28 sept 2016

Los módulos de ingesta de Autopsy. Parte 2



Buenas a todos, en el post de hoy continuaremos con la cadena de análisis forense digital con Autopsy, hablando de los módulos de ingesta de terceros.

Los módulos de terceros son módulos desarrollados por la comunidad, y que pueden ser desplegados en las instalaciones de Autopsy, en sus últimas versiones.

Desde el siguiente enlace podéis acceder a los módulos compartidos oficialmente:


A continuación os listamos todos ellos, junto con una descripción sobre su funcionamiento:

Prefetch Parser

  • Description: This module will process thru all the prefetch files in the C:\Windows\Prefetch directory and parse out the information in them. It works on the following windows versions XP, Vista/7, 8/8.1 and 10. Winner of the OSDFCon 2015 Python Module challenge.
  • Author: Mark McKinnon

sdhash (Autopsy AHBM)

  • Description: This module allows you to use sdhash to perform fuzzy hash matching. The investigator can match files against other files or sdhash reference sets during ingest, or search for similar files from the directory viewer or search results after ingest. Released as part of OSDFCon 2013 Development contest. 
  • Author: Petter Bjelland

SmutDetect Module

  • Scans JPG, BMP, PNG & GIF files (selection of files based on file signatures) for pixels with skin tone and computes file percentage. Files are tagged with skin-tone percentage in increments of 10 to allow a categorised view of thumbnails.
  • Author: Rajmund Witt

Windows Registry Ingest Module

  • Description: An ingest module that extracts Registry keys and values into derived directories and files so that they show up as nodes in the directory tree. First place winner in the OSDFCon 2013 challenge.
  • Author: Willi Ballenthin

Child Exploitation Hashset Modules

  • Description: Hash lookup modules that integrate with ProjectVic and C4All databases. These allow you to use Autopsy in child exploitation investigations and leverage hashsets of pre-categorized images.
  • Author: Basis Technology

VirusTotal Online Checker

  • Description: Autopsy File Ingest Module to check file hashes against online VirusTotal Database
  • Author: Mathias Vetsch, Luca Tännler

Copy-Move Module Package

  • Description: A module package containing a File Ingest Module and its corresponding Data Content Viewer. Allows the user to identify Copy-Move forgeries within images in the datasource. Please read the readme before using the package.
  • Author: Tobias Maushammer

Image Fingerprint Module Package

  • Description: A module package containing a File Ingest Module and its corresponding Data Content Viewers. Allows the user to create different perceptual hashes as fingerprints from images in the datasource. This also creates an additional database, which is managed from the expanded options menu of the ingest module. Images can be compared to images in the database. Please read the readme before using the package.
  • Author: Tobias Maushammer

Video Triage

  • Description: Analyzes video files and displays a series of images so that you can get a basic idea of what the video contains without viewing the entire thing. 
  • Author: Basis Technology

Windows Registry Content Viewer

  • Description: Content viewer that analyzes a registry hive and allows you to navigate the tree and its key and value pairs. Functions something like Regedit.exe. Winner of the OSDFCon 2013 challenge.
  • Author: Willi Ballenthin

Multi Content Viewer

  • Description: Content viewer for dozens of file types: html, pdf, eml, emlx, rtf, doc, docx, xls, xlsx, ppt, pptx, odt, ods, odp, wps, wpd, sxw, eps, dbf, csv, tif, emf, wmf, odg, pcx, pbm, svg, pict, vsd, psd, cdr, dxf, and more. Also highlights and enables navigation through keyword hits on the rendered preview.

Como veis, hay un poco de todo, y disponemos de módulos más orientados a fuerzas y cuerpos de seguridad, como el de "Child Exploitation Hashset", o los de análisis de vídeos e imágenes, otros módulos más orientados a analistas de malware y software dañino, como los módulos de Virus Total, Prefetch o de Windows Registry Content Viewer, y otros módulos más generales. En el enlace anterior podéis encontrar la versión mínimo de Autopsy necesaria para el funcionamiento de cada uno de ellos y el enlace para su descarga.

Os animo a probar Autopsy con sus módulos de ingesta de terceros y a compartir con nosotros vuestras experiencias. 

Hasta el próximo post, 

Saludos!
en
Etiquetas: ,

No hay comentarios:

Publicar un comentario

Suscribirse a: Enviar comentarios (Atom)