Free and open source Windows-based digital forensics software Autopsy 3.1 is out!
Download it now http//
An overview of some of the big changes since 3.0.10 (big enough to warrant the first minor release)
• Multi-threaded pipelines (configurable to take advantage of your beefy machine specs; we've seen significant performance improvements in our tests)
• File type ingest module (magic bytes detection)
• File extension mismatch ingest module (configurable extensions to signatures)
• Android ingest module (contacts, call logs, messages)
• KML report module (EXIF information from JPEGs to Google Earth)
• Tags can be deleted (…long awaited)
• Hash databases can be created and maintained (multi-select add to hash databases)
In addition, a new module free for law enforcement will be available next week from Basis Technology
Some other stuff in the works for Autopsy 3.1
* Python module support (write your own modules in Python)
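Since the announcement lists the file type and extension mismatch modules without showing what they actually decide, here is a small stand-alone illustration of the two checks. This is an added example, not Autopsy's own code: the signature table, the extension-to-type mapping and the sample "files" are all assumptions constructed for the demonstration, and the mapping stands in for the configurable extensions-to-signatures list the post mentions.

```python
"""Magic-byte file typing and extension-mismatch check.

Added example, not Autopsy's own code. The signature table and the
extension-to-type mapping are assumptions chosen for the demonstration;
a real module carries far more signatures and a user-editable mapping.
"""
import os

# Leading byte signatures ("magic bytes") -> detected type. Assumed table.
SIGNATURES = [
    (b"\xFF\xD8\xFF", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
    (b"MZ", "application/x-dosexec"),
    (b"\x7fELF", "application/x-elf"),
]

# Configurable mapping: extension -> types that extension legitimately carries.
# ZIP-based formats (docx, jar) share the PK signature, so several
# extensions map to application/zip instead of being flagged.
EXTENSION_TYPES = {
    ".jpg": {"image/jpeg"},
    ".jpeg": {"image/jpeg"},
    ".png": {"image/png"},
    ".gif": {"image/gif"},
    ".pdf": {"application/pdf"},
    ".zip": {"application/zip"},
    ".docx": {"application/zip"},
    ".jar": {"application/zip"},
    ".exe": {"application/x-dosexec"},
    ".dll": {"application/x-dosexec"},
}


def detect_type(data: bytes) -> str:
    """Return the type whose signature matches the start of data, else 'unknown'."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the content type is known and the extension may not carry it.

    Unknown extensions or unknown content are not flagged: a mismatch
    module should report only confident disagreements, otherwise every
    carved file without a name would light up.
    """
    ext = os.path.splitext(filename)[1].lower()
    detected = detect_type(data)
    if detected == "unknown" or ext not in EXTENSION_TYPES:
        return False
    return detected not in EXTENSION_TYPES[ext]


# Constructed sample "files": a header followed by filler, not real documents.
SAMPLE_FILES = {
    "holiday.jpg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 32,
    "notes.pdf": b"%PDF-1.7\n%" + b"\x00" * 32,
    "report.docx": b"PK\x03\x04" + b"\x00" * 32,
    "vacation.jpg": b"MZ\x90\x00" + b"\x00" * 32,   # executable renamed to .jpg
    "readme.txt": b"Plain text, no signature",
    "archive.zip": b"%PDF-1.4\n" + b"\x00" * 32,     # PDF renamed to .zip
}


def scan(files: dict) -> dict:
    """Map each filename to (detected type, mismatch flag)."""
    return {name: (detect_type(data), extension_mismatch(name, data))
            for name, data in files.items()}


if __name__ == "__main__":
    for name, (mime, flagged) in scan(SAMPLE_FILES).items():
        print(f"{name:15} {mime:25} {'MISMATCH' if flagged else ''}")
```

Two caveats worth keeping in mind when reading module output: signature matching only looks at the leading bytes, so a file whose header was overwritten is "unknown" rather than wrong, and anything carved from unallocated space has no extension to compare against, so the mismatch module has nothing to say about it even when the typing module identifies it.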
Any news on 3rd party Modules?
I need the Windows Registry Content Viewer very often.
We're updating our modules this week; however, for modules from other developers, you'll need to wait for them to update for compatibility with 3.1.
Was in contact with the author. I didn't get the answer I wished for, but he seems to be a nice guy 😉
Is the planned advanced timeline feature some kind of 4n6time implementation?
The way Autopsy follows right now looks promising.
What about a registry tool module for Autopsy from Basistech? Registry and timeline are very important on cases. Just finishing a nice one with Tor/darknet involved. Timeline and registry hives told me what happened.
What would be your ideal registry module? Currently Autopsy runs RegRipper on registry hives that are found and you can view the output in Autopsy. Are you just looking to have a module like what Willi (viewer and parser) produced more actively developed?
Yes. RegRipper is nice; it finds mainstream information. But digging deeper means I have to use a viewer to analyze the other trees that were bypassed by RegRipper.
I've been having a look at Autopsy and was just curious about the length of time it takes to process an image.
This is the situation: my friend had a Mac laptop that died and she wanted to retrieve the data from the hard drive. She took it to the Apple "Geniuses" at her local Apple store and they said the hard drive was dead and nothing could be done. They claimed they had tried it in several different Macs but nothing could be read.
My friend worked with me in LE computer forensics years ago, so she has some knowledge of what can or can't be done, but she's been out of the game for many years. In any case, the drive was spooling up, and when she connected it to her machine in a dock the drive was recognised and clearly working, just with no data. The simple answer is that her resident "Genius" formatted the drive accidentally and then lied about it when she confronted him with that fact. That's all by the by, just another example of poorly trained Apple staff damaging data, which seems to happen all too often.
Back to Autopsy :)
I pointed her to the tool to try as I've been using it a bit lately and I like the interface and the way it presents data and for her purposes seemed ideal to try and recover the pictures she needs.
As the drive has been formatted and the HFS file system is not recognised by Windows, she has added the drive to Autopsy and a "file type" only search, including unallocated space, is being run. Autopsy seems to have 2 distinct stages when analysing data: in the first stage it 'reads' the evidence item, then it performs the 'analysis' stage.
In this instance the 'read' stage has been going for over 48 hours.
So my long winded rant and ultimate question is…is this normal?
Well, this won't help you, but just for the record (though you forgot to mention the size of her laptop's drive), Autopsy does tend to hang on files. Haven't found out on which ones so far, but I can confirm that this happened to me as well with certain settings. If it occurs, abort the operation, try to change some tiny setting and try again.
Sorry, not sure on the specs of the laptop; it's under 12 months old, so I assume relatively good specs, and it's a 500 GB hard drive.
It's still analysing now after a few days, but she did mention that she's checked on it a few times and it had shut down. Not sure if it's overheating or has some other issue; however, she did mention that Autopsy seems to pick up where it left off with the analysing stage, which is pretty cool :)
After some testing with Autopsy 3.1.0 I'm back on 3.0.10. I had some freezes, refresh problems in Views. E.g. after selecting Thumbnails in Images I can't see the content in Videos.
But 3.1.0 is fast, I like it. Looking forward to testing the next release.