Portable Autopsy 4.19.2 (x64)
Autopsy Portable is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera’s memory card.
Autopsy Portable is a diagnostic and forensic tool capable of analyzing raw or E01 disk images, local drives and directories in order to determine the possible causes of an event. The application supports the NTFS, FAT, HFS, Ext2, Ext3 and UFS file system types, enabling you to investigate the input (IMG, DD, 001, AA, RAW and E01 files, local disks or logical files) and generate complete reports in HTML, XLS or TXT format, or a TSK body file used for creating an event timeline.
Thanks to the built-in wizards, creating a new ‘case’ becomes just a matter of pressing a few ‘Next’ buttons. There are multiple analysis modules to choose from: the application can display data on recent actions, perform hash lookups, extract archives, parse EXIF data from images, search for keywords and view unallocated storage space.
One of the main advantages of Autopsy is the implementation of the ingest method, which makes the analysis results available to the user as they are obtained, without waiting for the whole procedure to be completed first.
Hash lookup operations are intended to detect malware files and other issues that require your attention. Autopsy handles multiple hash set formats during this procedure: it recognizes the NSRL database format, EnCase hashset files and HashKeeper-compliant sets, and verifies the integrity of each file. Relying on Apache Solr, the keyword search module allows you to define relevant strings and provides support for regular expressions.
The application can also be used for extracting URLs, bookmarks and downloaded files from browsers, viewing installed applications, analyzing the registry or extracting e-mail addresses and IDs of the connected devices.
Autopsy can process disk images or directories to help you generate an event timeline. It assists you in putting the pieces together and determining what might have caused an incident to happen in the first place.
Easy to Use
Autopsy was designed to be intuitive out of the box. Installation is easy and wizards guide you through every step. All results are found in a single tree. See the intuitive page for more details.
Extensible
Autopsy was designed to be an end-to-end platform with modules that come with it out of the box and others that are available from third-parties. Some of the modules provide:
- Timeline Analysis – Advanced graphical event viewing interface (video tutorial included).
- Hash Filtering – Flag known bad files and ignore known good.
- Keyword Search – Indexed keyword search to find files that mention relevant terms.
- Web Artifacts – Extract history, bookmarks, and cookies from Firefox, Chrome, and IE.
- Data Carving – Recover deleted files from unallocated space using PhotoRec.
- Multimedia – Extract EXIF from pictures and watch videos.
- Indicators of Compromise – Scan a computer using STIX.
See the Features page for more details. Developers should refer to the module development page for details on building modules.
There is currently an Autopsy Module Writing Contest running ahead of OSDFCon 2016. Start writing modules for cash prizes.
Fast
Everyone wants results yesterday. Autopsy runs background tasks in parallel using multiple cores and provides results to you as soon as they are found. It may take hours to fully search the drive, but you will know in minutes if your keywords were found in the user’s home folder. See the fast results page for more details.
Cost Effective
Autopsy is free. As budgets are decreasing, cost effective digital forensics solutions are essential. Autopsy offers the same core features as other digital forensics tools and offers other essential features, such as web artifact analysis and registry analysis, that other commercial tools do not provide.
Analysis Features
Below is the list of Autopsy features.
- Multi-User Cases: Collaborate with fellow examiners on large cases.
- Timeline Analysis: Displays system events in a graphical interface to help identify activity.
- Keyword Search: Text extraction and indexed search modules enable you to find files that mention specific terms and to match regular expression patterns.
- Web Artifacts: Extracts web activity from common browsers to help identify user activity.
- Registry Analysis: Uses RegRipper to identify recently accessed documents and USB devices.
- LNK File Analysis: Identifies shortcuts and accessed documents.
- Email Analysis: Parses MBOX format messages, such as Thunderbird.
- EXIF: Extracts geolocation and camera information from JPEG files.
- File Type Sorting: Group files by their type to find all images or documents.
- Media Playback: View videos and images in the application without requiring an external viewer.
- Thumbnail viewer: Displays thumbnails of images for quickly viewing pictures.
- Robust File System Analysis: Support for common file systems, including NTFS, FAT12/FAT16/FAT32/ExFAT, HFS+, ISO9660 (CD-ROM), Ext2/Ext3/Ext4, Yaffs2, and UFS from The Sleuth Kit.
- Hash Set Filtering: Filter out known good files using NSRL and flag known bad files using custom hashsets in HashKeeper, md5sum, and EnCase formats.
- Tags: Tag files with arbitrary tag names, such as ‘bookmark’ or ‘suspicious’, and add comments.
- Unicode Strings Extraction: Extracts strings from unallocated space and unknown file types in many languages (Arabic, Chinese, Japanese, etc.).
- File Type Detection based on signatures and extension mismatch detection.
- Interesting Files Module will flag files and folders based on name and path.
- Android Support: Extracts data from SMS, call logs, contacts, Tango, Words with Friends, and more.
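As an added illustration of two of the ingest checks listed above, hash set filtering with md5sum-format hash sets and signature-based extension mismatch detection, here is a small Python triage routine. This is example code written for this page, not Autopsy's own implementation; the signature table, the alias table and the sample files are constructed assumptions.

```python
"""Added example (not Autopsy's own code): minimal hash set filtering
with md5sum-format hash sets plus signature/extension mismatch detection."""
import hashlib

# Leading bytes ("magic") for a few common types; a real detector knows
# hundreds of signatures. Constructed for this example.
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"MZ": "exe",
}
# Extensions that legitimately share a container signature.
EXT_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "dll": "exe"}


def load_md5sum_hashset(text):
    """Parse md5sum output ("<md5>  <name>" per line) into a set of hashes."""
    hashes = set()
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts and len(parts[0]) == 32:
            hashes.add(parts[0].lower())
    return hashes


def detect_type(data):
    """Return the type implied by the leading bytes, or None if unknown."""
    for magic, ftype in SIGNATURES.items():
        if data.startswith(magic):
            return ftype
    return None


def triage(name, data, known_bad, known_good):
    """Known bad beats known good (a file in both sets is still notable);
    a recognised signature that disagrees with the extension is flagged."""
    md5 = hashlib.md5(data).hexdigest()
    status = "notable" if md5 in known_bad else "known" if md5 in known_good else "unknown"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    ext = EXT_ALIASES.get(ext, ext)
    actual = detect_type(data)
    return {"md5": md5, "status": status, "type": actual,
            "mismatch": actual is not None and ext != actual}


# Constructed sample hash sets in md5sum format (not real indicators).
KNOWN_BAD = load_md5sum_hashset(hashlib.md5(b"MZ\x90\x00sample").hexdigest() + "  dropper.exe\n")
KNOWN_GOOD = load_md5sum_hashset(hashlib.md5(b"%PDF-1.4 manual").hexdigest() + "  manual.pdf\n")
```

A PDF renamed to `.jpg` comes back as `unknown` with `mismatch` set, which is exactly the kind of file the Interesting Files and extension mismatch modules surface for review.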
Input Formats
Autopsy analyzes disk images, local drives, or a folder of local files. Disk images can be in either raw/dd or E01 format. E01 support is provided by libewf.
Reporting
Autopsy has an extensible reporting infrastructure that allows additional types of reports for investigations to be created. By default, HTML, XLS, and Body file reports are available. Each is configurable depending on what information an investigator would like included in the report:
- HTML and Excel: The HTML and Excel reports are intended to be fully packaged and shareable reports. They can include references to tagged files along with comments and notes inserted by the investigator as well as other automated searches that Autopsy performs during ingest. These include bookmarks, web history, recent documents, keyword hits, hashset hits, installed programs, devices attached, cookies, downloads, and search queries.
- Body File: Primarily for use in timeline analysis, this file will include MAC times for every file in an XML format for import by external tools, such as mactime in The Sleuth Kit.
What’s NEW:
GUI Updates:
- Special handling of Interesting Files and Interesting Results analysis results was removed from the tree and they are now shown as individual nodes.
- Updated display of analysis results in the tabular results viewer.
- Improved algorithm for populating the S(core) column in the tabular results view.
- Updated the right-click menu options for data artifacts and analysis results.
- The O(ther Cases) column in the tabular results view and the Other Occurrences content viewer now count cases in the same way.
Misc:
- Installed applications are now added to the central repository.
- The Central Repository ingest module no longer uses the generic Interesting Item analysis result and instead creates more specific Previously Seen, Previously Unseen, and Previously Notable analysis results.
- Automatic destinations (jump lists) parsing added to the Recent Activity module.
- French translation of user documentation contributed by GitHub user @Seb2lyon.
Bug Fixes:
- Analysis Results and Annotation content viewers now work when the parent is a data artifact.
- Fixed bug that prevented media attachments from being displayed in the Communications Viewer.
- Fixed RegRipper bug to support parsing of ShellBags with non-Latin characters.
- Assorted GUI responsiveness fixes.
- Fixed NTFS handling of compressed files that were not fully initialized (via TSK).
- Other assorted bug fixes.