Commit 066101a7 authored by Karl Mortensen

update user documentation for 3.1.2

parent 2719d22b
Showing with 326 additions and 95 deletions
...@@ -38,7 +38,7 @@ PROJECT_NAME = "Autopsy User Documentation" ...@@ -38,7 +38,7 @@ PROJECT_NAME = "Autopsy User Documentation"
# could be handy for archiving the generated documentation or if some version # could be handy for archiving the generated documentation or if some version
# control system is used. # control system is used.
PROJECT_NUMBER = 3.1 PROJECT_NUMBER = 3.1.2
# Using the PROJECT_BRIEF tag one can provide an optional one line description # Using the PROJECT_BRIEF tag one can provide an optional one line description
# for a project that appears at the top of each page and should give viewer a # for a project that appears at the top of each page and should give viewer a
...@@ -1372,7 +1372,7 @@ DISABLE_INDEX = NO ...@@ -1372,7 +1372,7 @@ DISABLE_INDEX = NO
# The default value is: NO. # The default value is: NO.
# This tag requires that the tag GENERATE_HTML is set to YES. # This tag requires that the tag GENERATE_HTML is set to YES.
GENERATE_TREEVIEW = YES GENERATE_TREEVIEW = NO
# The ENUM_VALUES_PER_LINE tag can be used to set the number of enum values that # The ENUM_VALUES_PER_LINE tag can be used to set the number of enum values that
# doxygen will group on one line in the generated HTML documentation. # doxygen will group on one line in the generated HTML documentation.
...@@ -1486,7 +1486,7 @@ MATHJAX_CODEFILE = ...@@ -1486,7 +1486,7 @@ MATHJAX_CODEFILE =
# The default value is: YES. # The default value is: YES.
# This tag requires that the tag GENERATE_HTML is set to YES. # This tag requires that the tag GENERATE_HTML is set to YES.
SEARCHENGINE = YES SEARCHENGINE = NO
# When the SERVER_BASED_SEARCH tag is enabled the search engine will be # When the SERVER_BASED_SEARCH tag is enabled the search engine will be
# implemented using a web server instead of a web client using Javascript. There # implemented using a web server instead of a web client using Javascript. There
...@@ -2040,14 +2040,14 @@ ALLEXTERNALS = NO ...@@ -2040,14 +2040,14 @@ ALLEXTERNALS = NO
# listed. # listed.
# The default value is: YES. # The default value is: YES.
EXTERNAL_GROUPS = YES EXTERNAL_GROUPS = NO
# If the EXTERNAL_PAGES tag is set to YES, all external pages will be listed in # If the EXTERNAL_PAGES tag is set to YES, all external pages will be listed in
# the related pages index. If set to NO, only the current project's pages will # the related pages index. If set to NO, only the current project's pages will
# be listed. # be listed.
# The default value is: YES. # The default value is: YES.
EXTERNAL_PAGES = YES EXTERNAL_PAGES = NO
# The PERL_PATH should be the absolute path and name of the perl script # The PERL_PATH should be the absolute path and name of the perl script
# interpreter (i.e. the result of 'which perl'). # interpreter (i.e. the result of 'which perl').
...@@ -2117,7 +2117,7 @@ DOT_NUM_THREADS = 0 ...@@ -2117,7 +2117,7 @@ DOT_NUM_THREADS = 0
# The default value is: Helvetica. # The default value is: Helvetica.
# This tag requires that the tag HAVE_DOT is set to YES. # This tag requires that the tag HAVE_DOT is set to YES.
DOT_FONTNAME = FreeSans DOT_FONTNAME =
# The DOT_FONTSIZE tag can be used to set the size (in points) of the font of # The DOT_FONTSIZE tag can be used to set the size (in points) of the font of
# dot graphs. # dot graphs.
......
/*! \page EXIF_parser_page EXIF Parser Module
What Does It Do
========
The EXIF Parser module extracts EXIF (Exchangeable Image File Format) information from ingested pictures. This information can contain geolocation data for the picture, time, date, camera model and settings (exposure values, resolution, etc) and other information. The discovered attributes are added to the BlackBoard.
This can tell you where and when a picture was taken, and give clues to the camera that took it.
Configuration
=======
There is no configuration required.
Using the Module
======
Select the checkbox in the Ingest Modules settings screen to enable the EXIF Parser.
Ingest Settings
------
There are no runtime ingest settings required.
Seeing Results
------
Results are shown in the Results tree.
\image html EXIF-tree.PNG
*/
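Review bot: "BlackBoard" in the first paragraph is capitalized differently from "Blackboard" in the Email Parser page added in this same commit; pick one spelling for the user docs. Also "etc)" in that paragraph should read "etc.)".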
File mode changed from 100644 to 100755
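Review bot: the mode change from 100644 to 100755 makes a documentation source file executable, which is almost certainly unintended for a .dox page; revert the mode (for example with git update-index --chmod=-x on the file) so that only the content change lands.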
/*! \page android_analyzer_page Android Analyzer Module
What Does It Do
========
The Android Analyzer module allows you to analyze SQLite and other files from an Android device. It works on Physical dumps from most Android devices (note that we do not provide an acquisition method). Autopsy will not support older Android devices that do not have a volume system. These devices will often have a single physical image file for them and there is no information in the image that describes the layout of the file systems. Autopsy will therefore not be able to detect what it is.
The module should be able to extract the following:
- Text messages / SMS / MMS
- Call Logs
- Contacts
- Tango Messages
- Words with Friends Messages
- GPS from the browser and Google Maps
- GPS from cache.wifi and cache.cell files
NOTE: These database formats vary by version of OS and different vendors can place the databaes in different places. Autopsy may not support all versions and vendors.
NOTE: This module is not exhaustive with its support for Android. It was created as a starting point for others to contribute plug-ins for 3rd party apps. See the Developer docs (http://sleuthkit.org/autopsy/docs/api-docs/3.1/mod_mobile_page.html) for information on writing modules.
Configuration
=======
There is no configuration required.
Using the Module
======
Simply add your physical images or file system dumps as data sources and enable the Android Analyzer module.
Ingest Settings
------
There are no runtime ingest settings required.
Seeing Results
------
The results show up in the tree under "Results", "Extracted Content".
\image html android_analyzer_output.PNG
*/
*/
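Review bot: the second "*/" on the last line is a stray comment terminator outside the \page block and should be dropped; Doxygen will at best ignore it and at worst emit it as text. While here: "databaes" in the first NOTE should be "databases", and the Developer docs link is pinned to api-docs/3.1 although this commit bumps PROJECT_NUMBER to 3.1.2, so confirm the path still resolves or point it at the matching version.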
/*! \page archive_extractor_page Archive Extractor Module
What Does It Do
========
The Archive Extractor module opens ZIP, RAR, and other archive formats and sends the files from those archive files back through the ingest pipeline for analysis.
Why would you use it?
This module expands archive files to enable Autopsy to analyze all files on the system. It enables keyword search and hash lookup to analyze files inside of archives
Configuration
=======
There is no configuration required.
Using the Module
======
Select the checkbox in the Ingest Modules settings screen to enable the Archive Extractor.
Ingest Settings
------
There are no runtime ingest settings required.
Seeing Results
------
Each file extracted shows up in the data source tree view as a child of the archive containing it,
\image html zipped_children_1.PNG
<br>
<br>
and as an archive under "Views", "File Types", "Archives".
\image html zipped_children_2.PNG
*/
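Review bot: "Why would you use it?" is a bare line between the description and the "Configuration" header and will render as ordinary paragraph text rather than a heading; either give it the same underline style the other sections use or fold it into the paragraph that follows. That paragraph is also missing its terminal period ("inside of archives").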
...@@ -2,13 +2,15 @@ ...@@ -2,13 +2,15 @@
You need to create a case before you can analyze data in Autopsy. A case can contain one or more data sources (disk images, disk devices, logical files). The data sources can be from multiple drives in a single computer or from multiple computers. It's up to you. You need to create a case before you can analyze data in Autopsy. A case can contain one or more data sources (disk images, disk devices, logical files). The data sources can be from multiple drives in a single computer or from multiple computers. It's up to you.
Each case has its own directory that is named based on the case name. The directory will contain configuration files, a database, reports, and other files that modules generates. The main Autopsy case configuration file has a .aut extension. Each case has its own directory that is named based on the case name. The directory will contain configuration files, a database, reports, and other files that modules generates. The main Autopsy case configuration file has an ".aut" extension.
\section case_create Creating a Case \section case_create Creating a Case
\image html splashscreen.PNG
There are several ways to create a new case: There are several ways to create a new case:
- The opening window has a button to create a new case. - The opening splash screen has a button to create a new case.
- The "File" -> "New Case..." menu item - The "File", "New Case..." menu item
The "New Case" wizard dialog will open and you will need to enter the case name and base directory. A directory for the case will be created inside of the "base directory". If the directory already exists, you will need to either delete the existing directory or choose a different combination of names. The "New Case" wizard dialog will open and you will need to enter the case name and base directory. A directory for the case will be created inside of the "base directory". If the directory already exists, you will need to either delete the existing directory or choose a different combination of names.
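Review bot: "other files that modules generates" on the second line is unchanged in both versions and should be "modules generate"; since that line is already being edited for the ".aut" quoting, fix the agreement in the same change.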
...@@ -21,8 +23,8 @@ After you create the case, you will be prompted to add a data source, as describ ...@@ -21,8 +23,8 @@ After you create the case, you will be prompted to add a data source, as describ
\section case_open Opening a Case \section case_open Opening a Case
To open a case, either: To open a case, either:
- Choose "Open Case" or "Open Recent Case" from the opening window. - Choose "Open Case" or "Open Recent Case" from the opening splash screen.
- The "File" -> "Open Case" menu item or "File" -> "Open Recent Case" - The "File", "Open Case" menu item or "File", "Open Recent Case"
Navigate to the case directory and select the ".aut" file. Navigate to the case directory and select the ".aut" file.
......
/*! \page content_viewer_page Content Viewer
The Content Viewer lives in the lower right-hand side of the Autopsy main screen and show pictures, video, hex, text, extracted strings, metadata, etc. They are enabled when you select a file in the file list above it.
The Content Viewer is context-aware, meaning it will present different views of the content based on the type of file selected. For example, a .JPG would show up as a picture, a text file would show up as text, and a .bin file would show up as hex output.
The screenshots below show some examples of content viewers in action.
<br>
\image html content-viewer-1.PNG
<br>
<br>
\image html content-viewer-2.PNG
<br>
<br>
\image html content-viewer-3.PNG
<br>
<br>
\image html content-viewer-4.PNG
<br>
<br>
\image html content-viewer-5.PNG
<br>
*/
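Review bot: subject/verb agreement in the first paragraph: "show pictures" should be "shows pictures" and "They are enabled" should be "It is enabled", since the subject is the single Content Viewer.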
/*! \page ds_page Data Sources /*! \page ds_page Data Sources
Data source is the term that we use in Autopsy to refer to disk images, logical files, etc. This is the data that you want to add in to analyze. You must have a case open before you can add a data source. A data source the thing you want to analyze. It can be a disk image, some logical files, a local drive, etc. You must open a case prior to adding a data source to Autopsy.
Autopsy supports three types of data sources: Autopsy supports three types of data sources:
- Disk Image: A file (or set of files) that is a byte-for-byte copy of a hard drive or media card. (see \ref ds_img) - Disk Image: A file (or set of files) that is a byte-for-byte copy of a hard drive or media card. (see \ref ds_img)
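Review bot: the rewritten opening sentence is missing its verb: "A data source the thing you want to analyze." should be "A data source is the thing you want to analyze."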
...@@ -15,14 +15,10 @@ Autopsy supports three types of data sources: ...@@ -15,14 +15,10 @@ Autopsy supports three types of data sources:
You can add a data source in several ways: You can add a data source in several ways:
- After you create a case, it automatically prompts you to add a data source. - After you create a case, it automatically prompts you to add a data source.
- There is a toolbar item to add a Data Source when a case is open. - There is a toolbar item to add a Data Source when a case is open.
- The "File" -> "Add Data Source" menu item when a case is open. - The "File", "Add Data Source" menu item when a case is open.
The data source must remain accessible for the duration of the analysis because the case contains only a reference to the data source. It does not copy the data source into the case folder. The data source must remain accessible for the duration of the analysis because the case contains only a reference to the data source. It does not copy the data source into the case folder.
\section ds_process Data Source Adding Process
Regardless of the type of data source, there are some common steps in the process: Regardless of the type of data source, there are some common steps in the process:
1) You will be prompted to specify the data source to add (details are provided below) 1) You will be prompted to specify the data source to add (details are provided below)
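Review bot: the "\section ds_process Data Source Adding Process" line appears only on the old side of this hunk, so the ds_process anchor goes away; grep the other pages for "\ref ds_process" before merging, since any remaining reference produces a Doxygen unresolved-reference warning and a dead link. The numbered steps that follow now continue the previous section, which reads fine.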
...@@ -41,7 +37,7 @@ Regardless of the type of data source, there are some common steps in the proces ...@@ -41,7 +37,7 @@ Regardless of the type of data source, there are some common steps in the proces
5) After the ingest modules have been configured and the basic examination of the data source is complete, the ingest modules will begin to analyze the file contents. 5) After the ingest modules have been configured and the basic examination of the data source is complete, the ingest modules will begin to analyze the file contents.
You cannot remove a data source from a case.
\section ds_img Adding a Disk Image \section ds_img Adding a Disk Image
...@@ -89,8 +85,4 @@ To add logical files: ...@@ -89,8 +85,4 @@ To add logical files:
All of the files that you added in the panel will be grouped together into a single data source, called "LogicalFileSet" in the main UI. All of the files that you added in the panel will be grouped together into a single data source, called "LogicalFileSet" in the main UI.
\section ds_rem Removing a Data Source
You cannot currently remove an data source from a case.
*/ */
\ No newline at end of file
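Review bot: removing the "\section ds_rem Removing a Data Source" heading raises the same anchor concern; check that nothing still uses "\ref ds_rem". The single sentence "You cannot remove a data source from a case." kept in the earlier hunk preserves the information, so the removal itself is fine.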
/*! \page directory_tree Directory Tree
\section about_data_explorer About Data Explorer (Directory Tree)
The data explorer tree is a very important area of the interface. This is where you will start many of your analysis approaches and find saved results from automated procedures (ingest). The tree has three main areas:
\li <b>Images:</b> \n Where you can find the directory tree hierarchy of the file systems in the images. Go here to navigate to a specific file or directory.
\li <b>Views:</b> \n Where you can view all of the files in the images, but organized by file type or dates instead of directories. Go here if you are looking for files of a given type or that were recently used.
\li <b>Results:</b> \n Where you can see the results from the background ingest tasks and you can see your previous search results. Go here to see what was found by the ingest modules and to find your previous search results.
\li <b>Bookmarks:</b> \n Where you can view all file and results that have been bookmarked for easy access.
Below is an example of an Data Explorer Tree window:
image html explorer-tree.PNG
\section image_details_window Image Detail Window
The Image Details window shows you basic information about a disk image. You can access it by right-clicking on an image in the tree and choosing "Image Details".
\image html show-image-details.PNG
An example is shown here:
\image html image-detail-window.PNG
\section volume_details_window Volume Detail Window
The Volume Details window shows you information about a volume. It shows information such as the starting sector, length, and description. You can view the information by right clicking on a volume in the tree and choosing "Volume Details".
\image html show-volume-details.PNG
An example is shown here:
\image html volume-detail-window.PNG
\section extracting_unallocated_space Extracting Unallocated Space
Unallocated space are chunks of the file system that is currently not being used for anything. Unallocated space can store deleted files and other interesting artifacts. On the actual image, Unallocated space is stored in blocks with distinct locations on the system. However, because of the way various carving tools work, it is more ideal to feed them a single, large unallocated file. Autopsy provides access to both methods of looking at unallocated space.
\li Individual Blocks Underneath a volume, there is a folder named Unalloc. This folder contains all the individual unallocated blocks as the image is storing them. You can right click and extract them the same way you can extract any other type of file in the Directory Tree.
\li Single Files There are two ways to extract unallocated space as a single file. Right clicking on a volume and selecting "Extract Unallocated Space as Single File" will concatenate all the unallocated files into a single, continuous file for the volume. The second way is to right click on an image, and select "Extract Unallocated Space to Single Files". This option will extract one single file for each volume in the image. Progress on extraction is sent to the progress bar in the bottom right. Progress is based on number of files concatenated. These files are stored in the Export folder under the case directory. Files are named according to ImageName-Unalloc-ImageObjectID-VolumeID.dat This naming scheme ensures that no duplicate file names will occur even if an there are two images with the same name in a case.
Below is where to find the single file extraction option
\image html extracting-unallocated-space.PNG
*/
\ No newline at end of file
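Review bot: "image html explorer-tree.PNG" is missing the leading backslash, so Doxygen will print those words instead of embedding the screenshot; it should be "\image html explorer-tree.PNG" like the other image lines on the page. Smaller items: the two \li items under Extracting Unallocated Space run the label into the sentence ("Individual Blocks Underneath a volume..."), unlike the <b>...</b>\n pattern used for the list at the top; "Unallocated space are chunks of the file system that is" mixes singular and plural; "even if an there are two images" has a stray "an"; and the sentence ending in "ImageName-Unalloc-ImageObjectID-VolumeID.dat" needs a period.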
/*! \page e01_verifier_page E01 Verifier Module
What Does It Do
========
The E01 Verifier module computes a checksum on E01 files and compares with the E01 file's internal checksum to ensure they match.
This can detect if the E01 module is corrupted.
Configuration
=======
There is no configuration required.
Using the Module
======
Select the checkbox in the Ingest Modules list to use this module.
Ingest Settings
------
There are no runtime ingest settings required.
Seeing Results
------
You only see results from this module if the E01 is corrupted. A failure to load is shown below.
\image html e01-verifier.png
*/
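Review bot: "This can detect if the E01 module is corrupted." should say "E01 file"; it is the evidence file whose integrity is being checked, not the module.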
/*! \page email_parser_page Email Parser Module
What Does It Do
========
The Email Parser module identifies Thunderbird MBOX files and PST format files based on file signatures, extracting the e-mails from them, adding the results to the Blackboard. This module skips known files and creates a Blackboard artifact for each message. It adds email attachments as derived files.
This allows the user to identify email-based communications from the system being analyzed.
Configuration
=======
There is no configuration required.
Using the Module
======
Explore the "Results", "E-Mail Messages" portion of the tree to review the results of this module.
Ingest Settings
------
There are no runtime ingest settings required.
Seeing Results
------
The results of this show up in the "Results", "E-Mail Messages" portion of the tree.
\image html email_results.PNG
*/
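Review bot: the "Using the Module" section repeats the "Seeing Results" text instead of saying how to turn the module on; the other module pages in this commit use "Select the checkbox in the Ingest Modules settings screen to enable ...", and this page should do the same so the two sections are not duplicates. Also "based on file signatures, extracting the e-mails from them, adding the results" is a run-on; "extracts the e-mails from them and adds the results" reads better.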
/*! \page extension_mismatch_detector_page Extension Mismatch Detector Module
What Does It Do
========
Extension Mismatch Detector module uses the results from the File Type Identification and flags files that have an extension not traditionally associated with the file's detected type. Ignores 'known' (NSRL) files. You can customize the MIME types and file extensions per MIME type in Tools, Options, File Extension Mismatch.
This detects files that someone may be trying to hide.
Configuration
=======
One can add and remove MIME types in the "Tools", "Options", "File Extension Mismatch" dialog box, as well as add and remove extensions to particular MIME types.
<br>
\image html extension-mismatch-detected-configuration.PNG
<br>
Using the Module
======
Note that you can get a lot of false positives with this module. You can add your own rules to Autopsy to reduce unwanted hits.
Ingest Settings
------
In the ingest settings, the user can choose if the module should skip files without extensions and skip text files. Both of these options are enabled by default.
\image html extension-mismatch-detected-ingest-settings.PNG
Seeing Results
------
Results are shown ini the Results tree under "Extension Mismatch Detected".
\image html extension-mismatch-detected.PNG
*/
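Review bot: "ini the Results tree" in Seeing Results should be "in the Results tree". In the first paragraph, "Ignores 'known' (NSRL) files." is a fragment; write "It ignores 'known' (NSRL) files." or attach it to the previous sentence. The Using the Module section only warns about false positives and does not say how to enable the module; add the checkbox sentence the other pages use.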
/*! \page file_search File Search /*! \page file_search_page File Search
\section about_file_search About File Search \section about_file_search About File Search
File Search tool can be accessed either from the Tools menu or by right-clicking on image node in the Data Explorer / Directory Tree. By using File Search, you can specify, filter, and show the directories and files that you want to see from the images in the current opened case. The File Search results will be populated in a brand new Table Result viewer on the right-hand side. The File Search tool can be accessed either from the Tools menu or by right-clicking on a data source node in the Data Explorer / Directory Tree. By using File Search, you can specify, filter, and show the directories and files that you want to see from the images in the current opened case. The File Search results will be populated in a brand new Table Result viewer on the right-hand side.
Currently, Autopsy only supports 4 categories in File Search: Name, Size, Date, and Known Status based search. Currently, Autopsy only supports 4 categories in File Search: Name, Size, Date, and Known Status based search.
<b>Note: Currently File Search doesn't support regular expression, however the Keyword Search feature of Autopsy does also look in file names and it does support regular expressions, which can complimentary to the File Search.</b>
<b>How to Open File Search:</b>\n Note: Currently File Search doesn't support regular expressions. The Keyword Search feature of Autopsy does support regular expressions and can be used for to search for files and/or directories by name.
To see how to open File Search, click \ref how_to_open_file_search "here".\n
<b>Note: The File Search Window is opened and closed automatically. If there's a case opened and there is at least one image inside that case, File Search Window can't be closed.</b>
<b>How to Use File Search:</b> \n
To see how to use File Search, click \ref how_to_use_file_search "here".
<b>Example</b>
Here's an example of a File Search window:
\image html file-search-top-component.PNG
\section how_to_open_file_search How To Open File Search \section how_to_open_file_search How To Open File Search
How to Open File Search How to Open File Search
To open the File Search, you can do one of the following thing: To open the File Search, you can do one of the following thing:
Right click an image and choose "Open File Search by Attributes". Right click a data source and choose "Open File Search by Attributes".
\image html open-file-search-component-1.PNG \image html open-file-search-component-1.PNG
Select the "Tools" > "File Search by Attributes". Select the "Tools", "File Search by Attributes".
\image html open-file-search-component-2.PNG \image html open-file-search-component-2.PNG
<b>Note: The File Search Window is opened and closed automatically. If there's a case opened and there is at least one image inside that case, File Search Window can't be closed.</b>
\section how_to_use_file_search How To Use File Search \section how_to_use_file_search How To Use File Search
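Review bot: the new Note line has a doubled preposition, "can be used for to search for files"; it should read "can be used to search for files". The page id changes from file_search to file_search_page, so every "\ref file_search" in the other pages must be updated in the same commit or Doxygen will warn and the link will be dead (the hash_db page's reference to the how_to_open_file_search section is unaffected because the section id is unchanged). Also "one of the following thing" should be "things", and the bold Note about the window being opened and closed automatically has moved below the second screenshot; it was more visible at the top of the section.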
......
/*! \page file_type_identification_page File Type Identification Module
What Does It Do
========
The File Type ID module identifies files based on their internal signatures and does not rely on file extensions. Autopsy uses the <a href="http://tika.apache.org/">Tika</a> library to do its primary file ID detection and that can be customized with user-defined rules.
You should enable this module because many other modules depend on its results to determine if they should analyze a file. Some examples include:
- \subpage extension_mismatch_detector_page
- \subpage keyword_search_page
Configuration
=======
You do not need to configure anything with this module unless you want to define your own types. To define your own types, go to "Tools", "Options", "File Type Id" panel.
From there, you can define rules based on the offset of the signature and if the signature is a byte sequence of an ASCII string.
\image html filetype.png
Using the Module
======
Ingest Settings
------
There are no run-time settings for this module when you run it on
a data source. All user-defined and Tika rules are always applied.
Seeing Results
------
This module does not have obvious impacts in the user interface, though it is used by many othe modules.
To see the file type of an individual file, view the "Results" tab in the lower right when you navigate to the file. You should see a page in there that mentions the file type.
The Views area of the tree does not take the results of this module into account. That part of the tree relies on extension. We will be upating it in the future to rely on extension when there is no output from this module for the file.
*/
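Review bot: "Using the Module" has no body before the "Ingest Settings" subsection; either add the enable-checkbox sentence used on the other pages or drop the empty header. Typos: "othe modules" should be "other modules" and "upating" should be "updating". In the Configuration paragraph, "if the signature is a byte sequence of an ASCII string" reads as if one form contained the other; "a byte sequence or an ASCII string" matches the choice the rule actually offers.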
<hr/> <hr/>
<p><i>Copyright &#169; 2012-2015 Basis Technology <br/> <p><i>Copyright &#169; 2012-2015 Basis Technology. Generated on $date<br/>
This work is licensed under a This work is licensed under a
<a rel="license" href="http://creativecommons.org/licenses/by-sa/3.0/us/">Creative Commons Attribution-Share Alike 3.0 United States License</a>. <a rel="license" href="http://creativecommons.org/licenses/by-sa/3.0/us/">Creative Commons Attribution-Share Alike 3.0 United States License</a>.
</i></p> </i></p>
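Review bot: "$date" is only expanded when this file is used as the Doxyfile's HTML_FOOTER (it is one of the placeholders Doxygen substitutes in a custom footer); if the footer is included any other way the literal "$date" will appear on every page, so confirm the Doxyfile wiring alongside this change.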
......
/*! \page hash_db_page Hash Database Lookup Module /*! \page hash_db_page Hash Database Lookup Module
Autopsy has an ingest module that calculates hash values and looks up the hash values in a database to determine if the file is known bad, known (in general), or unknown. This page outlines that module and its configuration. What Does It Do
========
The Hash Database Lookup Module calculates MD5 hash values for files and looks up hash values in a database to determine if the file is known bad, known (in general), or unknown.
\section hash_db_config Configuring the module
Configuration
=======
The Hash Database Management window is where you can set and update your hash database information. Hash databases are used to identify files that are 'known'. The Hash Database Management window is where you can set and update your hash database information. Hash databases are used to identify files that are 'known'.
\li Known good files are those that can be safely ignored. This set of files frequently includes standard OS and application files. Ignoring such uninteresting to the investigator files, can greatly reduce image analysis time. \li Known good files are those that can be safely ignored. This set of files frequently includes standard OS and application files. Ignoring such uninteresting to the investigator files, can greatly reduce image analysis time.
\li Known bad (also called notable) files are those that should raise awareness. This set will vary depending on the type of investigation, but common examples include contraband images and malware. \li Known bad (also called notable) files are those that should raise awareness. This set will vary depending on the type of investigation, but common examples include contraband images and malware.
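Review bot: the "\section hash_db_config Configuring the module" line is replaced by a plain underlined "Configuration" header, which removes the hash_db_config anchor; check for "\ref hash_db_config" elsewhere before merging. The new summary also commits to MD5 specifically, where the old text said only "hash values"; confirm that is accurate for every hash set format listed under this section.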
...@@ -17,17 +19,39 @@ Autopsy allows for multiple known bad hash databases to be set. Autopsy supports ...@@ -17,17 +19,39 @@ Autopsy allows for multiple known bad hash databases to be set. Autopsy supports
\li NSRL: The format of the NSRL database. \li NSRL: The format of the NSRL database.
\li HashKeeper: Hashset file conforming to the HashKeeper standard. \li HashKeeper: Hashset file conforming to the HashKeeper standard.
<b>NIST_NSRL:</b>
Autopsy can use the <A HREF="http://www.nsrl.nist.gov">NIST NSRL</A> to detect 'known files'. Note that the NSRL contains hashes of 'known files' that may be good or bad depending on your perspective and investigation type. For example, the existence of a piece of financial software may be interesting to your investigation and that software could be in the NSRL. Therefore, Autopsy treats files that are found in the NSRL as simply 'known' and does not specify good or bad. Ingest modules have the option of ignoring files that were found in the NSRL.
To use the NSRL, you must concatenate all of the NSRLFile.txt files together. You can use 'cat' on a Unix system or from within Cygwin to do this.
\section adding_hashsets Adding Hashsets \section adding_hashsets Adding Hashsets
Autopsy needs an index of the hashset to actualy use a hash database. It can create the index if you import only the hashset. When you select the database from within this window, it will tell you if the index needs to be created. Autopsy uses the hash database management system from The Sleuth Kit. You can manually create an index using the 'hfind' command line tool or you can use Autopsy. If you attempt proceed without indexing a database, Autopsy will offer to automatically produce an index for you. Autopsy needs an index of the hashset to actualy use a hash database. It can create the index if you import only the hashset. When you select the database from within this window, it will tell you if the index needs to be created. Autopsy uses the hash database management system from The Sleuth Kit. You can manually create an index using the 'hfind' command line tool or you can use Autopsy. If you attempt proceed without indexing a database, Autopsy will offer to automatically produce an index for you.
You can also specify only the index file and not use the full hashset - the index file is sufficient to identify known files. This can save space. To do this, specify the .idx file from the Hash Database Management window. You can also specify only the index file and not use the full hashset - the index file is sufficient to identify known files. This can save space. To do this, specify the .idx file from the Hash Database Management window.
\section using_hashsets Using Hashsets \section using_hashsets Using Hashsets
There is an \ref ingest "ingest module" that will hash the files and look them up in the hashsets. It will flag files that were in the notable hashset and those results will be shown in the Results tree of the \ref directory_tree "Data Explorer". There is an \ref ingest_page "ingest module" that will hash the files and look them up in the hashsets. It will flag files that were in the notable hashset and those results will be shown in the Results tree of the \ref tree_viewer_page.
Other ingest modules are able to use the known status of a file to decide if they should ignore the file or process it. Other ingest modules are able to use the known status of a file to decide if they should ignore the file or process it.
You can also see the results in the \ref how_to_open_file_search "File Search" window. There is an option to choose the 'known status'. From here, you can do a search to see all 'known bad' files. From here, you can also choose to ignore all 'known' files that were found in the NSRL. You can also see the status of the file in a column when the file is listed. You can also see the results in the \ref how_to_open_file_search "File Search" window. There is an option to choose the 'known status'. From here, you can do a search to see all 'known bad' files. From here, you can also choose to ignore all 'known' files that were found in the NSRL. You can also see the status of the file in a column when the file is listed.
\image html hash-database-configuration.PNG \image html hash-database-configuration.PNG
<b>NIST NSRL:</b>
Autopsy can use the <A HREF="http://www.nsrl.nist.gov">NIST NSRL</A> to detect 'known files'. Note that the NSRL contains hashes of 'known files' that may be good or bad depending on your perspective and investigation type. For example, the existence of a piece of financial software may be interesting to your investigation and that software could be in the NSRL. Therefore, Autopsy treats files that are found in the NSRL as simply 'known' and does not specify good or bad. Ingest modules have the option of ignoring files that were found in the NSRL.
To use the NSRL, you must concatenate all of the NSRLFile.txt files together. You can use 'cat' on a Unix system or from within Cygwin to do this.
Using the Module
======
Ingest Settings
------
When hashsets are configured, the user can select the hashsets to use during the ingest process.
\image html hash-lookup.png
Seeing Results
------
Results show up in the tree as "Hashset Hits", grouped by the name of the hash set.
\image html hashset-hits.png
*/ */
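Review bot: the NSRL instructions ("To use the NSRL, you must concatenate all of the NSRLFile.txt files together") stop at the concatenation and never say what to do with the combined file. The surrounding text (files found in the NSRL are treated as 'known'; the hash-database-configuration.PNG screenshot) implies it is then added as a hashset in that configuration dialog, so close the paragraph with a sentence along the lines of "Then add the combined file as a known hashset in the hash database configuration." Two smaller points in the same hunk: the image references mix extension casing (`hash-database-configuration.PNG` against `hash-lookup.png` and `hashset-hits.png`), and doxygen only resolves them on a case-sensitive filesystem if the on-disk names match exactly, so settle on one spelling; and 'Results show up in the tree as "Hashset Hits", grouped by the name of the hash set' uses both "hashset" and "hash set" in one sentence.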
/*! \page image_viewer Image and Video Viewer /*! \page image_viewer_page Image and Video Viewer
Overview Overview
======== ========
This document outlines the use of the new Image Analyzer feature of Autopsy. This feature was funded by DHS S&T to help provide free and open source digital forensics tools to law enforcement. This document outlines the use of the new Image Analyzer feature of Autopsy. This feature was funded by DHS S&T to help provide free and open source digital forensics tools to law enforcement.
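Review bot: renaming the page anchor from `image_viewer` to `image_viewer_page` breaks any `\ref image_viewer` that other pages still carry (doxygen reports an unresolved reference and drops the link), so the rename needs a matching sweep of every `\ref` site, as the hash lookup hunk above does for `ingest` and `directory_tree`. Also, "the new Image Analyzer feature" will read as stale in a versioned manual; drop "new" or name the release the feature appeared in.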
...@@ -8,12 +8,11 @@ The new image analyzer feature has been designed specifically with child-exploit ...@@ -8,12 +8,11 @@ The new image analyzer feature has been designed specifically with child-exploit
- Allows examiner to start viewing images immediately upon adding them to the case. As images are hashed, they are updated in the interface. You do not need to wait until the entire image is ingested. - Allows examiner to start viewing images immediately upon adding them to the case. As images are hashed, they are updated in the interface. You do not need to wait until the entire image is ingested.
This document assumes basic familiarity with Autopsy. This document assumes basic familiarity with Autopsy.
Quick Start Quick Start
=========== ===========
1. The Image Analysis tool can be configured to collect data about images/videos as ingest runs or all at once after ingest. To change this setting go to Tools->Options->Image /Video Analyzer. This setting is saved per case, but can not be changed during ingest. 1. The Image Analysis tool can be configured to collect data about images/videos as ingest runs or all at once after ingest. To change this setting go to "Tools", "Options", "Image /Video Analyzer". This setting is saved per case, but can not be changed during ingest.
2. Create a case as normal and add a disk image (or folder of files) as a data source. Ensure that you have the hash lookup module enabled with NSRL and known bad hashsets, the EXIF module enabled, and the File Type module enabled. 2. Create a case as normal and add a disk image (or folder of files) as a data source. Ensure that you have the hash lookup module enabled with NSRL and known bad hashsets, the EXIF module enabled, and the File Type module enabled.
3. Click Tools->Analyze Images/Videos in the menu. This will open the Autopsy Image/Video Analysis tool in a new window. 3. Click "Tools", "Analyze Images/Videos" in the menu. This will open the Autopsy Image/Video Analysis tool in a new window.
4. Groups of images will be presented as they are analyzed by the background ingest modules. You can later resort and regroup, but it is required to keep it grouped by folder while ingest is still ongoing. 4. Groups of images will be presented as they are analyzed by the background ingest modules. You can later resort and regroup, but it is required to keep it grouped by folder while ingest is still ongoing.
5. As each group is reviewed, the next highest priority group is presented, according to a sorting criteria (the default is the density of hash set hits). 5. As each group is reviewed, the next highest priority group is presented, according to a sorting criteria (the default is the density of hash set hits).
6. Images that were hits from hashsets, will have a dashed border around them. 6. Images that were hits from hashsets, will have a dashed border around them.
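Review bot: the menu path in step 1 keeps the stray space in "Image /Video Analyzer" through the rewrite, while step 3 ("Analyze Images/Videos", "Image/Video Analysis tool") has no space, so this looks like a typo rather than the real menu label and should be corrected or checked against the menu. Three grammar fixes in the same hunk: "can not be changed during ingest" should be "cannot", "according to a sorting criteria" should be "criterion", and the comma in "Images that were hits from hashsets, will have a dashed border" splits subject from verb and should go.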
docs/doxygen-user/images/EXIF-tree.PNG

47.8 KiB

File mode changed from 100644 to 100755
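Review bot: docs/doxygen-user/images/EXIF-tree.PNG changes mode from 100644 to 100755, which marks a PNG as executable; nothing in this commit needs that, and it usually comes from copying files across a filesystem that does not track permission bits, so the mode should be restored to 100644 before merging (the sibling android_analyzer_output.PNG in the same commit shows no such change).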
docs/doxygen-user/images/android_analyzer_output.PNG

36.3 KiB
