Autopsy Changelog

What's new in Autopsy 4.19.3

Dec 27, 2021
  • Bug Fixes:
  • Updates for log4j vulnerabilities.
  • Solr 8.11.0 Upgrade
  • Manual update of log4j to 2.16.0

New in Autopsy 4.19.2 (Nov 12, 2021)

  • GUI Updates:
  • Special handling of Interesting Files and Interesting Results analysis results was removed from the tree and they are now shown as individual nodes.
  • Updated display of analysis results in the tabular results viewer.
  • Improved algorithm for populating the S(core) column in the tabular results view.
  • Updated the right-click menu options for data artifacts and analysis results.
  • The O(ther Cases) column in the tabular results view and the Other Occurrences content viewer now count cases in the same way.
  • Misc:
  • Installed applications are now added to the central repository.
  • The Central Repository ingest module no longer uses the generic Interesting Item analysis result and instead creates more specific Previously Seen, Previously Unseen, and Previously Notable analysis results.
  • Automatic destinations (jump lists) parsing added to the Recent Activity module.
  • French translation of user documentation contributed by GitHub user @Seb2lyon.
  • Bug Fixes:
  • Analysis Results and Annotation content viewers now work when parent is a data artifact.
  • Fixed bug that prevented media attachments from being displayed in the Communications Viewer.
  • Fixed RegRipper bug to support parsing of ShellBags with non-Latin characters.
  • Assorted GUI responsiveness fixes.
  • Fixed NTFS handling of compressed files that were not fully initialized (via TSK).
  • Other assorted bug fixes.

New in Autopsy 4.19.1 (Aug 10, 2021)

  • Bug Fixes:
  • Fixed connection leak associated with creating OS Accounts
  • Decreased priority of OS Account Content Viewer
  • Misc bound check fixes in TSK

New in Autopsy 4.19.0 (Aug 2, 2021)

  • Data Source Management:
  • To make managing big cases easier, all data sources are now associated with a host that can be specified in the “Add Data Source” wizard.
  • Hosts can be grouped by “person”, which is simply a name of the owner.
  • The main tree viewer can be configured to group by person and host.
  • OS Accounts:
  • Operating System (OS) accounts and realms are their own data types and no longer generic artifacts.
  • OS Accounts are created for Windows accounts found in the registry. Domain-scoped realms are not fully detected yet.
  • NTFS files are associated with OS Accounts by SID.
  • The Recent Activity module associates artifacts with OS Accounts based on SID or path of database. Other modules still need to be updated.
  • OS accounts appear in a dedicated sub-tree of the main tree view and their properties can be viewed in the results view.
  • A new content viewer in the lower right area of the main window was built to display OS account data for the item selected in the results view.
  • Analysis Result and Data Artifacts:
  • All modules make either Analysis Results or Data Artifacts instead of “Blackboard Artifacts.”
  • New “Analysis Result” content viewer shows the results for a given file and its score.
  • The tabular results viewer shows an icon for the aggregate score of a file.
  • The tree organizes results into "Analysis Results" and "Data Artifacts" instead of simply “Results.”
  • Discovery UI:
  • Domain categorization and account types are displayed in Domain Discovery results.
  • The Domain Discovery results view more explicitly shows when a downloaded file no longer exists.
  • Check boxes are now used to select search options instead of shift-based multi-select.
  • Ingest Modules:
  • File metadata updates are batched up before being saved to the case database for better performance.
  • Parsing of iLEAPP and aLEAPP output was expanded to create communication relationships which can be displayed in the Communications UI.
  • EML email parsing handles EML messages that are attachments (and have their own attachments).
  • Domain categorization within Recent Activity can be customized by user-defined rules that can be imported and exported.
  • Account IDs and Installed Applications are added to the Central Repository.
  • Keyword search can be configured to only do OCR and skip non-OCR files.
  • Miscellaneous:
  • A “Reset Windows” feature was created to help redock windows.
  • A case-insensitive wordlist of all words in the keyword search index can be exported as a text document.
  • Information from the Data Source Summary panels can be exported as an Excel spreadsheet.
  • More artifacts are added to the timeline and artifacts with multiple time-based attributes are mapped to multiple timeline events.
  • Added option to only perform optical character recognition on certain file types.
  • Heap dumps can be saved to a custom location.
  • More detailed error messages about encrypted disks when they are added.
  • Added file size filter to Ingest Filters.
  • Performance:
  • Keyword search does not make an explicit commit for each report if ingest is running.
  • Language ID is performed on a small subset of a file instead of the entire file.
  • Recent Activity is more efficient because of TSK changes to file searching (using extension).
  • Embedded file extractor module has been made faster by doing file typing in memory and adding extracted files in batches.
  • Moved Content Viewers setNode() and isSupported()/isPreferred() code to background threads.
  • Moved Data Source Summary Panel population code to background threads.
  • Moved Node/Tree queries to background threads.
  • Bug Fixes:
  • Fixed embedded file extractor file name escaping bug.
  • Detect VHD files by signature and not extension.
  • Fixed iLEAPP path error.
  • Content viewers UIs are more consistent.
  • Assorted bug fixes are included.
  • Auto Ingest:
  • The Auto Ingest Dashboard is resizable.
  • Get thread dumps from AID
  • Added beta pause feature that pauses auto ingest for a set amount of time at a scheduled date and time.

