Software-update: Autopsy 4.18.0

The Sleuth Kit is een collectie forensische tools die gebruikt kunnen worden om de harde schijf of geheugenkaartje nader te bekijken. Het is mogelijk om verwijderde bestanden terug te halen of gedeeltelijk te bekijken. Autopsy is een grafische interface voor deze kit, en draait op Linux, macOS en Windows. Het wordt uitgegeven onder de Apache 2.0-licentie en is geschreven in Java. Voor meer informatie verwijzen we naar deze handleiding. De ontwikkelaars hebben een nieuwe versie uitgebracht met 4.18.0 als versienummer. De changelog voor deze uitgave ziet er als volgt uit:

Keyword Search:

• A major upgrade from Solr 4 to Solr 8.6.3. Single user cases continue to use the embedded server.
  Multi-user clusters need to install a new Solr 8 server and can now create a Solr cloud with multiple servers.
  -- NOTE: Cases created with Autopsy 4.18 cannot be opened by previous versions of Autopsy. Autopsy 4.18 can open older cases though.
  -- See here for more details.
• Improved text indexing speed by not doing language detection on unknown file formats and unallocated space.

Domain Discovery:

• Added details view to Domain Discovery to show what web-based artifacts are associated with the selected domain.
• Updated the Domain Discovery grouping and sorting by options.
• Added basic domain categorization for webmail-based domains.

Content Viewers:

• Built more specialized viewers for web-based artifacts.

Data Source Summary:

• Added a “Geolocations” tab that shows what cities the data source was near (based on geolocation data).
• Added a “Timeline” tab that shows counts of events from the last 30 days the data source was used.
• Added navigation buttons to jump from the summary view to the main Autopsy UI (for example to go to the map).

Ingest Modules:

• New YARA ingest module to flag files based on regular expression patterns.
• New “Android Analyzer (aLEAPP)” module based on aLEAPP. Previous “Android Analyzer” also still exists.
• Updated “iOS Analyzer (iLEAPP)” module to create more artifacts and work on disk images.
• Hash Database module will calculate SHA-256 hash in addition to MD5.
• Removed Interesting Item rule that flagged existence of Bitlocker (since it ships with Windows).
• Fixed a major bug in the PhotoRec module that could result in an incorrect file layout if the carved file spanned non-contiguous sectors.
• Fixed MBOX detection bug in Email module.

Reporting:

• Attachments from tagged messages are now included in a Portable Case.

Misc:

• Added support for Ext4 inline data and sparse blocks (via TSK fix).
• Updated PostgreSQL JDBC driver to support any recent version of PostgreSQL for multi-user cases and PostgreSQL Central Repository.
• Added personas to the summary viewer in CVT.
• Handling of bad characters in auto ingest manifest files.
• Assorted small bug fixes.