Filtering Email Addresses, Credit Card Numbers and Searching for Bitcoin Artifacts with the Autopsy Digital Forensics Software

Abstract

Email addresses and credit card numbers found on digital forensic images are frequently an important asset in a forensic casework. However, the automatic harvesting of these data often yields many false positives. This paper presents the Forensic Enhanced Analysis (FEA) module for the Autopsy digital forensic software. FEA aims to eliminate false positives of email addresses and credit card numbers harvested by Autopsy, thus reducing the workload of the forensic examiner. FEA also harvests potential Bitcoin public addresses and private keys and validates them by looking into Bitcoin’s blockchain for the transactions linked to public addresses. FEA explores the report functionality of Autopsy and allows exports in CSV, HTML and XLS formats. Experimental results over four digital forensic images show that FEA eliminates as many as of email addresses and of credit card numbers.