Skip to content

Autopsy Ingest Modules

Autopsy

Ingest Modules

Ingest modules in Autopsy are automated analysis components that process data sources (disk images, logical files, memory images) to extract forensic artifacts.

They run during the ingest process and populate results into the case database.

1. User Activity and Communication Analysis
1.1. Recent Activity

What it does: This allows you to see what activity has occured in the last seven days of usage, what web sites were vistied, what the machine did, and what it connected to.

How?

  • It parses user activity as saved by

  • Web browsers(including web searches)

  • Installed programs

  • Operating system

  • It also runs Regripper on registry hives

When to use?

  • User behavior reconstruction

  • Timeline building

  • Internet activity investigation

1.2 Email Parser

What: allows the user to identify email-based communications from the system being analyzed.

How?

  • identifies MBOX, EML and PST format files based on file signatures, extracting the e-mails from them, adding the results to the Blackboard

  • This module skips known files and creates a Blackboard artifact for each message.

  • It adds email attachments as derived files.

When?

  • Corporate investigations

  • Insider threat

  • Communication tracing esp in mails like Outlook where email backups are stored locally

1.3 Plaso

What? Extracts timeline for various types of files

How?

Runs Plaso engine to combine

  • File timestamps

  • Registry times

  • Event logs

  • Browser artifacts, etc

to create a timeline

When?

  • Timeline reconstruction

  • Correlating multi-source events

2.1 File Type Identification

What is does : Identifies true file type

How: Using file signatures/magic bytes (first few bytes of the file that identifes the file)

When?

  • Identify disguised files

  • Identify renamed executables

2.2 Extension mismatch detector

What it does: Identifies when extension ≠ actual file type

How: Compares the file signature and the extension of file and reports when there is a mismatch

When?

  • Malware hiding as .jpg/.pdf

  • suspicious user activity

2.3 Interesting Files Identifier

What?

Flags files matching predefined or custom rules.

How?

  • allows you to make sets of rules that will be run against each file as it is processed.

  • If a file matches any of the rules, you will see an entry for it in the Tree Viewer.

A rule is a set of conditions. For example, if a rule has conditions "file size > 1 MB" and "file extension \= .txt", only files that match both conditions will be considered a match.

When?

  • Quickly isolate suspicious content

  • Policy violation detection

2.4 Picture analyser

What it does: Performs general image analysis on the image, including extracting metadata and converting between image format

How:

  • extracts EXIF (Exchangeable Image File Format) information from ingested pictures.

  • This information can contain geolocation data for the picture, time, date, camera model and settings (exposure values, resolution, etc) and other information.

  • The discovered attributes are added to the Blackboard.

  • This can tell you whereand when a picture was taken, and give clues to the camera that took it.

  • The module also converts HEIC/HEIF images to JPG while maintaining their EXIF information, which will be processed and saved as it would for normal JPG images.

What it does : The Keyword Search module facilitates both the ingest portion of searching and also supports manual text searching after ingest has completed. It extracts text from files being ingested, selected reports generated by other modules, and results generated by other modules.

How:

  • First, it will try to extract text from supported file formats, eg: PDF, pptx

  • If the file is not supported by the standard text extractor, Autopsy will fall back to a string extraction algorithm.

  • String extraction will not search encrypted files

  • Autopsy ships with some built-in lists that define regular expressions and enable the user to search for Phone Numbers, IP addresses, URLs and E-mail addresses.

  • Two types of keyword searching are supported: Solr search with full text indexing and the built-in Autopsy "In-Line" Keyword Search

When?

  • Fraud

  • IP theft

  • Specific themed investigation, eg: drugs, child pornography

2.6 Hash Lookup Module

What it does : Identifies known and notable files using supplied hash list

How ?

  • Computes MD5 (if selected)

  • Checks against provided hash list (if provided)

When to use?

  • Filter OS files

  • Identify malware

3.1 Embedded File Extractor

What it does: The Embedded File Extractor module opens ZIP, RAR, other archive formats, Doc, Docx, PPT, PPTX, XLS, and XLSX and sends the derived files from those files back through the ingest pipeline for analysis.

How:

  • This module expands archive files to enable Autopsy to analyze all files on the system.

  • It enables keyword search and hash lookup to analyze files inside of archives

When?

  • data exfiltration through documents

  • hidden payload detection

  • Uses CyberTriage malware scanning infrastructure to see if any Windows executables are malware

  • Queries to an online service using the file’s hash to see if it was already analysed

  • Also had option to upload the file if it was not already analysed and is new

When?

  • Malware cases

  • Incident Response

4.2 Encryption Decryption

What : Identifies potentially encrypted files

How?

Uses entropy analysis

  • High entropy → likely encrypted or compressed

The module looks for the following types of encryption:

  • Any file that has an entropy equal to or greater than the threshold in the module settings and that fits the file size constraints

  • Password protected Office files, PDF files, and Access database files

  • BitLocker volumes

  • SQLCipher (uses the minimum entropy from the module settings)

  • VeraCrypt (uses the minimum entropy from the module settings)

4.3 YARA Analyzer

What and How?

  • Uses a set of user-supplied rules to search for patterns in binary and textual files

When?

  • Advanced malware detection

  • Signature-based scanning

5. Specialized modules
5.1 Central Repository

What? Saves properties to central repository for later correlation to cases

How?

Stores artifacts in a central database and correlates:

  • Hashes

  • Domains

  • Email addresses

When ?

  • Multi-case investigations

  • Enterprise forensic labs

5.2 Virtual Machine Extractor

What? Identifies VM-related files.

How?

Detects VMDK, VDI, VMX and other VM disk formats

When?

  • Detect hidden OS environments

  • Anti-forensics detection

5.3 Data Source Integrity

What? Calculates and validates hashes of data source

How?

  • If the data source has any hashes associated with it (either user-entered or contained in an E01 file), it will verify these hashes

  • If the data source has no associated hashes, it will calculate the hashes and store them in the database

When?

  • Court reporting

  • Chain of custody verification

5.4 Android Analyzer (Default)

What? This module mainly parses artifacts that come from the Android operating system itself. These include:

  • SMS

  • Call logs

  • Contacts

  • Basic Accounts

  • Some build in browser artifacts

When?

  • Usually used on logical acquisition of data in mobile device investigations
5.5 Android Analyser (LEAPP)

What? uses the LEAPP framework to parse data from apps installed by the user.

Example 3rd party data:

  • WhatsApp chats

  • Telegram messages

  • chrome app data

  • Location history from apps

These apps maintain their own DB, seperate from Android core DB

When?

  • Usually used on File System data acquisition
5.6 DJI Drone Analyzer

What? Parses DJI drone flight logs.

How?

Extracts:

  • GPS data

  • Flight paths

  • Timestamps

When?

  • Drone incident investigations
5.7 iOS Analyzer (iLEAPP)

What? Used to analyse iOS files

Extracts:

  • Messages

  • Safari data

  • App artifacts

When?

  • iPhone forensic analysis
5.8 GPX Parser

What? Extracts GEO data from GPX files

How?

Extracts:

  • Latitude/Longitude

  • Timestamps

  • Routes

When?

  • Location-based investigations
Vehicle tracking cases3.2 PhotoRec Carver

What ? Recovers deleted files from unallocated space.

How?

  • carves files from unallocated space in the data source
  • can help a reviewer discover more information about files that used to be on the device and were subsequently deleted.
  • These are simply extra files that were found in "empty" portions of the device storage.

When?

  • Deleted file recovery
  • Damaged file systems
4.1 Cyber Triage Malware Scanner

What? Identifies executables with possible malware

How?