Software Update: Autopsy 4.18.0


The Sleuth Kit is a collection of forensic tools for examining a hard drive or memory card in detail, including recovering or partially viewing deleted files. Autopsy is a graphical interface for this kit, and it runs on Linux, macOS and Windows. It is written in Java and released under the Apache 2.0 license. For more information, please refer to this manual. The developers have released version 4.18.0. The changelog for this release is as follows:

Keyword Search:

  • A major upgrade from Solr 4 to Solr 8.6.3. Single user cases continue to use the embedded server.
    Multi-user clusters need to install a new Solr 8 server and can now create a Solr cloud with multiple servers.
    — NOTE: Cases created with Autopsy 4.18 cannot be opened by previous versions of Autopsy. Autopsy 4.18 can open older cases though.
    — See here for more details.
  • Improved text indexing speed by not doing language detection on unknown file formats and unallocated space.

Domain Discovery:

  • Added details view to Domain Discovery to show what web-based artifacts are associated with the selected domain.
  • Updated the Domain Discovery grouping and sorting by options.
  • Added basic domain categorization for webmail-based domains.

Content Viewers:

  • Built more specialized viewers for web-based artifacts.

Data Source Summary:

  • Added a “Geolocations” tab that shows what cities the data source was near (based on geolocation data).
  • Added a “Timeline” tab that shows counts of events from the last 30 days the data source was used.
  • Added navigation buttons to jump from the summary view to the main Autopsy UI (for example to go to the map).

Ingest Modules:

  • New YARA ingest module to flag files based on regular expression patterns.
  • New “Android Analyzer (aLEAPP)” module based on aLEAPP. Previous “Android Analyzer” also still exists.
  • Updated “iOS Analyzer (iLEAPP)” module to create more artifacts and work on disk images.
  • Hash Database module will calculate SHA-256 hash in addition to MD5.
  • Removed Interesting Item rule that flagged existence of Bitlocker (since it ships with Windows).
  • Fixed a major bug in the PhotoRec module that could result in an incorrect file layout if the carved file spanned non-contiguous sectors.
  • Fixed MBOX detection bug in Email module.

Reporting:

  • Attachments from tagged messages are now included in a Portable Case.

Misc:

  • Added support for Ext4 inline data and sparse blocks (via TSK fix).
  • Updated PostgreSQL JDBC driver to support any recent version of PostgreSQL for multi-user cases and PostgreSQL Central Repository.
  • Added personas to the summary viewer in CVT.
  • Handling of bad characters in auto ingest manifest files.
  • Assorted minor bug fixes.


Version number: 4.18.0
Release status: Final
Operating systems: Windows 7, Linux, macOS, Windows 8, Windows 10
Website: The Sleuth Kit
Download: https://github.com/sleuthkit/autopsy/releases/tag/autopsy-4.18.0
License type: GPL