├── .gitmodules ├── ContentViewerModules ├── BinEd_Binary_Viewer │ └── README.md ├── Event_Log_viewer │ ├── Event_Log_Viewer.nbm │ └── README.md ├── Image_Fingerprint │ ├── README.md │ └── de-fau-imagefingerprintcomparison-modules.nbm ├── Kafka_Viewer │ ├── KafkaLogForensic.nbm │ └── README.md ├── LNK_File_Viewer │ ├── README.md │ └── lnk_file_viewer.nbm ├── Multi_Content │ └── README.md ├── PolySwarm │ └── README.md ├── README.md ├── UsnCorrelation │ ├── README.md │ └── uk-oshawk-UsnCorrelation.nbm ├── Video_Triage │ └── README.md ├── Windows_Prefetch_Viewer │ ├── Prefetch_File_Viewer.nbm │ └── README.md └── Windows_Registry │ └── README.md ├── DataSourceProcessorModules └── README.md ├── DocsForDevelopers ├── DeveloperInstructions.md └── README_template.md ├── IngestModules ├── Amazon_Echosystem_Parser │ └── README.md ├── Antivirus_scanner │ └── README.md ├── Atomic_Wallet │ └── README.md ├── Bam_Key │ └── README.md ├── Bitcoin_Detection │ └── README.md ├── CCM_RecentlyUsedApps │ └── README.md ├── Child_Exploitation_Hashsets │ └── README.md ├── Chrome_Passwords │ ├── README.md │ └── chrome_password_identifier │ │ └── ChromePasswords.py ├── CopyMove │ ├── README.md │ └── de-fau-copymoveforgerydetection.nbm ├── Create_Datasource_Hashset │ └── README.md ├── Create_Preview_Data_Container │ └── README.md ├── Cuckoo │ └── README.md ├── EML_Parser │ └── README.md ├── FaceRadar │ └── README.md ├── FileHistory │ └── README.md ├── ForensicVM │ └── README.md ├── GoogleDrive │ ├── README.md │ └── google_drive │ │ └── GDrive.py ├── IE Tiles │ ├── README.md │ └── ie_tiles │ │ └── IETiles.py ├── Jump_List_AD │ └── README.md ├── Log Forensics │ ├── LFA.zip │ └── README.md ├── MS_Office_Telemetry_Parser │ └── README.md ├── MacFSEvents │ └── README.md ├── MacOSX_Account_Parser │ ├── .gitignore │ ├── README.md │ ├── biplist │ │ └── __init__.py │ └── macosx_account_parser.py ├── MacOSX_Recent │ └── README.md ├── MacOSX_Safari │ └── README.md ├── Microsoft_Teams_Parser │ └── 
README.md ├── Parse_Plist │ └── README.md ├── Parse_SAM │ └── README.md ├── Parse_SQLite_Databases │ └── README.md ├── Parse_SQLite_Del_Records │ └── README.md ├── Parse_Shellbags │ └── README.md ├── Parse_USNJ │ └── README.md ├── Plaso │ └── README.md ├── Process_ActivitiesCache │ └── README.md ├── Process_Amcache │ └── README.md ├── Process_Appx_Programs │ └── README.md ├── Process_Appxreg_Programs │ └── README.md ├── Process_EVTX │ └── README.md ├── Process_EVTX_By_EventID │ └── README.md ├── Process_Extract_VSS │ └── README.md ├── Process_Facebook_Chats │ └── README.md ├── Process_Prefetch_Files_V41 │ └── README.md ├── Process_SRUDB │ └── README.md ├── Process_TeraCopy │ └── README.md ├── Process_Windows_Mail │ └── README.md ├── README.md ├── Recycle_Bin │ └── README.md ├── Registry-Explorer │ └── README.md ├── Shimcache_parser │ └── README.md ├── Skype │ ├── README.md │ └── skype_analyzer │ │ └── Skype.py ├── SmutDetect_Skintone │ ├── 20141204_SmutDetect4Autopsy_1.0.2.nbm_.zip │ └── README.md ├── Spotlight_Parser │ └── README.md ├── Thumbcache_parser │ └── README.md ├── Thumbs_parser │ └── README.md ├── Timesketch │ └── README.md ├── UsnCorrelation ├── VirusTotal │ ├── README.md │ └── org-sleuthkit-autopsy-modules-virustotalonlinecheck.nbm ├── Volatility │ └── README.md ├── Webcache │ └── README.md ├── WindowsRegistryIngestModule │ └── README.md ├── Windows_Communication_App │ ├── README.md │ └── windows_communication_App │ │ └── WindowsCommAppFileIngestModule.py ├── Windows_Internals │ └── README.md ├── cLeapp │ ├── README.md │ └── cleappanalyzer.nbm ├── hash_images │ └── README.md ├── iPhone_Backup_Plist_Analyzer │ ├── README.md │ └── connected_iphone_analyzer │ │ └── Iphones.py ├── rLeapp │ ├── README.md │ └── rleappanalyzer.nbm ├── sdhash │ ├── README.md │ └── autopsy-ahbm.nbm └── vLeapp │ ├── README.md │ └── vleappanalyzer.nbm ├── README.md ├── ReportModules ├── FEA-Forensic_Enhanced_Analysis │ └── README.md ├── ForensicExpertWitnessReport │ └── README.md 
├── README.md └── SPAI_Model_Report_Module │ └── SPAI_Model_Report_Module │ ├── README.md │ ├── SPAIModelReportModule$py.class │ ├── SPAIModelReportModule.py │ ├── SPAIModelReportModule_py_GPL_License.txt │ ├── base_folder │ ├── Ajuda.htm │ └── autorun.inf │ └── res │ ├── Background.gif │ ├── Bookmarks.css │ ├── Footer.gif │ ├── Header.gif │ ├── ajuda_estilo.css │ ├── ajuda_main.css │ ├── bg_nav.jpg │ ├── common.css │ ├── icon.ico │ └── navigation.css └── images └── download.png
/.gitmodules:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sleuthkit/autopsy_addon_modules/38e9e5934bca90f68d3acf421ddef8910ffb9b4b/.gitmodules
--------------------------------------------------------------------------------
/ContentViewerModules/BinEd_Binary_Viewer/README.md:
--------------------------------------------------------------------------------
- __Description:__ Alternative binary/hexadecimal data content viewer and file viewer/editor plugin.
- __Author:__ ExBin Project
- __Minimum Autopsy version:__ 4.20.0
- __Module Location__: https://bined.exbin.org/autopsy-plugin/
- __Source Code:__ https://github.com/exbin/bined-autopsy-plugin
- __License:__ Apache V2.0 License
--------------------------------------------------------------------------------
/ContentViewerModules/Event_Log_viewer/Event_Log_Viewer.nbm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sleuthkit/autopsy_addon_modules/38e9e5934bca90f68d3acf421ddef8910ffb9b4b/ContentViewerModules/Event_Log_viewer/Event_Log_Viewer.nbm
--------------------------------------------------------------------------------
/ContentViewerModules/Event_Log_viewer/README.md:
--------------------------------------------------------------------------------
- __Description:__ A module package containing a Data Content Viewer. Allows the user to view individual Event Log (EVTX) files from a Windows system.
- __Author:__ Mark McKinnon
- __Minimum Autopsy version:__ 4.18.0
- __Source Code:__ https://github.com/markmckinnon/Autopsy-NBM-Plugins/tree/main/AutopsyEventLogViewer
- __License:__ Apache V2.0 License
--------------------------------------------------------------------------------
/ContentViewerModules/Image_Fingerprint/README.md:
--------------------------------------------------------------------------------
- __Description:__ A module package containing a File Ingest Module and its corresponding Data Content Viewers. Allows the user to create different perceptual hashes as fingerprints from images in the datasource. This also creates an additional database, which is managed from the expanded options menu of the ingest module. Images can be compared to images in the database. Please read the readme before using the package.
- __Author:__ Tobias Maushammer
- __Minimum Autopsy version:__ 4.1.0
- __Source Code:__ https://github.com/LoWang123/ImageFingerprintModulePackage
- __License:__ The MIT License (MIT)
--------------------------------------------------------------------------------
/ContentViewerModules/Image_Fingerprint/de-fau-imagefingerprintcomparison-modules.nbm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sleuthkit/autopsy_addon_modules/38e9e5934bca90f68d3acf421ddef8910ffb9b4b/ContentViewerModules/Image_Fingerprint/de-fau-imagefingerprintcomparison-modules.nbm
--------------------------------------------------------------------------------
/ContentViewerModules/Kafka_Viewer/KafkaLogForensic.nbm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sleuthkit/autopsy_addon_modules/38e9e5934bca90f68d3acf421ddef8910ffb9b4b/ContentViewerModules/Kafka_Viewer/KafkaLogForensic.nbm
--------------------------------------------------------------------------------
/ContentViewerModules/Kafka_Viewer/README.md:
--------------------------------------------------------------------------------
- __Description:__ Kafka Log Forensic is a Data Content Viewer for the big data streaming software Apache Kafka. It allows the user to view records stored cluster-side in Apache Kafka log files.
- __Author:__ Tom Wayne
- __Minimum Autopsy version:__ 4.18.0
- __Source Code:__ https://github.com/tomwayne1984/autopsy_kafka_forensics/tree/main/source
- __License:__ GNU GPL v3
--------------------------------------------------------------------------------
/ContentViewerModules/LNK_File_Viewer/README.md:
--------------------------------------------------------------------------------
- __Description:__ A module package containing a Data Content Viewer. Allows the user to view individual Link (*.lnk) files from a Windows system.
- __Author:__ Mark McKinnon
- __Minimum Autopsy version:__ 4.16.0
- __Source Code:__ https://github.com/markmckinnon/Autopsy-NBM-Plugins/tree/main/LNK_File_Viewer
- __License:__ Apache V2.0 License
--------------------------------------------------------------------------------
/ContentViewerModules/LNK_File_Viewer/lnk_file_viewer.nbm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sleuthkit/autopsy_addon_modules/38e9e5934bca90f68d3acf421ddef8910ffb9b4b/ContentViewerModules/LNK_File_Viewer/lnk_file_viewer.nbm
--------------------------------------------------------------------------------
/ContentViewerModules/Multi_Content/README.md:
--------------------------------------------------------------------------------
- __Description:__ Content viewer for dozens of file types: html, pdf, eml, emlx, rtf, doc, docx, xls, xlsx, ppt, pptx, odt, ods, odp, wps, wpd, sxw, eps, dbf, csv, tif, emf, wmf, odg, pcx, pbm, svg, pict, vsd, psd, cdr, dxf, and more. Also highlights and enables navigation through keyword hits on the rendered preview.
- __Author:__ Luis Filipe Nassif
- __Minimum Autopsy version:__ 3.1
- __Module Location__: https://github.com/lfcnassif/MultiContentViewer/releases
- __Source Code:__ https://github.com/lfcnassif/MultiContentViewer
- __License:__ LGPL v3.0
--------------------------------------------------------------------------------
/ContentViewerModules/PolySwarm/README.md:
--------------------------------------------------------------------------------
- __Description:__ Perform hash lookups and file scans on PolySwarm via the right-click menu on files.
- __Author:__ PolySwarm Developers
- __Minimum Autopsy version:__ 4.8.0
- __Current Source Code and Releases:__ https://github.com/polyswarm/autopsy-module/releases
- __Original Source Code:__ https://github.com/polyswarm/autopsy-module
- __License:__ MIT
--------------------------------------------------------------------------------
/ContentViewerModules/README.md:
--------------------------------------------------------------------------------
# Content Viewer Modules

Content viewer modules are located in the lower right of Autopsy and in other panels (such as the timeline). They allow the user to view or analyze a specific file in different ways.
--------------------------------------------------------------------------------
/ContentViewerModules/UsnCorrelation/README.md:
--------------------------------------------------------------------------------
- __Description:__ Uses `$UsnJrnl` to create file history timelines and recover information about deleted files.
- __Author:__ Oshawk
- __Minimum Autopsy version:__ 4.21.0 (no others tested)
- __Module Location__: Here (and https://github.com/Oshawk/usn-correlation)
- __Website:__ https://github.com/Oshawk/usn-correlation
- __Source Code:__ https://github.com/Oshawk/usn-correlation
- __License:__ MIT
--------------------------------------------------------------------------------
/ContentViewerModules/UsnCorrelation/uk-oshawk-UsnCorrelation.nbm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sleuthkit/autopsy_addon_modules/38e9e5934bca90f68d3acf421ddef8910ffb9b4b/ContentViewerModules/UsnCorrelation/uk-oshawk-UsnCorrelation.nbm
--------------------------------------------------------------------------------
/ContentViewerModules/Video_Triage/README.md:
--------------------------------------------------------------------------------
- __Description:__ Analyzes video files and displays a series of images so that you can get a basic idea of what the video contains without viewing the entire thing.
- __Author:__ Basis Technology
- __Minimum Autopsy version:__ 3.0.7
- __Module Location__: https://www.autopsy.com/add-on-modules/video-triage/
- __License:__ Closed source
--------------------------------------------------------------------------------
/ContentViewerModules/Windows_Prefetch_Viewer/Prefetch_File_Viewer.nbm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sleuthkit/autopsy_addon_modules/38e9e5934bca90f68d3acf421ddef8910ffb9b4b/ContentViewerModules/Windows_Prefetch_Viewer/Prefetch_File_Viewer.nbm
--------------------------------------------------------------------------------
/ContentViewerModules/Windows_Prefetch_Viewer/README.md:
--------------------------------------------------------------------------------
- __Description:__ A module package containing a Data Content Viewer. Allows the user to view individual Prefetch (*.pf) files from a Windows system.
- __Author:__ Mark McKinnon
- __Minimum Autopsy version:__ 4.18.0
- __Source Code:__ https://github.com/markmckinnon/Autopsy-NBM-Plugins/tree/main/Prefetch_File_Viewer
- __License:__ Apache V2.0 License
--------------------------------------------------------------------------------
/ContentViewerModules/Windows_Registry/README.md:
--------------------------------------------------------------------------------
- __Description:__ Content viewer that analyzes a registry hive and allows you to navigate the tree and its key and value pairs. Functions something like Regedit.exe. Winner of the OSDFCon 2013 challenge.
- __Author:__ Willi Ballenthin
- __Minimum Autopsy version:__ 3.0.7
- __Current Source Code and Releases:__ https://github.com/sleuthkit/Autopsy-WindowsRegistryContentViewer
- __Original Source Code:__ https://github.com/williballenthin/Autopsy-WindowsRegistryContentViewer
- __License:__ Apache 2
--------------------------------------------------------------------------------
/DataSourceProcessorModules/README.md:
--------------------------------------------------------------------------------
# Data Source Processor Modules

Data source processor modules are used to add data sources to a case. They are responsible for parsing input data and populating the database with files (or other items) so that ingest modules and other modules can analyze them.
--------------------------------------------------------------------------------
/DocsForDevelopers/DeveloperInstructions.md:
--------------------------------------------------------------------------------
This document outlines how to get your Autopsy module into this repository. The goal of this repository is to make it easy for Autopsy users to get the latest versions of modules and know what modules exist.

Our goal is to make this as simple as possible for you so that you can get the biggest userbase for your module.

1. Fork this repo so that you can make a pull request.
2. Make a folder in the appropriate folder based on your type of module. The folder name should be descriptive about what the module does.
3. Copy the DocsForDevelopers/README_template.md file into your folder and name it README.md.
4. Fill in as much README.md info as possible and add more items that you think are relevant.
5. Decide where you will be storing the module. Options include:
   - Place a copy of the NBM or Python ZIP file into the current folder.
   - If the NBM or ZIP file contains several modules and each has its own folder, then pick which folder will contain the NBM or ZIP; the other folders should refer to that folder in their README.md. We do not want multiple copies of the same NBM/ZIP.
   - Host the NBM or ZIP on your own site and put the URL into the README.md.
6. Copy your NBM or Python ZIP file into the folder. Or, if you would prefer to host the module, then ensure that the URL is listed in the README.md file.
7. Submit a pull request.

If you have any questions, please create an Issue on the repository.
--------------------------------------------------------------------------------
/DocsForDevelopers/README_template.md:
--------------------------------------------------------------------------------
- __Description:__ Module does X, Y, and Z.
- __Author:__ John Doe (Email optional)
- __Minimum Autopsy version:__ 4.0.0
- __Module Location__: (Only use this if module is at another site or in a different folder on this repo)
- __Website:__ URL of website if it contains more documentation, etc.
- __Source Code:__ URL here if open source
- __License:__ License name here
--------------------------------------------------------------------------------
/IngestModules/Amazon_Echosystem_Parser/README.md:
--------------------------------------------------------------------------------
- __Description:__ Parse the databases from an Amazon Alexa image.
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows, Linux
- __Module Location__: https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Amazon_Echosystem_Parser
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Amazon_Echosystem_Parser
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Amazon_Echosystem_Parser
- __License:__ GNU General Public License Version 3
--------------------------------------------------------------------------------
/IngestModules/Antivirus_scanner/README.md:
--------------------------------------------------------------------------------
- __Description:__ Module for malware scanning using the ClamAV antivirus engine.
- __Author:__ Askar Dyussekeyev
- __Minimum Autopsy version:__ 4.19.3
- __Module Location__: https://github.com/dyussekeyev/ClamPsy/releases
- __Website:__ https://github.com/dyussekeyev/ClamPsy/blob/main/README.md
- __Source Code:__ https://github.com/dyussekeyev/ClamPsy
- __License:__ MIT License
--------------------------------------------------------------------------------
/IngestModules/Atomic_Wallet/README.md:
--------------------------------------------------------------------------------
- __Description:__ Parse Atomic Wallet artifacts: the connections log and cryptocurrency transactions.
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows, Linux
- __Module Location__: https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Atomic_Wallet
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Atomic_Wallet
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Atomic_Wallet
- __License:__ GNU General Public License Version 3
--------------------------------------------------------------------------------
/IngestModules/Bam_Key/README.md:
--------------------------------------------------------------------------------
- __Description:__ Parse the BAM (Background Activity Moderator) key, which records per-user program execution, from the SYSTEM registry hive.
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows, Linux
- __Module Location__: https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Bam_Key
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Bam_Key
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Bam_Key
- __License:__ GNU General Public License Version 3
--------------------------------------------------------------------------------
/IngestModules/Bitcoin_Detection/README.md:
--------------------------------------------------------------------------------
- __Description:__ Module can detect traces of Electrum, the Ledger Live app, bitaddress.org and Ledger Nano X connections (USB; Bluetooth) on Windows 10 systems.
- __Author:__ dgo-berlin (https://github.com/dgo-berlin)
- __Minimum Autopsy version:__ 4.19.2
- __Module Location__: https://github.com/dgo-berlin/bitcoin_usage_detection_autopsy_plugin/blob/master/BitcoinDetection/build/org-bitcoin-detection.nbm
- __Website:__ https://github.com/dgo-berlin/bitcoin_usage_detection_autopsy_plugin/
- __Source Code:__ https://github.com/dgo-berlin/bitcoin_usage_detection_autopsy_plugin/tree/master/BitcoinDetection/src
--------------------------------------------------------------------------------
/IngestModules/CCM_RecentlyUsedApps/README.md:
--------------------------------------------------------------------------------
- __Description:__ This plugin parses the WMI repository for CCM_RecentlyUsedApps (SCCM) records of recently used applications.
- __Author:__ Mark McKinnon - Mark dot McKinnon at Gmail dot Com
- __Minimum Autopsy version:__ 4.1.0
- __OS's supported on:__ Windows, Linux
- __Module Location__: https://github.com/markmckinnon/Autopsy-Plugins/tree/master/CCM_RecentlyUsedApps
- __Website:__ https://medium.com/@markmckinnon_80619/ccm-recentlyusedapps-e4f11baf63d6
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/CCM_RecentlyUsedApps
- __License:__ GPL. The full license can be found in CCM_RecentlyUsedAppst_py_GPL_License.txt
--------------------------------------------------------------------------------
/IngestModules/Child_Exploitation_Hashsets/README.md:
--------------------------------------------------------------------------------
- __Description:__ Hash lookup modules that integrate with [ProjectVic](http://www.projectvic.org/) and C4All databases.
These allow you to use Autopsy in child exploitation investigations and leverage hashsets of pre-categorized images.
- __Author:__ Basis Technology
- __Minimum Autopsy version:__ 3.1.0
- __Module Location__: https://www.autopsy.com/add-on-modules/le-bundle-module/
- __Website:__ https://www.autopsy.com/add-on-modules/le-bundle-module/
- __License:__ Closed source
--------------------------------------------------------------------------------
/IngestModules/Chrome_Passwords/README.md:
--------------------------------------------------------------------------------
- __Description:__ The plugin goes through identified Chrome password databases (the `Login Data` SQLite file) and extracts the site, user name, creation date and usage count of each saved credential. Passwords themselves are not decrypted. The presence of saved credentials can demonstrate knowledge of an account and help in triaging.
- __Author:__ Tom Van der Mussele
- __Minimum Autopsy version:__ 4.3.0
- __Source Code:__ https://github.com/tomvandermussele/autopsy-plugins/tree/master/Chrome%20Passwords%20Identifier
- __License:__ GNU General Public License Version 3
--------------------------------------------------------------------------------
/IngestModules/Chrome_Passwords/chrome_password_identifier/ChromePasswords.py:
--------------------------------------------------------------------------------
```python
# This module extracts the user names and web sites stored in Chrome's
# "Login Data" databases and organizes them in the Tree Viewer window.
#
# Please note this is a non-exhaustive extraction of data; it is recommended to
# manually inspect the database for more forensic artifacts and use this as an
# indicator. The password_value column is not read: Chrome stores it encrypted
# (DPAPI, or AES under a key kept outside the database), so this module only
# shows that a credential for a site was saved, not what it was.
#
# Contact: Tom Van der Mussele [tomvandermussele gmail [dot] com]
#
# This is free and unencumbered software released into the public domain.
#
# Anyone is free to copy, modify, publish, use, compile, sell, or
# distribute this software, either in source code form or as a compiled
# binary, for any purpose, commercial or non-commercial, and by any
# means.
#
# In jurisdictions that recognize copyright laws, the author or authors
# of this software dedicate any and all copyright interest in the
# software to the public domain. We make this dedication for the benefit
# of the public at large and to the detriment of our heirs and
# successors. We intend this dedication to be an overt act of
# relinquishment in perpetuity of all present and future rights to this
# software under copyright law.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
# IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
# OTHER DEALINGS IN THE SOFTWARE.
#
# Chrome Saved passwords identifier - tvdm
#
# Runs as a Jython data source ingest module inside Autopsy (Python 2 syntax).

import inspect
import os

from java.lang import Class
from java.sql import DriverManager, SQLException
from java.util.logging import Level
from java.io import File
from org.sleuthkit.datamodel import BlackboardAttribute
from org.sleuthkit.autopsy.ingest import IngestModule
from org.sleuthkit.autopsy.ingest import DataSourceIngestModule
from org.sleuthkit.autopsy.ingest import IngestModuleFactoryAdapter
from org.sleuthkit.autopsy.ingest import IngestMessage
from org.sleuthkit.autopsy.ingest import IngestServices
from org.sleuthkit.autopsy.ingest import ModuleDataEvent
from org.sleuthkit.autopsy.coreutils import Logger
from org.sleuthkit.autopsy.casemodule import Case
from org.sleuthkit.autopsy.datamodel import ContentUtils


# Factory that defines the name and details of the module and allows Autopsy
# to create instances of the modules that will do the analysis.
class ChromePWIngestModuleFactory(IngestModuleFactoryAdapter):

    moduleName = "Chrome Saved Passwords Identifier - tvdm"

    def getModuleDisplayName(self):
        return self.moduleName

    def getModuleDescription(self):
        return ("Identifies Chrome Password databases and extracts information which could be used as "
                "indications. The saved passwords can demonstrate knowledge. Note: They will not be decrypted.")

    def getModuleVersionNumber(self):
        return "1.0"

    def isDataSourceIngestModuleFactory(self):
        return True

    def createDataSourceIngestModule(self, ingestOptions):
        return ChromePWIngestModule()


class ChromePWIngestModule(DataSourceIngestModule):

    _logger = Logger.getLogger(ChromePWIngestModuleFactory.moduleName)

    # First 16 bytes of every SQLite 3 file (NUL-terminated header string).
    SQLITE_MAGIC = "SQLite format 3\x00"
    ARTIFACT_TYPE = "TSK_CHRPW"
    # (attribute type name, display label); every value is stored as a string.
    ATTRIBUTE_TYPES = [
        ("TSK_CHRPW_URL", "URL"),
        ("TSK_CHRPW_USERNAME", "Username"),
        ("TSK_CHRPW_DATE", "Date"),
        ("TSK_CHRPW_REMEMBER", "Offered and ..."),
        ("TSK_CHRPW_TIMES", "No of Times Used"),
    ]
    # date_created is WebKit time: microseconds since 1601-01-01 UTC. Dividing by
    # 1e6 and adding the Unix time of 1601-01-01 yields a value datetime() accepts.
    # The column aliases are the exact names looked up on the result set below.
    LOGINS_QUERY = (
        "SELECT origin_url, username_value, "
        "datetime(date_created / 1000000 + strftime('%s', '1601-01-01'), 'unixepoch') AS creation_date, "
        "CASE blacklisted_by_user WHEN 0 THEN 'remembered' ELSE 'not remembered' END AS remembered, "
        "times_used FROM logins;"
    )

    def log(self, level, msg):
        self._logger.logp(level, self.__class__.__name__, inspect.stack()[1][3], msg)

    def __init__(self):
        self.context = None
        self.msgcounter = 0

    def startUp(self, context):
        self.context = context

    def postMessage(self, text):
        # Autopsy distinguishes inbox messages by their unique id; a counter keeps them distinct.
        message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                                              "Chrome Saved passwords", text, str(self.msgcounter))
        IngestServices.getInstance().postMessage(message)
        self.msgcounter += 1

    def isSqlite(self, path):
        with open(path, "rb") as fh:
            return fh.read(16) == self.SQLITE_MAGIC

    def ensureTypes(self, ccase):
        # Custom types persist in the case database, so a second run (or another data
        # source) finds them already defined and the add calls throw. The bare except
        # also covers the Java exceptions Jython raises here. Resolve the ids by name
        # afterwards rather than trusting the return values of the add calls.
        try:
            ccase.addArtifactType(self.ARTIFACT_TYPE, "Chrome Saved Passwords Identifier")
        except:
            self.log(Level.INFO, "Artifact type " + self.ARTIFACT_TYPE + " already exists")
        for name, label in self.ATTRIBUTE_TYPES:
            try:
                ccase.addArtifactAttributeType(
                    name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, label)
            except:
                pass
        return ccase.getArtifactTypeID(self.ARTIFACT_TYPE), ccase.getArtifactType(self.ARTIFACT_TYPE)

    def process(self, dataSource, progressBar):
        progressBar.switchToIndeterminate()
        ccase = Case.getCurrentCase().getSleuthkitCase()
        fileManager = Case.getCurrentCase().getServices().getFileManager()
        files = fileManager.findFiles(dataSource, "Login Data")
        numFiles = len(files)
        progressBar.switchToDeterminate(numFiles)
        artTypeId, artType = self.ensureTypes(ccase)
        fileCount = 0

        for file in files:
            if self.context.isJobCancelled():
                return IngestModule.ProcessResult.OK
            fileCount += 1
            progressBar.progress(fileCount)
            progressBar.progress("Chrome Password Analyzer")
            self.log(Level.INFO, "Processing file %s (%d of %d)" % (file.getName(), fileCount, numFiles))

            # Export the file to the case temp directory; the JDBC driver needs a real path.
            lclDbPath = os.path.join(Case.getCurrentCase().getTempDirectory(), str(file.getId()) + ".db")
            ContentUtils.writeToFile(file, File(lclDbPath))
            try:
                if not self.isSqlite(lclDbPath):
                    # Chrome's Login Data is always SQLite; anything else is a name collision,
                    # so skip it and keep going instead of aborting the whole data source.
                    self.postMessage(file.getName() + ": not a SQLite database (missing magic number), skipped")
                    continue
                self.postMessage(file.getName() + " identified as a Chrome Login Data SQLite database")
                if not self.processDatabase(ccase, file, lclDbPath, artTypeId, artType):
                    return IngestModule.ProcessResult.OK
            finally:
                os.remove(lclDbPath)

        # After all databases, post a summary to the ingest messages inbox.
        if numFiles == 0:
            self.postMessage("Nothing to analyze")
        else:
            self.postMessage("Analyzed %d files" % fileCount)
        return IngestModule.ProcessResult.OK

    def processDatabase(self, ccase, file, lclDbPath, artTypeId, artType):
        """Read the logins table and post one artifact per row. Returns False if the job was cancelled."""
        try:
            Class.forName("org.sqlite.JDBC").newInstance()
            dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % lclDbPath)
        except SQLException as e:
            self.postMessage("Cannot open " + file.getName() + " as SQLite (" + e.getMessage() + ")")
            return True
        try:
            stmt = dbConn.createStatement()
            resultSet = stmt.executeQuery(self.LOGINS_QUERY)
            rowCount = 0
            while resultSet.next():
                if self.context.isJobCancelled():
                    self.postMessage("Canceled while reading " + file.getName())
                    return False
                values = [
                    ("TSK_CHRPW_URL", resultSet.getString("origin_url")),
                    ("TSK_CHRPW_USERNAME", resultSet.getString("username_value")),
                    ("TSK_CHRPW_DATE", resultSet.getString("creation_date")),
                    ("TSK_CHRPW_REMEMBER", resultSet.getString("remembered")),
                    ("TSK_CHRPW_TIMES", resultSet.getString("times_used")),
                ]
                art = file.newArtifact(artTypeId)
                for name, value in values:
                    # NULL columns come back as None; store an empty string instead.
                    art.addAttribute(BlackboardAttribute(
                        ccase.getAttributeType(name), ChromePWIngestModuleFactory.moduleName,
                        value if value is not None else ""))
                rowCount += 1
            if rowCount > 0:
                # Tell the UI that new artifacts of this type exist so the tree refreshes.
                IngestServices.getInstance().fireModuleDataEvent(
                    ModuleDataEvent(ChromePWIngestModuleFactory.moduleName, artType, None))
            else:
                self.postMessage("No accounts found in " + file.getName())
            stmt.close()
        except SQLException as e:
            self.log(Level.INFO, "Error querying database " + file.getName() + " (" + e.getMessage() + ")")
        finally:
            dbConn.close()
        return True
```
--------------------------------------------------------------------------------
/IngestModules/CopyMove/README.md:
--------------------------------------------------------------------------------
- __Known Issues:__ This module does not work with the latest versions of Autopsy (April 2020 - https://sleuthkit.discourse.group/t/copy-move-module/1026)

- __Description:__ A module package containing a File Ingest Module and its corresponding Data Content Viewer. Allows the user to identify Copy-Move forgeries within images in the datasource. Please read the readme before using the package.
4 | - __Author:__ Tobias Maushammer 5 | - __Minimum Autopsy version:__ 4.1.0 6 | - __Source Code:__ https://github.com/LoWang123/CopyMoveModulePackage 7 | - __License:__ The MIT License(MIT) 8 | -------------------------------------------------------------------------------- /IngestModules/CopyMove/de-fau-copymoveforgerydetection.nbm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sleuthkit/autopsy_addon_modules/38e9e5934bca90f68d3acf421ddef8910ffb9b4b/IngestModules/CopyMove/de-fau-copymoveforgerydetection.nbm -------------------------------------------------------------------------------- /IngestModules/Create_Datasource_Hashset/README.md: -------------------------------------------------------------------------------- 1 | - __Description:__ Create a hashset of a data source, the hashset is stored in the case export directory. The datasource must be hashed prior to running this plugin. The hashset can then be brought back into Autopsy. 2 | - __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com) 3 | - __Minimum Autopsy version:__ 4.4.0 4 | - __OS's supported on: Windows, Linux 5 | - __Module Location__: https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Create_Datasource_Hashset 6 | - __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Create_Datasource_Hashset 7 | - __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Create_Datasource_Hashset 8 | - __License:__ GNU General Public License Version 3 -------------------------------------------------------------------------------- /IngestModules/Create_Preview_Data_Container/README.md: -------------------------------------------------------------------------------- 1 | - __Description:__ Create a VHD image of user defined file extensions that can then be brought back into Autopsy. 
2 | - __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com) 3 | - __Minimum Autopsy version:__ 4.4.0 4 | - __OS's supported on: Windows 5 | - __Module Location__: https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Create_Preview_Data_Container 6 | - __Website:__ https://medium.com/@markmckinnon_80619/acreating-a-data-preview-container-in-autopsy-afbdf776d7c4 7 | - __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Create_Preview_Data_Container 8 | - __License:__ GNU General Public License Version 3 -------------------------------------------------------------------------------- /IngestModules/Cuckoo/README.md: -------------------------------------------------------------------------------- 1 | - __Description:__ This plugin will send files to a cuckoo box. 2 | - __Author:__ Mark McKinnon - Mark dot McKinnon at Gmail dot Com 3 | - __Minimum Autopsy version:__ 4.1.0 4 | - __OS's supported on: Windows 5 | - __Module Location__: https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Cuckoo 6 | - __Website:__ https://medium.com/@markmckinnon_80619/im-cuckoo-for-autopsy-733762a689ef 7 | - __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Cuckoo 8 | - __License:__ GNU General Public License Version 3 -------------------------------------------------------------------------------- /IngestModules/EML_Parser/README.md: -------------------------------------------------------------------------------- 1 | - __Description:__ Parse email with an EML file extension 2 | - __Minimum Autopsy version:__ 4.4.0 3 | - __OS's supported on: Windows, Linux 4 | - __Module Location__: https://github.com/markmckinnon/Autopsy-Plugins/tree/master/EML_Parser 5 | - __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/EML_Parser 6 | - __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/EML_Parser 7 | - __License:__ GNU General Public License Version 3 
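The ChromePasswords.py module above copies Chrome's "Login Data" SQLite file out of the image, checks the file header, and runs one query that converts date_created from WebKit time (microseconds since 1601-01-01) to a readable date in SQL. The module only reads login metadata: the password_value column is not selected, and Chrome stores it encrypted (DPAPI on Windows), so "non-encrypted SQLite database" in the module's message refers to the database file, not to the credentials. Below is an added stand-alone example, not code from the module or from the autopsy_addon_modules repository, that does the same extraction with Python's sqlite3 against a constructed in-memory copy of the logins table and performs the epoch conversion in Python so it can be checked. The table and column names are those the module's own query uses; the rows are made up. Because Windows FILETIME uses the same 1601 epoch in 100-nanosecond units, the example also includes that conversion as a generalization of the same arithmetic.

```python
# Added example: parse a Chrome "Login Data" SQLite database the way the
# ChromePasswords.py module does, with explicit header and epoch handling.
# Not part of the module or the autopsy_addon_modules repository.
# Assumptions: the logins table subset below (origin_url, username_value,
# date_created, blacklisted_by_user, times_used) matches the module's query;
# all sample rows are constructed, not taken from any real profile.
import sqlite3
from datetime import datetime, timedelta

SQLITE_MAGIC = b"SQLite format 3\x00"  # full 16-byte header string, NUL-terminated
WINDOWS_EPOCH = datetime(1601, 1, 1)   # epoch shared by WebKit time and FILETIME
UNIX_EPOCH = datetime(1970, 1, 1)
# Seconds between the two epochs; the module gets this in SQL via strftime('%s', '1601-01-01').
EPOCH_DELTA_S = int((UNIX_EPOCH - WINDOWS_EPOCH).total_seconds())  # 11644473600


def is_sqlite_file(header):
    """True if the first 16 bytes are the SQLite magic. The module compares
    only the first 15 bytes as a string; checking the trailing NUL as well
    avoids matching a text file that merely starts with the same words."""
    return header[:16] == SQLITE_MAGIC


def webkit_to_utc(microseconds):
    """Chrome date_created: microseconds since 1601-01-01 UTC."""
    return WINDOWS_EPOCH + timedelta(microseconds=microseconds)


def filetime_to_utc(ticks):
    """Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC
    (same epoch as WebKit time, different unit)."""
    return WINDOWS_EPOCH + timedelta(microseconds=ticks // 10)


def parse_logins(conn):
    """Select the same columns as the module's query, convert the timestamp in
    Python, and return plain dicts the caller can turn into artifacts."""
    rows = conn.execute(
        "SELECT origin_url, username_value, date_created, blacklisted_by_user, times_used "
        "FROM logins ORDER BY date_created"
    ).fetchall()
    entries = []
    for url, user, created, blacklisted, times in rows:
        entries.append({
            "url": url,
            "username": user,
            "created_utc": webkit_to_utc(created).strftime("%Y-%m-%d %H:%M:%S"),
            # blacklisted_by_user = 1 means the user chose "never save" for this origin
            "offered": "not remembered" if blacklisted else "remembered",
            "times_used": times,
        })
    return entries


def build_sample_login_data():
    """Constructed in-memory database mimicking the relevant part of Chrome's
    Login Data schema. Values are invented for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logins (origin_url TEXT, username_value TEXT, "
        "date_created INTEGER, blacklisted_by_user INTEGER, times_used INTEGER)"
    )
    conn.executemany(
        "INSERT INTO logins VALUES (?, ?, ?, ?, ?)",
        [
            # 13200000000000000 us since 1601 -> 2019-04-17 18:40:00 UTC
            ("https://mail.example.test/", "alice", 13200000000000000, 0, 7),
            # six minutes later, site marked "never save"
            ("https://bank.example.test/", "", 13200000360000000, 1, 0),
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_login_data()
    for entry in parse_logins(db):
        print(entry)
```

The header check and the two epoch helpers are the pieces worth reusing; the query itself is identical in intent to the module's, only with the date arithmetic moved out of SQL so an analyst can unit-test the conversion against known values.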
--------------------------------------------------------------------------------
/IngestModules/FaceRadar/README.md:
--------------------------------------------------------------------------------
- __Description:__ Uses OpenCV to detect faces in image files
- __Author:__ Blaize K. Strothers
- __Minimum Autopsy version:__ 4.0.0
- __Module Location__: https://github.com/sazquatch/FaceRadar
- __Website:__ https://github.com/sazquatch/FaceRadar
- __Source Code:__ https://github.com/sazquatch/FaceRadar
- __License:__ Unknown
--------------------------------------------------------------------------------
/IngestModules/FileHistory/README.md:
--------------------------------------------------------------------------------
- __Description:__ This plugin will parse the Windows File History database.
- __Author:__ Mark McKinnon - Mark dot McKinnon at Gmail dot Com
- __Minimum Autopsy version:__ 4.1.0
- __Module Location__: Python module folder
- __OS's supported on:__ Windows, Linux
- __Website:__ https://medium.com/@markmckinnon_80619/windows-file-history-plugin-a6208da4efa5
- __Source Code:__ Here or https://github.com/markmckinnon/Autopsy-Plugins/tree/master/FileHistory
- __License:__ GPL. The full license can be found in Parse_FileHistory_py_GPL_License.txt
--------------------------------------------------------------------------------
/IngestModules/ForensicVM/README.md:
--------------------------------------------------------------------------------
- __Description:__ The Autopsy ForensicVM client streamlines digital forensic analysis by using virtualization to boot and examine forensic images in an isolated environment. It is aimed at cybersecurity professionals, digital forensics investigators, and information security teams.
- __Author:__ Nuno Mourinho (nuno.mourinho+forensicVM@gmail.com)
- __Minimum Autopsy version:__ 4.20.0
- __Module Location__: https://github.com/nunomourinho/AutopsyForensicVM/releases/tag/v1.0.2
- __Website:__ https://forensicvm-autopsy-plugin-user-manual.readthedocs.io/en/latest/
- __Source Code:__ https://github.com/nunomourinho/AutopsyForensicVM
- __License:__ EUPL-1.2 license
--------------------------------------------------------------------------------
/IngestModules/GoogleDrive/README.md:
--------------------------------------------------------------------------------
- __Description:__ The plugin will investigate Google Drive snapshot databases and list filenames with their full path.
- __Author:__ Tom Van der Mussele
- __Minimum Autopsy version:__ 4.3.0
- __Source Code:__ https://github.com/tomvandermussele/autopsy-plugins/tree/master/GoogleDrive
- __License:__ GNU General Public License Version 3
--------------------------------------------------------------------------------
/IngestModules/GoogleDrive/google_drive/GDrive.py:
--------------------------------------------------------------------------------
# This module extracts some data from identified Google Drive databases and organizes it in the Tree Viewer Window
#
#
# Please note this is a non-exhaustive extraction of data; it is recommended to
# manually inspect the database for more forensic artifacts and use this as an indicator.
#
# Contact: Tom Van der Mussele [tomvandermussele gmail [dot] com]
#
# This is free and unencumbered software released into the public domain.
#
# Anyone is free to copy, modify, publish, use, compile, sell, or
# distribute this software, either in source code form or as a compiled
# binary, for any purpose, commercial or non-commercial, and by any
# means.
#
# In jurisdictions that recognize copyright laws, the author or authors
# of this software dedicate any and all copyright interest in the
# software to the public domain. We make this dedication for the benefit
# of the public at large and to the detriment of our heirs and
# successors. We intend this dedication to be an overt act of
# relinquishment in perpetuity of all present and future rights to this
# software under copyright law.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
# IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
# OTHER DEALINGS IN THE SOFTWARE.
#
# Google Drive Analyzer - tvdm
#

import jarray
import inspect
import shutil
import os
from java.lang import Class
from java.lang import System
from java.sql import DriverManager, SQLException
from java.util.logging import Level
from java.io import File
from org.sleuthkit.datamodel import SleuthkitCase
from org.sleuthkit.datamodel import AbstractFile
from org.sleuthkit.datamodel import ReadContentInputStream
from org.sleuthkit.datamodel import BlackboardArtifact
#from org.sleuthkit.databases import TskDBBlackboard
from org.sleuthkit.datamodel import BlackboardAttribute
from org.sleuthkit.autopsy.ingest import IngestModule
from org.sleuthkit.autopsy.ingest.IngestModule import IngestModuleException
from org.sleuthkit.autopsy.ingest import DataSourceIngestModule
from org.sleuthkit.autopsy.ingest import IngestModuleFactoryAdapter
from org.sleuthkit.autopsy.ingest import IngestMessage
from org.sleuthkit.autopsy.ingest import IngestServices
from org.sleuthkit.autopsy.ingest import ModuleDataEvent
from org.sleuthkit.autopsy.coreutils import Logger
from org.sleuthkit.autopsy.casemodule import Case
from org.sleuthkit.autopsy.datamodel import ContentUtils
from org.sleuthkit.autopsy.casemodule.services import Services
from org.sleuthkit.autopsy.casemodule.services import FileManager
from org.sleuthkit.autopsy.casemodule.services import Blackboard


# Factory that defines the name and details of the module and allows Autopsy
# to create instances of the modules that will do the analysis.
class GDriveDbIngestModuleFactory(IngestModuleFactoryAdapter):

    moduleName = "Google Drive Analyzer - tvdm"

    def getModuleDisplayName(self):
        return self.moduleName

    def getModuleDescription(self):
        return "Identifies Google Drive databases and extracts information which could be used as indications"

    def getModuleVersionNumber(self):
        return "1.0"

    def isDataSourceIngestModuleFactory(self):
        return True

    def createDataSourceIngestModule(self, ingestOptions):
        return GDriveDbIngestModule()


class GDriveDbIngestModule(DataSourceIngestModule):

    _logger = Logger.getLogger(GDriveDbIngestModuleFactory.moduleName)

    def log(self, level, msg):
        self._logger.logp(level, self.__class__.__name__, inspect.stack()[1][3], msg)

    def __init__(self):
        self.context = None

    def startUp(self, context):
        self.context = context

    def process(self, dataSource, progressBar):

        msgcounter = 0
        global mama
        progressBar.switchToIndeterminate()
        global ccase
        ccase = Case.getCurrentCase().getSleuthkitCase()
        blackboard = Case.getCurrentCase().getServices().getBlackboard()
        fileManager = Case.getCurrentCase().getServices().getFileManager()
        accounts = fileManager.findFiles(dataSource, "sync_config.db")
        numFiles = len(accounts)
        progressBar.switchToDeterminate(numFiles)
        fileCount = 0

        for file in accounts:
            fileCount += 1
            progressBar.progress(fileCount)
            progressBar.progress("Google Drive Analyzer")
            if self.context.isJobCancelled():
                return IngestModule.ProcessResult.OK

            # Copy the database out of the image into the case temp directory so JDBC can open it
            lclDbPath = os.path.join(Case.getCurrentCase().getTempDirectory(), str(file.getId()) + ".db")
            ContentUtils.writeToFile(file, File(lclDbPath))

            binary_file = open(lclDbPath, "rb")
            data = binary_file.read(15)
            binary_file.close()
            if str(data) == "SQLite format 3":
                try:
                    Class.forName("org.sqlite.JDBC").newInstance()
                    dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % lclDbPath)
                except SQLException as e:
                    message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                        "Initial config database:", "Cannot open " + file.getName() + " as SQLite", file.getName() + " not a database")
                    #IngestServices.getInstance().postMessage(message)
                    return IngestModule.ProcessResult.ERROR

                try:
                    stmt = dbConn.createStatement()
                    stmt2 = dbConn.createStatement()
                    stmt3 = dbConn.createStatement()
                    stmt4 = dbConn.createStatement()
                    stmt5 = dbConn.createStatement()

                    try:
                        resultSet1 = stmt.executeQuery("select data_value 'account' from data WHERE entry_key='user_email';")
                        resultSet2 = stmt2.executeQuery("select count(*) 'count' from data WHERE entry_key='user_email';")
                        resultSet4 = stmt4.executeQuery("select data_value from data where data_key ='rowkey';")

                        GAccount = resultSet1.getString("account")
                        no_of_accounts = resultSet2.getInt("count")

                        if no_of_accounts > 0:
                            gBase = fileManager.findFiles(dataSource, "snapshot.db", file.getParentPath())
                            #ccase = Case.getCurrentCase().getSleuthkitCase()
                            artifact_name = "TSK_MSG_" + GAccount
                            artifact_desc = "Google Drive Account: " + GAccount
                            try:
                                # Try adding the artifact type; this fails harmlessly when it already exists
                                artID_Gdrive = ccase.addArtifactType(artifact_name, artifact_desc)
                            except:
                                pass
                            artID_Gdrive = ccase.getArtifactTypeID(artifact_name)
                            artID_Gdrive_evt = ccase.getArtifactType(artifact_name)

                            for gDatabase in gBase:
                                if str(file.getParentPath()) in str(gDatabase):
                                    lclDbPath2 = os.path.join(Case.getCurrentCase().getTempDirectory(), str(GAccount) + ".db")
                                    ContentUtils.writeToFile(gDatabase, File(lclDbPath2))
                                    binary_file = open(lclDbPath2, "rb")
                                    data = binary_file.read(15)
                                    binary_file.close()
                                    if str(data) == "SQLite format 3":
                                        try:
                                            Class.forName("org.sqlite.JDBC").newInstance()
                                            dbFiles = DriverManager.getConnection("jdbc:sqlite:%s" % lclDbPath2)
                                            dbSMT = dbFiles.createStatement()
                                            dbSMT2 = dbFiles.createStatement()
                                            dbSMT3 = dbFiles.createStatement()
                                            dbSMT4 = dbFiles.createStatement()
                                        except SQLException as e:
                                            message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                                                "Google Drive Analyzer", "Cannot open " + file.getName() + " as SQLite", "FATAL")
                                            IngestServices.getInstance().postMessage(message)
                                            msgcounter += 1
                                            return IngestModule.ProcessResult.ERROR

                                        resultSet4 = dbSMT2.executeQuery("select count(filename) 'Count' from cloud_entry;")
                                        resultSet5 = dbSMT3.executeQuery("select child_doc_id, parent_doc_id from cloud_relations;")

                                        if resultSet4.getInt("Count") > 0:
                                            try:
                                                attribute_name = "TSK_GDRIVE_FILENAME"
                                                attribute_name2 = "TSK_GDRIVE_TIME"
                                                attribute_name3 = "TSK_GDRIVE_SIZE"
                                                attribute_name4 = "TSK_GDRIVE_SHARED"
                                                attribute_name5 = "TSK_GDRIVE_TYPE"
                                                attribute_name0 = "TSK_GDRIVE_PARENT"
                                                attID_ex0 = ccase.addArtifactAttributeType(attribute_name0, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Parent Directory")
                                                attID_ex1 = ccase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Filename or directory")
                                                attID_ex2 = ccase.addArtifactAttributeType(attribute_name2, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Modification date")
                                                attID_ex3 = ccase.addArtifactAttributeType(attribute_name3, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Size in KiB")
                                                attID_ex4 = ccase.addArtifactAttributeType(attribute_name4, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Shared with others")
                                                attID_ex5 = ccase.addArtifactAttributeType(attribute_name5, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Type")
                                            except:
                                                # Attribute types already exist from an earlier run
                                                pass

                                            # doc_id values are read out of the evidence database, so they are bound as
                                            # parameters rather than concatenated into the SQL text: a crafted doc_id in a
                                            # snapshot.db must not be able to change the query the module runs.
                                            pstmtParentName = dbFiles.prepareStatement("select filename from cloud_entry where doc_id = ?;")
                                            pstmtParentOf = dbFiles.prepareStatement("select parent_doc_id from cloud_relations where child_doc_id = ?;")
                                            pstmtFiles = dbFiles.prepareStatement("select f.filename, datetime(f.modified, 'unixepoch') 'Time', f.size/1024 'KB', f.doc_id, CASE f.shared WHEN 0 THEN 'No' ELSE 'Yes' END Shared, CASE f.doc_type WHEN 0 THEN 'Directory' ELSE 'File' END Type from cloud_entry f, cloud_relations c where c.parent_doc_id = ? and f.doc_id = ? and f.doc_id = c.child_doc_id;")

                                            parent = ""
                                            mama = ""
                                            child = ""
                                            ouder = ""
                                            papa = ""
                                            child2 = ""
                                            while resultSet5.next():  # Loop over the parent/child pairs in cloud_relations
                                                parent = resultSet5.getString("parent_doc_id")

                                                pstmtParentName.setString(1, str(parent))
                                                resultSet6 = pstmtParentName.executeQuery()
                                                parentfilename = resultSet6.getString("filename")
                                                PathCheck = 0
                                                mama = ""
                                                papa = ""
                                                child = resultSet5.getString("child_doc_id")
                                                child2 = child
                                                teller = 0
                                                # Walk up the parent chain, prepending each directory name, until the root is reached
                                                while PathCheck == 0:
                                                    teller += 1
                                                    if teller > 1024:
                                                        # Bound the walk: a malformed or cyclic cloud_relations table would otherwise loop forever
                                                        break
                                                    try:
                                                        try:
                                                            # Get the parent_doc_id of the current entry from the relations table
                                                            pstmtParentOf.setString(1, str(child))
                                                            resultSet10 = pstmtParentOf.executeQuery()
                                                            ouder = resultSet10.getString("parent_doc_id")
                                                        except:
                                                            break
                                                        try:
                                                            pstmtParentName.setString(1, str(ouder))
                                                            resultSet11 = pstmtParentName.executeQuery()
                                                            papa = resultSet11.getString("filename")
                                                        except:
                                                            break
                                                        if len(papa) == 0 or str(papa) == "root":
                                                            PathCheck = 1
                                                            mama = "[root]\\" + str(mama)
                                                            break
                                                        else:
                                                            tijdelijk = mama
                                                            mama = str(papa) + "\\" + str(tijdelijk)
                                                            child = ouder
                                                    except:
                                                        break

                                                pstmtFiles.setString(1, str(parent))
                                                pstmtFiles.setString(2, str(child2))
                                                resultSet3 = pstmtFiles.executeQuery()

                                                while resultSet3.next():
                                                    if self.context.isJobCancelled():
                                                        message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "Canceling", "Enumeration of files")
                                                        IngestServices.getInstance().postMessage(message)
                                                        msgcounter += 1
                                                        return IngestModule.ProcessResult.OK

                                                    filename = resultSet3.getString("filename")
                                                    time = resultSet3.getString("Time")
                                                    Size = resultSet3.getString("KB")
                                                    sharing = resultSet3.getString("Shared")
                                                    filetype = resultSet3.getString("Type")

                                                    artifact_name = "TSK_MSG_" + GAccount
                                                    art = gDatabase.newArtifact(artID_Gdrive)
                                                    # Look the attribute types up by name: the attID_ex* variables above are
                                                    # only assigned on the first run, when the types do not exist yet
                                                    attID_ex0 = ccase.getAttributeType("TSK_GDRIVE_PARENT")
                                                    art.addAttribute(BlackboardAttribute(attID_ex0, GDriveDbIngestModuleFactory.moduleName, str(mama)))
                                                    attID_ex1 = ccase.getAttributeType("TSK_GDRIVE_FILENAME")
                                                    art.addAttribute(BlackboardAttribute(attID_ex1, GDriveDbIngestModuleFactory.moduleName, str(mama + "\\" + filename)))
                                                    attID_ex2 = ccase.getAttributeType("TSK_GDRIVE_TIME")
                                                    art.addAttribute(BlackboardAttribute(attID_ex2, GDriveDbIngestModuleFactory.moduleName, time))
                                                    attID_ex3 = ccase.getAttributeType("TSK_GDRIVE_SIZE")
                                                    art.addAttribute(BlackboardAttribute(attID_ex3, GDriveDbIngestModuleFactory.moduleName, Size))
                                                    attID_ex4 = ccase.getAttributeType("TSK_GDRIVE_SHARED")
                                                    art.addAttribute(BlackboardAttribute(attID_ex4, GDriveDbIngestModuleFactory.moduleName, sharing))
                                                    attID_ex5 = ccase.getAttributeType("TSK_GDRIVE_TYPE")
                                                    art.addAttribute(BlackboardAttribute(attID_ex5, GDriveDbIngestModuleFactory.moduleName, filetype))
                                                    IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(GDriveDbIngestModuleFactory.moduleName, artID_Gdrive_evt, None))

                                            pstmtParentName.close()
                                            pstmtParentOf.close()
                                            pstmtFiles.close()

                                        else:
                                            message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                                                "Google Drive Analyzer", "No accounts found in " + file.getName(), "Error finding accounts")
                                            IngestServices.getInstance().postMessage(message)
                                            msgcounter += 1
                                            return IngestModule.ProcessResult.ERROR
                    except SQLException as e:
                        self.log(Level.INFO, "SQL Error: " + e.getMessage())
                except SQLException as e:
                    self.log(Level.INFO, "Error querying database " + file.getName() + " (" + e.getMessage() + ")")

                # Clean up
                try:
                    stmt.close()
                    stmt2.close()
                    stmt3.close()
                    stmt4.close()
                    stmt5.close()

                    dbSMT.close()
                    dbConn.close()
                    os.remove(lclDbPath)
                    os.remove(lclDbPath2)
                except:
                    message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                        "Google Drive Analyzer", "Unable to clean up", "Error - Cleanup")
                    #IngestServices.getInstance().postMessage(message)
                    msgcounter += 1

            else:
                message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                    "Google Drive Analyzer", "Not a SQLite Database - Missing magic number", "Not database")
                #IngestServices.getInstance().postMessage(message)
                msgcounter += 1
                return IngestModule.ProcessResult.ERROR

        # After all databases, post a message to the ingest messages in box.
        if numFiles == 0:
            message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                "Google Drive Analyzer", "Info:", "Nothing to analyze ")
            #IngestServices.getInstance().postMessage(message)
            msgcounter += 1
        else:
            message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                "Google Drive Analyzer", "Info:", "Analyzed %d files" % fileCount)
            #IngestServices.getInstance().postMessage(message)
            msgcounter += 1
        return IngestModule.ProcessResult.OK
--------------------------------------------------------------------------------
/IngestModules/IE Tiles/README.md:
--------------------------------------------------------------------------------
- __Description:__ The plugin will enumerate Internet Explorer Tiles
- __Author:__ Tom Van der Mussele
- __Minimum Autopsy version:__ 4.3.0
- __Source Code:__ https://github.com/tomvandermussele/autopsy-plugins/tree/master/IE%20Tiles
- __License:__ GNU General Public License Version 3
--------------------------------------------------------------------------------
/IngestModules/IE Tiles/ie_tiles/IETiles.py:
--------------------------------------------------------------------------------
# This module quickly extracts some data from identified Internet Explorer Tiles
# Please note this is a non-exhaustive extraction of data; it is recommended to
# manually inspect the files for more forensic artifacts and use this as an indicator
#
# Contact: Tom Van der Mussele [tomvandermussele gmail [dot] com]
#
# This is free and unencumbered software released into the public domain.
#
# Anyone is free to copy, modify, publish, use, compile, sell, or
# distribute this software, either in source code form or as a compiled
# binary, for any purpose, commercial or non-commercial, and by any
# means.
#
# In jurisdictions that recognize copyright laws, the author or authors
# of this software dedicate any and all copyright interest in the
# software to the public domain. We make this dedication for the benefit
# of the public at large and to the detriment of our heirs and
# successors. We intend this dedication to be an overt act of
# relinquishment in perpetuity of all present and future rights to this
# software under copyright law.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
# IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
# OTHER DEALINGS IN THE SOFTWARE.
#
# Looks for files of a given name, verifies the validity of the file, reads elements out of it
# and makes artifacts

import jarray
import inspect
import os
from java.lang import Class
from java.lang import System
from java.sql import DriverManager, SQLException
from java.util.logging import Level
from java.io import File
from org.sleuthkit.datamodel import SleuthkitCase
from org.sleuthkit.datamodel import AbstractFile
from org.sleuthkit.datamodel import ReadContentInputStream
from org.sleuthkit.datamodel import BlackboardArtifact
#from org.sleuthkit.databases import TskDBBlackboard
from org.sleuthkit.datamodel import BlackboardAttribute
from org.sleuthkit.autopsy.ingest import IngestModule
from org.sleuthkit.autopsy.ingest.IngestModule import IngestModuleException
from org.sleuthkit.autopsy.ingest import DataSourceIngestModule
from org.sleuthkit.autopsy.ingest import IngestModuleFactoryAdapter
from org.sleuthkit.autopsy.ingest import IngestMessage
from org.sleuthkit.autopsy.ingest import IngestServices
from org.sleuthkit.autopsy.ingest import ModuleDataEvent
from org.sleuthkit.autopsy.coreutils import Logger
from org.sleuthkit.autopsy.casemodule import Case
from org.sleuthkit.autopsy.datamodel import ContentUtils
from org.sleuthkit.autopsy.casemodule.services import Services
from org.sleuthkit.autopsy.casemodule.services import FileManager
from org.sleuthkit.autopsy.casemodule.services import Blackboard
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, tzinfo
import time
import calendar


def CalculateTime(arg1, arg2):
    # arg1 and arg2 are the low and high 32-bit halves of a Windows FILETIME,
    # given as "0x..." hex strings (IE writes them as "lo,hi" in msapplication.xml).
    # Already big endian, no need to swap bytes
    L = str(arg1).split('x')
    H = str(arg2).split('x')
    # Zero-pad the low half to 8 hex digits before concatenating; otherwise a
    # short low value would land in the wrong bit positions
    both = H[1] + L[1].zfill(8)
    ticks = int(both, 16)  # 100-nanosecond intervals since 1601-01-01 UTC
    # Shift to the Unix epoch (11644473600 s * 10^7 ticks) and convert ticks to seconds
    (s, rest) = divmod(ticks - 116444736000000000, 10000000)
    temp = datetime.utcfromtimestamp(s)
    return str(temp)


# Factory that defines the name and details of the module and allows Autopsy
# to create instances of the modules that will do the analysis.
class IETilesIngestModuleFactory(IngestModuleFactoryAdapter):

    moduleName = "Tom IE Tiles Analyzer"

    def getModuleDisplayName(self):
        return self.moduleName

    def getModuleDescription(self):
        return "Tom IE Tiles Analyzer"

    def getModuleVersionNumber(self):
        return "1.0"

    def isDataSourceIngestModuleFactory(self):
        return True

    def createDataSourceIngestModule(self, ingestOptions):
        return IETilesIngestModule()


class IETilesIngestModule(DataSourceIngestModule):

    _logger = Logger.getLogger(IETilesIngestModuleFactory.moduleName)

    def log(self, level, msg):
        self._logger.logp(level, self.__class__.__name__, inspect.stack()[1][3], msg)

    def __init__(self):
        self.context = None

    def startUp(self, context):
        self.context = context

    def process(self, dataSource, progressBar):

        PostBoard = IngestServices.getInstance()
        progressBar.switchToIndeterminate()
        # Current case
        ccase = Case.getCurrentCase().getSleuthkitCase()
        blackboard = Case.getCurrentCase().getServices().getBlackboard()
        fileManager = Case.getCurrentCase().getServices().getFileManager()
        files = fileManager.findFiles(dataSource, "msapplication.xml")
        numFiles = len(files)
        message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "IE Tiles Analyzer", "About to analyze " + str(numFiles) + " files")
        PostBoard.postMessage(message)
        progressBar.switchToDeterminate(numFiles)

        try:
            # Try adding the artifact type and its attribute types; this fails when they already exist
            artifact_name = "TSK_IETILES"
            artifact_desc = "IE Tiles Analyzer"

            artID_tiles = ccase.addArtifactType(artifact_name, artifact_desc)
            artID_tiles_evt = ccase.getArtifactType(artifact_name)
            attribute_name = "TSK_TILES_SITE"
            attribute_name2 = "TSK_TILES_DATE"
            attribute_name3 = "TSK_TILES_ACCESSDATE"
            attID_ex1 = ccase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Site")
            attID_ex2 = ccase.addArtifactAttributeType(attribute_name2, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Date")
            attID_ex3 = ccase.addArtifactAttributeType(attribute_name3, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Access Date")
        except:
            message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                "IE Tiles Analyzer", "Already created?")
            PostBoard.postMessage(message)

        fileCount = 0
        for file in files:
            fileCount += 1
            progressBar.progress(fileCount)
            progressBar.progress("IE Tiles Analyzer")
            if self.context.isJobCancelled():
                return IngestModule.ProcessResult.OK
            self.log(Level.INFO, "++++++Processing file: " + file.getName())
            self.log(Level.INFO, "File count:" + str(fileCount))
            lclXMLPath = os.path.join(Case.getCurrentCase().getTempDirectory(), str(file.getId()) + ".xml")
            ContentUtils.writeToFile(file, File(lclXMLPath))
            message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                "IE Tiles Analyzer", lclXMLPath)
            #PostBoard.postMessage(message)
            try:
                tree = ET.ElementTree(file=lclXMLPath)
                root = tree.getroot()
                # Defaults so the checks below work when an element is missing from the file
                site = ""
                accessdate = ""
                normaldate = ""
                for config in root.iter('site'):
                    site = config.attrib.get('src')
                    message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                        "IE Tiles Analyzer", site)
                    PostBoard.postMessage(message)
                for dates in root.iter('accdate'):
                    accessD = dates.text.split(",")
                    AloValue = accessD[0]
                    AhiValue = accessD[1]
                    accessdate = CalculateTime(AloValue, AhiValue)

                for dates in root.iter('date'):
                    createD = dates.text.split(",")
                    CloValue = createD[0]
                    ChiValue = createD[1]
                    normaldate = CalculateTime(CloValue, ChiValue)

                if len(site) > 0:
                    artifact_name = "TSK_IETILES"
                    artifact_desc = "IE Tiles Analyzer"
                    artID_tiles_evt = ccase.getArtifactType(artifact_name)
                    artID_tiles = ccase.getArtifactTypeID(artifact_name)
                    art = file.newArtifact(artID_tiles)
                    attID_ex1 = ccase.getAttributeType("TSK_TILES_SITE")
                    art.addAttribute(BlackboardAttribute(attID_ex1, IETilesIngestModuleFactory.moduleName, site))
                    attID_ex1 = ccase.getAttributeType("TSK_TILES_DATE")
                    art.addAttribute(BlackboardAttribute(attID_ex1, IETilesIngestModuleFactory.moduleName, normaldate))
                    attID_ex1 = ccase.getAttributeType("TSK_TILES_ACCESSDATE")
                    art.addAttribute(BlackboardAttribute(attID_ex1, IETilesIngestModuleFactory.moduleName, accessdate))
                    PostBoard.fireModuleDataEvent(ModuleDataEvent(IETilesIngestModuleFactory.moduleName, \
                        artID_tiles_evt, None))
                else:
                    message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                        "IE Tiles Analyzer", "No sites found: " + lclXMLPath)
                    PostBoard.postMessage(message)

            except:
                message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                    "IE Tiles Analyzer", "SOMETHING WENT WRONG")
                PostBoard.postMessage(message)
            # Clean up
            os.remove(lclXMLPath)

        # After all XML files, post a message to the ingest messages in box.
        if numFiles == 0:
            message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                "IE Tiles Analyzer", "Nothing to analyze ")
            PostBoard.postMessage(message)
        else:
            message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                "IE Tiles Analyzer", "Analyzed %d files" % fileCount)
            PostBoard.postMessage(message)
        return IngestModule.ProcessResult.OK
--------------------------------------------------------------------------------
/IngestModules/Jump_List_AD/README.md:
--------------------------------------------------------------------------------
- __Description:__ This plugin will parse the Jump List Auto Destinations.
- __Author:__ Mark McKinnon - Mark dot McKinnon at Gmail dot Com
- __Minimum Autopsy version:__ 4.1.0
- __OS's supported on:__ Windows, Linux
- __Module Location:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Jump_List_AD
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Jump_List_AD
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Jump_List_AD
- __License:__ GPL. The full license can be found in jump_list_AD_py_GPL_License.txt

--------------------------------------------------------------------------------
/IngestModules/Log Forensics/LFA.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sleuthkit/autopsy_addon_modules/38e9e5934bca90f68d3acf421ddef8910ffb9b4b/IngestModules/Log Forensics/LFA.zip

--------------------------------------------------------------------------------
/IngestModules/Log Forensics/README.md:
--------------------------------------------------------------------------------
- __Description:__ Log Forensics for Autopsy is a two-part Jython module for Autopsy: a file ingest module and a report module. The file ingest module tags Windows-specific log files such as .wer, .etl, .evtx, .dmp, .log and specific .xml files, and extracts information from .wer, .log and .xml files: Windows Error Reporting events, startup processes, and RegEx pattern matches from .log files (IP addresses by default).
- __Author:__ Luís Andrade, João Silva, Patrício Domingues, Miguel Frade.
- __Minimum Autopsy version:__ 4.6.0
- __Source Code:__ https://github.com/L-Andrade/LFA
- __License:__ GNU General Public License v3.0

--------------------------------------------------------------------------------
/IngestModules/MS_Office_Telemetry_Parser/README.md:
--------------------------------------------------------------------------------
- __Description:__ Parser for Microsoft Office Telemetry files (.tbl).
- __Author:__ Sam Koffman
- __Minimum Autopsy version:__ 4.8.0
- __Module Location:__ https://github.com/MadScientistAssociation/Autopsy-MSOT
- __Website:__ https://madscientistassociation.org
- __Source Code:__ https://github.com/MadScientistAssociation/Autopsy-MSOT
- __License:__ MIT License

# Microsoft Office Telemetry Parser for Autopsy

## Overview

In Office 2013, Microsoft introduced telemetry collection in Office. This created a gold mine of data for digital forensics examiners.

Included in Office telemetry collection are:
* File name
* User name
* File open/close date/times
* File size
* Document title
* Document author
* Office version
* Last loaded date/times

This ingest module searches for folders containing all three of the files sln.tbl, user.tbl, and evt.tbl. It then combines the data from these three files and outputs artifacts to the blackboard as type TSK_RECENT_OBJECT.

## Usage

Unzip all files from the repo into a unique folder in the Autopsy Python directory.

## License

This project constitutes a work of the United States Government and is not subject to domestic copyright protection under 17 USC § 105.

However, because the project utilizes code licensed from contributors and other third parties, it therefore is licensed under the MIT License. http://opensource.org/licenses/mit-license.php.
Under that license, permission is granted free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the conditions that any appropriate copyright notices and this permission notice are included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--------------------------------------------------------------------------------
/IngestModules/MacFSEvents/README.md:
--------------------------------------------------------------------------------
- __Description:__ Reads the FSEvents records from a macOS system
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows, Linux
- __Module Location:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/MacFSEvents
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/MacFSEvents
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/MacFSEvents
- __License:__ GNU General Public License Version 3

--------------------------------------------------------------------------------
/IngestModules/MacOSX_Account_Parser/.gitignore:
--------------------------------------------------------------------------------
```gitignore
# Created by .ignore support plugin (hsz.mobi)
### Python template
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class

# C extensions
*.so

# Distribution / packaging
.Python
env/
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
*.egg-info/
.installed.cfg
*.egg

# PyInstaller
# Usually these files are written by a python script from a template
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec

# Installer logs
pip-log.txt
pip-delete-this-directory.txt

# Unit test / coverage reports
htmlcov/
.tox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*,cover
.hypothesis/

# Translations
*.mo
*.pot

# Django stuff:
*.log
local_settings.py

# Flask stuff:
instance/
.webassets-cache

# Scrapy stuff:
.scrapy

# Sphinx documentation
docs/_build/

# PyBuilder
target/

# IPython Notebook
.ipynb_checkpoints

# pyenv
.python-version

# celery beat schedule file
celerybeat-schedule

# dotenv
.env

# virtualenv
venv/
ENV/

# Spyder project settings
.spyderproject

# Rope project settings
.ropeproject
### VirtualEnv template
# Virtualenv
# http://iamzed.com/2009/05/07/a-primer-on-virtualenv/
.Python
[Bb]in
[Ii]nclude
[Ll]ib
[Ll]ib64
[Ll]ocal
[Ss]cripts
pyvenv.cfg
.venv
pip-selfcheck.json
### JetBrains template
# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and Webstorm
# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839

# User-specific stuff:
.idea/workspace.xml
.idea/tasks.xml
.idea/dictionaries
.idea/vcs.xml
.idea/jsLibraryMappings.xml

# Sensitive or high-churn files:
.idea/dataSources.ids
.idea/dataSources.xml
.idea/dataSources.local.xml
.idea/sqlDataSources.xml
.idea/dynamic.xml
.idea/uiDesigner.xml

# Gradle:
.idea/gradle.xml
.idea/libraries

# Mongo Explorer plugin:
.idea/mongoSettings.xml

.idea/

## File-based project format:
*.iws

## Plugin-specific files:

# IntelliJ
/out/

# mpeltonen/sbt-idea plugin
.idea_modules/

# JIRA plugin
atlassian-ide-plugin.xml

# Crashlytics plugin (for Android Studio and IntelliJ)
com_crashlytics_export_strings.xml
crashlytics.properties
crashlytics-build.properties
fabric.properties

# General
.DS_Store
.AppleDouble
.LSOverride

# Icon must end with two \r
Icon


# Thumbnails
._*

# Files that might appear in the root of a volume
.DocumentRevisions-V100
.fseventsd
.Spotlight-V100
.TemporaryItems
.Trashes
.VolumeIcon.icns
.com.apple.timemachine.donotpresent

# Directories potentially created on remote AFP share
.AppleDB
.AppleDesktop
Network Trash Folder
Temporary Items
.apdisk

*$py.class
```

--------------------------------------------------------------------------------
/IngestModules/MacOSX_Account_Parser/README.md:
--------------------------------------------------------------------------------
- __Description:__ Parse OSX 10.8+ account .plist files and extract any available attributes. If a hashed password is available,
extract it and present it in a format that can be used with [Hashcat](https://hashcat.net/).
- __Author:__ Luke Gaddie
- __Minimum Autopsy version:__ 4.0.0
- __License:__ [MIT](https://opensource.org/licenses/MIT), with the exception of dependencies:
  - [biplist](https://pypi.org/project/biplist/) - BSD License (BSD)

## Installation & Usage
Copy MacOSX_Account_Parser into your Autopsy Python Plugins Folder.

Run Ingest modules against your data source, making sure to enable the "MacOSX Account Parser" module.
Any extracted account information will be placed in one of two spots:

- Extracted Content
  - Operating System User Account
  - Hashed Credentials

## Hashcat Usage

In the event that hashed credentials can be extracted from the user account, they'll be placed in "Extracted Content" ->
"Hashed Credentials".

Assuming that you place the "Hashcat Entry" value found in an artifact in hashes.txt, a sample hashcat session might look like:

```
C:\hashcat> hashcat64.exe -m 7100 ./hashes.txt ./dictionary.txt
hashcat (v5.1.0) starting...

[...]

Approaching final keyspace - workload adjusted.

$ml$68027$fccff02010450ae731c883d638b2a3028bf6504937bab584c283a3a44e8f7ad8$e945d8df4ca67261ff45b07a71e5d695816c53532b42988ae1e91268e869c877ef0186a4b2bdaa75d4b316d03274f5b453ee1c5fef067638041fc696fd091400:TestPassword

Session..........: hashcat
Status...........: Cracked
Hash.Type........: macOS v10.8+ (PBKDF2-SHA512)
Hash.Target......: $ml$68027$fccff02010450ae731c883d638b2a3028bf650493...091400
Time.Started.....: Mon Sep 28 18:01:20 2020 (1 sec)
Time.Estimated...: Mon Sep 28 18:01:21 2020 (0 secs)
Guess.Base.......: File (dictionary.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........: 2 H/s (0.45ms) @ Accel:64 Loops:32 Thr:64 Vec:1
Speed.#3.........: 0 H/s (0.00ms) @ Accel:64 Loops:32 Thr:64 Vec:1
Speed.#*.........: 2 H/s
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 2/2 (100.00%)
Rejected.........: 0/2 (0.00%)
Restore.Point....: 0/2 (0.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:68000-68026
Restore.Sub.#3...: Salt:0 Amplifier:0-0 Iteration:0-32
Candidates.#2....: TestPassword -> hashcat
Candidates.#3....: [Copying]
Hardware.Mon.#2..: Temp: 58c Fan: 41% Util: 87% Core:1936MHz Mem:4513MHz Bus:8
Hardware.Mon.#3..: Temp: 53c Fan: 36% Util: 0% Core:1695MHz Mem:4513MHz Bus:8

```

## Misc. Information

* Accounts are stored in /private/var/db/dslocal/nodes/Default/*.plist
* Credentials are hashed as SALTED-SHA512-PBKDF2 (Hashcat -m 7100)
* Hashes are formatted as $ml$[iterations]$[salt]$[first 128 bits of entropy]

--------------------------------------------------------------------------------
/IngestModules/MacOSX_Account_Parser/macosx_account_parser.py:
--------------------------------------------------------------------------------
```python
"""
Copyright 2020 Luke Gaddie

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
documentation files (the "Software"), to deal in the Software without restriction, including without limitation
the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software,
and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the
Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
"""

import os
import inspect
from biplist import readPlist, NotBinaryPlistException, InvalidPlistException
from StringIO import StringIO

from java.io import File
from java.util.logging import Level
from org.sleuthkit.datamodel import BlackboardArtifact
from org.sleuthkit.datamodel import BlackboardAttribute
# SleuthkitCase.getBlackboard() returns the datamodel Blackboard, so its
# BlackboardException must come from the same package for the catch in
# process() to match (the casemodule.services Blackboard is a different class).
from org.sleuthkit.datamodel import Blackboard
from org.sleuthkit.autopsy.ingest import IngestModule
from org.sleuthkit.autopsy.ingest import DataSourceIngestModule
from org.sleuthkit.autopsy.ingest import IngestModuleFactoryAdapter
from org.sleuthkit.autopsy.ingest import IngestMessage
from org.sleuthkit.autopsy.ingest import IngestServices
from org.sleuthkit.autopsy.coreutils import Logger
from org.sleuthkit.autopsy.casemodule import Case
from org.sleuthkit.autopsy.datamodel import ContentUtils


class OSXAccountParserDataSourceIngestModuleFactory(IngestModuleFactoryAdapter):
    moduleName = "MacOSX Account Parser"

    def getModuleDisplayName(self):
        return self.moduleName

    def getModuleDescription(self):
        return "Extract user account information and account shadows from OSX v10.8+ for hashcat cracking."

    def getModuleVersionNumber(self):
        return "1.0"

    def isDataSourceIngestModuleFactory(self):
        return True

    def createDataSourceIngestModule(self, ingestOptions):
        return OSXAccountParserDataSourceIngestModule()


class OSXAccountParserDataSourceIngestModule(DataSourceIngestModule):
    _logger = Logger.getLogger(OSXAccountParserDataSourceIngestModuleFactory.moduleName)

    def log(self, level, msg):
        self._logger.logp(level, self.__class__.__name__, inspect.stack()[1][3], msg)

    def __init__(self):
        self.context = None

        self.osAccountAttributeTypes = {
            'home': {
                'attr_key': 'TSK_HOME_DIRECTORY',
                'attr_type': BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
                'display_name': 'Home Directory',
                'custom': True,
            },
            'shell': {
                'attr_key': 'TSK_SHELL',
                'attr_type': BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
                'display_name': 'Shell',
                'custom': True,
            },
            'hint': {
                'attr_key': 'TSK_PASSWORD_HINT',
                'attr_type': BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
                'display_name': 'Password Hint',
                'custom': True,
            },
            'failedLoginTimestamp': {
                'attr_key': 'TSK_FAILED_LOGIN_TIMESTAMP',
                'attr_type': BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME,
                'display_name': 'Last Failed Login',
                'custom': True,
            },
            'failedLoginCount': {
                'attr_key': 'TSK_FAILED_LOGIN_COUNT',
                'attr_type': BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG,
                'display_name': 'Failed Login Count',
                'custom': True,
            },
            'passwordLastSetTime': {
                'attr_key': 'TSK_PASSWORD_LAST_SET_TIME',
                'attr_type': BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME,
                'display_name': 'Password Last Set',
                'custom': True,
            },
            'generateduuid': {
                'attr_key': 'TSK_GENERATED_UUID',
                'attr_type': BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
                'display_name': 'Generated UUID',
                'custom': True,
            },
            'IsHidden': {
                'attr_key': 'TSK_IS_HIDDEN',
                'attr_type': BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
                'display_name': 'Hidden',
                'custom': True,
            },
            'creationTime': {
                'attr_key': 'TSK_DATETIME_CREATED',
            },
            'realname': {
                'attr_key': 'TSK_NAME',
            },
            'uid': {
                'attr_key': 'TSK_USER_ID',
            },
            'name': {
                'attr_key': 'TSK_USER_NAME',
            },
        }

        self.hashedCredentialAttributeTypes = {
            'hashType': {
                'attr_key': 'TSK_HASH_TYPE',
                'attr_type': BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
                'display_name': 'Hash Type',
                'custom': True,
            },
            'salt': {
                'attr_key': 'TSK_SALT',
                'attr_type': BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
                'display_name': 'Salt',
                'custom': True,
            },
            'iterations': {
                'attr_key': 'TSK_ITERATIONS',
                'attr_type': BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG,
                'display_name': 'Iterations',
                'custom': True,
            },
            'entropy': {
                'attr_key': 'TSK_HASH_ENTROPY',
                'attr_type': BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
                'display_name': 'Entropy',
                'custom': True,
            },
            'verifier': {
                'attr_key': 'TSK_VERIFIER',
                'attr_type': BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
                'display_name': 'Verifier',
                'custom': True,
            },
            'hashcatEntry': {
                'attr_key': 'TSK_HASHCAT_ENTRY',
                'attr_type': BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
                'display_name': 'Hashcat Entry',
                'custom': True,
            },
        }

        self.moduleName = "MacOSX Account Parser"
        self.temporary_dir = os.path.join(Case.getCurrentCase().getTempDirectory(), self.moduleName.replace(' ', '_'))

        self.case = Case.getCurrentCase().getSleuthkitCase()
        self.file_manager = Case.getCurrentCase().getServices().getFileManager()
        self.blackboard = Case.getCurrentCase().getSleuthkitCase().getBlackboard()

    def startUp(self, context):
        self.context = context

    def process(self, dataSource, progressBar):

        try:
            os.mkdir(self.temporary_dir)
        except:
            pass

        progressBar.switchToIndeterminate()

        self.setup_custom_artifact_types()
        self.setup_custom_attribute_types()

        filesProcessed = 0

        files = self.file_manager.findFiles(dataSource, "%.plist", "%var/db/dslocal/nodes/Default/users/")

        totalNumberFiles = len(files)
        progressBar.switchToDeterminate(totalNumberFiles)

        self.log(Level.INFO, "Found " + str(totalNumberFiles) + " files to process.")
        for file in files:
            self.log(Level.INFO, "Processing %s" % file.getName())

            # Check if the user pressed cancel while we were busy
            if self.context.isJobCancelled():
                return IngestModule.ProcessResult.OK

            # Copy the Plist file to a temporary directory to work with
            tmpPlistFile = self.copy_to_temp_directory(file)
            self.log(Level.INFO, "Reading %s as a plist" % tmpPlistFile)

            try:
                # Read the Plist file using biplist
                plist = readPlist(tmpPlistFile)

                # Extract all of the plist data that we can
                extractedData = self.extract_plist_data(plist)

                # Each Plist file gets a generic TSK_OS_ACCOUNT Artifact Type
                osAccountArtifact = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_ACCOUNT)
                osArtifactAttributes = []

                # We can iterate over any expected attribute types and assign them to the artifact.
                for dictKey in self.osAccountAttributeTypes:
                    try:
                        osArtifactAttributes.append(BlackboardAttribute(
                            self.case.getAttributeType(self.osAccountAttributeTypes[dictKey]['attr_key']),
                            self.moduleName, extractedData[dictKey]))
                    except KeyError:
                        # Discarding the attribute type if, for whatever reason, they're not in the Plist.
                        pass

                # When we're done, go ahead and add them to the OS Account Artifact. We'll post it later.
                osAccountArtifact.addAttributes(osArtifactAttributes)

                # An account shadow can have multiple hashes (e.g. SALTED-SHA512-PBKDF2 & SRP-RFC5054-4096-SHA512-PBKDF2)
                # so we'll create an array to handle them all, then add them all at the end.
                hashedCredArtifacts = []

                # For each extracted hash
                for shadow in extractedData['shadows']:
                    # Create a new artifact using our custom TSK_HASHED_CREDENTIAL artifact type we set up earlier.
                    hashedCredArtifact = file.newArtifact(self.case.getArtifactTypeID("TSK_HASHED_CREDENTIAL"))

                    hashedCredArtifactAttributes = []
                    # We can iterate over any expected attribute types and assign them to the artifact.
                    for dictKey in self.hashedCredentialAttributeTypes:
                        try:
                            hashedCredArtifactAttributes.append(BlackboardAttribute(
                                self.case.getAttributeType(
                                    self.hashedCredentialAttributeTypes[dictKey]['attr_key']),
                                self.moduleName, shadow[dictKey]
                            ))
                        except KeyError:
                            # Discarding the attribute type if, for whatever reason, they're not in the Plist.
                            pass

                    # Add the attributes to the artifact.
                    hashedCredArtifact.addAttributes(hashedCredArtifactAttributes)
                    # and add our artifact to the array of found shadows for the account.
                    hashedCredArtifacts.append(hashedCredArtifact)

                try:
                    # Post our extracted account information.
                    self.blackboard.postArtifact(osAccountArtifact, self.moduleName)

                    # Then iterate over our harvested credential hashes for the account, posting them.
                    for hashedCredArtifact in hashedCredArtifacts:
                        self.blackboard.postArtifact(hashedCredArtifact, self.moduleName)

                except Blackboard.BlackboardException:
                    self.log(Level.SEVERE,
                             "Unable to index blackboard artifact " + str(osAccountArtifact.getArtifactTypeName()))

            except (InvalidPlistException, NotBinaryPlistException) as e:
                self.log(Level.INFO, "Unable to parse %s as a Plist file. Skipping." % file.getName())

            # We're done processing the Plist file, clean it up from our temporary directory.
            self.remove_from_temp_directory(file)

            # Update the progress bar, as progress has been made.
            filesProcessed += 1
            progressBar.progress(filesProcessed)

        # We're done. Post a status message for the user.
        IngestServices.getInstance().postMessage(
            IngestMessage.createMessage(IngestMessage.MessageType.DATA, self.moduleName,
                                        "Done processing %d OSX user accounts." % totalNumberFiles))

        return IngestModule.ProcessResult.OK

    # Given a Plist object obtained from biplist, iterate through and extract the information we're interested in.
    def extract_plist_data(self, plist):
        # Basic shell, will be returned at the end of all of this.
        extractedInformation = {'shadows': []}

        # Keys in the Plist that we're going to be extracting as strings.
        interestingStrKeys = ['uid', 'home', 'shell', 'realname', 'hint', 'name', 'generateduuid', 'IsHidden']

        # Plist values are stored in an array by default; take the first element.
        # If a key doesn't exist, default it to an empty array so nothing is extracted for it.
        for key in interestingStrKeys:
            try:
                extractedInformation[key] = plist.setdefault(key, [])[0]
            except (IndexError, KeyError):
                pass

        # accountPolicyData is where some basic information about the account is stored.
        if 'accountPolicyData' in plist and len(plist['accountPolicyData']):
            accountPolicyData = self.readPlistFromString(plist['accountPolicyData'][0])

            # Timestamp keys that we're interested in.
            interestingTsKeys = ['failedLoginTimestamp', 'creationTime', 'passwordLastSetTime']
            # Integer keys that we're interested in.
            interestingIntKeys = ['failedLoginCount']

            for key in interestingIntKeys:
                if key in accountPolicyData:
                    extractedInformation[key] = accountPolicyData[key]

            for key in interestingTsKeys:
                if key in accountPolicyData:
                    # Convert the String into a Long for Autopsy
                    extractedInformation[key] = long(float(accountPolicyData[key]))

        # ShadowHashData is where the account credentials are stored,
        # as a Plist inside of the current Plist. Plist-ception.
        if 'ShadowHashData' in plist:
            try:
                shadowHashPlist = self.readPlistFromString(plist['ShadowHashData'][0])
                # Multiple hash types can be stored inside of here - we want all of them.
                for hashType in shadowHashPlist:
                    hashDetails = {
                        'hashType': hashType,
                        'salt': '',
                        'entropy': '',
                        'iterations': '',
                        'verifier': '',
                        # hashcatEntry is not stored in the ShadowHashData - we'll be generating it later.
                        'hashcatEntry': '',
                    }

                    for key in shadowHashPlist[hashType]:
                        # We'll want to convert these into hex for storage
                        if key in ['salt', 'entropy', 'verifier']:
                            shadowHashPlist[hashType][key] = shadowHashPlist[hashType][key].encode('hex')

                        # Add what we find to our results
                        hashDetails[key] = shadowHashPlist[hashType][key]

                    # If the hash is of type SALTED-SHA512-PBKDF2,
                    # then we generate the hash that we would feed to Hashcat in the form of:
                    # $ml$(iterations)$(salt)$(first 128 hex characters, i.e. 64 bytes, of entropy)
                    if hashDetails['hashType'] == 'SALTED-SHA512-PBKDF2':
                        hashDetails['hashcatEntry'] = "$ml$%s$%s$%s" % (
                            hashDetails['iterations'], hashDetails['salt'], hashDetails['entropy'][:128])
                    else:
                        hashDetails['hashcatEntry'] = ''

                    # Add it to our list of found shadows
                    extractedInformation['shadows'].append(hashDetails)

            except (InvalidPlistException, NotBinaryPlistException) as e:
                self.log(Level.INFO, "ShadowHashData is not a plist: %s" % e)
        return extractedInformation

    def setup_custom_attribute_types(self):
        self.log(Level.INFO, "Setting up custom attribute types.")
        # Set up custom attribute types of OS Accounts
        for attribute in self.osAccountAttributeTypes:
            if self.osAccountAttributeTypes[attribute].setdefault('custom', False):
                self.create_custom_attribute_type(self.osAccountAttributeTypes[attribute]['attr_key'],
                                                  self.osAccountAttributeTypes[attribute]['attr_type'],
                                                  self.osAccountAttributeTypes[attribute]['display_name'])

        # Set up custom attribute types for hashed credentials.
        for attribute in self.hashedCredentialAttributeTypes:
            if self.hashedCredentialAttributeTypes[attribute].setdefault('custom', False):
                self.create_custom_attribute_type(self.hashedCredentialAttributeTypes[attribute]['attr_key'],
                                                  self.hashedCredentialAttributeTypes[attribute]['attr_type'],
                                                  self.hashedCredentialAttributeTypes[attribute]['display_name'])

        self.log(Level.INFO, 'Done setting up custom attribute types.')

    def create_custom_attribute_type(self, attr_key, attr_type, attr_display_name):
        try:
            self.case.addArtifactAttributeType(attr_key, attr_type, attr_display_name)
        except:
            self.log(Level.INFO,
                     "Exception while creating the \"%s\" Attribute Type." %
                     attr_display_name)

    def setup_custom_artifact_types(self):
        self.log(Level.INFO, "Setting up custom artifact types.")
        try:
            self.case.addArtifactType("TSK_HASHED_CREDENTIAL", "Hashed Credentials")
        except:
            self.log(Level.INFO,
                     "Exception while creating the TSK_HASHED_CREDENTIAL Artifact Type.")
        self.log(Level.INFO, "Done setting up custom artifact types.")

    # Read a string as a Plist
    # We have to use this instead of the biplist readPlistFromString method, as io.BytesIO is native
    def readPlistFromString(self, data):
        return readPlist(StringIO(data))

    # Given a file object, simply copies a file to a temporary location and returns the file path.
    def copy_to_temp_directory(self, file):
        filepath = self.get_temporary_file_path(file)
        ContentUtils.writeToFile(file, File(filepath))
        return filepath

    # Given a file object, removes it from the temporary directory.
    def remove_from_temp_directory(self, file):
        filepath = self.get_temporary_file_path(file)
        try:
            os.remove(filepath)
        except:
            self.log(Level.INFO, "Failed to remove file " + filepath)

    # Returns the location we should be storing temporary files.
    def get_temporary_file_path(self, file):
        return os.path.join(self.temporary_dir, str(file.getId()) + "-" + file.getName())
```

--------------------------------------------------------------------------------
/IngestModules/MacOSX_Recent/README.md:
--------------------------------------------------------------------------------
- __Description:__ Parses recent macOS artifacts
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows
- __Module Location:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/MacOSX_Recent
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/MacOSX_Recent
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/MacOSX_Recent
- __License:__ GNU General Public License Version 3

--------------------------------------------------------------------------------
/IngestModules/MacOSX_Safari/README.md:
--------------------------------------------------------------------------------
- __Description:__ Parses Safari web history from a macOS system
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows
- __Module Location:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/MacOSX_Safari
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/MacOSX_Safari
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/MacOSX_Safari
- __License:__ GNU General Public License Version 3
--------------------------------------------------------------------------------
/IngestModules/Microsoft_Teams_Parser/README.md:
--------------------------------------------------------------------------------
- __Description:__ This plugin enumerates the Microsoft Teams LevelDB database and extracts information such as:
    - Call data
    - Messages (chats, posts and comments) and their attachments, such as SharePoint links for files and hyperlinks
    - Reactions for messages
    - Calendar entries
    - Contacts
- __Author:__ Alexander Bilz
- __Minimum Autopsy version:__ 4.18.0
- __OS's supported on:__ Windows
- __Module Location:__ https://github.com/lxndrblz/forensicsim/
- __Website:__ https://forensics.im
- __Source Code:__ https://github.com/lxndrblz/forensicsim/
- __License:__ MIT License

--------------------------------------------------------------------------------
/IngestModules/Parse_Plist/README.md:
--------------------------------------------------------------------------------
- __Description:__ Parses user-defined plists on a macOS system
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows, Linux
- __Module Location:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Parse_Plist
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Parse_Plist
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Parse_Plist
- __License:__ GNU General Public License Version 3

--------------------------------------------------------------------------------
/IngestModules/Parse_SAM/README.md:
--------------------------------------------------------------------------------
- __Description:__ Parses the SAM database from a Windows image
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows, Linux
- __Module Location:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Parse_SAM
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Parse_SAM
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Parse_SAM
- __License:__ GNU General Public License Version 3

--------------------------------------------------------------------------------
/IngestModules/Parse_SQLite_Databases/README.md:
--------------------------------------------------------------------------------
- __Description:__ Parses a SQLite database defined by the user
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows, Linux
- __Module Location:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Parse_SQLite_Databases
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Parse_SQLite_Databases
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Parse_SQLite_Databases
- __License:__ GNU General Public License Version 3

--------------------------------------------------------------------------------
/IngestModules/Parse_SQLite_Del_Records/README.md:
--------------------------------------------------------------------------------
- __Description:__ Extracts deleted records from a SQLite database
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows
- __Module Location:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Parse_SQLite_Del_Records
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Parse_SQLite_Del_Records
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Parse_SQLite_Del_Records
- __License:__ GNU General Public License Version 3
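Several of the modules listed here, and the Skype Analyzer module whose source (Skype.py) appears further down this page, follow the same pattern: confirm that a candidate file really is a SQLite database by its header, then pull the forensically interesting rows out with plain SQL. The following is an added example, not code from this page or from Tom Van der Mussele's plugin: it reproduces the Skype module's header check and its accounts/messages/callmembers queries with Python's standard-library sqlite3 so the logic can be run and inspected outside Autopsy. The table layout is a constructed subset of a Skype main.db containing only the columns the module queries; the account names, timestamps and the 198.51.100.7 address are constructed sample data.

```python
# Added example (not code from this page or from the Skype Analyzer plugin):
# the extraction that the Skype.py ingest module on this page performs inside
# Autopsy, redone with the standard-library sqlite3 module so it runs
# stand-alone. The tables below are a constructed subset of a Skype main.db
# holding only the columns the module queries.
import os
import shutil
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of every SQLite 3 file


def is_sqlite_file(path):
    """Same idea as the module's check: trust the file header, not the name."""
    with open(path, "rb") as f:
        return f.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC


def build_sample_db(path):
    """Create a constructed main.db look-alike with the tables the module reads."""
    conn = sqlite3.connect(path)
    cur = conn.cursor()
    cur.execute("CREATE TABLE accounts (skypename TEXT)")
    cur.execute("CREATE TABLE messages (chatname TEXT, author TEXT, "
                "timestamp INTEGER, body_xml TEXT)")
    cur.execute("CREATE TABLE callmembers (guid TEXT, identity TEXT, dispname TEXT, "
                "start_timestamp INTEGER, ip_address TEXT, call_duration INTEGER)")
    cur.execute("INSERT INTO accounts VALUES ('alice.example')")
    # Inserted out of chronological order on purpose: the query has to sort them.
    cur.executemany("INSERT INTO messages VALUES (?, ?, ?, ?)", [
        ("#alice.example/$bob.example;1", "bob.example", 1600000060, "hi"),
        ("#alice.example/$bob.example;1", "alice.example", 1600000000, "hello"),
    ])
    cur.execute("INSERT INTO callmembers VALUES (?, ?, ?, ?, ?, ?)",
                ("call-guid-1", "bob.example", "Bob", 1600003600, "198.51.100.7", 150))
    conn.commit()
    conn.close()


def extract_skype(path):
    """Return accounts, messages and calls in the shape the module posts as artifacts."""
    conn = sqlite3.connect(path)
    accounts = [row[0] for row in conn.execute("SELECT skypename FROM accounts")]
    messages = conn.execute(
        "SELECT chatname, author, datetime(timestamp, 'unixepoch') AS msg_time, body_xml "
        "FROM messages ORDER BY msg_time ASC").fetchall()
    calls = conn.execute(
        "SELECT guid, identity, dispname, datetime(start_timestamp, 'unixepoch') "
        "AS start_time, ip_address, call_duration FROM callmembers "
        "ORDER BY start_time ASC").fetchall()
    conn.close()
    return {
        "accounts": accounts,
        "messages": [
            {"chatname": c, "author": a, "time": t, "message": m}
            for c, a, t, m in messages
        ],
        "calls": [
            # The module reports call_duration (seconds) as whole minutes via
            # Python 2 integer division; // reproduces that on Python 3.
            {"guid": g, "identity": i, "display_name": d, "start_time": s,
             "ip_address": ip, "duration_min": dur // 60}
            for g, i, d, s, ip, dur in calls
        ],
    }


def demo():
    """Build the sample database in a temp dir, run the header check and extraction."""
    tmpdir = tempfile.mkdtemp()
    try:
        db_path = os.path.join(tmpdir, "main.db")
        build_sample_db(db_path)
        # A non-database file with a plausible name must be rejected by the header check.
        decoy = os.path.join(tmpdir, "decoy-main.db")
        with open(decoy, "wb") as f:
            f.write(b"not a database\n")
        result = extract_skype(db_path) if is_sqlite_file(db_path) else None
        return {"extracted": result, "decoy_is_sqlite": is_sqlite_file(decoy)}
    finally:
        shutil.rmtree(tmpdir)


if __name__ == "__main__":
    out = demo()
    for msg in out["extracted"]["messages"]:
        print(msg["time"], msg["author"], msg["message"])
    for call in out["extracted"]["calls"]:
        print(call["start_time"], call["identity"], call["ip_address"], call["duration_min"])
```

Two points worth noticing when comparing this with the Jython module: the header check is what lets the module report a database as "non-encrypted", since an encrypted or otherwise altered main.db will not carry the SQLite magic even if its name matches; and the call duration the module stores is a truncated minute count, so a 150-second call is recorded as 2 minutes.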
--------------------------------------------------------------------------------
/IngestModules/Parse_Shellbags/README.md:
--------------------------------------------------------------------------------
- __Description:__ Parses the user's shellbags
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows, Linux
- __Module Location:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Parse_Shellbags
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Parse_Shellbags
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Parse_Shellbags
- __License:__ GNU General Public License Version 3

--------------------------------------------------------------------------------
/IngestModules/Parse_USNJ/README.md:
--------------------------------------------------------------------------------
- __Description:__ Parses the USN Journal in a Windows image
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows, Linux
- __Module Location:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Parse_SQLite_Del_Records
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Parse_SQLite_Del_Records
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Parse_SQLite_Del_Records
- __License:__ GNU General Public License Version 3

--------------------------------------------------------------------------------
/IngestModules/Plaso/README.md:
--------------------------------------------------------------------------------
- __Description:__ Runs Plaso against an image
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows, Linux
- __Module Location:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Plaso
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Plaso
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Plaso
- __License:__ GNU General Public License Version 3

--------------------------------------------------------------------------------
/IngestModules/Process_ActivitiesCache/README.md:
--------------------------------------------------------------------------------
- __Description:__ Parses the user's Activities cache (Timeline)
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows, Linux
- __Module Location:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_ActivitiesCache
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_ActivitiesCache
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_ActivitiesCache
- __License:__ GNU General Public License Version 3

--------------------------------------------------------------------------------
/IngestModules/Process_Amcache/README.md:
--------------------------------------------------------------------------------
- __Description:__ Parses the Amcache on a Windows system
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows, Linux
- __Module Location:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_Amcache
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_Amcache
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_Amcache
- __License:__ GNU General Public License Version 3

--------------------------------------------------------------------------------
/IngestModules/Process_Appx_Programs/README.md:
--------------------------------------------------------------------------------
- __Description:__ Parses all Appx programs installed on the image
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows, Linux
- __Module Location:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_Appx_Programs
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_Appx_Programs
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_Appx_Programs
- __License:__ GNU General Public License Version 3

--------------------------------------------------------------------------------
/IngestModules/Process_Appxreg_Programs/README.md:
--------------------------------------------------------------------------------
- __Description:__ Parses AppX programs from the user's registry
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows, Linux
- __Module Location:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_Appxreg_Programs
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_Appxreg_Programs
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_Appxreg_Programs
- __License:__ GNU General Public License Version 3

--------------------------------------------------------------------------------
/IngestModules/Process_EVTX/README.md:
--------------------------------------------------------------------------------
- __Description:__ Parses EVTX records on Windows Vista and above.
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows, Linux
- __Module Location:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_EVTX
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_EVTX
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_EVTX
- __License:__ GNU General Public License Version 3

--------------------------------------------------------------------------------
/IngestModules/Process_EVTX_By_EventID/README.md:
--------------------------------------------------------------------------------
- __Description:__ Processes Event logs based on selected Event IDs
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows, Linux
- __Module Location:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_EVTX_By_EventID
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_EVTX_By_EventID
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_EVTX_By_EventID
- __License:__ GNU General Public License Version 3

--------------------------------------------------------------------------------
/IngestModules/Process_Extract_VSS/README.md:
--------------------------------------------------------------------------------
- __Description:__ Parses the Volume Shadow copies of an image and stores the data as logical data sources
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows, Linux
- __Module Location:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_Extract_VSS
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_Extract_VSS
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_Extract_VSS
- __License:__ GNU General Public License Version 3

--------------------------------------------------------------------------------
/IngestModules/Process_Facebook_Chats/README.md:
--------------------------------------------------------------------------------
- __Description:__ Parses Facebook Windows app chats
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows
- __Module Location:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_Facebook_Chats
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_Facebook_Chats
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_Facebook_Chats
- __License:__ GNU General Public License Version 3

--------------------------------------------------------------------------------
/IngestModules/Process_Prefetch_Files_V41/README.md:
--------------------------------------------------------------------------------
- __Description:__ Parses Windows prefetch files
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows, Linux
- __Module Location:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_Prefetch_Files_V41
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_Prefetch_Files_V41
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_Prefetch_Files_V41
- __License:__ GNU General Public License Version 3

--------------------------------------------------------------------------------
/IngestModules/Process_SRUDB/README.md:
--------------------------------------------------------------------------------
- __Description:__ Parses the System Resource Usage database
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows, Linux
- __Module Location:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_SRUDB
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_SRUDB
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_SRUDB
- __License:__ GNU General Public License Version 3

--------------------------------------------------------------------------------
/IngestModules/Process_TeraCopy/README.md:
--------------------------------------------------------------------------------
- __Description:__ Parses the TeraCopy database
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows, Linux
- __Module Location:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_TeraCopy
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_TeraCopy
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_TeraCopy
- __License:__ GNU General Public License Version 3

--------------------------------------------------------------------------------
/IngestModules/Process_Windows_Mail/README.md:
--------------------------------------------------------------------------------
- __Description:__ Parses Windows Mail
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows, Linux
- __Module Location:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_Windows_Mail
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_Windows_Mail
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Process_Windows_Mail
- __License:__ GNU General Public License Version 3

--------------------------------------------------------------------------------
/IngestModules/README.md:
--------------------------------------------------------------------------------
# Ingest Modules

Ingest modules analyze data sources in pipelines. They can run in parallel, and all files in the data source will typically be analyzed by them (unless there are ingest filters in place for triage situations).

This is the most common extension point in Autopsy, and modules can be written in either Java or Python.

These modules analyze the content for different things and then post their results to the backend database so that they can be seen by the user. These modules do not have a user interface except for configuration.

--------------------------------------------------------------------------------
/IngestModules/Recycle_Bin/README.md:
--------------------------------------------------------------------------------
- __Description:__ Parses the information in the Recycle Bin from Windows Vista and above.
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows, Linux
- __Module Location:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Recycle_Bin
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Recycle_Bin
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Recycle_Bin
- __License:__ GNU General Public License Version 3

--------------------------------------------------------------------------------
/IngestModules/Registry-Explorer/README.md:
--------------------------------------------------------------------------------
- __Description:__ Analyzes Registry hives based on the bookmarks provided by Eric Zimmerman for his tool RegistryExplorer.
- __Author:__ Mohammed Hasan (0xmohammedhassan@gmail.com)
- __Minimum Autopsy version:__ 4.19.3
- __Module Location:__ https://github.com/0xMohammed/Autopsy-Registry-Explorer/releases/download/v0.1Beta/RegistryExplorerv0.2Beta.zip
- __Website:__ https://github.com/0xMohammed/Autopsy-Registry-Explorer
- __Source Code:__ https://github.com/0xMohammed/Autopsy-Registry-Explorer
- __License:__ GNU General Public License v3.0

--------------------------------------------------------------------------------
/IngestModules/Shimcache_parser/README.md:
--------------------------------------------------------------------------------
- __Description:__ Parses the shimcache on a Windows system
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows, Linux
- __Module Location:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Shimcache_parser
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Shimcache_parser
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Shimcache_parser
- __License:__ GNU General Public License Version 3

--------------------------------------------------------------------------------
/IngestModules/Skype/README.md:
--------------------------------------------------------------------------------
- __Description:__ The plugin investigates Skype databases within a Windows environment and extracts information such as:
    - Call data
    - IP addresses
    - Chats
    - Names
- __Author:__ Tom Van der Mussele
- __Minimum Autopsy version:__ 4.3.0
- __Source Code:__ https://github.com/tomvandermussele/autopsy-plugins/tree/master/Skype%20Analyzer
- __License:__ GNU General Public License Version 3

--------------------------------------------------------------------------------
/IngestModules/Skype/skype_analyzer/Skype.py:
--------------------------------------------------------------------------------
# This module extracts some data (chats, IP addresses, calls info,...) from identified Skype databases and organizes it in the Tree Viewer Window


# Please note this is a non-exhaustive extraction of data; it is recommended to
# manually inspect the database for more forensic artifacts and use this as an indicator.
#
# Contact: Tom Van der Mussele [tomvandermussele gmail [dot] com]
#
# This is free and unencumbered software released into the public domain.
#
# Anyone is free to copy, modify, publish, use, compile, sell, or
# distribute this software, either in source code form or as a compiled
# binary, for any purpose, commercial or non-commercial, and by any
# means.
#
# In jurisdictions that recognize copyright laws, the author or authors
# of this software dedicate any and all copyright interest in the
# software to the public domain. We make this dedication for the benefit
# of the public at large and to the detriment of our heirs and
# successors. We intend this dedication to be an overt act of
# relinquishment in perpetuity of all present and future rights to this
# software under copyright law.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
# IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
# OTHER DEALINGS IN THE SOFTWARE.
#
# Skype Analyzer - tvdm
#

import jarray
import inspect
import os
from java.lang import Class
from java.lang import System
from java.sql import DriverManager, SQLException
from java.util.logging import Level
from java.io import File
from org.sleuthkit.datamodel import SleuthkitCase
from org.sleuthkit.datamodel import AbstractFile
from org.sleuthkit.datamodel import ReadContentInputStream
from org.sleuthkit.datamodel import BlackboardArtifact
#from org.sleuthkit.databases import TskDBBlackboard
from org.sleuthkit.datamodel import BlackboardAttribute
from org.sleuthkit.autopsy.ingest import IngestModule
from org.sleuthkit.autopsy.ingest.IngestModule import IngestModuleException
from org.sleuthkit.autopsy.ingest import DataSourceIngestModule
from org.sleuthkit.autopsy.ingest import IngestModuleFactoryAdapter
from org.sleuthkit.autopsy.ingest import IngestMessage
from org.sleuthkit.autopsy.ingest import IngestServices
from org.sleuthkit.autopsy.ingest import ModuleDataEvent
from org.sleuthkit.autopsy.coreutils import Logger
from org.sleuthkit.autopsy.casemodule import Case
from org.sleuthkit.autopsy.datamodel import ContentUtils
from org.sleuthkit.autopsy.casemodule.services import Services
from org.sleuthkit.autopsy.casemodule.services import FileManager
from org.sleuthkit.autopsy.casemodule.services import Blackboard



# Factory that defines the name and details of the module and allows Autopsy
# to create instances of the modules that will do the analysis.
class SkypeDbIngestModuleFactory(IngestModuleFactoryAdapter):

    moduleName = "Skype Analyzer - tvdm"

    def getModuleDisplayName(self):
        return self.moduleName

    def getModuleDescription(self):
        return "Identifies Skype databases and extracts information which could be used as indications"

    def getModuleVersionNumber(self):
        return "1.0"

    def isDataSourceIngestModuleFactory(self):
        return True

    def createDataSourceIngestModule(self, ingestOptions):
        return SkypeDbIngestModule()



class SkypeDbIngestModule(DataSourceIngestModule):

    _logger = Logger.getLogger(SkypeDbIngestModuleFactory.moduleName)

    def log(self, level, msg):
        self._logger.logp(level, self.__class__.__name__, inspect.stack()[1][3], msg)

    def __init__(self):
        self.context = None


    def startUp(self, context):
        self.context = context

        pass




    def process(self, dataSource, progressBar):

        test=IngestServices.getInstance()
        msgcounter = 0
        progressBar.switchToIndeterminate()
        ccase = Case.getCurrentCase().getSleuthkitCase()
        blackboard = Case.getCurrentCase().getServices().getBlackboard()
        fileManager = Case.getCurrentCase().getServices().getFileManager()
        files = fileManager.findFiles(dataSource, "main.db")
        numFiles = len(files)
        progressBar.switchToDeterminate(numFiles)
        fileCount = 0

        for file in files:
            fileCount += 1
            progressBar.progress(fileCount)
            progressBar.progress("Skype Analyzer")
            if self.context.isJobCancelled():
                return IngestModule.ProcessResult.OK
            self.log(Level.INFO, "++++++Processing file: " + file.getName())
            self.log(Level.INFO, "File count:" + str(fileCount))
            lclDbPath = os.path.join(Case.getCurrentCase().getTempDirectory(), str(file.getId()) + ".db")
            ContentUtils.writeToFile(file, File(lclDbPath))
            binary_file = open(lclDbPath, "rb")
            data = binary_file.read(15)
            binary_file.close()
            if str(data) == "SQLite format 3":
                message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                    "Skype Analyzer", file.getName() + " identified as non-encrypted SQLite database" , str(msgcounter ))
                IngestServices.getInstance().postMessage(message)
                msgcounter+=1
                try:
                    Class.forName("org.sqlite.JDBC").newInstance()
                    dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % lclDbPath)
                except SQLException as e:
                    message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                        "Skype Analyzer","Cannot open " + file.getName()+ " as SQLite", str(msgcounter))
                    IngestServices.getInstance().postMessage(message)
                    msgcounter+=1
                    #return IngestModule.ProcessResult.ERROR
                # Query the contacts table in the database and get all columns.
                try:
                    stmt = dbConn.createStatement()
                    stmt2 = dbConn.createStatement()
                    stmt3 = dbConn.createStatement()
                    stmt4 = dbConn.createStatement()
                    stmt5 = dbConn.createStatement()
                    try:
                        resultSet4 = stmt4.executeQuery("select skypename from accounts;")
                        resultSet5 = stmt5.executeQuery("select count(skypename) 'count' from accounts;")
                        skypename = resultSet4.getString("skypename")
                        no_of_accounts = resultSet5.getInt("count")
                        if no_of_accounts > 0:
                            ccase = Case.getCurrentCase().getSleuthkitCase()
                            SQL_String_1 = "Select chatname, author, datetime(timestamp, 'unixepoch') 'Time' ,body_xml 'Message' from messages ORDER by Time asc;"
                            artifact_name = "TSK_MSG_" + skypename
                            artifact_desc = "Skype Analyzer Chats: " + skypename
                            try:
                                #Try adding the Artifact Type
                                artID_skype = ccase.addArtifactType(artifact_name, artifact_desc)
                            except:
                                self.log(Level.INFO, "Artifacts Creation Error, some artifacts may not exist now. ==> ")
                            artID_skype = ccase.getArtifactTypeID(artifact_name)
                            artID_skype_evt = ccase.getArtifactType(artifact_name)
                            #
                            # Messages
                            #
                            #
                            resultSet3 = stmt3.executeQuery(SQL_String_1)
                            resultSet2 = stmt2.executeQuery("SELECT count(*) 'Count' from Messages;")
                            message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                                "Skype Analyzer", skypename + " has " + str(resultSet2.getInt("Count")) + " messages", str(msgcounter))
                            IngestServices.getInstance().postMessage(message)
                            msgcounter+=1
                            if resultSet2.getInt("Count") > 0:


                                try:

                                    attribute_name = "TSK_SKYPE_MSG_AUTHOR"
                                    attribute_name2 = "TSK_SKYPE_MSG_TIME"
                                    attribute_name3 = "TSK_SKYPE_MSG_MESSAGE"
                                    attribute_name4 = "TSK_SKYPE_MSG_CHATNAME"
                                    attID_ex1 = ccase.addArtifactAttributeType(attribute_name2, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Time")
                                    attID_ex2 = ccase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Author")
                                    attID_ex3 = ccase.addArtifactAttributeType(attribute_name3, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Message")
                                    attID_ex4 = ccase.addArtifactAttributeType(attribute_name4, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Chatname")
                                except:
                                    pass
                                while resultSet3.next():
                                    if self.context.isJobCancelled():
                                        # createMessage expects a string ID, as every other call in this module passes
                                        message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                                            "Skype Analyzer", "ID : Cancelled", str(msgcounter))

                                        IngestServices.getInstance().postMessage(message)
                                        msgcounter+=1
                                        return IngestModule.ProcessResult.OK
                                    art = file.newArtifact(artID_skype)
                                    author = resultSet3.getString("author")
                                    time = resultSet3.getString("Time")
                                    msg = resultSet3.getString("Message")
                                    chatname = resultSet3.getString("chatname")
                                    #Chatname
                                    attID_ex1 = ccase.getAttributeType("TSK_SKYPE_MSG_CHATNAME")
                                    art.addAttribute(BlackboardAttribute(attID_ex1, SkypeDbIngestModuleFactory.moduleName, chatname))
                                    #Time
                                    attID_ex1 = ccase.getAttributeType("TSK_SKYPE_MSG_TIME")
                                    art.addAttribute(BlackboardAttribute(attID_ex1, SkypeDbIngestModuleFactory.moduleName, time))
                                    #Author
                                    attID_ex1 = ccase.getAttributeType("TSK_SKYPE_MSG_AUTHOR")
                                    art.addAttribute(BlackboardAttribute(attID_ex1, SkypeDbIngestModuleFactory.moduleName, author))
                                    #Message
                                    attID_ex1 = ccase.getAttributeType("TSK_SKYPE_MSG_MESSAGE")
                                    art.addAttribute(BlackboardAttribute(attID_ex1, SkypeDbIngestModuleFactory.moduleName, msg))
                                    IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(SkypeDbIngestModuleFactory.moduleName, \
                                        artID_skype_evt, None))
                            else:
                                message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                                    "Skype Analyzer", skypename + " has no messages", str(msgcounter))
                                IngestServices.getInstance().postMessage(message)
                                msgcounter+=1
                            #
                            # Calls
                            #
                            #
                            artifact_name2 = "TSK_CALL_" + skypename
                            artifact_desc2 = "Skype Analyzer Calls: " + skypename
                            try:
                                #Try adding the Artifact Type
                                artID_skype = ccase.addArtifactType( artifact_name2, artifact_desc2)
                            except:
                                self.log(Level.INFO, "Artifacts Creation Error, some artifacts may not exist now. ==> ")

                            artID_skype = ccase.getArtifactTypeID(artifact_name2)
                            artID_skype_evt = ccase.getArtifactType(artifact_name2)
                            #
                            resultSet3 = stmt3.executeQuery("select guid, identity, dispname, datetime(start_timestamp, 'unixepoch') 'StartTime', ip_address, call_duration from callmembers ORDER by StartTime asc;")
                            resultSet2 = stmt2.executeQuery("SELECT count(*) 'Count' from callmembers;")
                            if resultSet2.getInt("Count") > 0:
                                message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                                    "Skype Analyzer", skypename + " had " + str(resultSet2.getInt("Count")) + " calls", str(msgcounter))
                                IngestServices.getInstance().postMessage(message)
                                msgcounter+=1

                                try:
                                    attribute_name = "TSK_SKYPE_CALL_IDENTITY"
                                    attribute_name2 = "TSK_SKYPE_CALL_TIME"
                                    attribute_name3 = "TSK_SKYPE_CALL_GUID"
                                    attribute_name4 = "TSK_SKYPE_CALL_DURATION"
                                    attribute_name5 = "TSK_SKYPE_CALL_IP"
                                    attribute_name6 = "TSK_SKYPE_CALL_DISPLAYNAME"
                                    attID_ex1 = ccase.addArtifactAttributeType(attribute_name2, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Time")
                                    attID_ex2 = ccase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Person")
                                    attID_ex3 = ccase.addArtifactAttributeType(attribute_name3, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "CallGUID")
                                    attID_ex4 = ccase.addArtifactAttributeType(attribute_name4, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Duration (Min)")
                                    attID_ex5 = ccase.addArtifactAttributeType(attribute_name5, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "IP Address")
                                    attID_ex6 = ccase.addArtifactAttributeType(attribute_name6, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "DisplayName")
                                except:
                                    pass
                                while resultSet3.next():
                                    if self.context.isJobCancelled():
                                        message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                                            "Skype Analyzer", "ID : Cancelled", str(msgcounter))
                                        IngestServices.getInstance().postMessage(message)
                                        msgcounter+=1
                                        return IngestModule.ProcessResult.OK
                                    art = file.newArtifact(artID_skype)
                                    identity = resultSet3.getString("identity")
                                    time = resultSet3.getString("StartTime")
                                    guid = resultSet3.getString("guid")
                                    ip = resultSet3.getString("ip_address")
                                    display = resultSet3.getString("dispname")
                                    durtemp = resultSet3.getInt("call_duration")
                                    # call_duration is in seconds; Python 2 integer division yields whole minutes
                                    duration = durtemp / 60
                                    #Time
                                    attID_ex1 = ccase.getAttributeType("TSK_SKYPE_CALL_TIME")
                                    art.addAttribute(BlackboardAttribute(attID_ex1, SkypeDbIngestModuleFactory.moduleName, time))
                                    #IDENTITY
                                    attID_ex1 = ccase.getAttributeType("TSK_SKYPE_CALL_IDENTITY")
                                    art.addAttribute(BlackboardAttribute(attID_ex1, SkypeDbIngestModuleFactory.moduleName, identity))
                                    #DISPLAYNAME
                                    attID_ex1 = ccase.getAttributeType("TSK_SKYPE_CALL_DISPLAYNAME")
                                    art.addAttribute(BlackboardAttribute(attID_ex1, SkypeDbIngestModuleFactory.moduleName, display))
                                    #CALL GUID
                                    attID_ex1 = ccase.getAttributeType("TSK_SKYPE_CALL_GUID")
                                    art.addAttribute(BlackboardAttribute(attID_ex1, SkypeDbIngestModuleFactory.moduleName, guid))
                                    #DURATION
                                    attID_ex1 = ccase.getAttributeType("TSK_SKYPE_CALL_DURATION")
                                    art.addAttribute(BlackboardAttribute(attID_ex1, SkypeDbIngestModuleFactory.moduleName, str(duration)))
                                    #IP Address
                                    attID_ex1 = ccase.getAttributeType("TSK_SKYPE_CALL_IP")
                                    art.addAttribute(BlackboardAttribute(attID_ex1, SkypeDbIngestModuleFactory.moduleName, ip))
                                    IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(SkypeDbIngestModuleFactory.moduleName, \
                                        artID_skype_evt, None))
                            else:
                                message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                                    "Skype Analyzer", skypename + " has no calls",
str(msgcounter)) 304 | IngestServices.getInstance().postMessage(message) 305 | msgcounter+=1 306 | 307 | else: 308 | message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, 309 | "Skype Analyzer","No accounts found in" + file.getName(), str(msgcounter)) 310 | IngestServices.getInstance().postMessage(message) 311 | msgcounter+=1 312 | except SQLException as e: 313 | self.log(Level.INFO, "SQL Error: " + e.getMessage() ) 314 | except SQLException as e: 315 | self.log(Level.INFO, "Error querying database " + file.getName() + " (" + e.getMessage() + ")") 316 | # 317 | 318 | 319 | 320 | # Clean up 321 | stmt.close() 322 | stmt2.close() 323 | stmt3.close() 324 | stmt4.close() 325 | stmt5.close() 326 | dbConn.close() 327 | os.remove(lclDbPath) 328 | 329 | else: 330 | message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, 331 | "Skype Analyzer","Not a SQLite Database - Missing magic number" , str(msgcounter )) 332 | IngestServices.getInstance().postMessage(message) 333 | msgcounter+=1 334 | #return IngestModule.ProcessResult.ERROR 335 | 336 | 337 | 338 | # After all databases, post a message to the ingest messages in box. 
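# Added example (not part of Skype.py or of this repository): a stand-alone
# Python 3 script that performs, outside Autopsy, the two checks the method
# above relies on: the 16-byte "SQLite format 3\0" magic test that gates the
# whole branch, and the calls/messages queries against a copied main.db. The
# callmembers query is the one in the module; the Accounts and Messages
# queries, the column names in the fixture and the fixture rows themselves
# are constructed here (the module's own SQL_String_1 is not shown on this
# page). Durations are converted with float division, so a 59-second call is
# reported as 0.98 min rather than 0.

```python
import os
import sqlite3
import tempfile

# Every SQLite 3 database begins with this 16-byte header string (the "magic
# number" the ingest module tests before it hands the file to JDBC).
SQLITE_MAGIC = b"SQLite format 3\x00"

# Query taken from the ingest module; datetime(..., 'unixepoch') renders UTC.
CALLS_SQL = (
    "select guid, identity, dispname, datetime(start_timestamp, 'unixepoch') 'StartTime', "
    "ip_address, call_duration from callmembers ORDER by StartTime asc;"
)
# Constructed here: the module's SQL_String_1 is not shown, only the columns it
# reads (author, Time, Message, chatname), so this query yields those names.
MESSAGES_SQL = (
    "select author, datetime(timestamp, 'unixepoch') 'Time', body_xml 'Message', chatname "
    "from Messages ORDER BY timestamp asc;"
)
ACCOUNTS_SQL = "select skypename from Accounts;"


def is_sqlite3_header(first16):
    """True if the first 16 bytes of a file carry the SQLite 3 magic."""
    return first16[:16] == SQLITE_MAGIC


def is_sqlite3(path):
    with open(path, "rb") as fh:
        return is_sqlite3_header(fh.read(16))


def parse_skype_db(path):
    """Return accounts, messages and calls from a (copied) Skype main.db.

    Raises ValueError when the magic check fails, mirroring the module's
    'Not a SQLite Database - Missing magic number' branch.
    """
    if not is_sqlite3(path):
        raise ValueError("not a SQLite 3 database - missing magic number: %s" % path)
    conn = sqlite3.connect(path)
    conn.row_factory = sqlite3.Row
    try:
        accounts = [row["skypename"] for row in conn.execute(ACCOUNTS_SQL)]
        messages = [dict(row) for row in conn.execute(MESSAGES_SQL)]
        calls = []
        for row in conn.execute(CALLS_SQL):
            call = dict(row)
            # seconds -> minutes with float division; integer division would
            # report every sub-minute call as 0
            call["duration_min"] = round(call["call_duration"] / 60.0, 2)
            calls.append(call)
    finally:
        conn.close()
    return {"accounts": accounts, "messages": messages, "calls": calls}


def build_sample_db(path):
    """Constructed fixture: the subset of the Skype schema the queries touch."""
    conn = sqlite3.connect(path)
    conn.executescript(
        """
        CREATE TABLE Accounts (skypename TEXT);
        CREATE TABLE Messages (author TEXT, timestamp INTEGER, body_xml TEXT, chatname TEXT);
        CREATE TABLE callmembers (guid TEXT, identity TEXT, dispname TEXT,
                                  start_timestamp INTEGER, ip_address TEXT, call_duration INTEGER);
        INSERT INTO Accounts VALUES ('alice.example');
        INSERT INTO Messages VALUES ('bob.example',   1420070400, 'hi',    '#alice.example/$bob.example;1');
        INSERT INTO Messages VALUES ('alice.example', 1420070460, 'hello', '#alice.example/$bob.example;1');
        INSERT INTO callmembers VALUES ('g1', 'bob.example',   'Bob',   1420070500, '198.51.100.7', 59);
        INSERT INTO callmembers VALUES ('g0', 'carol.example', 'Carol', 1420070000, '203.0.113.9', 600);
        """
    )
    conn.commit()
    conn.close()


def demo():
    """Build the fixture in a temp dir, parse it, clean up, return the result."""
    workdir = tempfile.mkdtemp()
    db_path = os.path.join(workdir, "main.db")
    try:
        build_sample_db(db_path)
        return parse_skype_db(db_path)
    finally:
        for name in os.listdir(workdir):
            os.remove(os.path.join(workdir, name))
        os.rmdir(workdir)


if __name__ == "__main__":
    result = demo()
    for call in result["calls"]:
        print(call["StartTime"], call["identity"], call["ip_address"], call["duration_min"], "min")
```

# As the module does with ContentUtils.writeToFile, run this against a copy of
# main.db in a scratch directory, never against the evidence file itself; the
# timestamps come back in UTC because of the 'unixepoch' conversion.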
        if numFiles == 0:
            message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                "Skype Analyzer", "Nothing to analyze ", str(msgcounter))
            IngestServices.getInstance().postMessage(message)
            msgcounter += 1
        else:
            message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                "Skype Analyzer", "Analyzed %d files" % fileCount, str(msgcounter))
            IngestServices.getInstance().postMessage(message)
            msgcounter += 1
        return IngestModule.ProcessResult.OK
--------------------------------------------------------------------------------
/IngestModules/SmutDetect_Skintone/20141204_SmutDetect4Autopsy_1.0.2.nbm_.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sleuthkit/autopsy_addon_modules/38e9e5934bca90f68d3acf421ddef8910ffb9b4b/IngestModules/SmutDetect_Skintone/20141204_SmutDetect4Autopsy_1.0.2.nbm_.zip
--------------------------------------------------------------------------------
/IngestModules/SmutDetect_Skintone/README.md:
--------------------------------------------------------------------------------
- __Description:__ Scans JPG, BMP, PNG & GIF files (selection of files based on file signatures) for pixels with skin tone and computes the file percentage. Files are tagged with their skin-tone percentage in increments of 10 to allow a categorised view of thumbnails.
- __Author:__ Rajmund Witt
- __Minimum Autopsy version:__ 3.1.1
- __Website:__ http://www.smutdetect.co.uk
- __Source Code:__ https://github.com/rajwitt/SmutDetect4Autopsy
- __License:__ GPL 3.0

--------------------------------------------------------------------------------
/IngestModules/Spotlight_Parser/README.md:
--------------------------------------------------------------------------------
- __Description:__ Parses the Spotlight database on macOS
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows, Linux
- __Module Location:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Spotlight_Parser
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Spotlight_Parser
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Spotlight_Parser
- __License:__ GNU General Public License Version 3
--------------------------------------------------------------------------------
/IngestModules/Thumbcache_parser/README.md:
--------------------------------------------------------------------------------
- __Description:__ Parses the Thumbcache from Windows Vista and later and adds the extracted thumbnails as derived files.
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows
- __Module Location:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Thumbcache_parser
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Thumbcache_parser
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Thumbcache_parser
- __License:__ GNU General Public License Version 3
--------------------------------------------------------------------------------
/IngestModules/Thumbs_parser/README.md:
--------------------------------------------------------------------------------
- __Description:__ Searches for thumbs.db files, extracts the thumbnails and adds them back in as derived files.
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows
- __Module Location:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Thumbs_parser
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Thumbs_parser
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Thumbs_parser
- __License:__ GNU General Public License Version 3
--------------------------------------------------------------------------------
/IngestModules/Timesketch/README.md:
--------------------------------------------------------------------------------
- __Description:__ Finds all time-based artifacts and sends them to a Timesketch server
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows, Linux
- __Module Location:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Timesketch
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Timesketch
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Timesketch
- __License:__ GNU General Public License Version 3
--------------------------------------------------------------------------------
/IngestModules/UsnCorrelation:
--------------------------------------------------------------------------------
../ContentViewerModules/UsnCorrelation
--------------------------------------------------------------------------------
/IngestModules/VirusTotal/README.md:
--------------------------------------------------------------------------------
- __Description:__ Autopsy file ingest module that checks file hashes against the online VirusTotal database (each lookup transmits the file's hash to VirusTotal, so use it only where that disclosure is acceptable for the case)
- __Author:__ Mathias Vetsch, Luca Tannler
- __Minimum Autopsy version:__ 4.1.0
- __Requirements:__ An API key, which can be obtained at https://www.virustotal.com/en/documentation/public-api/
- __Source Code:__ https://github.com/mvetsch/VirusTotalOnlineChecker
- __License:__ GNU GENERAL PUBLIC LICENSE

--------------------------------------------------------------------------------
/IngestModules/VirusTotal/org-sleuthkit-autopsy-modules-virustotalonlinecheck.nbm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sleuthkit/autopsy_addon_modules/38e9e5934bca90f68d3acf421ddef8910ffb9b4b/IngestModules/VirusTotal/org-sleuthkit-autopsy-modules-virustotalonlinecheck.nbm
--------------------------------------------------------------------------------
/IngestModules/Volatility/README.md:
--------------------------------------------------------------------------------
- __Description:__ Parses a memory image from a local data store using Volatility
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows, Linux
- __Module Location:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Volatility
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Volatility
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Volatility
- __License:__ GNU General Public License Version 3
--------------------------------------------------------------------------------
/IngestModules/Webcache/README.md:
--------------------------------------------------------------------------------
- __Description:__ Parses the Windows WebCache browsing history database
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows, Linux
- __Module Location:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Webcache
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Webcache
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Webcache
- __License:__ GNU General Public License Version 3
--------------------------------------------------------------------------------
/IngestModules/WindowsRegistryIngestModule/README.md:
--------------------------------------------------------------------------------
- __Description:__ An ingest module that extracts Registry keys and values into derived directories and files so that they show up as nodes in the directory tree. First place winner in the OSDFCon 2013 challenge.
- __Author:__ Willi Ballenthin
- __Minimum Autopsy version:__ 3.0.7
- __Current Source Code and Releases:__ https://github.com/sleuthkit/Autopsy-WindowsRegistryIngestModule
- __Original Source Code:__ https://github.com/williballenthin/Autopsy-WindowsRegistryIngestModule
- __License:__ Apache 2.0

--------------------------------------------------------------------------------
/IngestModules/Windows_Communication_App/README.md:
--------------------------------------------------------------------------------
- __Description:__ The plugin extracts the connected services and contacts from the Windows Communication Apps package (microsoft.windowscommunicationsapps, the package behind the built-in Mail, Calendar and People apps).
- __Author:__ Tom Van der Mussele
- __Minimum Autopsy version:__ 4.3.0
- __Source Code:__ https://github.com/tomvandermussele/autopsy-plugins/tree/master/Windows%20Communication%20App
- __License:__ GNU General Public License Version 3

--------------------------------------------------------------------------------
/IngestModules/Windows_Communication_App/windows_communication_App/WindowsCommAppFileIngestModule.py:
--------------------------------------------------------------------------------
# This module was an attempt to solve a UCD assignment with the intent
# to teach practical use of Autopsy
#
# Contact: Tom Van der Mussele [tomvandermussele gmail [dot] com]
#
#
#https://github.com/sleuthkit/autopsy/blob/3bb09d8b6457b4116f70068bd7ea240bd7be1f1f/Core/src/org/sleuthkit/autopsy/modules/hashdatabase/HashDbIngestModule.java
#import org.sleuthkit.datamodel.HashHitInfo;
#import org.sleuthkit.datamodel.HashUtility;
#if (md5Hash == null || md5Hash.isEmpty()) {
#md5Hash = HashUtility.calculateMd5(file);

import jarray
import os
import xml.etree.ElementTree as ET
import inspect
from java.io import File
from java.lang import System
from java.util.logging import Level
from org.sleuthkit.datamodel import SleuthkitCase
from org.sleuthkit.datamodel import AbstractFile
from org.sleuthkit.datamodel import ReadContentInputStream
from org.sleuthkit.datamodel import BlackboardArtifact
from org.sleuthkit.datamodel import BlackboardAttribute
from org.sleuthkit.datamodel import TskData
from org.sleuthkit.autopsy.ingest import IngestModule
from org.sleuthkit.autopsy.ingest.IngestModule import IngestModuleException
from org.sleuthkit.autopsy.ingest import DataSourceIngestModule
from org.sleuthkit.autopsy.ingest import FileIngestModule
from org.sleuthkit.autopsy.ingest import IngestModuleFactoryAdapter
from org.sleuthkit.autopsy.ingest import IngestMessage
from org.sleuthkit.autopsy.ingest import IngestServices
from org.sleuthkit.autopsy.ingest import ModuleDataEvent
from org.sleuthkit.autopsy.coreutils import Logger
from org.sleuthkit.autopsy.casemodule import Case
from org.sleuthkit.autopsy.casemodule.services import Services
from org.sleuthkit.autopsy.casemodule.services import FileManager
from org.sleuthkit.datamodel import HashUtility
from org.sleuthkit.datamodel import HashHitInfo
from org.sleuthkit.autopsy.datamodel import ContentUtils


# Factory that defines the name and details of the module and allows Autopsy
# to create instances of the modules that will do the analysis.
# TODO: Rename this to something more specific. Search and replace for it because it is used a few times



class WindowsCommunicationModuleFactory(IngestModuleFactoryAdapter):

    # TODO: give it a unique name. Will be shown in module list, logs, etc.
    moduleName = "Windows Communication App - Contacts"

    def getModuleDisplayName(self):
        return self.moduleName

    # TODO: Give it a description
    def getModuleDescription(self):
        return "Windows Communication CONTACTS."

    def getModuleVersionNumber(self):
        return "1.0"

    # Return true: this is a data source ingest module, called once per data
    # source rather than once per file
    def isDataSourceIngestModuleFactory(self):
        return True

    # Only called when isDataSourceIngestModuleFactory returns true
    def createDataSourceIngestModule(self, ingestOptions):
        return WindowsCommunicationModule()


class WindowsCommunicationModule(DataSourceIngestModule):

    _logger = Logger.getLogger(WindowsCommunicationModuleFactory.moduleName)

    def log(self, level, msg):
        self._logger.logp(level, self.__class__.__name__, inspect.stack()[1][3], msg)

    def __init__(self):
        self.context = None


    def startUp(self, context):
        self.context = context

        pass
    # Where the analysis is done. The whole data source is passed in once; the module
    # then searches it for *.appcontent-ms files, which are returned as
    # org.sleuthkit.datamodel.AbstractFile objects.
    # See: http://www.sleuthkit.org/sleuthkit/docs/jni-docs/classorg_1_1sleuthkit_1_1datamodel_1_1_abstract_file.html
    # TODO: Add your analysis code in here.
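# Added example (not part of WindowsCommAppFileIngestModule.py or of this
# repository): a stand-alone Python 3 version of the extraction that process()
# below performs, usable outside Autopsy on an exported .appcontent-ms file.
# It keeps the module's three steps (path filter, UTF-16 transcoding, walk of
# the Property elements for the System.Contact.* keys) but takes a property's
# value from its child elements whenever its own text is blank, instead of
# testing len(elem.text) == 2, and it tolerates a missing text node. The XML
# layout of the sample (Key attribute, <Value> children, namespace URI) is an
# assumption made for this example and the contact data is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Property keys the ingest module records, mapped to plain field names.
WANTED = {
    "System.Contact.ConnectedServiceName": "service",
    "System.AppUserModel.PackageRelativeApplicationID": "app_id",
    "System.Contact.FirstName": "first_name",
    "System.Contact.LastName": "last_name",
    "System.Contact.HomeAddress1Country": "country",
    "System.Contact.HomeAddress1Locality": "locality",
    "System.Contact.HomeAddress1Region": "region",
    "System.Contact.Birthday": "birthday",
}

XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def is_wincomm_index(parent_path, name):
    """Path filter mirroring the module's check: package folder plus .appcontent-ms suffix."""
    return ("microsoft.windowscommunicationsapps" in parent_path.lower()
            and name.lower().endswith(".appcontent-ms"))


def decode_appcontent(raw):
    """UTF-16 (with BOM) on disk -> text that ElementTree can parse.

    The BOM is consumed by the codec; a stray U+FEFF is stripped anyway, and the
    declaration is dropped because its encoding="utf-16" no longer describes the text.
    """
    text = raw.decode("utf-16").lstrip("\ufeff")
    return XML_DECL.sub("", text, count=1).strip()


def property_value(elem):
    """Own text when present; otherwise the texts of the child elements, joined."""
    own = (elem.text or "").strip()
    if own:
        return own
    children = [(c.text or "").strip() for c in elem]
    children = [c for c in children if c]
    return "; ".join(children) if children else None


def extract_contact(raw):
    """Return {field: value-or-None} for every key in WANTED."""
    root = ET.fromstring(decode_appcontent(raw))
    contact = dict((field, None) for field in WANTED.values())
    for elem in root.iter():
        # The key lives in an attribute (the module matches on str(elem.attrib));
        # an exact match on the attribute values avoids prefix collisions.
        for key, field in WANTED.items():
            if key in elem.attrib.values():
                contact[field] = property_value(elem)
    return contact


# Constructed sample in the shape assumed for this example (Key attribute on
# each Property; multi-valued properties carry <Value> children). Real files
# also carry non-contact properties, which are ignored.
SAMPLE_APPCONTENT = (
    '<?xml version="1.0" encoding="utf-16"?>\n'
    '<appcontent-ms xmlns="http://schemas.microsoft.com/Search/2013/ApplicationContent">\n'
    '  <Properties>\n'
    '    <Property Key="System.AppUserModel.PackageRelativeApplicationID">microsoft.windowslive.people</Property>\n'
    '    <Property Key="System.Contact.ConnectedServiceName">\n'
    '      <Value>Outlook</Value>\n'
    '      <Value>Skype</Value>\n'
    '    </Property>\n'
    '    <Property Key="System.Contact.FirstName">Ada</Property>\n'
    '    <Property Key="System.Contact.LastName">Lovelace</Property>\n'
    '    <Property Key="System.Contact.HomeAddress1Country">GB</Property>\n'
    '    <Property Key="System.Contact.HomeAddress1Locality">London</Property>\n'
    '    <Property Key="System.Contact.HomeAddress1Region"></Property>\n'
    '    <Property Key="System.Contact.Birthday">1815-12-10</Property>\n'
    '    <Property Key="System.ItemNameDisplay">Ada Lovelace</Property>\n'
    '  </Properties>\n'
    '</appcontent-ms>\n'
).encode("utf-16")  # BOM + UTF-16-LE, as the files are stored on disk


if __name__ == "__main__":
    for field, value in sorted(extract_contact(SAMPLE_APPCONTENT).items()):
        print("%-12s %s" % (field, value))
```

# Run it on a copy exported from the case, as the module does with
# ContentUtils.writeToFile; an empty or absent property comes back as None
# rather than as the "**" placeholder the module records.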
    def process(self, datasource, progressbar):


        PostBoard = IngestServices.getInstance()
        progressbar.switchToIndeterminate()
        ccase = Case.getCurrentCase().getSleuthkitCase()
        blackboard = Case.getCurrentCase().getServices().getBlackboard()
        msgcounter = 0
        # if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) or
        #     (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) or
        #     (file.isFile() == true)):
        #     return IngestModule.ProcessResult.OK
        #

        #prepare artifacts

        artifact_name = "TSK_WINCOM_CONTACT"
        artifact_desc = "Windows Communication Contacts"

        try:
            # Register the custom artifact and attribute types; this raises when they
            # already exist in the case database, which is handled below
            artID_wincom_contact = ccase.addArtifactType(artifact_name, artifact_desc)

            attribute_name = "TSK_WINCOM_CONTACT_SERVICE"
            attribute_name1 = "TSK_WINCOM_CONTACT_APPID"
            attribute_name2 = "TSK_WINCOM_CONTACT_FIRSTNAME"
            attribute_name3 = "TSK_WINCOM_CONTACT_LASTNAME"
            attribute_name4 = "TSK_WINCOM_CONTACT_COUNTRY"
            attribute_name5 = "TSK_WINCOM_CONTACT_LOCALITY"
            attribute_name6 = "TSK_WINCOM_CONTACT_REGION"
            attribute_name7 = "TSK_WINCOM_CONTACT_BIRTHDAY"

            attID_ex = ccase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Service vs Person")
            attID_ex1 = ccase.addArtifactAttributeType(attribute_name1, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Application")
            attID_ex2 = ccase.addArtifactAttributeType(attribute_name2, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "First Name")
            attID_ex3 = ccase.addArtifactAttributeType(attribute_name3, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Last Name")
            attID_ex4 = ccase.addArtifactAttributeType(attribute_name4, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Country")
            attID_ex5 = ccase.addArtifactAttributeType(attribute_name5, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "City")
            attID_ex6 = ccase.addArtifactAttributeType(attribute_name6, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Region")
            attID_ex7 = ccase.addArtifactAttributeType(attribute_name7, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Birthday")

        except:
            message = IngestMessage.createMessage(
                IngestMessage.MessageType.DATA, WindowsCommunicationModuleFactory.moduleName + str(msgcounter), "Error creating artifacts" + str(msgcounter))
            #IngestServices.getInstance().postMessage(message)
            self.log(Level.INFO, "Artifacts Creation Error, some artifacts may not exist now. ==> ")

        artID_wincom_contact = ccase.getArtifactTypeID(artifact_name)
        artID_wincom_contact_evt = ccase.getArtifactType(artifact_name)
        #get files


        ##IngestServices.getInstance().postMessage(message)
        fileManager = Case.getCurrentCase().getServices().getFileManager()
        files = fileManager.findFiles(datasource, "%appcontent-ms")
        numFiles = len(files)
        progressbar.switchToDeterminate(numFiles)
        fileCount = 0


        for file in files:
            fileCount = fileCount + 1
            progressbar.progress(fileCount)
            progressbar.progress("Windows Communication Analyzer")
            msgcounter += 1
            # message = IngestMessage.createMessage(
            #     IngestMessage.MessageType.DATA, WindowsCommunicationModuleFactory.moduleName + str(msgcounter), str(msgcounter) + " - in file loop and found file:" + str(file.getParentPath()))
            # #IngestServices.getInstance().postMessage(message)
            ParentPath = file.getParentPath()

            #if "microsoft.windowscommunicationsapps" in ParentPath and "_8wekyb3d8bbwe" in ParentPath and file.getName().lower().endswith("appcontent-ms") and "Address" in ParentPath :
            if file.getSize() > 0 and "microsoft.windowscommunicationsapps" in ParentPath:
                lclXMLPath = os.path.join(Case.getCurrentCase().getTempDirectory(), str(file.getId()) + ".appcontent-ms")
                ContentUtils.writeToFile(file, File(lclXMLPath))

                if self.context.isJobCancelled():
                    return IngestModule.ProcessResult.OK

                # The index files are stored as UTF-16; transcode the copy to UTF-8 for ElementTree
                with open(lclXMLPath, "rb") as XMLFile:
                    with open(lclXMLPath + ".rewrite", 'w+b') as NewXMLFile:
                        contents = XMLFile.read()
                        newContent = contents.decode('utf-16').encode('utf-8')
                        # NOTE: both arguments of this replace are empty strings, so it is a no-op as written
                        NewXMLFile.write(newContent.replace('', ''))
                f = open(lclXMLPath + ".rewrite", "rb")
                xml_text = f.read()
                f.close()
                message = IngestMessage.createMessage(
                    IngestMessage.MessageType.DATA, WindowsCommunicationModuleFactory.moduleName + str(msgcounter), xml_text)
                #IngestServices.getInstance().postMessage(message)
                #XMLFile = open(lclXMLPath, "rb")
                AppID = "**"
                FirstName = "**"
                LastName = "**"
                HomeAddress1Country = "**"
                HomeAddress1Locality = "**"
                HomeAddress1Region = "**"
                Birthday = "**"
                Service = "**"
                root = ET.fromstring(xml_text)

                for elem in root.iter():

                    teller = 0
                    # A property that carries its value in child elements has only whitespace (or no
                    # text node at all) as its own text; in that case the first child's text is taken
                    if "System.Contact.ConnectedServiceName" in str(elem.attrib):
                        if elem.text is None or len(elem.text.strip()) == 0:
                            for child in elem:
                                teller += 1
                                Service = child.text
                                # if teller == 1:
                                break
                        else:
                            Service = elem.text


                    elif "System.AppUserModel.PackageRelativeApplicationID" in str(elem.attrib):

                        if elem.text is None or len(elem.text.strip()) == 0:
                            for child in elem:
                                teller += 1
                                AppID = child.text
                                # if teller == 1:
                                break
                        else:
                            AppID = elem.text

                    elif "System.Contact.FirstName" in str(elem.attrib):

                        if elem.text is None or len(elem.text.strip()) == 0:
                            for child in elem:
                                teller += 1
                                FirstName = child.text
                                if teller == 1:
                                    break
                        else:
                            FirstName = elem.text
                    elif "System.Contact.LastName" in str(elem.attrib):

                        if elem.text is None or len(elem.text.strip()) == 0:
                            for child in elem:
                                teller += 1
                                LastName = child.text
                                if teller == 1:
                                    break
                        else:
                            LastName = elem.text
                    elif "System.Contact.HomeAddress1Country" in str(elem.attrib):

                        if elem.text is None or len(elem.text.strip()) == 0:
                            for child in elem:
                                teller += 1
                                HomeAddress1Country = child.text
                                if teller == 1:
                                    break
                        else:
                            HomeAddress1Country = elem.text
                    elif "System.Contact.HomeAddress1Locality" in str(elem.attrib):

                        if elem.text is None or len(elem.text.strip()) == 0:
                            for child in elem:
                                teller += 1
                                HomeAddress1Locality = child.text
                                if teller == 1:
                                    break
                        else:
                            HomeAddress1Locality = elem.text
                    elif "System.Contact.HomeAddress1Region" in str(elem.attrib):

                        if elem.text is None or len(elem.text.strip()) == 0:
                            for child in elem:
                                teller += 1
                                HomeAddress1Region = child.text
                                if teller == 1:
                                    break
                        else:
                            HomeAddress1Region = elem.text
                    elif "System.Contact.Birthday" in str(elem.attrib):

                        if elem.text is None or len(elem.text.strip()) == 0:
                            for child in elem:
                                teller += 1
                                Birthday = child.text
                                if teller == 1:
                                    break
                        else:
                            Birthday = elem.text
                    else:
                        #another value - manual forensics
                        #AppID = "BLAHELSE"
                        pass


                #IngestServices.getInstance().postMessage(message)
                #end looping through elements


                #ready for next file
                art = file.newArtifact(artID_wincom_contact)
                attID_ex = ccase.getAttributeType("TSK_WINCOM_CONTACT_SERVICE")
                art.addAttribute(BlackboardAttribute(attID_ex, WindowsCommunicationModuleFactory.moduleName, Service))
                attID_ex1 = ccase.getAttributeType("TSK_WINCOM_CONTACT_APPID")
                art.addAttribute(BlackboardAttribute(attID_ex1, WindowsCommunicationModuleFactory.moduleName, AppID))
                attID_ex2 = ccase.getAttributeType("TSK_WINCOM_CONTACT_FIRSTNAME")
                art.addAttribute(BlackboardAttribute(attID_ex2, WindowsCommunicationModuleFactory.moduleName, FirstName))
                attID_ex3 = ccase.getAttributeType("TSK_WINCOM_CONTACT_LASTNAME")
                art.addAttribute(BlackboardAttribute(attID_ex3, WindowsCommunicationModuleFactory.moduleName, LastName))
                attID_ex4 = ccase.getAttributeType("TSK_WINCOM_CONTACT_COUNTRY")
                art.addAttribute(BlackboardAttribute(attID_ex4, WindowsCommunicationModuleFactory.moduleName, HomeAddress1Country))
                attID_ex5 = ccase.getAttributeType("TSK_WINCOM_CONTACT_LOCALITY")
                art.addAttribute(BlackboardAttribute(attID_ex5, WindowsCommunicationModuleFactory.moduleName, HomeAddress1Locality))
                attID_ex6 = ccase.getAttributeType("TSK_WINCOM_CONTACT_REGION")
                art.addAttribute(BlackboardAttribute(attID_ex6, WindowsCommunicationModuleFactory.moduleName, HomeAddress1Region))
                attID_ex7 = ccase.getAttributeType("TSK_WINCOM_CONTACT_BIRTHDAY")
                art.addAttribute(BlackboardAttribute(attID_ex7, WindowsCommunicationModuleFactory.moduleName, Birthday))
                IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(WindowsCommunicationModuleFactory.moduleName, artID_wincom_contact_evt, None))

                #cleanup: remove the temp copies of this file before moving on
                #(lclXMLPath is only defined inside this branch)
                os.remove(lclXMLPath)
                os.remove(lclXMLPath + ".rewrite")
            else:
                pass

        return IngestModule.ProcessResult.OK

    # def shutDown(self):
    #     # As a final part of this example, we'll send a message to the ingest inbox with the number of files found (in this thread)
    #     msg2 = IngestMessage.createMessage(
    #         IngestMessage.MessageType.DATA, WindowsCommunicationModuleFactory.moduleName,
    #         "Found " + str(self.filesFound))
    #     ingestServices = IngestServices.getInstance().postMessage(msg2)

--------------------------------------------------------------------------------
/IngestModules/Windows_Internals/README.md:
--------------------------------------------------------------------------------
- __Description:__ Parses several different Windows artifacts, selected by the user from an option panel
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows, Linux
- __Module Location:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Windows_Internals
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Windows_Internals
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Windows_Internals
- __License:__ GNU General Public License Version 3
--------------------------------------------------------------------------------
/IngestModules/cLeapp/README.md:
--------------------------------------------------------------------------------
- __Description:__ Processes ChromeOS data using the cLeapp program
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.16.0
- __OS's supported on:__ Windows
- __Module Location:__ https://github.com/markmckinnon/Autopsy-NBM-Plugins/tree/main/cLeapp-Autopsy-Plugin
- __Website:__ https://github.com/markmckinnon/Autopsy-NBM-Plugins/tree/main/cLeapp-Autopsy-Plugin
- __Source Code:__ https://github.com/markmckinnon/Autopsy-NBM-Plugins/tree/main/cLeapp-Autopsy-Plugin
- __License:__ Apache 2.0 License
--------------------------------------------------------------------------------
/IngestModules/cLeapp/cleappanalyzer.nbm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sleuthkit/autopsy_addon_modules/38e9e5934bca90f68d3acf421ddef8910ffb9b4b/IngestModules/cLeapp/cleappanalyzer.nbm
--------------------------------------------------------------------------------
/IngestModules/hash_images/README.md:
--------------------------------------------------------------------------------
- __Description:__ Checks a data source against a supplied MD5 or SHA1 hash, or against an FTK Imager log file
- __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com)
- __Minimum Autopsy version:__ 4.4.0
- __OS's supported on:__ Windows, Linux
- __Module Location:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/hash_images
- __Website:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/hash_images
- __Source Code:__ https://github.com/markmckinnon/Autopsy-Plugins/tree/master/hash_images
- __License:__ GNU General Public License Version 3
--------------------------------------------------------------------------------
/IngestModules/iPhone_Backup_Plist_Analyzer/README.md:
--------------------------------------------------------------------------------
- __Description:__ The plugin inspects .plist files related to iTunes backups in a Windows environment. Their presence indicates devices that were connected to the Windows machine. Connecting and backing up an iPhone normally requires the device passcode or fingerprint, which bears on the weight of these files as evidence.
- __Author:__ Tom Van der Mussele
- __Minimum Autopsy version:__ 4.3.0
- __Source Code:__ https://github.com/tomvandermussele/autopsy-plugins/tree/master/Connected%20iPhone%20Analyzer
- __License:__ GNU General Public License Version 3

--------------------------------------------------------------------------------
/IngestModules/iPhone_Backup_Plist_Analyzer/connected_iphone_analyzer/Iphones.py:
--------------------------------------------------------------------------------
# Description:
# This module quickly extracts some data from identified iPhone backup plists.
# This provides an indicator of possible connected iPhone/iPad/iPod devices.
4 | # Please note this a non-exhaustive extraction of data, it is recommended to 5 | # manually inspect the files for more forensic artifacts and use this as an indicator 6 | # 7 | # Contact: Tom Van der Mussele [tomvandermussele gmail [dot] com] 8 | # 9 | # This is free and unencumbered software released into the public domain. 10 | # 11 | # Anyone is free to copy, modify, publish, use, compile, sell, or 12 | # distribute this software, either in source code form or as a compiled 13 | # binary, for any purpose, commercial or non-commercial, and by any 14 | # means. 15 | # 16 | # In jurisdictions that recognize copyright laws, the author or authors 17 | # of this software dedicate any and all copyright interest in the 18 | # software to the public domain. We make this dedication for the benefit 19 | # of the public at large and to the detriment of our heirs and 20 | # successors. We intend this dedication to be an overt act of 21 | # relinquishment in perpetuity of all present and future rights to this 22 | # software under copyright law. 23 | # 24 | # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 25 | # EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 26 | # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 27 | # IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR 28 | # OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, 29 | # ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR 30 | # OTHER DEALINGS IN THE SOFTWARE. 
31 | # 32 | # 33 | # Looks for files of a given name, verifies the validity of the file, reads elements out of it 34 | # and makes artifacts 35 | 36 | import jarray 37 | import inspect 38 | import os 39 | from java.lang import Class 40 | from java.lang import System 41 | from java.sql import DriverManager, SQLException 42 | from java.util.logging import Level 43 | from java.io import File 44 | from org.sleuthkit.datamodel import SleuthkitCase 45 | from org.sleuthkit.datamodel import AbstractFile 46 | from org.sleuthkit.datamodel import ReadContentInputStream 47 | from org.sleuthkit.datamodel import BlackboardArtifact 48 | #from org.sleuthkit.databases import TskDBBlackboard 49 | from org.sleuthkit.datamodel import BlackboardAttribute 50 | from org.sleuthkit.autopsy.ingest import IngestModule 51 | from org.sleuthkit.autopsy.ingest.IngestModule import IngestModuleException 52 | from org.sleuthkit.autopsy.ingest import DataSourceIngestModule 53 | from org.sleuthkit.autopsy.ingest import IngestModuleFactoryAdapter 54 | from org.sleuthkit.autopsy.ingest import IngestMessage 55 | from org.sleuthkit.autopsy.ingest import IngestServices 56 | from org.sleuthkit.autopsy.ingest import ModuleDataEvent 57 | from org.sleuthkit.autopsy.coreutils import Logger 58 | from org.sleuthkit.autopsy.casemodule import Case 59 | from org.sleuthkit.autopsy.datamodel import ContentUtils 60 | from org.sleuthkit.autopsy.casemodule.services import Services 61 | from org.sleuthkit.autopsy.casemodule.services import FileManager 62 | from org.sleuthkit.autopsy.casemodule.services import Blackboard 63 | import xml.etree.ElementTree as ET 64 | from datetime import datetime, timedelta, tzinfo 65 | import time 66 | import calendar 67 | 68 | 69 | # Factory that defines the name and details of the module and allows Autopsy 70 | # to create instances of the modules that will do the analysis. 
71 | 72 | def Strip (arg1): 73 | temp = arg1.strip() 74 | temp2 = temp[8:] 75 | temp3 = temp2[:-9] 76 | return temp3 77 | 78 | 79 | class IphoneIngestModuleFactory(IngestModuleFactoryAdapter): 80 | 81 | moduleName = "Connected iPhone Analyzer" 82 | 83 | def getModuleDisplayName(self): 84 | return self.moduleName 85 | 86 | def getModuleDescription(self): 87 | return "Identifies artifacts of possible connected iPhone/iPad/iPod devices." 88 | 89 | def getModuleVersionNumber(self): 90 | return "1.0" 91 | 92 | def isDataSourceIngestModuleFactory(self): 93 | return True 94 | 95 | def createDataSourceIngestModule(self, ingestOptions): 96 | return IphoneIngestModule() 97 | 98 | 99 | 100 | class IphoneIngestModule(DataSourceIngestModule): 101 | 102 | _logger = Logger.getLogger(IphoneIngestModuleFactory.moduleName) 103 | 104 | def log(self, level, msg): 105 | self._logger.logp(level, self.__class__.__name__, inspect.stack()[1][3], msg) 106 | 107 | def __init__(self): 108 | self.context = None 109 | 110 | 111 | def startUp(self, context): 112 | self.context = context 113 | 114 | pass 115 | 116 | 117 | def process(self, dataSource, progressBar): 118 | 119 | PostBoard=IngestServices.getInstance() 120 | progressBar.switchToIndeterminate() 121 | ccase = Case.getCurrentCase().getSleuthkitCase() 122 | blackboard = Case.getCurrentCase().getServices().getBlackboard() 123 | fileManager = Case.getCurrentCase().getServices().getFileManager() 124 | files = fileManager.findFiles(dataSource, "Info.plist") 125 | numFiles = len(files) 126 | message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,"Connected iPhone Analyzer","About to analyze " + str(numFiles) + " files") 127 | PostBoard.postMessage(message) 128 | progressBar.switchToDeterminate(numFiles) 129 | 130 | 131 | try: 132 | artifact_name = "TSK_IPHONE" 133 | artifact_desc = "Connected iPhone Analyzer" 134 | 135 | artID_iphone = ccase.addArtifactType(artifact_name, artifact_desc) 136 | artID_iphone_evt = 
ccase.getArtifactType(artifact_name) 137 | attribute_name = "TSK_IPHONE_DEVICENAME" 138 | attribute_name2 = "TSK_IPHONE_PRODUCTTYPE" 139 | attribute_name3 = "TSK_IPHONE_BACKUPDATE" 140 | attribute_name4 = "TSK_IPHONE_PHONENUMBER" 141 | attribute_name5 = "TSK_IPHONE_SERIALNUMBER" 142 | attribute_name6 = "TSK_IPHONE_IMEI" 143 | attribute_name7 = "TSK_IPHONE_ICCID" 144 | attribute_name8 = "TSK_IPHONE_BUILD" 145 | attID_ex1 = ccase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Name") 146 | attID_ex2 = ccase.addArtifactAttributeType(attribute_name2, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Type") 147 | attID_ex3 = ccase.addArtifactAttributeType(attribute_name3, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "BackupDate") 148 | attID_ex4 = ccase.addArtifactAttributeType(attribute_name4, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Phone Number") 149 | attID_ex5 = ccase.addArtifactAttributeType(attribute_name5, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Serial") 150 | attID_ex6 = ccase.addArtifactAttributeType(attribute_name6, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "IMEI") 151 | attID_ex7 = ccase.addArtifactAttributeType(attribute_name7, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "ICCID") 152 | attID_ex8 = ccase.addArtifactAttributeType(attribute_name8, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "BUILD") 153 | except: 154 | a = 1 155 | 156 | fileCount = 0 157 | for file in files: 158 | fileCount += 1 159 | progressBar.progress(fileCount) 160 | progressBar.progress("Connected iPhone Analyzer") 161 | if self.context.isJobCancelled(): 162 | return IngestModule.ProcessResult.OK 163 | self.log(Level.INFO, "++++++Processing file: " + file.getName()) 164 | 165 | lclPlistPath = os.path.join(Case.getCurrentCase().getTempDirectory(), str(file.getId()) + ".plist") 166 | 
ContentUtils.writeToFile(file, File(lclPlistPath)) 167 | try: 168 | plist_file = open(lclPlistPath, 'r') 169 | lines = plist_file.readlines() 170 | 171 | BUILDVERSION = "" 172 | devicename = "" 173 | GUID = "" 174 | ICCID = "" 175 | IMEI="" 176 | LASTBACKUP = "" 177 | PHONENUMBER = "" 178 | PRODUCTTYPE = "" 179 | SERIALNUMBER = "" 180 | if "Build Version" in lines[counter]: 185 | IPHONE_PLIST = 1 186 | else: 187 | a = 1 + 1 188 | counter += 1 189 | 190 | 191 | if IPHONE_PLIST == 1: 192 | j = 0 193 | while j!=counter: 194 | 195 | if "Build Version" in lines[j]: 196 | BUILDVERSION = Strip(lines[j + 1]) 197 | print "BUILD:" + BUILDVERSION 198 | j += 1 199 | if "Device Name" in lines[j]: 200 | devicename = Strip(lines[j + 1]) 201 | j += 1 202 | if "GUID" in lines[j]: 203 | GUID = Strip(lines[j + 1]) 204 | j += 1 205 | if "ICCID" in lines[j]: 206 | ICCID = Strip(lines[j + 1]) 207 | j += 1 208 | if "IMEI" in lines[j]: 209 | IMEI = Strip(lines[j + 1]) 210 | j += 1 211 | if "Last Backup Date" in lines[j]: 212 | LASTBACKUP = Strip(lines[j + 1]) 213 | j += 1 214 | if "Phone Number" in lines[j]: 215 | PHONENUMBER = Strip(lines[j + 1]) 216 | j += 1 217 | if "Product Type" in lines[j]: 218 | PRODUCTTYPE = Strip(lines[j + 1]) 219 | j += 1 220 | if "ey>Serial Number" in lines[j]: 221 | SERIALNUMBER = Strip(lines[j + 1]) 222 | j += 1 223 | j += 1 224 | 225 | artifact_name = "TSK_IPHONE" 226 | artifact_desc = "Connected iPhone Analyzer" 227 | artID_iphone_evt = ccase.getArtifactType(artifact_name) 228 | artID_iphone = ccase.getArtifactTypeID(artifact_name) 229 | art = file.newArtifact(artID_iphone) 230 | attID_ex1 = ccase.getAttributeType("TSK_IPHONE_DEVICENAME") 231 | art.addAttribute(BlackboardAttribute(attID_ex1, IphoneIngestModuleFactory.moduleName, devicename)) 232 | attID_ex1 = ccase.getAttributeType("TSK_IPHONE_PRODUCTTYPE") 233 | art.addAttribute(BlackboardAttribute(attID_ex1, IphoneIngestModuleFactory.moduleName, PRODUCTTYPE)) 234 | attID_ex1 = 
ccase.getAttributeType("TSK_IPHONE_BACKUPDATE") 235 | art.addAttribute(BlackboardAttribute(attID_ex1, IphoneIngestModuleFactory.moduleName, LASTBACKUP)) 236 | attID_ex1 = ccase.getAttributeType("TSK_IPHONE_PHONENUMBER") 237 | art.addAttribute(BlackboardAttribute(attID_ex1, IphoneIngestModuleFactory.moduleName, PHONENUMBER)) 238 | attID_ex1 = ccase.getAttributeType("TSK_IPHONE_SERIALNUMBER") 239 | art.addAttribute(BlackboardAttribute(attID_ex1, IphoneIngestModuleFactory.moduleName, SERIALNUMBER)) 240 | attID_ex1 = ccase.getAttributeType("TSK_IPHONE_IMEI") 241 | art.addAttribute(BlackboardAttribute(attID_ex1, IphoneIngestModuleFactory.moduleName, IMEI)) 242 | attID_ex1 = ccase.getAttributeType("TSK_IPHONE_ICCID") 243 | art.addAttribute(BlackboardAttribute(attID_ex1, IphoneIngestModuleFactory.moduleName, ICCID)) 244 | attID_ex1 = ccase.getAttributeType("TSK_IPHONE_BUILD") 245 | art.addAttribute(BlackboardAttribute(attID_ex1, IphoneIngestModuleFactory.moduleName, BUILD)) 246 | PostBoard.fireModuleDataEvent(ModuleDataEvent(IphoneIngestModuleFactory.moduleName, \ 247 | artID_iphone_evt, None)) 248 | IPHONE_PLIST = 0 249 | plist_file.close() 250 | else: 251 | 252 | plist_file.close() 253 | else: 254 | 255 | plist_file.close() 256 | except: 257 | 258 | plist_file.close() 259 | 260 | os.remove(lclPlistPath) 261 | 262 | 263 | # After all Plist files, post a message to the ingest messages in box. 
264 | if numFiles==0: 265 | message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, 266 | "Connected iPhone Analyzer", "Nothing to analyze ") 267 | PostBoard.postMessage(message) 268 | else: 269 | message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, 270 | "Connected iPhone Analyzer", "Analyzed %d files" % fileCount) 271 | PostBoard.postMessage(message) 272 | return IngestModule.ProcessResult.OK -------------------------------------------------------------------------------- /IngestModules/rLeapp/README.md: -------------------------------------------------------------------------------- 1 | - __Description:__ Process Returns and Archives using rLeapp program 2 | - __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com) 3 | - __Minimum Autopsy version:__ 4.18.0 4 | - __OS's supported on: Windows 5 | - __Module Location__: https://github.com/markmckinnon/Autopsy-NBM-Plugins/tree/main/rLeapp-Autopsy-Plugin 6 | - __Website:__ https://github.com/markmckinnon/Autopsy-NBM-Plugins/tree/main/rLeapp-Autopsy-Plugin 7 | - __Source Code:__ https://github.com/markmckinnon/Autopsy-NBM-Plugins/tree/main/rLeapp-Autopsy-Plugin 8 | - __License:__ Apache 2.0 License -------------------------------------------------------------------------------- /IngestModules/rLeapp/rleappanalyzer.nbm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sleuthkit/autopsy_addon_modules/38e9e5934bca90f68d3acf421ddef8910ffb9b4b/IngestModules/rLeapp/rleappanalyzer.nbm -------------------------------------------------------------------------------- /IngestModules/sdhash/README.md: -------------------------------------------------------------------------------- 1 | - __Description:__ This module allows you to use sdhash to perform fuzzy hash matching. 
The investigator can match files against other files or sdhash reference sets during ingest, or search for similar files from the directory viewer or search results after ingest. Released as part of OSDFCon 2013 Development contest. 2 | - __Author:__ Petter Bjelland 3 | - __Minimum Autopsy version:__ 3.0.7 4 | - __Source Code:__ https://github.com/pcbje/autopsy-ahbm 5 | - __License:__ Apache 2.0 6 | -------------------------------------------------------------------------------- /IngestModules/sdhash/autopsy-ahbm.nbm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sleuthkit/autopsy_addon_modules/38e9e5934bca90f68d3acf421ddef8910ffb9b4b/IngestModules/sdhash/autopsy-ahbm.nbm -------------------------------------------------------------------------------- /IngestModules/vLeapp/README.md: -------------------------------------------------------------------------------- 1 | - __Description:__ Process Vehicle data using vLeapp program 2 | - __Author:__ Mark McKinnon (Mark dot McKinnon at gmail dot com) 3 | - __Minimum Autopsy version:__ 4.18.0 4 | - __OS's supported on: Windows 5 | - __Module Location__: https://github.com/markmckinnon/Autopsy-NBM-Plugins/tree/main/vLeapp-Autopsy-Plugin 6 | - __Website:__ https://github.com/markmckinnon/Autopsy-NBM-Plugins/tree/main/vLeapp-Autopsy-Plugin 7 | - __Source Code:__ https://github.com/markmckinnon/Autopsy-NBM-Plugins/tree/main/vLeapp-Autopsy-Plugin 8 | - __License:__ Apache 2.0 License -------------------------------------------------------------------------------- /IngestModules/vLeapp/vleappanalyzer.nbm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sleuthkit/autopsy_addon_modules/38e9e5934bca90f68d3acf421ddef8910ffb9b4b/IngestModules/vLeapp/vleappanalyzer.nbm -------------------------------------------------------------------------------- /README.md: 
--------------------------------------------------------------------------------
# Autopsy Add-on Modules

This repository contains the 3rd party add-on modules to the [Autopsy Digital Forensics Platform](http://www.autopsy.com). Each module has a folder in the repository that contains a README file. Some of the modules are stored in this repository and others are hosted on another site with a link in their README.

How To Use The Site:
1. Find the module that meets your needs
2. Download and install it


# Finding A Module

The modules in the repository are organized by their type.
- **Ingest modules** analyze files as they are added to the case. This is the most common type of module.
- **Content viewer modules** are in the lower right corner of Autopsy and display a file or selected item in some way.
- **Report modules** run at the end of the analysis and can generate various types of reports (or perform various types of analysis).
- **Data source processors** allow different types of data sources to be added to a case.

Each module has its own folder with a README.md file that outlines the basics of what the module does.

You can either navigate the folder structure or use the [Search](https://sleuthkit.github.io/autopsy_addon_modules/) page, which searches the contents of the README files.


# Downloading A Module

Once you've found a module, you need to get it. You have two choices for doing that.

1. Make a copy of this repository by downloading a ZIP file of it. You can do this by clicking on "Clone or download" and then "Download ZIP".
![Download Image](images/download.png)

2. You can download specific modules from the site. This is easier for Java NBM modules than it is for Python modules, which may contain a number of files.

# Installing a Module

Instructions for installing a module can be found here: http://sleuthkit.org/autopsy/docs/user-docs/latest/module_install_page.html

# Updating this Site
If you are a developer and want your module listed here, then please refer to the
[Instructions for Developers](DocsForDevelopers/DeveloperInstructions.md).

--------------------------------------------------------------------------------
/ReportModules/FEA-Forensic_Enhanced_Analysis/README.md:
--------------------------------------------------------------------------------
- __Description:__ FEA comprises three separate tools: i) for email filtering and validation, ii) for credit card number validation and iii) for Bitcoin wallet address and private key search and validation.
- __Author:__ João Mota, Miguel Frade, Patrício Domingues
- __Minimum Autopsy version:__ 3.0.7
- __Source Code:__ https://bitbucket.org/psychodeath/fea-forensics-enhanced-analysis
- __License:__ Open source
- __Video:__ https://vimeo.com/237483225

--------------------------------------------------------------------------------
/ReportModules/ForensicExpertWitnessReport/README.md:
--------------------------------------------------------------------------------
- __Known Issue:__ This module will cause Autopsy to lose its Tools menu (April 2020).

- __Description:__ Adds tagged evidence into structured and styled tables automatically and directly inside a forensic expert witness report, and comes with three pre-existing forensic expert witness report templates to choose from.
- __Author:__ Chris Wipat
- __Minimum Autopsy version:__ 3.0.7
- __Source Code:__ https://github.com/chriswipat/forensic_expert_witness_report_module
- __Release Download:__ https://github.com/chriswipat/forensic_expert_witness_report_module/releases/download/v1.0/ForensicExpertWitnessReport.nbm
- __License:__ GNU General Public License Version 3
- __Installation Instructions:__ https://github.com/chriswipat/forensic_expert_witness_report_module/blob/master/README.md

--------------------------------------------------------------------------------
/ReportModules/README.md:
--------------------------------------------------------------------------------
# Report Modules

Report modules are typically run at the end of an investigation to produce an output report. The extension point is also used as a place to manually start analysis techniques.

--------------------------------------------------------------------------------
/ReportModules/SPAI_Model_Report_Module/SPAI_Model_Report_Module/README.md:
--------------------------------------------------------------------------------
- __Description:__ Custom Report Module Created for The DGPTC - Technical Police.
- __Author:__ Mark McKinnon (Mark dot McKinnon at Gmail dot Com)
- __Minimum Autopsy version:__ 4.1.0
- __Module Location:__ Here
- __Website:__ https://github.com/markmckinnon/Custom_Autopsy_Plugins/tree/master/Report_Modules/SPAI_Model_Report_Module
- __Source Code:__ Here or https://github.com/markmckinnon/Custom_Autopsy_Plugins/tree/master/Report_Modules/SPAI_Model_Report_Module
- __License:__ GPL. The full license can be found in SPAIModelReportModule_py_GPL_License.txt

--------------------------------------------------------------------------------
/ReportModules/SPAI_Model_Report_Module/SPAI_Model_Report_Module/SPAIModelReportModule$py.class:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sleuthkit/autopsy_addon_modules/38e9e5934bca90f68d3acf421ddef8910ffb9b4b/ReportModules/SPAI_Model_Report_Module/SPAI_Model_Report_Module/SPAIModelReportModule$py.class

--------------------------------------------------------------------------------
/ReportModules/SPAI_Model_Report_Module/SPAI_Model_Report_Module/base_folder/Ajuda.htm:
--------------------------------------------------------------------------------
My Institution

Help

Menu items:

  • Summary of Analysis
      • Case information: start page with information about the case, such as case number, forensic examiner, etc.
      • Help: this help page.

  • Selected Evidences
      • Images (for example): page(s) containing the name, link and other metadata of the selected files for each evidence category (tag).

Storage and visualization of files

  • It is recommended to configure the browser application in offline mode, so that temporary HTML files are not visualized and updated on external servers.
  • In order to visualize the optical media content on UNIX and UNIX-like systems (GNU/Linux, for instance), the system's locales must be set to the ISO-8859-1 charset.
  • Not all of the evidence files exported to this optical media can be opened in the browser application. In that case, installation of the proper application may be needed.

--------------------------------------------------------------------------------
/ReportModules/SPAI_Model_Report_Module/SPAI_Model_Report_Module/base_folder/autorun.inf:
--------------------------------------------------------------------------------
[autorun]
OPEN=Explorer.exe Index.htm
ICON=res\brasao.ico

--------------------------------------------------------------------------------
/ReportModules/SPAI_Model_Report_Module/SPAI_Model_Report_Module/res/Background.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sleuthkit/autopsy_addon_modules/38e9e5934bca90f68d3acf421ddef8910ffb9b4b/ReportModules/SPAI_Model_Report_Module/SPAI_Model_Report_Module/res/Background.gif

--------------------------------------------------------------------------------
/ReportModules/SPAI_Model_Report_Module/SPAI_Model_Report_Module/res/Bookmarks.css:
--------------------------------------------------------------------------------
/* CSS Document */

/* This css contains definitions that are used exclusively by
   the Bookmarks and Registry report sections */

/* .bkmkSeparator class selector is used in conjunction with the
   .bkmkValue class selector, which defines the border-bottom-style:inset
   and border-bottom-width:thin properties for .bkmkSeparator;
   the .bkmkValue class selector is defined in Common.css */
.bkmkSeparator
{
    border-top-style:double;
    clear:both;
}
.bkmkLblFileSel
{
    font-weight:bold;
    text-decoration:underline;
    margin-top:12pt;
    clear:both;
}
.bkmkColLeft
{
    float:left;
    width:185px;
}
.bkmkColRight
{
    float:left;
}

--------------------------------------------------------------------------------
/ReportModules/SPAI_Model_Report_Module/SPAI_Model_Report_Module/res/Footer.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sleuthkit/autopsy_addon_modules/38e9e5934bca90f68d3acf421ddef8910ffb9b4b/ReportModules/SPAI_Model_Report_Module/SPAI_Model_Report_Module/res/Footer.gif

--------------------------------------------------------------------------------
/ReportModules/SPAI_Model_Report_Module/SPAI_Model_Report_Module/res/Header.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sleuthkit/autopsy_addon_modules/38e9e5934bca90f68d3acf421ddef8910ffb9b4b/ReportModules/SPAI_Model_Report_Module/SPAI_Model_Report_Module/res/Header.gif

--------------------------------------------------------------------------------
/ReportModules/SPAI_Model_Report_Module/SPAI_Model_Report_Module/res/ajuda_estilo.css:
--------------------------------------------------------------------------------
* {
    font-family: Verdana, Arial, Tahoma;
    font-size: 10pt;
}

body {
    margin: 0;
    color: black;
    background-color: white;
}

img {
    border: 0;
}

a {
    color: rgb(0, 102, 204);
    background-color: inherit;
    text-decoration: none;
}
a:hover {
    color: rgb(153, 153, 153);
    background-color: inherit;
    text-decoration: underline;
}

table * {
    vertical-align: top;
}

--------------------------------------------------------------------------------
/ReportModules/SPAI_Model_Report_Module/SPAI_Model_Report_Module/res/ajuda_main.css:
--------------------------------------------------------------------------------
div#conteudo {
    margin-left: 20px;
    margin-right: 10px;
    margin-top: 10px;
    width: 100%;
}

hr {
    height: 1px;
    color: rgb(200,200,200);
    width: 90%;
    margin-top: 0px;
    text-align: left;
}

.HeaderText {
    font-size: 25px;
    /*color: #034D86; */
    color: #000000;
    font-family: 'Arial Black';
    text-decoration: none;
    border-bottom: 4px solid rgb(200,200,200);
    width: 80%;
}

--------------------------------------------------------------------------------
/ReportModules/SPAI_Model_Report_Module/SPAI_Model_Report_Module/res/bg_nav.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sleuthkit/autopsy_addon_modules/38e9e5934bca90f68d3acf421ddef8910ffb9b4b/ReportModules/SPAI_Model_Report_Module/SPAI_Model_Report_Module/res/bg_nav.jpg

--------------------------------------------------------------------------------
/ReportModules/SPAI_Model_Report_Module/SPAI_Model_Report_Module/res/common.css:
--------------------------------------------------------------------------------
/* CSS Document */

/* This css contains definitions that are used by all
   the generated report html pages (except Index.html).
   All of the report sections use one or more of the
   following definitions */

/* The body selector applies to all the pages, thus
   if you want to change font, font-size etc, change
   the properties here */
body
{
    font-family: Arial, Helvetica, sans-serif;
}
/* all html tables set to no border */
table
{
    border:none;
}

/* define color of light gray used within header etc */
.clrBkgrnd
{
    background-color:#F2F0E6
}

/* define a value used within bookmark section */
.bkmkValue
{
    border-bottom-style:inset;
    border-bottom-width:thin;
}

/* define all the Heading properties */
.contentHead, .bkmkColHead, .bkmkLblFiles
{
    border-bottom:groove;
    border-top:groove;
    background-color:#D2C8AE;
    text-align:left;
    font-size: 20px;
    /*color:#21536A*/
    color:#000000
}

/* .labelBorderless used in conjunction with .clrBkgrnd
   for the background-color property */
.labelBorderless
{
    font-weight:bold;
    text-align:left;
}

/* all graphic numbers definition */
.graphicNumbers
{
    font-weight:bold
}

/* define all link properties */
a
{
    text-decoration:none;
}
a:hover
{
    text-decoration:underline;
}

th.columnHead
{
    border-bottom:double;
    border-top:ridge;
    text-align:left;
    background-color:#D2C8AE
}

td
{
    border-left:none;
    border-right:none;
    border-top:none
}
/* td.label used in conjunction with .clrBkgrnd
   for the background-color property */
td.label
{
    font-weight:bold;
    text-align:left;
    border-right:solid;
    border-right-width:thin;
}
/* td.graphicNumber used in conjunction with .clrBkgrnd
   and graphicNumbers; for the background-color property
   and font-weight property */
td.graphicNumber
{
    text-align:center;
    border:groove;
}
td.graphicPath
{
    border:none;
}
td.graphic
{
    border:solid;
    border-width:thin
}

div.row, p {
    clear:both;
}

--------------------------------------------------------------------------------
/ReportModules/SPAI_Model_Report_Module/SPAI_Model_Report_Module/res/icon.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sleuthkit/autopsy_addon_modules/38e9e5934bca90f68d3acf421ddef8910ffb9b4b/ReportModules/SPAI_Model_Report_Module/SPAI_Model_Report_Module/res/icon.ico

--------------------------------------------------------------------------------
/ReportModules/SPAI_Model_Report_Module/SPAI_Model_Report_Module/res/navigation.css:
--------------------------------------------------------------------------------
/* CSS Document */

/* This css contains definitions used exclusively by
   Table_of_Contents.html; these definitions provide the
   behavior for the button style links as seen on the left
   panel of the html report */

a.sectionLinks:link, a.sectionLinks:visited
{
    display: block;
    border-top: 1px solid #ffffff;
    border-bottom: 1px solid #cccccc;
    background-image: url(bg_nav.jpg);
    font-weight: bold;
    padding: 3px 0px 3px 10px;
    /*color: #21536A;*/
    color: #000000;
}
a.sectionLinks:hover
{
    border-top: 1px solid #cccccc;
    background-color: #e2e4e1;
    background-image: none;
    font-weight: bold;
    text-decoration: none;
}

--------------------------------------------------------------------------------
/images/download.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sleuthkit/autopsy_addon_modules/38e9e5934bca90f68d3acf421ddef8910ffb9b4b/images/download.png
--------------------------------------------------------------------------------