Be notified of new releases
Create your free GitHub account today to subscribe to this repository for new releases and build software alongside 50 million developers.Sign up
- Added streaming ingest capability for disk images that allow files to be analyzed as soon as they are added to the database.
- Changed backend code so that disk image-based files are added by Java code instead of C/C++ code.
- Include Interesting File set rules for cloud storage, encryption, cryptocurrency and privacy programs.
- Updated PhotoRec 7.1 and include 64-bit version.
- Updated RegRipper in Recent Activity to 2.8
- Create artifacts for Prefetch, Background Activity Monitor, and System Resource Usage.
- Support MBOX files greater than 2GB.
- Document metadata is saved as explicit artifacts and added to the timeline.
- New “no change” hashset type that does not change status of file.
Central Repository / Personas:
- Accounts in the Central Repository can be grouped together and associated with a digital persona.
- All accounts are now stored in the Central Repository to support correlation and persona creation.
- Created artifact-specific viewers in the Results viewer for contact book and call log.
- Moved Message viewer to a Results sub-viewer and expanded to show accounts.
- Added Application sub-viewer for PDF files based on IcePDF.
- Annotation viewer now includes comments from hash set hits.
- Different data types now are displayed using different colors.
- Track points in a track are now displayed as small, connected circles instead of full pins.
- Filter panel shows only data sources with geo location data.
- Geolocation artifact points can be tagged and commented upon.
- Changed UI to have more of a search flow and content viewer is hidden until an item is selected.
- Can be generated for a single data source instead of the entire case.
- CASE / UCO report module now includes artifacts in addition to files.
- Added backend concept of Tag Sets to support Project Vic categories from different countries.
- Add throttling of UI refreshes to ensure data is quickly displayed and the tree does not get backed up with requests.
- Improved efficiency of adding a data source with many orphan files.
- Improved efficiency of loading file systems.
- Jython interpreter is preloaded at application startup.
Misc bug fixes and improvements:
- Fixed bug from last release where hex content viewer text was no longer fixed width.
- Altered locking to allow multiple data sources to be added at once more smoothly and to support batch inserts of file data.
- Central repository comments will no longer store tag descriptions.
- Account type nodes in the Accounts tree show counts.
- Full time stamps displayed for messages in ingest inbox.
- More detailed status during file exports.
- Improved efficiency of adding timeline events.
- Fixed bug with CVT most recent filter.
- Improved documentation and support for running on Linux/macOS.
New UI Features:
- Added Document view to File Discovery.
- Expanded Context Content Viewer to show if an app accessed a file.
- Added translation feature to Message Content Viewer.
- Added waypoint type filter to the Geolocation viewer.
- Added zoom feature to Indexed Text Content Viewer.
New Ingest Modules Features:
- New GPX ingest module.
- New Drone ingest module for DJI drones based on DatCon.
- Create artifacts for files opened by Adobe Reader, Windows Media Player, Office Docs (Most Recently Used (MRU) and TrustRecords), 7Zip MRU, WinRAR MRU, Applets, Microsoft Management Console (MMC) via RegRipper.
New Central Repository Features:
- Central Repository stores account IDs that were previously seen.
- Central Repository is enabled by default to store past hashes. Feature to flag previously seen files is disabled by default.
Other New Features:
- Multi-user cases can be created via command line
- Prevent entire application from crashing when gstreamer crashes on videos.
- Improve Geolocation viewer with large data sets.
- Fix error with non-sector aligned reads on local disks.
- Times from Recycle Bin files are now in timeline.
- Validate timeline events and ignore events too far in the future.
- Moved some database queries off of UI thread.
- Remove hard coded sizes from UI that cause issues with other languages.
- New File Discovery UI that allows you to search and filter for certain types of files. Works best with the Central Repository storing all of the hashes you've seen.
- New Map viewer that uses either Bing (when online) or offline map tiles.
- Communications UI shows country names for phone numbers and fixed bug in summary panel.
- Fixed bugs in timeline filtering.
- Refactored backend timeline filtering code based on The Sleuth Kit data model changes to remove JavaFX dependency.
