Autopsy 4.1.0 Release
Autopsy 4.1.0 has been released after a long drought. So, it has a longer list of features than usual. You can download it from sleuthkit.org.
Here is a quick summary of biggish features:
- New list view in the timeline module. This view adds to the existing counts view (bar charts) and details view (clusters of events) to show a simple list of events. This is similar to the classic mactime output and interface from Autopsy 2. This was built with our contract with DHS S&T based on user feedback.
- VMWare virtual machine files (vmdk) and Microsoft Virtual Hard Drives (vhd) can be added as data sources. This means you can directly add a virtual machine as a disk image and analyze the contents as though it were an E01 or raw image.
- New ingest module detects vmdk and vhd files embedded in other data sources and adds them as data sources. When virtual machine files are detected inside of a disk image, they will be extracted and added back in as data sources so that their contents will be analyzed in more depth.
- Text associated with blackboard artifacts is indexed and searched for keywords. This means that you’ll get structured hits when your keywords are found in EXIF, web bookmarks, or call logs.
- File size and MIME type conditions can be specified for interesting files set membership rules. This allows you to, for example, flag files of a given type in certain folders. We’ll do a blog posting soon about using this module.
- Custom (user-defined) blackboard artifact and attribute types are displayed in the UI and included in reports. Add-on modules in Autopsy could always make custom artifacts for the blackboard, but there was a big that they would not be shown in the tree. Now they are. Just in time to make your modules for the OSDFCon contest.
- Assorted bug fixes and minor enhancements.
We’re going to get back into a 2-month release cycle so that we don’t do another 8 months (!) without a release.