Digital Forensics Platform – [Autopsy]

Introduction

Autopsy is a free digital forensics platform and graphical user interface (GUI) to The Sleuth Kit and other open source digital forensics tools, that allows you to efficiently analyze hard drives and smart phones or even recover photos from your camera’s memory card, etc. Plugin architecture allows you to find add-on modules or develop custom in Java or Python.

Autopsy: Digital Forensics Platform

The Autopsy and Sleuth Kit are both open source and together they can analyze Windows and UNIX disks and file systems (NTFS, FAT, UFS1/2, Ext2/3, etc.).  This digital forensics platform is designed to be intuitive and easy to use, even for non-technical investigators.

Very simple interface and multiple guides/wizards allows you straight and easy usage. Also, there are no annoying popups to distract you from investigation, all messages from modules/results will be located in ingest inbox.

Supported Platforms

Autopsy runs on Windows-based systems, and on the same UNIX platforms as The Sleuth Kit:

• Linux
• Mac OS X
• Open & FreeBSD
• Solaris
• Cygwin (you can’t use the win32 executables, you must build in Cygwin)

Features

Autopsy comes with plenty of modules that provides:

• MULTI-USER CASES: Collaborate with fellow examiners on large cases.
• TIMELINE ANALYSIS: Displays system events in a graphical interface to help identify activity.
• KEYWORD SEARCH: Text extraction and index searched modules enable you to find files that mention specific terms and find regular expression patterns.
• WEB ARTIFACTS: Extracts web activity from common browsers to help identify user activity.
• Registry Analysis: Uses RegRipper to identify recently accessed documents and USB devices.
• LNK File Analysis: Identifies short cuts and accessed documents
• Email Analysis: Parses MBOX format messages, such as Thunderbird.
• EXIF: Extracts geo location and camera information from JPEG files.
• File Type Sorting: Group files by their type to find all images or documents.
• Media Playback: View videos and images in the application and not require an external viewer.
• Thumbnail viewer: Displays thumbnail of images to help quick view pictures.
• Robust File System Analysis: Support for common file systems, including NTFS, FAT12/FAT16/FAT32/ExFAT, HFS+, ISO9660 (CD-ROM), Ext2/Ext3/Ext4, Yaffs2, and UFS from The Sleuth Kit.
• Hash Set Filtering: Filter out known good files using NSRL and flag known bad files using custom hashsets in HashKeeper, md5sum, and EnCase formats.
• Tags: Tag files with arbitrary tag names, such as ‘bookmark’ or ‘suspicious’, and add comments.
• Unicode Strings Extraction: Extracts strings from unallocated space and unknown file types in many languages (Arabic, Chinese, Japanese, etc.).
• File Type Detection based on signatures and extension mismatch detection.
• Interesting Files Module will flag files and folders based on name and path.
• Android Support: Extracts data from SMS, call logs, contacts, Tango, Words with Friends, and more.

Reporting

Available file report:

• HTML, XLS: fully packaged and shareable reports with comments and notes (bookmarks, web history, recent documents, keyword hits, hashset hits, installed programs, devices attached, cookies, downloads, and search queries);
• Body: primarily for use in timeline analysis, this file will include MAC times for every file in an XML format for import by external tools, such as mactime in The Sleuth Kit.

Fast Results

Features to get you evidence faster:

• Multiple ingest modules run in parallel to take advantage of multi-core systems.
• Results from ingest modules are, in general, given as soon as they are found.
• Time intensive steps can be disabled for a faster, but less thorough analysis.
• User folders and files are prioritized over system folders and files.

Install

Windows:

Autopsy is very easy to install, when we talk about Windows platforms. All Autopsy dependencies are bundled with the installer, so there is no need for manual installation. Just follow the usual steps.

Linux/OS X:

It will run on Linux and OS X, but you’ll need to do some manual steps to compile. Download the .ZIP file and follow the instructions for dependencies installation.

Furthermore, if you want to make custom modules, they also offers online training to help you in learning process Click the ‘tutorials’ button for source.

But, that’s not everything. Above all, Autopsy is completely free digital forensics platform!