- Added limited support for APFS disk images. Does not include encrypted volumes or ones that span multiple disks. Uses contribution to The Sleuth Kit from Black Bag Technologies.
- New data source processor that parses “XRY File Exports”.
- Added a new “Context” viewer to show where a file came from. Currently shows what message a file was attached to or what URL a file was downloaded from.
- Added support to seek and change playback speed for videos in “Application” viewer.
- Improved support for Unicode HTML files in “Application” viewer.
- Added support for webp image files in “Application” viewer.
- Keyword Search module uses Decodetect statistical encoding detection for plain text files. Fixes issues with incorrect detection of Japanese files.
- Embedded File Extractor module uses statistical analysis to determine encoding of file names in ZIP files. Fixes issues with ZIP files created on Windows Japanese computers.
- Solr (Keyword Search module) now uses Japanese-specific tokenization using Kuromoji.
- Fixed Shellbags module in RegRipper (used by Autopsy Recent Activity module) to fix parsing errors.
- Plaso module no longer generates an error if enabled for non-disk image data sources.
- Added support for message attachments that are stored as an external file system file. Expanded Email and Android modules to use this technique.
- Fixed crashes by gstreamer when a video is selected.
- Added initial capability to delete a data source from a case (excludes data in the CR).
- Changed behavior of portable case menu item to automatically open the case and warn if it was already unpacked.
- Fixed bug that caused issues when case metadata had Unicode values.
- Added new Attachment APIs to the CommunicationsArtifactHelper class to support attachments stored as external file system files.
- Switch from Oracle JDK to OpenJDK.
- Full command line support (case creation, adding of data sources, running ingest, and generating reports).
- Output can be individual files instead of VHD image (uses less space).
- More fine grained progress during collection and importing.
- Log of files and make artifacts.
- All console messages are saved to a log file too.
- Improved handling of cancellation when adding results into a case.
- Added Android support as Python modules for: Android installed apps, Android browser, Facebook Messenger, IMO, LINE, Opera, ORUX Maps, Samsung SBrowser, Skype, ShareIt, TextNow, Viber, WhatsApp, Xender, Zapya.
- Recycle Bin files are parsed in Recent Activity module, new artifacts are created, and deleted file entries are created at the original location of the deleted files. Code is based on Mark McKinnon’s RecycleBin module (https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Recycle_Bin).
- ShellBag registry data is extracted from RegRipper in the Recent Activity module. New artifacts are recreated for the data. Based on Mark McKinnon’s “Parse ShellBags” module (https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Parse_Shellbags).
- Additional data is extracted about users from SAM hive in Recent Activity module. Data includes password dates, permissions, groups, and full name. Based on Mark McKinnon’s “Parse SAM” module (https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Parse_SAM).
- Email ingest module parses EML files. Based on Mark McKinnon’s “EML Parser” module (https://github.com/markmckinnon/Autopsy-Plugins/tree/master/EML_Parser).
- Fixed bug in MBOX module that caused attachments to have a “_” in the name.
- New Plaso ingest module that runs Plaso and generates events for the timeline.
- Fixed bug in Email module for VCard files to better parse phone number types.
- Keyword Search module waits longer for Solr to start to prevent incorrectly reporting a problem and disabling the feature.
- Embedded file extractor module was updated to not report compression bombs for GZIP files.
- New approach for storing event data. A dedicated events table exists and is populated as files and artifacts are added to the database. No longer requires an explicit step of populating a local events table.
- Users can create their own events from the Timeline UI.
- Filtering was simplified based or existence of tag or hash set hit versus a specific name.
- Fixed bug that hid contact book entries with duplicate numbers.
- Fixed bug in schema that caused errors with very long file names.
- CASE report is included in a portable case.
- Image tags are included in portable case.
- More size options for a packaged portable case.
- New Infrastructure to support command line-based generation.
- Developers should use new new Blackboard.postArtifact() method to ensure artifact is indexed and added to the timeline.
- New classes were created to make it easier to write modules for apps.
