Autopsy 4.15 Release Highlights



Autopsy 4.15 is out and we wanted to cover some of the key new features. You can download Autopsy from here and see the full list of changes here.

Central Repository Enabled By Default

We have changed the default configuration so that the Central Repository is enabled by default. We did this because we have found the data can help you ignore previously seen and common files. As an example, the new File Discovery feature takes advantage of data in the Central Repository when it shows you files that you’ve never seen before (i.e. unique pictures).

The Central Repository is a database that can store many types of things:

  • Hash values from past cases
  • Identifiers (such as Wifi SSID) and account names from past cases
  • Hash sets
  • Comments from past cases

The database can be stored as either a local SQLite or a central PostgreSQL database.

You can use the data in the repository for several things:

  • To determine how common or rare a file is
  • To determine if a file was seen in a past case
  • To automatically flag a file that was previously marked as notable

The changes to the repository in 4.15 release include:

  • By default, a SQLite database will be created in your AppData folder. To disable this, use the Options panel.
  • By default, hashes and other identifiers will be sent to the Central Repository for future use. To disable this, do not enable the Correlation Engine ingest module.
  • By default, the Correlation Engine module will NOT flag files that were previously marked as notable. This is a change in behavior, but it is consistent with concerns some users have raised that automatically searching past cases could exceed the scope of a search warrant. To enable this feature, use the Correlation Engine ingest module settings.

The usual benefits of the Central Repository still exist:

  • The “Other Occurrences” viewer in the lower right will show you where else a file or identifier was previously seen
  • You can search past cases for a given hash or identifier using the “Tools” menu
  • You can comment on a file and see it in future cases.

The changes in this release will be fairly transparent to you (except perhaps that you have a SQLite database growing in size), but will benefit you in the long-term as more features take into account how often items have been seen in the past.
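To make the three uses listed above concrete (commonness, seen in a past case, previously notable), here is an added example that is not Autopsy's code and does not use Autopsy's real schema: a toy SQLite-backed repository that records one row per file per case and answers the same questions the Correlation Engine and the "Other Occurrences" viewer answer. The table layout, the `triage` labels and the sample cases are all constructed for illustration; note that `triage` leaves previously-notable flagging off unless the caller opts in, mirroring the new 4.15 default.

```python
import sqlite3

# Constructed minimal schema for this example (not Autopsy's real Central
# Repository schema): one row per file seen in a case, keyed by MD5, with the
# notable flag and comment the examiner attached to it.
SCHEMA = """
CREATE TABLE cases (
    case_id   INTEGER PRIMARY KEY,
    case_name TEXT NOT NULL UNIQUE
);
CREATE TABLE file_hashes (
    case_id INTEGER NOT NULL REFERENCES cases(case_id),
    md5     TEXT    NOT NULL,
    path    TEXT    NOT NULL,
    notable INTEGER NOT NULL DEFAULT 0,
    comment TEXT
);
CREATE INDEX idx_file_hashes_md5 ON file_hashes(md5);
"""


class CentralRepo:
    """Toy stand-in for the Central Repository, backed by SQLite."""

    def __init__(self, db_path=":memory:"):
        self.conn = sqlite3.connect(db_path)
        self.conn.executescript(SCHEMA)

    def open_case(self, name):
        self.conn.execute("INSERT OR IGNORE INTO cases(case_name) VALUES (?)", (name,))
        return self.conn.execute(
            "SELECT case_id FROM cases WHERE case_name = ?", (name,)).fetchone()[0]

    def record_file(self, case_id, md5, path, notable=False, comment=None):
        """Roughly what an ingest module does for every hashed file it sees."""
        self.conn.execute(
            "INSERT INTO file_hashes(case_id, md5, path, notable, comment) VALUES (?, ?, ?, ?, ?)",
            (case_id, md5.lower(), path, int(notable), comment))
        self.conn.commit()

    def other_occurrences(self, md5, current_case_id):
        """Sightings of this hash in other cases (what an Other Occurrences view lists)."""
        rows = self.conn.execute(
            "SELECT c.case_name, f.path, f.notable, f.comment "
            "FROM file_hashes f JOIN cases c ON c.case_id = f.case_id "
            "WHERE f.md5 = ? AND f.case_id <> ? ORDER BY c.case_name, f.path",
            (md5.lower(), current_case_id)).fetchall()
        return [{"case": r[0], "path": r[1], "notable": bool(r[2]), "comment": r[3]} for r in rows]

    def prior_case_count(self, md5, current_case_id):
        """How many distinct past cases contained this hash (a commonness measure)."""
        return self.conn.execute(
            "SELECT COUNT(DISTINCT case_id) FROM file_hashes WHERE md5 = ? AND case_id <> ?",
            (md5.lower(), current_case_id)).fetchone()[0]


def triage(repo, case_id, md5, flag_previously_notable=False):
    """Label a file in the current case using only past-case data.

    flag_previously_notable defaults to False to mirror the 4.15 default: past
    notable tags are not used to flag files unless the examiner opts in.
    """
    prior = repo.prior_case_count(md5, case_id)
    if prior == 0:
        return "unique"  # never seen before: the kind of file a "unique" view surfaces
    if flag_previously_notable and any(o["notable"] for o in repo.other_occurrences(md5, case_id)):
        return "previously notable"
    return f"seen in {prior} prior case(s)"


def build_demo_repo():
    """Constructed sample data: two past cases, then a new case being ingested."""
    repo = CentralRepo()
    md5_a, md5_b, md5_c, md5_d = "a" * 32, "b" * 32, "c" * 32, "d" * 32  # fake hashes
    past1 = repo.open_case("2019-001")
    repo.record_file(past1, md5_a, "/Users/x/Downloads/tool.exe", notable=True, comment="flagged in 2019-001")
    repo.record_file(past1, md5_b, "/Windows/System32/kernel32.dll")
    past2 = repo.open_case("2019-002")
    repo.record_file(past2, md5_b, "/Windows/System32/kernel32.dll")
    repo.record_file(past2, md5_c, "/Users/y/notes.txt")
    current = repo.open_case("2020-003")
    for h, p in [(md5_a, "/tmp/tool.exe"), (md5_b, "/Windows/System32/kernel32.dll"), (md5_d, "/Users/z/photo.jpg")]:
        repo.record_file(current, h, p)
    return repo, current


if __name__ == "__main__":
    repo, case_id = build_demo_repo()
    for h in ("a" * 32, "b" * 32, "d" * 32):
        print(h[:8], triage(repo, case_id, h), "|", triage(repo, case_id, h, flag_previously_notable=True))
```

Running the demo shows the same file getting different labels depending on the opt-in: the hash tagged notable in 2019-001 is reported only as "seen in 1 prior case(s)" by default and becomes "previously notable" only when the flag is passed, while the hash present in both earlier cases reads as common and the never-seen photo reads as unique.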

Drones & GPX

There are two new ingest modules focused on Geolocation data in the latest release.

The Drone Analyzer ingest module uses the DatCon library to parse “.dat” files from the internal storage on DJI drones. These files contain track points about where a drone traveled.

Autopsy does not have the ability to acquire data from a drone, but it can analyze the disk image, find the “.dat” files, and make artifacts that can be displayed in the main UI tree and as track points in the geolocation viewer.

This module was funded by DHS S&T and used data acquired by VTO Labs. More information can be found in the user documentation.

Another new geolocation module is the GPX module. It finds GPX files, parses them, and produces tracks, routes, and bookmarks, which can likewise be found in the tree or the geolocation viewer.
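As an added illustration of what such a module has to extract, and not code from Autopsy's GPX module, the following standalone parser reads the three GPX structures named above (`trk`/`trkseg`/`trkpt` for tracks, `rte`/`rtept` for routes, and `wpt` for the waypoints that become bookmarks) from a constructed GPX 1.1 document. It handles the default XML namespace that GPX files carry and, as a defensive measure any evidence parser wants, skips points whose latitude or longitude is missing or out of range instead of aborting on the whole file; the sample data and the `GeoPoint`/`GeoPath` names are assumptions made for this example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class GeoPoint:
    lat: float
    lon: float
    ele: Optional[float] = None
    time: Optional[str] = None
    name: Optional[str] = None


@dataclass
class GeoPath:
    name: str
    points: List[GeoPoint] = field(default_factory=list)


@dataclass
class GpxArtifacts:
    tracks: List[GeoPath] = field(default_factory=list)
    routes: List[GeoPath] = field(default_factory=list)
    bookmarks: List[GeoPoint] = field(default_factory=list)  # GPX waypoints
    skipped: int = 0  # points rejected for missing or out-of-range coordinates


def _namespace(root):
    """Return the default namespace of the root element ('' if none)."""
    return root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""


def _float_or_none(text):
    try:
        return float(text) if text else None
    except ValueError:
        return None


def parse_gpx(xml_text):
    root = ET.fromstring(xml_text)
    ns = _namespace(root)
    q = lambda tag: f"{{{ns}}}{tag}" if ns else tag  # qualify a tag with the file's namespace
    out = GpxArtifacts()

    def child_text(el, tag):
        c = el.find(q(tag))
        return c.text.strip() if c is not None and c.text else None

    def point(el):
        # lat/lon are attributes; reject anything that is not a valid coordinate pair
        try:
            lat, lon = float(el.get("lat")), float(el.get("lon"))
        except (TypeError, ValueError):
            out.skipped += 1
            return None
        if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
            out.skipped += 1
            return None
        return GeoPoint(lat, lon, _float_or_none(child_text(el, "ele")),
                        child_text(el, "time"), child_text(el, "name"))

    for trk in root.findall(q("trk")):
        path = GeoPath(child_text(trk, "name") or "unnamed track")
        for seg in trk.findall(q("trkseg")):
            path.points += [p for p in map(point, seg.findall(q("trkpt"))) if p]
        out.tracks.append(path)
    for rte in root.findall(q("rte")):
        path = GeoPath(child_text(rte, "name") or "unnamed route")
        path.points += [p for p in map(point, rte.findall(q("rtept"))) if p]
        out.routes.append(path)
    out.bookmarks = [p for p in map(point, root.findall(q("wpt"))) if p]
    return out


# Constructed sample GPX document (not real evidence); the third track point has an
# impossible latitude to exercise the skip path.
SAMPLE_GPX = """<?xml version="1.0" encoding="UTF-8"?>
<gpx version="1.1" creator="constructed sample" xmlns="http://www.topografix.com/GPX/1/1">
  <wpt lat="38.8895" lon="-77.0353"><name>Meeting point</name></wpt>
  <wpt lat="38.8977" lon="-77.0365"><ele>18</ele><name>Drop-off</name></wpt>
  <rte><name>Planned route</name>
    <rtept lat="38.8895" lon="-77.0353"/>
    <rtept lat="38.8977" lon="-77.0365"/>
  </rte>
  <trk><name>Morning drive</name>
    <trkseg>
      <trkpt lat="38.8895" lon="-77.0353"><ele>10</ele><time>2020-04-01T08:00:00Z</time></trkpt>
      <trkpt lat="38.8920" lon="-77.0360"><ele>11</ele><time>2020-04-01T08:01:00Z</time></trkpt>
    </trkseg>
    <trkseg>
      <trkpt lat="999" lon="-77.0365"><time>2020-04-01T08:02:00Z</time></trkpt>
      <trkpt lat="38.8977" lon="-77.0365"><ele>18</ele><time>2020-04-01T08:03:00Z</time></trkpt>
    </trkseg>
  </trk>
</gpx>"""

if __name__ == "__main__":
    art = parse_gpx(SAMPLE_GPX)
    print(len(art.tracks), "track(s),", len(art.routes), "route(s),",
          len(art.bookmarks), "bookmark(s),", art.skipped, "point(s) skipped")
```

The track's two segments are merged into one ordered point list, which is what a viewer needs to draw a path; keeping a count of skipped points rather than silently dropping them lets an examiner notice when a file was damaged or hand-edited.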

Expanded Context Viewer

In the last release, we announced a new “Context” content viewer in the lower right. In the 4.15 release, this viewer was expanded to show when a file was used (based on MRU and other data); when it debuted in the last release, it showed only where a file was downloaded from.

To support this viewer, Autopsy now also parses more locations of file usage based on the output of RegRipper.

Try It Out

Download Autopsy today to try these new features and many more.