New in Autopsy 4.18.0 (Aug 1, 2021)

  • Keyword Search:
  • A major upgrade from Solr 4 to Solr 8.6.3. Single user cases continue to use the embedded server.
  • Multi-user clusters need to install a new Solr 8 server and can now create a Solr cloud with multiple servers.
  • NOTE: Cases created with Autopsy 4.18 cannot be opened by previous versions of Autopsy. Autopsy 4.18 can open older cases though.
  • See http://sleuthkit.org/autopsy/docs/user-docs/4.18.0/upgrade_solr8_page.html for more details.
  • Improved text indexing speed by not doing language detection on unknown file formats and unallocated space.
  • Domain Discovery:
  • Added details view to Domain Discovery to show what web-based artifacts are associated with the selected domain.
  • Updat

New in Autopsy 4.17.0 (Nov 10, 2020)

  • GUI:
  • Expanded the Data Source Summary panel to show recent activity, past cases, analysis results, etc. Also made this available from the main UI when a data source is selected.
  • Expanded Discovery UI to support searching for and basic display of web domains. It collapses the various web artifacts into a single view.
  • Ingest Modules:
  • Added iOS Analyzer module based on iLEAPP and a subset of its artifacts.
  • New Picture Analyzer module that does EXIF extraction and HEIC conversion. HEIC/HEIF images are converted to JPEGs that retain EXIF using ImageMagick (replaces the previous EXIF ingest module).
  • Added support for the latest version of Edge browser that is based on Chromium into Recent Activity. Other Chromium-based browsers are also supported.
  • Updated the rules that search Web History artifacts for search queries. Expanded module to support multiple search engines for ambiguous URLs.
  • Bluetooth pairing artifacts are created based on RegRipper output.
  • Prefetch artifacts record the full path of exes.
  • PhotoRec module allows you to include or exclude specific file types.
  • Upgraded to Tika 1.23.
  • Performance:
  • Documents are added to Solr in batches instead of one by one.
  • More efficient queries to find WAL files for SQLite databases.
  • Use a local drive for temp files for multi-user cases instead of the shared folder.
  • Command Line:
  • Command line support for report profiles.
  • Restored support for Windows file type association for opening a case in Autopsy by double clicking case metadata (.aut) file.
  • Better feedback for command line argument errors.
  • Misc:
  • Updated versions of libvmdk, libvhdi, and libewf.
  • Persona UI fixes: Pre-populate account and changed order of New Persona dialog.
  • Streaming ingest support added to auto ingest.
  • Recent Activity module processes now use the global timeout.
  • Option to include Autopsy executable in portable case (Windows only.)
  • Upgraded to NetBeans 11 Rich Client Platform.
  • Added debug feature to save the stack trace on all threads.

New in Autopsy 4.16.0 (Sep 10, 2020)

  • Ingest:
  • Added streaming ingest capability for disk images that allows files to be analyzed as soon as they are added to the database.
  • Changed backend code so that disk image-based files are added by Java code instead of C/C++ code.
  • Ingest Modules:
  • Include Interesting File set rules for cloud storage, encryption, cryptocurrency and privacy programs.
  • Updated PhotoRec 7.1 and include 64-bit version.
  • Updated RegRipper in Recent Activity to 2.8
  • Create artifacts for Prefetch, Background Activity Monitor, and System Resource Usage.
  • Support MBOX files greater than 2GB.
  • Document metadata is saved as explicit artifacts and added to the timeline.
  • New “no change” hashset type that does not change status of file.
  • Central Repository / Personas:
  • Accounts in the Central Repository can be grouped together and associated with a digital persona.
  • All accounts are now stored in the Central Repository to support correlation and persona creation.
  • Content viewers:
  • Created artifact-specific viewers in the Results viewer for contact book and call log.
  • Moved Message viewer to a Results sub-viewer and expanded to show accounts.
  • Added Application sub-viewer for PDF files based on IcePDF.
  • Annotation viewer now includes comments from hash set hits.
  • Geolocation Viewer:
  • Different data types now are displayed using different colors.
  • Track points in a track are now displayed as small, connected circles instead of full pins.
  • Filter panel shows only data sources with geo location data.
  • Geolocation artifact points can be tagged and commented upon.
  • File Discovery:
  • Changed UI to have more of a search flow and content viewer is hidden until an item is selected.
  • Reports:
  • Can be generated for a single data source instead of the entire case.
  • CASE / UCO report module now includes artifacts in addition to files.
  • Added backend concept of Tag Sets to support Project Vic categories from different countries.
  • Performance:
  • Add throttling of UI refreshes to ensure data is quickly displayed and the tree does not get backed up with requests.
  • Improved efficiency of adding a data source with many orphan files.
  • Improved efficiency of loading file systems.
  • Jython interpreter is preloaded at application startup.
  • Misc bug fixes and improvements:
  • Fixed bug from last release where hex content viewer text was no longer fixed width.
  • Altered locking to allow multiple data sources to be added at once more smoothly and to support batch inserts of file data.
  • Central repository comments will no longer store tag descriptions.
  • Account type nodes in the Accounts tree show counts.
  • Full time stamps displayed for messages in ingest inbox.
  • More detailed status during file exports.
  • Improved efficiency of adding timeline events.
  • Fixed bug with CVT most recent filter.
  • Improved documentation and support for running on Linux/macOS.

