2019 Module Development Contest

Congratulations to the winners of the 2019 competition!

We received 11 submissions and the modules were reviewed by a committee and voted on by the OSDFCon Audience. The committee included:

  • Terrance Maguire
  • Brian Moran
  • Chris Ray
  • Pat

Award Winners

First Place: Perceptual Hash Calculator 

  • Summary: This Autopsy module calculates the perceptual hash value of JPG files in the data source using the pHash algorithm. If a perceptual hash value is imported, it can also calculate the difference between the imported value and the other pictures’ values to look for similar pictures.
  • Author: Yuming Chen
  • Source Code: https://github.com/Moty1995/domain/tree/master/Perceptual%20Hash%20Calculator

 

Second Place: Browser History Histogram 

  • Summary: Browser History Histogram (BHH) gathers information related to web browsing and displays it in different reports (PDF, CSV and Dashboard). It supports Google Chrome, Firefox, Brave and Vivaldi, and it runs on Windows and Linux.
  • Author: Kevin Baptista, Tomás Honório, Professor Miguel Frade, Professor Patrício Domingues
  • Source Code: https://github.com/labcif/BHH

 

Third Place: Cloudtopsy 

 

Other Submissions

Atomic Wallet

 

Bam Key (Background Activity Moderator)

 

Recycle Bin

  • Summary: The module will export the SAM hive and an $I file that exists on a Windows Vista+ system. It will parse the SAM hive to get the userids. It will then parse the $I file to get the actual file location where the $R is supposed to be. It will add an artifact called TSK_RECYCLE_BIN and add the userid and actual file location to the artifact for each $R file.
  • Author: Mark McKinnon
  • Source Code: https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Recycle_Bin

 

Process TeraCopy

 

Process ActivitiesCache

 

Timesketch

  • Summary: The module will export all time-related objects (tsk_files and blackboard attributes) from Autopsy and import them into a Timesketch server that is specified by the user. There is an options panel for the user to specify the Timesketch server location.
  • Author: Mark McKinnon
  • Source Code: https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Timesketch

 

Your Phone Analyzer – YPA

  • Summary: Your Phone is a Windows 10 mobile/desktop app that makes browsing your phone on your Windows PC easy. Your Phone Analyzer is a 2-part Jython module for Autopsy. It consists of a data source ingest and a report.
    — The data source ingest finds databases left behind by Your Phone, parsing and adding information. It also runs undark and mdegrazia’s SQLite-Deleted-Records-Parser to recover any lost or deleted data.
    — The report creates a chat-like experience with data found by the ingest, with easy-to-read conversations and an orderable address book. It also converts BLOBs that are inside a Your Phone database to images.
  • Author: Luís Andrade, João Silva, Patrício Domingues, Miguel Frade
  • Source Code: https://github.com/labcif/YPA

 

LabCIF – Email Slicer

  • Summary: An Autopsy module with the purpose of extracting singular email messages from PST/OST files.
  • Author: André Agostinho Nogueira
  • Source Code: https://github.com/labcif/EmailSlicer

 


 

Contest Overview

Basis Technology is again sponsoring an Autopsy Module Development Contest. The goal is to encourage developers to write Autopsy modules instead of stand-alone tools. Now that Autopsy supports Python modules, this is easier than ever.

Writing new functionality as Autopsy modules makes users happy because they don’t have to jump between tools, and it makes developers happy because they get to ignore details about the file system, image formats, and interfaces.

You can write ingest modules that focus on processing all of the drive data, content viewer modules that focus on displaying a single file, report modules that focus on exporting data from the case, or an external module that provides its own UI (similar to the timeline viewer in Autopsy). Attendees of OSDFCon will vote on the winners, who will receive cash prizes.

Prizes

  • First Prize: $1500
  • Second Prize: $500
  • Third Prize: $250

Basis Technology will double the prize amounts if there are over 12 submissions.

 

Getting Started

If you need an idea, you can refer to the GitHub issue tracker:

https://github.com/sleuthkit/autopsy/issues?labels=Feature+Request&page=1&state=open

Once you have your idea, you can then start looking at some of our docs. We’d recommend starting with our tutorial series from last year on writing Python modules.

  • The File Ingest Module tutorial outlined how to look for files that had certain characteristics (in the tutorial, we look for big and round files).
  • The Data Source Ingest Module tutorial outlined how to query the database for a given file name and open it in SQLite.
  • The Report Module tutorial outlined how to make a CSV report module.

The general approach to making a Python module is to find the one that is most similar to what you want to build and copy it. All of our sample modules are in the public domain.

You can also refer to the more in-depth Autopsy Developer’s Guide for instructions on writing Java or Python modules:

Guidelines

  1. The Autopsy modules must provide value in a forensics or incident response use case.
  2. The module must be released as open source software by the submission deadline under one of the licenses approved by the Open Source Initiative.
  3. By submitting an entry, you declare that you have the right to license and submit the module.
  4. The contest organizers will test the module before the conference to verify that it basically operates as stated.
  5. You must either give a 5-minute presentation and demo at OSDFCon or submit a 5-minute video. If you cannot attend the conference, the video must be submitted by September 16, 2019.
  6. In order to collect the cash prizes, winners need to provide a legal picture identification and bank account information within 30 days of notification. Bank payment transfer will be made within two weeks after winners are authenticated.
  7. Group entries are allowed; prizes will be paid to the person designated by the group.
  8. Employees of Basis Technology are not eligible.

How To Submit

Submissions should be sent to module-submissions2019@osdfcon.org no later than September 16, 2019. The submission should include the module (.NBM file for Java modules, .ZIP file for Python modules), test data to demo the module, and answers to the following questions:

  • Name of module
  • Names of authors
  • Minimum version of Autopsy required
  • Description of what module does
  • Will the authors attend OSDFCon?
  • URL of where source code can be found
  • License of source code

Note that if you cannot provide test data that is properly sanitized, we will still accept the submission, but we will have to give a disclaimer that it could not be tested.

Contact:

Any Autopsy or development related questions should be sent to: sleuthkit-developers@lists.sourceforge.net or http://forum.sleuthkit.org.

Disclaimer:

Prizes are considered taxable income. Basis Technology must report prizes over $600 to the IRS. If you win the first place prize, you will need to provide Basis Technology with your Tax ID. If you do not feel comfortable doing this, we can donate it to a charity of your choice.