Autopsy Sections 14-17


Notes

Section 14: Communications UI

Outline the basic features of the Communications interface: what it displays, basic terminology, and how to use the interface.

What does it do?

● Provides a more powerful way of viewing communication data
○ Oriented around accounts rather than data types
● Filters accounts by type and communication dates; shows messages and data for a selected account
● Layout: filters on the left, accounts in the middle, details on the right

Terminology

● Account: an address that people use to refer to someone or something
○ Has a type (such as email) and an identifier (e.g. jdoe@gmail.com; unique within the type)
● Relationship: when two accounts communicate with or know about each other
○ Sending a message, or having an account ID in a contact book; a contact-book relationship is different from a message relationship but still interesting
○ Three people who all communicate form a triangle relationship, and so on

Device account

● Special account created for each data source to represent the physical device when there is no better account ID
○ Often used to define a relationship for call logs and contact books on a phone, because the call log database records only the other party

What does it show?

● Displays data produced by other modules (Android Analyzer and Email)
● Account oriented
○ Pick an account → see all activity associated with it
● Relationship based
○ Only accounts with a relationship are shown; random email addresses found in a file are not shown

Using interface

Step 1: pick filters

● Data sources on top
● Account types in the middle
○ Email, phone, etc.
● Date range on the bottom

Step 2: review and sort accounts

● Accounts that meet the filter criteria are shown
● Sorted by default on the number of messages found in the case (technically, the number of relationships)
● Accounts at the top are probably the device owners'; the external accounts they communicated with follow

Step 3: review relationships with an account

● Select an account → its associated data items
○ Messages to and from it, contact book entries, call logs to and from it
● The summary also shows files and past cases that reference the account

Tabs

Messages Tab

● Shows all messages to and from the account; organizes by thread

Call log tab

● Shows all inbound and outbound calls associated with selected account

Contacts tab

● Shows contacts that contain the account, or that belong to the account (the latter typically for a ‘device account’)

Normal operations

● Within UI right click to have same options to view in timeline, tag, etc.

Conclusion

● The Communications UI focuses on letting you identify relevant accounts and their relationships
● Shows data extracted from the Email and Android modules
● Allows you to filter by account types and dates and then choose specific accounts
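The account/relationship model described in this section, as an added example (not Autopsy's own code): a device account stands in for the phone where the call log and contact book name only the other party, only accounts with at least one relationship are listed, and the list is sorted by relationship count. All input rows are constructed sample data; the date filter, like the UI's, applies to dated communications only.

```python
from collections import defaultdict

# Constructed sample extraction results (not real case data). An account is a
# (type, identifier) pair; identifiers are unique within their type.
DEVICE = ("DEVICE", "phone-ds1")  # device account for the phone data source
MESSAGES = [  # (from, to, date)
    (("EMAIL", "jdoe@example.com"), ("EMAIL", "alice@example.com"), "2021-03-01"),
    (("EMAIL", "alice@example.com"), ("EMAIL", "jdoe@example.com"), "2021-03-02"),
    (("PHONE", "+15550001"), ("PHONE", "+15550002"), "2021-03-05"),
]
CALL_LOG = [("+15550002", "2021-03-06"), ("+15550003", "2021-03-07")]  # other party only
CONTACTS = ["+15550002", "bob@example.com"]  # contact book entries on the phone
STRAY = [("EMAIL", "stray@example.com")]  # address seen in a file; no relationship

def build_relationships(messages, call_log, contacts, device=DEVICE, dates=None):
    """Return {account: {peer: count}}; only accounts with a relationship appear."""
    rel = defaultdict(lambda: defaultdict(int))
    def link(a, b):
        rel[a][b] += 1
        rel[b][a] += 1
    for src, dst, day in messages:
        if dates is None or dates[0] <= day <= dates[1]:
            link(src, dst)
    for number, day in call_log:  # the call log names only the other party,
        if dates is None or dates[0] <= day <= dates[1]:
            link(device, ("PHONE", number))  # so the device account is the local side
    for ident in contacts:  # contact-book relationship: the device "knows about" the peer
        link(device, ("EMAIL" if "@" in ident else "PHONE", ident))
    return rel

def account_list(rel, account_types=None):
    """Middle pane: accounts matching the type filter, most relationships first."""
    rows = [(acct, sum(peers.values())) for acct, peers in rel.items()
            if account_types is None or acct[0] in account_types]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

def account_details(rel, account):
    """Right pane: every account the selected one has a relationship with."""
    return dict(rel.get(account, {}))
```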

Section 15: Tagging, Commenting, and Reporting

Outline the concepts associated with tagging and making final reports:

● Creating tags
● Adding comments
● Generating various report types to export results
● Creating a portable case with a subset of your data

Tagging

● What is it?
○ A reference to a file or object so that you can easily find it later; bookmarking
○ A comment on a file, or a highlight of the part of a picture that is relevant
● Use it to find files later for follow-up and to identify “bad” files to report

Tag names

● Create arbitrary tag names
○ “Bookmark”, bad, suspicious, strange
● Autopsy remembers your tag names from previous cases
● Make them by right-clicking on a file; specify whether the tag is for notable items or not
○ Add file tag; choose an existing tag or make a new one

Tagging a result

● Results (blackboard artifacts) are associated with a file
● When you view a result, you can choose to tag either the result or the file
● The final report will focus on whichever one you tagged
● Tag the keyword hit result if the keyword itself is very important (the occurrence is interesting by itself)
● Tag the file if you are more interested in the file you found through keyword searching and the keyword is no longer that relevant
● Keyword hit (keyword:password) → file.doc
● Web history → file; you probably want to tag the web history result, because it is probably a specific URL that you care about
● Both options are shown for result entries

Tagging a picture

● Tag a specific region of a picture → application view, tags menu; choose create, or whatever you need
○ Saves the coordinates in the database rather than editing the image; if you want to actually draw a box, import the image elsewhere

Viewing tags

● Available in the tree towards the bottom

Delete tag

● Right click on file in tag tree to delete tag as well

Tags and examiners

● Tags are associated with the examiner who made them; can see who made them
● Hide tags that are not yours in options panel

C Repo Updating

● If the central repository (C Repo) is enabled and you tag a file as “notable”, the tagging is stored there
● Alerts can be generated in the future when that file is seen again, if the Correlation Engine ingest module is enabled

Comments

● Allow you to make notes about why you tagged an item
○ Shown in reports
○ Can be saved in the C Repo for future reference
● To comment on a file, choose “tag and comment”
● Examiners can store comments about a file in the C Repo

See comments

● Rows in the table with a comment show a yellow notebook icon
● Comments are in the annotation viewer

Reporting: what does it do?

● Makes a report that you can send to others or use in other report formats
● Extensible framework; comes with:
○ HTML and Excel results (focus on results and blackboard artifacts), text file (each file and its metadata), KML file (Google Earth), add tagged files to hash set, portable case

When would you use it?

● At the end of the investigation
○ HTML report to give to others
○ Excel report to copy and paste into another report, or to share subsets with another user

HTML and Excel Reports

● Document the analysis module results and tagged items
● Two modes: report on all items, or only on items with specific tags

Specify header/footer

● Headers and footers are generally used to specify sharing restrictions
● HTML result report
○ Left side: list of HTML files
○ Right side: details; report on top and info at the bottom
● Can add an agency logo in the options panel; shown at the top
● Excel report
○ Same information, but one data type per worksheet

File reports

● Show what files are in the case; one line per file
● Columns for metadata; you can choose which metadata fields to include

KML report

● Generates a file with
○ EXIF artifacts, GPS trackpoints/routes
● Includes thumbnails of the EXIF images

Updating hash sets

● Add all of your final tagged files to a hash set; use the “save tagged hashes” report module (if the C Repo isn’t on)

Portable case

● An Autopsy case that includes only a subset of the data from its original case
○ Only tagged files and interesting item hits
● Self contained
○ Has its own SQLite database; all files are located in the case folder
● Can be shared with any user for review or assistance

Settings

● Choose what gets added to the case; optionally compress and split it into small chunks
● Default is to make a folder; it is up to you to transport it
○ Splitting produces CD/DVD-sized chunks for transport

Open

● Use the normal version of Autopsy
● If the portable case was not packaged (i.e. not ZIPped), open it as a normal case
○ It is a normal case! Just smaller
● If the portable case was packaged, choose “unpack and open portable case”
● This extracts the ZIPped case into a new folder

Using

● Portable case is just like a normal case; just a lot less data
● Can run ingest modules, tag files, generate reports, etc.

Accessing reports

● After a report is generated, a link is shown to open it
● Reports can also be found in the Reports section at the bottom of the tree
○ Other ingest modules may put output files here too

Conclusion

● Tags are used to mark files for final reporting, follow-up, and other workflow stages
● Comments can be added to items and stored either at the case level or in the C Repo
● Various report formats allow you to export results
● Portable cases are a small subset of your original case that can be opened by another user

Section 16: Installing 3rd Party Modules

Show how to install 3rd party Java and Python modules.

Types of Modules

● Autopsy was written to be a platform for plugin modules
● Several places where other developers can add functionality: ingest modules, content viewers, report modules
● Others: data source processors, machine translation, etc.

Finding modules

● Github repo exists to list publicly available modules (sleuthkit addon modules)

Module concepts

● Officially, modules are only guaranteed to work on a given major version
○ Modules written for 3.0.8 should work with 3.0.9, but not 3.1.0
● In practice, backward compatibility is not broken, so modules should keep working
● Modules can be written in either Java (more powerful, but a bit harder to write) or Python (less powerful, easier to write)

Java

● Modules have the .nbm extension
● NetBeans module files
○ Contain one or more Autopsy modules; allow these modules to be downloaded and auto-updated
● Modules can verify that they are being installed into the correct version of Autopsy

Install

● Open the wizard using the Tools → Plugins menu
● Choose the Downloaded tab; add plugins, select the .nbm file
● Press Install and follow the wizard
● The Installed tab lists the installed Java modules
○ Some come with Autopsy

Python

● A Python module is a folder that contains one or more .py files
● Python modules do not verify versions
● All modules need to be copied as subfolders into a central location
● Only ingest and report modules can be written in Python

Install

● If the module was shipped as a ZIP file, extract the contents to a folder
● Open the Python modules folder → copy the module folder into the plugins folder
● Each module has to be kept in its own folder to prevent collisions
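The Python-module install procedure above, as an added example that is not part of Autopsy or these notes: it unpacks a module ZIP into its own subfolder of the plugins folder and refuses archives that are not a single top-level folder, contain no .py file, use unsafe paths, or collide with an already-installed module. The plugins folder path and the archive contents are constructed for the example.

```python
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

def install_python_module(zip_bytes, plugins_dir):
    """Unpack one module ZIP into its own subfolder of the Python plugins folder."""
    plugins_dir = Path(plugins_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        for n in names:  # reject absolute, parent-relative or Windows-style entries
            if n.startswith("/") or "\\" in n or ".." in PurePosixPath(n).parts:
                raise ValueError(f"unsafe path in archive: {n}")
        tops = {PurePosixPath(n).parts[0] for n in names}
        if len(tops) != 1 or any(len(PurePosixPath(n).parts) < 2 for n in names):
            raise ValueError("ZIP must contain exactly one module folder")
        if not any(n.endswith(".py") for n in names):
            raise ValueError("module folder contains no .py file")
        dest = plugins_dir / tops.pop()
        if dest.exists():  # modules live in separate folders; never merge into one
            raise FileExistsError(f"{dest.name} is already installed")
        zf.extractall(plugins_dir)
    return dest

def _constructed_zip(folder="ExampleModule"):
    """Build an in-memory ZIP of a constructed (placeholder) module folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{folder}/examplemodule.py", "# placeholder module body\n")
        zf.writestr(f"{folder}/README.txt", "constructed sample\n")
    return buf.getvalue()

def demo():
    """Install the constructed module into a temporary plugins dir, then retry it."""
    with tempfile.TemporaryDirectory() as tmp:  # stands in for the real plugins folder
        dest = install_python_module(_constructed_zip(), tmp)
        installed = sorted(p.name for p in dest.iterdir())
        try:
            install_python_module(_constructed_zip(), tmp)
            collision_refused = False
        except FileExistsError:
            collision_refused = True
    return installed, collision_refused
```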

Conclusion

● Installing 3rd party modules is easy
● Java modules are added using the Tools → Plugins wizard
● Python modules are added by copying in a folder
● New modules can be found on the GitHub repository

Section 17: Conclusion

Review of Topics

● Course:
○ Making a case and adding a data source
○ How to analyze the data source
○ Various UIs
○ Tagging and reporting
○ Installing 3rd party modules
● There’s a lot more to cover, but it takes more than one day

Typical workflow

1. Create a case
2. Add a data source
3. Configure keywords that are case relevant
4. Run ingest with all relevant modules
5. Start to review data as it comes in
6. Update keywords as you find more relevant terms
7. Tag files of interest
8. Generate report

Download future versions

● Download from the Autopsy website
● The tool will notify you of updates
● Update messages are also sent elsewhere

Getting involved

● Spread the word
● Answer questions from fellow users
● Help with documentation
● Check out 3rd party modules (see link)

OSDFCon is a digital forensics tools conference; attend to learn about the latest features and modules. It is free for government employees.
