Skip to content

Latest commit

 

History

History
132 lines (91 loc) · 15.7 KB

README.md

File metadata and controls

132 lines (91 loc) · 15.7 KB

Awesome-Autopsy-Plugins Awesome

A list of Autopsy awesome plugins.

⚠️ = Autopsy Version >= 4.0

Plugins

Generic

The Autopsy Video Triage module splits a video file into easily viewable thumbnail images (keyframes). By integrating directly in the Autopsy user interface, this module provides law enforcement, intelligence analysts, and investigators an efficient triage capability for video content.

The Golden Image module uses two data sources – a “dirty image” and a “golden image” – and compares them with each other. The main task is, to find the difference between these two data sources – newly added files, deleted files and changed files.

This module takes user input from a form. The user enters one or more SQLite database that they want to examine for deleted records into Autopsy. It will then export the specified SQLite database files to the temp directory then parse the SQLite database and create a custom artifact(s) for each table in the database. The custom artifacts have a name in the format of SQLite Database <FileName> Table <Table Name> DELETED Records with custom attributes for each artifact. Once it is complete the UI is notified that a new artifact has been added. This plugin can create a lot of extracted content so use it wisely. It is also not very fast on large database tables so this will need to be addressed in the future.

Export MD5 hashes to create a hash library for analysis

Documentation - https://web.archive.org/web/20170214060926/http://blog.4n6ir.com/2015/09/autopsy-python-gold-build-module.html

Export unknown hashes after analysis for Virus Total comparisons

Documentation - https://web.archive.org/web/20170727000938/http://blog.4n6ir.com/2015/09/autopsy-python-low-hanging-fruit-module.html

Export full path to SQLite database for meta data gold build

Compare meta data to identify unknown full paths hidden in plain sight

This Autopsy Module extracts Packet Captures (pcaps) from Data Sources. It then sorts them under a “PCAPs” tab within “Interesting Files” and allows the extracted pcaps to be parsed by KeywordSearch.

HashDump.py creates a HashDump.txt file in the base of the case folder and it contains hashes of files in the case. HashDump was built as a proof of concept that requires the Hash Lookup Ingest Module be run prior to calculate the MD5 hashes. HashDump.py builds the ingest module for the Autopsy user interface that passes the case file location as an argument to the HashDump.exe python program.

Documentation - https://web.archive.org/web/20161022033651/http://blog.4n6ir.com/2016/05/autopsy-python-multi-user-modules.html

This module takes user input from a form. The user enters one or more SQLite database that they want to import into Autopsy. It will then export the specified SQLite database files to the temp directory then open the SQLite database and create a custom artifact(s) for each table in the database. The custom artifacts have a name in the format of SQLite Database <FileName> Table <Table Name> with custom attributes for each artifact. The blob database type is not handled and a text string message is specified stating this. Once it is complete the UI is notified that a new artifact has been added. This plugin can create a lot of extracted content so use it wisely. It is also not very fast on large database tables so this will need to be addressed in the future. Payment Card Scanning Module by Shea Nangle

This Autopsy module will search for possible payment card numbers, and will then check the Luhn checksum of each possible payment card number, which will provide a greater degree of confidence regarding if a numeric sequence is a payment card number or not.

In Autopsy there are several tags of various modules which have the same or a similar meaning (For example tags to mark files as “known-good”). In Autopsy there is a listing of files per tag, but you might want to have a list containing all files that were tagged with “known-good”-a-like tags. The TagFilter module. This module enables you to create a list of files by applying several filters (for tags). You can add an unlimited amount of filters and connect them by AND-OR operators. Further on you can also specify f you want the filter to be true or false (File contains or doesn’t contain tag). Besides that, you can also create so called “Filter Groups” in which you can combine filters. The filters are applied top-down and they are built up similar to the SQL WHERE clause. You can also select if you want to search for files on all data sources within your case or just a specific one. In the end you will get a list with all the files that match your filter.

Virustotal is an online service that allows to identify known-bad files. The service is free to use. The Virustotal online checker module allows to automatically check files on imported data sources against the virustotal service.

Forensics.im is an Autopsy Plugin, which allows parsing levelDB of modern Electron-based Instant Messenger Applications like Microsoft Teams. Unlike the existing levelDB plugin, Forensics.im also parses the binary ldb files, which contain the majority of the entries and allows identifies individual entities, such as messages and contacts, and presets these in Autopsy's blackboard view.

Autopsy plugin that scans the Auto-Start Extensibility Points (ASEPs) and list out the potential persistences.

