© 2013, Basis Technology 1
Autopsy 3.0
Extensible Desktop Digital Forensics
It’s not your father’s open source software
Brian Carrier
VP of Digital Forensics
Basis Technology

Slide 2: Quick Intro To Basis Technology
• Software and services technology company
• Roughly 80 people
• Offices in Cambridge, DC, Tokyo, and London
• Two technology areas:
  – Text Analytics
  – Digital Forensics

Slide 3: Digital Forensics at Basis
• Conduct investigations
• Research and development
• Custom software development
• Open Source Software
  – Autopsy module development
  – Commercial support
  – Training

Slide 4: Open Source Software
• What comes to your mind first?

Slide 5: Open Source Software
• What comes to your mind first?
• Autopsy 3 is different

Slide 6: Context: What Is The Sleuth Kit?
• Open source software that allows you to forensically analyze disk images and local drives

Slide 7: TSK Command Line Tools
• Original method for using TSK
• Over 25 different tools (!)
• mmls example:
    # mmls tsk1.img
         Slot    Start    End      Length   Description
    00:  -----   0000000  0000000  0000001  Primary Table
    01:  -----   0000001  0000062  0000062  Unallocated
    02:  00:00   0000063  0032129  0032067  NTFS (0x07)
    03:  00:01   0032130  0064259  0032130  DOS FAT16 (0x06)
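An mmls listing becomes actionable once its sector numbers are turned into byte offsets and the table is checked for consistency, which is what the following added example does; it is not part of The Sleuth Kit or of this deck. It re-types the slide's listing as a constructed sample and assumes mmls's default unit of 512-byte sectors, so SECTOR_SIZE must be changed for an image with a different logical sector size.

```python
# Parse a TSK mmls partition listing into byte ranges an examiner can act on.
# Added example, not Sleuth Kit or Autopsy code. MMLS_OUTPUT is the slide's
# listing re-typed as a constructed sample; the sector size is an assumption.
from __future__ import annotations

import re
from dataclasses import dataclass

SECTOR_SIZE = 512  # assumption: mmls's default unit; must match the image's logical sector size

# Constructed sample: the mmls listing shown on the slide.
MMLS_OUTPUT = """\
# mmls tsk1.img
     Slot    Start    End      Length   Description
00:  -----   0000000  0000000  0000001  Primary Table
01:  -----   0000001  0000062  0000062  Unallocated
02:  00:00   0000063  0032129  0032067  NTFS (0x07)
03:  00:01   0032130  0064259  0032130  DOS FAT16 (0x06)
"""

# One table row: index, slot, three zero-padded sector numbers, free-text description.
ROW_RE = re.compile(
    r"^(?P<idx>\d+):\s+(?P<slot>\S+)\s+(?P<start>\d+)\s+(?P<end>\d+)"
    r"\s+(?P<length>\d+)\s+(?P<desc>.+?)\s*$"
)


@dataclass(frozen=True)
class Partition:
    index: int
    slot: str          # "-----" for meta/unallocated rows, "NN:NN" for a real table slot
    start: int         # first sector
    end: int           # last sector, inclusive
    length: int        # sector count
    description: str

    @property
    def is_allocated(self) -> bool:
        # Rows without a table slot are the partition table itself or unallocated space.
        return self.slot != "-----"

    @property
    def byte_offset(self) -> int:
        return self.start * SECTOR_SIZE

    @property
    def byte_length(self) -> int:
        return self.length * SECTOR_SIZE


def parse_mmls(text: str) -> list[Partition]:
    """Return the table rows of an mmls listing, skipping the prompt and header lines."""
    parts: list[Partition] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        p = Partition(int(m["idx"]), m["slot"], int(m["start"]), int(m["end"]),
                      int(m["length"]), m["desc"])
        # End is inclusive, so Length must equal End - Start + 1; anything else means the
        # listing was mangled (a wrapped line, a copy/paste slip) and must not be trusted.
        if p.length != p.end - p.start + 1:
            raise ValueError(f"inconsistent row {p.index}: {line!r}")
        parts.append(p)
    return parts


def find_gaps(parts: list[Partition]) -> list[tuple[int, int]]:
    """Return sector ranges (first, last) no row accounts for; mmls normally lists these
    as Unallocated, so a gap means rows were lost. Overlaps raise: the table is corrupt."""
    gaps: list[tuple[int, int]] = []
    expected = 0
    for p in sorted(parts, key=lambda p: p.start):
        if p.start < expected:
            raise ValueError(f"rows overlap at sector {p.start}")
        if p.start > expected:
            gaps.append((expected, p.start - 1))
        expected = p.end + 1
    return gaps


def volume_report(parts: list[Partition]) -> list[dict]:
    """Byte offsets and sizes of the allocated volumes, for tools that take a byte offset."""
    return [{"description": p.description, "offset": p.byte_offset, "size": p.byte_length}
            for p in parts if p.is_allocated]


if __name__ == "__main__":
    table = parse_mmls(MMLS_OUTPUT)
    for vol in volume_report(table):
        print(f"{vol['description']:<18} @ byte {vol['offset']:>12,}  size {vol['size']:>12,}")
    image_bytes = (max(p.end for p in table) + 1) * SECTOR_SIZE
    print("gaps:", find_gaps(table) or "none", "| image is at least", image_bytes, "bytes")
```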

Slide 8: TSK Library Interface
• Software libraries allow functionality to be embedded in a bigger program.
• Many commercial, open source, and gov't systems use TSK as a library.
• Looks like:
    const TSK_TCHAR *paths[] = { _TSK_T("C:\\imgs\\image1.E01") };
    TSK_IMG_INFO *img = tsk_img_open(1, paths, TSK_IMG_TYPE_DETECT, 512);

Slide 9: TSK Framework
Talk to me after if you are building a system that needs this.

Slide 10: TSK Take Away
• Powerful volume and file system analysis tools.
• Extensible framework.
• Not user friendly for the 99%.

Slide 11: Autopsy
• Graphical digital forensics interface.
• Brief History:
  – 2001: First Open Source Release
    • Interface to The Sleuth Kit
    • Linux and OS X only
  – 2010: Started v3 from scratch as a platform
    • Based on OSDFCon discussions
    • Windows-based & automated
    • Some US Army funding (with 42Six Solutions)
• 3.0.0 released in September, 2012.

Slide 12: Autopsy 3 Key Points
• Extensible
  – Several frameworks and plug-in modules
• Easy to use
  – Simple UI concepts
  – More details during the demo
• Fast results
  – Provided as soon as they are found
• Cost Effective
  – Free

Slide 13: Autopsy 3 Main Screen

Slide 14: Autopsy Ingest Modules
[Pipeline diagram; boxes as labelled: MD5/SHA1 Hash Calculation, Hash Lookup, Add Text to Keyword Index, ..., Web Browser Analysis, E01 File, MBOX, Thunderbird, EXIF Extraction, Registry Analysis]
Run automatically as media is added to Case.
• Remembers what you ran last time.
• Anyone can write new modules.
• Can tweak knobs based on investigation type and available time.

Slide 15: Standard Ingest Modules
• Hash Lookup:
  – NSRL, EnCase, Hashkeeper support
• Keyword Search:
  – Lucene SOLR index
  – Extract text (better for HTML and PDF)
  – Import / export lists
  – Regular expressions
  – Can support more advanced text analytics
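The Hash Calculation and Hash Lookup modules from the ingest pipeline on slide 14, with the NSRL support listed here, as an added stand-alone sketch in Python rather than Autopsy's Java module API; it is not Autopsy code. The known-good set follows the column order of the NSRL RDS NSRLFile.txt as I know it, the notable set is a plain md5sum-style list, and every hash-set row and sample file is constructed.

```python
# Hash Calculation -> Hash Lookup, the first two ingest modules of the slide 14
# pipeline, as a stand-alone sketch. Added example: not Autopsy code and not its
# module API. Hash-set rows and sample files below are constructed.
from __future__ import annotations

import csv
import hashlib
import io
from dataclasses import dataclass
from typing import Iterator

CHUNK = 1 << 20  # hash in 1 MiB chunks so large files never have to fit in memory

# Constructed known-good set in NSRL RDS column order. Real RDS files carry
# upper-case hex, so the loader must normalise case or every lookup silently misses.
NSRL_SAMPLE = """\
"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"
"A9993E364706816ABA3E25717850C26C9CD0D89D","900150983CD24FB0D6963F7D28E17F72","352441C2","abc.txt","3","1","358",""
"""

# Constructed notable set: one MD5 per line, md5sum style (hash, whitespace, name).
NOTABLE_SAMPLE = """\
9e107d9d372bb6826bd81d3542a419d6  suspicious_note.txt
"""

# Constructed stand-ins for the files Autopsy hands to a file ingest module.
SAMPLE_FILES = {
    "C:/Windows/abc.txt": b"abc",                                            # in NSRL
    "C:/Users/x/note.txt": b"The quick brown fox jumps over the lazy dog",  # notable
    "C:/Users/x/other.bin": b"\x00\x01\x02unknown content",                  # neither
}


@dataclass(frozen=True)
class HashResult:
    path: str
    md5: str
    sha1: str
    verdict: str  # "notable", "known" or "unknown"


def load_nsrl(text: str) -> set[str]:
    """Load the SHA-1 and MD5 columns of an NSRL RDS export into one lower-case set."""
    rows = csv.DictReader(io.StringIO(text))
    return {row[col].strip().lower() for row in rows for col in ("SHA-1", "MD5")}


def load_hash_list(text: str) -> set[str]:
    """Load a plain hash list: the first token of each non-comment line is the hash."""
    hashes: set[str] = set()
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            hashes.add(line.split()[0].lower())
    return hashes


def hash_calculation(data: bytes) -> tuple[str, str]:
    """One pass over the content feeding both digests (the MD5/SHA1 Hash Calculation box)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    stream = io.BytesIO(data)
    while chunk := stream.read(CHUNK):
        md5.update(chunk)
        sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def hash_lookup(md5: str, sha1: str, known: set[str], notable: set[str]) -> str:
    """Notable is checked first so a known-good listing can never mask a notable hit."""
    if md5 in notable or sha1 in notable:
        return "notable"
    if sha1 in known or md5 in known:
        return "known"
    return "unknown"


def ingest(files: dict[str, bytes], known: set[str], notable: set[str]) -> Iterator[HashResult]:
    """Yield each verdict as soon as its file is processed, the way Autopsy posts
    results while ingest is still running instead of at the end."""
    for path, data in files.items():
        md5, sha1 = hash_calculation(data)
        yield HashResult(path, md5, sha1, hash_lookup(md5, sha1, known, notable))


if __name__ == "__main__":
    known, notable = load_nsrl(NSRL_SAMPLE), load_hash_list(NOTABLE_SAMPLE)
    for r in ingest(SAMPLE_FILES, known, notable):
        print(f"{r.verdict:<8} {r.path}  md5={r.md5}")
```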

Slide 16: Standard Ingest Modules
• Recent Activity Module:
  – Browser artifacts:
    • History, cookies, downloads, bookmarks
    • Firefox, Chrome, Safari, IE
  – Recent user documents
  – Recent devices
  – Runs RegRipper behind the scenes
• EXIF from JPEGs
• MBOX email
• ZIP Archive

Slide 17: Future Ingest Module Ideas
• More file formats / P2P logs
• Anti-virus / Malware
• Volume shadow / file system journals
• Cryptography and steganography detection
• Text analytics (language detection)
• Object identification in pictures
• Skin tone detection

Slide 18: Content Viewer Modules
• Display a file in a given way.
• Text: Hex and Strings
• Media: Pictures and video

Slide 19: Content Viewer: Video Triage

Slide 20: Content Viewer: Text Gisting
• Not part of open source package
• Name finder and translator
  – Uses Basis Technology text analytics

Slide 21: External Viewer Module: Timeline

Slide 22: Demo

Slide 23: Takeaway
• Easy to install and use
  – Less training and confusion.
• Extensible and open
  – Can be adapted to your needs
  – Updated by community
• Low cost
• No cost

Slide 24: Open Source Conference
• 4th Annual Open Source Forensics Conference
  – Free for government employees!
  – http://www.osdfcon.org/
  – Nov 4 and 5 in Northern VA.

Slide 25: Module Writing Competition
• Cash prizes for best new module.
  – $1500 for first prize
• Voting by attendees at OSDFCon.
• Any module type is eligible.
• See issue tracker for ideas.
• Submission details: http://www.basistech.com/about-us/events/open-source-forensics-conference/contest/

Slide 26: Autopsy Training
• 2 Day Autopsy training courses:
  – November 6 & 7 in DC (after OSDFCon)
• ½ Day Developer Training at OSDFCon

Slide 27: What You Can Do
• Users:
  – Use it and spread the word
  – Provide feedback on features
  – Help with documentation and support
• Developers: Write modules instead of stand-alone apps. Contact us with feature changes.
• We’re looking for law enforcement users.

Slide 28: Conclusion
• Download from:
  – http://www.sleuthkit.org/autopsy/
• Questions: brianc@basistech.com
• We’re hiring engineers…
• We have stickers

Slide 29: Demo Highlights (In Case Demo Fails)

Slide 30: Easy To Use

Slide 31: Splash Screen
• User is always guided to next step in process

Slide 32: Add Image Wizard
• Detects image format
• Detects volume and file systems

Slide 33: Ingest Manager in Wizard
• Uses previous settings for modules.

Slide 34: Intuitive Interface
• All results on left, history buttons, keyword search box

Slide 35: Single Place for All Results

Slide 36: View By File Type

Slide 37: View Final Days of Activity

Slide 38: Right Click Actions
• View directories of keyword and hash hits
• Tag and bookmark files
• Extract files or launch external viewers

Slide 39: Ingest Inbox
• Shows users what has been found in background tasks

Slide 40: HTML Report
• Report modules can be customized

Slide 41: Contact Info
Brian Carrier
Basis Technology
brianc@basistech.com
