mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-06 21:00:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1631 from sleuthkit/multi_user_docs

Browse Source 
made collaborative vs multi-user consistent, moved multi-user to end …
This commit is contained in:
Brian Carrier 2015-10-20 11:16:55 -04:00
commit 1bc044a500
9 changed files with 227 additions and 190 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docs/doxygen-user/case_management.dox
View File

@ -16,6 +16,8 @@ The New Case wizard dialog will open and you will need to enter the case name an
\image html case-newcase.png \image html case-newcase.png
NOTE: You will only have the option of making a multi-user case if you have configured Autopsy with multi-user settings. See \ref install_multiuser_page for installation instructions and \ref creating_multi_user_cases for details on creating multi-user cases.
You will also be prompted for optional information, such as investigator name and case number. You will also be prompted for optional information, such as investigator name and case number.
After you create the case, you will be prompted to add a data source, as described in \ref ds_add. After you create the case, you will be prompted to add a data source, as described in \ref ds_add.

2
docs/doxygen-user/data_sources.dox
View File

@ -25,6 +25,8 @@ Regardless of the type of data source, there are some common steps in the proces
\image html select-data-source-type.PNG \image html select-data-source-type.PNG
NOTE: If you are adding a data source to a multi-user case, ensure that all Autopsy clients will have access to the data source at the same path. We recommend using UNC paths to ensure this consistent mapping.
2) Autopsy will perform a basic examination of the data source and populate an embedded database with an entry for each file in the data source. No content is analyzed in the process, only the files are enumerated. 2) Autopsy will perform a basic examination of the data source and populate an embedded database with an entry for each file in the data source. No content is analyzed in the process, only the files are enumerated.
3) While it is examining the data source, you will be prompted with a list of ingest modules to enable. 3) While it is examining the data source, you will be prompted with a list of ingest modules to enable.

