If you have been following the Polito blog, then you know we have been touting the capabilities of using OPSWAT for gaining additional threat intelligence and indicators on the fly right within your forensic software. In our last blog, we discussed the capabilities of using the OPSWAT MetaDefender extension with the highly customizable forensic tool “X-Ways”. This time we are bringing our extension to the open source world by creating the same extension for the well-known open source forensic suite Autopsy.
Download Polito's Autopsy extension here: https://github.com/PolitoInc/Autopsy-Opswat-Plugin
From the description of their site Autopsy is the premier end-to-end open source digital forensics platform. Built by Basis Technology with the core features you expect in commercial forensic tools, Autopsy is a fast, thorough, and efficient hard drive investigation solution that evolves with your needs. What this means for us is that we can forensicate and do not have to dish thousands of dollars for forensic software. Althought this won't fully replace your Encase/FTK/X-Ways dongle, it is a robust, open source solution to add to your arsenal.
This blog is going to walk you through using the OPSWAT MetaDefender service with the Autopsy digital forensic tool. The first step would be installing the application, create a case, and ingest your image file, file, directory etc. that contains your evidence files that you suspect to contain malware. For this example, we are using our beloved test DD image that we suspect to be patient zero for our intrusion on our client’s network. So, like the name says we are going perform an autopsy to see what kind of malware (virus) could have infected this computer to cause the infection across the network (lateral movement/privilege escalation etc.).
Ingesting Evidence Step by Step
Ingesting Images (Examination Preparation) Once Autopsy is installed, you have the option to either select an existing case or start a new case. For the purpose of this blog post, we are going to start a new case and enter dummy information, but of course for your case you would enter in all pertinent information required to identify this case for future examiners to be able to start from where you finished. Once your case is created you add the suspected forensic artifact image.
Plugin Installation – Polito OPSWAT Plugin Before you start ingestion, this is probably the best time to install the plugin as it requires a restart of the Autopsy application. To install our plugin, navigate to the tool’s menu on the top bar and select plugins as shown in the screenshot below:
This will take you to a menu that will have a tab for you to install downloaded plugins. Navigate to the downloaded tab and select the add plugins button.
A file dialog box will show up that will allow you to add new plugins to the Autopsy modules list. Select the Polito OPSWAT plugin that you downloaded from GitHub.
You will be greeted by a popup that asks you to validate that you are installing a third-party plugin and that it is unsigned.
Once you click the continue box continue to follow the dialog box to finalize the installation.
3. Image Processing (Ingest Module)
Once the plugin has been installed and the Autopsy tool has been restarted, you should now be able to process your image with the newly added plugin from the ingestion module. If you decided to add your evidence later, you can get to the ingestion module from the add data source menu once you add your image. Below is the dialog box that you should be presented with and allows you to select multiple source types.
If you already have ingested data within your Autopsy case, you can get to the ingestion module screen by right clicking your evidence source that you want processed.
Once you click the run Ingest Module option, you should be presented with the dialog below that allows you to select a set of ingestion modules to can be run across your selected set of data. MetaDefender uses MD5 hashes, so the “MD5 hash lookup” ingestion module should also be selected.
Select the MetaDefender Lookup Utility and any other modules you would like to process your evidence files. When you highlight the MetaDefender Lookup Utility, it will give you the option to enter the MetaDefender API key. You can sign up for an API Key at the Metadefender site at:
Once you have selected all the ingestion modules you would like to process on your evidence file click finish and Autopsy will start to process your files with the selected modules. After your evidence is fully processed, Autopsy will start to populate fields with pertinent data needed for your investigation. For this blog post’s purposes, I moved around a few important fields.
Autopsy uses the Score field to note if a file has some interesting artifacts that should be further investigated. In the screenshot below, you will see that a few of the files in this case have a yellow icon in the Score field noting that there is some interesting information; also notice that the MD5 Hash field has also been populated.
Once you click a notable file there will be a “results” tab in the bottom sub-menu, and this menu will provide the results that were returned when Autopsy sent the MD5 hash to the OPSWAT cloud file submission API.
Based on the MD5 hash the edgar_rules.docx file has been identified as “Malware” and in the comments the assumed malware variant description identified this as a “Trojan Downloader”. An examiner can use this information to start building a timeline of when the Trojan downloader was first placed onto the computer and focus their investigation around this time to find additional artifacts.
Part II of this OPSWAT Autopsy Forensic blog will go into further detail on how to use these indicators to start developing a forensic storyline and building additional hashes and signatures to streamline processing multiple evidence files in your case.
Our team is also going to implement smarter filtering, speed improvements, and more, so bookmark our Github page!
Polito, Inc. offers a wide range of security consulting services including threat hunting, penetration testing, vulnerability assessments, incident response, digital forensics, and more. If your business or your clients have any cyber security needs, contact our experts and experience what Masterful Cyber Security is all about.
Phone: 571-969-7039
E-mail: info@politoinc.com
Website: politoinc.com