autopsy 3: free open source end-to-end windows-based digital forensics platform
DESCRIPTION
Autopsy™ is the premier free and open source end-to-end digital forensics platform built by Basis Technology and the digital forensics open source community. The platform has been in development since OSDF Con 2010, based on intense interest and collaboration from the digital forensics community, which determined the need for an open source end-to-end forensics platform that runs on Windows systems. Autopsy version 3 is a complete rewrite from version 2 and is built to enable the creation of fast, thorough, and efficient hard drive investigation tools that can evolve with digital investigators’ needs. The standard installation includes features that rival commercial closed source offerings, without the associated costs.
FEATURES
• Triage capability and real-time alerting
• Automated workflow based on The Sleuth Kit™
• Windows installation
• Case management and report generation
• Recent user activity extraction including: web history, recent documents, bookmarks, downloads, and registry analysis
• Keyword and pattern search including: phone numbers, email addresses, URLs, and IP addresses
• Hash lookup
• Interesting files detection and timeline viewing
• ...and much more
For digital forensics investigators and analysts, there are numerous advantages to using open source software and software built on open source platforms like Autopsy and The Sleuth Kit:
• Transparent evidence extraction: Open source platforms allow you to look at the source code and to verify that the software is performing its functions in a forensically sound way. This can prove to be critical when testifying or preparing for litigation.
• Easily extensible: Open source platforms grow organically and as the needs of their constituents and users change, so does their functionality.
• Active community of users and developers: In addition to commercial support offered by Basis Technology, there is a wealth of information that is available in a community that has evolved over the last 11 years where both users and developers are actively working to improve the software platform. This free knowledge base is an extremely powerful value add to your purchased enterprise support.
TRANSCRIPT
© 2013, Basis Technology 1
Autopsy 3.0: Extensible Desktop Digital Forensics
It’s not your father’s open source software
Brian Carrier, VP of Digital Forensics, Basis Technology
Quick Intro To Basis Technology
• Software and services technology company
• Roughly 80 people
• Offices in Cambridge, DC, Tokyo, and London
• Two technology areas:
  – Text Analytics
  – Digital Forensics
Digital Forensics at Basis
• Conduct investigations
• Research and development
• Custom software development
• Open Source Software
  – Autopsy module development
  – Commercial support
  – Training
Open Source Software
• What comes to your mind first?
Open Source Software
• What comes to your mind first?
• Autopsy 3 is different
Context: What Is The Sleuth Kit?
• Open source software that allows you to forensically analyze disk images and local drives
TSK Command Line Tools
• Original method for using TSK
• Over 25 different tools (!)
• mmls example:
# mmls tsk1.img
    Slot   Start    End      Length   Description
00: -----  0000000  0000000  0000001  Primary Table
01: -----  0000001  0000062  0000062  Unallocated
02: 00:00  0000063  0032129  0032067  NTFS (0x07)
03: 00:01  0032130  0064259  0032130  DOS FAT16 (0x06)
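Reading an mmls table by eye is where offset mistakes creep in, so here is an added example (written for this page, not code from the slides or from The Sleuth Kit) that parses the output above into records, checks that each row's Start, End and Length agree, and converts sector numbers to byte offsets, assuming the 512-byte sectors the slide deck uses elsewhere.

```python
import re

# Constructed sample input: the mmls table from the slide, re-typed for this example.
MMLS_OUTPUT = """\
# mmls tsk1.img
    Slot   Start    End      Length   Description
00: -----  0000000  0000000  0000001  Primary Table
01: -----  0000001  0000062  0000062  Unallocated
02: 00:00  0000063  0032129  0032067  NTFS (0x07)
03: 00:01  0032130  0064259  0032130  DOS FAT16 (0x06)
"""

# One mmls row: index, slot, start, end, length (all in sectors), description.
ROW = re.compile(r"^(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")


def parse_mmls(text):
    """Turn mmls output into partition records; reject rows whose numbers disagree."""
    parts = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # skips the command echo, the column header and blank lines
        idx, slot, start, end, length, desc = m.groups()
        start, end, length = int(start), int(end), int(length)
        # mmls ranges are inclusive, so End - Start + 1 must equal Length.
        if end - start + 1 != length:
            raise ValueError(f"row {idx}: {start}-{end} does not span {length} sectors")
        parts.append({
            "index": int(idx), "slot": slot, "start": start, "end": end,
            "length": length, "description": desc,
            # '-----' marks the partition table itself and unallocated space.
            "allocated": slot != "-----",
        })
    return parts


def byte_offsets(parts, sector_size=512):
    """Byte offset of each allocated partition (mmls counts sectors; 512 is an assumption)."""
    return {p["description"]: p["start"] * sector_size for p in parts if p["allocated"]}


def covers_disk(parts):
    """True when the rows tile the image with no gap or overlap between neighbours."""
    ordered = sorted(parts, key=lambda p: p["start"])
    return all(b["start"] == a["end"] + 1 for a, b in zip(ordered, ordered[1:]))
```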
TSK Library Interface
• Software libraries allow functionality to be embedded in a bigger program.
• Many commercial, open source, and government systems use TSK as a library.
• Looks like:
tsk_img_open(1, "C:\\imgs\\image1.E01", TSK_IMG_TYPE_DETECT, 512);
TSK Framework
Talk to me after if you are building a system that needs this.
TSK Take Away
• Powerful volume and file system analysis tools.
• Extensible framework.
• Not user friendly for the 99%.
Autopsy
• Graphical digital forensics interface.
• Brief History:
  – 2001: First Open Source Release
    • Interface to The Sleuth Kit
    • Linux and OS X only
  – 2010: Started v3 from scratch as a platform
    • Based on OSDFCon discussions
    • Windows-based & automated
    • Some US Army funding (with 42Six Solutions)
    • 3.0.0 released in September, 2012.
Autopsy 3 Key Points
• Extensible
  – Several frameworks and plug-in modules
• Easy to use
  – Simple UI concepts
  – More details during the demo
• Fast results
  – Provided as soon as they are found
• Cost Effective
  – Free
Autopsy 3 Main Screen
Autopsy Ingest Modules
Run automatically as media is added to Case.
• Remembers what you ran last time.
• Anyone can write new modules.
• Can tweak knobs based on investigation type and available time.
Standard Ingest Modules
• Hash Lookup:
  – NSRL, EnCase, Hashkeeper support
• Keyword Search:
  – Lucene SOLR index
  – Extract text (better for HTML and PDF)
  – Import / export lists
  – Regular expressions
  – Can support more advanced text analytics
Standard Ingest Modules
• Recent Activity Module:
  – Browser artifacts:
    • History, cookies, downloads, bookmarks
    • Firefox, Chrome, Safari, IE
  – Recent user documents
  – Recent devices
  – Runs regripper behind the scenes
• EXIF from JPEGs
• MBOX email
• ZIP Archive
Future Ingest Module Ideas
• More file formats / P2P logs
• Anti-virus / Malware
• Volume shadow / file system journals
• Cryptography and steganography detection
• Text analytics (language detection)
• Object identification in pictures
• Skin tone detection
Content Viewer Modules
• Display a file in a given way.
• Text: Hex and Strings
• Media: Pictures and video
Content Viewer: Video Triage
Content Viewer: Text Gisting
• Not part of open source package
• Name finder and translator
  – Uses Basis Technology text analytics
External Viewer Module: Timeline
Demo
Takeaway
• Easy to install and use
  – Less training and confusion.
• Extensible and open
  – Can be adapted to your needs
  – Updated by community
• Low cost
• No cost
Open Source Conference
• 4th Annual Open Source Forensics Conference
  – Free for government employees!
  – http://www.osdfcon.org/
  – Nov 4 and 5 in Northern VA.
Module Writing Competition
• Cash prizes for best new module.
  – $1500 for first prize
• Voting by attendees at OSDFCon.
• Any module type is eligible.
• See issue tracker for ideas.
• Submission details:
  http://www.basistech.com/about-us/events/open-source-forensics-conference/contest/
Autopsy Training
• 2 Day Autopsy training courses:
  – November 6 & 7 in DC (after OSDFCon)
• ½ Day Developer Training at OSDFCon
What You Can Do
• Users:
  – Use it and spread the word
  – Provide feedback on features
  – Help with documentation and support
• Developers: Write modules instead of stand-alone apps. Contact us with feature changes.
• We’re looking for law enforcement users.
Conclusion
• Download from:
  – http://www.sleuthkit.org/autopsy/
• Questions: [email protected]
• We’re hiring engineers…
• We have stickers
Demo Highlights (In Case Demo Fails)
Easy To Use
Splash Screen
• User is always guided to next step in process
Add Image Wizard
• Detects image format
• Detects volume and file systems
Ingest Manager in Wizard
• Uses previous settings for modules.
Intuitive Interface
• All results on left, history buttons, keyword search box
Single Place for All Results
View By File Type
View Final Days of Activity
Right Click Actions
• View directories of keyword and hash hits
• Tag and bookmark files
• Extract files or launch external viewers
Ingest Inbox
• Shows users what has been found in background tasks
HTML Report
• Report modules can be customized