sleuthkit · mahdi999-h · Nov 29, 2019 · May 1, 2020 · May 1, 2020 · May 26, 2020
diff --git a/ContentViewerModules/BinEd_Binary_Viewer/README.md b/ContentViewerModules/BinEd_Binary_Viewer/README.md
@@ -0,0 +1,6 @@
+- __Description:__ Alternative binary/hexadecimal data content viewer and file viewer/editor plugin.
+- __Author:__ ExBin Project
+- __Minimum Autopsy version:__ 4.20.0
+- __Module Location__: https://bined.exbin.org/autopsy-plugin/
+- __Source Code:__ https://github.com/exbin/bined-autopsy-plugin
+- __License:__ Apache V2.0 License
diff --git a/ContentViewerModules/Event_Log_viewer/Event_Log_Viewer.nbm b/ContentViewerModules/Event_Log_viewer/Event_Log_Viewer.nbm
diff --git a/ContentViewerModules/Event_Log_viewer/README.md b/ContentViewerModules/Event_Log_viewer/README.md
@@ -0,0 +1,5 @@
+- __Description:__ A module package containing a Data Content Viewer. Allows the user to view individual Event Log (EVTX) files from a windows system.
+- __Author:__ Mark McKinnon
+- __Minimum Autopsy version:__ 4.18.0
+- __Source Code:__ https://github.com/markmckinnon/Autopsy-NBM-Plugins/tree/main/AutopsyEventLogViewer
+- __License:__ Apache V2.0 License
diff --git a/ContentViewerModules/Kafka_Viewer/KafkaLogForensic.nbm b/ContentViewerModules/Kafka_Viewer/KafkaLogForensic.nbm
diff --git a/ContentViewerModules/Kafka_Viewer/README.md b/ContentViewerModules/Kafka_Viewer/README.md
@@ -0,0 +1,5 @@
+- __Description:__ Kafka Log Forensic is a Data Content Viewer for the big data streaming software Apache Kafka. It allows the user to view records stored cluster-side in Apache Kafka log files.
+- __Author:__ Tom Wayne
+- __Minimum Autopsy version:__ 4.18.0
+- __Source Code:__ https://github.com/tomwayne1984/autopsy_kafka_forensics/tree/main/source
+- __License:__ GNU GPL v3
diff --git a/ContentViewerModules/LNK_File_Viewer/README.md b/ContentViewerModules/LNK_File_Viewer/README.md
@@ -0,0 +1,5 @@
+- __Description:__ A module package containing a Data Content Viewer. Allows the user to view individual Link (*.lnk) files from a windows system.
+- __Author:__ Mark McKinnon
+- __Minimum Autopsy version:__ 4.16.0
+- __Source Code:__ https://github.com/markmckinnon/Autopsy-NBM-Plugins/tree/main/LNK_File_Viewer
+- __License:__ Apache V2.0 License
diff --git a/ContentViewerModules/LNK_File_Viewer/lnk_file_viewer.nbm b/ContentViewerModules/LNK_File_Viewer/lnk_file_viewer.nbm
diff --git a/ContentViewerModules/PolySwarm/README.md b/ContentViewerModules/PolySwarm/README.md
@@ -0,0 +1,6 @@
+- __Description:__ Perform hash lookups and file scans on PolySwarm via right click menu on files.
+- __Author:__ PolySwarm Developers
+- __Minimum Autopsy version:__ 4.8.0
+- __Current Source Code and Releases:__ https://github.com/polyswarm/autopsy-module/releases
+- __Original Source Code:__ https://github.com/polyswarm/autopsy-module
+- __License:__ MIT
diff --git a/ContentViewerModules/Video_Triage/README.md b/ContentViewerModules/Video_Triage/README.md
@@ -1,5 +1,5 @@
 - __Description:__ Analyzes video files and displays a series of images so that you can get a basic idea of what the video contains without viewing the entire thing.
