The 4.21 version of Autopsy is out and this blog post will cover three of the most notable new features.  You can see the full list of changes here. We’re going to cover:

• Inline Keyword Search
• Cyber Triage Malware Scanner Module
• Logical File Timestamps

To download the latest version, go here.  

You can also attend a Webinar on Sept 12. Register here.

Search for Keywords Without Building an Index

The Keyword Search module has a new feature that allows you to not populate the Solr index, which means that ingests are faster (but later searches will be slower). 

The traditional way of keyword searching in Autopsy was to:

• Extract text from files
• Add the text to Solr, which would break it into words (tokens)
• Periodically, search the index

This is great when you want to perform many searches on the data because each later search is going to be fast. But, it was a waste when you may have only one set of keywords and you want to triage the device for them. 

Now, you can search with the following process:

• Extract text from the files
• Search the text for keywords in the ingest pipeline

But, if you later realize you have more keywords to search for, you’ll have to run ingest all over again and read in all of the file content. 

Otherwise, the user experience is nearly the same. You’ll see results in the tree on the left and be able to see the highlighted text on the bottom. 

You can choose during ingest if you want to add text to the index or not. The default is to add the text. 

One note is that a small amount of text is still maintained in the Solr index. Any file that had a keyword hit will be added to the index so that it can be later viewed. 

Scan Files for Malware Without Locally Mounting

A new “Cyber Triage Malware Scanner” ingest module was added that will scan executables for malware. This module is a bit different from others in Autopsy because it requires a commercial license to use. 

The traditional use case is that you want to know if a disk image has backdoors and remote access that someone could have used to plant evidence. Some labs will mount disk images as local drives and scan them with their local AV. This often works, but is limited by:

• Results from a single scanner
• The malware could infect the examiner system if it gets run

The new Autopsy module will use 40+ malware scanning engines from Cyber Triage and the executable files are not written to disk. This service DOES NOT use VirusTotal and therefore if files are uploaded, they are not broadcasted to the world. 

Results show up in the tree as usual:

The module ships with Autopsy and you can get an evaluation key from CyberTriage.com. 

Logical File Timestamps

Autopsy has historically ignored timestamps when you import a folder of files. That’s because the times on those files could be anything. Autopsy never had any idea if they were accurate or not. 

Well, Autopsy still doesn’t know if they are accurate, but it will now let you pick which timestamps to copy in. You can choose to import the modified, created, or accessed time on the files and that will get stored in the database. 

Another change on the above panel is that you can remove file or folder entries in the top table before adding them. 

Try It Out

Download the latest version of Autopsy today and try out these new features.