173
docs/doxygen-user/installActiveMQ.dox
View File

@ -1,61 +1,81 @@
/*! \page install_activemq Install and Configure ActiveMQ /*! \page install_activemq Install and Configure ActiveMQ
To install ActiveMQ, perform the following steps: To install ActiveMQ, perform the following steps:
1. You need a 32-bit or 64-bit version of the Java Runtime Environment (JRE) installed, depending upon the version of Autopsy you have installed. You can test this by running _where java_ from the command line. If you see output like the yellow results below, you have a JRE.
\section install_activemq_prereq Prerequisites
You will need:
- 64-bit version of the Java Runtime Environment (JRE) from http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html.
- Download ActiveMQ-5.11.1 from: http://activemq.apache.org/activemq-5111-release.html
\section install_activemq_install Installation
\subsection install_activemq_install_java JRE Installation
Install the Java JRE if needed. You can test this by running _where java_ from the command line. If you see output like the yellow results below, you have a JRE.
<br><br> <br><br>
\image html wherejava.PNG \image html wherejava.PNG
<br><br> <br><br>
You can test if you have a 32-bit or 64-bit JRE installed via the following: If you need the JRE, install it with the default settings.
- _java -d32 -version_ &nbsp;&nbsp;&nbsp; for a 32-bit JRE
- _java -d64 -version_ &nbsp;&nbsp;&nbsp; for a 64-bit JRE
<br><br> \subsection install_activemq_install_mq ActiveMQ Installation
The screenshot below shows that there is a no 32-bit JRE on this machine, and there is a 64-bit JRE.
<br><br> 1. Extract the contents of the ActiveMQ archive folder to a location of your choice, bearing in mind that the files should be in a location that the running process will have write permissions to the folder. A typical folder choice is <i>C:\\Program Files\\apache-activemq-5.11.1</i>. Typically, it will ask for administrator permission to move the folder. Allow it if required.
\image html JRE_bitness.PNG
<br><br> 2. Edit the <i>conf\\activemq.xml</i> in the extracted folder to add <i>"&amp;wireFormat.maxInactivityDuration=0"</i> to the URI for the _transportConnector_ named _openwire_. Add the text highlighted in yellow below:
If you do not have a JRE installed, proceed to step 2. If you have a JRE installed, proceed to step 3.
<br><br>
2. Install the appropriate 32 or 64-bit version of the JRE, depending upon the version of Autopsy you have installed. Download one from: http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html. If you installed 32-bit Autopsy, be sure to select a package that has "x86" in the name. If you installed 64-bit Autopsy, be sure to select a package that has "x64" in the name. Follow the installation prompts to install the JRE.
3. Download ActiveMQ-5.11.1 from: http://activemq.apache.org/activemq-5111-release.html
4. Extract the files in the archive
5. Edit <i>apache-activemq-5.11.1\\conf\\activemq.xml</i> to add <i>"&amp;wireFormat.maxInactivityDuration=0"</i> to the URI for the _transportConnector_ named _openwire_. Add the text highlighted in yellow below:
<br><br> <br><br>
\image html maxinactivityduration.PNG \image html maxinactivityduration.PNG
<br><br> <br><br>
6. Move the <i>apache-activemq-5.11.1</i> folder to a location of your choice, bearing in mind that the files should be in a location that the running process will have write permissions to the folder. A typical folder choice is <i>C:\\Program Files\\apache-activemq-5.11.1</i>. Typically, it will ask for administrator permission to move the folder. Allow it if required.
7. Install ActiveMQ as a service by navigating to the folder <i>apache-activemq-5.11.1-bin\\apache-activemq-5.11.1\\bin\\win64</i>, right-clicking _InstallService.bat_, clicking _Run as administrator_, then click _Yes_.
8. If you desire authentication for your ActiveMQ server (a good idea), the following directions allow you to set up credentials: 3. Install ActiveMQ as a service by navigating to the folder <i>bin\\win64</i>, right-clicking _InstallService.bat_, clicking _Run as administrator_, then click _Yes_.
+ Copy and paste the following text to the file <i>"C:\Program Files\apache-activemq-5.11.1-bin\apache-activemq-5.11.1\conf\groups.properties"</i>, overwriting the text highlighted in yellow in the screenshot below:
4. Start the ActiveMQ service by pressing _Start_, type _services.msc_, and press _Enter_. Find _ActiveMQ_ in the list and press the _Start the service_ link.
admins=system,sslclient,client,broker1,broker2
tempDestinationAdmins=system,user,sslclient,client,broker1,broker2 5. ActiveMQ should now be installed and configured using the default credentials. You should go to the next section to change the default passwords. To test your installation, you can access the admin pages in your web browser via a URL like this (set your host): http://localhost:8161/admin. The default administrator username is _admin_ with a password of _admin_ and the default regular username is _user_ with a default password of _password_. You can change these passwords by following the instructions below. If you can see a page that looks like the following, it is ready to function.
users=system,user,sslclient,client,broker1,broker2 <br><br>
guests=guest \image html activemq.PNG
<br><br>
<br><br>
\image html groups.properties.before.PNG If you do not see a screen like the above screenshot and you have double checked that the ActiveMQ service is running, contact your network administrator. For the ActiveMQ service to be accessible by network clients you may need to configure your Windows firewall (and any other 3rd party firewall in use) to allow communication.
<br><br>
When complete, the file should look like this:
<br><br> \subsection install_activemq_install_pw Configuring Authentication
\image html groups.properties.after.PNG
<br><br> You can optionally add authentication to your ActiveMQ server. The ActiveMQ communications are not encrypted and contain basic messages between the systems about when new data has been found.
+ Copy and paste the following text to the file <i>"C:\Program Files\apache-activemq-5.11.1-bin\apache-activemq-5.11.1\conf\users.properties"</i>, overwriting the text highlighted in yellow in the screenshot below: The following directions allow you to set up credentials:
system=manager 1. Copy and paste the following text to the file <i>"conf\groups.properties"</i>, overwriting the text highlighted in yellow in the screenshot below:
user=password <BLOCKQUOTE>
guest=password admins=system,sslclient,client,broker1,broker2<br />
sslclient=CN=localhost, OU=activemq.org, O=activemq.org, L=LA, ST=CA, C=US tempDestinationAdmins=system,user,sslclient,client,broker1,broker2<br />
users=system,user,sslclient,client,broker1,broker2<br />
<br><br> guests=guest<br />
\image html users.properties.before.PNG </BLOCKQUOTE>
<br><br> <br><br>
When complete, the file should look like this: \image html groups.properties.before.PNG
<br><br> <br><br>
\image html users.properties.after.PNG When complete, the file should look like this:
<br><br> <br><br>
\image html groups.properties.after.PNG
+ Copy and paste the following text to the file <i>"C:\Program Files\apache-activemq-5.11.1-bin\apache-activemq-5.11.1\conf\activemq.xml"</i>, inserting the text at the line shown in yellow in the screenshot below. <br><br>
2. Copy and paste the following text to the file <i>"conf\users.properties"</i>, overwriting the text highlighted in yellow in the screenshot below:
<BLOCKQUOTE>
system=manager<br />
user=password<br />
guest=password<br />
sslclient=CN=localhost, OU=activemq.org, O=activemq.org, L=LA, ST=CA, C=US<br />
</BLOCKQUOTE>
<br><br>
\image html users.properties.before.PNG
<br><br>
When complete, the file should look like this:
<br><br>
\image html users.properties.after.PNG
<br><br>
3. Copy and paste the following text to the file <i>"conf\activemq.xml"</i>, inserting the text at the line shown in yellow in the screenshot below.
<plugins> <plugins>
<jaasAuthenticationPlugin configuration="activemq-domain" /> <jaasAuthenticationPlugin configuration="activemq-domain" />
<simpleAuthenticationPlugin> <simpleAuthenticationPlugin>
@ -67,41 +87,28 @@ If you do not have a JRE installed, proceed to step 2. If you have a JRE install
</simpleAuthenticationPlugin> </simpleAuthenticationPlugin>
</plugins> </plugins>
<br><br>
\image html insertTextHere.PNG
<br><br>
After insertion, the file should look like the screenshot below, with the inserted portion highlighted in yellow. This is where you can change the username and password for your ActiveMQ setup.
<br><br>
\image html insertedText.PNG
<br><br>
To add a new user or change the password:
+ Stop the ActiveMQ service by pressing _Start_, type _services.msc_, and press _Enter_. Find _ActiveMQ_ in the list and press the _Stop the service_ link.
<br>
<br>
\image html StopActiveMQService.PNG
<br>
<br>
+ Edit <i>"C:\Program Files\apache-activemq-5.11.1-bin\apache-activemq-5.11.1\conf\activemq.xml"</i> adding the desired line. Both _username_ and _password_ are case sensitive. You will very likely want to keep your new users in the _users_ group.
<br>
<br>
\image html newUserAndPassword.PNG
<br>
<br>
+ Start the ActiveMQ service by pressing _Start_, type _services.msc_, and press _Enter_. Find _ActiveMQ_ in the list and press the _Start the service_ link.
<br>
<br>
\image html StartActiveMQService.PNG
<br>
<br>
9. If not already started, start the ActiveMQ service by pressing _Start_, type _services.msc_, and press _Enter_. Find _ActiveMQ_ in the list and press the _Start the service_ link.
10. ActiveMQ should now be fully installed and configured. You can access the admin pages in your web browser via a URL like this (set your host): http://localhost:8161/admin. The default administrator username is _admin_ with a password of _admin_ and the default regular username is _user_ with a default password of _password_. You can change these passwords by editing the file <i>"C:\Program Files\apache-activemq-5.11.1-bin\apache-activemq-5.11.1\conf\activemq.xml"</i> on the ActiveMQ server as discussed above. If you can see a page that looks like the following, it is ready to function.
<br><br> <br><br>
\image html activemq.PNG \image html insertTextHere.PNG
<br>
<br>
If you do not see a screen like the above screenshot and you have double checked that the ActiveMQ service is running, contact your network administrator. For the ActiveMQ service to be accessible by network clients you may need to configure your Windows firewall (and any other 3rd party firewall in use) to allow communication.
<br><br> <br><br>
After insertion, the file should look like the screenshot below, with the inserted portion highlighted in yellow. This is where you can change the username and password for your ActiveMQ setup.
<br><br>
\image html insertedText.PNG
<br><br>
To add a new user or change the password:
1. Stop the ActiveMQ service by pressing _Start_, type _services.msc_, and press _Enter_. Find _ActiveMQ_ in the list and press the _Stop the service_ link.
<br><br>
\image html StopActiveMQService.PNG
<br><br>
2. Edit <i>"conf\activemq.xml"</i> adding the desired line. Both _username_ and _password_ are case sensitive. You will very likely want to keep your new users in the _users_ group.
<br><br>
\image html newUserAndPassword.PNG
<br><br>
3. Start the ActiveMQ service by pressing _Start_, type _services.msc_, and press _Enter_. Find _ActiveMQ_ in the list and press the _Start the service_ link.
<br><br>
\image html StartActiveMQService.PNG
<br><br>
*/ */