New in Autopsy 4.15.0 (May 1, 2020)

  • New UI Features:
  • Added Document view to File Discovery.
  • Expanded Context Content Viewer to show if an app accessed a file.
  • Added translation feature to Message Content Viewer.
  • Added waypoint type filter to the Geolocation viewer.
  • Added zoom feature to Indexed Text Content Viewer.
  • New Ingest Modules Features:
  • New GPX ingest module.
  • New Drone ingest module for DJI drones based on DatCon.
  • Create artifacts for files opened by Adobe Reader, Windows Media Player, Office Docs (Most Recently Used (MRU) and TrustRecords), 7Zip MRU, WinRAR MRU, Applets, Microsoft Management Console (MMC) via RegRipper.
  • New Central Repository Features:
  • Central Repository stores account IDs that were previously seen.
  • Central Repository is enabled by default to store past hashes. Feature to flag previously seen files is disabled by default.
  • Other New Features:
  • Multi-user cases can be created via command line
  • Bug fixes:
  • Prevent entire application from crashing when gstreamer crashes on videos.
  • Improve Geolocation viewer with large data sets.
  • Fix error with non-sector aligned reads on local disks.
  • Times from Recycle Bin files are now in timeline.
  • Validate timeline events and ignore events too far in the future.
  • Moved some database queries off of UI thread.
  • Remove hard coded sizes from UI that cause issues with other languages.

New in Autopsy 4.14.0 (Jan 25, 2020)

  • Specialized UIs:
  • New File Discovery UI that allows you to search and filter for certain types of files. Works best with the Central Repository storing all of the hashes you've seen.
  • New Map viewer that uses either Bing (when online) or offline map tiles.
  • Communications UI shows country names for phone numbers and fixed bug in summary panel.
  • Fixed bugs in timeline filtering.
  • Refactored backend timeline filtering code based on The Sleuth Kit data model changes to remove JavaFX dependency.
  • Data Sources:
  • Added limited support for APFS disk images. Does not include encrypted volumes or ones that span multiple disks. Uses contribution to The Sleuth Kit from Black Bag Technologies.
  • New data source processor that parses “XRY File Exports”.
  • Content Viewers:
  • Added a new “Context” viewer to show where a file came from. Currently shows what message a file was attached to or what URL a file was downloaded from.
  • Added support to seek and change playback speed for videos in “Application” viewer.
  • Improved support for Unicode HTML files in “Application” viewer.
  • Added support for webp image files in “Application” viewer.
  • Ingest Modules:
  • Keyword Search module uses Decodetect statistical encoding detection for plain text files. Fixes issues with incorrect detection of Japanese files.
  • Embedded File Extractor module uses statistical analysis to determine encoding of file names in ZIP files. Fixes issues with ZIP files created on Windows Japanese computers.
  • Solr (Keyword Search module) now uses Japanese-specific tokenization using Kuromoji.
  • Fixed Shellbags module in RegRipper (used by Autopsy Recent Activity module) to fix parsing errors.
  • Plaso module no longer generates an error if enabled for non-disk image data sources.
  • Added support for message attachments that are stored as an external file system file. Expanded Email and Android modules to use this technique.
  • General:
  • Fixed crashes by gstreamer when a video is selected.
  • Added initial capability to delete a data source from a case (excludes data in the CR).
  • Changed behavior of portable case menu item to automatically open the case and warn if it was already unpacked.
  • Fixed bug that caused issues when case metadata had Unicode values.
  • Added new Attachment APIs to the CommunicationsArtifactHelper class to support attachments stored as external file system files.

