tagging and exporting

• External modules:– Basis Technology’s Video Triage module– Basis Technology’s Text Gisting module

16

Video Triage

17

Text Gisting

18

Download Stats

• Version 3.0.6 had almost 15,000 official downloads between June and October.

19

Part 3:

What Is Coming?

20

Future Features

• Updatable Hash Databases (SQLite-based)• Delete Tags• Carving via Scalpel (need to plug memory leaks)• ExFAT support (via NPS contract)• OS X and Linux installers• New focus on optimizing for search– Keyword search UI– Filtering of files

21

Future Features

• Training:–Next Course: March 19-20 in Herndon, VA.

• Online forum for users and developers • More third-party modules….–Module Competition

22

DHS Funded Effort

• Problems:– Increasing backlogs from more media–Decreasing law enforcement budgets

• Proposed Solution:–Make tools that are tailored towards common law

enforcement use cases.• Image and video analysis• Timeline analysis

– Release as free, open source Autopsy modules.

23

Image Analysis

• Incorporate techniques used by photo management software into digital forensics software.• Enable law enforcement to:–Quickly identify known images– Efficiently review child exploitation images of

unknown victims.

• Beta will be available in January.– Looking for law enforcement users.

24

Current Image Gallery

25

Initial Wireframe

26

Get Involved

• Download now:– http://www.sleuthkit.org/

• Join sleuthkit-users e-mail list.• Follow @sleuthkit on twitter for updates.• Develop modules instead of stand-alone tools.

• Questions?