31
docs/doxygen-user/installMultiUser.dox Normal file
View File

@ -0,0 +1,31 @@
/*! \page install_multiuser_page Setting Up Multi-user Environment
\section multiuser_install Multi-user Installation
Autopsy can be setup to work in an environment where multiple users on different computers can have the same case open at the same time. To set up this type of environment, you will need to configure additional (free and open source) network-based services.
\subsection multiuser_install_services Network-based Services
You will need the following that all Autopsy clients can access:
- Centralized storage that all clients running Autopsy have access to. The central storage should be either mounted at the same Windows drive letter or UNC paths should be used everywhere. All clients need to be able to access data using the same path.
- A central PostgreSQL database. A database will be created for each case and will be stored on the local drive of the database server. Installation and configuration is explained in \ref install_postgresql.
- A central Solr text index. A Solr core will be created for each case and will be stored in the case folder (not on the local drive of the Solr server). We recommend using Bitnami Solr. This is explained in \ref install_solr.
- An ActiveMQ messaging server to allow the various clients to communicate with each other. This service has minimal storage requirements. This is explained in \ref install_activemq.
When you setup the above services, write down the addresses, user names, and passwords or each so that you can configure each of the client systems afterwards.
We recommend using at least 2 dedicated computers for this additional infrastructure. Spreading the services out across several machines can improve throughput.
If possible, place Solr on a machine by itself, as it is the largest RAM and CPU utilizer among the servers.
Ensure that the central storage and PostgreSQL servers are regularly backed up.
\subsection multiuser_install_clients Autopsy Clients
Once the infrastructure is in place, you will need to configure Autopsy to use them.
- Install Autopsy on each client system as normal using the steps from \ref installation_page.
- Start Autopsy and open the multi-user options panel from “Tools”, “Options”, “Multi-user”. As shown in the screenshot below, you can then enter all of the address and authentication information for the network-based services. Note that in order to create or open Multi-user cases, "Enable Multi-user cases" must be checked and the settings below must be correct.
\image html multiuser_settings.PNG
*/

