Baechle
Advocate I

Forensics: Autopsy 4.7 adds link visualization, encrypted ZIP, database, and Volatility support!

For all you forensicators on a budget:


In case you missed it, Basis Technology released Autopsy 4.7.0 on May 8th, and it adds some really great features: Autopsy 4.7 Release notes (14 May 2018)


Top among them is the new link analysis visualization for the Communication Analysis tool.  Autopsy 4.7 now creates a chart using pinned target elements (e.g. email addresses, phone numbers, social media accounts, etc.) and shows you where they overlap and the relative frequency of communication through the size of the lines and bubbles representing nodes.


There is also richer Linux/Mac OS X support using the updated features if that is your preferred platform.


You can add a date filter to your pre-processing so that you're only triaging data within a relevant range, rather than having to ingest and process the entire universe of data in an image or logical file set.


There is also Beta level support for working with Volatility outputs that should be finalized in the next release.


If you use Autopsy and haven't upgraded, you should really go get your update now.  If you're looking for a forensic tool on a budget, you can do a heck of a lot with Autopsy with shallow pockets!


Enjoy!


Eric B.
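The link-analysis chart and the date filter described in the post above, worked through as an added example in Python. This is not Autopsy's code and it does not read an Autopsy case database: the record layout (timestamp, sender, recipient, channel), the sample messages, and the pinned accounts are all constructed for this example. It shows the two quantities the chart encodes, per-pair message counts (line width) and per-account totals (bubble size), and how pinning two targets surfaces the accounts where their networks overlap, after first discarding records outside the date window.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records (timestamp, sender, recipient, channel).
# Made-up test data, not an Autopsy export; the column layout is an
# assumption for this example only.
RECORDS = [
    ("2018-03-01T09:00:00", "alice@example.com", "bob@example.com", "email"),
    ("2018-03-01T09:30:00", "alice@example.com", "bob@example.com", "email"),
    ("2018-03-02T11:00:00", "+15550001111", "+15550002222", "sms"),
    ("2018-03-03T14:00:00", "carol@example.com", "bob@example.com", "email"),
    ("2018-03-05T16:00:00", "+15550002222", "+15550001111", "sms"),
    ("2018-03-10T08:00:00", "alice@example.com", "carol@example.com", "email"),
    ("2018-01-15T10:00:00", "alice@example.com", "dave@example.com", "email"),
]


def filter_by_date(records, start, end):
    """Keep only records whose timestamp falls within [start, end].

    This is the pre-processing date filter: records outside the window are
    dropped before analysis, so the rest of the pipeline never sees them.
    """
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [r for r in records if lo <= datetime.fromisoformat(r[0]) <= hi]


def build_link_graph(records):
    """Return (node_weights, edge_weights).

    node weight = messages an account took part in (bubble size);
    edge weight = messages between an unordered pair (line width).
    """
    nodes, edges = Counter(), Counter()
    for _, sender, recipient, _ in records:
        nodes[sender] += 1
        nodes[recipient] += 1
        edges[tuple(sorted((sender, recipient)))] += 1
    return nodes, edges


def find_overlaps(edges, pinned):
    """Accounts that tie two or more pinned targets together.

    A non-pinned account that talked to several pinned targets is an
    overlap node; a direct edge between two pinned targets counts too.
    """
    contacts = defaultdict(set)
    direct = []
    for a, b in edges:
        a_pin, b_pin = a in pinned, b in pinned
        if a_pin and b_pin:
            direct.append((a, b))
        elif a_pin:
            contacts[b].add(a)
        elif b_pin:
            contacts[a].add(b)
    shared = {acct: sorted(t) for acct, t in contacts.items() if len(t) > 1}
    return shared, direct


def analyze(records, pinned, start, end):
    """Run the whole pipeline and return a plain dict for inspection."""
    in_range = filter_by_date(records, start, end)
    nodes, edges = build_link_graph(in_range)
    shared, direct = find_overlaps(edges, pinned)
    return {
        "records": len(in_range),
        "nodes": dict(nodes),
        "edges": {"%s <-> %s" % k: v for k, v in edges.items()},
        "shared_contacts": shared,
        "direct_links": direct,
    }


def render(result):
    """Text stand-in for the chart: longer bars = heavier nodes/edges."""
    lines = []
    for node, w in sorted(result["nodes"].items(), key=lambda kv: -kv[1]):
        lines.append("%-20s %s" % (node, "O" * w))
    for edge, w in sorted(result["edges"].items(), key=lambda kv: -kv[1]):
        lines.append("%-40s %s" % (edge, "=" * w))
    return "\n".join(lines)


if __name__ == "__main__":
    res = analyze(RECORDS, {"alice@example.com", "carol@example.com"},
                  "2018-03-01T00:00:00", "2018-03-31T23:59:59")
    print(render(res))
    print("shared contacts:", res["shared_contacts"])
    print("direct links between pinned targets:", res["direct_links"])
```

With alice and carol pinned and the window set to March 2018, the January message to dave is filtered out, bob shows up as the account both pinned targets talked to, and the alice-carol edge is reported as a direct link; the two SMS numbers form a separate cluster that touches neither pinned target.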

4 Replies
Da
Newcomer II

Thank you. Interesting functionality; is it possible to integrate this function with Maltego?

Baechle
Advocate I

Vladimir,

@Da wrote:

Thank you. Interesting functionality; is it possible to integrate this function with Maltego?


Autopsy will export a number of its reports into external formats, for example an XLS structured spreadsheet.  There's no reason that you can't export it into a Maltego case file, CE, or any of the other commercial products.  I can't think of a scenario that would make that particularly interesting.  There are two reasons.  First is the format of the data, and second is the licensing models.


(1) Although Maltego and Autopsy are both billed as "forensic tools", they appear to approach it in slightly different ways.  Maltego seems to like structured data much better, and as such its forensic capacity seems more like a litigation support/discovery data translation/visualization tool.  Autopsy, on the other hand, is a graphical interface for a collection of tools purpose-built to extract activity and content information from digital artifacts of evidence that may be structured or unstructured.  You can import Autopsy reports into Maltego, but I can't think of a scenario where that's going to provide you useful information.


(2) Maltego has a licensing model that limits the records processed/visualized for community versions, requiring you to purchase a commercial version for large data sets.  On the other hand, Autopsy natively supports linking into an external database, and the ability to process and visualize records and support multiple users is only limited by the database you feed it with.  You could easily exceed the maximum number of records in community versions of Maltego's products with Autopsy, for the same low price of free.


If there is some module, feature, or report you think should be instituted in Autopsy, they take community suggestions in the form of "trouble tickets".  They also publish their plugin system so the community can write one themselves and list it on the main Autopsy web site.


Sincerely,


Eric B.

Da
Newcomer II

About scenarios, I mean a situation where, after the forensic examination, Autopsy gives some data about users (emails, logins, etc.) on a local HD, for example. In the next step, Maltego is used to search for and visualize open information about this person (who uses these accounts on social networks? what are his contacts? etc.).

Baechle
Advocate I

Vladimir,


I apologize, I still don't understand your use-case.

@Da wrote:

About scenarios, I mean a situation where, after the forensic examination, Autopsy gives some data about users (emails, logins, etc.) on a local HD, for example. In the next step, Maltego is used to search for and visualize open information about this person (who uses these accounts on social networks? what are his contacts? etc.).


I am failing to understand what information you would want to process using Maltego.


Can you give me an example of what kind of information would be valuable as input to your Maltego use, and then another example of what kind of (and the source of) information you would expect as output from Maltego?


The way your question is phrased, it appears as though you expect Maltego to bypass the legal subpoena process in obtaining account access, contact, and IP address information from a social media company.


Sincerely,


Eric B.