2016 Autopsy Module Development Contest


Congratulations to the winners of this year's competition.

We had a record number of 21 submissions this year. As in past years, the winners were chosen entirely based on the votes of the OSDFCon attendees after the submitters presented their work. Special thanks to all of the submitters (especially Mark McKinnon with his astonishing 12 submissions).

This year's winners were:

NetArchae by Emily Wicki

  • This Autopsy Module extracts Packet Captures (pcaps) from Data Sources. It then sorts them under a “PCAPs” tab within “Interesting Files” and allows the extracted pcaps to be parsed by KeywordSearch.
  • Source Code: https://github.com/thePidge/netArchae

Golden Image by Mathias Vetsch and Luca Taennler

  • The Golden Image module uses two data sources – a “dirty image” and a “golden image” – and compares them with each other. The main task is to find the differences between these two data sources: newly added files, deleted files and changed files.
  • Source Code: https://github.com/colapse/Autopsy-GoldenImage

Parse SQLite Del Rec by Mark McKinnon

  • This module takes user input from a form. The user enters one or more SQLite databases that they want to examine for deleted records in Autopsy. It will then export the specified SQLite database files to the temp directory, parse each SQLite database and create a custom artifact for each table in the database. The custom artifacts have a name in the format SQLite Database <FileName> Table <Table Name> DELETED Records, with custom attributes for each artifact. Once it is complete, the UI is notified that a new artifact has been added. This plugin can create a lot of extracted content, so use it wisely. It is also not very fast on large database tables, so this will need to be addressed in the future.
  • Source Code: https://github.com/markmckinnon/Autopsy-Plugins
  • Module: https://drive.google.com/drive/folders/0Bxdmy6yl9bUqUVhjTnNmWVI5eGs

Other submissions (ordered alphabetically by author) were:

Android Geodata XML/Crawler by Roberto Amelio

  • The modules aim to collect and display significant amounts of location data from which an investigator can report on the whereabouts of the analysed mobile device.
  • Source: https://github.com/robiame/AndroidGeodata

HashDump by John Lukach

  • HashDump.py creates a HashDump.txt file in the base of the case folder containing the hashes of the files in the case. HashDump was built as a proof of concept and requires the Hash Lookup ingest module to be run first so that the MD5 hashes are calculated. HashDump.py builds the ingest module for the Autopsy user interface, which passes the case file location as an argument to the HashDump.exe Python program.
  • Source Code: https://github.com/jblukach/AutopsyMultiUserModules

Parse Amcache by Mark McKinnon

  • This module takes user input from a form. The user can choose from three Amcache reports: program entries, file entries and unassociated programs. It will then export the specified amcache.hve files to the temp directory and call an external program to parse out the programs and files and insert them into a SQLite database. The SQLite database is then imported into Autopsy and custom artifacts based on the user input are created. The custom artifacts have a prefix of Amcache, and custom attributes are created for each artifact. Once it is complete, the UI is notified that a new artifact has been added.
  • Source Code: https://github.com/markmckinnon/Autopsy-Plugins
  • Module: https://drive.google.com/drive/folders/0Bxdmy6yl9bUqUVhjTnNmWVI5eGs

ParseEvtx by Mark McKinnon

  • This module takes user input from a form. The user can select from three default Windows EVTX event logs or manually enter the logs they would like to parse. It will then export the specified EVTX files to the temp directory and call an external program to parse the EVTX logs and insert them into a SQLite database. The SQLite database is then imported into Autopsy, a custom artifact named Windows Event Logs is created, and custom attributes are created for this artifact. Once it is complete, the UI is notified that a new artifact has been added. This works only on EVTX files.
  • Source Code: https://github.com/markmckinnon/Autopsy-Plugins
  • Module: https://drive.google.com/drive/folders/0Bxdmy6yl9bUqUVhjTnNmWVI5eGs

Parse Plists by Mark McKinnon

  • This module takes user input from a form. The user enters one or more plist files from which they want to export information. It will then export the specified plist files to the temp directory, parse each plist into a SQLite database and create a custom artifact for each table in the database. The custom artifacts have a name in the format Plist <FileName>, with custom attributes for each artifact. Once it is complete, the UI is notified that a new artifact has been added. This plugin can create a lot of extracted content, so use it wisely. It is also not very fast on large plist files, so this will need to be addressed in the future.
  • Source Code: https://github.com/markmckinnon/Autopsy-Plugins
  • Module: https://drive.google.com/drive/folders/0Bxdmy6yl9bUqUVhjTnNmWVI5eGs

SAMParse by Mark McKinnon

ShellBags by Mark McKinnon

ShimcacheParser by Mark McKinnon

Parse SQLite DB by Mark McKinnon

  • This module takes user input from a form. The user enters one or more SQLite databases that they want to import into Autopsy. It will then export the specified SQLite database files to the temp directory, open each SQLite database and create a custom artifact for each table in the database. The custom artifacts have a name in the format SQLite Database <FileName> Table <Table Name>, with custom attributes for each artifact. The BLOB data type is not handled; a text string message stating this is stored instead. Once it is complete, the UI is notified that a new artifact has been added. This plugin can create a lot of extracted content, so use it wisely. It is also not very fast on large database tables, so this will need to be addressed in the future.
  • Source Code: https://github.com/markmckinnon/Autopsy-Plugins
  • Module: https://drive.google.com/drive/folders/0Bxdmy6yl9bUqUVhjTnNmWVI5eGs

Parse SRUDB by Mark McKinnon

  • This module takes user input from a form and imports the System Resource Usage data selected by the user. The module extracts the SRUDB.DAT file to the temp directory and then calls an external program to parse the SRUDB.dat file and store the information in a SQLite database. The SQLite database is then imported into numerous custom artifacts, based on what the user checked, with custom attributes, and the UI is notified after completion that new artifacts have been added to the Extracted Content. This plugin may create numerous different artifacts.
  • Source: https://github.com/markmckinnon/Autopsy-Plugins
  • Module: https://drive.google.com/drive/folders/0Bxdmy6yl9bUqUVhjTnNmWVI5eGs

USN Parser by Mark McKinnon

Parse WebCache by Mark McKinnon

  • This module extracts all the WebcacheV01.dat files for all users to the temp directory and then calls an external program to parse the Webcache and store the information in a SQLite database. The SQLite database is then imported into numerous custom artifacts that have a prefix of Webcache in their name, with custom attributes, and the UI is notified after completion that new artifacts have been added to the Extracted Content. This plugin may create numerous different artifacts.
  • Source: https://github.com/markmckinnon/Autopsy-Plugins
  • Module: https://drive.google.com/drive/folders/0Bxdmy6yl9bUqUVhjTnNmWVI5eGs

JumpList AD by Mark McKinnon

Payment Card Scanning Module by Shea Nangle

  • This Autopsy module searches for possible payment card numbers and then checks the Luhn checksum of each candidate, which gives a greater degree of confidence as to whether a numeric sequence is a payment card number or not.
  • Source: https://github.com/ultrashea/autopsy-payment-card-scanner
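As an added illustration of the two-stage approach the description above outlines (not code from the contest module itself): a regular expression finds 13- to 19-digit candidates, then the Luhn mod-10 check filters them. The candidate pattern and the sample text are constructed assumptions for this example.

```python
import re

# Constructed candidate pattern: 13 to 19 digits, optionally separated by a
# single space or hyphen, not embedded in a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and
    # subtract 9 from any doubled value above 9 (same as summing its digits).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_candidates(text: str) -> list:
    """Return (raw_match, normalized_digits, luhn_ok) for every candidate in text.

    Luhn reduces false positives (roughly nine in ten random digit strings fail),
    but a passing sequence is still only a candidate, not proof of a card number.
    """
    results = []
    for m in CANDIDATE_RE.finditer(text):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        results.append((raw, digits, luhn_valid(digits)))
    return results


# Constructed sample text; the card-like values are public test numbers.
SAMPLE_TEXT = (
    "order ref 1234567890123 shipped\n"
    "card 4111 1111 1111 1111 exp 12/20\n"
    "phone 5550001234 and mc 5500-0000-0000-0004\n"
)

if __name__ == "__main__":
    for raw, digits, ok in find_card_candidates(SAMPLE_TEXT):
        print(f"{raw!r:>25} -> {digits} luhn={'pass' if ok else 'fail'}")
```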

P2P Forensic by Carlos Cilleruelo Rodríguez

  • The main purpose of this plugin is to try to get usage information about P2P Windows programs in a forensics environment. There is a PDF attached to this email with info about the module.
  • Source: https://github.com/CarlosLannister/P2PForensic

AuthentiCode Verification by Mathias Vetsch and Luca Taennler

  • The module verifies the code signing certificates of Windows executables. It creates Content Tags with the Signer Name of the binary. This module helps to quickly eliminate known-good files from the OS vendor. You can also list the files from any unknown publisher that signed software on the system you are investigating.
  • Source: https://github.com/mvetsch/Autopsy-AuthentiCodeVerification

TagFilter by Mathias Vetsch and Luca Taennler

  • In Autopsy there are several tags from various modules which have the same or a similar meaning (for example, tags to mark files as “known-good”). Autopsy lists files per tag, but you might want a list containing all files that were tagged with “known-good”-like tags. The TagFilter module enables you to create a list of files by applying several filters (for tags). You can add an unlimited number of filters and connect them with AND/OR operators. You can also specify if you want a filter to be true or false (file contains or doesn’t contain the tag). Besides that, you can create so-called “Filter Groups” in which you combine filters. The filters are applied top-down and are built up similarly to a SQL WHERE clause. You can also select whether to search for files on all data sources within your case or just a specific one. In the end you get a list of all the files that match your filter.
  • Source: https://github.com/colapse/Autopsy-TagFilter

Virustotal online checker by Mathias Vetsch and Luca Taennler

  • VirusTotal is an online service that allows you to identify known-bad files. The service is free to use. The VirusTotal online checker module automatically checks files on imported data sources against the VirusTotal service.
  • Source: https://github.com/mvetsch/VirusTotalOnlineChecker

Contest Overview

Basis Technology is again sponsoring an Autopsy Module Development Contest. The goal is to encourage developers to write Autopsy modules instead of stand-alone tools. Now that Autopsy supports Python modules, this is easier than ever.

Writing new functionality as Autopsy modules makes users happy because they don’t have to jump between tools, and it makes developers happy because they get to ignore details about file systems, image formats, and interfaces.

You can write ingest modules that focus on processing all of the drive data, content viewer modules that focus on displaying a single file, report modules that focus on exporting data from the case, or an external module that provides its own UI (similar to the timeline viewer in Autopsy). Attendees of OSDFCon will vote on the winners, who will receive cash prizes.

Prizes

  • First Prize: $3,000 (originally $1,500)
  • Second Prize: $1,000 (originally $500)
  • Third Prize: $500 (originally $250)

This year, Basis Technology doubled the prize amounts because we already have over 12 submissions.

Getting Started

If you need an idea, then you can refer to the GitHub issue tracker:

https://github.com/sleuthkit/autopsy/issues?labels=Feature+Request&page=1&state=open

Once you have your idea, you can then start looking at some of our docs. We’d recommend starting with our tutorial series from last year on writing Python modules.

  • The File Ingest Module tutorial outlined how to look for files that had certain characteristics (in the tutorial, we look for big and round files).
  • The Data Source Ingest Module tutorial outlined how to query the database for a given file name and open it in SQLite.
  • The Report Module tutorial outlined how to make a CSV report module.

The general approach to making a Python module is to find the one that is most similar to what you want to build and copy it. All of our sample modules are in the public domain.

You can also refer to the more in-depth Autopsy Developer’s Guide for instructions on writing Java or Python modules.

Guidelines

  1. The Autopsy modules must provide value in a forensics or incident response use case.
  2. The module must be released as open source software by the submission deadline under one of the licenses approved by the Open Source Initiative.
  3. By submitting an entry, you declare that you have the right to license and submit the module.
  4. The contest organizers will test the module before the conference to verify that it basically operates as stated.
  5. You must either give a 5 minute presentation and demo at OSDFCon or submit a 5 minute video. If you cannot attend the conference, the video must be submitted by October 17, 2016.
  6. In order to collect the cash prizes, winners need to provide a legal picture identification and bank account information within 30 days of notification. Bank payment transfer will be made within two weeks after winners are authenticated.
  7. Group entries are allowed; prizes will be paid to the person designated by the group.
  8. Employees of Basis Technology are not eligible.

How To Submit

Submissions should be sent to [EMAIL_REMOVED] no later than October 10, 2016. The submission should include the module (.NBM file for Java modules, .ZIP file for Python modules), test data to demo the module, and answers to the following questions:

  • Name of module
  • Names of authors
  • Minimum version of Autopsy required
  • Description of what module does
  • Will the authors attend OSDFCon?
  • URL of where source code can be found
  • License of source code

Note that if you cannot provide test data that is properly sanitized, we will still accept the submission, but we will have to give a disclaimer that it could not be tested.

Contact:

Any Autopsy or development related questions should be sent to: sleuthkit-developers@lists.sourceforge.net or http://forum.sleuthkit.org.

Disclaimer:

Prizes are considered taxable income. Basis Technology must report prizes over $600 to the IRS. If you win the first place prize, you will need to provide Basis Technology with your Tax ID. If you do not feel comfortable doing this, we can donate it to a charity of your choice.