2021 Autopsy Module Development Contest

Congratulations to the winners of the 2021 competition!

We received 11 submissions and the modules were reviewed and judged by a committee. The committee included:

  • María Elena Darahuge
  • Aaron Fitts
  • Ryan Jones
  • Jonathan Millman
  • Brian Moran
  • Gustavo Presman
  • dfirnotes
  • and other anonymous volunteers

Award Winners

First Place: iOS Device Data Extractor

Summary: Creates an encrypted or unencrypted iOS backup of an iPhone or iPad running iOS 10.2 and above. It extracts files from an encrypted or unencrypted iOS backup, including a backup made with iTunes, and can compress them into a zip archive for use with, for example, the iLEAPP module.

Authors: Grzegorz Bieś & Ernest Bieś

Source code

Second Place: MF_Detector

Summary: MF_Detector is an Autopsy module to detect manipulated photos, namely deep fakes, splicing and copy-move manipulations. The module implements the following four main tasks:

  1. All photos in the target data source are automatically identified and extracted.
  2. For each photo found by the MF_Detector module, 50 features are extracted using the Discrete Fourier Transform (DFT) algorithm.
  3. A Machine Learning model, based on Support Vector Machines, is used to evaluate the features previously extracted and, for each photo in the data source, it assigns the probability of being manipulated.
  4. Artifacts with the corresponding probability of manipulation for each photo are posted to the Autopsy Blackboard.

The MF_Detector module can be valuable for automating and speeding up the detection of tampered digital photos and for searching assertively for the most relevant artifacts, thus helping forensic investigators solve cases more efficiently.
Although processing with 50 features has produced high accuracy in detecting manipulated photos, the module can easily be adjusted to process a larger number of features extracted by the DFT algorithm.

Two research papers were recently published in which the details behind the functioning of the module and its results are described:

Ferreira, S.; Antunes, M.; Correia, M. E. (2021). Exposing Manipulated Photos and Videos in Digital Forensics Analysis. Journal of Imaging, 7(7):102. https://doi.org/10.3390/jimaging7070102

Ferreira, S.; Antunes, M.; Correia, M. E. (2021). A Dataset of Photos and Videos for Digital Forensics Analysis Using Machine Learning Processing. Data, 6(8):87. https://doi.org/10.3390/data6080087

Authors: Sara Ferreira, Mário Antunes, & Manuel E. Correia

Source code

Third Place: vLeapp Parser

Summary: This ingest module will process logical extractions from cars, trucks, and infotainment systems and parse them for interesting artifacts.

Author: Mark McKinnon

Source code

Other Submissions

cLeapp Parser Ingest Module

Summary: This ingest module will process an extracted image from a Chromebook acquisition made with the Magnet Chrome Acquisition tool or Daniel Dickerman’s process.

Author: Mark McKinnon

Source code

Event Log Viewer

Summary: This content viewer will allow the user to view event logs from Windows XP through Windows 10. When a user selects an event log (evt or evtx file extension), it presents the events contained in that log for review.

Author: Mark McKinnon

Source code

GBoard4A

Summary: GBoard4A is a forensic analyzer for the Autopsy digital forensics software that analyzes GBoard application data. It consists of a standalone CLI application, separate from Autopsy, and two Autopsy modules:

  1. The Ingest Data Source Module is intended to publish the data gathered by the standalone application to the Autopsy Blackboard.
  2. The General Report Module is intended to generate a report of any kind. In our case, this module generates an HTML-formatted report based on the information gathered by the standalone application.

Authors: Students João Miguel Lavos Lourenço & Luís Jorge Monteiro Ferreira and Professors Miguel Cerdeira Marreiros Negrão, Miguel Monteiro de Sousa Frade, & Patrício Rodrigues Domingues

Source code

LNK File Viewer

Summary: This content viewer will allow the user to view information about an LNK (Windows shortcut) file.

Author: Mark McKinnon

Source code

Microsoft Teams Parser

Summary: This data source ingest module can parse the IndexedDB LevelDB databases used by the Microsoft Teams desktop client for persisting artefacts, such as messages, comments, posts, contacts, calendar entries and reactions, and presents these as Blackboard artefacts. Unlike the existing LevelDB plugin by Mark McKinnon, this module also parses the binary ldb files, which contain the majority of the entries in scenarios where extensive communications have been exchanged. The module has been tested with the current Microsoft Teams client for Windows and the upcoming Teams 2.0.

Author: Alexander Bilz

Source code

Prefetch Parser Content Viewer

Summary: This content viewer will allow the user to view the information in an individual prefetch file. The following information may be shown: executable file name and location, number of runs, last run time(s), and files used by the executable.

Author: Mark McKinnon

Source code

UAL Parser

Summary: This ingest module will process a current.mdb file containing User Access Logs from a Windows Server.

Author: Mark McKinnon

Source code

Videoconf4A

Summary: The goal of the Videoconf4A module is to collect forensic artifacts from the Zoom video conferencing desktop application and from Chromium-based browsers such as Google Chrome and Microsoft Edge. Currently the module only works for Windows data sources.

Many of the interesting files containing relevant artifacts related to Zoom activity are encrypted; the module decrypts those files, collects the artifacts and displays them on the “Results” tab. It also parses and displays LevelDB data related to Zoom activity in Chromium-based browsers.

Authors: João Oliveira, Miguel Frade, & Patrício Domingues

Source code