Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform

Autopsy™ is the premier free and open source end-to-end digital forensics platform built by Basis Technology and the digital forensics open source community. The platform has been in development since OSDF Con 2010, based on intense interest and collaboration from the digital forensics community, which determined the need for an open source end-to-end forensics platform that runs on Windows systems.

Autopsy version 3 is a complete rewrite from version 2 and is built to enable the creation of fast, thorough, and efficient hard drive investigation tools that can evolve with digital investigators’ needs. The standard installation includes features that rival commercial closed source offerings, without the associated costs.

FEATURES
Triage capability and real-time alerting
Automated workflow based on The Sleuth Kit™
Windows installation
Case management and report generation
Recent user activity extraction including: web history, recent documents, bookmarks, downloads, and registry analysis
Keyword and pattern search including: phone numbers, email addresses, URLs, and IP addresses
Hash lookup
Interesting files detection and timeline viewing
...and much more

For digital forensics investigators and analysts, there are numerous advantages to using open source software and software built on open source platforms like Autopsy and The Sleuth Kit:
• Transparent evidence extraction: Open source platforms allow you to look at the source code and to verify that the software is performing its functions in a forensically sound way. This can prove to be critical when testifying or preparing for litigation.
• Easily extensible: Open source platforms grow organically; as the needs of their constituents and users change, so does their functionality.
• Active community of users and developers: In addition to commercial support offered by Basis Technology, there is a wealth of information available in a community that has evolved over the last 11 years, where both users and developers are actively working to improve the software platform. This free knowledge base is an extremely powerful value add to your purchased enterprise support.

Transcript

  • 1. Autopsy 3.0: Extensible Desktop Digital Forensics
    It’s not your father’s open source software
    Brian Carrier, VP of Digital Forensics, Basis Technology
    © 2013, Basis Technology
  • 2. Quick Intro To Basis Technology
    • Software and services technology company
    • Roughly 80 people
    • Offices in Cambridge, DC, Tokyo, and London
    • Two technology areas:
      – Text Analytics
      – Digital Forensics
  • 3. Digital Forensics at Basis
    • Conduct investigations
    • Research and development
    • Custom software development
    • Open Source Software
      – Autopsy module development
      – Commercial support
      – Training
  • 4. Open Source Software
    • What comes to your mind first?
  • 5. Open Source Software
    • What comes to your mind first?
    • Autopsy 3 is different
  • 6. Context: What Is The Sleuth Kit?
    • Open source software that allows you to forensically analyze disk images and local drives
  • 7. TSK Command Line Tools
    • Original method for using TSK
    • Over 25 different tools (!)
    • mmls example:
        # mmls tsk1.img
             Slot    Start      End        Length     Description
        00:  -----   0000000    0000000    0000001    Primary Table
        01:  -----   0000001    0000062    0000062    Unallocated
        02:  00:00   0000063    0032129    0032067    NTFS (0x07)
        03:  00:01   0032130    0064259    0032130    DOS FAT16 (0x06)
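As an added illustration of the volume-system analysis that mmls performs (this is not code from the slides or from The Sleuth Kit), the following Python parser reads a DOS/MBR partition table and reports the same slot, start, end, length and description rows as the slide's example, including the unallocated gaps between partitions. The MBR bytes, the partition-type table and the 64260-sector image size are constructed for the example and chosen to mirror the slide's output.

```python
import struct
# Partition-type codes that appear in the slide's mmls output (constructed subset)
PART_TYPES = {0x07: "NTFS (0x07)", 0x06: "DOS FAT16 (0x06)"}

def build_mbr(entries):
    # Construct a 512-byte MBR (sample data, not a real image) from
    # (type, start_lba, length) tuples placed in partition-table slots 0..3.
    mbr = bytearray(512)
    for i, (ptype, start, length) in enumerate(entries):
        off = 446 + 16 * i  # 16-byte entry: status, CHS start, type, CHS end, LBA start, LBA length
        struct.pack_into("<B3sB3sII", mbr, off, 0x00, b"\xff" * 3, ptype, b"\xff" * 3, start, length)
    mbr[510:512] = b"\x55\xaa"  # boot signature
    return bytes(mbr)

def parse_mbr(mbr, total_sectors):
    # Walk the DOS partition table and return mmls-style rows (slot, table:entry, start,
    # end, length, description); like mmls, the table sector and gaps become rows too.
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA signature: not a DOS partition table")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        ptype = mbr[off + 4]
        start, length = struct.unpack_from("<II", mbr, off + 8)
        if ptype == 0x00 or length == 0:
            continue  # empty table entry
        parts.append((i, start, length, PART_TYPES.get(ptype, "Unknown (0x%02X)" % ptype)))
    parts.sort(key=lambda p: p[1])  # report in on-disk order, as mmls does
    rows = [("-----", 0, 0, 1, "Primary Table")]
    cursor = 1
    for idx, start, length, desc in parts:
        if start > cursor:  # sectors no partition claims; worth carving later
            rows.append(("-----", cursor, start - 1, start - cursor, "Unallocated"))
        rows.append(("00:%02d" % idx, start, start + length - 1, length, desc))
        cursor = max(cursor, start + length)
    if cursor < total_sectors:  # trailing space after the last partition
        rows.append(("-----", cursor, total_sectors - 1, total_sectors - cursor, "Unallocated"))
    return [(slot,) + row for slot, row in enumerate(rows)]

def format_table(rows):
    # Render rows in the column layout of the slide's mmls example.
    lines = ["     Slot    Start      End        Length     Description"]
    for slot, tbl, start, end, length, desc in rows:
        lines.append("%02d:  %-5s   %07d    %07d    %07d    %s" % (slot, tbl, start, end, length, desc))
    return "\n".join(lines)

if __name__ == "__main__":
    sample = build_mbr([(0x07, 63, 32067), (0x06, 32130, 32130)])  # mirrors the slide
    print(format_table(parse_mbr(sample, 64260)))
```

Running the block prints the four rows shown on the slide; parse_mbr also reports trailing unallocated space when the image is larger than the last partition, which mmls does as well.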
  • 8. TSK Library Interface
    • Software libraries allow functionality to be embedded in a bigger program.
    • Many commercial, open source, and govn’t systems use TSK as a library.
    • Looks like: tsk_img_open(1, “C:\imgs\image1.E01”, TSK_IMG_TYPE_DETECT, 512);
  • 9. TSK Framework
    Talk to me after if you are building a system that needs this.
  • 10. TSK Take Away
    • Powerful volume and file system analysis tools.
    • Extensible framework.
    • Not user friendly for the 99%.
  • 11. Autopsy
    • Graphical digital forensics interface.
    • Brief History:
      – 2001: First Open Source Release
        • Interface to The Sleuth Kit
        • Linux and OS X only
      – 2010: Started v3 from scratch as a platform
        • Based on OSDFCon discussions
        • Windows-based & automated
        • Some US Army funding (with 42Six Solutions)
      – 3.0.0 released in September, 2012.
  • 12. Autopsy 3 Key Points
    • Extensible
      – Several frameworks and plug-in modules
    • Easy to use
      – Simple UI concepts
      – More details during the demo
    • Fast results
      – Provided as soon as they are found
    • Cost Effective
      – Free
  • 13. Autopsy 3 Main Screen
  • 14. Autopsy Ingest Modules
    (Diagram: an E01 file is fed through ingest modules such as MD5/SHA1 Hash Calculation, Hash Lookup, Add Text to Keyword Index, Web Browser Analysis, MBOX, Thunderbird, EXIF Extraction, Registry Analysis, ...)
    Run automatically as media is added to Case.
    • Remembers what you ran last time.
    • Anyone can write new modules.
    • Can tweak knobs based on investigation type and available time.
  • 15. Standard Ingest Modules
    • Hash Lookup:
      – NSRL, EnCase, Hashkeeper support
    • Keyword Search:
      – Lucene SOLR index
      – Extract text (better for HTML and PDF)
      – Import / export lists
      – Regular expressions
      – Can support more advanced text analytics
  • 16. Standard Ingest Modules
    • Recent Activity Module:
      – Browser artifacts:
        • History, cookies, downloads, bookmarks
        • Firefox, Chrome, Safari, IE
      – Recent user documents
      – Recent devices
      – Runs regripper behind the scenes
    • EXIF from JPEGs
    • MBOX email
    • ZIP Archive
  • 17. Future Ingest Module Ideas
    • More file formats / P2P logs
    • Anti-virus / Malware
    • Volume shadow / file system journals
    • Cryptography and steganography detection
    • Text analytics (language detection)
    • Object identification in pictures
    • Skin tone detection
  • 18. Content Viewer Modules
    • Display a file in a given way.
    • Text: Hex and Strings
    • Media: Pictures and video
  • 19. Content Viewer: Video Triage
  • 20. Content Viewer: Text Gisting
    • Not part of open source package
    • Name finder and translator
      – Uses Basis Technology text analytics
  • 21. External Viewer Module: Timeline
  • 22. Demo
  • 23. Takeaway
    • Easy to install and use
      – Less training and confusion.
    • Extensible and open
      – Can be adapted to your needs
      – Updated by community
    • Low cost
    • No cost
  • 24. Open Source Conference
    • 4th Annual Open Source Forensics Conference
      – Free for government employees!
      – http://www.osdfcon.org/
      – Nov 4 and 5 in Northern VA.
  • 25. Module Writing Competition
    • Cash prizes for best new module.
      – $1500 for first prize
    • Voting by attendees at OSDFCon.
    • Any module type is eligible.
    • See issue tracker for ideas.
    • Submission details: http://www.basistech.com/about-us/events/open-source-forensics-conference/contest/
  • 26. Autopsy Training
    • 2 Day Autopsy training courses:
      – November 6 & 7 in DC (after OSDFCon)
    • ½ Day Developer Training at OSDFCon
  • 27. What You Can Do
    • Users:
      – Use it and spread the word
      – Provide feedback on features
      – Help with documentation and support
    • Developers: Write modules instead of stand-alone apps. Contact us with feature changes.
    • We’re looking for law enforcement users.
  • 28. Conclusion
    • Download from:
      – http://www.sleuthkit.org/autopsy/
    • Questions: brianc@basistech.com
    • We’re hiring engineers….
    • We have stickers
  • 29. Demo Highlights (In Case Demo Fails)
  • 30. Easy To Use
  • 31. Splash Screen
    • User is always guided to next step in process
  • 32. Add Image Wizard
    • Detects image format
    • Detects volume and file systems
  • 33. Ingest Manager in Wizard
    • Uses previous settings for modules.
  • 34. Intuitive Interface
    • All results on left, history buttons, keyword search box
  • 35. Single Place for All Results
  • 36. View By File Type
  • 37. View Final Days of Activity
  • 38. Right Click Actions
    • View directories of keyword and hash hits
    • Tag and bookmark files
    • Extract files or launch external viewers
  • 39. Ingest Inbox
    • Shows users what has been found in background tasks
  • 40. HTML Report
    • Report modules can be customized
  • 41. Contact Info
    Brian Carrier, Basis Technology, brianc@basistech.com