New in Autopsy 4.13.0 (Oct 15, 2019)

  • General:
  • Switch from Oracle JDK to OpenJDK.
  • Full command line support (case creation, adding of data sources, running ingest, and generating reports).
  • Logical Imager:
  • Output can be individual files instead of VHD image (uses less space).
  • More fine grained progress during collection and importing.
  • Log of files and make artifacts.
  • All console messages are saved to a log file too.
  • Improved handling of cancellation when adding results into a case.
  • Ingest Modules:
  • Added Android support as Python modules for: Android installed apps, Android browser, Facebook Messenger, IMO, LINE, Opera, ORUX Maps, Samsung SBrowser, Skype, ShareIt, TextNow, Viber, WhatsApp, Xender, Zapya.
  • Recycle Bin files are parsed in Recent Activity module, new artifacts are created, and deleted file entries are created at the original location of the deleted files. Code is based on Mark McKinnon’s RecycleBin module (https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Recycle_Bin).
  • ShellBag registry data is extracted from RegRipper in the Recent Activity module. New artifacts are recreated for the data. Based on Mark McKinnon’s “Parse ShellBags” module (https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Parse_Shellbags).
  • Additional data is extracted about users from SAM hive in Recent Activity module. Data includes password dates, permissions, groups, and full name. Based on Mark McKinnon’s “Parse SAM” module (https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Parse_SAM).
  • Email ingest module parses EML files. Based on Mark McKinnon’s “EML Parser” module (https://github.com/markmckinnon/Autopsy-Plugins/tree/master/EML_Parser).
  • Fixed bug in MBOX module that caused attachments to have a “_” in the name.
  • New Plaso ingest module that runs Plaso and generates events for the timeline.
  • Fixed bug in Email module for VCard files to better parse phone number types.
  • Keyword Search module waits longer for Solr to start to prevent incorrectly reporting a problem and disabling the feature.
  • Embedded file extractor module was updated to not report compression bombs for GZIP files.
  • Timeline:
  • New approach for storing event data. A dedicated events table exists and is populated as files and artifacts are added to the database. No longer requires an explicit step of populating a local events table.
  • Users can create their own events from the Timeline UI.
  • Filtering was simplified based on existence of tag or hash set hit versus a specific name.
  • Communications:
  • Fixed bug that hid contact book entries with duplicate numbers.
  • Image Gallery:
  • Fixed bug in schema that caused errors with very long file names.
  • Report:
  • CASE report is included in a portable case.
  • Image tags are included in portable case.
  • More size options for a packaged portable case.
  • New Infrastructure to support command line-based generation.
  • Backend:
  • Developers should use the new Blackboard.postArtifact() method to ensure the artifact is indexed and added to the timeline.
  • New classes were created to make it easier to write modules for apps.

New in Autopsy 4.12.0 (Aug 6, 2019)

  • New Features:
  • Initial logical imager feature
  • Changed file type detection so that Tika does not rely only on extension.
  • Communications:
  • Emails are threaded
  • Added Account Summary view
  • Added Contacts panel to show all contacts associated with an account.
  • Added Media panel to show media attachments associated with an account
  • Added filter to show accounts if they are involved with the most recent messages.
  • Added ability to draw a box on a picture while tagging it.
  • Improved speed of displaying results when a column was sorted.
  • Portable cases can contain files marked as Interesting Items and be compressed.
  • New “Text” viewer that consolidates previous Strings and “Indexed Text” viewers.
  • New “Translation” panel with integrations for Google and Bing (credentials required)
  • Added Willi Ballenthin’s “Registry Hive Viewer” panel to the “Application” viewer.
  • Improved HTML viewer to use style sheets and better layout.
  • Added paging to all views for faster loading of large data sets.

New in Autopsy 4.11.0 (Apr 29, 2019)

  • New Features:
  • Adding Data:
  • Hashes can optionally be entered when adding a disk image data source to a case.
  • Acquisition details can be stored when the data source is added.
  • Ingest Modules:
  • Added support for Microsoft Edge browser (cookies, history, and bookmarks)
  • Added support for Safari web browser (downloads, cookies, history, and bookmarks)
  • Expanded Chrome browser support to include cache parsing and form/auto fill.
  • Expanded Firefox browser support to extract form/auto fill fields.
  • Parse Zone.Identifier files to identify the source of files.
  • Added a TSK_SOURCE artifact to downloaded files to help users trace back to where it came from.
  • Added support for parsing vCards (virtual cards).
  • Extract more information about Windows user accounts (number of logins, creation date, and last login)
  • Detect more operating system types, which get saved as a TSK_OS_INFO artifact.
  • Detect Android media cards, which gets saved as a TSK_DATA_SOURCE_USAGE artifact.
  • UI:
  • The Application content viewer now displays HTML files.
  • Video playback now uses gstreamer on 64-bit systems, which supports more video formats.
  • Pictures can be rotated and zoomed in the Application content viewer.
  • The Other Occurrences content viewer layout was reorganized to make viewing the data easier.
  • New "Data Source Summary" panel shows high-level statistics and details about the data sources in the case.
  • Data sources are now listed in the data sources tree in alphabetical order.
  • The presentation of finding common properties within a case was revised to group results in a more helpful way.
  • Report / Export:
  • Portable Cases can be created based on tagged data. These cases contain a subset of the case data and can be opened anywhere.
  • Users can now choose tabs or commas as the delimiter for a files report.
  • Case notes are included in the HTML report.
  • Other:
  • Added a new file type that allows module writers to specify a file based on its byte range.
  • Data sources can be analyzed and have a CASE/UCO report generated using only the command line.
  • Bug Fixes:
  • Decreased the time required to execute inter-case common properties searches of the Central Repository.
  • Assorted small bug fixes are included.

