This blog summarizes some of the highlights of the latest Autopsy release. It’s a new format to give you a summary of the most important changes. The full list of changes is here.

File Discovery

• What Is It?  New UI that allows you to focus on relevant images and videos (more file types coming later). You specify filter and display settings.
• When Would You Use It?  To find unique content on the device.
• How Do You Use It?  Press the “File Discovery” toolbar button. Specify filters (such as only medium and big images and only ones that have been seen fewer than 10 times before) and how to organize results (such as by parent folder or by size). This UI is most powerful when you have enabled the Central Repository and have been collecting hash values for all of your past cases. It lets you ignore all of the files that you’ve seen before.

APFS

• What Is It?  Initial support for Apple’s file system. Donated by Black Bag Technologies into The Sleuth Kit and refactored by Basis to generalize the “Pool” concept.
• When Would You Use It?  When analyzing a MacBook or other Apple device.
  How Do You Use It?  Add the disk image as you would any other disk image, such as NTFS.

Map Viewer

• What Is It?  New UI dedicated to viewing geo location data. Can use online tiles (from Bing) or offline tiles (from https://openmaptiles.com/).
• When Would You Use It?  To view coordinates from Exif, GPS devices, Drones, and Android artifacts.
• How Do You Use It? Use the Tools -> Geolocation menu item, and select filters to restrict what is shown.

Context Content Viewer

• What Is It?  New viewer in the lower right that shows where a file came from (i.e. the context about the file). Currently shows where a file was downloaded from or what message a file was attached to. The next release will show if it was opened, etc.
• When Would You Use It?  If you find a file of interest, then you can more easily figure out how it got there and if it was used.
• How Do You Use It?  Select the “Context” viewer for any file of interest.

Improved Japanese Support

What Is It?  Various fixes that were found from testing with Japanese data. Specifically: encoding of file names in ZIP files (which do not support Unicode), encoding of plain text files, and tokenization in Solr using Kuromoji).
When Would You Use It?  When analyzing computers with Japanese data and locales.
How Do You Use It?  All of the changes are transparent to the user. They happen automatically during ingest or when searching for keywords.

Download It

To try Autopsy 4.14, go to the download page.