68
docs/doxygen-user/installSolr.dox
View File

@ -1,32 +1,42 @@
/*! \page install_solr Install and Configure Solr /*! \page install_solr Install and Configure Solr
A central Solr server is needed to store keyword indexes. To install Solr, perform the following steps: A central Solr server is needed to store keyword indexes. To install Solr, perform the following steps:
1. You need a 32-bit or 64-bit version of the Java Runtime Environment (JRE) installed, depending upon the version of Autopsy you have installed. You can test this by running _where java_ from the command line. If you see output like the yellow results below, you have a JRE.
\section install_solr_prereq Prerequisites
You will need:
- 64-bit version of the Java Runtime Environment (JRE) from http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html.
- Download the Apache Solr 4.10.3-0 installation package from https://bitnami.com/stack/solr/installer.
- Access to an installed version of Autopsy so that you can copy files from it.
\section install_solr_install Installation
\subsection install_solr_install_java JRE Installation
Install the Java JRE if needed. You can test this by running _where java_ from the command line. If you see output like the yellow results below, you have a JRE.
<br><br> <br><br>
\image html wherejava.PNG \image html wherejava.PNG
<br><br> <br><br>
You can test if you have a 32-bit or 64-bit JRE installed via the following: If you need the JRE, install it with the default settings.
- _java -d32 -version_ &nbsp;&nbsp;&nbsp; for a 32-bit JRE
- _java -d64 -version_ &nbsp;&nbsp;&nbsp; for a 64-bit JRE
<br><br> \subsection install_solr_install_solr Solr Installation
The screenshot below shows that there is a no 32-bit JRE on this machine, and there is a 64-bit JRE.
<br><br> The following steps will configure Solr to run using an account that will have access to the network storage.
\image html JRE_bitness.PNG
<br><br> 1. Run the Bitnami installer, <i>bitnami-solr-4.10.3-0-windows-installer.exe</i>
If you do not have a JRE installed, proceed to step 2. If you have a JRE installed, proceed to step 3. 2. If Windows prompts with User Account Control, click _Yes_
<br><br> 3. Follow the prompts through to completion. You do not need to "Learn more about Bitnami cloud hosting" so you can clear the check box.
2. Install the appropriate 32 or 64-bit version of the JRE, depending upon the version of Autopsy you have installed. Download one from: http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html. If you installed 32-bit Autopsy, be sure to select a package that has "x86" in the name. If you installed 64-bit Autopsy, be sure to select a package that has "x64" in the name. Follow the installation prompts to install the JRE. 4. If you see an error dialog like the following, you may safely ignore it.
3. Download the Apache Solr 4.10.3-0 installation package from https://bitnami.com/stack/solr/installer. The following steps will configure Solr to run using an account that will have access to the network storage.
4. Run the Bitnami installer, <i>bitnami-solr-4.10.3-0-windows-installer.exe</i>
5. If Windows prompts with User Account Control, click _Yes_
6. Follow the prompts through to completion. You do not need to "Learn more about Bitnami cloud hosting" so you can clear the check box.
7. If you see an error dialog like the following, you may safely ignore it.
<br><br> <br><br>
\image html apachebadmessage.PNG \image html apachebadmessage.PNG
<br> <br>
8. When the installation completes, clear the "Launch Bitnami Apache Solr Stack Now?" checkbox and click _Finish_. 5. When the installation completes, clear the "Launch Bitnami Apache Solr Stack Now?" checkbox and click _Finish_.
9. Stop _solrApache_ and _solrJetty_ services by pressing _Start_, typing _services.msc_, pressing _Enter_, and locating the _solrApache_ and _solrJetty_ Windows services. Select the services one at a time, and press _Stop the service_ once for each of them. If the service is already stopped and there is no _Stop the service_ available, this is okay.
10. Edit the <i>C:\\Bitnami\\solr-4.10.3-0\\apache-solr\\scripts\\serviceinstall.bat</i> script. You need administrator permission to change this file. The easiest way around this is to save a copy on the Desktop, edit the Desktop version, and copy the new one back over the top of the old. Windows will ask for permission to overwrite the old file; allow it. You should make the following changes to this file: \subsection install_solr_config Solr Configuration
1. Stop _solrApache_ and _solrJetty_ services by pressing _Start_, typing _services.msc_, pressing _Enter_, and locating the _solrApache_ and _solrJetty_ Windows services. Select the services one at a time, and press _Stop the service_ once for each of them. If the service is already stopped and there is no _Stop the service_ available, this is okay.
2. Edit the <i>C:\\Bitnami\\solr-4.10.3-0\\apache-solr\\scripts\\serviceinstall.bat</i> script. You need administrator permission to change this file. The easiest way around this is to save a copy on the Desktop, edit the Desktop version, and copy the new one back over the top of the old. Windows will ask for permission to overwrite the old file; allow it. You should make the following changes to this file:
<br> <br>
<br> <br>
- Add the following options in the _JvmOptions_ section of the line that begins with <i>"C:\Bitnami\solr-4.10.3-0/apache-solr\scripts\prunsrv.exe"</i> : - Add the following options in the _JvmOptions_ section of the line that begins with <i>"C:\Bitnami\solr-4.10.3-0/apache-solr\scripts\prunsrv.exe"</i> :
@ -49,7 +59,7 @@ If you do not have a JRE installed, proceed to step 2. If you have a JRE install
<br><br> <br><br>
\image html updatedServiceInstall.PNG \image html updatedServiceInstall.PNG
<br><br> <br><br>
11. Edit <i>"C:\Bitnami\solr-4.10.3-0\apache-solr\solr\solr.xml"</i> to set the _transientCacheSize_ to the maximum number of cases expected to be open concurrently. If you expect ten concurrent cases, the text to add is 3. Edit <i>"C:\Bitnami\solr-4.10.3-0\apache-solr\solr\solr.xml"</i> to set the _transientCacheSize_ to the maximum number of cases expected to be open concurrently. If you expect ten concurrent cases, the text to add is
<i>\<int name="transientCacheSize">10\</int></i> <i>\<int name="transientCacheSize">10\</int></i>
<br><br> <br><br>
The added part is highlighted in yellow below. Ensure that it is inside the <i>\<solr></i> tag as follows: The added part is highlighted in yellow below. Ensure that it is inside the <i>\<solr></i> tag as follows:
