Cyber Triage Gives Back to Autopsy

Cyber Triage 3.0 will be out in a couple of weeks and will once again unite it with Autopsy. Cyber Triage started its life off as an Autopsy module, but then went its own direction. In order to reunite them, we had to add several features that evolved in Cyber Triage back into Autopsy.  

This blog post is about the scoring, OS Account, and host address functionality that Cyber Triage pushed into Autopsy.  

Autopsy vs. Cyber Triage

First, let’s talk about how Autopsy and Cyber Triage are different.  

I call Autopsy a general purpose digital forensics tool. It is general purpose because it can be used for a wide variety of investigation types, such as murders, child exploitation, employee misconduct, counter terrorism, and intrusions. As long as the investigator knows what kinds of artifacts are relevant, they can use Autopsy to find them.  

Cyber Triage on the other hand is a specialized digital forensics tool that focuses on intrusions.  It collects the artifacts specific to intrusions and scores them based on their likelihood to be from an intrusion.  It is nearly useless for a child exploitation or a counter terrorism investigation because those involve different kinds of artifacts. 

So, they are similar but different. Cyber Triage is more automated than Autopsy, but not as general purpose. And, of course, Autopsy is open source and Cyber Triage is not. 

Why the Break Up

When we first built Cyber Triage as an Autopsy module, it had so many unique requirements that were not supported by Autopsy, such as scoring, a data model for volatile data, and many others.  

Because Autopsy was built to be a platform that 3rd party module writers can rely on, we don’t want to change its API and data model, which will break previous modules. So, infrastructure changes are somewhat methodical to reduce the chances that we’ll introduce something that we will later regret. 

During Cyber Triage’s initial development, we decided to try a new database (graphing and NoSQL) so that we could experiment with data models and not commit Autopsy to an experimental API.  So, Cyber Triage had its own database and Autopsy continued to use The Sleuth Kit (TSK) database. 

Why The Reunification

The Cyber Triage database was having stability and scaling issues. We decided it was time to re-unite Cyber Triage and Autopsy because they now had much more in common and we realized the graphing and NoSQL buzzwords weren’t worth it. 

Cyber Triage 3.0 will use the same SQLite and PostgreSQL TSK database that Autopsy uses. To do that, we had to add several things into the TSK database, which then worked their way into Autopsy. 

What Got Pushed In

There are three main changes that are getting added into the TSK Database from Cyber Triage. 

Let’s go through them:

  • OS Accounts: Cyber Triage associates as many artifacts as possible with OS Accounts to enable users to pivot and fully understand the context of an artifact.  For example, program run or web download artifacts are associated with the user who performed them. But, the TSK database stored OS Accounts as only stand alone artifacts that were not linked to activity. The new TSK database associates files and other data artifacts with an OS Account and OS Accounts are organized by domains. You can read more about the details here
  • Scoring: Cyber Triage has long focused on giving a score to files and artifacts to help focus the user on those that are relevant. The TSK database didn’t support this and infrastructure was added to introduce the concept of “Analysis Results” with a score. There are a lot of details to this that we can ignore for now, but we’ll soon have an Autopsy blog post about the details. 
  • Host Addresses: Cyber Triage performs analytics on host addresses to flag high flux host names, use IP-based IOCs, etc. In order to apply scores to IPs and host names, they had to be “first class citizens” in the database.  So, infrastructure was added to keep track of the unique host names, IP addresses, and mappings between the two at a given time. 

When Does This Become Available?

The Autopsy 4.19 release came out last week and included enhanced support for OS Accounts and scoring. Future releases will continue to leverage the capabilities that are now in its database. 

Cyber Triage 3.0 will be out in a couple of weeks.  The 3.0 release is less about new features and more about a better starting point where new features can be more easily added.  

Trying Out the New Features

You can get Autopsy 4.19.1 from here

While Cyber Triage 3.0 is still a couple of weeks out, you can download the latest version from here

Share

FacebookTwitterLinkedInReddit

Cyber RespondIR Newsletter

Like to learn about DFIR?

Sign up for our newsletter to get updates when we push out new technical posts and videos.