From 674e97cd9a2c14ded4c25f22c27d56aa3867b1e3 Mon Sep 17 00:00:00 2001 From: Brian Carrier <carrier@sleuthkit.org> Date: Sat, 14 Mar 2015 23:49:54 -0400 Subject: [PATCH] Updated docs - added interesting files --- docs/doxygen-user/interesting.dox | 67 +++++++++++++++++++++++++++++++ docs/doxygen-user/main.dox | 1 + docs/doxygen/main.dox | 1 + 3 files changed, 69 insertions(+) create mode 100644 docs/doxygen-user/interesting.dox diff --git a/docs/doxygen-user/interesting.dox b/docs/doxygen-user/interesting.dox new file mode 100644 index 0000000000..63beedcc5d --- /dev/null +++ b/docs/doxygen-user/interesting.dox @@ -0,0 +1,67 @@ +/*! \page interesting_page Interesting Files Module +Overview +======== + +The Interesting Files module allows you to search for files or directories in a data source and generate alerts when they are found. You configure rules for the files that you want to find. + +You would use this to be notified when certain things are found. There are examples later in this file to generate alerts when VMWare images are found or when iPhone backup files are found. This module is useful for file types that will frequently have a consistent name and that may not be part of the stanadrd checklist that you look for (or if you simply want to automated your checklist). + + + +Rules +======= + +Add rules using Tools -> Options -> Interesting Files. + +All rules need to be part of a set. Sets need to have the following defined: + +- Set Name (required) +- Set Description (optional) + +Rules specify what to look for in a data source. Each rule specifies: +- Type: If the rule should be applied to only files, only directories, or both files and directories. +- Name Pattern: String to match the file name against. +- Name Pattern Type: Should the pattern be matched against the full file type or just the extension. +- Path Pattern: A substring of the parent path that must be matched. This allows you to restrict generic names to a specific structure (such as an appliation name). A substring match is performed. +- Rule Name: Additional details that are displayed in the UI when that rule is matched. Allows you to determine which rule in the set matched. + + +Example +======= +From slides: + +VMWare +-------- +This set of rules is to detect VMWare Player or vmdk files. This would help to make sure you look into the virtual machines for additional evidence. + +NOTE: This is not extensive and is simply a minimal example: + + +- Set Name: VMWare +- Rule 1: + - Type: Files + - Full Name: vmplayer.exe + - Name: Program EXE +- Rule 2: + - Type: Files + - Extension: vmdk + - Name: VMDK File + +iPhone Backups +------------- +This set of rules is to detect a folder for iPhone Backups. These are typically in a folder such as "%AppData%\Roaming\Apple Computer\MobileSync\Backup" on Windows. Here is a rule that you could use for that. + +- Set Name: iPhone Backups +- Rule 1: + - Type: Directory + - Name: Backup + - Path: Apple Computer/MobileSync + +Using the Module +====== + +When you enable the Interesting Files module, you can choose what rule sets to enable. To add rules, use the "Advanced" button from the ingest module panel. + +When files are found, they will be in the Interesting Files area of the tree. You shoudl see the set and rule names with the match. + +*/ diff --git a/docs/doxygen-user/main.dox b/docs/doxygen-user/main.dox index 29eccc6f29..87e00744af 100644 --- a/docs/doxygen-user/main.dox +++ b/docs/doxygen-user/main.dox @@ -23,6 +23,7 @@ The following topics are available here: - \subpage hash_db_page - \subpage keyword_search - \subpage android_page + - \subpage interesting_page - Manual Analysis - \subpage directory_tree "Directory Tree" - \subpage file_search "File Search" diff --git a/docs/doxygen/main.dox b/docs/doxygen/main.dox index 7e567d0bb4..154ad8583c 100644 --- a/docs/doxygen/main.dox +++ b/docs/doxygen/main.dox @@ -24,6 +24,7 @@ These pages are more detailed if you want to modify Autopsy code instead of writ - \subpage workflow_page - \subpage regression_test_page - \subpage native_page +- \subpage mod_debugTsk_page <!-- Note that Case still has lots of content in package.dox --> */ -- GitLab