The 4.8.0 release of Autopsy is out and the major themes in the release are:

• Focus on data source-level review in large cases
• Keyword search accuracy improvements
• Tagging efficiencies

Plus lots of other changes. This blog focuses on the data source-level changes that will make it easier for you to conduct investigations on a single data source as part of a larger case.

Typical Large Case Scenario

For large investigations with multiple examiners, it is common to assign each data source (such as a hard drive, media card, or phone) to one investigator. Their initial focus is to find all relevant things on that data source and then all of the results get merged together in the end.

In many forensics labs, every examiner has their own desktop computer and they each analyze their data source in isolation. This setup makes it initially easy to analyze each data source, but is later more tedious when you need to merge the results and perform more searches after you see results from the other devices.

But, if you have a collaborative system like Autopsy, then you can instead add all of the data sources into a single “case” and integrate your results in real time because you are all working on the same case. This makes the final integration easier, but can make the initial analysis more complex if your UI is mixing the data source results together.

New Features

The 4.8.0 release of Autopsy started an effort to provide more data source-level focused searches and viewing (and there are more changes to come).  Specifically, this release added the ability to:

• Group the navigation tree by data source instead of by data types
• Search within a single data source instead of the entire case.

Tree Changes

The left-hand tree of Autopsy has traditionally been organized by:

• Data Sources
• Views of the files in the case
• Analysis Results
• Tags
• Reports

This view is great for one or two data sources, but is harder to focus on a single data source in a large case.   For example, the web history for all devices are merged together and the “Images” node in the File type Views tree has pictures from all data sources.

You can now choose to organize the tree by data source. When you choose this, the top of the tree is the data sources and then you’ll see the traditional structure inside of that data source:

• Files
• Views
• Results
• Tags

When you open a case that has more than 5 data sources, we’ll prompt you to group by data source.  Your preferred viewing approach is saved for the case so each time you open it you should get the same view.

You can later manually change the results using this new checkbox above the tree.

Searching Changes

Autopsy provides a couple of ways to perform searches:

• Keyword Searches (in upper right corner) to find files with a given keyword in them.
• File Search by Attribute (from Tools menu) to find files by name, size, times, etc.

Both of these searches historically would search all data sources, but you can now restrict them to specific data sources.  As an example, here is the new keyword search UI:

Similar changes were made to the “File Search By Attribute” feature.

Big Cases and Multiple Examiners

The future of investigation is bigger cases and more examiners per case. Autopsy is making the changes needed so that you can find the evidence as quickly as possible.  Download the 4.8.0 release here.