Autopsy, which is an open-source, digital forensics platform used by law enforcement agencies across the globe to determine how a digital device was used in a crime and recover evidence, is undergoing enhancement.
Nearly every crime committed today involves some type of digital media, such as computers and cell phones.
In most cases, these devices contain vital evidence, including call logs, location information, text and email messages, images, and audio and video recordings that could help law enforcement investigators close a case. At the same time, the types and sizes of these devices are proliferating at an incredible rate, but the budgets of most state and local law enforcement agencies are not keeping pace.
Since its release 15 years ago, a community has grown around Autopsy development, and it continues to grow and to deliver to law enforcement investigators the new capabilities and functionality they have identified as pressing needs.
The Department of Homeland Security (DHS) Science and Technology Directorate previously funded the development and open-source release of Autopsy modules, and its stewardship continues today as part of the Cyber Security Division’s (CSD) Cyber Security Forensics project. CSD is part of the Homeland Security Advanced Research Projects Agency.
As part of the current Cyber Forensics project work plan, the following capabilities will be developed or enhanced within Autopsy:
• A New Communication Analysis Framework: This will develop a storage framework for communications-based data and a graphical interface, making it easier for investigators to view messages from a variety of sources, visualize the messages, and see the relationships between accounts.
• Advanced Image Analysis Functionality: This will expand Autopsy’s existing photo and video analysis capabilities.
• Advanced Timeline Visualization: New features will be added to the timeline module, including integration with existing open-source parsing tools, the ability for users to create and highlight events, and filtering by file type, so that activity can be analyzed more efficiently to determine what events occurred.
Each capability enhancement was identified through a survey of law enforcement agencies conducted by Cambridge, Massachusetts-based Basis Technology Corporation, Autopsy’s primary developer.
Basis Technology queried agencies about their biggest challenges and where they spend the bulk of their investigative time. These new/enhanced capabilities will be provided through future open-source releases of Autopsy.
“These enhancements will substantially increase Autopsy’s ease-of-use for law enforcement agencies,” said Megan Mahle, program manager of S&T’s Cyber Security Forensics project. “The modules we’re focusing on through our effort will add new functionalities and promote flexibility for use by each law enforcement investigator.”
Autopsy, built as an extensible platform, has thousands of users around the world and is downloaded an average of 4,000 times each week.
It supports all types of criminal investigations from fraud to terrorism to child exploitation.
As an open-source platform, it is a cost-effective tool investigators can use to solve crimes, especially in these days of shrinking budgets. In addition to the development activity, the platform also supports the incorporation of third-party modules (either open or closed source).
The easy-to-use software system has standard forensic tool features regularly used by federal, state, and local law enforcement organizations, including disk-image analysis, hash-set analysis, indexed keyword search, registry analysis, and Android and web-artifact analysis. Additionally, Autopsy includes unique capabilities such as support for multi-user cases, automated ingest and correlation analysis. It is taught at many law enforcement conferences and training courses, including at DHS’s four Federal Law Enforcement Training Centers, and used by many agencies as either a primary or validation tool for casework.
The overarching Cyber Security Forensics project develops solutions law enforcement uses to investigate criminal activity. It addresses the specific needs of DHS law enforcement components and collaborates with investigators from federal, state, and local agencies as well as international partners. The project encompasses efforts in the persistent areas of cyber forensics, including mobile device forensics, GPS forensics, and data acquisition and analysis.