4.21.0 Release with Faster Search and Malware Scanning


The 4.21 version of Autopsy is out and this blog post will cover three of the most notable new features.  You can see the full list of changes here. We’re going to cover:

  • Inline Keyword Search
  • Cyber Triage Malware Scanner Module
  • Logical File Timestamps

To download the latest version, go here.  

You can also attend a Webinar on Sept 12. Register here.

Search for Keywords Without Building an Index

The Keyword Search module has a new feature that lets you skip populating the Solr index, which means that ingests are faster (but later searches will be slower).

The traditional way of keyword searching in Autopsy was to:

  • Extract text from files
  • Add the text to Solr, which would break it into words (tokens)
  • Periodically, search the index

This is great when you want to perform many searches on the data because each later search is going to be fast. But, it was a waste when you may have only one set of keywords and you want to triage the device for them. 

Now, you can search with the following process:

  • Extract text from the files
  • Search the text for keywords in the ingest pipeline

But, if you later realize you have more keywords to search for, you’ll have to run ingest all over again and read in all of the file content. 

Otherwise, the user experience is nearly the same. You’ll see results in the tree on the left and be able to see the highlighted text on the bottom. 

You can choose during ingest if you want to add text to the index or not. The default is to add the text. 

One note is that a small amount of text is still maintained in the Solr index. Any file that had a keyword hit will be added to the index so that it can be later viewed. 

Scan Files for Malware Without Locally Mounting

A new “Cyber Triage Malware Scanner” ingest module was added that will scan executables for malware. This module is a bit different from others in Autopsy because it requires a commercial license to use. 

The traditional use case is that you want to know if a disk image has backdoors and remote access that someone could have used to plant evidence. Some labs will mount disk images as local drives and scan them with their local AV. This often works, but is limited by:

  • Results from a single scanner
  • The malware could infect the examiner system if it gets run

The new Autopsy module will use 40+ malware scanning engines from Cyber Triage and the executable files are not written to disk. This service DOES NOT use VirusTotal and therefore if files are uploaded, they are not broadcast to the world.

Results show up in the tree as usual:

The module ships with Autopsy and you can get an evaluation key from CyberTriage.com

Logical File Timestamps

Autopsy has historically ignored timestamps when you import a folder of files. That’s because the times on those files could be anything. Autopsy never had any idea if they were accurate or not. 

Well, Autopsy still doesn’t know if they are accurate, but it will now let you pick which timestamps to copy in. You can choose to import the modified, created, or accessed time on the files and that will get stored in the database. 

Another change on the above panel is that you can remove file or folder entries in the top table before adding them. 

Try It Out

Download the latest version of Autopsy today and try out these new features. 

Autopsy 4.20.0 is Finally Out With New Pipelines and Fixes


After over a year, a new Autopsy release is out and this blog post will cover some of the new features, outline why we’ve been unusually silent for a year, and map out what to expect in the future.

If you want to skip right to the download, you can find that here

What’s In the 4.20.0 Release

Let’s first start off with what’s in the release. There have been over 700 commits to the GitHub repo since the last release, so we haven’t exactly been sitting idle. The 4.20.0 release has a lot of smaller bug fixes and features that you can skim through in the NEWS file. Examples include Chromium browser support, Solr and Tesseract upgrades, and numerous bug fixes. 

I wanted to call out a few more notable infrastructure things though:

  • Module writers can now create Jython-based Data Source Processor modules. These allow you to add different kinds of data sources into a case. You can see a sample module here. This came from a community contribution from Ruben Nogueira, which was used for an OSDFCon module submission. 
  • There is a new kind of module and pipeline for data artifacts. This allows Autopsy to do more analytics on artifacts that are extracted from files. The Keyword Search module is now using this as a way to index artifacts.
  • There are new scripts to make installation on Linux and Mac easier. See the new instructions here.

Where Have the Releases Been

It’s been over a year since our last release because of changes with contracts that BasisTech held. Much of the Autopsy development was from generous contracts that let us release much of our work as open source. The scope of those contracts changed and we have not had as much engineering resources on open source releases. 

But, we are NOT abandoning the project. We will continue to support it while we also build out a new business model to support its development. There are several open source-based business models out there and our goal is to continue to provide an entry-level, no-cost digital forensics platform. 

The 2023 Plan

As we start 2023, our goal is to return to quarterly releases and fix bugs. You can submit bug reports to the Github Issue tracker and we will try to recreate and fix them. Any community help with organizing the issues and debugging will be greatly appreciated. 

Autopsy and Log4J Vulnerability


This post outlines how Autopsy is affected by the Log4J vulnerability disclosed in Dec 2021 and tracked as CVE-2021-44228.

The last several Autopsy releases (the most recent was 4.19.2 on Nov 11) have shipped with two versions of log4j.

  • Autopsy itself uses version 1.2
  • Apache Solr embeds 2.13.2

The version Solr embeds has the vulnerability. Note that we have not done any review to determine if it is possible for user data to be logged.

See below for mitigation techniques based on the type of Autopsy deployment and type of case you are opening.

For more information, refer to the Solr page on this issue. Thanks to Ann Priestman for her testing of these fixes.

Dec 22 Update: Autopsy 4.19.3 was released with the fixed version of Log4J.  Autopsy continues to use Log4J v1 and we will be looking into upgrading that in the next major release.

Single User Case

When you open a single user case in Autopsy, the embedded version of Solr is used.  To disable the vulnerable feature:

  • Close Autopsy.
  • Open the following file in a text editor:
    • C:\Program Files\Autopsy-4.19.2\autopsy\solr\bin\autopsy-solr.in.cmd
  • Go to line 81 where you’ll see a line that starts with “set SOLR_OPTS=”.  Append the following to the end: “-Dlog4j2.formatMsgNoLookups=true”.   So, it should look like:
  • To confirm it worked, open Autopsy and open a case.
  • Open a web browser on the same system and point it at:
    • http://localhost:23232/solr/#/
  • Confirm you can see the above log4j configuration.

Multi-User Case

In a multi-user cluster, you need to configure and install your own version of Solr. We recommend you upgrade to 8.11.1 once it is available. In the meantime, you can use one of the techniques outlined in the Solr page. The easiest fix at this point is to edit the solr.in.cmd file and edit the line to disable the lookups.

set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true
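
A static check for the mitigation described in the Single User Case and Multi-User Case sections, as an added example that is not part of the original post or of the Autopsy or Solr code: it works out the final value of SOLR_OPTS in a Solr .in.cmd file and appends the line shown above when the flag is missing, commented out, or reset by a later assignment. The sample file contents and the -Xss256k option are constructed, and only plain set lines are modelled, not conditional blocks.

```python
import re

# Flag and fix line exactly as given in the post.
FLAG_KEY = "-Dlog4j2.formatMsgNoLookups"
FIX_LINE = "set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true"

# cmd.exe treats `set` and variable names case-insensitively; both
# `set SOLR_OPTS=...` and `set "SOLR_OPTS=..."` are valid assignments.
_SET_RE = re.compile(r'^\s*@?set\s+(?P<q>"?)SOLR_OPTS=(?P<value>.*)$', re.IGNORECASE)
_COMMENT_RE = re.compile(r'^\s*@?(rem\b|::)', re.IGNORECASE)
_SELF_REF_RE = re.compile(r'%SOLR_OPTS%', re.IGNORECASE)


def effective_solr_opts(text):
    """Replay every SOLR_OPTS assignment in order and return the final value.

    Approximation: lines are read top to bottom and `if` blocks are ignored.
    """
    value = ""
    for line in text.splitlines():
        if _COMMENT_RE.match(line):
            continue  # a commented-out fix does not count
        m = _SET_RE.match(line)
        if not m:
            continue
        assigned = m.group("value").rstrip()
        if m.group("q") and assigned.endswith('"'):
            assigned = assigned[:-1]  # closing quote of set "VAR=value"
        previous = value
        # A line without %SOLR_OPTS% discards everything set before it.
        value = _SELF_REF_RE.sub(lambda _m: previous, assigned)
    return value.strip()


def lookups_disabled(text):
    """True if the final SOLR_OPTS carries formatMsgNoLookups=true."""
    setting = None
    for token in effective_solr_opts(text).split():
        key, sep, val = token.strip('"').partition("=")
        if key == FLAG_KEY and sep:
            setting = val  # the JVM keeps the last -D given for a property
    return setting is not None and setting.lower() == "true"


def ensure_flag(text):
    """Return the file text unchanged if mitigated, else with FIX_LINE appended."""
    if lookups_disabled(text):
        return text
    eol = "\r\n" if "\r\n" in text else "\n"
    if text and not text.endswith(("\n", "\r")):
        text += eol
    return text + FIX_LINE + eol


# Constructed samples; these are not the contents of the shipped files.
SAMPLE_UNPATCHED = """\
@echo off
REM constructed sample
set SOLR_OPTS=%SOLR_OPTS% -Xss256k
REM set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true
"""

SAMPLE_OVERWRITTEN = """\
set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true
set SOLR_OPTS=-Xss256k
"""

SAMPLE_PATCHED = """\
set SOLR_OPTS=%SOLR_OPTS% -Xss256k -Dlog4j2.formatMsgNoLookups=true
"""

if __name__ == "__main__":
    for name, sample in [("unpatched", SAMPLE_UNPATCHED),
                         ("overwritten", SAMPLE_OVERWRITTEN),
                         ("patched", SAMPLE_PATCHED)]:
        print(name, "mitigated:", lookups_disabled(sample))
```

To audit a real install, read the file named in the steps above and pass its text to lookups_disabled(); write the result of ensure_flag() back only with Autopsy closed.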

New Release

After this initial posting, Autopsy 4.19.3 was released with the updated version of the log4j libraries.

 

Autopsy 4.19.0 with Hosts, Analysis Results, and OS Accounts


By Brian Carrier

Autopsy 4.19.0 is out!  We got a bit off from our quarterly release cycle in the past year and this release has code that started 9 months ago.  So there’s a lot in here and therefore this release blog post is a bit longer than usual.

We’re happy to announce that we’ve aligned Autopsy with our Cyber Triage tool so that they use the same database, so many of the features that came into Autopsy were with the help of that team (also at Basis Technology). 

You can download the latest version here.

This blog summarizes the following new features:

  • Organizing data sources by hosts and persons.
  • Data Artifacts vs Analysis Results
  • Associating files and artifacts with OS Accounts
  • Performance improvements 

There’s a lot more too, which you can see here in the release notes.

Hosts and Persons

The first thing you’ll notice when you make a new case in the new version is that it is going to prompt you to specify the host the data source is from. A default one will be selected if you don’t want to specify it.

The main concept is that each data source is part of a host (or phone, device, etc.) and you can group them together. For example, if a host has multiple drives, then they can be grouped to make them easier to find in a big case.

Next, you can optionally add hosts and associate them with a Person. This allows you to put a name, such as “John Doe” to a phone, computer, and media card. The main idea is to allow you to more easily organize the data sources in your case instead of relying only on the data source name. 

Data Artifacts and Analysis Results

Another thing you may notice next is that the tree has slightly changed and there is another “Analysis Results” viewer in the lower right. Autopsy 4.19.0 separated the concepts of “Analysis Results” and “Data Artifacts”, which were previously stored in the same way as “Blackboard Artifacts”. 

  • A Data Artifact is data extracted from some other file or artifact.  For example, a Web History artifact from a SQLite database. 
  • An Analysis Result stores the conclusions from some kind of analysis technique, such as searching a file for keywords or hash values. 

Autopsy could always store these kinds of data, but they were not separated. 

The separation occurred because Analysis Results can now include a score to show how relevant it is to the investigation.  Cyber Triage needed the scoring because its modules vote on how likely an artifact is to be associated with an intrusion. We’ll talk more about that later. 

There are two main impacts that you’ll see in the newest version. First, the tree now has sections for Data Artifacts and another for Analysis Results. Look in the Data Artifacts section for things extracted from other things. Look in the Analysis Results section for outputs of analysis techniques. 

Lastly, we used to always have a “Results” viewer in the lower right that had both of these types of data. Now, there is a new Analysis Results viewer that lists the results that a given item has (such as its keyword hits or Yara hits).

Operating System Accounts

Another Cyber Triage-motivated feature is that Operating System Accounts are now “First Class Citizens”. They were previously stored as the more generic “Blackboard Artifacts” and not linked with any activity of that user.  Now, files and data artifacts can be associated with a user.

Cyber Triage needed this feature in the database so that examiners can easily determine what processes, artifacts, and logins were associated with a given account. This makes it easier to look for account takeover.

Autopsy’s use of the data is not quite yet as robust, but you can now see all of the OS Accounts in the tree. 

And you can see which account is associated with a selected item. 

You can learn more about them here.

Performance Improvements

We also spent a lot of time looking at bottlenecks and fixing those to give performance improvements in various places.  The details are not relevant for this level of blog, but here are some examples:

  • Recent Activity was made faster by using more efficient file searches and not committing the Solr index for each RegRipper report. 
  • Language ID is performed only on a small chunk of a file instead of all of the text.
  • Embedded file extractor module has been made faster by doing file typing in memory and adding extracted files in batches.
  • Various UI panels do more DB queries on background threads. 

Get It Today

You can download the latest version and try out these new features from here

Cyber Triage 3.0 will be out in a couple of weeks with the new database, but you can try version 2 from here in the meantime.

 

Yara, Android (aLEAPP), Domains, and More in 4.18.0


The Autopsy 4.18.0 release is out with lots of new features, enhancements, and bug fixes. This blog dives a little deeper into some key digital forensics features. 

  • New Android, iOS, and Yara Modules.
  • New Domain Discovery interface to focus on overloads of web artifacts.
  • Upgraded to Solr 8, which has impact on who can open new cases. 

You can see the full list here.

You can find the latest version on the download page

New Modules

You’ll see two new modules in the new release (Yara and aLEAPP) and a significant update to the iLEAPP module added to the last release. Let’s cover the highlights: 

  • Yara allows you to search files for regular expression patterns and is popular for intrusion and DFIR investigations. You can now search files in Autopsy data sources using Yara rules.  Simply add the rule files to a folder.   More details can be found in the user docs.
  • aLEAPP allows you to analyze Android databases and files.  The “Android Analyzer (aLEAPP)” module wraps the aLEAPP tool and creates Autopsy artifacts with the results. It will work on both physical images and logical file sets. You can read more about it in the user docs.
  • iLEAPP is the iOS version of aLEAPP and we introduced it into Autopsy in 4.17.0, but in a limited capacity.  It used to work only on tar file inputs, but it now will work on physical images as well. The iLEAPP team added the ability for us to know which files it wanted to parse.  Our module queries for those files, writes them to disk, and then runs iLEAPP on them. More artifacts are also created in this release. The user docs for this module can be found here

Web Domain Analysis

There are often thousands and thousands of web artifacts in an investigation. It can be overwhelming. The “Domain Discovery” interface is our new way of reviewing web domains and it allows you to focus on the domain first (i.e. “sleuthkit.org”) and then the various types of artifacts that are known about it.

You first pick what kinds of domains you are interested in and how you want to display them. Autopsy will group the domain names by some characteristic (number of visits, date of visits, popularity of domain, etc.). 

You can then navigate the domains and then dive into what the user did on those domains. 

This feature makes it easier to understand the web activity on this system and focus on sites that are most relevant to the investigation. 

The user docs for the feature are here

Solr 8

We finally upgraded our Keyword Search module to use Apache Solr 8 (from version 4). It has the same core search functionality from within Autopsy, but here are some notable changes:

  • Indexing should be faster because we add files in batches instead of individually (we actually slipped this into the last release…). 
  • Cases created with Autopsy 4.18.0 and beyond cannot be opened with Autopsy 4.17.0 and earlier.  But, Autopsy 4.18.0 can open older cases (it still has Solr 4 embedded in it).
  • You can use Solr Cloud in multi-user setups.
  • If you have a multi-user cluster, you’ll need to set up a new Solr 8 server(s). But, you can have both Solr 4 and 8 at the same time (on different servers or ports).

You can find out more about the upgrade here

Try It Out

You can download the latest Autopsy from the downloads page.

#OSDFCon 2020, One for the Record Books


While many events were feeling downsized and forlorn with having to go virtual, the Open Source Digital Forensics Conference this year was a huge success — the largest virtual event in Basis Technology’s history.

Most years, when OSDFCon is held in person in the Washington, D.C. area, attendance varies between 400 and 600. This year, over 13,000 people registered, and more than 5,700 people participated throughout the day.

Brian Carrier again served as conference chair and emceed the whole day from his self-made studio. Other speakers included:

  • Brian Moran, BriMor Labs
  • Jamie Levy, Volatility
  • Kumarshankar Raychaudhuri, LNJN National Institute of Criminology and Forensic Science, Ministry of Home Affairs, Government of India
  • Sarah Edwards, BlackBag Technologies and SANS
  • Harlan Carvey, DFIR Nerd
  • Joseph Mccormack, Champlain College
  • Austin Grupposo, Champlain College
  • Ali Hadi, Champlain College
  • Asif Matadar, Tanium
  • Alexis Brignoni, FBI

Thank you to our Autopsy Module Contest participants, this year’s winners were:

  1. SpeechToText module
  2. AD1_Extractor
  3. Forensic Analysis for Mobile Apps (FAMA)

Once again thank you to our sponsors:

A huge thank you to everyone else who made this event a rousing success!

Autopsy 4.17 Highlights (Summary, iLEAPP, & HEIC)


Autopsy 4.17 is out with a long list of changes. Let’s cover a few new things that were introduced.  You’ll notice a common theme that these were incrementally released with future evolutions in the works. You can see the full list of changes here and download the latest version from here

In this post, we’ll cover:

  • Data Source Summary
  • iOS Forensics using iLEAPP
  • HEIC Pictures and Picture Analyzer Module

Data Source Summary

We re-organized and added more information to the Data Source Summary panel that was introduced last year.  The goal of the panel is to give the examiner a quick overview of the data source to help make prioritization decisions or to help direct the examination. 

You can get to the panel in a few ways, but the easiest is to select the data source and choose the “Summary” tab on the right.

For each data source, you’ll see tabs for the following:

  • Types: Shows basic information such as the number of files, file types, OS Type, etc. for the data source. The goal is to get some basic understanding of size and types of files. 
  • User Activity: Shows the 10 most recent programs launched, domains visited, web searches, USB devices attached, and account types used.  The goal is to get an idea about what kinds of high-level things the user does with the device.
  • Analysis: Highlights the hashsets, keyword lists, and Interesting Item sets that had hits on the data source.
  • Recent Files: Shows the 10 most recent files opened by common apps or downloaded by web browsers. The goal is to get more specific on what files were interesting to the user. 
  • Past Cases: This will show which cases had the same files or artifacts as this data source AND those cases marked the item as notable.  This relies on data from the Central Repository.  
  • Ingest History: Shows you what ingest modules were run on the data source.
  • Container: Provides overview information about the E01 or raw image file.

If there is anything else you’d like to see here, then please let us know.  The next release will add panels to show a mini-timeline of activity and cities that the geolocation data is associated with.

iOS Forensics With iLEAPP 

There is a new “iOS Analyzer (iLEAPP)” ingest module that wraps the iLEAPP program from Alexis Brignoni, Yogesh Khatri, and others. This effort is a work in progress and this release parses a limited number of the wide variety of results that iLEAPP can produce. The next release will add the rest of the artifacts, support for disk images, and aLEAPP for Androids!

Inputs

For this release, the input to iLEAPP needs to be a tar file. If you add the tar file as a logical file to Autopsy and it is in the root folder, then the iOS Analyzer module will detect it and run iLEAPP on it.  

For example:

  • Your data source is at c:\images\case123\phone1.tar
  • You add the c:\images\case123\phone1.tar file as a logical file into Autopsy.

Artifacts

This release focuses on artifacts that Autopsy already had support for, such as web browsers, Wifi, installed programs, programs run, etc.

Autopsy gets them by running iLEAPP to produce TSV files.  Autopsy has a configuration file that maps the files and columns to an Autopsy artifact.  As iLEAPP adds new modules, all someone needs to do is update this XML file. No code is required!

Next Release

In addition to mapping more artifacts, the next release will also allow you to analyze disk images or logical images that are not in a TAR file.  iLEAPP added a feature to output the list of files it needs. We’ve used that list to query Autopsy’s file manager for them, export them to disk, and then run iLEAPP on them.

HEIC Support and Picture Analyzer Module

There is a new module named “Picture Analyzer”.  It will be the central module focused on image and video-based analysis. The EXIF module functionality has been moved to this module and support for HEIC pictures was added. HEIC files are now converted to JPG files and added as children of the HEIC picture. 

Try it Out

You can download the latest version from here.

Autopsy 4.16 Release Highlights


Autopsy 4.16.0 is out and has a lot of new enhancements and fixes. You can see the detailed list and get the downloads from here. This blog highlights a few notable new features and themes.

Flag Cloud, CryptoCurrency, and Other Files

Autopsy will now alert you to the existence of cloud synchronization programs, CryptoCurrency wallets, encryption programs, and VPN programs using its “Interesting Files” ingest modules. This general capability has always been in Autopsy, but we are now shipping with rules instead of relying on you to make them.

You’ll see them as options on the right when you configure the Interesting Files module:

You’ll see the results in the Results part of the tree. It’s important to point out that we are not parsing any of these files. We’re just making sure you are aware of them.

If you’d like to contribute rules back to help your colleagues, we have a page that describes how to get rules back to us so that we can incorporate them.

Streaming Ingest

When you add a disk image to a case, Autopsy will now start analyzing the files faster. This will get you results even faster than before.

In previous versions of Autopsy, there was a discrete phase where Autopsy would use The Sleuth Kit to enumerate all of the files and add a row for each into the database. Once all files were added, the ingest pipelines would start and analyze the files based on a priority order. We call this batch processing since it ended up analyzing all of the files in the DB.

The challenge was that sometimes it took a while to enumerate all of the files on large systems and you were stuck waiting for it to find every file before you got any hashset or keyword hits. Another problem was that if you added a disk image and were already analyzing one, then the analysis would pause while the disk image was being added.

Now, Autopsy will add small sets of files to the database as it enumerates them and they will be immediately scheduled for analysis. So, now you can start to get hashset hits and such while files are still being enumerated. We call this stream processing because files are added to the scheduler as they are found.

This change has no process impact on users or ingest module writers. It’s all transparent. If you are a developer making a DataSourceProcessor module and you want to make your module streaming, then you’ll need to implement runWithIngestStream.

Personas in the Central Repository

The last new feature to highlight is Personas, which allow you to group accounts and assign a name to them in the Central Repository. The Central Repository stores info from your past cases and allows you to correlate with past cases and prioritize your data.

The Persona feature allows you to link accounts together and assign a name. For example, you may know that a phone number and email address are used by the same person based on a contact book entry. Previously, that linking could not be stored in the Central Repository. Now it can.

This feature is most useful for those doing long-running investigations that involve multiple parties and cases. For example, a drug ring or gang investigation.

When Autopsy shows accounts as part of call logs or messages, it will try to resolve that account to a name using the Persona feature. From this panel, you can create a Persona if one is not defined for that account.

You can manage personas from the “Personas” item in the Tools menu.

This is the initial release of an evolving feature and will have incremental enhancements in future releases.

Get The Latest Version

You can get the latest version of Autopsy from here. To learn more about Autopsy and other open source tools, sign up for our annual OSDFCon conference in November. Registration is free this year for the virtual event.

 

Autopsy 4.15 Release Highlights


Autopsy 4.15 is out and we wanted to cover some of the key new features. You can download Autopsy from here and see the full list of changes here.

Central Repository Enabled By Default

We have changed the default configuration so that the Central Repository is enabled by default. We did this because we have found the data can help you ignore previously seen and common files. As an example, the new File Discovery feature takes advantage of data in the Central Repository when it shows you files that you’ve never seen before (i.e. unique pictures).

The Central Repository is a database that can store many types of things:

  • Hash values from past cases
  • Identifiers (such as Wifi SSID) and account names from past cases
  • Hash sets
  • Comments from past cases

The database can be stored as either a local SQLite or a central PostgreSQL database.

You can use the data in the repository for several things:

  • To determine how common or rare a file is
  • To determine if a file was seen in a past case
  • To automatically flag a file that was previously marked as notable

The changes to the repository in 4.15 release include:

  • By default, a SQLite database will be created in your AppData folder. To disable this, use the Options panel.
  • By default, hashes and other identifiers will be sent to the Central Repository for future use. To disable this, do not enable the Correlation Engine ingest module.
  • By default, the Correlation Engine module will NOT flag files if they were previously marked as notable. This is a change in behavior, but is consistent with some people’s concerns of searching past cases and violating search warrant scope. To enable this feature, use the Correlation Engine ingest module settings.

The usual benefits of the Central Repository still exist:

  • The “Other Occurrences” viewer in the lower right will show you where else a file or identifier was previously seen
  • You can search past cases for a given hash or identifier using the “Tools” menu
  • You can comment on a file and see it in future cases.

The changes in this release will be fairly transparent to you (except perhaps that you have a SQLite database growing in size), but will benefit you in the long-term as more features take into account how often items have been seen in the past.

Drones & GPX

There are two new ingest modules focused on Geolocation data in the latest release.

The Drone Analyzer ingest module uses the DatCon library to parse “.dat” files from the internal storage on DJI drones. These files contain track points about where a drone traveled.

Autopsy does not have the ability to acquire data from a drone, but it can analyze the disk image, find the “.dat” files, and make artifacts that can be displayed in the main UI tree and as track points in the geolocation viewer.

This module was funded by DHS S&T and used data acquired by VTO Labs. More information can be found in the user documentation.

Another new geolocation module is the GPX module. This module will find gpx files, parse them, and produce tracks, routes, and bookmarks. They can also be found in the tree or the geolocation viewer.

Expanded Context Viewer

In the last release, we announced a new “Context” content viewer in the lower right. In the 4.15 release, this viewer was expanded to show when a file was used (based on MRU and other data). In its initial debut last release, it showed only where it was downloaded from.

To support this viewer, Autopsy now also parses more locations of file usage based on the output of RegRipper.

Try It Out

Download Autopsy today to try these new features and many more.

Autopsy 4.14 Release Highlights


This blog summarizes some of the highlights of the latest Autopsy release. It’s a new format to give you a summary of the most important changes. The full list of changes is here.

File Discovery

  • What Is It?  New UI that allows you to focus on relevant images and videos (more file types coming later). You specify filter and display settings.
  • When Would You Use It?  To find unique content on the device.
  • How Do You Use It?  Press the “File Discovery” toolbar button. Specify filters (such as only medium and big images and only ones that have been seen fewer than 10 times before) and how to organize results (such as by parent folder or by size). This UI is most powerful when you have enabled the Central Repository and have been collecting hash values for all of your past cases. It lets you ignore all of the files that you’ve seen before.

APFS

  • What Is It?  Initial support for Apple’s file system. Donated by Black Bag Technologies into The Sleuth Kit and refactored by Basis to generalize the “Pool” concept.
  • When Would You Use It?  When analyzing a MacBook or other Apple device.
  • How Do You Use It?  Add the disk image as you would any other disk image, such as NTFS.

Map Viewer

  • What Is It?  New UI dedicated to viewing geo location data. Can use online tiles (from Bing) or offline tiles (from https://openmaptiles.com/).
  • When Would You Use It?  To view coordinates from Exif, GPS devices, Drones, and Android artifacts.
  • How Do You Use It? Use the Tools -> Geolocation menu item, and select filters to restrict what is shown.

Context Content Viewer

  • What Is It?  New viewer in the lower right that shows where a file came from (i.e. the context about the file). Currently shows where a file was downloaded from or what message a file was attached to. The next release will show if it was opened, etc.
  • When Would You Use It?  If you find a file of interest, then you can more easily figure out how it got there and if it was used.
  • How Do You Use It?  Select the “Context” viewer for any file of interest.

Improved Japanese Support

  • What Is It?  Various fixes that were found from testing with Japanese data. Specifically: encoding of file names in ZIP files (which do not support Unicode), encoding of plain text files, and tokenization in Solr using Kuromoji.
  • When Would You Use It?  When analyzing computers with Japanese data and locales.
  • How Do You Use It?  All of the changes are transparent to the user. They happen automatically during ingest or when searching for keywords.

Download It

To try Autopsy 4.14, go to the download page.