As part of our work with DHS S&T, we added some new features last year into Autopsy around storing and displaying messaging-based data. You could always store messages and contact book entires in Autopsy, but the display of them was limited. The work that was done last year (and is ongoing) focuses on better display and analysis of those data types.
This blog post is a quick pointer for the module writers out there so that they can put data into the correct place and it will be automatically displayed.
Displaying Communications
I did a talk at last year’s OSDFCon about the new features. You can find the slides here.
The basic idea is that we built a UI (and underlying storage framework) to allow the user to focus on certain types of communications and date ranges. We prioritized some triage use cases, such as who did this person most communicate with or who did they recently communicate with.
You can use this UI to view call logs, messages, contact books, etc. We’ll later to a posting on the best way to use this UI.
Getting Data Into the UI
We created some special database tables to store the data needed for this UI. So, you’ll need to make a couple of additional API calls when creating communications-based data. We have a document that outlines this in The Sleuth Kit developers documentation. You can find the specific page here.
As you’ll see from that page, you need to:
Create a Blackboard Artifact for the message (like you always would have)
Create an Account for each email, phone, etc. account
Create a relationship between the Accounts in the message.
We have pointers to our modules that are already doing this, such as Android and Email.
Get Started
It’s easy to get started writing Autopsy modules with the communications data. You can start by copy and pasting our past tutorial that focused on an app database and then update it for the database you want to parse. Note that sample files need to be updated to use the Communications API.
You can then submit your module to the 2019 Autopsy Module Competition at OSDFCon for cash prizes. Details can be found here.
The post Getting Data Into the Communications UI appeared first on Autopsy.