Thursday Apr 18, 2013

Digital Forensics Platform on the NetBeans Platform

Autopsy is a graphical interface to The Sleuth Kit and other analysis tools. It is designed to be an extensible platform so that it can be an end-to-end digital forensics solution that incorporates plug-in modules from both open and closed source projects.  The focus of the application is to make a fast, easy to use, and extensible platform for digital forensic analysts.

The screenshot below shows that Autopsy provides a natural tree view interface to a disk image, as well as nodes that display common data views, such as all images, videos, and documents found on a system, with the ability to view those files using a hex view, string view, or even applicable modules (i.e., a media viewer):

Next, you can see that Autopsy has a timelining feature that graphically depicts activity on the system (events) over a specified period of time.  A user can "zoom in" and "zoom out" and focus on specific days or even years:

As can be seen above, Autopsy uses JavaFX. Currently, Autopsy uses JavaFX in its Timeline Viewer (for bar charts) and in its Media Viewer (for viewing images). The Autopsy team is very excited to start integrating JavaFX into Autopsy for several reasons.  Firstly, JavaFX components add a more modern look and feel to a slightly dated looking Swing and add the missing rich-client capabilities. Secondly, JavaFX simplifies the build and integration process as it is a drop-in replacement for some of the external libraries, with consistent functionality and behavior across the operating systems. In the near future, the Autopsy team would like to utilize the built-in WebKit HTML renderer and web browser, as the team begins to add support for HTML viewers that integrate with existing native Java components. In short, the Autopsy team is very impressed with JavaFX and has hopes to use it more in the future. They have found that the JavaFX programming model looks very familiar, is easy to get into, and components integrate nicely with Swing components.

Next, notice that Autopsy has multiple ingest modules that perform fast indexing and custom keyword searching that can be configured before processing a disk image.  This creates real-time results as keywords and patterns that are configured and are discovered while an analyst is performing other searching tasks. In addition, the indexing makes ad-hoc querying very fast during an investigation.

Next, you can see that when items of interest are found on a hard drive image, an analyst can use Autopsy to quickly categorize and tag the information to recall quickly later on or include in their report:

Finally, you can see that as a final step for an investigation, Autopsy includes flexible report generation in multiple formats, out of the box, including HTML, XML, and CSV:

How the NetBeans Platform Helps

The NetBeans Platform was chosen because an extensible platform was needed that other open source developers would write modules for. The aim is to make a complete end-to-end digital forensics solution, instead of people needing to use lots of small tools for various tasks, many of those tools without a GUI. The NetBeans Platform allows third-party modules to be contributed in three places in Autopsy:

  • Ingest Modules. Run on each disk image as they are added to the case and perform some type of analysis to find evidence.

  • Report Modules. Run after the analysis to create a final report in HTML, XML, etc.

  • Content Viewers. In the lower right (where you see the skull and hex views above) is a framework that can be extended to offer different modes of viewing different file types.

Geertjan Wielenga (@geertjanw) is a Principal Product Manager in the Oracle Developer Tools group living & working in Amsterdam. He is a Java technology enthusiast, evangelist, trainer, speaker, and writer. He blogs here daily.

The focus of this blog is mostly on NetBeans (a development tool primarily for Java programmers), with an occasional reference to NetBeans, and sometimes diverging to topics relating to NetBeans. And then there are days when NetBeans is mentioned, just for a change.


« April 2013 »