- Added ability to configure a USB drive to use new logical imager tool.
- Added logical imager tool that runs on a live Windows computer and saves results to a USB drive.
- Added ability to import logical imager results into Autopsy as a data source.
- Changed file type detection so that Tika does not rely only on extension.
- Email ingest module assigns thread IDs to messages
- Android ingest modules store thread ID from their databases.
Content Viewers (lower right of UI):
- New “Text” viewer that consolidates previous Strings and “Indexed Text” viewers.
- New “Translation” panel was added to the new “Text” viewer.
- Added integration with Google and Bing translation (credentials required)
- Redesigned “Other Occurrences” viewer to have 4th column with details of selected item.
- Added Willi Ballentin’s “Registry Hive Viewer” panel to the “Application” viewer.
- Improved HTML viewer to use style sheets and better layout.
- Added ability to draw a box on a picture while tagging it.
Result Table (upper right of UI)
- Added paging to all views for faster loading of large data sets.
- Improved speed of displaying results when a column was sorted.
- Portable cases can contain files marked as Interesting Items
- Portable cases can be compressed and chunked
- “Files - Text” report can use either tabs or commas as the delimiter
- “Files - Text” report better handles Unicode text.
- Added ability to create a CSV report for the contents of a table
- HTML report for tagged pictures includes a copy with the overlay box
- Added Account Summary view
- Added Contacts panel to show all contacts associated with an account.
- Added Media panel to show media attachments associated with an account
- Added filter to show accounts if they involved with the most recent messages.
- Messages can be grouped by thread.
- New Test button was added to help diagnose permission and configuration issues.
- Created new Triage Standard Operating Procedure (SOP) section to the User Docs
- Hashes can optionally be entered when adding a disk image data source to a case.
- Acquisition details can be stored when the data source is added.
- Added support for Microsoft Edge browser (cookies, history, and bookmarks)
- Added support for Safari web browser (downloads, cookies, history, and bookmarks)
- Expanded Chrome browser support to include cache parsing and form/auto fill.
- Expanded Firefox browser support to extract form/auto fill fields.
- Parse Zone.Identifier files to identify the source of files.
- Added a TSK_SOURCE artifact to downloaded files to help users trace back to where it came from.
- Added support for parsing vCards (virtual cards).
- Extract more information about Windows user accounts (number of logins, creation date, and last login)
- Detect more operating system types, which get saved as a TSK_OS_INFO artifact.
- Detect Android media cards, which gets saved as a TSK_DATA_SOURCE_USAGE artifact.
- The Application content viewer now displays HTML files.
- Video playback now uses gstreamer on 64-bit systems, which supports more video formats.
- Pictures can be rotated and zoomed in the Application content viewer.
- The Other Occurrences content viewer layout was reorganized to make viewing the data easier.
- New "Data Source Summary" panel shows high-level statistics and details about the data sources in the case.
- Data sources are now listed in the data sources tree in alphabetical order.
- The presentation of finding common properties within a case was revised to group results in a more helpful way.
Report / Export:
- Portable Cases can be created based on tagged data. These cases contain a subset of the case data and can be opened anywhere.
- Users can now choose tabs or commas as the delimiter for a files report.
- Case notes are included in the HTML report.
- Added a new file type that allows module writers to specify a file based on its byte range.
- Data sources can be analyzed and have a CASE/UCO report generated using only the command line.
- Decreased the time required to execute inter-case common properties searches of the Central Repository.
- Assorted small bug fixes are included.
- Central Repository
- Case Manager shows data source details
- SSID, MAC address, IMEI, IMSI, and ICCID can be stored and correlated on
- SSID, MAC address, IMEI, IMSI, and ICCID values from past cases are flagged if they are seen again in the current case.
- File types can be specified when searching for common files with past cases.
- Results from finding common files with past cases is now organized by case instead of by number of occurrences.
- The Central Repository can now be searched for a specific value (hash, email, etc.)
