
Autopsy 4.19.0

@bcarrier bcarrier released this 02 Aug 11:42
· 3194 commits to develop since this release
Tag: autopsy-4.19.0 (commit 1e3abe7)

Data Source Management:

  • To make managing big cases easier, all data sources are now associated with a host that can be specified in the “Add Data Source” wizard.
  • Hosts can be grouped by “person”, which is simply a name of the owner.
  • The main tree viewer can be configured to group by person and host.

OS Accounts:

  • Operating System (OS) accounts and realms are their own data types and no longer generic artifacts.
  • OS Accounts are created for Windows accounts found in the registry. Domain-scoped realms are not fully detected yet.
  • NTFS files are associated with OS Accounts by SID.
  • The Recent Activity module associates artifacts with OS Accounts based on SID or path of database. Other modules still need to be updated.
  • OS accounts appear in a dedicated sub-tree of the main tree view and their properties can be viewed in the results view.
  • A new content viewer in the lower right area of the main window was built to display OS account data for the item selected in the results view.

Analysis Results and Data Artifacts:

  • All modules make either Analysis Results or Data Artifacts instead of “Blackboard Artifacts.”
  • New “Analysis Result” content viewer shows the results for a given file and its score.
  • The tabular results viewer shows an icon for the aggregate score of a file.
  • The tree organizes results into "Analysis Results" and "Data Artifacts" instead of simply “Results.”

Discovery UI:

  • Domain categorization and account types are displayed in Domain Discovery results.
  • The Domain Discovery results view more explicitly shows when a downloaded file no longer exists.
  • Check boxes are now used to select search options instead of shift-based multi-select.

Ingest Modules:

  • File metadata updates are batched up before being saved to the case database for better performance.
  • Parsing of iLEAPP and aLEAPP output was expanded to create communication relationships which can be displayed in the Communications UI.
  • EML email parsing handles EML messages that are attachments (and have their own attachments).
  • Domain categorization within Recent Activity can be customized by user-defined rules that can be imported and exported.
  • Account IDs and Installed Applications are added to the Central Repository.
  • Keyword search can be configured to only do OCR and skip non-OCR files.

Miscellaneous:

  • A “Reset Windows” feature was created to help redock windows.
  • A case-insensitive wordlist of all words in the keyword search index can be exported as a text document.
  • Information from the Data Source Summary panels can be exported as an Excel spreadsheet.
  • More artifacts are added to the timeline and artifacts with multiple time-based attributes are mapped to multiple timeline events.
  • Added option to only perform optical character recognition on certain file types.
  • Heap dumps can be saved to a custom location.
  • More detailed error messages are shown when encrypted disks are added.
  • Added file size filter to Ingest Filters.

Performance:

  • Keyword search does not make an explicit commit for each report if ingest is running.
  • Language ID is performed on a small subset of a file instead of the entire file.
  • Recent Activity is more efficient because of TSK changes to file searching (using extension).
  • Embedded file extractor module has been made faster by doing file typing in memory and adding extracted files in batches.
  • Moved Content Viewers setNode() and isSupported()/isPreferred() code to background threads.
  • Moved Data Source Summary Panel population code to background threads.
  • Moved Node/Tree queries to background threads.

Bug Fixes:

  • Fixed embedded file extractor file name escaping bug.
  • VHD files are detected by signature rather than by extension.
  • Fixed iLEAPP path error.
  • Content viewer UIs are more consistent.
  • Assorted bug fixes are included.
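The VHD fix above is the usual "magic bytes, not extension" rule. The snippet below is an added illustration of that rule, not Autopsy or Sleuth Kit code: a VHD image ends with a 512-byte footer whose first eight bytes are the cookie "conectix" (images written before Virtual PC 2004 may use a 511-byte footer), and dynamic and differencing VHDs keep a mirror copy of that footer at offset 0. The sample byte strings are constructed for the example; the function names are my own.

```python
import os

# Added example, not Autopsy/TSK code. Demonstrates signature-based VHD
# detection: check the footer cookie at the tail (512- or 511-byte footer)
# and the mirror copy at the head, and ignore the file extension entirely.
VHD_COOKIE = b"conectix"
FOOTER_LENGTHS = (512, 511)  # 511 only for pre-Virtual PC 2004 images


def has_vhd_signature(data: bytes) -> bool:
    """Return True if `data` (a whole file image) carries a VHD footer cookie."""
    for footer_len in FOOTER_LENGTHS:
        if len(data) >= footer_len and data[len(data) - footer_len:][:8] == VHD_COOKIE:
            return True
    # Dynamic/differencing VHDs also store a copy of the footer at offset 0.
    return data[:8] == VHD_COOKIE


def is_vhd_file(path: str) -> bool:
    """Same check against a file on disk, reading only its head and tail."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        if fh.read(8) == VHD_COOKIE:
            return True
        for footer_len in FOOTER_LENGTHS:
            if size >= footer_len:
                fh.seek(size - footer_len)
                if fh.read(8) == VHD_COOKIE:
                    return True
    return False


def classify(name: str, data: bytes) -> str:
    """Contrast the extension-based guess with the signature-based answer."""
    by_ext = name.lower().endswith(".vhd")
    by_sig = has_vhd_signature(data)
    if by_ext and not by_sig:
        return "extension says VHD, signature does not: treat as unknown"
    if by_sig and not by_ext:
        return "signature says VHD despite extension: treat as VHD"
    return "VHD" if by_sig else "not VHD"


# Constructed samples (not real disk images): 1 KiB of payload plus a
# 512-byte footer, and a PE-looking blob of the same size with no footer.
SAMPLE_VHD = b"\x00" * 1024 + VHD_COOKIE + b"\x00" * (512 - len(VHD_COOKIE))
SAMPLE_NOT_VHD = b"MZ" + b"\x00" * 1534

if __name__ == "__main__":
    print(classify("evidence.bin", SAMPLE_VHD))
    print(classify("image.vhd", SAMPLE_NOT_VHD))
```

Reading only the head and tail keeps the check cheap on multi-gigabyte images, which is why the extension shortcut is never needed in the first place; an image renamed to hide its type, or a non-VHD file renamed to ".vhd", both fall out correctly.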

Auto Ingest:

  • The Auto Ingest Dashboard is resizable.
  • Thread dumps can be obtained from AID.
  • Added beta pause feature that pauses auto ingest for a set amount of time at a scheduled date and time.