Difference between revisions of "Autopsy 3rd Party Modules"

Revision as of 13:19, 16 February 2016

This page lists the third party modules that have been written for Autopsy. Autopsy comes with a set of modules, but other developers are encouraged to write modules instead of stand-alone tools.

Autopsy has many new frameworks, and as more modules are written this page will get longer.

Ingest Modules

Ingest modules in Autopsy run on each data source and file that is added to the case. These modules are responsible for the big data analysis, where they extract data from specific files and put the results in the embedded database.

Prefetch Parser

  • Description: This module processes all the prefetch files in the C:\Windows\Prefetch directory and parses out the information in them. It works on the following Windows versions: XP, Vista/7, 8/8.1 and 10. Winner of the OSDFCon 2015 Python Module challenge.
  • Author: Mark McKinnon
  • Minimum Autopsy version: 3.1.3 for V3 and 4.0.0 for V4
  • Source URL: http://redwolfcomputerforensics.com/downloads/Process_Prefetch_Files_V3.7z for Autopsy version 3.1.3
  • Source URL: http://redwolfcomputerforensics.com/downloads/Process_Prefetch_Files_V4.7z for Autopsy version 4.0.0
  • License: GNU General Public License Version 3

sdhash (Autopsy AHBM)

  • Description: This module allows you to use sdhash to perform fuzzy hash matching. The investigator can match files against other files or sdhash reference sets during ingest, or search for similar files from the directory viewer or search results after ingest. Released as part of the OSDFCon 2013 development contest.
  • Author: Petter Bjelland
  • Minimum Autopsy version: 3.0.7
  • Source URL: https://github.com/pcbje/autopsy-ahbm
  • Release Download: https://github.com/pcbje/autopsy-ahbm/releases
  • License: Apache 2.0
  • Video presentation on YouTube: http://youtu.be/GBmZRufH_3o

SmutDetect Module

  • Description: Scans JPG, BMP, PNG and GIF files (selected by file signature) for skin-tone pixels and computes the skin-tone percentage for each file. Files are tagged with their skin-tone percentage in increments of 10 to allow a categorised view of thumbnails.
  • Author: Rajmund Witt
  • Source URL: https://github.com/rajwitt/SmutDetect4Autopsy
  • Release and Documentation URL: http://www.smutdetect.co.uk
  • License: GPL 3.0
  • Minimum Autopsy version: 3.1.1 (since release 1.0.2)

Windows Registry Ingest Module

Child Exploitation Hashset Modules

  • Description: Hash lookup modules that integrate with ProjectVic and C4All databases. These allow you to use Autopsy in child exploitation investigations and leverage hashsets of pre-categorized images.
  • Author: Basis Technology
  • Minimum Autopsy version: 3.1.0
  • Release Download: http://www.basistech.com/digital-forensics/autopsy/le-bundle/
  • License: Closed source

Data Content Viewer Modules

Content viewer modules in Autopsy display a single file in some way. The standard application comes with viewers for hex, strings, and pictures. These add-on modules allow you to view files in other ways. They are available in the lower right-hand corner of Autopsy.

Video Triage

  • Description: Analyzes video files and displays a series of images so that you can get a basic idea of what the video contains without viewing the entire thing.
  • Author: Basis Technology
  • Minimum Autopsy version: 3.0.7
  • Release Download: http://www.basistech.com/digital-forensics/autopsy/video-triage/
  • License: Closed source

Windows Registry Content Viewer

Multi Content Viewer

  • Description: Content viewer for dozens of file types: html, pdf, eml, emlx, rtf, doc, docx, xls, xlsx, ppt, pptx, odt, ods, odp, wps, wpd, sxw, eps, dbf, csv, tif, emf, wmf, odg, pcx, pbm, svg, pict, vsd, psd, cdr, dxf, and more. Also highlights and enables navigation through keyword hits on the rendered preview.
  • Author: Luis Filipe Nassif
  • Minimum Autopsy version: 3.1
  • Source URL: https://github.com/lfcnassif/MultiContentViewer
  • Release Download: https://github.com/lfcnassif/MultiContentViewer/releases
  • License: LGPL v3.0

Report Modules

Report modules in Autopsy allow you to make final reports after your investigation is over. Standard modules in Autopsy include HTML and Excel.

  • No 3rd party modules have been publicly released.

Other

These modules are more free form and do not use one of the more structured extension points.

Cyber Triage

  • Description: Incident Response tool that automates collection and analysis to determine if a host is compromised or not. Can analyze live or dead systems.
  • Author: Basis Technology
  • Minimum Autopsy version: 3.1
  • Source URL: http://www.cybertriage.com
  • Release Download: http://www.cybertriage.com
  • License: Commercial