Autopsy 4.21.0

Library Updates

• Update Java to version 17
• Update aLeapp/iLeapp executables.
• Update JNA Version
• Update SQLite library version
• Updated 3rd party libraries that have known CVE's

Ingest Module Updates:

• Recent Activity checks for malicious Chrome extensions from list provided by https://github.com/randomaccess3/detections
• Keyword Search module now can search without needing to index text into Solr.
• New Cyber Triage Malware Scanner module that uses Reversing Labs (requires license). https://www.cybertriage.com/autopsy-malware-module/

Add Data Source Updates:

• Timestamps for logical files can be added. Issue #5852, #1788
• List of logical files/folders can be edited before they are added. Issue #7347

GUI Updates:

• Add "has attachments" flag for emails. Issue #7358
• Add Score to tree view

Bugs:

• Fix path for lnk files
• Fix exporting of CSV files. Issue #6717

Misc:

• Added File Repository concept for data source files that are in a central location. Required for Cyber Triage import feature.
• Added Spanish language support, contributor https://github.com/AburtoArielPM

Autopsy 4.20.0

Recent Activity Updates:

• Added Favicons, Profiles and Extensions to Chromium Browsers
• Added Security Questions/Answers from SAM registry Hive

Data Source Processing

• Added Jython Support for Data Source Processor modules.
• Added example Python DSP plugin

Ingest Pipelines

• Added new DataArtifact ingest pipeline that artifacts will go down.
• Moved Keyword search functionality for artifacts to the new pipeline.

Linux / Mac Improvements

• Script to install prerequisites using Homebrew and Debian package.
• Script that allows you to install TSK from source
• Script that sets JAVA home per install
• Updating Linux and Mac Installation Documentation

Command Line Interface

• Simplified command line input parameters
• The -listAllIngestProfiles switch was added
• The -nogui switch now works.
• Return codes now reflect if the application failed

Bug Fixes:

• Solr 8.11.2 Upgrade which includes update to Log4j to version 2.17.1
• Change Timezone format for Plaso output.
• Regex fix for Mbox parsing.
• Portable Case report string index out of range -1 fixed
• Extracting files, numbering of files and overwriting of files.
• Image tagging
• Joda-Time updated from 2.4 to 2.10 - fixes certain timezone errors

Misc:

• Update to USB id's.

• Update Tesseract to 4.10.

• Moved configuration settings to separate ones that are machine-dependent.

• Interesting files and file filters can now exclude certain features, such as folders.

• Adds host to artifact content viewer.

• When an OS Account is selected the Other Occurrences tab will no longer show the open case in the case list.

• The Communication window Message Viewer Threads panel layout was cleaned up so that the buttons are visible despite the subject length.

• Limit ingest inbox messages to first 20 keyword hits

• GStreamer update to version 1.20.0

• libheif v1.12.0 replaces ImageMagick

• Removal of 32bit version of Autopsy

Autopsy 4.19.3

Bug Fixes:

• Updates for log4j vulnerabilities.
  -- Solr 8.11.0 Upgrade
  -- Manual update of log4j to 2.16.0

Other NOTES:

• This installer was created with some manual work because Solr 8.11.1 was not on maven at the time of building.
• Only a 64-bit installer was created.

Autopsy 4.19.2

GUI Updates

• Special handling of Interesting Files and Interesting Results analysis results was removed from the tree and they are now shown as individual nodes.
• Updated display of analysis results in the tabular results viewer.
• Improved algorithm for populating the S(core) column in the tabular results view.
• Updated the right-click menu options for data artifacts and analysis results.
• The O(ther Cases) column in the tabular results view and the Other Occurrences content viewer now count cases in the same way.

Misc:

• Installed applications are now added to the central repository.
• The Central Repository ingest module no longer uses the generic Interesting Item analysis result and instead creates more specific Previously Seen, Previously Unseen, and Previously Notable analysis results.
• Automatic destinations (jump lists) parsing added to the Recent Activity module.
• French translation of user documentation contributed by github user @Seb2lyon .

