Autopsy Python Plugins
markmckinnon: Initial Commit of Parse_Appx_Programs. Latest commit 35d3baa, May 31, 2018.

Autopsy-Plugins

This is a repository of Autopsy Python plugins. You can download all of them and place them in the Autopsy Python plugin directory; all of the plugins recompile on execution.

Plugin Overview

Here is a brief overview of all of the plugins.

Amazon Echosystem Parser

Parse the databases from an Amazon Alexa image.

CCM Recently Used Apps

Parse the WMI database for recently used apps.

Create Preview Data Container

Create an expandable VHD volume and mount it. Then read a SQLite database of file extensions that can be exported to it and export the files matching those extensions. Finally, unmount the VHD so it can be added back into an Autopsy case.

Cuckoo

Check the status of a Cuckoo server and submit files to it.

Parse File History

Export the Catalog1.edb file and then call the command line version of the Export_FileHistory program. A SQLite database that contains the File History information is created and then imported into the extracted view section of Autopsy.

Gui Test

Example of the different types of things you can do with the GUI portion of Autopsy Python Plugins.

Gui Test With Settings

Example of the saving and retrieving of settings from the GUI of an Autopsy Python Plugin.

Jump List AD

Export the JumpList AutoDestinations and then call the command line version of the Export_JL_Ad program. A SQLite database that contains the JumpList information is created and then imported into the extracted view section of Autopsy.

MacFSEvents

Export the .fsevents directory and run the FSEParser_v2.1.exe program against the exported data. It will then import the SQLite database that was created from the program.

MacOSX Recent

Export/Parse Mac recents.

MacOSX Safari

Export/parse Mac OS X Safari artifacts. A SQLite database that contains the Safari information is created and then imported into the extracted view section of Autopsy.

Parse PList

Parse any plist, convert it to a SQLite database and then import the information into the extracted content.

SAM Parse

Export the SAM registry hive and then call the command line version of the SAM Parse program. A SQLite database that contains the SAM information is created and then imported into the extracted view section of Autopsy.

Parse SQLite DBs

Parse any SQLite files and import them into the extracted content section of Autopsy.

Parse SQLite DB Del Records

Parse any SQLite databases and look for deleted records. It will then create a SQLite database with the deleted records, which is then imported into the extracted content section of Autopsy.
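Recovering deleted records from a SQLite file works because, unless secure_delete is on, a deleted cell's bytes stay behind in the page's freeblock chain or in the unallocated space between the cell pointer array and the cell content area. The following added example (not the plugin's own code) builds a constructed database, deletes two rows, and carves the remnants from both locations using the on-disk page format; the `notes` table and its values are made up for the demonstration.

```python
import os
import sqlite3
import struct
import tempfile

def make_sample_db():
    """Constructed sample: two live rows and two deleted rows in one table."""
    path = os.path.join(tempfile.mkdtemp(), "sample.db")
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = OFF")  # assumption: remnants are not zeroed
    con.execute("CREATE TABLE notes(id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO notes(body) VALUES (?)",
                    [("keep-alpha",), ("gone-bravo",), ("keep-charlie",), ("gone-delta",)])
    con.commit()
    con.execute("DELETE FROM notes WHERE body LIKE 'gone-%'")
    con.commit()
    con.close()
    return path

def carve_page_slack(path):
    """Return (page_no, kind, bytes) for every freeblock and non-empty unallocated
    region on each b-tree page; deleted cells survive in these areas."""
    with open(path, "rb") as f:
        data = f.read()
    page_size = struct.unpack(">H", data[16:18])[0]
    if page_size == 1:                       # header encodes 65536 as 1
        page_size = 65536
    hits = []
    for pno in range(len(data) // page_size):
        page = data[pno * page_size:(pno + 1) * page_size]
        hdr = 100 if pno == 0 else 0         # page 1 starts with the 100-byte file header
        ptype = page[hdr]
        if ptype not in (0x02, 0x05, 0x0A, 0x0D):  # skip freelist/overflow/lock pages
            continue
        first_free, ncells, content_start = struct.unpack(">HHH", page[hdr + 1:hdr + 7])
        if content_start == 0:
            content_start = 65536
        hdr_len = 8 if ptype in (0x0A, 0x0D) else 12  # interior pages carry a right-child pointer
        # Unallocated space: after the live cell pointers, before the cell content area.
        unalloc = page[hdr + hdr_len + 2 * ncells:content_start]
        if unalloc.strip(b"\x00"):
            hits.append((pno + 1, "unallocated", unalloc))
        # Freeblock chain: 2-byte next offset, 2-byte total size, then the stale cell bytes.
        off, seen = first_free, set()
        while off and off not in seen and off + 4 <= len(page):
            seen.add(off)
            nxt, size = struct.unpack(">HH", page[off:off + 4])
            hits.append((pno + 1, "freeblock", page[off + 4:off + size]))
            off = nxt
    return hits

if __name__ == "__main__":
    for page_no, kind, chunk in carve_page_slack(make_sample_db()):
        print(page_no, kind, chunk)
```

One of the two deleted rows ends up in a freeblock and the other in unallocated space, because freeing the lowest cell on a page extends the content-area pointer instead of creating a freeblock; a carver that checks only one location misses half the evidence.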

Parse Shellbags

Export the NTUSER Hive(s) and then call the command line version of shell bags program. A SQLite database that contains the shellbag information is created then imported into the extracted view section of Autopsy.

Parse Usnj

Export the $UsnJrnl:$J and then call the command line version of the parseusn program. A SQLite database that contains the NTFS UsnJrnl information is created and imported into the extracted view section of Autopsy.

Plaso

Execute plaso or import a plaso file.

Parse Amcache

Export the Amcache registry hive and then call the command line version of the Export_Amcache program. A SQLite database that contains the Amcache information is created and then imported into the extracted content view of Autopsy.

Parse EVTX

Export the Windows Event Logs and then call the command line version of the Export_EVTX program. A SQLite database that contains the Event Log information is created and imported into the extracted view section of Autopsy.

Parse EVTX by Event ID

Export all the Windows Event Logs and then call the command line version of the Export_EVTX program. A SQLite database that contains the Event Log information is created and then imported into the extracted view section of Autopsy as a table based on Event_Log_Id. The user can then run the module again and extract user-supplied events from the EVTX SQLite database.

Process Extract VSS

Example of the different types of things you can do with an Autopsy plugin.

Process Prefetch V41

Export the prefetch files and then call the command line version of the prefetch_parser program. A SQLite database that contains the prefetch information is created and then imported into the extracted view section of Autopsy.

Process SRUDB

Export the System Resource Usage Database and then call the command line version of the Export SRUDB program. A SQLite database that contains the Resource Usage information is created then imported into the extracted view of Autopsy.

Shimcache Parser

Export the SYSTEM registry hive and then call the command line version of the shimcache_parser program. A SQLite database that contains the shimcache information is created and then imported into the extracted view section of Autopsy.

Thumbcache Parser

Export all the thumbcache_*.db files in the image and then run the thumbcache_viewer_cmd program against them and export the embedded files to the ModuleOutput directory so that the files can then be added back into Autopsy.

Thumbs Parser

Export all the thumbs.db files in the image and then run the thumbs_viewer program against them and export the embedded files to the ModuleOutput directory so that the files can then be added back into Autopsy.

Volatility

Execute Volatility against a memory image. It will ask the user for the directory where the Volatility executable resides and then run Volatility against the memory image using the options the user specifies.

Webcache

The module will export the WebcacheV01 file and then call the command line version of the Export_Esedb program. A SQLite database that contains the Webcache information is created and then imported into the extracted view section of Autopsy.

Windows Internals

Several Windows plugins combined into one plugin. You pick with checkboxes what you want it to do.

Linux Compatible Plugins

The following plugins are compatible with Linux systems. Other plugins may work, but were designed to be run on Windows. More Linux plugin support is on the roadmap.

  • Volatility Plugins
  • SQLite Plugins
  • Amazon Echosystem Plugins
  • Gui Test Plugins

Other Resources

You can read about some of the plugins at https://medium.com/@markmckinnon_80619

Need Help?

If you have any questions/comments/suggestions please let me know. Create an issue. Enjoy!