New in Autopsy 4.10.0 (Jan 16, 2019)

  • New Features:
  • Central Repository:
  • Case Manager shows data source details
  • SSID, MAC address, IMEI, IMSI, and ICCID can be stored and correlated on
  • SSID, MAC address, IMEI, IMSI, and ICCID values from past cases are flagged if they are seen again in the current case.
  • File types can be specified when searching for common files with past cases.
  • Results from finding common files with past cases are now organized by case instead of by number of occurrences.
  • The Central Repository can now be searched for a specific value (hash, email, etc.)
  • The E01 Verifier ingest module was renamed to Data Source Integrity module and it will:
  • Calculate hashes if none exist for a non-E01 data source
  • Validate hashes if they are defined
  • MD5, SHA1, or SHA256 hash values of raw data sources can now be specified when they are added.
  • Added the ability for examiners to select the time zone for displaying dates.
  • Tesseract OCR text extraction for keyword search now supports languages other than English, if language packs are installed.
  • Custom headers and footers can now be added to HTML reports.
  • New report module to export basic file data in CASE/UCO format.
  • Ingest filter rules (for triage) can now specify a list of extensions (such as "jpg,jpeg,png") instead of needing to make a rule for each extension.
  • Image Gallery:
  • Refactored to ensure database was fully closed when case was closed.
  • No longer pre-populate DrawableDB database.
  • Added caching to reduce time required to insert files after analysis.
  • Bug Fixes:
  • Duplicate interesting item and EXIF metadata artifacts are no longer created when you run the modules that generate them more than once.
  • The Application content viewer now displays SQLite table column names even when the table is empty.
  • Assorted small bug fixes are included.

New in Autopsy 4.9.1 (Nov 10, 2018)

  • Bug Fixes:
  • Fixed possible ingest deadlock from Image Gallery database inserts.
  • Image Gallery does not need lock on Case DB during pre-population, which makes UI more responsive.
  • Other misc Image Gallery fixes.

New in Autopsy 4.8.0 (Aug 8, 2018)

  • New Features:
  • Data Source Grouping:
  • The case tree view can now be grouped by data source.
  • Keyword and file search can now be restricted to a data source.
  • Central Repository / Correlation:
  • New common files search feature that finds files that exist in multiple devices in the same case.
  • The Other Occurrences content viewer now shows matches in the current case (in addition to central repository).
  • Central repository options panel now shows cases that are in repo.
  • A comment about a file can be created and saved in the central repository so that future cases can see it.
  • Keyword Search:
  • Can enable OCR text extraction of PDF and JPG files using Tesseract.
  • Keyword search module normalizes Unicode text.
  • Keyword search module uses ICU to convert text files that do not have a BOM.
  • Tagging:
  • Tagging menu changed to have user defined tags at top and "quick tag" removed one level of menus.
  • New "Replace Tag" feature to change the tag on an item.
  • Other:
  • SQLite tables can now be exported to CSV files.
  • An interesting file artifact is now created when a "zip bomb" is detected.
  • An object detection ingest module was added to the Experimental module. It requires an OpenCV trained model.
  • Bug Fixes:
  • Expanding the case tree is more efficient.
  • Improved "zip bomb" detection.
  • Assorted small bug fixes are included.

New in Autopsy 4.7.0 (May 9, 2018)

  • A graph visualization was added to the Communications tool to make it easier to find messages and relationships.
  • A new "Application" content viewer (lower right) that will contain file-type specific viewers (to reduce number of tabs).
  • New viewer for SQLite databases (in Application content viewer)
  • New viewer for binary PLists (in Application content viewer)
  • L01 files can be imported as data sources.
  • Ingest filters can now use date range conditions for triage.
  • Passwords to open password protected archive files can be entered (by right clicking on the file).
  • Reports (e.g., RegRipper output) generated by ingest modules are now indexed for keyword search.
  • PhotoRec carving module can be configured to keep corrupted files.
  • Sector size can be specified for local drives and images when E01 is wrong or it is a raw image.
  • New data source processor in Experimental module that runs Volatility, adds the outputs as files, and parses the reports to provide INTERESTING_FILE artifacts.
  • Assorted small enhancements are included.

