OSDFCon Autopsy Module Development Contest Results



As readers of this blog know, Autopsy was designed to be a digital forensics platform that other open source developers can build modules for. To help motivate other developers to write Autopsy modules, Basis Technology created a module development challenge, and we’re pleased to announce the winners.

The ground rules were simple:

  1. Make something useful and creative that can plug into the Autopsy platform, and release it as open source software.
  2. Submit the module before the Open Source Digital Forensics Conference (OSDFCon).
  3. Present the module to the attendees of OSDFCon in person or via video.
  4. Profit! (in the form of cash prizes!)

We received two really great submissions. We were impressed by the amount of effort that went into each one of them (and note that we did not award a 3rd prize because there were not enough submissions, so you could have won some cash with even a basic module!). These modules have been tested by the Basis team and work with Autopsy 3.0.7 and above, in both the 32-bit and 64-bit versions.

First Prize: $1,500

Author: Willi Ballenthin

Minimum version of Autopsy required: 3.0.7

Description: Willi wrote two modules that support registry analysis. One is an ingest module that detects registry hives and extracts the keys and values into “derived files” of the registry hive. This means that they are shown in the directory tree and you can navigate the registry structure and search its contents.

The second module was a new content viewer (the area in the lower right of Autopsy) that will show the tree of a registry hive and allow you to navigate it after you have selected the hive. If you use only this module, you will not see the registry expanded in the directory tree.

Both of these modules are great additions to the capabilities of Autopsy and give the user functionality much like Regedit.exe for viewing registry hives.

Source URL:

https://github.com/williballenthin/Autopsy-WindowsRegistryIngestModule/

https://github.com/williballenthin/Autopsy-WindowsRegistryContentViewer

Release Download:

https://github.com/williballenthin/Autopsy-WindowsRegistryIngestModule/blob/master/precompiled/com-williballenthin-autopsy-wrim-3.0.7-20131001.nbm

https://github.com/williballenthin/Autopsy-WindowsRegistryContentViewer/blob/master/precompiled/com-williballenthin-autopsy-wrcv-3.0.7-20131001.nbm

License of source code: Apache 2

Second Prize: $500

Author: Petter Bjelland

Minimum Autopsy version: 3.0.7

Description: Petter developed a fuzzy hashing module based on sdhash. sdhash allows you to match files that are similar to, but not necessarily exactly the same as, other files. With this ingest module and a new viewer, the investigator can match files against other files or sdhash reference sets during ingest, or search for similar files from the directory viewer or search results after ingest. Petter could not attend OSDFCon and instead submitted a video of the module in use, which is linked below.

In addition to the great contribution to the community with this open source module, Petter also donated his cash prize to the Red Cross to benefit victims of Typhoon Haiyan in the Philippines.

Source URL: https://github.com/pcbje/autopsy-ahbm

Release Download: https://github.com/pcbje/autopsy-ahbm/releases

License: Apache 2.0

Video presentation: http://youtu.be/GBmZRufH_3o

Conclusion: We think these two modules show the power of the platform and the ability for it to change and evolve using the developer’s guide and some creative thinking.

See a list of all third party modules here: http://wiki.sleuthkit.org/index.php?title=Autopsy_3rd_Party_Modules

Congratulations and thanks to both Willi and Petter from the entire Autopsy community!

We’ll be doing this again next year alongside OSDFCon with the same rules, so feel free to start developing your modules now.
