S&T enhancing the Autopsy digital forensics tool

·  Advanced Timeline Visualization—New features will be added to the timeline module, including integration with existing open-source parsing tools and the ability to create and highlight events and to filter by file type, so investigators can analyze activity and determine what occurred more efficiently.

Each capability enhancement was identified through a survey of law enforcement agencies conducted by Cambridge, Massachusetts-based Basis Technology Corporation, Autopsy’s primary developer. Basis Technology asked agencies about their biggest challenges and where they spend the bulk of their investigative time. These new and enhanced capabilities will be provided through future open-source releases of Autopsy.

“These enhancements will substantially increase Autopsy’s ease-of-use for law enforcement agencies,” said Megan Mahle, program manager of S&T’s Cyber Security Forensics project. “The modules we’re focusing on through our effort will add new functionalities and promote flexibility for use by each law enforcement investigator.”

Autopsy — built as an extensible platform — has thousands of users around the world and is downloaded an average of 4,000 times each week. It supports all types of criminal investigations—from fraud to terrorism to child exploitation. As an open-source platform, it is a cost-effective tool investigators can use to solve crimes, especially in these days of shrinking budgets. Beyond the core development activity, the platform also supports third-party modules, whether open or closed source.

The easy-to-use software system has the standard forensic tool features regularly used by federal, state, and local law enforcement organizations, including disk-image analysis, hash-set analysis, indexed keyword search, registry analysis, and Android and web-artifact analysis. Additionally, Autopsy includes less common capabilities such as support for multi-user cases, automated ingest, and correlation analysis. It is taught at many law enforcement conferences and training courses, including at DHS’s four Federal Law Enforcement Training Centers, and is used by many agencies as either a primary or a validation tool for casework.

The overarching Cyber Security Forensics project develops solutions that law enforcement uses to investigate criminal activity. It addresses the specific needs of DHS law enforcement components and collaborates with investigators from federal, state, and local agencies as well as international partners. The project encompasses efforts in the persistent areas of cyber forensics, including mobile device forensics, GPS forensics, and data acquisition and analysis.

Project requirements are established by the Cyber Forensics Working Group (CFWG), which is composed of representatives from law enforcement agencies at all levels of government. The group, led by CSD, meets biannually to discuss capability gaps, prioritize technology development foci, and set solution requirements. Members also serve as testing-and-evaluation partners for prototype technologies developed through the project.

S&T notes that over the last several years, the Cyber Security Forensics project has transitioned the following technologies in support of law enforcement organizations nationwide.

· Tutorials on accessing and analyzing disposable mobile phones

· Previous Autopsy module enhancements

· iVe, a digital forensics tool that acquires user data from the vehicle infotainment and telematics systems of more than 10,000 vehicle makes and models

The Cyber Security Forensics project, through a partnership with the National Institute of Standards and Technology (NIST), is also providing resources and standards to the broader digital forensics community, including the National Software Reference Library, the Computer Forensics Tool Testing program, and the Computer Forensics Reference Dataset.