Bug Fixes:

• Analysis Results and Annotation content viewers now work when parent is a data artifact.
• Fixed bug that prevented media attachments from being displayed in the Communications Viewer.
• Fixed RegRipper bug to support parsing of ShellBags with non-Latin characters.
• Assorted GUI responsiveness fixes.
• Fixed NTFS handling of compressed files that were not fully initialized (via TSK).
• Other assorted bug fixes.

Autopsy 4.19.1

Bug Fixes:

• Fixed connection leak associated with creating OS Accounts
• Decreased priority of OS Account Content Viewer
• Misc bound check fixes in TSK

Autopsy 4.19.0

Data Source Management:

• To make managing big cases easier, all data sources are now associated with a host that can be specified in the “Add Data Source” wizard.
• Hosts can be grouped by “person”, which is simply a name of the owner.
• The main tree viewer can be configured to group by person and host.

OS Accounts:

• Operating System (OS) accounts and realms are their own data types and no longer generic artifacts.
• OS Accounts are created for Windows accounts found in the registry. Domain-scoped realms are not fully detected yet.
• NTFS files are associated with OS Accounts by SID.
• The Recent Activity module associates artifacts with OS Accounts based on SID or path of database. Other modules still need to be updated.
• OS accounts appear in a dedicated sub-tree of the main tree view and their properties can be viewed in the results view.
• A new content viewer in the lower right area of the main window was built to display OS account data for the item selected in the results view.

Analysis Result and Data Artifacts

• All modules make either Analysis Results or Data Artifacts instead of “Blackboard Artifacts.”
• New “Analysis Result” content viewer shows the results for a given file and its score.
• The tabular results viewer shows an icon for the aggregate score of a file.
• The tree organizes results into "Analysis Results" and "Data Artifacts" instead of simply “Results.”

Discovery UI:

• Domain categorization and account types are displayed in Domain Discovery results.
• The Domain Discovery results view more explicitly shows when a downloaded file no longer exists.
• Check boxes are now used to select search options instead of shift-based multi-select.

Ingest Modules:

• File metadata updates are batched up before being saved to the case database for better performance.
• Parsing of iLEAPP and aLEAPP output was expanded to create communication relationships which can be displayed in the Communications UI.
• EML email parsing handles EML messages that are attachments (and have their own attachments).
• Domain categorization within Recent Activity can be customized by user-defined rules that can be imported and exported.
• Account IDs and Installed Applications are added to the Central Repository.
• Keyword search can be configured to only do OCR and skip non-OCR files.

Miscellaneous:

• A “Reset Windows” feature was created to help redock windows.
• A case-insensitive wordlist of all words in the keyword search index can be exported as a text document.
• Information from the Data Source Summary panels can be exported as an Excel spreadsheet.
• More artifacts are added to the timeline and artifacts with multiple time-based attributes are mapped to multiple timeline events.
• Added option to only perform optical character recognition on certain file types.
• Heap dumps can be saved to a custom location.
• More detailed error messages about encrypted disks when they are added.
• Added file size filter to Ingest Filters.

Performance:

• Keyword search does not make an explicit commit for each report if ingest is running.
• Language ID is performed on a small subset of a file instead of the entire file.
• Recent Activity is more efficient because of TSK changes to file searching (using extension).
• Embedded file extractor module has been made faster by doing file typing in memory and adding extracted files in batches.
• Moved Content Viewers setNode() and isSupported()/isPreferred() code to background threads.
• Moved Data Source Summary Panel population code to background threads.
• Moved Node/Tree queries to background threads.

Bug Fixes:

• Fixed embedded file extractor file name escaping bug.
• Detect VHD files by signature and not extension.
• Fixed iLEAPP path error.
• Content viewers UIs are more consistent.
• Assorted bug fixes are included.

Auto Ingest:

• The Auto Ingest Dashboard is resizable.
• Get thread dumps from AID
• Added beta pause feature that pauses auto ingest for a set amount of time at a scheduled date and time.