New in Autopsy 4.6.0 (Feb 23, 2018)

  • New Features:
  • A new Message content viewer was added to make it easier to view email message contents.
  • A new Communications interface was added to make it easier to find messages and relationships.
  • Hash sets can be centrally stored and shared in the Central Repository.
  • New Encryption Detection module that will flag possibly encrypted files.
  • Can more easily run Autopsy from a USB drive and leave few traces on target system.
  • Tag definitions now have a "notable" property. The Central Repository uses this to mark files as notable.
  • Large slack files are now file typed.
  • The maximum number of Solr connections and ingest threads have increased.
  • Periodic keyword search will dynamically change based on how long queries are taking.
  • Users can change the amount of memory allocated to the application.
  • The amount of memory required for processing keyword hits has been reduced.
  • Layout of HTML reports has been modified to make it easier to open.
  • "Databases" was added to File Type by Extension view.
  • Users can now enter more information about cases including examiner, organization, etc.
  • New dialog to open multi-user cases that allows for searching.
  • Auto ingest metrics are collected and displayed in dashboard.
  • Auto ingest module that extracts disk images from archive files.
  • Keyword search has been made more responsive to both search and ingest job cancellation.
  • Number of log files to keep before rollover is now configurable.
  • Preliminary changes to make Linux and OS X builds easier.
  • Bug Fixes:
  • Memory leaks and other issues revealed by fuzzing the SleuthKit have been fixed.
  • Memory issues caused by Tika are fixed (by upgrading to 1.17)
  • Assorted small enhancements and bug fixes are included.

New in Autopsy 4.5.0 (Oct 26, 2017)

  • Memory usage has been reduced to improve support for very large cases.
  • New central repository feature has been added that allows you to correlate between cases and track if an item was previously identified as being "bad" or notable.
  • Message attachments are now associated with the message (and not just the source file). These can be found in the data sources and messages parts of the tree.
  • Credit card number search has added logic to reduce false positives based on number lengths.
  • Virtual directory nodes in the tree view are distinguished in the Data Sources tree by the addition of a "V" to their icon. These are folders that Autopsy/TSK created.
  • A new version of the automated ingest dashboard has been added to allow insight into pending, running and completed automated ingest jobs in automated ingest Examiner mode.
  • All occurrences of "Known Bad" in the user interface have been changed to "Notable."
  • Assorted small enhancements and bug fixes are included.

New in Autopsy 4.4.1 (Aug 10, 2017)

  • Beta version of new central repository feature has been added for correlating artifacts across cases; results are displayed using an Interesting Artifacts branch of the Interesting Items tree and an Other Data Sources content viewer.
  • Results viewer (top right area of desktop application) sorts are persistent and can be applied to either the table viewer or the thumbnail viewer.
  • The View Source File in Directory context menu item now works correctly.
  • Tagged image files in the HTML report are now displayed full-size.
  • Case deletion is now done using a Case menu item and both single-user and general (not auto ingest) multi-user cases can be deleted.
  • Content viewers (bottom right area of desktop application) now resize correctly.
  • Some potential deadlocks during ingest have been eliminated.
  • Assorted performance improvements, enhancements, and bug fixes.

New in Autopsy 4.4.0 (May 30, 2017)

  • Keyword search regular expressions now work with spaces.
  • A sparse VHD file can be created when analyzing a local drive (USB) so that you don't need to acquire first.
  • Ingest filters allow you to run the ingest modules on only a subset of files during triage
  • Ingest profiles allow you to pick an ingest filter and set of ingest modules to make it easier to preprogram for triage
  • User can edit keyword lists.
  • Import/export of interesting files set membership rules.
  • Fix resolution issue with high DPI systems
  • Updated Recent Activity ingest module to use RegRipper 2.8 plugins.
  • Ability to customize HTML report logo.
  • Assorted small enhancements and bug fixes.

New in Autopsy 4.3.0 (Jan 19, 2017)

  • Support for slack space on files (as separate virtual files) to enable keyword searching and other analysis
  • Simple mode for the file extension mismatch module that focuses on only multimedia and executable files to reduce false positives
  • New view in tree that shows the MIME types
  • Tagged items are highlighted in table views
  • Ordering of columns is saved when user changes them
  • Support for Android devices with preloaders (uses backup GPT)
  • Support for images with no file systems (all data is added as unallocated space)
  • User can bulk add list of keywords to a keyword list
  • New "Experimental" module (activate via Tools, Plugins) with auto ingest feature
  • Assorted bug fixes and minor enhancements

New in Autopsy 4.2.0 (Oct 26, 2016)

  • Credit card account search.
  • Encoding/decoding of extracted files to avoid anti-virus alerts/quarantine.
  • Ingest history used to warn before doing redundant analysis.
  • Options panel for managing custom tag names.
  • Options panel for setting external viewer associations.
  • Keyboard shortcut for applying Bookmark tags.
  • Improved PhotoRec carver ingest module cancellation responsiveness.
  • Results content viewer formats dates.
  • Update to PostgreSQL 9.5.
  • Assorted bug fixes and minor enhancements.

