The 4.21 version of Autopsy is out, and this blog post will cover three of the most notable new features. You can see the full list of changes here. We’re going to cover,
To download the latest version, go here.
You can also attend a Webinar on September 12. Register here.
The Keyword Search module has a new feature that allows you to not populate the Solr index, which means that ingests are faster (but later searches will be slower).
The Traditional Way Of Searching For Keywords In Autopsy Was To:
This is great when you want to perform many searches on the data because each later search is going to be fast. But it was a waste when you may have only one set of keywords and you want to triage the device for them.
Now, You Can Search Using The Following Process:
But, if you later realize you have more keywords to search for, you’ll have to run ingest all over again and read in all of the file content.
Otherwise, the user experience is nearly the same. You’ll see results in the tree on the left and be able to see the highlighted text on the bottom.
You can choose during ingest if you want to add text to the index or not. The default is to add the text.
One note is that a small amount of text is still maintained in the Solr index. Any file that has a keyword hit will be added to the index so that it can be later viewed.
A new “Cyber Triage Malware Scanner” ingest module was added that will scan executables for malware. This module is a bit different from others in Autopsy because it requires a commercial license to use.
The traditional use case is that you want to know if a disk image has backdoors and remote access that someone could have used to plant evidence.
Some labs will mount disk images as local drives and scan them with their local AV. Although it frequently works, this has some limitations.
The new Autopsy module will use 40+ malware scanning engines from Cyber Triage, and the executable files are not written to disk. This service DOES NOT use VirusTotal, so if files are uploaded, they are not broadcasted to the world.
Results Show Up In The Tree As Usual:
The module ships with Autopsy, and you can get an evaluation key from CyberTriage.com.
Autopsy has historically ignored timestamps when you import a folder of files. That’s because the times on those files could be anything. Autopsies never had any idea if they were accurate or not.
Well, Autopsy still doesn’t know if they are accurate, but it will now let you pick which timestamps to copy in.
You can choose to import the modified, created, or accessed times on the files, and that will get stored in the database.
Another change on the above panel is that you can remove file or folder entries in the top table before adding them.
Download the latest version of Autopsy today and try out these new features.
bomber is an application that scans SBOMs for security vulnerabilities. So you've asked a vendor…
Embed a payload within a PNG file by splitting the payload across multiple IDAT sections.…
Exploit-Street, where we dive into the ever-evolving world of cybersecurity with a focus on Local…
Shadow Dumper is a powerful tool used to dump LSASS (Local Security Authority Subsystem Service)…
shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…
Extract and execute a PE embedded within a PNG file using an LNK file. The…