Autopsy 4.18.0

Keyword Search:

• A major upgrade from Solr 4 to Solr 8.6.3. Single user cases continue to use the embedded server.
  Multi-user clusters need to install a new Solr 8 server and can now create a Solr cloud with multiple servers.
  -- NOTE: Cases created with Autopsy 4.18 cannot be opened by previous versions of Autopsy. Autopsy 4.18 can open older cases though.
  -- See http://sleuthkit.org/autopsy/docs/user-docs/4.18.0/upgrade_solr8_page.html for more details.
• Improved text indexing speed by not doing language detection on unknown file formats and unallocated space.

Domain Discovery:

• Added details view to Domain Discovery to show what web-based artifacts are associated with the selected domain.
• Updated the Domain Discovery grouping and sorting by options.
• Added basic domain categorization for webmail-based domains.

Content Viewers:

• Built more specialized viewers for web-based artifacts.

Data Source Summary:

• Added a “Geolocations” tab that shows what cities the data source was near (based on geolocation data).
• Added a “Timeline” tab that shows counts of events from the last 30 days the data source was used.
• Added navigation buttons to jump from the summary view to the main Autopsy UI (for example to go to the map).

Ingest Modules:

• New YARA ingest module to flag files based on regular expression patterns.
• New “Android Analyzer (aLEAPP)” module based on aLEAPP. Previous “Android Analyzer” also still exists.
• Updated “iOS Analyzer (iLEAPP)” module to create more artifacts and work on disk images.
• Hash Database module will calculate SHA-256 hash in addition to MD5.
• Removed Interesting Item rule that flagged existence of Bitlocker (since it ships with Windows).
• Fixed a major bug in the PhotoRec module that could result in an incorrect file layout if the carved file spanned non-contiguous sectors.
• Fixed MBOX detection bug in Email module.

Reporting:

• Attachments from tagged messages are now included in a Portable Case.

Misc:

• Added support for Ext4 inline data and sparse blocks (via TSK fix).
• Updated PostgreSQL JDBC driver to support any recent version of PostgreSQL for multi-user cases and PostgreSQL Central Repository.
• Added personas to the summary viewer in CVT.
• Handling of bad characters in auto ingest manifest files.
• Assorted small bug fixes.

Autopsy 4.17.0

GUI:

• Expanded the Data Source Summary panel to show recent activity, past cases, analysis results, etc. Also made this available from the main UI when a data source is selected.
• Expanded Discovery UI to support searching for and basic display of web domains. It collapses the various web artifacts into a single view.

Ingest Modules:

• Added iOS Analyzer module based on iLEAPP and a subset of its artifacts.
• New Picture Analyzer module that does EXIF extraction and HEIC conversion. HEIC/HEIF images are converted to JPEGs that retain EXIF using ImageMagick (replaces the previous EXIF ingest module).
• Added support for the latest version of Edge browser that is based on Chromium into Recent Activity. Other Chromium-based browsers are also supported.
• Updated the rules that search Web History artifacts for search queries. Expanded module to support multiple search engines for ambiguous URLs.
• Bluetooth pairing artifacts are created based on RegRipper output.
• Prefetch artifacts record the full path of exes.
• PhotoRec module allows you to include or exclude specific file types.
• Upgraded to Tika 1.23.

Performance:

• Documents are added to Solr in batches instead of one by one.
• More efficient queries to find WAL files for SQLite databases.
• Use a local drive for temp files for multi-user cases instead of the shared folder.

Command Line

• Command line support for report profiles.
• Restored support for Windows file type association for opening a case in Autopsy by double clicking case metadata (.aut) file.
• Better feedback for command line argument errors.

Misc:

• Updated versions of libvmdk, libvhdi, and libewf.
• Persona UI fixes: Pre-populate account and changed order of New Persona dialog.
• Streaming ingest support added to auto ingest.
• Recent Activity module processes now use the global timeout.
• Option to include Autopsy executable in portable case (Windows only.)
• Upgraded to NetBeans 11 Rich Client Platform.
• Added debug feature to save the stack trace on all threads.

