With the introduction of cLeapp (Chrome Logs, Events and Protobuf Parser), I have created an Autopsy plugin that will run cLeapp against a ChromeOS extraction and pull the information into Autopsy. To find out more about cLeapp, head over to Alexis Brignoni's Initialization Vectors blog. To download the new plugin to install, head over to https://github.com/markmckinnon/Autopsy-NBM-Plugins

To add this plugin, download the NetBeans Module from here and install it. If you need help installing a NetBeans Autopsy Module, then go here for instructions. …

It is starting to get to that time of the year where I get ready to submit modules to the OSDFCon Autopsy Module Competition. So far I have submitted 6 modules this year. The modules have already been added to my GitHub repository. Below are the modules and descriptions of them; if you click on the module names it should take you to my GitHub repository where the module is so you can download it.

Module: AD1 Extractor

This module will take an AD1 file(s) that has been added to a case as a Logical Files data source and export…

I have updated my plugins and created a new release of them in my GitHub repository. You can download the new release here.

What's new in this release? I have added the following new plugins:

Create Datasource Hashset
Process Activities Cache
Process Teracopy
Remove Artifacts
Timesketch

What's fixed in this release? I have fixed the following error so it will no longer appear.

Error When Running Ingest

Along with this fix, your options will now be remembered for the next time that you run one of my plugins. …

When I started down my path of creating Autopsy plugins one of the biggest issues I had was in testing them. I would create a case, backup the autopsy.db file and then test my plugin. If I was good enough to code it perfectly I would only have to test it once, but sorry to say that is not the case. I would then have to close the case, copy the autopsy.db file back and then reopen the case and start to test again. Now this really does not take much time to do but when you do it often…

The ActivitiesCache.db was introduced in Windows 10 version 1803. You can read more details about the database here and here. Eric Zimmerman has also introduced a standalone tool to parse this database, and you can read about that here. Now Autopsy has the ability to parse this database for each user and display the information contained in it.

The plugin searches for each user, exports their ActivitiesCache.db along with the associated WAL file, and then pulls the contents out and displays them in Autopsy. …

Autopsy and Timesketch

Renzik now has a new friend in Timesketch. If you have ever wanted to add Timesketch to your Autopsy workflow you now can. The new Timesketch Autopsy plugin will pull all date related events from files or artifacts and create a json_line file and upload it to Timesketch. The plugin GUI option panel takes the following options for it to run.

IP address and port of the Timesketch server. These options can be saved for subsequent runs so you do not have to put them in every time. Timesketch user name and password are the next required options. I did…

As I was going through the list of Autopsy requests I found one that talked about hashing disk images. Now there is an ingest module to validate EWF files, but not one to do RAW (single or split), VMDK or VHD files. Well, the wait is over; let me introduce you to the Hash Images plugin.

Hash Images plugin User Interface.

The hash image plugin takes one (1) of three (3) possible arguments. You can either provide the MD5 or SHA1 hash value for the image or you can use the FTK Imager log file if the image was created with FTK Imager. To use…

I have released some new modules to my GitHub repository. I will be planning on creating writeups for each one of them within the next week. The modules that have been added are:

Parse Windows Facebook chats. This will parse the Windows App store Facebook Messenger database. Here is the link for the code:

Parse Windows Mail. This will parse Windows Mail and provide contacts and snippets of emails. Here is the link for the code:

Spotlight Parser. This will parse the macOS Spotlight database. Here is the link for the code:

Hash Images. This will hash non E01 images…

Have you recently looked at Settings → Apps → Apps and Features and then compared it to Programs and Features found in the Control Panel? If you have, you may have noticed there are more programs that are listed in one but not the other.

Settings → Apps → Apps and Features screen shot from my PC.

Based on feedback from the survey that I posted asking about people's module needs (that survey can be found here), I wanted to share one of the requested modules that I have created. This module will create a VHD file, format the VHD and then mount it to an available drive letter using Diskpart. The module will then read a SQLite database of file extensions to extract from the data source where the ingest module was run. It will then write out the files matching the file extensions to the mounted VHD file. Once all the files have been extracted…

markmckinnon
