Autopsy 3: Extensible Desktop Forensics
Brian Carrier
VP Digital Forensics
Basis Technology
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier

Autopsy 3 is an easy to use digital forensics tool. Its development started after discussions at the first OSDF conference, with the goal of being a platform for which other developers will write modules. Autopsy allows you to perform a digital forensics exam on Windows using a free tool. This talk will cover the basic features of Autopsy, including timeline analysis, registry analysis, web artifact analysis, keyword search, and hash sets. There will also be discussion about future modules, and how to get involved as a user or developer.

Slide 1: Autopsy 3: Extensible Desktop Forensics
Brian Carrier, VP Digital Forensics, Basis Technology

Slide 2: Part 1: What is Autopsy?

Slide 3: Elevator Pitch
• Autopsy is an open source desktop digital forensics tool that is:
– Easy to use
– Extensible
– Capable

Slide 4: Brief History
• 2001: First Open Source Release
– Interface to The Sleuth Kit
– Linux and OS X only
• 2010: Started v3 from scratch as a platform
– Inspired by OSDFCon discussions
– Windows-based
– Automated
– Some US Army funding (with 42Six Solutions)
– 3.0.0 released in September, 2012.

Slide 5: Screen Shot

Slide 6: Easy To Use
• Auto detect as much as possible.
• Guide you to next step:
– After case is created: Start Add Data Source Wizard
• All results are found in the tree.
• History buttons to allow you to back out.
• …

Slide 7: Frameworks
• Ingest Modules analyze media on import
– Hash analysis, keyword search, …
• Content viewers display files
– Text, image, text analytics, video triage, …
• Report modules generate final reports
– HTML, XML, …
• …
• Would love feedback from other developers!

Slide 8: Fast Results
• Don’t wait until ingest is over to see results.
• Provided as soon as they are known.
• Indexed keyword search results:
– Given every 5 minutes.
• Prioritize user folders first.

Slide 9: Standard Features
• File System Analysis (via The Sleuth Kit)
– NTFS, FAT, HFS+, ExtX, UFS, ISO9660, YAFFS2, etc.
• Hash calculation and lookup
• Keyword search (via SOLR)
• Web artifact extraction
• EXIF and image analysis
• Tagging and Reporting
• View by file types, sizes, etc.
• View pictures and videos

Slide 10: Part 2: What Is New Since OSDFCon 2012?

Slide 11: Improvements
• Many performance & stability improvements
• Bug fixes
• Better HTML Reports (speed, content, etc.)
• Error reporting in lower right bubbles
• Ingest Inbox updates
• More developer docs and sample modules
• Closer to Linux / OS X installers
• New logo

Slide 12: Dr. Hash

Slide 13: OS X Screen Shot

Slide 14: New Features
• Data Sources:
– Local (logical) files and local drives
– Ext4 and Yaffs2 (via Sleuth Kit)
• Analytics:
– ZIP / Archive Module
– Raw RegRipper output
– File Metadata viewer
– Beta Timeline Viewer

Slide 15: New Features (2)
• General:
– Tags and bookmarks
– 64-bit Version (faster, more memory)
– Multi-select tagging and exporting
• External modules:
– Basis Technology’s Video Triage module
– Basis Technology’s Text Gisting module

Slide 16: Video Triage

Slide 17: Text Gisting

Slide 18: Download Stats
• Version 3.0.6 had almost 15,000 official downloads between June and October.

Slide 19: Part 3: What Is Coming?

Slide 20: Future Features
• Updatable Hash Databases (SQLite-based)
• Delete Tags
• Carving via Scalpel (need to plug memory leaks)
• ExFAT support (via NPS contract)
• OS X and Linux installers
• New focus on optimizing for search
– Keyword search UI
– Filtering of files

Slide 21: Future Features
• Training:
– Next Course: March 19-20 in Herndon, VA.
• Online forum for users and developers
• More third-party modules …
– Module Competition

Slide 22: DHS Funded Effort
• Problems:
– Increasing backlogs from more media
– Decreasing law enforcement budgets
• Proposed Solution:
– Make tools that are tailored towards common law enforcement use cases.
  • Image and video analysis
  • Timeline analysis
– Release as free, open source Autopsy modules.

Slide 23: Image Analysis
• Incorporate techniques used by photo management software into digital forensics software.
• Enable law enforcement to:
– Quickly identify known images
– Efficiently review child exploitation images of unknown victims.
• Beta will be available in January.
– Looking for law enforcement users.

Slide 24: Current Image Gallery

Slide 25: Initial Wireframe

Slide 26: Get Involved
• Download now:
– http://www.sleuthkit.org/
• Join sleuthkit-users e-mail list.
• Follow @sleuthkit on twitter for updates.
• Develop modules instead of stand-alone tools.
• Questions?