2020 Autopsy Module Development Contest

Congratulations to the winners of the 2020 competition!

We received 20 submissions and the modules were reviewed by a committee and voted on by the OSDFCon Audience. The committee included:

  • Johan Berggren
  • Josh Brunty
  • Christopher Cooper
  • María Elena Darahuge
  • Aaron Fitts
  • Eduardo Gusmão
  • Al Holt
  • Patrick Huwiler
  • Ryan Jones
  • Mark Kealiher
  • Ben Knowles
  • Jamie Levy
  • David Loveall
  • Ron Mays
  • William Menzie
  • Jonathan Millman
  • Nilay Mistry
  • Brian Moran
  • Gustavo Presman
  • Chris Ray
  • Nate Remynse
  • Emily Wicki

Need a refresh? Watch the module submissions below!

Award Winners

First Place: SpeechToText module

Summary: Carves files including slack space for embedded images and imports them back into autopsy as derived files of the parent file.
Author: Miguel Cerdeira Marreiros Negrão

Source code

Second Place: AD1_Extractor

Summary: The module will take an Access Data AD1 file (single or split) that has been added as a logical data
source and extract all the files and add them as a new data source so that they can be processed in Autopsy. This will save someone having to convert to convert the files to another format first. It will extract the files from the AD1 to a directory under the ModuleOutput directory. It will then create a custom extracted content artifact with the files that were extracted with their mac times.
Author: Mark McKinnon

Source code

Third Place: Forensic Analysis for Mobile Apps (FAMA)

Summary: FAMA is a framework that is accessible within Autopsy’s modules.
It does the following:

  1. It can perform a live extraction from an Android device (it uses ADB)
  2. It analyzes an Android image to extract and produce forensic artifacts of Android applications. For each application, the framework runs an application specific python file. This python file leverages the FAMA API to extract artifacts, parse SQLite3 databases (and recover rows through external and well known tools such as Undark and Parse SQL delete parser), add the artifacts to Autopsy’s Blackboard.
  3. For each analyzed application, it is also possible to generate reports. FAMA has support for various types of reports, namely: timeline-based; multimedia (display video/photos in a dynamic HTML page); Maps-based. It also supports PDF reports.
  4. Right now, FAMA has support for two Android applications: TikTok and Tinder. These two were implemented as proof-of-concepts. Support for other Android applications can easily be added (this is the goal of the framework, to ease the addition of support for new Android applications).
  5. In developing FAMA, we noticed that Autopsy supports the addition of “Data Source processor”. Therefore, we added a new data source processor “Live extraction with ADB (Android)”.

However, for this to work, Autopsy needs to be patched (we have a pending Pull Request #6027 — it’s quite trivial and hopefully it will be accepted by the Autopsy Team). Note, that FAMA works without the patch (see readme_fama.pdf), since the purpose of the patch is to enable Jython Datasource processor modules to add data sources.
Authors: José Carlos Francisco, Ruben Nogueira, Patrício Domingues, & Miguel Frade

Source code

Other Submissions

Android Usagestats

Summary: Android usagestats parser to add recorded usage events to the autopsy timeline.
Authors: Ginger Geneste & Bart Broere

Source code

Autopsy-DocumentMetadataIngestModule

Summary: It has the ability to extract the metadata of documents. It also attempts to extract metadata even if the file is partially corrupted.
Authors: Hyun Yi & BeomJun Park

Source code

Camera Fingerprint PRNU

Summary: Camera Fingerprint PRNU uses photo response non-uniformity of camera sensor (PRNU) to check if a photo was truly taken by a suspected camera or not.
Authors: Grzegorz Bieś & Ernest Bieś

Source code

filecarver

Summary: Carves files including slack space for embedded images and imports them back into autopsy as derived files of the parent file
Author: Alan Browne

