OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier

Autopsy 3 is an easy-to-use digital forensics tool. Its development started after discussions at the first OSDF conference, with the goal of building a platform for which other developers write modules. Autopsy lets you perform a digital forensics exam on Windows with a free tool. This talk covers the basic features of Autopsy, including timeline analysis, registry analysis, web artifact analysis, keyword search, and hash sets, then discusses future modules and how to get involved as a user or developer.



  1. Autopsy 3: Extensible Desktop Forensics. Brian Carrier, VP Digital Forensics, Basis Technology
  2. Part 1: What is Autopsy?
  3. Elevator Pitch
     • Autopsy is an open source desktop digital forensics tool that is:
       – Easy to use
       – Extensible
       – Capable
  4. Brief History
     • 2001: First open source release
       – Interface to The Sleuth Kit
       – Linux and OS X only
     • 2010: Started v3 from scratch as a platform
       – Inspired by OSDFCon discussions
       – Windows-based
       – Automated
       – Some US Army funding (with 42Six Solutions)
       – 3.0.0 released in September 2012
  5. Screen Shot
  6. Easy To Use
     • Auto-detect as much as possible.
     • Guide you to the next step:
       – After a case is created: start the Add Data Source wizard
     • All results are found in the tree.
     • History buttons let you back out.
     • ...
  7. Frameworks
     • Ingest modules analyze media on import
       – Hash analysis, keyword search, ...
     • Content viewers display files
       – Text, image, text analytics, video triage, ...
     • Report modules generate final reports
       – HTML, XML, ...
     • ...
     • Would love feedback from other developers!
  8. Fast Results
     • Don't wait until ingest is over to see results.
     • Results are provided as soon as they are known.
     • Indexed keyword search results:
       – Delivered every 5 minutes.
     • User folders are prioritized first.
  9. Standard Features
     • File system analysis (via The Sleuth Kit)
       – NTFS, FAT, HFS+, ExtX, UFS, ISO9660, YAFFS2, etc.
     • Hash calculation and lookup
     • Keyword search (via Solr)
     • Web artifact extraction
     • EXIF and image analysis
     • Tagging and reporting
     • View by file types, sizes, etc.
     • View pictures and videos
  10. Part 2: What Is New Since OSDFCon 2012?
  11. Improvements
     • Many performance and stability improvements
     • Bug fixes
     • Better HTML reports (speed, content, etc.)
     • Error reporting in lower-right bubbles
     • Ingest Inbox updates
     • More developer docs and sample modules
     • Closer to Linux / OS X installers
     • New logo
  12. Dr. Hash
  13. OS X Screen Shot
  14. New Features
     • Data sources:
       – Local (logical) files and local drives
       – Ext4 and YAFFS2 (via The Sleuth Kit)
     • Analytics:
       – ZIP / archive module
       – Raw RegRipper output
       – File metadata viewer
       – Beta timeline viewer
  15. New Features (2)
     • General:
       – Tags and bookmarks
       – 64-bit version (faster, more memory)
       – Multi-select tagging and exporting
     • External modules:
       – Basis Technology's Video Triage module
       – Basis Technology's Text Gisting module
  16. Video Triage
  17. Text Gisting
  18. Download Stats
     • Version 3.0.6 had almost 15,000 official downloads between June and October.
  19. Part 3: What Is Coming?
  20. Future Features
     • Updatable hash databases (SQLite-based)
     • Delete tags
     • Carving via Scalpel (need to plug memory leaks)
     • exFAT support (via NPS contract)
     • OS X and Linux installers
     • New focus on optimizing for search
       – Keyword search UI
       – Filtering of files
  21. Future Features
     • Training:
       – Next course: March 19-20 in Herndon, VA.
     • Online forum for users and developers
     • More third-party modules ...
       – Module competition
  22. DHS Funded Effort
     • Problems:
       – Increasing backlogs from more media
       – Decreasing law enforcement budgets
     • Proposed solution:
       – Make tools that are tailored towards common law enforcement use cases:
         • Image and video analysis
         • Timeline analysis
       – Release them as free, open source Autopsy modules.
  23. Image Analysis
     • Incorporate techniques used by photo management software into digital forensics software.
     • Enable law enforcement to:
       – Quickly identify known images
       – Efficiently review child exploitation images of unknown victims.
     • Beta will be available in January.
       – Looking for law enforcement users.
  24. Current Image Gallery
  25. Initial Wireframe
  26. Get Involved
     • Download now: http://www.sleuthkit.org/
     • Join the sleuthkit-users e-mail list.
     • Follow @sleuthkit on Twitter for updates.
     • Develop modules instead of stand-alone tools.
     • Questions?
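Slide 9 lists "hash calculation and lookup" among the standard features and slide 20 promises "updatable hash databases (SQLite-based)". The Python below is an added example, not Autopsy or Sleuth Kit code, showing what that pairing looks like end to end: files are hashed in one streaming pass, the hashes are looked up in a SQLite store that holds several named hash sets, and each file comes back as KNOWN (e.g. stock OS files), NOTABLE (known bad) or UNKNOWN. The table layout, the KNOWN / NOTABLE set kinds, the set names and the sample files are all constructed for this example; they are not Autopsy's schema.

```python
"""Hash calculation and lookup against an updatable, SQLite-backed hash set.

Added example, not Autopsy or Sleuth Kit code. The table layout, the KNOWN /
NOTABLE set kinds and the sample files are this example's own assumptions.
"""
import hashlib
import sqlite3
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so large evidence files are never fully loaded


def file_hashes(path):
    """Return (md5_hex, sha1_hex) for a file, both computed in a single read pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


class HashDatabase:
    """Minimal SQLite hash set store. Sets are KNOWN (e.g. stock OS files, safe
    to de-prioritize) or NOTABLE (known bad, must be flagged). Because it is a
    plain table, new hashes can be appended at any time without rebuilding."""

    def __init__(self, db_path=":memory:"):
        self.conn = sqlite3.connect(db_path)
        self.conn.executescript("""
            CREATE TABLE IF NOT EXISTS hash_sets (
                id   INTEGER PRIMARY KEY,
                name TEXT UNIQUE NOT NULL,
                kind TEXT NOT NULL CHECK (kind IN ('KNOWN', 'NOTABLE'))
            );
            CREATE TABLE IF NOT EXISTS hashes (
                set_id INTEGER NOT NULL REFERENCES hash_sets(id),
                md5    TEXT NOT NULL,
                PRIMARY KEY (set_id, md5)
            );
            CREATE INDEX IF NOT EXISTS hashes_by_md5 ON hashes(md5);
        """)

    def add_set(self, name, kind):
        self.conn.execute("INSERT OR IGNORE INTO hash_sets(name, kind) VALUES (?, ?)", (name, kind))
        self.conn.commit()

    def add_hashes(self, set_name, md5s):
        """Append hashes to an existing set; duplicates and case differences are absorbed."""
        row = self.conn.execute("SELECT id FROM hash_sets WHERE name = ?", (set_name,)).fetchone()
        if row is None:
            raise KeyError(f"no hash set named {set_name!r}")
        self.conn.executemany("INSERT OR IGNORE INTO hashes(set_id, md5) VALUES (?, ?)",
                              ((row[0], h.lower()) for h in md5s))
        self.conn.commit()

    def lookup(self, md5):
        """Return [(set_name, kind), ...] for every set containing the hash; [] if unknown."""
        return self.conn.execute(
            "SELECT s.name, s.kind FROM hashes h JOIN hash_sets s ON s.id = h.set_id "
            "WHERE h.md5 = ? ORDER BY s.name", (md5.lower(),)).fetchall()


def classify(db, md5):
    """NOTABLE wins over KNOWN if a hash is in both kinds of set; otherwise UNKNOWN."""
    kinds = {kind for _, kind in db.lookup(md5)}
    if "NOTABLE" in kinds:
        return "NOTABLE"
    if "KNOWN" in kinds:
        return "KNOWN"
    return "UNKNOWN"


def scan_directory(db, root):
    """Hash every regular file under root and return {path: (md5, status)}."""
    results = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            md5, _sha1 = file_hashes(path)
            results[path] = (md5, classify(db, md5))
    return results


def demo():
    """Constructed walk-through: one known-good, one known-bad and one unknown file."""
    files = {  # constructed stand-ins, not real binaries
        "notepad.exe": b"stand-in for a stock OS binary\n",
        "invoice.pdf.exe": b"stand-in for a known malware sample\n",
        "notes.txt": b"user document nobody has hashed before\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in files.items():
            Path(tmp, name).write_bytes(data)
        db = HashDatabase()
        db.add_set("os-baseline", "KNOWN")
        db.add_set("malware", "NOTABLE")
        db.add_hashes("os-baseline", [hashlib.md5(files["notepad.exe"]).hexdigest()])
        # upper-case on purpose: vendor hash lists vary in case, lookup must not care
        db.add_hashes("malware", [hashlib.md5(files["invoice.pdf.exe"]).hexdigest().upper()])
        return {p.name: status for p, (_md5, status) in scan_directory(db, tmp).items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8} {name}")
```

Two choices worth noting. Hashes are stored and queried lower-cased because published hash lists differ in case, and a missed match on a known-bad hash is the worst failure mode here. And the MD5 key is kept only because most distributed hash sets are indexed on it; given MD5's known collisions, a KNOWN match should only de-prioritize a file for review, never clear it, while the SHA-1 computed in the same pass is available for sets that carry it.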