 - __Author:__ Basis Technology
 - __Minimum Autopsy version:__ 3.0.7
-- __Module Location__: http://www.basistech.com/digital-forensics/autopsy/video-triage/
+- __Module Location__: https://www.autopsy.com/add-on-modules/video-triage/
 - __License:__ Closed source
diff --git a/ContentViewerModules/Windows_Prefetch_Viewer/Prefetch_File_Viewer.nbm b/ContentViewerModules/Windows_Prefetch_Viewer/Prefetch_File_Viewer.nbm
diff --git a/ContentViewerModules/Windows_Prefetch_Viewer/README.md b/ContentViewerModules/Windows_Prefetch_Viewer/README.md
@@ -0,0 +1,5 @@
+- __Description:__ A module package containing a Data Content Viewer. Allows the user to view individual Prefetch (*.pf) files from a windows system.
+- __Author:__ Mark McKinnon
+- __Minimum Autopsy version:__ 4.18.0
+- __Source Code:__ https://github.com/markmckinnon/Autopsy-NBM-Plugins/tree/main/Prefetch_File_Viewer
+- __License:__ Apache V2.0 License
diff --git a/IngestModules/Antivirus_scanner/README.md b/IngestModules/Antivirus_scanner/README.md
@@ -0,0 +1,7 @@
+- __Description:__ Module for malware scanning using ClamAV antivirus.
+- __Author:__ Askar Dyussekeyev
+- __Minimum Autopsy version:__ 4.19.3
+- __Module Location__: https://github.com/dyussekeyev/ClamPsy/releases
+- __Website:__ https://github.com/dyussekeyev/ClamPsy/blob/main/README.md
+- __Source Code:__ https://github.com/dyussekeyev/ClamPsy
+- __License:__ MIT License
diff --git a/IngestModules/Bitcoin_Detection/README.md b/IngestModules/Bitcoin_Detection/README.md
@@ -0,0 +1,6 @@
+- __Description:__ Module can detect the traces of Electrum, Ledger Live app, bitaddress.org and Ledger Nano X connection (USB; Bluetooth) at Windows 10 systems
+- __Author:__ dgo-berlin (https://github.com/dgo-berlin)
+- __Minimum Autopsy version:__ 4.19.2
+- __Module Location__: https://github.com/dgo-berlin/bitcoin_usage_detection_autopsy_plugin/blob/master/BitcoinDetection/build/org-bitcoin-detection.nbm
+- __Website:__ https://github.com/dgo-berlin/bitcoin_usage_detection_autopsy_plugin/
+- __Source Code:__ https://github.com/dgo-berlin/bitcoin_usage_detection_autopsy_plugin/tree/master/BitcoinDetection/src
diff --git a/IngestModules/CopyMove/README.md b/IngestModules/CopyMove/README.md
@@ -1,3 +1,5 @@
+- __Known Issues:__ This module does not work with the latest versions of Autopsy (April 2020 - https://sleuthkit.discourse.group/t/copy-move-module/1026)
+
 - __Description:__ A module package containing a File Ingest Module and its corresponding Data Content Viewer. Allows the user to identify Copy-Move forgeries within images in the datasource. Please read the readme before using the package.
 - __Author:__ Tobias Maushammer
 - __Minimum Autopsy version:__ 4.1.0

diff --git a/IngestModules/MacOSX_Account_Parser/.gitignore b/IngestModules/MacOSX_Account_Parser/.gitignore
@@ -0,0 +1,181 @@
+# Created by .ignore support plugin (hsz.mobi)
+### Python template
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+env/
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+*.egg-info/
+.installed.cfg
+*.egg
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*,cover
+.hypothesis/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# IPython Notebook
+.ipynb_checkpoints
+
+# pyenv
+.python-version
+
+# celery beat schedule file
+celerybeat-schedule
+
+# dotenv
+.env
+
+# virtualenv
+venv/
+ENV/
+
+# Spyder project settings
+.spyderproject
+
+# Rope project settings
+.ropeproject
+### VirtualEnv template
+# Virtualenv
+# http://iamzed.com/2009/05/07/a-primer-on-virtualenv/
+.Python
+[Bb]in
+[Ii]nclude
+[Ll]ib
+[Ll]ib64
+[Ll]ocal
+[Ss]cripts
+pyvenv.cfg
+.venv
+pip-selfcheck.json
+### JetBrains template
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and Webstorm
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+# User-specific stuff:
+.idea/workspace.xml
+.idea/tasks.xml
+.idea/dictionaries
+.idea/vcs.xml
+.idea/jsLibraryMappings.xml
+
+# Sensitive or high-churn files:
+.idea/dataSources.ids
+.idea/dataSources.xml
+.idea/dataSources.local.xml
+.idea/sqlDataSources.xml
+.idea/dynamic.xml
+.idea/uiDesigner.xml
+
+# Gradle:
+.idea/gradle.xml
+.idea/libraries
+
+# Mongo Explorer plugin:
+.idea/mongoSettings.xml
+
+.idea/
+
+## File-based project format:
+*.iws
+
+## Plugin-specific files:
+
+# IntelliJ
+/out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+# General
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+*$py.class
diff --git a/IngestModules/MacOSX_Account_Parser/README.md b/IngestModules/MacOSX_Account_Parser/README.md
@@ -0,0 +1,64 @@
+- __Description:__ Parse OSX 10.8+ account .plist files and extract any available attributes. If a hashed password is available, 
+extract it and present it in a format that can be used with [Hashcat](https://hashcat.net/).