Source code

Geolocation BlackVue dashcam

Summary: The module extracts GPS trackpoints from BlackVue dashcam recordings. GPS data is included in a datastream in the mp4 recordings.
Authors: Bart Broere & Ginger Geneste

Source code

Geolocation BlackVue dashcam

Summary: The module extracts GPS trackpoints from BlackVue dashcam recordings. GPS data is included in a datastream in the mp4 recordings.
Authors: Bart Broere & Ginger Geneste

Source code

Google TakeOut

Summary: The module will take Google Takeout file(s) that have been added as logical files, you can add the individual files or a directory, and unzip/tgz them and add them back to the case as a new data source. If the Google Takeout directory has individual files as well the zip/tgx files it will add everything into the data source. You can then process the data source as a normal case. It will create a directory in the Module case directory to store the files it unzips.
Author: Mark McKinnon

Source code

iOS_sysdiagnose

Summary: The module will parse the files that have been created by doing a sysdiagnose against an iPhone. It runs a series of programs that were created by cheeky4n6monkey and will create extracted content for the data that is found.
Author: Mark McKinnon

Source code

LabCIF DOI – Detection of Objects in Images

Summary: DOI ingest module can execute image object detection by using YOLO framework. It benefits from CUDA technology and supports most common image formats. It can easily aid in content filtering within a large image library, by finding images containing the required objects. DOI report module stores detection results inside a self-contained HTML page with filtering and pagination capabilities.
Authors: Mihail Stratan, Paulo Martinho, Patrício Domingues, & Miguel Frade

Source code

LevelDb

Summary: The module will export all the files associated with a LevelDb (Key/Value pair) and then parse it to a csv file then bring the data into Autopsy as Extracted content with a custom artifact of TSK_LEVELDB (LevelDb Database(s)).
Author: Mark McKinnon

Source code

Mass Export By Extentsion

Summary: The module will export allows the user to enter file extensions separated by commas to mass export all of those files to the export directory. Files will be stored in a directory based on their file extension and will have there file id attached to it so that it can handle duplicate file names.
Author: Mark McKinnon

Source code

Nintendo Switch Forensics Module

Summary: Paper to be published at DFRWS EU on full functioning of all the different parts of this module and other aspects of research.
Authors: Tom Farrant, Ben Leonard-Lagarde, Danny Rigby, Sash Rigb, Frederick Sibley-Calder, & Freddie Barr-Smith

Source code

NotifAnalyzer

Summary: Paper to be published at DFRWS EU on full functioning of all the different parts of this module and other aspects of research.
Authors: Luís Andrade, Patrício Domingues, & Miguel Frade

Source code

Ring Central

Summary: The module will parse the Ring Central directory of a user and pull out the meeting and chat information for the Ring Central Application.
Author: Mark McKinnon

Source code

TikTok for Android Analyzer

Summary: TikTok.py is an Autopsy module that runs within Autopsy’s Android Analyzer. The module parses the info of the popular TikTok application, importing into Autopsy’s BlackBoard the main TikTok’s artifacts, namely messages and contacts.
Authors: José Carlos Francisco, Ruben Nogueira, Patrício Domingues, & Miguel Frade

Source code

Tinder for Android Analyzer

Summary: Tinder.py is an Autopsy module that runs within Autopsy’s Android Analyzer. The module parses the info of the popular Tinder application, importing into Autopsy’s BlackBoard the main Tinder’s artifacts, namely messages and contacts.
Authors: José Carlos Francisco, Ruben Nogueira, Patrício Domingues, & Miguel Frade

Source code

W10-FaceMessenger @ Autopsy

Summary: W10-FaceMessenger @ Autopsy is an Autopsy data source ingest module that wraps around
the stand-alone application W10-FaceMessenger to parse and create the following artifacts
associated with the use of Facebook’s Messenger (Beta) on Windows 10:

