Forensic Triage Kit

The forensic analysis of Windows systems is usually extremely time consuming. Therefore, in computer forensics, it is important to automatically mark known files whenever possible. This automated process is called forensic triage. The base for forensic triage is a framework, that starts different triage techniques and aggregates all relevant results.

The aim of this project was to create a solution for such a forensic triage kit with a set of standard triage technique features.

In the evaluation phase, different analysis techniques and frameworks were examined. This lead to the use of the Autopsy project as a basis. Autopsy is an open source digital forensics platform already containing a set of forensic triage features.

The implementation was done in a way of contribution to Autopsy itself and the development of several modules. For example, a module performs a check against an uninfected copy of a system, while another module verifies code signing certificates.

The result of the project is a significant improvement of efficiency in the analysis of Windows images when using Autopsy. A huge part of standard Windows images can be automatically marked as known-good with minimal user interaction.