The latest release (4.6.0) of Autopsy introduces many new features and fixes and this post will give a high-level overview of the notable ones.  We’ll dive into details in the coming weeks with additional posts.

• Communications: As part of our work with DHS S&T, we’ve been improving the infrastructure in Autopsy to store and display communications.  This will make Autopsy more powerful for email and smartphone analysis.  This release has a new content viewer for messages (in lower right) and a new interface (Tools Menu -> Communications) that shows the accounts and messages between them.   We’ll have a more detailed posting about this topic.  The new content viewer is shown here:
  
• Central Hash Sets: The Central Repository was introduced in Autopsy 4.5.0 as a way to correlate between cases.  You can now also use the repository to centrally store hash sets, such as the NIST NSRL. This will make it easier to manage hash sets in your lab.   We’ll have a more detailed posting about this topic later, but all you need to do is enable the Central Repository and choose “Remote” when you create or import a hash set.
• Encryption Detection Module: There is a new module that uses a standard “Truecrypt” detection algorithm to look for files that could be encrypted volumes. It basically looks for files that have high entropy, a size that is a multiple of 512-bytes, and does not have a known file type.
• Live USB Triage: You can now more easily run Autopsy from a USB drive on a live system without modifying the target system.  Previously, Autopsy would write to the AppData folder of the logged in user.  Now, it will write configuration settings to the USB drive.  This also allows you to preconfigure the drive.  To make such a USB drive, use the “Make Live Triage Drive” item in the “Tools” menu.
• Performance: We’ve been profiling the application a lot lately and have made some changes.  This will be an ongoing process.  In this most recent release we have increased the number of Solr connections, delayed writes to the database in the pipeline, upgraded Tika to reduce memory usage, and more.  You can now also more easily change the amount of memory that Autopsy uses.
• Linux: We are going to release our first Linux beta installer.  We’ve been working through some build and packaging issues and will be releasing a precompiled version for Debian. It’s not perfect yet, but we’ll probably release some more incremental versions of this before the next Windows release.

The full list of changes can be found here.  

Download the latest version from here.