Releases: sleuthkit/autopsy
Autopsy 4.14.0
Specialized UIs:
- New File Discovery UI that allows you to search and filter for certain types of files. Works best with the Central Repository storing all of the hashes you've seen.
- New Map viewer that uses either Bing (when online) or offline map tiles.
- Communications UI shows country names for phone numbers and fixed bug in summary panel.
- Fixed bugs in timeline filtering.
- Refactored backend timeline filtering code based on The Sleuth Kit data model changes to remove JavaFX dependency.
Data Sources:
- Added limited support for APFS disk images. Does not include encrypted volumes or ones that span multiple disks. Uses contribution to The Sleuth Kit from Black Bag Technologies.
- New data source processor that parses “XRY File Exports”.
Content Viewers:
- Added a new “Context” viewer to show where a file came from. Currently shows what message a file was attached to or what URL a file was downloaded from.
- Added support to seek and change playback speed for videos in “Application” viewer.
- Improved support for Unicode HTML files in “Application” viewer.
- Added support for webp image files in “Application” viewer.
Ingest Modules:
- Keyword Search module uses Decodetect statistical encoding detection for plain text files. Fixes issues with incorrect detection of Japanese files.
- Embedded File Extractor module uses statistical analysis to determine encoding of file names in ZIP files. Fixes issues with ZIP files created on Windows Japanese computers.
- Solr (Keyword Search module) now uses Japanese-specific tokenization using Kuromoji.
- Fixed Shellbags module in RegRipper (used by Autopsy Recent Activity module) to fix parsing errors.
- Plaso module no longer generates an error if enabled for non-disk image data sources.
- Added support for message attachments that are stored as an external file system file. Expanded Email and Android modules to use this technique.
General:
- Fixed crashes by gstreamer when a video is selected.
- Added initial capability to delete a data source from a case (excludes data in the CR).
- Changed behavior of portable case menu item to automatically open the case and warn if it was already unpacked.
- Fixed bug that caused issues when case metadata had Unicode values.
- Added new Attachment APIs to the CommunicationsArtifactHelper class to support attachments stored as external file system files.
Autopsy 4.13.0
General:
- Switch from Oracle JDK to OpenJDK.
- Full command line support (case creation, adding of data sources, running ingest, and generating reports).
Logical Imager:
- Output can be individual files instead of VHD image (uses less space).
- Finer-grained progress reporting during collection and importing.
- Log of files and make artifacts.
- All console messages are saved to a log file too.
- Improved handling of cancellation when adding results into a case.
Ingest Modules:
- Added Android support as Python modules for: Android installed apps, Android browser, Facebook Messenger, IMO, LINE, Opera, ORUX Maps, Samsung SBrowser, Skype, ShareIt, TextNow, Viber, WhatsApp, Xender, Zapya.
- Recycle Bin files are parsed in Recent Activity module, new artifacts are created, and deleted file entries are created at the original location of the deleted files. Code is based on Mark McKinnon’s RecycleBin module (https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Recycle_Bin).
- ShellBag registry data is extracted from RegRipper in the Recent Activity module. New artifacts are recreated for the data. Based on Mark McKinnon’s “Parse ShellBags” module (https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Parse_Shellbags).
- Additional data is extracted about users from SAM hive in Recent Activity module. Data includes password dates, permissions, groups, and full name. Based on Mark McKinnon’s “Parse SAM” module (https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Parse_SAM).
- Email ingest module parses EML files. Based on Mark McKinnon’s “EML Parser” module (https://github.com/markmckinnon/Autopsy-Plugins/tree/master/EML_Parser).
- Fixed bug in MBOX module that caused attachments to have a “_” in the name.
- New Plaso ingest module that runs Plaso and generates events for the timeline.
- Fixed bug in Email module for VCard files to better parse phone number types.
- Keyword Search module waits longer for Solr to start to prevent incorrectly reporting a problem and disabling the feature.
- Embedded file extractor module was updated to not report compression bombs for GZIP files.
Timeline:
- New approach for storing event data. A dedicated events table exists and is populated as files and artifacts are added to the database. No longer requires an explicit step of populating a local events table.
- Users can create their own events from the Timeline UI.
- Filtering was simplified to be based on the existence of a tag or hash set hit rather than on a specific name.
Communications:
- Fixed bug that hid contact book entries with duplicate numbers.
Image Gallery:
- Fixed bug in schema that caused errors with very long file names.
Report:
- CASE report is included in a portable case.
- Image tags are included in portable case.
- More size options for a packaged portable case.
- New Infrastructure to support command line-based generation.
Backend:
- Developers should use the new Blackboard.postArtifact() method to ensure the artifact is indexed and added to the timeline.
- New classes were created to make it easier to write modules for apps.
Autopsy 4.12.0
Collection
- Added ability to configure a USB drive to use new logical imager tool.
- Added logical imager tool that runs on a live Windows computer and saves results to a USB drive.
- Added ability to import logical imager results into Autopsy as a data source.
Ingest Modules:
- Changed file type detection so that Tika does not rely only on extension.
- Email ingest module assigns thread IDs to messages
- Android ingest modules store thread ID from their databases.
Content Viewers (lower right of UI):
- New “Text” viewer that consolidates previous Strings and “Indexed Text” viewers.
- New “Translation” panel was added to the new “Text” viewer.
- Added integration with Google and Bing translation (credentials required)
- Redesigned “Other Occurrences” viewer to have 4th column with details of selected item.
- Added Willi Ballentin’s “Registry Hive Viewer” panel to the “Application” viewer.
- Improved HTML viewer to use style sheets and better layout.
- Added ability to draw a box on a picture while tagging it.
Result Table (upper right of UI)
- Added paging to all views for faster loading of large data sets.
- Improved speed of displaying results when a column was sorted.
Reporting
- Portable cases can contain files marked as Interesting Items
- Portable cases can be compressed and chunked
- “Files - Text” report can use either tabs or commas as the delimiter
- “Files - Text” report better handles Unicode text.
- Added ability to create a CSV report for the contents of a table
- HTML report for tagged pictures includes a copy with the overlay box
Communications:
- Added Account Summary view
- Added Contacts panel to show all contacts associated with an account.
- Added Media panel to show media attachments associated with an account
- Added filter to show accounts if they were involved in the most recent messages.
- Messages can be grouped by thread.
Auto Ingest
- New Test button was added to help diagnose permission and configuration issues.
Documentation:
- Created new Triage Standard Operating Procedure (SOP) section to the User Docs
Autopsy 4.11.0
New Features:
Adding Data:
- Hashes can optionally be entered when adding a disk image data source to a case.
- Acquisition details can be stored when the data source is added.
Ingest Modules:
- Added support for Microsoft Edge browser (cookies, history, and bookmarks)
- Added support for Safari web browser (downloads, cookies, history, and bookmarks)
- Expanded Chrome browser support to include cache parsing and form/auto fill.
- Expanded Firefox browser support to extract form/auto fill fields.
- Parse Zone.Identifier files to identify the source of files.
- Added a TSK_SOURCE artifact to downloaded files to help users trace back to where they came from.
- Added support for parsing vCards (virtual cards).
- Extract more information about Windows user accounts (number of logins, creation date, and last login)
- Detect more operating system types, which get saved as a TSK_OS_INFO artifact.
- Detect Android media cards, which get saved as a TSK_DATA_SOURCE_USAGE artifact.
UI:
- The Application content viewer now displays HTML files.
- Video playback now uses gstreamer on 64-bit systems, which supports more video formats.
- Pictures can be rotated and zoomed in the Application content viewer.
- The Other Occurrences content viewer layout was reorganized to make viewing the data easier.
- New "Data Source Summary" panel shows high-level statistics and details about the data sources in the case.
- Data sources are now listed in the data sources tree in alphabetical order.
- The presentation of finding common properties within a case was revised to group results in a more helpful way.
Report / Export:
- Portable Cases can be created based on tagged data. These cases contain a subset of the case data and can be opened anywhere.
- Users can now choose tabs or commas as the delimiter for a files report.
- Case notes are included in the HTML report.
Other:
- Added a new file type that allows module writers to specify a file based on its byte range.
- Data sources can be analyzed and have a CASE/UCO report generated using only the command line.
Bug Fixes
- Decreased the time required to execute inter-case common properties searches of the Central Repository.
- Assorted small bug fixes are included.
Autopsy 4.10.0
New Features:
- Central Repository
- Case Manager shows data source details
- SSID, MAC address, IMEI, IMSI, and ICCID can be stored and correlated on
- SSID, MAC address, IMEI, IMSI, and ICCID values from past cases are flagged if they are seen again in the current case.
- File types can be specified when searching for common files with past cases.
- Results from finding common files with past cases are now organized by case instead of by number of occurrences.
- The Central Repository can now be searched for a specific value (hash, email, etc.)
- The E01 Verifier ingest module was renamed to Data Source Integrity module and it will:
- Calculate hashes if none exist for a non-E01 data source
- Validate hashes if they are defined
- MD5, SHA1, or SHA256 hash values of raw data sources can now be specified when they are added.
- Added the ability for examiners to select the time zone for displaying dates.
- Tesseract OCR text extraction for keyword search now supports languages other than English, if language packs are installed.
- Custom headers and footers can now be added to HTML reports.
- New report module to export basic file data in CASE/UCO format.
- Ingest filter rules (for triage) can now specify a list of extensions (such as "jpg,jpeg,png") instead of needing to make a rule for each extension.
- Image Gallery
- Refactored to ensure database was fully closed when case was closed.
- No longer pre-populate DrawableDB database.
- Added caching to reduce time required to insert files after analysis.
Bug Fixes:
- Duplicate interesting item and EXIF metadata artifacts are no longer created when you run the modules that generate them more than once.
- The Application content viewer now displays SQLite table column names even when the table is empty.
- Assorted small bug fixes are included.
Autopsy 4.9.1
This release has only Image Gallery fixes, but one of the bugs can cause the entire application to hang if there is a ' in the name.
Bug Fixes:
- Fixed possible ingest deadlock from Image Gallery database inserts.
- Image Gallery does not need lock on Case DB during pre-population, which makes UI more responsive.
- Other misc Image Gallery fixes.
Autopsy 4.9.0
New Features:
- Removed data from the results table that is time intensive to load and can be found in content viewers instead (such as hash set hits).
- Added ability to find common items (files, emails, etc.) between current case and past cases using the Central Repository.
- Added ability to ignore common items that exist in a large number of cases by using Central Repository data.
- Data is validated and normalized before being entered into the Central Repository.
- Allow users to specify that an ad-hoc keyword search should not be saved to database
- New “Annotations” content viewer that shows all tags and comments associated with an item
- Added 2 icons to the table to show the item’s score (if it is notable or suspicious) and if it has a comment.
- Added column to the table to show previous number of occurrences.
- Tags are now associated with the user (in a multi-user environment) and you can hide other people’s tags
- New Display options area that unifies various new settings.
- Hash sets can be copied into the user’s config folder (AppData), which makes it easier to run Autopsy from a Live Triage USB and not care about what drive letter it gets.
- Image Gallery stores its groups and seen status in Case DB instead of its own.
- Image Gallery works better in multi-user setups and reloads the database when other nodes add data sources.
- Image Gallery saves which user saw a group and gives user option of seeing only their unseen groups or all unseen groups.
- Saves last export location and pre-populates that in the file picker
- Provide feedback about why some right click options are disabled (ingest is running, not file content, etc.)
Bug Fixes:
- Substring keyword search is more accurate (now uses regular expression)
- New text extractor for SQLite that better deals with full text search tables
- Better deal with Unicode text files that do not have Byte Order Marker
- Embedded file extractor module is now faster because it uses a different 7ZIP API.
- Fixed various HTML report bugs
- Duplicate hash set hits are not created when you run the Hash Ingest Module twice.
- Auto ingest (in Experimental) scanning of input folders is faster.
Autopsy 4.8.0
New Features:
- Data Source Grouping:
-- The case tree view can now be grouped by data source.
-- Keyword and file search can now be restricted to a data source.
- Central Repository / Correlation:
-- New common files search feature that finds files that exist in multiple devices in the same case.
-- The Other Occurrences content viewer now shows matches in the current case (in addition to central repository).
-- Central repository options panel now shows cases that are in the repo.
-- A comment about a file can be created and saved in the central repository so that future cases can see it.
- Keyword Search:
-- Can enable OCR text extraction of PDF and JPG files using Tesseract.
-- Keyword search module normalizes Unicode text.
-- Keyword search module uses ICU to convert text files that do not have a BOM.
- Tagging:
-- Tagging menu changed to have user defined tags at top and "quick tag" removed one level of menus.
-- New "Replace Tag" feature to change the tag on an item.
- Other:
-- SQLite tables can now be exported to CSV files.
-- An interesting file artifact is now created when a "zip bomb" is detected.
-- An object detection ingest module was added to the Experimental module. It requires an OpenCV trained model.
Bug Fixes:
- Expanding the case tree is more efficient.
- Improved "zip bomb" detection.
- Assorted small bug fixes are included.
Autopsy 4.7.0
New Features:
- A graph visualization was added to the Communications tool to make it easier to find messages and relationships.
- A new "Application" content viewer (lower right) that will contain file-type specific viewers (to reduce number of tabs).
- New viewer for SQLite databases (in Application content viewer)
- New viewer for binary PLists (in Application content viewer)
- L01 files can be imported as data sources.
- Ingest filters can now use date range conditions for triage.
- Passwords to open password protected archive files can be entered (by right clicking on the file).
- Reports (e.g., RegRipper output) generated by ingest modules are now indexed for keyword search.
- PhotoRec carving module can be configured to keep corrupted files.
- Sector size can be specified for local drives and images when E01 is wrong or it is a raw image.
- New data source processor in Experimental module that runs Volatility, adds the outputs as files, and parses the reports to provide INTERESTING_FILE artifacts.
- Assorted small enhancements are included.
Bug Fixes:
- Memory leaks and other issues revealed by fuzzing The Sleuth Kit have been fixed.
- Result views (upper right) and content views (lower right) stay in sync when switching result views.
- Concurrency bugs in the ingest tasks scheduler have been fixed.
- Assorted small bug fixes are included.
Autopsy 4.6.0 Linux ZIP (beta 1)
We're incrementally releasing a packaged version of Autopsy for Linux. This is the first version of it based on the official 4.6.0 release.
Prerequisites
The following need to be done at least once. They do not need to be repeated for each Autopsy release.
- Install testdisk for photorec functionality
% sudo apt-get install testdisk
- Install Oracle Java and set JAVA_HOME. Use the instructions here:
https://medium.com/coderscorner/installing-oracle-java-8-in-ubuntu-16-10-845507b13343
Installation
- Install the sleuthkit-java.deb file that is part of this Autopsy release. This is not an official package yet. This will install libewf, etc.
% sudo apt install ./sleuthkit-java_4.6.0-1_amd64.deb
- Make a directory for autopsy, for example:
% mkdir autopsy-4.6.0-linux1
- Move the ZIP file that is part of this release into the folder and extract the contents (note the ZIP file does not contain a single top-level folder).
- Run the unix_setup script to configure Autopsy
% sh unix_setup.sh
Running
- In a terminal, change to the ‘bin’ directory in the folder you created.
- Run Autopsy
./autopsy
Known Limitations
- Multi-user cases are not supported
- Local drives cannot be analyzed
- VMDK / VHDI images not supported
- Dead JAR issues if you ever run as ‘root’. Other users can’t overwrite one of the .so files. To fix it, have root delete the /tmp/libtsk_jni.so file.
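A pre-flight script that encodes the prerequisites, the run-as-root caveat and the /tmp/libtsk_jni.so ownership problem from this section, as an added example that is not part of the Autopsy release. It assumes GNU stat(1) as found on Debian/Ubuntu (the platform the apt-based instructions imply) and the paths named above.

```shell
#!/bin/sh
# Pre-flight checks for the Autopsy 4.6.0 Linux ZIP (beta 1) setup in this section.
# Added example, not part of the Autopsy release. Assumes GNU stat(1) as found on
# Debian/Ubuntu (the apt-based instructions above already imply that platform).

# Return 0 if the tool named in $1 is on PATH (photorec comes from testdisk), else 1.
check_tool() {
    command -v "$1" >/dev/null 2>&1
}

# Return 0 if $1 is a directory holding an executable bin/java (a usable JAVA_HOME), else 1.
check_java_home() {
    [ -n "$1" ] && [ -x "$1/bin/java" ]
}

# Return 0 if the JNI library at $1 is absent or owned by uid $2; return 1 if it exists
# but belongs to someone else. This is the Known Limitations case: Autopsy was once run
# as root, so /tmp/libtsk_jni.so is root-owned and other users cannot overwrite it.
check_tsk_jni_lib() {
    lib="$1"
    me="$2"
    [ -e "$lib" ] || return 0
    owner=$(stat -c '%u' "$lib") || return 1
    [ "$owner" = "$me" ]
}

# Run all checks, print one line each, and return 0 only if every check passed.
preflight() {
    rc=0
    uid=$(id -u)
    if check_tool photorec; then echo "ok   photorec (testdisk) found"
    else echo "FAIL missing photorec: sudo apt-get install testdisk"; rc=1; fi
    if check_java_home "$JAVA_HOME"; then echo "ok   JAVA_HOME=$JAVA_HOME"
    else echo "FAIL JAVA_HOME is unset or has no bin/java"; rc=1; fi
    if [ "$uid" -ne 0 ]; then echo "ok   not running as root"
    else echo "FAIL running as root will leave a root-owned /tmp/libtsk_jni.so"; rc=1; fi
    if check_tsk_jni_lib /tmp/libtsk_jni.so "$uid"; then echo "ok   /tmp/libtsk_jni.so is usable"
    else echo "FAIL /tmp/libtsk_jni.so is owned by another user; have root delete it"; rc=1; fi
    return "$rc"
}

# Only run the checks when invoked with --run, so the functions can also be sourced.
case "${1:-}" in
    --run) preflight ;;
esac
```

Run it as `sh preflight.sh --run` from the same shell you will start `./autopsy` from, so that JAVA_HOME and the current user match what Autopsy will see.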