The document presents Autopsy 3.0, an open-source digital forensics software developed by Basis Technology, highlighting its user-friendly interface, extensibility, and automation features. It supports various modules for file analysis, hash lookups, keyword searches, and web browser artifact examination, making it suitable for both law enforcement and general users. Additionally, the document discusses upcoming training opportunities and a module writing competition for community engagement.

1. © 2013, Basis Technology 1
Autopsy 3.0
Extensible Desktop Digital Forensics
It’s not your father’s open source software
Brian Carrier
VP of Digital Forensics
Basis Technology

2. © 2013, Basis Technology 2
• Software and services technology company
• Roughly 80 people
• Offices in Cambridge, DC, Tokyo, and London
• Two technology areas:
– Text Analytics
– Digital Forensics
Quick Intro To Basis Technology

3. © 2013, Basis Technology 3
• Conduct investigations
• Research and development
• Custom software development
• Open Source Software
– Autopsy module development
– Commercial support
– Training
Digital Forensics at Basis

4. © 2013, Basis Technology 4
• What comes to your mind first?
Open Source Software

5. © 2013, Basis Technology 5
• What comes to your mind first?
• Autopsy 3 is different
Open Source Software

6. © 2013, Basis Technology 6
• Open source software that allows you to
forensically analyze disk images and local
drives
Context: What Is The Sleuth Kit?

7. © 2013, Basis Technology 7
• Original method for using TSK
• Over 25 different tools (!)
• mmls example:
# mmls tsk1.img
Slot Start End Length Description
00: ----- 0000000 0000000 0000001 Primary Table
01: ----- 0000001 0000062 0000062 Unallocated
02: 00:00 0000063 0032129 0032067 NTFS (0x07)
03: 00:01 0032130 0064259 0032130 DOS FAT16
(0x06)
TSK Command Line Tools

8. © 2013, Basis Technology 8
• Software libraries allow functionality to be
embedded in a bigger program.
• Many commercial, open source, and govn’t
systems use TSK as a library.
• Looks like:
tsk_img_open(1, “C:imgsimage1.E01”,
TSK_IMG_TYPE_DETECT, 512);
TSK Library Interface

9. © 2013, Basis Technology 9
TSK Framework
Talk to me after if you are building a system that needs this.

10. © 2013, Basis Technology 10
• Powerful volume and file system analysis tools.
• Extensible framework.
• Not user friendly
for the 99%.
TSK Take Away

11. © 2013, Basis Technology 11
• Graphical digital forensics interface.
• Brief History:
– 2001: First Open Source Release
• Interface to The Sleuth Kit
• Linux and OS X only
– 2010: Started v3 from scratch as a platform
• Based on OSDFCon discussions
• Windows-based & automated
• Some US Army funding (with 42Six Solutions)
• 3.0.0 released in September, 2012.
Autopsy

12. © 2013, Basis Technology 12
• Extensible
– Several frameworks and plug-in modules
• Easy to use
– Simple UI concepts
– More details during the demo
• Fast results
– Provided as soon as they are found
• Cost Effective
– Free
Autopsy 3 Key Points

13. © 2013, Basis Technology 13
Autopsy 3 Main Screen

14. © 2013, Basis Technology 14
Autopsy Ingest Modules
MD5/SHA1
Hash
Calculation
Hash
Lookup
Add Text to
Keyword
Index
...
Web
Browser
Analysis
E01 File
MBOX
Thunderbird
EXIF
Extraction
Registry
Analysis
Run automatically as media is added to Case.
• Remembers what you ran last time.
• Anyone can write new modules.
• Can tweak knobs based on
investigation type and available time.

15. © 2013, Basis Technology 15
• Hash Lookup:
– NSRL, EnCase, Hashkeeper support
• Keyword Search:
– Lucene SOLR index
– Extract text (better for HTML and PDF)
– Import / export lists
– Regular expressions
– Can support more advanced text analytics
Standard Ingest Modules

16. © 2013, Basis Technology 16
• Recent Activity Module:
– Browser artifacts:
• History, cookies, downloads, bookmarks
• Firefox, Chrome, Safari, IE
– Recent user documents
– Recent devices
– Runs regripper behind the scenes
• EXIF from JPEGs
• MBOX email
• ZIP Archive
Standard Ingest Modules

17. © 2013, Basis Technology 17
• More file formats / P2P logs
• Anti-virus / Malware
• Volume shadow / file system journals
• Cryptography and steganography detection
• Text analytics (language detection)
• Object identification in pictures
• Skin tone detection
Future Ingest Module Ideas

18. © 2013, Basis Technology 18
• Display a file in a given way.
• Text: Hex and Strings
• Media: Pictures and video
Content Viewer Modules

19. © 2013, Basis Technology 19
Content Viewer: Video Triage

20. © 2013, Basis Technology 20
• Not part of open source package
• Name finder and translator
– Uses Basis Technology text analytics
Content Viewer: Text Gisting

21. © 2013, Basis Technology 21
External Viewer Module: Timeline

22. © 2013, Basis Technology 22
Demo

23. © 2013, Basis Technology 23
• Easy to install and use
– Less training and confusion.
• Extensible and open
– Can be adapted to your needs
– Updated by community
• Low cost
• No cost
Takeaway

24. © 2013, Basis Technology 24
• 4th Annual Open Source Forensics Conference
– Free for government employees!
– http://www.osdfcon.org/
– Nov 4 and 5 in Northern VA.
Open Source Conference

25. © 2013, Basis Technology 25
• Cash prizes for best new module.
– $1500 for first prize
• Voting by attendees at OSDFCon.
• Any module type is eligible.
• See issue tracker for ideas.
• Submission details:
http://www.basistech.com/about-
us/events/open-source-forensics-
conference/contest/
Module Writing Competition

26. © 2013, Basis Technology 26
• 2 Day Autopsy training courses:
– November 6 & 7 in DC (after OSDFCon)
• ½ Day Developer Training at OSDFCon
Autopsy Training

27. © 2013, Basis Technology 27
• Users:
– Use it and spread the word
– Provide feedback on features
– Help with documentation and support
• Developers: Write modules instead of stand-
alone apps. Contact us with feature changes.
• We’re looking for law enforcement users.
What You Can Do

28. © 2013, Basis Technology 28
• Download from:
– http://www.sleuthkit.org/autopsy/
• Questions: brianc@basistech.com
• We’re hiring engineers….
• We have stickers
Conclusion

29. © 2013, Basis Technology 29
Demo Highlights
(In Case Demo Fails)

30. © 2013, Basis Technology 30
Easy To Use

31. © 2013, Basis Technology 31
Splash Screen
• User is always guided to next step in process

32. © 2013, Basis Technology 32
Add Image Wizard
• Detects image format
• Detects volume and file systems

33. © 2013, Basis Technology 33
Ingest Manager in Wizard
• Uses previous settings for modules.

34. © 2013, Basis Technology 34
Intuitive Interface
• All results on left, history buttons, keyword search box

35. © 2013, Basis Technology 35
Single Place for All Results

36. © 2013, Basis Technology 36
View By File Type

37. © 2013, Basis Technology 37
View Final Days of Activity

38. © 2013, Basis Technology 38
• View directories of keyword and hash hits
• Tag and bookmark files
• Extract files or launch external viewers
Right Click Actions

39. © 2013, Basis Technology 39
Ingest Inbox
• Shows users what has been found in background tasks

40. © 2013, Basis Technology 40
HTML Report
• Report modules can be customized

41. © 2013, Basis Technology 41
Contact Info
Brian Carrier
Basis Technology
brianc@basistech.com