Autopsy Plugin - URLcheck
Urlhaus check
Sha256: 673d983a9c44ac5c953c9301475e23c8e1b62c2588a857a94138e4c43628483d (ZIP FILE)
Releases
version 1.11 - results no longer accumulate if the plugin is run more than once. Simpler copy-paste to text file.
version 1.10 - initial release
Prerequisites
Copy the content from https://urlhaus.abuse.ch/downloads/text/ to a text file named blocklist.txt (the exact name Autopsy needs in order to read it). Place this file in the root of your output folder.
Extract this csv.txt, rename the file to urlhaus.csv and place it here: DRIVE:\Autopsy_out\YOUR_CASE\ModuleOutput (I'm working on automating this)
Then in Autopsy
In Autopsy, first run the ingest module "recent history"; this extracts the output from the SQLite databases of the browsers in the data set. Then you can run the "URLhaus Lookup Module".
The output is shown in two places: in the left pane under Analysis Results - Interesting Results - URLhaus Match, and in the Autopsy output folder DRIVE:\Autopsy_out\Ubuntu_test\ModuleOutput\URLhaus_Lookup_Module, in the extract file "urlhaus_output.csv", which contains the matches against the URLhaus list.
You can verify that the module works and finds matches by looking in the log file DRIVE:\Autopsy_out\Ubuntu_test\Log\autopsy.log.0, which will show something like this:
"
INFO: Found ingest module factory: name = URLhaus Lookup Module, version = 1.10
2025-04-09 09:14:08.369 URLhausCheckModule startUp
INFO: Starting up URLhaus module.
2025-04-09 09:14:09.664 URLhausCheckModule startUp
INFO: Loaded 47879 unique domains/hosts from URLhaus.
2025-04-09 09:14:09.664 URLhausCheckModule startUp
INFO: URLhaus module startup complete.
INFO: URLhaus Lookup Module analysis of Ubuntu2025.vmdk starting
2025-04-09 09:14:09.685 URLhausCheckModule process
2025-04-09 09:14:09.692 URLhausCheckModule process
....
tested URLs list
....
2025-04-09 09:14:09.817 URLhausCheckModule process
2025-04-09 09:14:09.818 URLhausCheckModule process
INFO: Constructed module output directory path: DRIVE:\Autopsy_out\Ubuntu_test\ModuleOutput\URLhaus_Lookup_Module
2025-04-09 09:14:09.819 URLhausCheckModule process
INFO: Created module output directory: DRIVE:\Autopsy_out\Ubuntu_test\ModuleOutput\URLhaus_Lookup_Module
2025-04-09 09:14:09.819 URLhausCheckModule process
INFO: Writing 18 matches to DRIVE:\Autopsy_out\Ubuntu_test\ModuleOutput\URLhaus_Lookup_Module\urlhaus_output.csv
2025-04-09 09:14:09.821 URLhausCheckModule process
INFO: Successfully wrote URLhaus output CSV.
INFO: URLhaus Lookup Module analysis of Ubuntu2025.vmdk finished
2025-04-09 09:14:09.822 URLhausCheckModule shutDown
INFO: Shutting down URLhaus module.
INFO: Found ingest module factory: name = URLhaus Lookup Module, version = 1.10
"
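The startup log above reports loading unique domains/hosts from URLhaus, which suggests the lookup is done per host rather than per full URL. The following added example (not the plugin's own code) shows that kind of lookup on constructed data, assuming host-level matching; the function names and sample values are hypothetical.

```python
# Added example, not the plugin's code. All sample data is constructed.
from urllib.parse import urlsplit

SAMPLE_BLOCKLIST = """\
# constructed sample in URLhaus text layout: comments, then one URL per line
http://malware.example/payload.bin
http://malware.example/second.bin
http://198.51.100.7:8080/i
"""
SAMPLE_HISTORY = [
    "https://www.example.org/",
    "http://MALWARE.example/other/page",   # same host, path not on the list
    "http://198.51.100.7:8080/i",
    "http://198.51.100.7:8080/i",          # repeat visit
]

def host_of(url):
    """Lower-cased host of a URL, or None when it cannot be parsed."""
    url = url.strip()
    if "://" not in url:
        url = "//" + url                   # bare host/path: treat as netloc
    try:
        host = urlsplit(url).hostname      # hostname is already lower-cased
    except ValueError:                     # e.g. malformed IPv6 literal
        return None
    return host.rstrip(".") if host else None

def load_blocklist_hosts(lines):
    """Unique hosts from blocklist lines; blank and '#' lines are skipped."""
    stripped = (line.strip() for line in lines)
    hosts = {host_of(s) for s in stripped if s and not s.startswith("#")}
    hosts.discard(None)
    return hosts

def match_history(urls, blocklist_hosts):
    """(url, host) for each distinct URL whose host is on the blocklist."""
    matches = []
    for url in dict.fromkeys(urls):        # drop repeats, keep order
        host = host_of(url)
        if host in blocklist_hosts:
            matches.append((url, host))
    return matches
```

With host-level matching, any visited URL on a listed host is reported even when its path never appeared on the list, so each match is a lead to verify against the full URLhaus entry.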
The tool is free to use, download, modify and share as you like. Hope you give me some credit :)
LEGAL DISCLAIMER: This software is provided "as is" for educational and investigative purposes only. Use the software at your own risk!