
2018 Module Development Contest


Congratulations to the winners of this year’s competition.

We had 12 submissions to this year’s event and the modules were reviewed by a committee and voted on by the OSDFCon Audience. The committee included:

  • Hoyt Harness
  • Terrance Maguire
  • Brian Moran
  • Chris Ray

Award Winners

First Place: Amcache Scan

  • Summary: This Python Autopsy module exports the Amcache Registry hive, parses eight keys and writes the results to a SQLite database. The eight Registry keys are as follows:

– Amcache.hve\Root\File\*?\*?
– Amcache.hve\Root\Programs\*?
– Amcache.hve\Root\InventoryApplicationFile\*?
– Amcache.hve\Root\InventoryDeviceContainer\*?
– Amcache.hve\Root\InventoryDevicePnp\*?
– Amcache.hve\Root\InventoryDriverBinary\*?
– Amcache.hve\Root\InventoryDriverPackage\*?
– Amcache.hve\Root\InventoryApplicationShortcut\*?

After the keys are parsed, the SHA1 hashes in the Amcache.hve\Root\File\*?\*? and Amcache.hve\Root\InventoryApplicationFile\*? keys are compared against VirusTotal. The VirusTotal results appear in Autopsy in real time.

Second Place: FDRI—Facial Detection and Recognition in Images

  • Summary: FDRI is an image analysis module that focuses on (i) finding human faces in images/photos (face detection) and (ii) finding images that contain a specific person (face recognition). It relies on deep learning for both face detection and face recognition.
  • Author: Alexandre Frazão, Patrício Domingues
  • Source Code: https://github.com/FDRI/FDRI-Autopsy

Third Place: Log Forensics for Autopsy

  • Summary: Log Forensics for Autopsy is a two-part Jython module for Autopsy: a file ingest module and a report module. The file ingest module tags certain Windows-specific log files, such as .wer, .etl, .evtx, .dmp, .log and specific .xml files, and extracts information from the .wer, .log and .xml files: Windows Error Reporting events, startup processes, and RegEx pattern matches from .log files (IP addresses by default).
  • Author: Luís Andrade, João Silva, Patrício Domingues, Miguel Frade
  • Video: https://youtu.be/NabPALrcWYM
  • Source Code: https://github.com/L-Andrade/LFA

Other Submissions

Process APPX Programs

Process Facebook Chats

  • Summary: This module parses the Windows Store Facebook Messenger database. It adds the chat participants and messages to the communications database so you can view them in the Communications Manager. It has only been tested against the Windows version; whether it works with the mobile Facebook Messenger database has not been tested.
  • Author: Mark McKinnon
  • Source Code: https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_Facebook_Chats

Process Windows Mail

Spotlight Parser

Create Preview Data Container

  • Summary: This module creates a dynamically expanding VHD file the same size as the disk image, copies files into the VHD and closes the VHD when complete. The VHD can then be brought back into Autopsy and reviewed. The list of files to export is stored in a SQLite database named file_extensions.db3, which can be modified to export whatever the user wants. Autopsy must be run as an administrator to use this plugin.
  • Author: Mark McKinnon
  • Source Code: https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Create_Preview_Data_Container

Hash Images

  • Summary: This module hashes non-E01 images (raw single and split, VMDK and VHD). The plugin has a UI panel where you can enter an MD5 or SHA1 hash, or provide the FTK Imager log file for the image, and it compares that value to the MD5/SHA1 hash it computes over the image. It creates a message stating whether the hash verification of the image(s) succeeded or failed.
  • Author: Mark McKinnon
  • Source Code: https://github.com/markmckinnon/Autopsy-Plugins/tree/master/hash_images
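The verification the Hash Images module performs, as an added example rather than the plugin's own code: a raw image (single file or ordered split segments) is hashed as one stream and compared with an examiner-supplied MD5/SHA1 or with values pulled from an FTK Imager log. The `MD5 checksum:` / `SHA1 checksum:` line format assumed for the log and the sample segment contents are constructed for this example.

```python
import hashlib
import os
import re
import tempfile

def hash_image_segments(paths, chunk_size=1024 * 1024):
    """Hash a raw image as one byte stream. A single-file image is a one-element
    list; split images (.001, .002, ...) are sorted so segments are read in order."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for path in sorted(paths):
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(chunk_size), b""):
                md5.update(block)
                sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def expected_hashes_from_ftk_log(text):
    """Pull MD5/SHA1 values out of an FTK Imager text log. Assumption: the log's
    verification section carries 'MD5 checksum: <hex>' / 'SHA1 checksum: <hex>'."""
    found = {}
    for algo, width in (("md5", 32), ("sha1", 40)):
        m = re.search(r"%s checksum:\s*([0-9a-f]{%d})" % (algo, width), text, re.I)
        if m:
            found[algo] = m.group(1).lower()
    return found

def verify_image(paths, expected):
    """Compare computed hashes with the examiner-supplied ones (MD5, SHA1 or both).
    Returns {algo: True/False}; any False means the image does not match."""
    computed = hash_image_segments(paths)
    return {algo: computed[algo] == value.strip().lower() for algo, value in expected.items()}

def run_demo(tamper=False):
    """Constructed sample: a two-segment split raw image whose content is b'abc',
    verified against an FTK-style log carrying the well-known hashes of 'abc'.
    With tamper=True one byte is appended to the last segment after 'acquisition'."""
    log = ("Image Verification Results:\n"
           " MD5 checksum:  900150983cd24fb0d6963f7d28e17f72 : verified\n"
           " SHA1 checksum: a9993e364706816aba3e25717850c26c9cd0d89d : verified\n")
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for i, chunk in enumerate((b"a", b"bc"), start=1):
            path = os.path.join(d, "evidence.%03d" % i)
            with open(path, "wb") as f:
                f.write(chunk)
            paths.append(path)
        if tamper:
            with open(paths[-1], "ab") as f:
                f.write(b"\x00")
        return verify_image(paths, expected_hashes_from_ftk_log(log))
```

A single False in the result is enough to reject the image: a split acquisition whose segments are read out of order or whose last segment was altered fails both algorithms.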

Cortana/Edge Artifacts

  • Summary: The module extracts the browsing history for IE 11/Edge and a set of artifacts relating to the use of Cortana. These include the speech files, HTML files and other files generated when talking to Cortana. The module also extracts reminders and attachments, which include notifications such as missed calls and texts from a mobile phone running Cortana that is associated with the Microsoft account in use.
  • Author: Clare Taylor
  • Source Code: https://github.com/Tattieness/Cortana_Edge_Autopsy

Forensic Expert Witness Report

Image Classification for Autopsy

  • Summary: The module performs automatic classification of objects that it finds in images. It can detect a wide variety of objects (cars, guns, etc.—the user selects the types of objects to detect) in the images (.png, .jpg, etc.) of a digital forensic image loaded within Autopsy. The module relies on the open source YOLO image classifier and has a distributed architecture: the server part runs on top of Node.js and, for proper performance, requires an NVIDIA GPU; the client runs on the Autopsy side. The module was designed this way so that a single server (possibly fitted with a powerful NVIDIA GPU—Titan XP) in a digital forensic lab can be shared by multiple workstations running Autopsy. Note that although “Image Classification for Autopsy” runs on a node without an NVIDIA GPU, performance is significantly impacted.
  • Author: Ricardo Maltez, Rúben Caceiro, Patrício Domingues
  • Video: https://youtu.be/7UT-MqlaDN4
  • Source Code:

– https://github.com/freakstatic/image-classification-server
– https://github.com/freakstatic/image-classification


Content Overview

Basis Technology is again sponsoring an Autopsy Module Development Contest. The goal is to encourage developers to write Autopsy modules instead of stand-alone tools. Now that Autopsy supports Python modules, this is easier than ever.

Writing new functionality as Autopsy modules makes users happy because they don’t have to jump between tools, and it makes developers happy because they get to ignore details about the file system, image formats, and interfaces.

You can write ingest modules that focus on processing all of the drive data, content viewer modules that focus on displaying a single file, report modules that focus on exporting data from the case, or an external module that provides its own UI (similar to the timeline viewer in Autopsy). Attendees of OSDFCon will vote on the winners, who will receive cash prizes.

Prizes

  • First Prize: $1500
  • Second Prize: $500
  • Third Prize: $250

Basis Technology will double the prize amounts if there are over 12 submissions.

Getting Started

If you need an idea, then you can refer to the github issue tracker:

https://github.com/sleuthkit/autopsy/issues?labels=Feature+Request&page=1&state=open

Once you have your idea, you can then start looking at some of our docs. We’d recommend starting with our tutorial series from last year on writing Python modules.

  • The File Ingest Module tutorial outlined how to look for files that had certain characteristics (in the tutorial, we look for big and round files).
  • The Data Source Ingest Module tutorial outlined how to query the database for a given file name and open it in SQLite.
  • The Report Module tutorial outlined how to make a CSV report module.

The general approach to making a Python module is to find the one that is most similar to what you want to build and copy it. All of our sample modules are in the public domain.

You can also refer to the more in-depth Autopsy Developer’s Guide for instructions on writing Java or Python modules:

Guidelines

  1. The Autopsy modules must provide value in a forensics or incident response use case.
  2. The module must be released as open source software by the submission deadline under one of the licenses approved by the Open Source Initiative.
  3. By submitting an entry, you declare that you have the right to license and submit the module.
  4. The contest organizers will test the module before the conference to verify that it basically operates as stated.
  5. You must either give a 5-minute presentation and demo at OSDFCon or submit a 5-minute video. If you cannot attend the conference, the video must be submitted by September 17, 2018.
  6. In order to collect the cash prizes, winners need to provide a legal picture identification and bank account information within 30 days of notification. Bank payment transfer will be made within two weeks after winners are authenticated.
  7. Group entries are allowed; prizes will be paid to the person designated by the group.
  8. Employees of Basis Technology are not eligible.

How To Submit

Submissions should be sent to module-submissions2018@osdfcon.org no later than September 17, 2018. The submission should include the module (.NBM file for Java modules, .ZIP file for Python modules), test data to demo the module, and answers to the following questions:

  • Name of module
  • Names of authors
  • Minimum version of Autopsy required
  • Description of what module does
  • Will the authors attend OSDFCon?
  • URL of where source code can be found
  • License of source code

Note that if you cannot provide test data that is properly sanitized, we will still accept the submission, but we will have to give a disclaimer that it could not be tested.

Contact:

Any Autopsy or development related questions should be sent to: sleuthkit-developers@lists.sourceforge.net or http://forum.sleuthkit.org.

Disclaimer:

Prizes are considered taxable income. Basis Technology must report prizes over $600 to the IRS. If you win the first place prize, you will need to provide Basis Technology with your Tax ID. If you do not feel comfortable doing this, we can donate it to a charity of your choice.