
Autopsy 4.1.0 has been released after a long drought, so it has a longer list of features than usual. You can download it from sleuthkit.org.

Here is a quick summary of biggish features:

New list view in the timeline module. This view adds to the existing counts view (bar charts) and details view (clusters of events) to show a simple list of events. This is similar to the classic mactime output and interface from Autopsy 2. This was built under our contract with DHS S&T, based on user feedback.

VMware virtual machine files (vmdk) and Microsoft Virtual Hard Drives (vhd) can be added as data sources. This means you can directly add a virtual machine as a disk image and analyze the contents as though it were an E01 or raw image.

New ingest module detects vmdk and vhd files embedded in other data sources and adds them as data sources. When virtual machine files are detected inside of a disk image, they will be extracted and added back in as data sources so that their contents will be analyzed in more depth.

Text associated with blackboard artifacts is indexed and searched for keywords. This means that you’ll get structured hits when your keywords are found in EXIF, web bookmarks, or call logs.

File size and MIME type conditions can be specified for interesting files set membership rules. This allows you to, for example, flag files of a given type in certain folders. We’ll do a blog posting soon about using this module.

Custom (user-defined) blackboard artifact and attribute types are displayed in the UI and included in reports. Add-on modules in Autopsy could always make custom artifacts for the blackboard, but there was a bug that they would not be shown in the tree. Now they are. Just in time to make your modules for the OSDFCon contest.

Assorted bug fixes and minor enhancements.

We’re going to get back into a 2-month release cycle so that we don’t do another 8 months (!) without a release.

You can download Autopsy from sleuthkit.org. We’ll be covering some of these new features in our OSDFCon training.