Releases: sleuthkit/autopsy

Autopsy 4.23.1

07 May 15:23
autopsy-4.23.1

Fixes a release error with 4.23.0, which was released as a Develop build instead of a Release build.

Some of the settings were not available.

No other changes.

Autopsy 4.23.0

15 Apr 18:09
autopsy-4.23.0

New Features

  • MCP over STDIO Server (Windows only)
  • Signed EXE
  • Extract Thumbnails (Mark McKinnon)
  • Added PropertySheetEnrichment extension point
  • Added list of RMM tools (Mark McKinnon)

Updates

  • Disable Keyword Search module and email (regexp) search during ingest by default (it's slow)
  • Solr Performance: Use Bin Protocol instead of XML and reduce Tika initializations (SKL)
  • iLeapp bails out faster if not a phone (SKL)
  • Upgrade regripper to v4 (Mark McKinnon)
  • Increase zookeeper timeout (Mark McKinnon)
  • Parse thumbcache (Mark McKinnon)
  • lxss regripper for Windows Subsystem (Mark McKinnon)
  • Update SRU (Mark McKinnon)
  • Update Prefetch (Mark McKinnon)
  • Update Commons-lang library. Update c3p0 (SKL)
  • Fixed progress bar bug that didn't reset for data source modules (SKL)
  • Expanded ContentProvider to support versions and feedback messages (SKL)
  • Cyber Triage Errors are shown in new node in the tree

NOTE: We have observed SIGNIFICANT slowdowns if you have an EDR monitoring both the case folders and the disk images. Exclude those folders to improve performance.

Autopsy 4.22.1

15 Apr 21:02
autopsy-4.22.1
a756a04

Library Updates

  • Use Sleuth Kit 4.14.0 from Sleuth Kit Labs (which removes XFS and BTRFS)
  • Fixes some pool crashing issues from TSK

Reporting

  • Fix error in generating Excel reports

MSI is now installed with Sleuth Kit Labs certificate.

The original ZIP file was linked to the wrong version of TSK. The '_v2.zip' (MD5: 85688714ff298b62634ec0c122b3b10b) is the correct one.

Autopsy 4.22.0

11 Mar 20:18
autopsy-4.22.0
154e04e

Ingest Module Updates

  • Fix Opera Browser parsing
  • Update Prefetch and System Resource usage parsing

Add Datasource Updates

  • Added Bitlocker support (Windows only)
  • Add VHDX support

GUI Updates

  • Tagging a file causes it to have a suspicious score

Library Updates

  • Update JNA Version
  • Update SQLite library version
  • Updated 3rd party libraries
  • Update Adv Installer version to 22.3

Bugs

  • Central Repository dialog is now in front on start for Linux
  • Fixes for external file/URL opening on Linux and loading of offline help
  • Allow Timeline filter to be editable
  • Check the version of Solr in use and, if it is an older version, display a message that there might be an issue with the new version of Solr
  • Allows installing TSK in an empty directory with linux_macos_install_scripts.

Misc

  • Cyber Triage and Autopsy can run at the same time.
  • Checks whether enough memory is present when installing and displays a warning if not.
  • Snap store updates

Autopsy 4.21.0

29 Aug 21:04
autopsy-4.21.0
c23b4fd

Library Updates

  • Update Java to version 17
  • Update aLeapp/iLeapp executables.
  • Update JNA Version
  • Update SQLite library version
  • Updated 3rd party libraries that have known CVEs

Ingest Module Updates:

Add Data Source Updates:

  • Timestamps for logical files can be added. Issue #5852, #1788
  • List of logical files/folders can be edited before they are added. Issue #7347

GUI Updates:

  • Add "has attachments" flag for emails. Issue #7358
  • Add Score to tree view

Bugs:

  • Fix path for lnk files
  • Fix exporting of CSV files. Issue #6717

Misc:

  • Added File Repository concept for data source files that are in a central location. Required for Cyber Triage import feature.
  • Added Spanish language support, contributor https://github.com/AburtoArielPM

Autopsy 4.20.0

25 Jan 11:58
autopsy-4.20.0
f7a4570

Recent Activity Updates:

  • Added Favicons, Profiles and Extensions to Chromium Browsers
  • Added Security Questions/Answers from SAM registry Hive

Data Source Processing

  • Added Jython Support for Data Source Processor modules.
  • Added example Python DSP plugin

Ingest Pipelines

  • Added a new DataArtifact ingest pipeline that artifacts pass through.
  • Moved Keyword search functionality for artifacts to the new pipeline.

Linux / Mac Improvements

  • Script to install prerequisites using Homebrew and Debian package.
  • Script that allows you to install TSK from source
  • Script that sets JAVA home per install
  • Updating Linux and Mac Installation Documentation

Command Line Interface

  • Simplified command line input parameters
  • The -listAllIngestProfiles switch was added
  • The -nogui switch now works.
  • Return codes now reflect if the application failed

Bug Fixes:

  • Solr 8.11.2 Upgrade which includes update to Log4j to version 2.17.1
  • Change Timezone format for Plaso output.
  • Regex fix for Mbox parsing.
  • Portable Case report string index out of range -1 fixed
  • Extracting files, numbering of files and overwriting of files.
  • Image tagging
  • Joda-Time updated from 2.4 to 2.10 - fixes certain timezone errors

Misc:

  • Update to USB IDs.
  • Update Tesseract to 4.10.
  • Moved configuration settings to separate ones that are machine-dependent.
  • Interesting files and file filters can now exclude certain features, such as folders.
  • Adds host to artifact content viewer.
  • When an OS Account is selected the Other Occurrences tab will no longer show the open case in the case list.
  • The Communication window Message Viewer Threads panel layout was cleaned up so that the buttons are visible despite the subject length.
  • Limit ingest inbox messages to first 20 keyword hits
  • GStreamer update to version 1.20.0
  • libheif v1.12.0 replaces ImageMagick
  • Removal of 32bit version of Autopsy

Autopsy 4.19.3

22 Dec 20:08
autopsy-4.19.3
9096bed

Bug Fixes:

  • Updates for log4j vulnerabilities.
    -- Solr 8.11.0 Upgrade
    -- Manual update of log4j to 2.16.0

Other NOTES:

  • This installer was created with some manual work because Solr 8.11.1 was not on maven at the time of building.
  • Only a 64-bit installer was created.

