Creating A Data Preview Container in Autopsy.

markmckinnon
4 min read · Nov 12, 2017

Based on feedback from the survey I posted asking about people’s module needs (that survey can be found here), I wanted to share one of the requested modules that I have created. This module creates a VHD file, formats it and mounts it to an available drive letter using Diskpart. The module then reads a SQLite database of file extensions to extract from the data source the ingest module was run against, and writes every file matching one of those extensions out to the mounted VHD. Once all the files have been extracted it unmounts the VHD file. That is an overview of what it does.

Now let’s get into the details. There are two (2) caveats to this module. The first is that Autopsy will need to be run with administrator privileges, since Diskpart requires elevation to create, format, mount and unmount the VHD file; keep in mind that every other ingest module in that session then runs elevated as well. The second caveat is that you will need enough free disk space to create and write to the VHD. Note also that the exported files land on a mounted volume as ordinary, live files, so endpoint protection on the examiner workstation may scan or quarantine anything it considers malicious. Below is what the ingest panel looks like:

Create Preview Data Container Ingest Panel

Once you select and run the “Create Preview Data Container” module it does the following. It creates two (2) Diskpart scripts in the Autopsy Temp directory: one to create, format and mount the VHD file, and one to unmount it. The VHD file that is created is an expanding (dynamically sized) VHD whose maximum size equals the size of the data source you are running the ingest against.

Once the VHD file has been created, formatted and mounted, the plugin creates a directory on it named after the data source it is being run against. Next it reads from a SQLite database named File_Extensions.db3, which can be found in the plugin module directory. The database has one (1) table in it called File_Extensions_To_Export. The table contains two (2) columns, Output_Directory and File_Extension. Output_Directory is the category of the file extension you want to export; this category is also used as part of the directory path, as you will see later. File_Extension is the file extension you want to search for on the data source and write out to the VHD file.

As the program reads the records from the database it creates the Output_Directory under the data source directory; if it already exists it is reused rather than recreated. Next the file extension is searched for on the data source and the matching files are written to the Output_Directory. Each file is written with the name <inode number>-<file name>, so that two files with the same name but different inodes do not overwrite each other. For each file extension a record is written to a CSV file named “File_Extensions_Written_Log_<data source>” that tells you how many files were exported for that extension.

Once every file extension has been searched for and its matching files written, the module unmounts the VHD file. You can find the VHD file in the Autopsy ModuleOutput directory, in the “Preview_VHD” directory, named <case number>_preview.vhd. You can then copy this file somewhere else and mount it, or copy it and create another case from it for someone else to view the data. How you want to use it is up to you. Below are screenshots:

VHD File in the Autopsy ModuleOutput Directory
Root Directory Of The VHD File
The Directory Structure Of The Exported Data
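The pipeline described above, reproduced as an added example in plain CPython. This is not the module’s own Jython code: the Autopsy/Sleuth Kit data source is stood in for by a constructed list of (inode, name, content) tuples, the attached VHD by a temporary directory, the drive letter (V) and the log’s location (the root of the mounted volume) are assumptions, and the Diskpart commands are standard diskpart syntax that would need to be run with `diskpart /s <script>` from an elevated prompt on Windows. It also sanitises the evidence file name before using it in a path, which the post does not mention but which matters because file names on a data source are untrusted input.

```python
"""Added example (not the module's code): Diskpart scripts, the
File_Extensions.db3 schema, the <inode>-<name> export layout and the
per-extension CSV log, driven on constructed in-memory data."""
import csv
import os
import sqlite3
import tempfile
from collections import OrderedDict

TABLE = "File_Extensions_To_Export"


def write_diskpart_scripts(temp_dir, vhd_path, max_mb, letter):
    """Write the two Diskpart scripts: create/format/attach and detach.
    Run each with `diskpart /s <script>` from an elevated prompt; diskpart
    refuses to run without administrator rights. 'letter' is assumed free."""
    create = os.path.join(temp_dir, "create_vhd.txt")
    detach = os.path.join(temp_dir, "detach_vhd.txt")
    with open(create, "w") as f:
        f.write(
            'create vdisk file="{p}" maximum={m} type=expandable\n'
            'select vdisk file="{p}"\n'
            'attach vdisk\n'
            'create partition primary\n'
            'format fs=ntfs quick label="PREVIEW"\n'
            'assign letter={l}\n'
            'exit\n'.format(p=vhd_path, m=max_mb, l=letter))
    with open(detach, "w") as f:
        f.write('select vdisk file="{p}"\ndetach vdisk\nexit\n'.format(p=vhd_path))
    return create, detach


def build_extension_db(db_path, rows):
    """Create File_Extensions.db3 with its single two-column table."""
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE IF NOT EXISTS %s "
                "(Output_Directory TEXT NOT NULL, File_Extension TEXT NOT NULL)" % TABLE)
    con.executemany("INSERT INTO %s VALUES (?, ?)" % TABLE, rows)
    con.commit()
    con.close()


def load_extension_rules(db_path):
    con = sqlite3.connect(db_path)
    rules = con.execute("SELECT Output_Directory, File_Extension FROM %s" % TABLE).fetchall()
    con.close()
    return rules


def safe_name(name):
    """Keep only characters that cannot escape the target directory; the
    name comes from the evidence and must not be trusted to form a path."""
    return "".join(c if c.isalnum() or c in "._- " else "_" for c in os.path.basename(name))


def export_files(mount_root, data_source, files, rules):
    """files: iterable of (inode, name, content) standing in for the data source.
    Writes <mount>/<data source>/<Output_Directory>/<inode>-<name> and returns
    (per-extension counts, relative paths written, CSV log path)."""
    ds_dir = os.path.join(mount_root, data_source)
    os.makedirs(ds_dir, exist_ok=True)
    counts, written = OrderedDict(), []
    for out_dir, ext in rules:
        ext = ext.lower().lstrip(".")               # accept "jpg" or ".jpg" in the table
        target = os.path.join(ds_dir, out_dir)
        os.makedirs(target, exist_ok=True)          # reuse if an earlier rule created it
        counts.setdefault(ext, 0)
        for inode, name, content in files:
            if not name.lower().endswith("." + ext):
                continue
            fname = "%d-%s" % (inode, safe_name(name))   # inode keeps duplicate names apart
            with open(os.path.join(target, fname), "wb") as f:
                f.write(content)
            written.append("/".join([data_source, out_dir, fname]))
            counts[ext] += 1
    # Log location is an assumption: the post names the file but not its directory.
    log_path = os.path.join(mount_root, "File_Extensions_Written_Log_%s.csv" % data_source)
    with open(log_path, "w", newline="") as f:
        w = csv.writer(f)
        w.writerow(["File_Extension", "Files_Written"])
        w.writerows(counts.items())
    return counts, sorted(written), log_path


def run_demo():
    """Drive the pipeline end to end on constructed data and return the results."""
    work = tempfile.mkdtemp(prefix="preview_")
    mount = os.path.join(work, "mount")             # stands in for the attached VHD
    os.makedirs(mount)
    scripts = write_diskpart_scripts(work, os.path.join(work, "case42_preview.vhd"), 2048, "V")
    db = os.path.join(work, "File_Extensions.db3")
    build_extension_db(db, [("Pictures", "jpg"), ("Documents", "docx"), ("Documents", "pdf")])
    files = [  # constructed sample "data source" contents
        (12, "photo.jpg", b"\xff\xd8\xff\xe0"),
        (57, "photo.jpg", b"\xff\xd8\xff\xe1"),     # same name, different inode
        (88, "report.docx", b"PK\x03\x04"),
        (91, "notes.txt", b"nothing to export"),
    ]
    counts, written, log = export_files(mount, "DS1", files, load_extension_rules(db))
    with open(scripts[0]) as f:
        create_script = f.read()
    return dict(counts), written, create_script, os.path.exists(log)


if __name__ == "__main__":
    print(run_demo())
```

The two `photo.jpg` entries show why the inode prefix is there: without it the second write would silently replace the first. The `pdf` rule with zero matches still produces a log row and an (empty) directory, which is what lets the CSV double as a quick check that a rule ran at all.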

Now I have populated the SQLite database with several output directories and file extensions; if you would like to change it or add your own, all you have to do is delete or insert records and make it your own. Now you might be thinking that you would like to also be able to extract tagged items, and I thought about this as well, but the request was for specific files so I opted to use the database for some flexibility. This does not mean that tagged items will be left out, you just have to request it.

Once again, this module was a request from my plugin survey (that survey can be found here); if you have a burning desire for a module or report then head over to the survey and fill it out.

The module can be found here. As always questions/comments are welcomed and encouraged. Enjoy!