@ -58,7 +68,7 @@ The added part is highlighted in yellow below. Ensure that it is inside the <i>\
<br> <br>
Again you may have trouble saving to the file in the current location. If so, just save it out to the desktop and copy the edited file back over the top of the original. Again you may have trouble saving to the file in the current location. If so, just save it out to the desktop and copy the edited file back over the top of the original.
<br><br> <br><br>
12. Edit <i>"C:\Bitnami\solr-4.10.3-0\apache-solr\resources/log4j.properties"</i> to configure Solr log settings: 4. Edit <i>"C:\Bitnami\solr-4.10.3-0\apache-solr\resources/log4j.properties"</i> to configure Solr log settings:
- Increase the log rotation size threshold (_log4j\.appender\.file\.MaxFileSize_) from 4MB to 100MB. - Increase the log rotation size threshold (_log4j\.appender\.file\.MaxFileSize_) from 4MB to 100MB.
- Remove the _CONSOLE_ appender from the _log4j\.rootLogger_ line. - Remove the _CONSOLE_ appender from the _log4j\.rootLogger_ line.
<br><br> <br><br>
@ -66,17 +76,17 @@ The log file should end up looking like this (modified lines are highlighted in
<br><br> <br><br>
\image html log4j.PNG \image html log4j.PNG
<br><br> <br><br>
13. Edit the file <i>"C:\Bitnami\solr-4.10.3-0\apache-solr\solr\zoo.cfg"</i> to increase the _tickTime_ value to 15000 as shown in the screenshot below. 5. Edit the file <i>"C:\Bitnami\solr-4.10.3-0\apache-solr\solr\zoo.cfg"</i> to increase the _tickTime_ value to 15000 as shown in the screenshot below.
<br><br> <br><br>
\image html tickTime.PNG \image html tickTime.PNG
<br><br> <br><br>
14. Edit the file <i>"C:\Bitnami\solr-4.10.3-0\apache-solr\solr\zoo.cfg"</i> to set the value <i>dataDir=C:/Bitnami/zookeeper</i> as shown in the screenshot below. 6. Edit the file <i>"C:\Bitnami\solr-4.10.3-0\apache-solr\solr\zoo.cfg"</i> to set the value <i>dataDir=C:/Bitnami/zookeeper</i> as shown in the screenshot below.
<br><br> <br><br>
\image html dataDir.PNG \image html dataDir.PNG
<br><br> <br><br>
15. Copy the folder _configsets_ from your Autopsy installation (<i>"C:\Program Files (x86)\Autopsy-4.0\autopsy\solr\solr"</i> for 32-bit or <i>"C:\Program Files\Autopsy-4.0\autopsy\solr\solr"</i> for 64-bit) to <i>"C:\\Bitnami\\solr-4.10.3-0\\apache-solr\\solr"</i> 7. From an Autopsy installation, copy the folder <i>"C:\Program Files\Autopsy-4.0\autopsy\solr\solr\configsets"</i> to <i>"C:\Bitnami\solr-4.10.3-0\apache-solr\solr"</i>.
16. Copy the folder _lib_ from your Autopsy installation (<i>"C:\Program Files (x86)\Autopsy-4.0\autopsy\solr\solr"</i> for 32-bit or <i>"C:\Program Files\Autopsy-4.0\autopsy\solr\solr"</i> for 64-bit) to <i>"C:\\Bitnami\\solr-4.10.3-0\\apache-solr\\solr"</i> 8. From an Autopsy installation, copy the folder <i>"C:\Program Files\Autopsy-4.0\autopsy\solr\solr\lib"</i> to <i>"C:\Bitnami\solr-4.10.3-0\apache-solr\solr"</i>.
17. Right-click on the file <i>"C:\Bitnami\solr-4.10.3-0\apache-solr\scripts\serviceinstall.bat"</i> and click "Run As Administrator", selecting _Yes_ if prompted by User Account Control. 9. Right-click on the file <i>"C:\Bitnami\solr-4.10.3-0\apache-solr\scripts\serviceinstall.bat"</i> and click "Run As Administrator", selecting _Yes_ if prompted by User Account Control.
If there is no "Run as administrator" option when you right-click the _serviceinstall.bat_ file, start a Windows command prompt as administrator by pressing _Start_, typing _command_, right clicking on _Command Prompt_, and clicking on _Run as administrator_. Then run the following command to install the _solrJetty_ service: If there is no "Run as administrator" option when you right-click the _serviceinstall.bat_ file, start a Windows command prompt as administrator by pressing _Start_, typing _command_, right clicking on _Command Prompt_, and clicking on _Run as administrator_. Then run the following command to install the _solrJetty_ service:
<br><br> <br><br>
@ -86,13 +96,13 @@ The log file should end up looking like this (modified lines are highlighted in
<br><br> <br><br>
\image html solrinstall1.PNG \image html solrinstall1.PNG
<br><br> <br><br>
18. Press _Start_, type _services.msc_, and press _Enter_. Find _solrJetty_. If the service is running, press _Stop the service_, then double click it, and switch to the _Log On_ tab to change the logon credentials to a user who will have access to read and write the primary shared drive. If the machine is on a domain, the Account Name will be in the form of _DOMAINNAME\\username_ as shown in the example below. Note that in the screenshot below, the domain name is _DOMAIN_ and the user name is _username_. These are just examples, not real values. 10. Press _Start_, type _services.msc_, and press _Enter_. Find _solrJetty_. If the service is running, press _Stop the service_, then double click it, and switch to the _Log On_ tab to change the logon credentials to a user who will have access to read and write the primary shared drive. If the machine is on a domain, the Account Name will be in the form of _DOMAINNAME\\username_ as shown in the example below. Note that in the screenshot below, the domain name is _DOMAIN_ and the user name is _username_. These are just examples, not real values.
<br><br> <br><br>
\image html solrinstall2.PNG \image html solrinstall2.PNG
<br> <br>
If the machine is on a domain, **make sure** to select the domain with the mouse by going to the _Log On_ tab, clicking _Browse_, then clicking _Locations_ and selecting the domain of interest. Then enter the user name desired and press _Check Names_. When that completes, press _OK_, type in the password once for each box and press _OK_. You may see "The user has been granted the log on as a service right." If the machine is on a domain, **make sure** to select the domain with the mouse by going to the _Log On_ tab, clicking _Browse_, then clicking _Locations_ and selecting the domain of interest. Then enter the user name desired and press _Check Names_. When that completes, press _OK_, type in the password once for each box and press _OK_. You may see "The user has been granted the log on as a service right."
19. You should be able to see the Solr service in a web browser via the URL <i>http://localhost:8983/solr/#/</i> as shown in the screenshot below. 11. You should be able to see the Solr service in a web browser via the URL <i>http://localhost:8983/solr/#/</i> as shown in the screenshot below.
<br><br> <br><br>
\image html solrinstall3.PNG \image html solrinstall3.PNG
<br><br> <br><br>

