The 4.21 version of Autopsy is out, and this blog post will cover three of the most notable new features. You can see the full list of changes here. We’re going to cover,
- Inline Keyword Search
- Cyber Triage Malware Scanner Module
- Logical File Timestamps
To download the latest version, go here.
You can also attend a Webinar on September 12. Register here.
Search For Keywords Without Building An Index
The Keyword Search module has a new feature that allows you to not populate the Solr index, which means that ingests are faster (but later searches will be slower).
The Traditional Way Of Searching For Keywords In Autopsy Was To:
- Extract text from files
- Add the text to Solr, which would break it into words (tokens)
- Periodically, search the index
This is great when you want to perform many searches on the data because each later search is going to be fast. But it was a waste when you may have only one set of keywords and you want to triage the device for them.
Now, You Can Search Using The Following Process:
- Extract text from the files
- Search the text for keywords in the ingest pipeline
But, if you later realize you have more keywords to search for, you’ll have to run ingest all over again and read in all of the file content.
Otherwise, the user experience is nearly the same. You’ll see results in the tree on the left and be able to see the highlighted text on the bottom.
You can choose during ingest if you want to add text to the index or not. The default is to add the text.
One note is that a small amount of text is still maintained in the Solr index. Any file that has a keyword hit will be added to the index so that it can be later viewed.
Scan Files For Malware Without Locally Mounting
A new “Cyber Triage Malware Scanner” ingest module was added that will scan executables for malware. This module is a bit different from others in Autopsy because it requires a commercial license to use.
The traditional use case is that you want to know if a disk image has backdoors and remote access that someone could have used to plant evidence.
Some labs will mount disk images as local drives and scan them with their local AV. Although it frequently works, this has some limitations.
- Results from a single scanner
- The malware could infect the examiner system if it gets run
The new Autopsy module will use 40+ malware scanning engines from Cyber Triage, and the executable files are not written to disk. This service DOES NOT use VirusTotal, so if files are uploaded, they are not broadcasted to the world.
Results Show Up In The Tree As Usual:
The module ships with Autopsy, and you can get an evaluation key from CyberTriage.com.
Logical File Timestamps
Autopsy has historically ignored timestamps when you import a folder of files. That’s because the times on those files could be anything. Autopsies never had any idea if they were accurate or not.
Well, Autopsy still doesn’t know if they are accurate, but it will now let you pick which timestamps to copy in.
You can choose to import the modified, created, or accessed times on the files, and that will get stored in the database.
Another change on the above panel is that you can remove file or folder entries in the top table before adding them.
Try It Out
Download the latest version of Autopsy today and try out these new features.