+- __Author:__ Luke Gaddie
+- __Minimum Autopsy version:__ 4.0.0
+- __License:__ [MIT](https://opensource.org/licenses/MIT), with the exception of dependencies: 
+    - [biplist](https://pypi.org/project/biplist/) - BSD License (BSD)
+
+## Installation & Usage
+Copy MacOSX_Account_Parser into your Autopsy Python Plugins Folder.
+
+Run Ingest modules against your data source, making sure to enable to "MacOSX Account Parser" module.
+
+Any extracted account information will be placed in one of two spots: 
+
+- Extracted Content
+    - Operating System User Account
+    - Hashed Credentials
+
+## Hashcat Usage
+
+In the event that hashed credentials can be extracted from the user account, they'll be placed in "Extracted Content" ->
+"Hashed Credentials".
+
+Assuming that you place the "Hashcat Entry" value found in an artifact in hashes.txt, a sample hashcat session might look like: 
+
+```
+C:\hashcat> hashcat64.exe -m 7100 ./hashes.txt ./dictionary.txt
+hashcat (v5.1.0) starting...
+
+[...]
+
+Approaching final keyspace - workload adjusted.
+
+$ml$68027$fccff02010450ae731c883d638b2a3028bf6504937bab584c283a3a44e8f7ad8$e945d8df4ca67261ff45b07a71e5d695816c53532b42988ae1e91268e869c877ef0186a4b2bdaa75d4b316d03274f5b453ee1c5fef067638041fc696fd091400:TestPassword
+
+Session..........: hashcat
+Status...........: Cracked
+Hash.Type........: macOS v10.8+ (PBKDF2-SHA512)
+Hash.Target......: $ml$68027$fccff02010450ae731c883d638b2a3028bf650493...091400
+Time.Started.....: Mon Sep 28 18:01:20 2020 (1 sec)
+Time.Estimated...: Mon Sep 28 18:01:21 2020 (0 secs)
+Guess.Base.......: File (dictionary.txt)
+Guess.Queue......: 1/1 (100.00%)
+Speed.#2.........:        2 H/s (0.45ms) @ Accel:64 Loops:32 Thr:64 Vec:1
+Speed.#3.........:        0 H/s (0.00ms) @ Accel:64 Loops:32 Thr:64 Vec:1
+Speed.#*.........:        2 H/s
+Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
+Progress.........: 2/2 (100.00%)
+Rejected.........: 0/2 (0.00%)
+Restore.Point....: 0/2 (0.00%)
+Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:68000-68026
+Restore.Sub.#3...: Salt:0 Amplifier:0-0 Iteration:0-32
+Candidates.#2....: TestPassword -> hashcat
+Candidates.#3....: [Copying]
+Hardware.Mon.#2..: Temp: 58c Fan: 41% Util: 87% Core:1936MHz Mem:4513MHz Bus:8
+Hardware.Mon.#3..: Temp: 53c Fan: 36% Util:  0% Core:1695MHz Mem:4513MHz Bus:8
+
+``` 
+
+## Misc. Information
+
+* Accounts are stored in /private/var/db/dslocal/nodes/Default/*.plist
+* Credentials are hashed as SALTED-SHA512-PBKDF2 (Hashcat -m 7100)
+* Hashes are formatted as $ml$[iterations]$[salt]$[first 128 bits of entropy]