  • Contacts
  • Messages
  • Calls
  • Cached images
  • Deleted database records

Authors: Osvaldo Rainha, Ricardo Lopes, Miguel Frade, & Patrício Domingues

Source code

Wordlist

Summary: The module will collect all the content that has been stored in Solr from running the Keyword search ingest module and create a wordlist that can be used to crack passwords. The wordlist will be stored in the Export directory as a text file. File names and extensions will also be included in the wordlist. The wordlist is also a unique wordlist as well, there should be no duplicates.
Author: Mark McKinnon

Source code


Hash_Logos-for-Software_Smaller-03-298x300

Contest Overview

Basis Technology is again sponsoring an Autopsy Module Development Contest. The goal is to encourage developers to write Autopsy modules instead of stand-alone tools. Now that Autopsy supports Python modules, this is easier than ever.

Writing new functionality as Autopsy modules make users happy because they don’t have to jump between tools and it makes developers happy because they get to ignore details about the file system, image formats, and interfaces.

You can write ingest modules that focus on processing all of the drive data, content viewer modules that focus on displaying a single file, report modules that focus on exporting data from the case, or an external module that provides its own UI (similar to the timeline viewer in Autopsy). Attendees of OSDFCon will vote on the winners, who will receive cash prizes.

Prizes

  • First Prize: $1500
  • Second Prize: $500
  • Third Prize: $250

Basis Technology will double the prize amounts if there are over 12 submissions.

Getting Started

If you need an idea, then you can refer to the github issue tracker.

Once you have your idea, you can then start looking at some of our docs. We’d recommend starting with our tutorial series on writing Python modules. You can find them and other information in the Autopsy Developer’s Guide.

  • The File Ingest Module tutorial outlined how to look for files that had certain characteristics (in the tutorial, we look for big and round files).
  • The Data Source Ingest Module tutorial outlined how to query the database for a given file name and open it in SQLite.
  • The Report Module tutorial outlined how to make a CSV report module.

The general approach to making a Python module is to find the one that is most similar to what you want to build and copy it. All of our sample modules are in the public domain.

Guidelines

  1. The Autopsy modules must provide value in a forensics or incident response use case.
  2. The module must be released as open source software by the submission deadline under one of the licenses approved by the Open Source Initiative.
  3. By submitting an entry, you declare that you have the right to license and submit the module.
  4. The contest organizers will test the module before the conference to verify that it basically operates as stated.
  5. You must include a 2-minute video with your submission.VIDEO GUIDELINES
    • Give a synopsis of what your module does and how it is useful with either audio or large, readable text. (When the videos are presented at OSDFCon for voting, it is not always obvious what is happening or what the module does when looking at small text on a large screen, so this will give you the best chance of winning.)
  6. In order to collect the cash prizes, winners need to provide a legal picture identification and bank account information within 30 days of notification. Bank payment transfer will be made within two weeks after winners are authenticated.
  7. Group entries are allowed; prizes will be paid to the person designated by the group.
  8. Employees of Basis Technology are not eligible.

How To Submit

Submissions should be sent to modulesubmissions2020@osdfcon.org no later than October 12, 2020. The submission should include the module (.NBM file for Java modules, .ZIP file for Python modules), test data to demo the module, and answers to the following questions:

  • Name of module
  • Names of authors
  • Minimum version of Autopsy required
  • Description of what module does
  • Will the authors attend OSDFCon?
  • URL of where source code can be found
  • License of source code

Note that if you cannot provide test data that is properly sanitized, we will still accept the submission, but we will have to give a disclaimer that it could not be tested.

2019 Modules

To view last year’s modules, check out this page. For previous year’s modules, look in the archives.

Contact:

Any Autopsy or development related questions should be sent to: sleuthkit-developers@lists.sourceforge.net or forum.sleuthkit.org.

Disclaimer:

Prizes are considered taxable income. Basis Technology must report prizes over $600 to the IRS. If you win the first place prize, you will need to provide Basis Technology with your Tax ID.

If you do not feel comfortable doing this, we can donate it to a charity of your choice.