New Autopsy Modules Now Available

markmckinnon
6 min read, Jul 7, 2020

It is starting to get to that time of the year where I get ready to submit modules to the OSDFCon Autopsy Module Competition. So far I have submitted 6 modules this year. The modules have already been added to my Github repository. The modules and their descriptions are below; clicking on a module name should take you to the module in my Github repository so you can download it.

Module: AD1 Extractor

This module will take an AD1 file(s) that has been added to a case as a Logical Files data source and export the files from the AD1 file and add those files back into Autopsy as a data source. Once the files have been added back in you can then run ingest modules against it. The new data source will be named the same as the AD1 file name and will have the directory structure of the AD1 file. The following screenshots show what you will see when you use the ingest module.

AD1 File Added As A Logical Files Data Source.
AD1 Extractor Ingest Module.
AD1 Extracted Files As A New Data Source.
AD1 Extracted Content Information.

Once you add an AD1 file as a Logical Files data source and run the ingest module, the following will have happened. All the files in the AD1 container will be extracted to the module directory of your case folder. The internal file structure of the AD1 container will be preserved. When the files are written to disk the dates/times will be the time that they were exported, not the dates/times from the AD1 container. Once all the files have been extracted to the ModuleOutput directory they will then be added to the Autopsy case as a Logical Files data source with the same name as the AD1 file. Note that the dates/times of all files will be 0000-00-00 00:00:00 in the data source; this is because of the way that they have been added to the case. For this reason, I have also included the date/times, AD1 internal directory path, MD5 and SHA1 hash for each file that has been added to the new AD1 data source. Once all this is done you can then run any ingest module you have installed against the new data source.

Module: Wordlist

The wordlist module will create a list of words based on data in the image. Before you attempt to run Wordlist you will need to run the Keyword Search ingest module. Once that finishes you can then run Wordlist. Wordlist will take all the content that Keyword Search found and create a giant list of words that can be used for password cracking or other things. It will also include a list of files and the extensions of those files. Below is an example of a wordlist from a small simple image.

Wordlist example file.

The file that will be created will be in the Export directory of your case folder. It attempts to get rid of duplicates as it creates the wordlist. Note that this plugin may run for a while on cases with large Keyword Search indexes. As the plugin runs it will write the words to disk so if for any reason it runs into an error like out of memory you will have some keywords in the list up to the point it errored out.
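The incremental write-as-you-go behaviour described above, as an added example that is not the module's own code: the tokenizer and the sample documents standing in for Keyword Search content are constructed here, and every new word is flushed to disk as soon as it is seen so a crash part way through still leaves a usable partial list.

```python
import re
from pathlib import Path

# Tokens of 3+ characters made of letters, digits and common password
# punctuation. This is a constructed tokenizer for the example, not the
# module's own rules.
TOKEN_RE = re.compile(r"[A-Za-z0-9_@#$%!.-]{3,}")


def build_wordlist(documents, out_path):
    """Write one deduplicated word per line to out_path.

    `documents` is an iterable of (file_name, text) pairs standing in for the
    content the Keyword Search index holds. Each new word is written and
    flushed as soon as it is seen, so an out-of-memory error or crash later
    in the run still leaves every word found up to that point on disk.
    Returns the number of unique words written.
    """
    seen = set()
    written = 0
    with open(out_path, "w", encoding="utf-8") as out:
        for file_name, text in documents:
            base = Path(file_name)
            # file names, their stems and their extensions go in the list too
            candidates = [base.name, base.stem, base.suffix.lstrip(".")]
            candidates.extend(TOKEN_RE.findall(text))
            for word in candidates:
                if not word or word in seen:
                    continue
                seen.add(word)
                out.write(word + "\n")
                out.flush()  # survive a later crash with the list so far
                written += 1
    return written


def read_wordlist(path):
    """Read a wordlist written by build_wordlist back into a list."""
    return Path(path).read_text(encoding="utf-8").splitlines()
```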

Module: Google Takeout

This module will take a Google Takeout archive(s) that has been added as a Logical File(s) Data Source, uncompress it and add the data back as a new Logical File(s) Data Source named Google Takeout. It will process both zip and tgz files, so it does not matter what you select for your Google Takeout compression method. Once you add all the files for your Google Takeout as a Logical File Data Source you should see something like this. Note that there was a stray uncompressed file that was part of the Google Takeout; as long as it is part of the Logical File set it will be copied over.

Google Takeout Logical Files.
Google Takeout Ingest Module.
Google Takeout After Ingest Module Completed.

As you can see from above, all the files that were part of the Google Takeout have been uncompressed into their respective directories and added as a Logical File Data Source. When each file is uncompressed it stores the files and directories in the ModuleOutput directory of the case folder in a directory named GoogleTakeout/Takeout. Any non-compressed files will be copied to the root directory of the GoogleTakeout/Takeout folder. Once the ingest module has completed you can then run any ingest modules against them. Note that the mbox file from above was never compressed but was just copied over. Since there is no way to programmatically know where such a file may need to go, it is put in the root directory of the Takeout folder; this will happen with any non-compressed files included in the Google Takeout.
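The unpacking layout described above (zip and tgz parts expanded, anything else copied to the root of GoogleTakeout/Takeout), as an added example that is not the module's own code. It adds the check a practitioner would want when expanding an archive into a case folder: members whose names are absolute or contain ".." are rejected so a crafted archive cannot write outside the output directory. The input files in the test are constructed.

```python
import shutil
import tarfile
import zipfile
from pathlib import Path


def _safe_dest(root, member_name):
    """Resolve member_name under root; refuse absolute or '..' paths that escape it."""
    root = root.resolve()
    dest = (root / member_name).resolve()
    if dest != root and root not in dest.parents:
        raise ValueError("archive member escapes output directory: %r" % member_name)
    return dest


def _write(dest, fin, takeout, written):
    # Create intermediate directories, copy the stream, record the relative path.
    dest.parent.mkdir(parents=True, exist_ok=True)
    with open(dest, "wb") as fout:
        shutil.copyfileobj(fin, fout)
    written.append(dest.relative_to(takeout).as_posix())


def extract_takeout(sources, module_output):
    """Unpack every Takeout part into <module_output>/GoogleTakeout/Takeout.
    zip and tgz parts are expanded; any other file (the stray mbox in the post)
    is copied unchanged to the root of the Takeout folder.
    Returns the sorted list of files written, relative to that folder."""
    takeout = Path(module_output) / "GoogleTakeout" / "Takeout"
    takeout.mkdir(parents=True, exist_ok=True)
    written = []
    for src in map(Path, sources):
        if zipfile.is_zipfile(str(src)):
            with zipfile.ZipFile(str(src)) as zf:
                for info in zf.infolist():
                    dest = _safe_dest(takeout, info.filename)
                    with zf.open(info) as fin:
                        _write(dest, fin, takeout, written)
        elif tarfile.is_tarfile(str(src)):
            with tarfile.open(str(src), "r:*") as tf:
                for member in tf.getmembers():
                    dest = _safe_dest(takeout, member.name)
                    if member.isdir():
                        dest.mkdir(parents=True, exist_ok=True)
                    elif member.isfile():  # links and devices are skipped
                        with tf.extractfile(member) as fin:
                            _write(dest, fin, takeout, written)
        else:  # not an archive: copy it to the root of the Takeout folder
            with open(src, "rb") as fin:
                _write(takeout / src.name, fin, takeout, written)
    return sorted(written)
```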

Module: iOS_Sysdiagnose

This module idea came after sitting through the presentation Using Apple “Bug Reporting” For Forensics Purposes at OSDFCon 2019. You can get a copy of the presentation here. Once you view the presentation and figure out how to get the sysdiagnose information, you will need to add the data as a Logical File Data Source. You can then run the ingest module against it and view the extracted content.

iOS Sysdiagnose Ingest Module.
iOS Sysdiagnose After Ingest Module Completion.

Module: Ring Central Meeting Chats

This module will process the Ring Central meeting chat logs that are available when the Ring Central application has been installed on a PC. It will show you the meeting date and time, the meeting id, the time the chat was sent, who the message was from, the content of the message and who it may have been to. Below are screenshots of the ingest module and extracted content.

Ring Central Meeting Chats Ingest Module.
Ring Central Meeting Chats Extracted Content.

Module: Mass Export By File Extension

Last but not least is the mass export by file extension. This module will export all files whose extensions have been entered in the ingest module's options panel. The extension field in the options panel is a comma-separated list of the file extensions you want to be exported.

Mass Export of Files By File Extension Ingest Module.

As it processes each file extension it will create a new directory, named after the extension being exported, in the Export directory of the case folder. Each file that is to be exported will have its file id prepended to the file name, so it will avoid overwriting duplicates and allow you to find that file easily in the case if you need to.

This concludes the newest modules that were created for the OSDFCon Autopsy Module competition. Hopefully, one (1) or two (2) of the modules will be of use to you. As always if there are any comments, questions, modules you would like created or issues please let me know. You can comment here or go to my Github repository and open an issue.