64
docs/doxygen-user/installation.dox
View File

@ -5,68 +5,28 @@
\section prereqs Prerequisites \section prereqs Prerequisites
It is _highly_ recommended to remove or disable any antivirus software from computers that will be processing or reviewing cases. Antivirus software will often conflict with forensic software, and may quarantine or even delete some of your results before you get a chance to look at them. It is _highly_ recommended to remove or disable any antivirus software from computers that will be processing or reviewing cases. Antivirus software will often conflict with forensic software, and may quarantine or even delete some of your results before you get a chance to look at them.
<br><br> <br><br>
\section install Deployment Types
Starting with Autopsy 4.0, there are two ways to deploy Autopsy:
- **Single-User**: Cases can be open by only a single instance of Autopsy at a time. Autopsy installations do not communicate with each other. This is the easiest to install and deploy. This page outlines that installation process.
- **Multi-User**: Cases can be open by multiple users at the same time and users can see what each other is doing. This collaborative deployment requires installation and configuration of other network-based services. The installation of this deployment is covered in \ref install_multiuser_page.
\section download Download \section download Download
Download Autopsy from the website: Download Autopsy from the website:
http://sleuthkit.org/autopsy/download.php http://sleuthkit.org/autopsy/download.php
The current version of Autopsy 3 runs only on Microsoft Windows. The current version of Autopsy 4 is distributed on sleuthkit.org only as a Windows installer. It can run on Linux and OS X, but requires some manual setup.
We have gotten older versions to run on other platforms, such as Linux and OS X, but we do not have it in a state that makes it easy to distribute and find the needed libraries.
<br><br>
\section installation_section Installation
\section install_standalone Installation
To install Autopsy, perform the following steps: To install Autopsy, perform the following steps:
1. Run the Autopsy _msi_ file 1. Run the Autopsy _msi_ file
2. If Windows prompts with User Account Control, click _Yes_ 2. If Windows prompts with User Account Control, click _Yes_
3. Click through the dialog boxes until you click a button that says _Finish_ 3. Click through the dialog boxes until you click a button that says _Finish_
4. Core Autopsy should now be fully installed 4. Autopsy should now be fully installed
<br>
\section deployment_types Deployment Types
There are two types of cases that Autopsy can create and use:
- **Standalone**: A single user with a single computer. Not intended to have multiple examiners working on the same case.
- **Collaborative**: A multi-user environment with multiple computers. Multiple examiners can work on the same case at the same time.
Both deployment types use the same analysis modules and the same base installer.
<br><br>
\subsection standalone_install Standalone (Single User) Installation
1. Install Autopsy as explained in \ref installation_section above. The Windows installer is self-contained and will place everything in the needed places. Simply follow the standard prompts for installation.
<br>
\subsection collab_install Collaborative (Multi-user) Installation
To use the Multi-user collaboration feature, three additional software packages are required. These packages install servers that need to be accessible to machines running Autopsy collaborative cases via the network. These servers do not have to be installed on the same machine as Autopsy, nor on the same machine as each other.
1. Install Autopsy just as in \ref standalone_install above
2. Install and configure Apache ActiveMQ on a machine accessible to Autopsy nodes. This is explained in \ref install_activemq.
3. Install and configure Bitnami Solr on a machine accessible to Autopsy nodes. This is explained in \ref install_solr.
4. Install and configure PostgreSQL on a machine accessible to Autopsy nodes. This is explained in \ref install_postgresql.
5. Configure Multi-user settings. This is explained in \ref multi_user_options.
<br>
While you may run all of the external services (ActiveMQ, Solr, and PostgreSQL) on the same machine that is running Autopsy, this is not ideal. Spreading the services out across several machines can improve throughput. Keep in mind that all the machines need to be able to communicate with each other and see the shared drive over the network.
If possible, place Solr on a machine by itself, as it is the largest RAM and CPU utilizer among the servers.
<br><br>
To use Multi-user cases, there needs to be a shared network drive accessible to all participating computers.
<br><br>
\section optimizing_performance Optimizing Performance
After installing Autopsy, there are several hardware-based things that we suggest you do to optimize performance:
1. Change the number of parallel pipelines used at run time. The default is two pipelines, but this can be increased if you are running on a system with several cores. To do this:
- Run Autopsy from the Start Menu or desktop
- When presented with the case creation splash screen, cancel/close the window
- Select "Tools", "Options"
- On the "Autopsy" tab, there is a drop down for _Number of threads to use for file ingest_. We recommend you set this value 4. If you set this number too high, performance can degrade because the pipelines are fighting for the same physical resources. Individual testing should be done to find an optimal setting.
- After each change, restart Autopsy to let this setting take effect.
<br><br>
\image html threadcount.PNG
<br><br>
2. In the screenshot above, there is an option to <i>Enable timeout to allow modules to automatically terminate after a set amount of time</i>. Enabling this feature by applying a checkmark and setting a number of hours puts a maximum amount of time an individual module may attempt to process before being stopped. If enabled and a module attempts to run for longer than this value, Autopsy stops the module and moves on to process the next module. This allows processing to continue even if a rogue module does not end appropriately in a reasonable amount of time.
<br><br>
3. When making a case, use different drives to store the case and the images. The case directory is where the SQLite database and keyword search index are stored in Single-user cases. This allows the maximum amount of data to be read and written at the same time. If using collaborative Multi-user mode, it is important that UNC paths are used to specifiy drive names. Fully-specified UNC paths should be in the form of <i>\\\\hostname\\sharename\\folder</i>.
<br><br>
4. We have had best performance using either solid state drives or fibre channel-attached SAN storage.
*/ */