New in Autopsy 4.1.1 (Aug 19, 2016)

  • Bug fix to enable some Python modules to run again.

New in Autopsy 4.1.0 (Jul 20, 2016)

  • New list view in Timeline tool
  • VMWare virtual machine files (vmdk) and Microsoft Virtual Hard Drives (vhd) can be added as data sources.
  • New ingest module detects vmdk and vhd files embedded in other data sources and adds them as data sources.
  • Text associated with blackboard artifacts is indexed and searched for keywords.
  • Custom (user-defined) blackboard artifact and attribute types are displayed in the UI and included in reports.
  • File size and MIME type conditions can be specified for interesting files set membership rules.
  • Assorted bug fixes and minor enhancements.

New in Autopsy 4.0.0 (Jan 20, 2016)

  • Multi-user cases supported that allow collaboration using network-based services.
  • Image Gallery feature released.
  • Assorted minor fixes and enhancements.

New in Autopsy 3.1.3 (Jul 11, 2015)

  • New Embedded File Extractor module that incorporates ZIP file module and extracts images from Office documents
  • Views area counts update when ZIP files and such are found
  • Updates to python scripting for Python 2.7, scripts are reloaded each time ingest is run, and errors are better shown.
  • Updated right click actions to be consistent across all file types
  • Changed logic of Interesting Files module to look for substrings of parent path.
  • Lots of minor fixes and enhancements

New in Autopsy 3.1.2 (Mar 5, 2015)

  • Improvements:
  • New PhotoRec carving ingest module
  • RegRipper output is available as a report instead of TOOL_OUTPUT artifact
  • Updated version of RegRipper
  • New STIX/Cybox report module (manually run after image has been analyzed)
  • File type module supports user defined file types and can alert when they are found
  • More artifacts are extracted from registry
  • Metadata tab in lower right now also shows istat (TSK) output for more metadata details
  • User docs were moved online

New in Autopsy 3.1.1 (Nov 4, 2014)

  • Improvements:
  • New time line feature
  • New Interesting Files module
  • Added support for Python modules
  • Updated HTML report
  • Media Content viewer uses blackboard artifacts and detects PNG by sig.
  • New logo
  • Bug Fixes:
  • Adding local disk errors
  • ZIP files inside of RAR files are properly extracted

New in Autopsy 3.1.0 (Aug 25, 2014)

  • Multi-threaded pipelines
  • File type ingest module
  • File extension mismatch ingest module
  • Android ingest module
  • KML report module
  • Tags can be deleted
  • Hash databases can be created and maintained

New in Autopsy 3.0.10 (Apr 28, 2014)

  • This is a bug fix release. It adds the correct Windows dlls for the 64-bit installer.

New in Autopsy 3.0.9 (Feb 5, 2014)

  • Regular expression keyword search works on file names
  • Fixed Thunderbird parser for subject and dates
  • Fixed errors in hex viewer
  • New "EnCase-style" report that lists files and metadata in tab delimited file
  • Removed xdock definitions -> some claim this helps with memory problems
  • More lazy loading to help performance with big folders and sets of files
  • Times can be displayed in local time or GMT
  • Changed report wizard to make one report at a time
  • Updated SQLite to 3.8.0
  • Enhanced reporting on keyword search module errors
  • report improvements (only regenerate if data exists)
  • more error messages if recent activity module fails
  • more error checking in recent activity module and don't bail as quickly
  • Cleanup of recent activity module
  • better handle if ingest module throws exception during init()
  • do not run ingest if any module fails to init()
  • Added FILE_DONE event to ingest manager
  • Added search engine parsers for LinkedIn, Twitter, and Facebook
  • HTML text is better formatted
  • Report generation performance
  • HTML parser is skipped for files bigger than 50MB

New in Autopsy 3.0.8 (Oct 17, 2013)

  • This fixes a broken installer from 3.0.7 that caused Keyword Search to not work on some systems. No other features in this release.

New in Autopsy 3.0.7 (Sep 30, 2013)

  • Improvements:
  • 64-bit support (JavaFX for video)
  • Multi-select
  • different sized thumbnails
  • Custom tags persist across runs of the app
  • RegRipper is run on each hive and raw output is available.
  • Metadata content viewer
  • Bug Fixes:
  • Several -> Didn't keep good track in this file.
  • TSK Bug fixes, including fix for showing deleted NTFS files in wrong parent folder.
  • Error messages from adding disk to database are better displayed.
  • RecentActivity better reports errors parsing data

New in Autopsy 3.0.6 (Jun 20, 2013)

