
2017 Module Development Contest


Congratulations to the winners of this year’s competition.

We had 15 submissions to this year’s event and the modules were reviewed by a committee and voted on by the OSDFCon Audience. The committee included:

  • Hoyt Harness
  • Terrance Maguire
  • Brian Moran
  • Chris Ray

We had a logistical mistake on the day of the event that prevented the audience from voting on one of the modules and therefore we are listing it as an Honorable Mention. We apologize for this mistake.

Award Winners

Process Extract Volume Shadow (first place)

  • This module parses out the volume shadows of an image and then finds all the differences based on the metadata. Each volume shadow that is found gets its own corresponding directory. The external program uses DFVFS to access the volume shadows. Once the external program has run, each volume shadow is brought into Autopsy as its own logical volume.
  • Author: Mark McKinnon
  • Source Code: https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_Extract_VSS

 

digiSignedOrProtected_PDFs (2nd place tie)

  • The digiSigned|ProtectedPDF module is a Jython-based file ingest module for the Autopsy software. It provides two main services for PDF files:
    • Identifies the PDF files that are digitally signed (digital signature refers to the cryptographically-based signature of documents; it does not refer to having images of physical signatures in a document).
    • Identifies the PDF files which have some kind of user-level protection. Specifically, the module flags as interesting files those PDF files that forbid the “document assembly” and “document modify” operations.
  • Author: Patricio Domingues
  • Source Code: https://github.com/PatricioDomingues/digiSignedOrProtectedPDF
  • Video: https://basistech.wistia.com/medias/x4j8zg48ei

 

FEA – Forensics Enhanced Analysis (2nd place tie)

 

Honorable Mention

NOTE: This module was not voted on because of a mistake at the event.

Face Detection

 

Other Submissions

Plaso

  • This module takes user input from a form. The user enters the directory where Plaso is installed and can save this directory for later use so they do not have to enter it the next time they run Plaso. It allows the user to choose whether to run with Volume Shadows and whether to exclude file sources, since that is redundant data that may already be in Autopsy. It then runs Plaso against the image that the ingest module was run against and imports the data into Autopsy. There is also an option to import a Plaso storage file instead of running it against an image, if the user has already run Plaso against the image.
  • Author: Mark McKinnon
  • Source Code: https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Plaso

 

Volatility and Volatility Dump File

  • The Volatility module allows the user to run Volatility (exe or py file) against one or more memory images. Memory images can be added to Autopsy as logical files. Users can run any plugin that is supported by Volatility. When the plugin runs, it writes the output for the selected plugin(s) to a SQLite database in the Autopsy module output directory; that output is then imported into the extracted content of Autopsy for the user to examine.
  • Author: Mark McKinnon
  • Source Code: https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Volatility

 

Cuckoo

  • This module uploads files with selected tags to the Cuckoo server. Each file is exported to the temp directory, and an external Python program transfers the file to the Cuckoo server using Cuckoo’s REST API. Once the file has been submitted, a message is generated in the Ingest messages with the success or error of the submission. At this point the data for each file resides only on the Cuckoo server.
  • Author: Mark McKinnon
  • Source Code: https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Cuckoo

 

Parse CCM Recently Used Apps

 

MacOSX_Safari

  • This module scans each user of a MacOSX system from OSX 10.9 through 10.12 and pulls all the artifacts that are in Library/Safari. Each artifact (plist or SQLite) is parsed (plists are converted to SQLite with a plist parser) and imported from SQLite into the extracted content. Each user artifact is associated with the user the artifact came from.
  • Author: Mark McKinnon
  • Source Code: https://github.com/markmckinnon/Autopsy-Plugins/tree/master/MacOSX_Safari

 

Windows FileHistory

  • This module exports Windows File History. The Catalog1.edb and Catalog2.edb from each user’s file history are extracted and parsed into a SQLite database, and the data is then imported into the extracted content of Autopsy under the artifact “File History Catalog 1” or “File History Catalog 2”. The data includes the user name so you can identify which file history belongs to which user.
  • Author: Mark McKinnon
  • Source Code: https://github.com/markmckinnon/Autopsy-Plugins/tree/master/FileHistory