20
docs/doxygen-user/main.dox
View File

@ -6,7 +6,7 @@ Overview
This is the User's Guide for the <a href="http://www.sleuthkit.org/autopsy/">open source Autopsy platform</a>. Autopsy allows you to examine a hard drive or mobile device and recover evidence from it. This guide should help you with using Autopsy. The <a href="http://www.sleuthkit.org/autopsy/docs/api-docs/3.1/"> developer's guide</a> will help you develop your own Autopsy modules. This is the User's Guide for the <a href="http://www.sleuthkit.org/autopsy/">open source Autopsy platform</a>. Autopsy allows you to examine a hard drive or mobile device and recover evidence from it. This guide should help you with using Autopsy. The <a href="http://www.sleuthkit.org/autopsy/docs/api-docs/3.1/"> developer's guide</a> will help you develop your own Autopsy modules.
Autopsy 3 is a complete rewrite from Autopsy 2, and none of this document is relevant to Autopsy 2. Autopsy 4 (and 3) are a complete rewrite from Autopsy 2, and none of this document is relevant to Autopsy 2.
Help Topics Help Topics
------- -------
@ -15,11 +15,6 @@ The following topics are available here:
- \subpage installation_page - \subpage installation_page
- \subpage quick_start_guide "Quick Start Guide" - \subpage quick_start_guide "Quick Start Guide"
- \subpage workflow_page - \subpage workflow_page
- Multi-user Collaboration Setup
- \subpage install_activemq
- \subpage install_postgresql
- \subpage install_solr
- \subpage multiuser_page
- Cases and Adding Data Sources - Cases and Adding Data Sources
- \subpage cases_page - \subpage cases_page
- \subpage ds_page - \subpage ds_page
@ -42,14 +37,21 @@ The following topics are available here:
- \subpage tree_viewer_page - \subpage tree_viewer_page
- \subpage result_viewer_page - \subpage result_viewer_page
- \subpage content_viewer_page - \subpage content_viewer_page
<!-- - \subpage image_gallery_page Not released yet, coming soon--> - \subpage image_gallery_page
- \subpage file_search_page - \subpage file_search_page
- \subpage timeline_page - \subpage timeline_page
- \subpage stix_page - \subpage stix_page
- Reporting - Reporting
- \subpage tagging_page - \subpage tagging_page
- \subpage reporting_page - \subpage reporting_page
- \subpage module_install_page - \subpage module_install_page
- \subpage performance_page
- Multi-user Collaborative Deployments
- \subpage install_multiuser_page
- \subpage install_activemq
- \subpage install_postgresql
- \subpage install_solr
- \subpage multiuser_page
If the topic you need is not listed, refer to the <a href="http://wiki.sleuthkit.org/index.php?title=Autopsy_User%27s_Guide">Autopsy Wiki</a> or join the <a href="https://lists.sourceforge.net/lists/listinfo/sleuthkit-users">SleuthKit User List</a> at SourceForge. If the topic you need is not listed, refer to the <a href="http://wiki.sleuthkit.org/index.php?title=Autopsy_User%27s_Guide">Autopsy Wiki</a> or join the <a href="https://lists.sourceforge.net/lists/listinfo/sleuthkit-users">SleuthKit User List</a> at SourceForge.

