
Published August 7, 2018 | Version v1.4
Software Open

L-Andrade/LFA: Log Forensics for Autopsy 1.4

Affiliation: IPLeiria

Description

Log Forensics for Autopsy consists of two Jython modules for The Sleuth Kit's Autopsy.

Tested in Autopsy 4.6.0. With this version, LFA targets Windows logs even further. If you have any questions regarding LFA, please contact us:

  • Luís Andrade: luis.m.andrade@outlook.com
  • João Silva: 2180073@my.ipleiria.pt

Developed by Luís Andrade and João Silva under the guidance of Patrício Domingues and Miguel Frade.

Changelog:

1.4. (7th August 2018)

  • Added licenses for BS4, XlsxWriter, netaddr and LFA.
  • Added the Protocol attribute to the Logged IP artifact.
    • LFA looks for certain protocols on the same line on which the IP was found.
  • Refactored some code to log exact exceptions instead of general errors.
  • Added three new artifacts:
    • Invalid WER
      • When an error occurs while attempting to extract information from a .wer file, LFA now adds that file as an artifact so the user can figure out what is wrong with that .wer.
      • Attributes:
        • File path
        • Reason
    • Windows Startup files
      • Created when a Windows Startup file, or its '-slack' counterpart, is found. Each file contains information about apps that are in Windows Startup.
      • Has the same attributes as any other artifact file type.
    • Windows Startup information
      • Information extracted from a Windows Startup file. Contains data about a process that was or is started by Windows on Startup.
      • Attributes:
        • Name (the name of the process)
        • PID
        • Started in trace sec
        • Command line
        • Disk usage (B)
        • CPU usage (ms)
        • Parent PID
        • Parent start time
        • Parent name
        • File path
  • Added the previously mentioned artifacts to the report module.
  • Updated DB and UI, so that the user can disable Windows Startup file search.
  • Added an 'All files' sheet to reports. Contains general information about all the artifact files.
  • Fixed the links to each page on the HTML report.
  • The DFXML report now only contains information about all files, and not logged IPs, reported programs, etc.
  • Changed the behavior of charts in the Excel format and made them more dynamic.
  • Changed the position of the Excel charts to make it easier to read.
  • Added try-catches to attempt to avoid TSK exceptions and errors.
  • Some bugs from previous versions have been fixed in this version, but are too minor to detail each one here.
  • Updated the README a little, but should update it

1.3. (12th July 2018)

  • Added Windows version to Reported programs.
  • New UI for the file ingest module.
  • User can now add, (de)activate, remove, clear, and save RegExs.
    • The file ingest module will search for these RegExs in .log files.
    • Each RegEx is validated on entry.
    • Counts occurrences per file.
    • Individual artifact for each custom RegEx.
  • User can now disable the IP RegEx.
  • RegEx information added to report (missing statistics).

1.2.

  • Changed chart positions, so there are no overlapping charts.
  • Added logging for execution times.
  • Refactoring.
  • Removal of useless files for the Zenodo version (.pyc, $py.class, Git files).
  • Separated log file artifacts; each format now has its own artifact (ad hoc logs, WER files, etc.).

1.1.

  • DFXML now saves as UTF-8 from the start, to avoid errors when generating the report because of certain characters.
  • Changed the position of some charts in the Excel report.
  • Removed the 'Windows log' attribute since it had no value.

1.0.

Initial LFA version

Files

  • L-Andrade/LFA-v1.4.zip (1.9 MB), md5: e1e216b615bfb1a838036a7a2d1d8bd5