Autopsy 3.0 - Open Source Digital Forensics Conference
Autopsy 3.0 is a complete rewrite from Autopsy 2.0, and this talk will cover all of the things that are new about it. Multi-threaded ingest, triage, embedded databases, web artifact analysis, and indexed keyword search are just some of the new and exciting features.

This talk is targeted towards both users and developers. Users will learn about the tool, and how they can use it. Developers will learn the basics of where they can incorporate their tools into the Autopsy workflow as modules.

View more slides from the Open Source Digital Forensics Conference 2012 here: http://info.basistech.com/osdf-2012-slides
1. Autopsy 3.0
   Brian Carrier
   VP of Digital Forensics
   Basis Technology
   Open Source Digital Forensics Conference 2012

2. Autopsy 2

3. Why it had to go
   •  Didn’t run natively on Windows
   •  Slow UI and analytics
   •  Old-school HTML
      –  Couldn’t right click
   •  Didn’t allow much at the application level

4. Autopsy 3 Goals
   •  Open Source Graphical Platform / Framework
   •  Automation
   •  Fast Results / Triage
   •  Easy to use
   •  Appeal to large audience

5. Autopsy 3

6. Graphical Platform
   •  Started with the Netbeans Platform
      –  Java.
      –  Designed to build apps like this.
   •  Designed with lots of internal frameworks.
      –  Places where modules can be dropped in.
   •  Writing lots of docs to help developers build modules.

7. Automation
   •  Ingest Modules
   •  Run on each image as it is added.
      –  In background
      –  In parallel
      –  Saves previous settings

8. Ingest Modules (diagram)
   Input: E01 File
   Modules: MD5/SHA1 Hash Calculation, Hash Lookup, EXIF Extraction, Add Text to Keyword Index, Web Browser Analysis, Registry Analysis, MBOX Thunderbird, ...

9. Ingest Manager in Wizard

10. Fast Results / Triage
   •  Can configure ingest modules based on available time:
      –  Process unallocated space?
      –  Search for orphan files?
      –  English-only strings extraction?
   •  Results from Ingest modules are shown as they are found.
      –  Ingest Inbox gives updates.

11. Ingest Inbox Screen Shot

12. Fast Results / Triage
   •  Scheduler focuses on user content:
      1.  User folders
      2.  Program Files folder
      3.  Windows folders
   •  Scheduler will be modular to allow for different approaches.

13. Easy To Use
   •  Wizards to create cases and import data.
   •  Single navigation tree to find ingest module results.
      –  Modules post results to blackboard.
      –  More details will be given in the framework talk.
   •  Common navigation concepts:
      –  Back and Forward buttons
      –  Search bar in upper right

14. Easy To Use

15. Appeal to Large Audience
   •  Focused first on Windows.
   •  Installer
   •  Auto-update
   •  Basic features
      –  Keyword Search
      –  Hash Databases
      –  File System Browsing
      –  Registry Analysis
      –  E-mail Analysis

16. Keyword Search Module
   •  Index-based search
   •  Extracts text from documents:
      –  Better for non-English PDF and HTML files
   •  Uses Lucene SOLR (open source)
   •  Can support more advanced text analytics.
   •  Searches are done as image is indexed.
   •  Can save and export keyword lists.

17. Keyword List Manager

18. Keyword List Chooser

19. Hash Database Module
   •  Can calculate MD5 and SHA-1 hashes of all files.
   •  Looks up hashes in:
      –  NSRL (known files)
      –  EnCase hashsets (notable / known bad)
      –  Md5 hashsets (notable / known bad)
   •  Identifies known bad files as they are found.
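The hash calculation and lookup flow from the Hash Database slide, as an added Python illustration rather than Autopsy's own Java module. The sample files and the two hash sets are constructed in-memory stand-ins for files read from an image and for an NSRL-style known set and an md5 notable hashset; notable hits are reported as each file is processed, matching the slide's "as they are found" point.

```python
import hashlib

# Constructed sample "files" (path -> bytes); a real module reads them from the image.
SAMPLE_FILES = {
    "C:/Windows/System32/notepad.exe": b"known-good binary stand-in",
    "C:/Users/alice/Documents/notes.txt": b"meeting notes, nothing notable",
    "C:/Users/alice/Downloads/tool.exe": b"notable sample stand-in",
}

def file_hashes(data: bytes) -> dict:
    """Compute MD5 and SHA-1 in a single pass, chunked so the same loop
    serves large files pulled from an image."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for i in range(0, len(data), 65536):
        chunk = data[i:i + 65536]
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

# Constructed hash sets: an NSRL-style known set keyed by SHA-1 and an md5
# hashset of notable files keyed by MD5. Both hold lowercase hex.
KNOWN_SHA1 = {file_hashes(SAMPLE_FILES["C:/Windows/System32/notepad.exe"])["sha1"]}
NOTABLE_MD5 = {file_hashes(SAMPLE_FILES["C:/Users/alice/Downloads/tool.exe"])["md5"]}

def classify(hashes: dict, known_sha1: set, notable_md5: set) -> str:
    """Notable is checked first so a hit in a bad set is never masked by
    an entry in a known set."""
    if hashes["md5"] in notable_md5:
        return "NOTABLE"
    if hashes["sha1"] in known_sha1:
        return "KNOWN"
    return "UNKNOWN"

def run_hash_lookup(files: dict, known_sha1: set, notable_md5: set) -> list:
    """Classify each file as it is processed and report notable hits at once,
    instead of waiting until the whole image has been hashed."""
    results = []
    for path, data in files.items():
        status = classify(file_hashes(data), known_sha1, notable_md5)
        if status == "NOTABLE":
            print(f"[ingest inbox] notable file: {path}")
        results.append((path, status))
    return results

if __name__ == "__main__":
    for path, status in run_hash_lookup(SAMPLE_FILES, KNOWN_SHA1, NOTABLE_MD5):
        print(f"{status:8} {path}")
```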
20. Recent Activity Module
   •  Focuses on user activity
   •  Browser artifacts:
      –  History, cookies, downloads, bookmarks
      –  Firefox, Chrome, Safari, IE
   •  Recent user docs
   •  Recent devices
   •  Uses:
      –  RegRipper
      –  Pasco2

21. Recent Activity Results

22. Other Ingest Modules
   •  MBOX / Thunderbird
      –  Parses into individual messages
   •  Exif
      –  Extracts dates, GPS, and device information
   •  More to come

23. Data Content Viewer Framework
   •  Allows for different file types to be viewed differently.
   •  Standard modules:
      –  Hex
      –  Strings extraction (4 or more printable characters)
      –  Extracted Text from index
      –  Media (pictures / video)
         •  gstreamer
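The Strings content viewer's rule of "4 or more printable characters", as an added Python illustration and not Autopsy's own code. The ASCII pass follows the slide; the UTF-16LE pass is my own addition, included because Windows stores much of its text as two-byte characters that a pure ASCII scan would miss. The sample bytes are constructed.

```python
import re

MIN_LEN = 4  # the viewer's threshold: 4 or more printable characters

def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Return (offset, encoding, text) tuples, sorted by offset.
    ASCII pass: runs of printable bytes 0x20-0x7e plus tab.
    UTF-16LE pass (assumption, not from the slides): the same characters
    each followed by a NUL high byte."""
    ascii_re = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e\t]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)

# Constructed sample: a fake executable header, an ASCII stub message, a
# UTF-16LE file name, and two short runs that fall under the threshold.
SAMPLE = (
    b"\x00\x01MZ\x90\x00"
    + b"This program cannot be run in DOS mode"
    + b"\x00\xff"
    + "Notepad.exe".encode("utf-16-le")
    + b"\x00ab\x00ok\x00"
)

def demo() -> list:
    """Run the extractor over the constructed sample."""
    return extract_strings(SAMPLE)

if __name__ == "__main__":
    for offset, enc, text in demo():
        print(f"{offset:6d} {enc:9} {text}")
```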
24. Content Viewer: Hex

25. Content Viewer: Strings

26. Content Viewer: Media

27. Other Content Viewer Uses
   •  Finds names of people and places.
   •  Translates from Arabic to Latin characters.
   •  Looks names up in watch lists.

28. Reporting Framework
   •  Results can be saved to HTML or XML.
   •  Other modules can be created in the future.

29. How do you get it?
   •  Available from sleuthkit.org: http://www.sleuthkit.org/autopsy

30. For Developers
   •  Writing modules will make your life easier:
      –  We deal with file access.
      –  We deal with displaying results.
      –  …
   •  We’re polishing up the module writer’s guide: www.sleuthkit.org/autopsy/docs/api-docs

31. For Users
   •  Give us feedback.
   •  Bug the developers of your favorite tools to write them as modules.

32. Additional Credit For This Work
   •  Partly funded by US Army Intelligence Center of Excellence (USAICoE).
      –  Partnered with 42Six Solutions

33. Next Steps
   •  Framework Enhancements
   •  Linux / OS X support
   •  More modules
   •  Tighter integration with TSK Framework.

34. Thank you!
   For more information:
   Visit www.basistech.com
   Write to conference@basistech.com
   Call 617-386-2090 or 800-697-2062