The Autopsy 4.18.0 release is out with lots of new features, enhancements, and bug fixes. This blog dives a little deeper into some key digital forensics features. 

• New Android, iOS, and Yara Modules.
• New Domain Discovery interface to focus on overloads of web artifacts.
• Upgraded to Solr 8, which has impact on who can open new cases. 

You can see the full list here.

You can find the latest version on the download page. 

New Modules

You’ll see two new modules in the new release (Yara and aLEAPP) and a significant update to the iLEAPP module added to the last release. Let’s cover the highlights: 

• Yara allows you to search files for regular expression patterns and is popular for intrusion and DFIR investigations. You can now search files in Autopsy data sources using Yara rules.  Simply add the rule files to a folder.   More details can be found in the user docs.
• aLEAPP allows you to analyze Android databases and files.  The “Android Analyzer (aLEAPP)” module wraps the aLEAPP tool and creates Autopsy artifacts with the results. It will work on both physical images and logical file sets. You can read more about it in the user docs.
• iLEAPP is the iOS version of aLEAPP and we introduced it into Autopsy in 4.17.0, but in a limited capacity.  It used to work only on tar file inputs, but it now will work on physical images as well. The iLEAPP team added the ability for us to know which files it wanted to parse.  Our module queries for those files, writes them to disk, and then runs iLEAPP on them. More artifacts are also created in this release. The user docs for this module can be found here. 

Web Domain Analysis

There are often thousands and thousands of web artifacts in an investigation. It can be overwhelming. The “Domain Discovery” interface is our new way of reviewing web domains and it allows you to focus on the domain first (i.e. “sleuthkit.org”) and then the various types of artifacts that are known about it.

You first pick what kinds of domains you are interested in and how you want to display them. Autopsy will group the domain names by some characteristic (number of visits, date of visits, popularity of domain, etc.). 

You can then navigate the domains and then dive into what the user did on those domains. 

This feature makes it easier to understand the web activity on this system and focus on sites that are most relevant to the investigation. 

The user docs for the feature is here. 

Solr 8

We finally upgraded our Keyword Search module to use Apache Solr 8 (from version 4). It has the same core search functionality from within Autopsy, but here are some notable changes:

• Indexing should be faster because we add files in batches instead of individually (we actually slipped this into the last release…). 
• Cases created with Autopsy 4.18.0 and beyond cannot be opened with Autopsy 4.17.0 and earlier.  But, Autopsy 4.18.0 can open older cases (it still has SOlr 4 embedded in it). 
• You can use Solr Cloud in multi-user setups.
• If you have a multi-user cluster, you’ll need to set up a new Solr 8 server(s). But, you can have both Solr 4 and 8 at the same time (on different servers or ports).

You can find out more about the upgrade here. 

Try It Out

You can download the latest Autopsy from the downloads page.