Autopsy 4.19.2

11 Nov 17:42
autopsy-4.19.2
ac29528

GUI Updates

  • Special handling of Interesting Files and Interesting Results analysis results was removed from the tree and they are now shown as individual nodes.
  • Updated display of analysis results in the tabular results viewer.
  • Improved algorithm for populating the S(core) column in the tabular results view.
  • Updated the right-click menu options for data artifacts and analysis results.
  • The O(ther Cases) column in the tabular results view and the Other Occurrences content viewer now count cases in the same way.

Misc:

  • Installed applications are now added to the central repository.
  • The Central Repository ingest module no longer uses the generic Interesting Item analysis result and instead creates more specific Previously Seen, Previously Unseen, and Previously Notable analysis results.
  • Automatic destinations (jump lists) parsing added to the Recent Activity module.
  • French translation of user documentation contributed by GitHub user @Seb2lyon.

Bug Fixes:

  • Analysis Results and Annotation content viewers now work when parent is a data artifact.
  • Fixed bug that prevented media attachments from being displayed in the Communications Viewer.
  • Fixed RegRipper bug to support parsing of ShellBags with non-Latin characters.
  • Assorted GUI responsiveness fixes.
  • Fixed NTFS handling of compressed files that were not fully initialized (via TSK).
  • Other assorted bug fixes.

Autopsy 4.19.1

09 Aug 12:36
autopsy-4.19.1

Bug Fixes:

  • Fixed connection leak associated with creating OS Accounts
  • Decreased priority of OS Account Content Viewer
  • Misc bound check fixes in TSK

Autopsy 4.19.0

02 Aug 11:42
autopsy-4.19.0
1e3abe7

Data Source Management:

  • To make managing big cases easier, all data sources are now associated with a host that can be specified in the “Add Data Source” wizard.
  • Hosts can be grouped by “person”, which is simply a name of the owner.
  • The main tree viewer can be configured to group by person and host.

OS Accounts:

  • Operating System (OS) accounts and realms are their own data types and no longer generic artifacts.
  • OS Accounts are created for Windows accounts found in the registry. Domain-scoped realms are not fully detected yet.
  • NTFS files are associated with OS Accounts by SID.
  • The Recent Activity module associates artifacts with OS Accounts based on SID or path of database. Other modules still need to be updated.
  • OS accounts appear in a dedicated sub-tree of the main tree view and their properties can be viewed in the results view.
  • A new content viewer in the lower right area of the main window was built to display OS account data for the item selected in the results view.

Analysis Result and Data Artifacts

  • All modules make either Analysis Results or Data Artifacts instead of “Blackboard Artifacts.”
  • New “Analysis Result” content viewer shows the results for a given file and its score.
  • The tabular results viewer shows an icon for the aggregate score of a file.
  • The tree organizes results into "Analysis Results" and "Data Artifacts" instead of simply “Results.”

Discovery UI:

  • Domain categorization and account types are displayed in Domain Discovery results.
  • The Domain Discovery results view more explicitly shows when a downloaded file no longer exists.
  • Check boxes are now used to select search options instead of shift-based multi-select.

Ingest Modules:

  • File metadata updates are batched up before being saved to the case database for better performance.
  • Parsing of iLEAPP and aLEAPP output was expanded to create communication relationships which can be displayed in the Communications UI.
  • EML email parsing handles EML messages that are attachments (and have their own attachments).
  • Domain categorization within Recent Activity can be customized by user-defined rules that can be imported and exported.
  • Account IDs and Installed Applications are added to the Central Repository.
  • Keyword search can be configured to only do OCR and skip non-OCR files.

Miscellaneous:

  • A “Reset Windows” feature was created to help redock windows.
  • A case-insensitive wordlist of all words in the keyword search index can be exported as a text document.
  • Information from the Data Source Summary panels can be exported as an Excel spreadsheet.
  • More artifacts are added to the timeline and artifacts with multiple time-based attributes are mapped to multiple timeline events.
  • Added option to only perform optical character recognition on certain file types.
  • Heap dumps can be saved to a custom location.
  • More detailed error messages about encrypted disks when they are added.
  • Added file size filter to Ingest Filters.

Performance:

  • Keyword search does not make an explicit commit for each report if ingest is running.
  • Language ID is performed on a small subset of a file instead of the entire file.
  • Recent Activity is more efficient because of TSK changes to file searching (using extension).
  • Embedded file extractor module has been made faster by doing file typing in memory and adding extracted files in batches.
  • Moved Content Viewers setNode() and isSupported()/isPreferred() code to background threads.
  • Moved Data Source Summary Panel population code to background threads.
  • Moved Node/Tree queries to background threads.

Bug Fixes:

  • Fixed embedded file extractor file name escaping bug.
  • Detect VHD files by signature and not extension.
  • Fixed iLEAPP path error.
  • Content viewers UIs are more consistent.
  • Assorted bug fixes are included.

Auto Ingest:

  • The Auto Ingest Dashboard is resizable.
  • Get thread dumps from AID
  • Added beta pause feature that pauses auto ingest for a set amount of time at a scheduled date and time.