Windows

Parses prefetch on a windows computer and displays the details in the UI

Quick collection of important disk artifacts for triage

  • File System: MFT, LogFile, UsnJrnl
  • Event Logs: evtx
  • pagefile.sys, hiberfil.sys and MEMORY.DMP
  • Prefetch files: pf
  • SYSTEM, SECURITY, SOFTWARE, SAM, NTUSER.DATm, UsrClass.dat, RecentFileCache.bcf, Amcache.hve

Documentation - https://web.archive.org/web/20170925135452/http://blog.4n6ir.com/2015/09/autopsy-python-file-marker-module.html

This module takes user input from a form. The user can select from three (3) Amcache reports to choose from, program entries, file entries and unassociated programs. It will then export the specified amcache.hve files to the temp directory then call an external program to parse out the programs and files and insert them into a SQLite database. The SQLite database is then imported into Autopsy and custom artifact(s) based on the user input will be created. The custom artifacts have a prefix of Amcache and custom attributes are created for each artifact. Once it is complete the UI is notified that a new artifact has been added.

This module takes user input from a form. The user can select from three (3) default windows EVTX event logs or they can manually enter the logs they would like to parse. It will then export the specified EVTX files to the temp directory then call an external program to parse out the EVTX logs and insert them into a SQLite database. The SQLite database is then imported into Autopsy and a custom artifact named Windows Event Logs is created and custom attributes are created for this artifact. Once it is complete the UI is notified that a new artifact has been added. This works only on EVTX files.

This module takes user input from a form. The user enters one or more plist files that they want to export the information from. It will then export the specified Plist files to the temp directory then parse the Plist into a SQLite database and create a custom artifact(s) for each table in the database. The custom artifacts have a name in the format of Plist with custom attributes for each artifact. Once it is complete the UI is notified that a new artifact has been added. This plugin can create a lot of extracted content so use it wisely. It is also not very fast on large Plist files so this will need to be addressed in the future.

This module will extract the SAM registry files to the temp directory and then call an external program to parse the files and store the information into a SQLite database. The SQLite database will then be imported into a custom artifact named SAM File with custom attributes and will notify the UI after it is completed that a new artifact has been added to the Extracted content.

This module will extract the each NTUSER.dat registry files to the temp directory and then call an external program to parse the shellbags for each user and store the information into a SQLite database. The SQLite database will then be imported into a custom artifact named Shellbags File with custom attributes and will notify the UI after it is completed that a new artifact has been added to the Extracted content.

This module will extract the SYSTEM registry files to the temp directory and then call an external program to parse the Shimcache and store the information into a SQLite database. The SQLite database will then be imported into a custom artifact named Shimcache with custom attributes and will notify the UI after it is completed that a new artifact has been added to the Extracted content.

This module takes user input from a form and based on the selection will import the System Resource Usage based on the user input. The module will then extract the SRUDB.DAT file to the temp directory and then call an external program to parse the SRUDB.dat file and store the information into a SQLite database. The SQLite database will then be imported into numerous custom artifact(s) based on what the user checks with custom attributes and will notify the UI after it is completed that a new artifact has been added to the Extracted content. This plugin may create numerous different artifacts.

This module will extract the $UsnJrnl:$J file to the temp directory and then call an external program to parse the Journal and store the information into a SQLite database. The SQLite database will then be imported into a custom artifact named NTFS UsrJrnl entries with custom attributes and will notify the UI after it is completed that a new artifact has been added to the Extracted content.

This module will extract all the WebcacheV01.dat files for all users to the temp directory and then call an external program to parse the Webcache and store the information into a SQLite database. The SQLite database will then be imported into numerous custom artifact(s) that have a prefix of Webcache in the name with custom attributes and will notify the UI after it is completed that a new artifact has been added to the Extracted content. This plugin may create numerous different artifacts.

This module will extract all the Jump list Auto destination files for all users to the temp directory and then call an external program to parse the files and store the information into a SQLite database. The SQLite database will then be imported into a custom artifact named Jump List Auto Dest with custom attributes and will notify the UI after it is completed that a new artifact has been added to the Extracted content.

The main purpose of this plugin is try to get usage information of P2P Windows programs in a forensics environment.

Supported P2P programs:

  • Emule
  • utorrent and BitTorrent

The module verifies code signing certificates of Windows executables. It creates Content Tags with the Signer Name of the binary. This module helps to quickly eliminate known-good files from the OS vendor. You can also list the files from any unknown publisher, that signed software on the system you are investigating on.

Android

The modules aim to collect and display significant amounts of data through which an investigator can consider reporting whereabouts the analysed mobile device has been taken.

Law Enforcement

Simple Scan of JPG, BMP, PNG & GIF files (seletion of files based on file signatures) for pixels with skin tone and computing percentages. Files are tagged with skin-tone percentages in increments of 10 to allow a categorised view of thumbnails

Documentation - http://www.4ensics.co.uk/smutdetect4autopsy/

Using these modules, you can automatically identify what images are known child exploitation images and get their categorization.

Documentation - http://www.basistech.com/digital-forensics/autopsy/le-bundle/