Autopsy Ingest Modules¶
Autopsy¶
Ingest Modules
Ingest modules in Autopsy are automated analysis components that process data sources (disk images, logical files, memory images) to extract forensic artifacts.
They run during the ingest process and populate results into the case database.
1. User Activity and Communication Analysis¶
1.1. Recent Activity¶
What it does: This allows you to see what activity has occured in the last seven days of usage, what web sites were vistied, what the machine did, and what it connected to.
How?
-
It parses user activity as saved by
-
Web browsers(including web searches)
-
Installed programs
-
Operating system
-
It also runs Regripper on registry hives
When to use?
-
User behavior reconstruction
-
Timeline building
-
Internet activity investigation
1.2 Email Parser¶
What: allows the user to identify email-based communications from the system being analyzed.
How?
-
identifies MBOX, EML and PST format files based on file signatures, extracting the e-mails from them, adding the results to the Blackboard
-
This module skips known files and creates a Blackboard artifact for each message.
-
It adds email attachments as derived files.
When?
-
Corporate investigations
-
Insider threat
-
Communication tracing esp in mails like Outlook where email backups are stored locally
1.3 Plaso¶
What? Extracts timeline for various types of files
How?
Runs Plaso engine to combine
-
File timestamps
-
Registry times
-
Event logs
-
Browser artifacts, etc
to create a timeline
When?
-
Timeline reconstruction
-
Correlating multi-source events
2. File related modules¶
2.1 File Type Identification¶
What is does : Identifies true file type
How: Using file signatures/magic bytes (first few bytes of the file that identifes the file)
When?
-
Identify disguised files
-
Identify renamed executables
2.2 Extension mismatch detector¶
What it does: Identifies when extension ≠ actual file type
How: Compares the file signature and the extension of file and reports when there is a mismatch
When?
-
Malware hiding as .jpg/.pdf
-
suspicious user activity
2.3 Interesting Files Identifier¶
What?
Flags files matching predefined or custom rules.
How?
-
allows you to make sets of rules that will be run against each file as it is processed.
-
If a file matches any of the rules, you will see an entry for it in the Tree Viewer.
A rule is a set of conditions. For example, if a rule has conditions "file size > 1 MB" and "file extension \= .txt", only files that match both conditions will be considered a match.
When?
-
Quickly isolate suspicious content
-
Policy violation detection
2.4 Picture analyser¶
What it does: Performs general image analysis on the image, including extracting metadata and converting between image format
How:
-
extracts EXIF (Exchangeable Image File Format) information from ingested pictures.
-
This information can contain geolocation data for the picture, time, date, camera model and settings (exposure values, resolution, etc) and other information.
-
The discovered attributes are added to the Blackboard.
-
This can tell you whereand when a picture was taken, and give clues to the camera that took it.
-
The module also converts HEIC/HEIF images to JPG while maintaining their EXIF information, which will be processed and saved as it would for normal JPG images.
2.5 Keyword Search¶
What it does : The Keyword Search module facilitates both the ingest portion of searching and also supports manual text searching after ingest has completed. It extracts text from files being ingested, selected reports generated by other modules, and results generated by other modules.
How:
-
First, it will try to extract text from supported file formats, eg: PDF, pptx
-
If the file is not supported by the standard text extractor, Autopsy will fall back to a string extraction algorithm.
-
String extraction will not search encrypted files
-
Autopsy ships with some built-in lists that define regular expressions and enable the user to search for Phone Numbers, IP addresses, URLs and E-mail addresses.
-
Two types of keyword searching are supported: Solr search with full text indexing and the built-in Autopsy "In-Line" Keyword Search
When?
-
Fraud
-
IP theft
-
Specific themed investigation, eg: drugs, child pornography
2.6 Hash Lookup Module¶
What it does : Identifies known and notable files using supplied hash list
How ?
-
Computes MD5 (if selected)
-
Checks against provided hash list (if provided)
When to use?
