Autopsy (software)

Autopsy is computer software that makes it simpler to deploy many of the open source programs and plugins used in The Sleuth Kit.[1] The graphical user interface displays the results from the forensic search of the underlying volume, making it easier for investigators to flag pertinent sections of data. The tool is largely maintained by Basis Technology Corp. with the assistance of programmers from the community. The company sells support services and training for using the product.[2]

The tool is designed with these principles in mind:

  • Extensible — the user should be able to add new functionality by creating plugins that can analyze all or part of the underlying data source.
  • Centralized — the tool must offer a standard and consistent mechanism for accessing all features and modules.
  • Ease of Use — the Autopsy Browser must offer the wizards and historical tools to make it easier for users to repeat their steps without excessive reconfiguration.
  • Multiple Users — the tool should be usable by one investigator or coordinate the work of a team.

The core browser can be extended by adding modules that help scan the files (called "ingesting"), browse the results (called "viewing"), or summarize results (called "reporting"). A collection of open-source modules allows customization.

The Autopsy tool can also be used to recover WannaCry-infected data.[3]

Process

Autopsy analyzes major file systems (NTFS, FAT, ExFAT, HFS+, Ext2/Ext3/Ext4, YAFFS2) by hashing all files, unpacking standard archives (ZIP, JAR, etc.), extracting any EXIF values, and putting keywords in an index. Some file types, such as standard email formats or contact files, are also parsed and cataloged.

Users can search these indexed files for recent activity or create a report in HTML or PDF summarizing important recent activity. If time is short, users may activate triage features that use rules to analyze the most important files first. Autopsy can save a partial image of these files in the VHD format.
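The ingest-and-search pipeline described in the two paragraphs above, as an added example written for this page and not code from Autopsy or The Sleuth Kit: it walks a data source, hashes every file, expands ZIP/JAR archives into logical "archive!member" paths, builds a keyword index, and answers keyword searches against it. Only the Python standard library is used, and the data source (two text files plus a ZIP holding a third) is constructed in a temporary directory so the script runs offline. EXIF extraction and email parsing are left out of this miniature.

```python
"""Miniature ingest pipeline: hash files, unpack archives, index keywords.
Added example, not Autopsy's own code. Sample files are constructed below."""
import hashlib
import io
import os
import re
import tempfile
import zipfile
from collections import defaultdict

ARCHIVE_SUFFIXES = (".zip", ".jar")
# Tokens of 3+ chars; '@', '.' and '-' are kept so e-mail addresses survive as one keyword.
WORD_RE = re.compile(r"[A-Za-z0-9_@.\-]{3,}")


def sha256_bytes(data):
    """Hash file content so identical files can be matched within a case."""
    return hashlib.sha256(data).hexdigest()


def tokenize(data):
    """Lower-cased keyword tokens from file content (undecodable bytes are ignored)."""
    text = data.decode("utf-8", errors="ignore")
    return {tok.lower() for tok in WORD_RE.findall(text)}


def ingest_blob(logical_path, data, catalog, index):
    """Record one logical file: its size and hash, and every keyword pointing back to it.
    Archive members are expanded recursively under an 'archive!member' path; the
    archive container itself is hashed but not keyword-indexed."""
    catalog[logical_path] = {"size": len(data), "sha256": sha256_bytes(data)}
    if logical_path.lower().endswith(ARCHIVE_SUFFIXES):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.infolist():
                    if not member.is_dir():
                        ingest_blob(f"{logical_path}!{member.filename}",
                                    zf.read(member), catalog, index)
            return
        except zipfile.BadZipFile:
            pass  # a corrupt archive falls through and is indexed as a plain blob
    for tok in tokenize(data):
        index[tok].add(logical_path)


def ingest_directory(root):
    """Walk a data source directory; return (catalog, keyword index)."""
    catalog = {}
    index = defaultdict(set)
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            ingest_blob(os.path.relpath(full, root).replace(os.sep, "/"),
                        data, catalog, index)
    return catalog, dict(index)


def search(index, keyword):
    """Keyword lookup against the index; returns sorted logical paths."""
    return sorted(index.get(keyword.lower(), set()))


def build_sample_source():
    """Construct a small data source: two text files and a ZIP holding a draft e-mail."""
    root = tempfile.mkdtemp(prefix="ingest_demo_")
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"Meeting with alice@example.test about invoice 4471\n")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "readme.txt"), "wb") as fh:
        fh.write(b"nothing of interest here\n")
    with zipfile.ZipFile(os.path.join(root, "backup.zip"), "w") as zf:
        zf.writestr("mail/draft.eml", "Subject: invoice 4471\nTo: alice@example.test\n")
    return root


def demo():
    """Ingest the constructed source and run two keyword searches."""
    root = build_sample_source()
    catalog, index = ingest_directory(root)
    return {
        "files": sorted(catalog),
        "invoice_hits": search(index, "invoice"),
        "email_hits": search(index, "alice@example.test"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Both searches return the draft inside the ZIP as well as the loose text file, which is the point of expanding archives at ingest time: a keyword that only lives inside a container is still found.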

Correlation

Investigators working with multiple machines or file systems can build a central repository of data, allowing them to flag phone numbers, email addresses, files, or other pertinent data that might be found in multiple places. The SQLite or PostgreSQL database stores the information so investigators can find all occurrences of names, domains, phone numbers, or USB registry entries.
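A central repository of the kind described above, as an added example written for this page (not Autopsy's own schema or code), using Python's built-in sqlite3 module. Each case inserts the artifacts it found (email addresses, phone numbers, USB device serials) and the repository answers "where else has this value been seen?" and "which values occur in more than one case?". Values are normalized before storage, since otherwise a differently formatted phone number or a capitalized email address would never correlate. The cases, artifact values and paths are constructed sample data.

```python
"""Central artifact repository for cross-case correlation.
Added example, not Autopsy's own code. All case data below is constructed."""
import sqlite3

SCHEMA = """
CREATE TABLE cases (
    case_id   INTEGER PRIMARY KEY,
    name      TEXT NOT NULL UNIQUE
);
CREATE TABLE artifacts (
    artifact_id INTEGER PRIMARY KEY,
    case_id     INTEGER NOT NULL REFERENCES cases(case_id),
    kind        TEXT NOT NULL,   -- 'email', 'phone', 'usb_serial', 'sha256', ...
    value       TEXT NOT NULL,   -- stored normalized (see normalize())
    source_path TEXT NOT NULL    -- where in the data source it was found
);
CREATE INDEX artifacts_kind_value ON artifacts(kind, value);
"""


def open_repository(path=":memory:"):
    """Create the schema in a fresh database (in-memory by default)."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def normalize(kind, value):
    """Canonical form so 'Alice@Example.test' and 'alice@example.test' correlate;
    phone numbers keep only digits and a leading '+'."""
    value = value.strip()
    if kind == "phone":
        value = "".join(ch for ch in value if ch.isdigit() or ch == "+")
    return value.lower()


def add_case(conn, name):
    return conn.execute("INSERT INTO cases(name) VALUES (?)", (name,)).lastrowid


def add_artifact(conn, case_id, kind, value, source_path):
    conn.execute(
        "INSERT INTO artifacts(case_id, kind, value, source_path) VALUES (?, ?, ?, ?)",
        (case_id, kind, normalize(kind, value), source_path),
    )


def occurrences(conn, kind, value):
    """Every place a value has been seen, across all cases: [(case name, path), ...]."""
    rows = conn.execute(
        """SELECT c.name, a.source_path
           FROM artifacts a JOIN cases c ON c.case_id = a.case_id
           WHERE a.kind = ? AND a.value = ?
           ORDER BY c.name, a.source_path""",
        (kind, normalize(kind, value)),
    )
    return [tuple(r) for r in rows]


def cross_case_values(conn, kind):
    """Values of one kind that appear in more than one case: [(value, case count), ...]."""
    rows = conn.execute(
        """SELECT value, COUNT(DISTINCT case_id) AS n
           FROM artifacts WHERE kind = ?
           GROUP BY value HAVING n > 1
           ORDER BY n DESC, value""",
        (kind,),
    )
    return [tuple(r) for r in rows]


def demo():
    """Two constructed cases (a laptop image and a phone extraction) sharing one contact."""
    conn = open_repository()
    laptop = add_case(conn, "case-001-laptop")
    phone = add_case(conn, "case-002-phone")
    add_artifact(conn, laptop, "email", "Alice@Example.test", "Users/alice/mail/inbox.pst")
    add_artifact(conn, laptop, "usb_serial", "SAMPLE-SERIAL-0001", "SYSTEM/ControlSet001/Enum/USBSTOR")
    add_artifact(conn, laptop, "phone", "+1 (555) 010-0100", "Users/alice/contacts.vcf")
    add_artifact(conn, phone, "email", "alice@example.test", "data/com.example.mail/accounts.db")
    add_artifact(conn, phone, "phone", "+15550100100", "data/contacts/contacts2.db")
    add_artifact(conn, phone, "phone", "+15550100199", "data/contacts/contacts2.db")
    conn.commit()
    return {
        "alice_seen_at": occurrences(conn, "email", "alice@example.test"),
        "shared_phones": cross_case_values(conn, "phone"),
        "shared_usb": cross_case_values(conn, "usb_serial"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Swapping the `sqlite3.connect` call for a PostgreSQL connection is what a team deployment would do; the queries stay the same, and the `(kind, value)` index is what keeps the "where else was this seen?" lookup fast as the repository grows.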

Language

Version 2 of Autopsy is written in Perl and runs on all major platforms, including Linux, Unix, macOS, and Windows. It relies upon The Sleuth Kit to analyze the disk. Version 2 is released under the GNU GPL 2.0.[4]

Autopsy 3.0 is written in Java using the NetBeans platform. It was released under the Apache license 2.0.[4]

Autopsy 4.0 runs on Windows, Linux, and macOS.

Autopsy depends on a number of libraries with various licenses.[4] It works with SQLite and PostgreSQL databases to store information. The indices for keyword searching are built with Lucene/Solr.

References

  1. "The Sleuth Kit (TSK) & Autopsy: Open Source Digital Forensics Tools". Brian Carrier.
  2. "Digital Forensics". Basis Technology Corp. 23 December 2013.
  3. S. C. Nayak, V. Tiwari and B. K. Samanthula, "Review of Ransomware Attacks and a Data Recovery Framework using Autopsy Digital Forensics Platform," 2023 IEEE 13th Annual Computing and Communication Workshop and Conference (CCWC), Las Vegas, NV, USA, 2023, pp. 0605-0611, doi: 10.1109/CCWC57344.2023.10099169.
  4. "Autopsy: License". Brian Carrier.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.