Correlate Cases and Get Intelligence

Overview

Starting with Autopsy 4.5.0, you can now determine when a file or phone number (or other artifact) was seen in a previous case. You can also be alerted when an artifact was found that was previously marked as “bad”.

These features are possible because of new infrastructure called the Central Repository. In this blog, we’ll talk about enabling the Central Repository and the corresponding Correlation Engine module.

Configuring the Central Repository

Database Types

The first step to setting up the Central Repository is to choose what database type you want:

  • SQLite: Stored in a folder on your computer and accessible by only one Autopsy instance.  No database installation required.
  • PostgreSQL: Stored on a database server and can be shared amongst multiple users. You need to install and configure the database.  If you configured Autopsy for multi-user cases, you can re-use the same PostgreSQL database for the Central Repository. If you need to install a database for this, you can use the Autopsy Multi-user instructions.

If you are a single-person shop, then just use SQLite. If there are multiple people in your lab, set up PostgreSQL so that you can all use it.

NOTE: If you use a SQLite database, do not put it on a network drive and share it between multiple Autopsy instances at the same time. Bad things will happen: SQLite relies on file locking, which network file systems do not implement reliably, so concurrent writers can corrupt the database.

Enable the Central Repository

To enable the Central Repository, go to Tools -> Options -> Central Repository.  Check the “Use a central repository” box.

You will then need to press the “Configure” button to set up the local SQLite or remote PostgreSQL database.

Populating The Database

In order to be able to correlate with previous cases, we need to populate the database with data about each case.   This section outlines what kinds of data can be stored and how to get data into the database.

Choosing Correlation Properties

The Central Repository can store several types of data.  By default, Autopsy will correlate on:

  • Files (MD5)
  • Domain Names
  • Email Addresses
  • Phone Numbers
  • USB Device IDs

But, the more things that you correlate on, the bigger the database will get. If you want to remove some of these data types from the database, you can do that from the Options panel (Tools -> Options -> Central Repository).  Choose “Manage Correlation Properties”.

Autopsy will pull these properties out of the various Blackboard Artifacts that get created by its analysis modules.  For example, it will pull out domain names from Web Bookmarks, Web Cookies, etc.

Correlation Engine Ingest Module

To add properties from your current case, enable the “Correlation Engine” Ingest Module when you add a data source to the case. It will save the properties that were extracted from other ingest modules, such as the Hash Lookup module.

Note that you are responsible for enabling the other ingest modules that extract the properties. If you want to save all of these properties, you need to have the following ingest modules enabled:

  • Hash Lookup: To calculate MD5 hash values
  • Keyword Search: To find emails and phone numbers
  • Email: To find email addresses
  • Android: To find phone numbers
  • Recent Activity: To find USB Device IDs

The Correlation Engine module runs after these modules in the pipeline.

Finding Connections With Previous Cases

Once you start populating your Central Repository, you can take advantage of the stored data during your investigation.  One way is to see if a file or artifact occurred in a previous case or if it exists in another device in the same case.

You may find this feature useful when:

  • You see an address book entry and want to know if you saw this same contact in a previous case.
  • You see a file with “notable material” in it and want to see if someone has seen this before.

To use this feature, select a file or artifact and look in the “Other Occurrences” tab in the lower right.  In the below example, we can see that the MD5 was previously seen in case “demo-case123d”.

This will show you other cases or other devices in the same Case in which this item existed.

Tagging and Alerting

While it is useful to know if something was previously seen after you find it, it would be even more useful to have Autopsy tell you that a previously notable item is there. That brings us to the next feature.

When an item is tagged with a “notable” tag name, that notable status will get recorded in the Central Repository. When that item is seen again, the Correlation Engine ingest module will make an “Interesting Item” artifact for it so that you can easily find it.

In the below example, the MD5 hash of the image image_normal[1].jpg was previously tagged in case “demo-33323” as being notable.
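To make the mechanics concrete, here is an added example (not Autopsy's own code or schema) that models a Central Repository in SQLite and ties together the three pieces described above: the Correlation Engine step that stores the properties other ingest modules extracted, the “Other Occurrences” lookup across cases and across devices of the same case, and the alert raised when a value that was tagged notable in an earlier case is ingested again. The table and column names, the case name “case-new”, the device ids and every hash and address are constructed for the example; only the case names “demo-case123d” and “demo-33323” come from the post.

```python
import sqlite3

# Added example, not Autopsy's code. Models a Central Repository in SQLite.
# Table and column names are this example's own, not Autopsy's schema.
SCHEMA = """
CREATE TABLE cases (
    case_id   INTEGER PRIMARY KEY,
    case_name TEXT UNIQUE NOT NULL
);
CREATE TABLE properties (
    case_id      INTEGER NOT NULL REFERENCES cases(case_id),
    device_id    TEXT NOT NULL,
    prop_type    TEXT NOT NULL,   -- md5, domain, email, phone, usb_id
    value        TEXT NOT NULL,   -- normalized: trimmed and lower-cased
    path         TEXT,
    known_status TEXT NOT NULL DEFAULT 'unknown'   -- 'unknown' or 'notable'
);
CREATE INDEX idx_props ON properties(prop_type, value);
"""


class CentralRepository:
    def __init__(self):
        # A single-examiner setup would point this at a local SQLite file.
        self.conn = sqlite3.connect(":memory:")
        self.conn.executescript(SCHEMA)

    def _case_id(self, case_name):
        self.conn.execute("INSERT OR IGNORE INTO cases(case_name) VALUES (?)", (case_name,))
        return self.conn.execute(
            "SELECT case_id FROM cases WHERE case_name = ?", (case_name,)).fetchone()[0]

    @staticmethod
    def _norm(value):
        return value.strip().lower()

    def ingest(self, case_name, device_id, prop_type, value, path=None):
        """Correlation Engine step: store a property another module extracted.
        Returns the name of an earlier case in which this value was tagged
        notable (the trigger for an 'Interesting Item' alert), else None."""
        value = self._norm(value)
        hit = self.conn.execute("""
            SELECT c.case_name FROM properties p JOIN cases c USING (case_id)
            WHERE p.prop_type = ? AND p.value = ? AND p.known_status = 'notable'
              AND c.case_name != ? LIMIT 1""", (prop_type, value, case_name)).fetchone()
        self.conn.execute(
            "INSERT INTO properties(case_id, device_id, prop_type, value, path) VALUES (?,?,?,?,?)",
            (self._case_id(case_name), device_id, prop_type, value, path))
        self.conn.commit()
        return hit[0] if hit else None

    def tag_notable(self, prop_type, value):
        """Tagging an item with a notable tag name records notable status for its value."""
        self.conn.execute(
            "UPDATE properties SET known_status = 'notable' WHERE prop_type = ? AND value = ?",
            (prop_type, self._norm(value)))
        self.conn.commit()

    def other_occurrences(self, case_name, device_id, prop_type, value):
        """'Other Occurrences' tab: the same value in other cases, or in other
        devices of the same case. The item's own case+device is excluded."""
        rows = self.conn.execute("""
            SELECT c.case_name, p.device_id, p.path, p.known_status
            FROM properties p JOIN cases c USING (case_id)
            WHERE p.prop_type = ? AND p.value = ?
              AND NOT (c.case_name = ? AND p.device_id = ?)
            ORDER BY c.case_name, p.device_id""",
            (prop_type, self._norm(value), case_name, device_id)).fetchall()
        return [tuple(r) for r in rows]


# Constructed sample data: the hashes, paths and address are made up.
MD5_SEEN_BEFORE = "0123456789abcdef0123456789abcdef"
MD5_NOTABLE = "fedcba9876543210fedcba9876543210"
EMAIL = "Contact@Example.org"


def build_demo():
    """Replay two earlier cases, then a new case, and collect what the
    examiner would see. Returns (alerts, other_occurrences)."""
    repo = CentralRepository()
    # Earlier case 1 (name from the post): a file hash and an email address.
    repo.ingest("demo-case123d", "phone-1", "md5", MD5_SEEN_BEFORE, "/DCIM/a.jpg")
    repo.ingest("demo-case123d", "phone-1", "email", EMAIL)
    # Earlier case 2 (name from the post): an image the examiner tagged notable.
    repo.ingest("demo-33323", "laptop-1", "md5", MD5_NOTABLE, "/Users/x/image_normal[1].jpg")
    repo.tag_notable("md5", MD5_NOTABLE)
    # New case with two devices; the Correlation Engine runs on each.
    alerts = {
        "seen_before": repo.ingest("case-new", "hdd-1", "md5", MD5_SEEN_BEFORE, "/tmp/a.jpg"),
        "notable": repo.ingest("case-new", "hdd-1", "md5", MD5_NOTABLE, "/tmp/b.jpg"),
        "email_hdd": repo.ingest("case-new", "hdd-1", "email", EMAIL.lower()),
        "email_usb": repo.ingest("case-new", "usb-1", "email", EMAIL),
    }
    occurrences = {
        "md5": repo.other_occurrences("case-new", "hdd-1", "md5", MD5_SEEN_BEFORE),
        "email": repo.other_occurrences("case-new", "hdd-1", "email", EMAIL),
    }
    return alerts, occurrences


if __name__ == "__main__":
    for name, result in zip(("alerts", "other occurrences"), build_demo()):
        print(name, result)
```

Two design points carry over to a real deployment: values are normalized before storage and lookup (otherwise “Contact@Example.org” and “contact@example.org” never correlate), and the notable check excludes the current case so that an item only alerts on a hit from a previous case, which is the behaviour the post describes.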

Tagging Items as Notable

Experienced Autopsy users may be wondering what a “notable” tag name is.  We are changing this behavior for 4.6.0 (January release), but I’ll first describe what it means in the current 4.5.0 release.

In Autopsy 4.5.0 (the October 2017 release), there is a “Manage Tags” option in the Central Repository options panel. Opening that allows you to pick which tag names mark items as being notable. When you tag an item with one of those tag names, Autopsy records in the Central Repository that the item is notable.

In Autopsy 4.6.0 (not yet released), you identify a tag name as being notable when you create the tag name for the first time.  In this release, there will not be a separate “Manage Tags” option in the Central Repository options panel. In 4.6.0 you will also see the word “(Notable)” after the tag name to remind you that it is for notable items.

Hashset Management

In the 4.6.0 release (January 2018), you’ll also be able to use the Central Repository to store notable and NSRL hash sets that can be shared amongst users in a multi-user environment.  This will make it easier to have each system using the same databases and allow for easier collaboration.  We’ll cover those features in a later blog.

Get More Intelligence

The Correlation Engine features of Autopsy allow you to get more intelligence from your previous cases.  You can see if items were previously seen and be alerted when something is seen again. This will make your investigations faster and help you better understand the situation.

Download the latest Autopsy today.