Autopsy 4.16.0

Ingest:

• Added streaming ingest capability for disk images that allow files to be analyzed as soon as they are added to the database.
• Changed backend code so that disk image-based files are added by Java code instead of C/C++ code.

Ingest Modules:

• Include Interesting File set rules for cloud storage, encryption, cryptocurrency and privacy programs.
• Updated PhotoRec 7.1 and include 64-bit version.
• Updated RegRipper in Recent Activity to 2.8
• Create artifacts for Prefetch, Background Activity Monitor, and System Resource Usage.
• Support MBOX files greater than 2GB.
• Document metadata is saved as explicit artifacts and added to the timeline.
• New “no change” hashset type that does not change status of file.

Central Repository / Personas:

• Accounts in the Central Repository can be grouped together and associated with a digital persona.
• All accounts are now stored in the Central Repository to support correlation and persona creation.

Content viewers:

• Created artifact-specific viewers in the Results viewer for contact book and call log.
• Moved Message viewer to a Results sub-viewer and expanded to show accounts.
• Added Application sub-viewer for PDF files based on IcePDF.
• Annotation viewer now includes comments from hash set hits.

Geolocation Viewer:

• Different data types now are displayed using different colors.
• Track points in a track are now displayed as small, connected circles instead of full pins.
• Filter panel shows only data sources with geo location data.
• Geolocation artifact points can be tagged and commented upon.

File Discovery:

• Changed UI to have more of a search flow and content viewer is hidden until an item is selected.

Reports:

• Can be generated for a single data source instead of the entire case.
• CASE / UCO report module now includes artifacts in addition to files.
• Added backend concept of Tag Sets to support Project Vic categories from different countries.

Performance:

• Add throttling of UI refreshes to ensure data is quickly displayed and the tree does not get backed up with requests.
• Improved efficiency of adding a data source with many orphan files.
• Improved efficiency of loading file systems.
• Jython interpreter is preloaded at application startup.

Misc bug fixes and improvements:

• Fixed bug from last release where hex content viewer text was no longer fixed width.
• Altered locking to allow multiple data sources to be added at once more smoothly and to support batch inserts of file data.
• Central repository comments will no longer store tag descriptions.
• Account type nodes in the Accounts tree show counts.
• Full time stamps displayed for messages in ingest inbox.
• More detailed status during file exports.
• Improved efficiency of adding timeline events.
• Fixed bug with CVT most recent filter.
• Improved documentation and support for running on Linux/macOS.

Autopsy 4.15.0

New UI Features:

• Added Document view to File Discovery.
• Expanded Context Content Viewer to show if an app accessed a file.
• Added translation feature to Message Content Viewer.
• Added waypoint type filter to the Geolocation viewer.
• Added zoom feature to Indexed Text Content Viewer.

New Ingest Modules Features:

• New GPX ingest module.
• New Drone ingest module for DJI drones based on DatCon.
• Create artifacts for files opened by Adobe Reader, Windows Media Player, Office Docs (Most Recently Used (MRU) and TrustRecords), 7Zip MRU, WinRAR MRU, Applets, Microsoft Management Console (MMC) via RegRipper.

New Central Repository Features:

• Central Repository stores account IDs that were previously seen.
• Central Repository is enabled by default to store past hashes. Feature to flag previously seen files is disabled by default.

Other New Features:

• Multi-user cases can be created via command line

Bug fixes:

• Prevent entire application from crashing when gstreamer crashes on videos.
• Improve Geolocation viewer with large data sets.
• Fix error with non-sector aligned reads on local disks.
• Times from Recycle Bin files are now in timeline.
• Validate timeline events and ignore events too far in the future.
• Moved some database queries off of UI thread.
• Remove hard coded sizes from UI that cause issues with other languages.