You can add files or folders that are on your local computer (or on a shared drive) without putting them into a disk image. This is useful if you have only a collection of files that you want to analyze.
You can add files or folders that are on your local computer (or on a shared drive) without putting them into a disk image. This is useful if you have only a collection of files that you want to analyze.
Some things to note when doing this:
Some things to note when doing this:
- Autopsy ignores the time stamps on files that it adds this way because they could be the timestamps when they were copied onto your examination device.
- Autopsy by default ignores the time stamps on files that it adds this way because they could be the timestamps when they were copied onto your examination device.
- You do have the option to have time stamps added on files by checking the timestamps you want, these time stamps are taken from the examination device. Directories will not have time stamps.
- If you have a USB-attached device that you are analyzing and you choose to add the device's contents using this method, then note that it will not look at unallocated space or deleted files. Autopsy will only be able to see the allocated files. You should add the device as a "Logical Drive" to analyze the unallocated space.
- If you have a USB-attached device that you are analyzing and you choose to add the device's contents using this method, then note that it will not look at unallocated space or deleted files. Autopsy will only be able to see the allocated files. You should add the device as a "Logical Drive" to analyze the unallocated space.
- You can modify the name of the Logical File Set from the default LogicalFileSet# by clicking the "Change" button as shown in the screenshot below:
- You can modify the name of the Logical File Set from the default LogicalFileSet# by clicking the "Change" button as shown in the screenshot below:
...
@@ -114,6 +115,8 @@ To add logical files:
...
@@ -114,6 +115,8 @@ To add logical files:
-# Leave the top combo box on "Local files and folders"
-# Leave the top combo box on "Local files and folders"
-# Press the "Add" button and navigate to a folder or file to add. Choosing a folder will cause all of its contents (including sub-folders) to be added.
-# Press the "Add" button and navigate to a folder or file to add. Choosing a folder will cause all of its contents (including sub-folders) to be added.
-# Continue to press "Add" until all files and folders have been selected.
-# Continue to press "Add" until all files and folders have been selected.
-# If you want any of the files to be added with time stamps from the file system then check the box associated with the timestamp you would like associaed with the file.
-# If a file or directory was mistakenly add then highlight it and press the "Delete" button to remove the item from the list of files/folders
All of the files that you added in the panel will be grouped together into a single data source, called "LogicalFileSet" in the main UI.
All of the files that you added in the panel will be grouped together into a single data source, called "LogicalFileSet" in the main UI.