38
docs/doxygen-user/multiuser.dox
View File

@ -1,38 +1,42 @@
/*! \page multiuser_page Using Multi-user Collaboration /*! \page multiuser_page Using Multi-user Cases
\section creating_multi_user_cases Creating Multi-user cases \section creating_multi_user_cases Creating Multi-user cases
The collaborative Multi-user capabilities enable Autopsy cases to be opened by multiple reviewers at the same time allowing simultaneous case review with multiple reviewers.
Multi-user cases allow multiple instances of Autopsy to have the same case open at the same time. When creating a case, users are now presented with a choice of Single-user or Multi-user as shown in the screenshot below.
When creating a case, users are now presented with a choice of Single-user or Multi-user as shown in the screenshot below.
<br><br> <br><br>
\image html case-newcase.PNG \image html case-newcase.PNG
<br><br> <br><br>
Single-user functions the same as always, with a back end SQLite database and a machine-local version of Solr. Single-user functions the same as always, with a back end SQLite database and a machine-local version of Solr.
Multi-user allows multiple computers to open the same case at the same time. In order to accomplish this, some setup needs to take place. To use a Multi-user setup, one must install PostgreSQL, Solr, and ActiveMQ (see \subpage installation_page) on machines connected to the network, and properly configure Autopsy to interact with these services. This configuration is done in the Multi-user options panel, discussed below. To create a multi-user case, the following must occur:
<br><br> - The network services must be installed, configured, and running. See \ref multiuser_install_services.
- The Case folder needs to be in a shared folder that all other clients can also access at the same path (UNC or drive letter).
- The data sources that are added with the Add Data Source wizard must be in a shared folder that all clients can access at the same path.
\section multi_user_other Other Multi-user Information
- When using a multi-user case, other nodes could be running data ingest on the same case. While this is happening, you will see a progress bar labelled with the hostname of the machine performing the ingest on the bottom right of Autopsy. The progress bar will continue to move back and forth until ingest has been completed or cancelled. You can still run ingest on your local machine while this is ongoing. This is shown in the screenshot below.
\section multi_user_options Multi-user options panel
As shown in the screenshot below, all three services need configuration of IP addresses and ports, and two of them need user names and passwords. Enter the correct information into the dialog and press okay. Note that in order to create or open Multi-user cases, "Enable Multi-user cases" must be checked and the settings below must be correct.
<br><br>
\image html multiuser_settings.PNG
<br><br>
Other Multi-user Information
=======
- When using a case in collaborative Multi-user mode, other nodes could be running data ingest. While this is happening, you will see a progress bar labelled with the hostname of the machine performing the ingest on the bottom right of Autopsy. The progress bar will continue to move back and forth until ingest has been completed or cancelled. You can still run ingest on your local machine while this is ongoing. This is shown in the screenshot below.
<br><br> <br><br>
\image html othernodeingesting.PNG \image html othernodeingesting.PNG
<br><br> <br><br>
- When issues occur, there is an information "bubble" on the bottom right of the screen. It has an "i" inside a circle, with the color of the circle changed based upon the message. It uses red for bad and blue for good. See the screenshot below.
- When issues occur, there is an information "bubble" on the bottom right of the screen. It has an "i" inside a circle, with the color of the circle changed based upon the message. It uses red for bad and blue for good. See the screenshot below.
<br><br> <br><br>
\image html messagebubbles.PNG \image html messagebubbles.PNG
<br><br> <br><br>
- Clicking on the information "bubble" brings up the list of prior notifications that have not been dismissed by clicking on the "x". As you can see in the screenshot below, the network cable was unplugged from the machine and it lost all connection to the three services. When the cable was reconnected, it found the services again.
- Clicking on the information "bubble" brings up the list of prior notifications that have not been dismissed by clicking on the "x". As you can see in the screenshot below, the network cable was unplugged from the machine and it lost all connection to the three services. When the cable was reconnected, it found the services again.
<br><br> <br><br>
\image html messagebubblesbigger.PNG \image html messagebubblesbigger.PNG
<br><br> <br><br>
- While using collaborative Multi-user mode, it is important that UNC paths are used to specifiy drive names. Drive mapping will work, but it is sometimes difficult to get all the machines participating in a case to map to the same drive letters for the same resources. It is much simpler to use fully-specified UNC paths in the form of <i>\\\\hostname\\sharename\\folder</i>.
- When creating multi-user cases, we recommend using UNC paths to specify drive names. Drive mapping will work, but it is sometimes difficult to get all the machines participating in a case to map to the same drive letters for the same resources. It is much simpler to use fully-specified UNC paths in the form of <i>\\\\hostname\\sharename\\folder</i>.
*/ */

19
docs/doxygen-user/performance.dox Normal file
View File

@ -0,0 +1,19 @@
/*! \page performance_page Optimizing Performance
After installing Autopsy, there are several hardware-based things that we suggest you do to optimize performance:
1. Number of Threads: Change the number of parallel pipelines used at run time. The default is two pipelines, but this can be increased if you are running on a system with several cores. To do this:
- Run Autopsy from the Start Menu or desktop
- When presented with the case creation splash screen, cancel/close the window
- Select "Tools", "Options"
- On the "Autopsy" tab, there is a drop down for _Number of threads to use for file ingest_. We recommend you set this value 4. If you set this number too high, performance can degrade because the pipelines are fighting for the same physical resources. Individual testing should be done to find an optimal setting.
- After each change, restart Autopsy to let this setting take effect.
<br><br>
\image html threadcount.PNG
<br><br>
2. When making a case, use different drives to store the case and the images. This allows the maximum amount of data to be read and written at the same time.
3. We have had best performance using either solid state drives or fibre channel-attached SAN storage.
*/