MacFSEvents

  • This module exports File System Events from a Mac OS. The .fseventsd directory from a Mac OS X file system is exported, and the program FSEparser_v2.0.exe is called with the exported directory as its argument. The program parses the FSEvents and creates a SQLite database that is imported into the FSEvents artifact in Autopsy.
  • Author: Mark McKinnon
  • Source Code: https://github.com/markmckinnon/Autopsy-Plugins/tree/master/MacFSEvents

 

MacOSX Recent Artifacts

 

Thumbs.db Parser

 

Thumbscache Parser

 

Process Evtx By EventID

 


Content Overview

Basis Technology is again sponsoring an Autopsy Module Development Contest. The goal is to encourage developers to write Autopsy modules instead of stand-alone tools. Now that Autopsy supports Python modules, this is easier than ever.

Writing new functionality as Autopsy modules makes users happy because they don’t have to jump between tools, and it makes developers happy because they get to ignore details about the file system, image formats, and interfaces.

You can write ingest modules that focus on processing all of the drive data, content viewer modules that focus on displaying a single file, report modules that focus on exporting data from the case, or an external module that provides its own UI (similar to the timeline viewer in Autopsy). Attendees of OSDFCon will vote on the winners, who will receive cash prizes.

Prizes

  • First Prize: $1500
  • Second Prize: $500
  • Third Prize: $250

Basis Technology will double the prize amounts if there are over 12 submissions.

Getting Started

If you need an idea, then you can refer to the github issue tracker:

https://github.com/sleuthkit/autopsy/issues?labels=Feature+Request&page=1&state=open

Once you have your idea, you can then start looking at some of our docs. We’d recommend starting with our tutorial series from last year on writing Python modules.

  • The File Ingest Module tutorial outlined how to look for files that had certain characteristics (in the tutorial, we look for big and round files).
  • The Data Source Ingest Module tutorial outlined how to query the database for a given file name and open it in SQLite.
  • The Report Module tutorial outlined how to make a CSV report module.

The general approach to making a Python module is to find the one that is most similar to what you want to build and copy it. All of our sample modules are in the public domain.

You can also refer to the more in-depth Autopsy Developer’s Guide for instructions on writing Java or Python modules.

Guidelines

  1. The Autopsy modules must provide value in a forensics or incident response use case.
  2. The module must be released as open source software by the submission deadline under one of the licenses approved by the Open Source Initiative.
  3. By submitting an entry, you declare that you have the right to license and submit the module.
  4. The contest organizers will test the module before the conference to verify that it basically operates as stated.
  5. You must either give a 5-minute presentation and demo at OSDFCon or submit a 5-minute video. If you cannot attend the conference, the video must be submitted by October 9, 2017.
  6. In order to collect the cash prizes, winners need to provide a legal picture identification and bank account information within 30 days of notification. Bank payment transfer will be made within two weeks after winners are authenticated.
  7. Group entries are allowed; prizes will be paid to the person designated by the group.
  8. Employees of Basis Technology are not eligible.

How To Submit

Submissions should be sent to module-submissions2017@osdfcon.org no later than October 2, 2017. The submission should include the module (.NBM file for Java modules, .ZIP file for Python modules), test data to demo the module, and answers to the following questions:

  • Name of module
  • Names of authors
  • Minimum version of Autopsy required
  • Description of what module does
  • Will the authors attend OSDFCon?
  • URL of where source code can be found
  • License of source code

Note that if you cannot provide test data that is properly sanitized, we will still accept the submission, but we will have to give a disclaimer that it could not be tested.

Contact:

Any Autopsy or development related questions should be sent to: sleuthkit-developers@lists.sourceforge.net or http://forum.sleuthkit.org.

Disclaimer:

Prizes are considered taxable income. Basis Technology must report prizes over $600 to the IRS. If you win the first place prize, you will need to provide Basis Technology with your Tax ID. If you do not feel comfortable doing this, we can donate it to a charity of your choice.