Autopsy 4.7.0

New Features:

• A graph visualization was added to the Communications tool to make it easier to find messages and relationships.
• A new "Application" content viewer (lower right) that will contain file-type specific viewers (to reduce number of tabs).
• New viewer for SQLite databases (in Application content viewer)
• New viewer for binary PLists (in Appilcation content viewer)
• L01 files can be imported as data sources.
• Ingest filters can now use date range conditions for triage.
• Passwords to open password protected archive files can be entered (by right clicking on the file).
• Reports (e.g., RegRipper output) generated by ingest modules are now indexed for keyword search.
• PhotoRec carving module can be configured to keep corrupted files.
• Sector size can be specified for local drives and images when E01 is wrong or it is a raw image.
• New data source processor in Experimental module that runs Volatility, adds the outputs as files, and parses the reports to provide INTERESTING_FILE artifacts.
• Assorted small enhancements are included.

Bug Fixes:

• Memory leaks and other issues revealed by fuzzing the The Sleuth Kit have
  been fixed.
• Result views (upper right) and content views (lower right) stay in synch when switching result views.
• Concurrency bugs in the ingest tasks scheduler have been fixed.
• Assorted small bug fixes are included.

Autopsy 4.6.0 Linux ZIP (beta 1)

We're incrementally releasing a packaged version of Autopsy for Linux. This is the first version of it based on the official 4.6.0 release.

Prerequisites

The following need to be done at least once. They do not need to be repeated for each Autopsy release.

1. Install testdisk for photorec functionality
   % sudo apt-get install testdisk
2. Install Oracle Java and set JAVA_HOME. Use the instructions here:
   https://medium.com/coderscorner/installing-oracle-java-8-in-ubuntu-16-10-845507b13343

Installation

1. Install the sleuthkit-java.deb file that is part of this Autopsy release. This is not an official package yet. This will install libewf, etc.
   % sudo apt install ./sleuthkit-java_4.6.0-1_amd64.deb
2. Make a directory for autopsy, for example:
   % mkdir autopsy-4.6.0-linux1
3. Move the ZIP file that is part of this release into the folder and extract the contents (note the ZIP file does not contain a single top-level folder).
4. Run the unix_setup script to configure Autopsy
   % sh unix_setup.sh

Running

1. In a terminal, change to the ‘bin’ directory in the folder you created.
2. Run Autopsy
   ./autopsy

Known Limitations

• Multi-user cases are not supported
• Local drives cannot be analyzed
• VMDK / VHDI images not supported
• Dead JAR issues if you ever run as ‘root’. Other users can’t overwrite one of the .so files. To fix it, have root delete the /tmp/libtsk_jni.so file.

autopsy-4.6.0

New Features:

• A new Message content viewer was added to make it easier to view email message contents.
• A new Communications interface was added to make it easier to find messages and relationships.
• Hash sets can be centrally stored and shared in the Central Repository.
• New Encryption Detection module that will flag possibly encrypted files.
• Can more easily run Autopsy from a USB drive and leave few traces on target system.
• Tag definitions now have a "notable" property. The Central Repository uses this to mark files as notable.
• Large slack files are now file typed.
• The maximum number of Solr connections and ingest threads have increased.
• Periodic keyword search will dynamically change based on how long queries are taking.
• Users can change the amount of memory allocated to the application.
• The amount of memory required for processing keyword hits has been reduced.
• Layout of HTML reports has been modified make it easier to open.
• "Databases" was added to File Type by Extension view.
• Users can now enter more information about cases including examiner, organization, etc.
• New dialog to open multi-user cases that allows for searching.
• Auto ingest metrics are collected and displayed in dashboard.
• Auto ingest module that extracts disk images from archive files.
• Keyword search has been made more responsive to both search and ingest job cancellation.
• Number of log files to keep before rollover is now configurable.
• Preliminary changes to make Linux and OS X builds easier.

Bug Fixes:

• Memory leaks and other issues revealed by fuzzing the SleuthKit have
  been fixed.
• Memory issues caused by Tika are fixed (by upgrading to 1.17)
• Assorted small enhancements and bug fixes are included.

Autopsy 4.5.0

• Memory usage has been reduced to improve support for very large cases.
• New central repository feature has been added that allows you to correlate between cases and track if an item was previously identified as being "bad" or notable.
• Message attachments are now associated with the message (and not just the source file). These can be found in the data sources and messages parts of the tree.
• Credit card number search has added logic to reduce false positives based on number lengths.
• Virtual directory nodes in the tree view are distinguished in the Data Sources tree by the addition of a "V" to their icon. These are folders that Autopsy/TSK created.
• A new version of the automated ingest dashboard has been added to allow insight into pending, running and completed automated ingest jobs in automated ingest Examiner mode.
• All occurrences of "Known Bad" in the user interface have been changed to "Notable."
• Assorted small enhancements and bug fixes are included.

Autopsy 4.4.1

• Beta version of new central repository feature has been added for correlating artifacts across
  cases; results are displayed using an Interesting Artifacts branch of the Interesting Items tree and an Other Data Sources content viewer.
• Results viewer (top right area of desktop application) sorts are persistent and can be applied to either the table viewer or the thumbnail viewer.
• The View Source File in Directory context menu item now works correctly.
• Tagged image files in the HTML report are now displayed full-size.
• Case deletion is now done using a Case menu item and both single-user and general (not auto ingest) multi-user cases can be deleted.
• Content viewers (bottom right area of desktop application) now resize correctly.
• Some potential deadlocks during ingest have been eliminated.
• Assorted performance improvements, enhancements, and bug fixes.

Autopsy 4.4.0

autopsy-4.4.0

4.4.0 Release