-
Filter OS files
-
Identify malware
3. Data Recovery related¶
3.1 Embedded File Extractor¶
What it does: The Embedded File Extractor module opens ZIP, RAR, other archive formats, Doc, Docx, PPT, PPTX, XLS, and XLSX and sends the derived files from those files back through the ingest pipeline for analysis.
How:
-
This module expands archive files to enable Autopsy to analyze all files on the system.
-
It enables keyword search and hash lookup to analyze files inside of archives
When?
-
data exfiltration through documents
-
hidden payload detection
-
Uses CyberTriage malware scanning infrastructure to see if any Windows executables are malware
-
Queries to an online service using the file’s hash to see if it was already analysed
-
Also had option to upload the file if it was not already analysed and is new
When?
-
Malware cases
-
Incident Response
4.2 Encryption Decryption¶
What : Identifies potentially encrypted files
How?
Uses entropy analysis
- High entropy → likely encrypted or compressed
The module looks for the following types of encryption:
-
Any file that has an entropy equal to or greater than the threshold in the module settings and that fits the file size constraints
-
Password protected Office files, PDF files, and Access database files
-
BitLocker volumes
-
SQLCipher (uses the minimum entropy from the module settings)
-
VeraCrypt (uses the minimum entropy from the module settings)
4.3 YARA Analyzer¶
What and How?
- Uses a set of user-supplied rules to search for patterns in binary and textual files
When?
-
Advanced malware detection
-
Signature-based scanning
5. Specialized modules¶
5.1 Central Repository¶
What? Saves properties to central repository for later correlation to cases
How?
Stores artifacts in a central database and correlates:
-
Hashes
-
Domains
-
Email addresses
When ?
-
Multi-case investigations
-
Enterprise forensic labs
5.2 Virtual Machine Extractor¶
What? Identifies VM-related files.
How?
Detects VMDK, VDI, VMX and other VM disk formats
When?
-
Detect hidden OS environments
-
Anti-forensics detection
5.3 Data Source Integrity¶
What? Calculates and validates hashes of data source
How?
-
If the data source has any hashes associated with it (either user-entered or contained in an E01 file), it will verify these hashes
-
If the data source has no associated hashes, it will calculate the hashes and store them in the database
When?
-
Court reporting
-
Chain of custody verification
5.4 Android Analyzer (Default)¶
What? This module mainly parses artifacts that come from the Android operating system itself. These include:
-
SMS
-
Call logs
-
Contacts
-
Basic Accounts
-
Some build in browser artifacts
When?
- Usually used on logical acquisition of data in mobile device investigations
5.5 Android Analyser (LEAPP)¶
What? uses the LEAPP framework to parse data from apps installed by the user.
Example 3rd party data:
-
WhatsApp chats
-
Telegram messages
-
chrome app data
-
Location history from apps
These apps maintain their own DB, seperate from Android core DB
When?
- Usually used on File System data acquisition
5.6 DJI Drone Analyzer¶
What? Parses DJI drone flight logs.
How?
Extracts:
-
GPS data
-
Flight paths
-
Timestamps
When?
- Drone incident investigations
5.7 iOS Analyzer (iLEAPP)¶
What? Used to analyse iOS files
Extracts:
-
Messages
-
Safari data
-
App artifacts
When?
- iPhone forensic analysis
5.8 GPX Parser¶
What? Extracts GEO data from GPX files
How?
Extracts:
-
Latitude/Longitude
-
Timestamps
-
Routes
When?
- Location-based investigations
Vehicle tracking cases3.2 PhotoRec Carver¶
What ? Recovers deleted files from unallocated space.
How?
- carves files from unallocated space in the data source
- can help a reviewer discover more information about files that used to be on the device and were subsequently deleted.
- These are simply extra files that were found in "empty" portions of the device storage.
When?
- Deleted file recovery
- Damaged file systems
4. Malware, Encryption and Security Related¶
4.1 Cyber Triage Malware Scanner¶
What? Identifies executables with possible malware
How?