- The E01 Verifier ingest module was renamed to Data Source Integrity module and it will:
- Calculate hashes if none exist for a non-E01 data source
- Validate hashes if they are defined
- MD5, SHA1, or SHA256 hash values of raw data sources can now be specified when they are added.
- Added the ability for examiners to select the time zone for displaying dates.
- Tesseract OCR text extraction for keyword search now supports languages other than
English, if language packs are installed.
- Custom headers and footers can now be added to HTML reports.
- New report module to export basic file data in CASE/UCO format.
- Ingest filter rules (for triage) can now specify a list of extensions (such as "jpg,jpeg,png") instead of needing to make a rule for each extension.
- Image Gallery
- Refactored to ensure database was fully closed when case was closed.
- No longer pre-populate DrawableDB database.
- Added caching to reduce time required to insert files after analysis.
- Duplicate interesting item and EXIF metadata artifacts are no longer created
when you run the modules that generate them more than once.
- The Application content viewer now displays SQLite table column names even
when the table is empty.
- Assorted small bug fixes are included.
This release has only Image Gallery fixes, but one of the bugs can cause the entire application to hang if there is a ' in the name.
- Fixed possible ingest deadlock from Image Gallery database inserts.
- Image Gallery does not need lock on Case DB during pre-population, which makes UI more responsive.
- Other misc Image Gallery fixes.
- Removed data from table that are time intensive and can be found in content viewers (such as hash set hits)
- Added ability to find common items (files, emails, etc.) between current case and past cases using the Central Repository.
- Added ability to ignore common items that exist in a large number of cases by using Central Repository data.
- Data is validated and normalized before being entered into the Central Repository.
- Allow users to specify that an ad-hoc keyword search should not be saved to database
- New “Annotations” content viewer that shows all tags and comments associated with an item
- Added 2 icons to the table to show the item’s score (if it is notable or suspicious) and if it has a comment.
- Added column to the table to show previous number of occurrences.
- Tags are now associated with the user (in a multi-user environment) and you can hide other people’s tags
- New Display options area that unifies various new settings.
- Hash sets can be copied into the user’s config folder (AppData), which makes it easier to run Autopsy from a Live Triage USB and not care about what drive letter it gets.
- Image Gallery stores its groups and seen status in Case DB instead of its own.
- Image Gallery works better in multi-user setups and reloads the database when other nodes add data sources.
- Image Gallery saves which user saw a group and gives user option of seeing only their unseen groups or all unseen groups.
- Saves last export location and pre-populates that in the file picker
- Provide feedback about why some right click options are disabled (ingest is running, not file content, etc.)
- Substring keyword search is more accurate (now uses regular expression)
- New text extractor for SQLite that better deals with full text search tables
- Better deal with Unicode text files that do not have Byte Order Marker
- Embedded file extractor module is now faster because it uses a different 7ZIP API.
- Fixed various HTML report bugs
- Duplicate hash set hits are not created when you run the Hash Ingest Module twice.
- Auto ingest (in Experimental) scan times of input folders is faster.
- Data Source Grouping:
-- The case tree view can now be grouped by data source.
-- Keyword and file search can now be restricted to a data source.
- Central Repository / Correlation:
-- New common files search feature that finds files that exist in multiple devices in the same case.
-- The Other Occurrences content viewer now shows matches in the current case (in addition to central repository).
-- Central repository options panel now shows cases that are in repo.
- A comment about a file can be created and saved in the central repository so that future cases and see it.
- Keyword Search:
-- Can enable OCR text extraction of PDF and JPG files using Tesseract.
-- Keyword search module normalizes Unicode text.
-- Keyword search module uses ICU to convert text files that do not have a BOM.
-- Tagging menu changed to have user defined tags at top and "quick tag" removed one level of menus.
-- New "Replace Tag" feature to change the tag on an item.
-- SQLite tables can be now be exported to CSV files.
-- An interesting file artifact is now created when a "zip bomb" is detected.
-- An object detection ingest module was added to the Experimental module. It requires an OpenCV trained model.
- Expanding the case tree is more efficient.
- Improved "zip bomb" detection.
- Assorted small bug fixes are included.