  • Improvements:
  • Logical files and folders support
  • New file views in directory tree to view: deleted, executable, archive files and files by size
  • ext4 and yaffs2 support (via TSK 4.1.0)
  • Improvements to tagging of files and keyword search results
  • Any file and folder can be selectively ingested using the directory tree view
  • Bug Fixes:
  • Keyword Search: fix when Solr does not cleanly shutdown
  • fix for "Process Unallocated Space" option doesn't do anything
  • fixed result viewer for "File Search by MD5 Hash"
  • fix Solr, Timeline and RecentActivity issues with java 7.0.21
  • Views->Recent Files showing inconsistent results when clicked many times
  • reduced memory usage in Timeline

New in Autopsy 3.0.5 (Jun 20, 2013)

  • Improvements:
  • New ingest module for ZIP and other archive formats
  • Timeline (Beta)
  • improved image loading in Media View and Thumbnail View (faster loading, handles large files better)
  • Uses more signatures instead of extensions (keyword search and exif modules)
  • Updated Ingest Message Inbox
  • Bug Fixes:
  • fixed memory leaks in "Add Image"
  • The "media view" tab is inactive for deleted files (#165)
  • fixed directory tree history being reset when tree is refreshed.

New in Autopsy 3.0.4 (Jun 20, 2013)

  • Improvements:
  • File tagging.
  • Error notification in lower right.
  • Bug Fixes:
  • DLL installation issues fixed.
  • Out of memory configuration changed.
  • Issue that caused duplicate keyword search results.
  • Crash when generating HTML and Excel reports with special characters.
  • MS Office text extraction
  • EXIF data not being extracted

New in Autopsy 3.0.3 (Jun 20, 2013)

  • Improvements:
  • Upgrade to Solr4.0 / Tika 1.2: Improved performance and highlighting
  • Remake of reporting UI and functionality
  • Significant increase in reporting speed
  • New option to keep the most specific file viewer (default) or the last used viewer active.
  • Bug Fixes:
  • Fixed bug that caused the ends of large amounts of text to not be indexed (occurs mostly in unallocated space). All users should upgrade.

New in Autopsy 3.0.2 (Jun 20, 2013)

  • Improvements:
  • New feature to extract unallocated space as a single file.
  • Hashkeeper database support
  • Can add comments to bookmarks and bookmarks are reported.
  • Queuing time is reduced during ingest.
  • Jump to arbitrary pages in thumbnail view.
  • Changed flow of add image wizard to configure modules while database is being populated.
  • Changed HTML report layout.
  • Bug Fixes:
  • Fixed keyword search interval (did not run until end)
  • Fixed domain type in Web Downloads data.
  • Added hash and keyword search results to report.
  • Fixed UI issue whereby NSRL was always being looked up.

New in Autopsy 3.0.1 (Jun 20, 2013)

  • Improvements:
  • Significant performance improvements when adding images.
  • Slight improvements in UI performance for large number of results.
  • Improved stability when running ingest on multiple images.
  • Removed limit on number of results displayed.
  • Thumbnail viewer - added paging and removed limit of images.
  • Better HTML report navigation, handling large reports better.
  • Updated Add image wizard to support local devices.
  • Bug Fixes:
  • Fixed reading content from multiple file attributes (NTFS, HFS).
  • Added ability to extract contents of the unalloc files.
  • Enable user to select any image file extension when opening image.
  • Thunderbird parser module fixes.
  • Reporting fixes: added missing artifacts (keyword search, hash hits, file bookmarks).

New in Autopsy 3.0.0 (Jun 20, 2013)

  • Improvements:
  • Upgraded versions of libraries
  • Internal ingest framework enhancements
  • Bug Fixes:
  • UI fixes in content and result viewers
  • UI fixes in Hash Database and Keyword Search options.
  • Excel report export produced corrupt files sometimes.
  • Fixed issue where SOLR would not always launch.

New in Autopsy 3.0.0b5 (Jun 20, 2013)

  • New Features:
  • Extract non-English strings from unknown file types.
  • Extract more data from HTML files.
  • Extract EXIF data
  • Basic bookmark support
  • Body file report module
  • Bug Fixes:
  • Better memory footprint of keyword search
  • Media player occasionally crashes

New in Autopsy 3.0.0b4 (Jun 20, 2013)

  • New Features:
  • MBOX / Thunderbird parsing module
  • Better lnk file parsing
  • Bug Fixes:
  • Included needed jar file for Recent Activity (Issue #52).
  • Fixed error handling from ingest (Issue #53)

New in Autopsy 3.0.0b3 (Jun 20, 2013)

  • Ingest manager runs triage/ingest task after disk is added.
  • Keyword search (indexed via SOLR)
  • Recent activity extract (web artifacts, recent documents, devices, etc.)
  • Improved UI

New in Autopsy 3.0.0b2 (Jun 20, 2013)

  • New database design
  • Hashlookup / calculation
  • Minor overall improvements
  • NOTE: Cases created with b1 are not supported in b2 (different DB)

New in Autopsy 3.0.0b1 (Jun 20, 2013)

  • Windows only
  • Directory tree
  • File Search
  • Table and thumbnail viewer