Autopsy—an open-source, digital forensics platform used by law enforcement agencies worldwide to determine how a digital device was used in a crime and recover evidence—is being enhanced with the addition of several new capabilities requested by law enforcement.
Nearly every crime committed today involves digital media – such as computers and cell phones. In most cases, these devices contain vital evidence, including call logs, location information, text and email messages, images, and audio and video recordings that could help law enforcement investigators close a case. At the same time, the types and sizes of these devices are proliferating at an incredible rate, but the budgets of most state and local law enforcement agencies are not keeping pace.
Since it was first released 15 years ago, a community has grown around Autopsy development that continues to grow and deliver law enforcement investigators the new capabilities and functionality they have identified as pressing needs. The DHS Science and Technology Directorate previously funded the development and open-source release of Autopsy modules and its stewardship continues today as part of the Cyber Security Division’s (CSD) Cyber Security Forensics project. CSD is part of the Homeland Security Advanced Research Projects Agency.
As part of the current Cyber Forensics project work plan, the following capabilities will be developed or enhanced within Autopsy:
- A New Communication Analysis Framework—This will develop a storage framework for communications-based data and a graphical interface, making it easier for investigators to view messages from a variety of sources, visualize the messages, and see the relationships between accounts.
- Advanced Image Analysis Functionality—This enhancement will expand Autopsy’s existing photo and video analysis capabilities to more efficiently analyze large numbers of images stored on a device’s hard drive.
- Advanced Timeline Visualization—New features will be added, including integration with existing open-source parsing tools, allowing users to create events and highlight events, and filter by file type to the timeline module to more efficiently analyze activity to determine what events occurred.
Each capability enhancement was identified through a survey of law enforcement agencies conducted by Cambridge, Massachusetts-based Basis Technology Corporation, Autopsy’s primary developer. Basis Technology queried agencies about their biggest challenges and where they spend the bulk of their investigative time. These new/enhanced capabilities will be provided through future open-source releases of Autopsy.
“These enhancements will substantially increase Autopsy’s ease-of-use for law enforcement agencies,” said Megan Mahle, program manager of S&T’s Cyber Security Forensics project. “The modules we’re focusing on through our effort will add new functionalities and promote flexibility for use by each law enforcement investigator.”
Autopsy—built as an extensible platform—boasts thousands of users around the world and is downloaded an average of 4,000 times each week. It supports all types of criminal investigations—from fraud to terrorism to child exploitation. As an open-source platform, it is a cost-effective tool investigators can use to solve crimes, especially in these days of shrinking budgets. In addition to the development activity, the platform also supports the incorporation of third-party modules (either open or closed source).
The easy-to-use software system has standard forensic tool features regularly used by federal, state, and local law enforcement organizations, including disk-image analysis, hash-set analysis, indexed keyword search, registry analysis, and Android and web-artifact analysis. Additionally, Autopsy includes unique capabilities such as support for multi-user cases, automated ingest and correlation analysis. It is taught at many law enforcement conferences and training courses, including at DHS’s four Federal Law Enforcement Training Centers, and used by many agencies as either a primary and validation tool for casework.
The overarching Cyber Security Forensics project develops solutions law enforcement use to investigate criminal activity. It addresses DHS law enforcement components specific needs and collaborates with investigators from federal, state, and local agencies as well as international partners. The project encompasses efforts in the persistent areas of cyber forensics, including mobile device forensics, GPS forensics, and data acquisition and analysis.
Project requirements are established by the Cyber Forensics Working Group (CFWG), which is composed of representatives from law enforcement agencies at all levels of government. The group, led by CSD, meets biannually to discuss capability gaps, prioritize technology development foci, and set solution requirements. members also serve as testing-and-evaluation partners for prototype technologies developed through the project.
Over the last several years, the Cyber Security Forensics project has transitioned the following technologies in support of law enforcement organizations nationwide.
- Tutorials on accessing and analyzing disposable mobile phones
- Previous Autopsy module enhancements
- iVe, a digital forensics tool that acquires user data from the vehicle infotainment and telematics systems of more than 10,000 vehicle makes and models
The Cyber Security Forensics project, through a partnership with the National Institute of Standards and Technology, also is providing resources and standards to the broader digital forensics community, including the National Software Reference Library, Computer Forensics Tool Testing and Computer Forensics Reference Dataset.
A screenshot of the Autopsy image gallery module. Displayed within the image gallery is different searches a user could use. The highlighted boxes, noted in yellow, red, blue, orange and green boxes, designates the user’s search criteria.
A screenshot of the Autopsy timeline analysis. The timeline analysis helps a user understand when items such as call logs, location information, text and email messages, images, and audio and video recordings were accessed on an examined device.