mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-19 02:57:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/develop' into develop

Browse Source
This commit is contained in:
alexjacks92 2014-01-21 09:44:14 -05:00
commit 26f46eef19
55 changed files with 1449 additions and 1634 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
API-CHANGES.txt
View File

@ -1,9 +1,5 @@
Changes to make to API when we are ready to make backward incompatible changes:
- HTMLReport has special API for more context on columns and special handling in REportGenerator. Change all reports to the new API.
- DataContentViewer.isPreferred does not need isSupported to be passed in
- DataContentViewerHex and Strings can have the public setDataView methods removed in favor of the new private ones
- Content.getUniquePath() should not thrown TskException. We should deal with it in the method.
- Make the list of events that Case fires off to be part of an enum to group them together (like IngestManager does).
- Sub-modules in RecentActivity have a bunch of public/protected variables that do not need to be. (i.e. ExtractRegistry.rrFullFound).
- Delete BrowserType enum and BrowserActivityType in RecentActivity.

5
Core/src/org/sleuthkit/autopsy/casemodule/AddImageTask.java
View File

@ -234,9 +234,6 @@ public class AddImageTask implements Runnable {
if (!(cancelled || hasCritError)) {
try {
// Tell the progress monitor we're done
progressMonitor.setProgress(100);
if (newContents.isEmpty()) {
if (addImageProcess != null) { // and if we're done configuring ingest
// commit anything
@ -255,6 +252,8 @@ public class AddImageTask implements Runnable {
else { //already commited?
logger.log(Level.INFO, "Assuming image already committed, will not commit.");
}
// Tell the progress monitor we're done
progressMonitor.setProgress(100);
} catch (Exception ex) {
//handle unchecked exceptions post image add

102
Core/src/org/sleuthkit/autopsy/casemodule/docs/aboutImage.html
View File

@ -1,51 +1,51 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Data Source Basics</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>About Data Sources</h2>
<p>
Autopsy supports 3 types of data sources that can be added to the Case:</p>
<ul>
<li>Disk Image (raw, Encase, etc).
"Image" refers to a byte-for-byte copy of a hard drive or other storage media.
</li>
<li>Disk Device (physical or logical disk partition, plugged in the user machine and detected by Autopsy).
Note: to correctly detect all devices, Autopsy needs to run as Administrator.
</li>
<li>Logical Files (files and folders on the user machine file system)</li>
</ul>
<p>
User needs to select the data source type from the pull down menu in the Add Data Source wizard.
</p>
<p>
To analyze a Data Source, user should use the <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/addImage.html">Add Data Source Wizard</a>
to add it to a <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/casemodule-about.html">case</a>.
</p>
<p>
Autopsy populates an embedded database for each data source (image, disk device, logical files) that it imports.
This database is a SQLite database and it contains all of the file system metadata from the input data source.
The database is stored in the case directory, but the data source will stay in its original location.
The data source must remain accessible for the duration of the analysis because the database contains only basic file system information (meta-data, not the actual content).
The image / files are needed to retrieve file content.
</p>
<h2>Supported Image Formats</h2>
<p>Currently, Autopsy supports these image formats:</p>
<ul>
<li>Raw Single (For example: *.img, *.dd, *.raw, etc)</li>
<li>Raw Split (For example: *.001, *.002, *.aa, *.ab, etc)</li>
<li>EnCase (For example: *.e01, *e02, etc)</li>
</ul>
<h2>Removing a Data Source</h2>
<p>You cannot currently remove an data source from a case.</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Data Source Basics</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>About Data Sources</h2>
<p>
Autopsy supports 3 types of data sources that can be added to the Case:</p>
<ul>
<li>Disk Image (raw, Encase, etc).
"Image" refers to a byte-for-byte copy of a hard drive or other storage media.
</li>
<li>Disk Device (physical or logical disk partition, plugged in the user machine and detected by Autopsy).
Note: to correctly detect all devices, Autopsy needs to run as Administrator.
</li>
<li>Logical Files (files and folders on the user machine file system)</li>
</ul>
<p>
User needs to select the data source type from the pull down menu in the Add Data Source wizard.
</p>
<p>
To analyze a Data Source, user should use the <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/addImage.html">Add Data Source Wizard</a>
to add it to a <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/casemodule-about.html">case</a>.
</p>
<p>
Autopsy populates an embedded database for each data source (image, disk device, logical files) that it imports.
This database is a SQLite database and it contains all of the file system metadata from the input data source.
The database is stored in the case directory, but the data source will stay in its original location.
The data source must remain accessible for the duration of the analysis because the database contains only basic file system information (meta-data, not the actual content).
The image / files are needed to retrieve file content.
</p>
<h2>Supported Image Formats</h2>
<p>Currently, Autopsy supports these image formats:</p>
<ul>
<li>Raw Single (For example: *.img, *.dd, *.raw, etc)</li>
<li>Raw Split (For example: *.001, *.002, *.aa, *.ab, etc)</li>
<li>EnCase (For example: *.e01, *e02, etc)</li>
</ul>
<h2>Removing a Data Source</h2>
<p>You cannot currently remove an data source from a case.</p>
</body>
</html>

104
Core/src/org/sleuthkit/autopsy/casemodule/docs/addImage.html
View File

@ -1,53 +1,53 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Adding Data Source (Image, Disk, Files) Wizard</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Adding a Data Source</h2>
<p>There are two ways to add an data source to the currently opened case:</p>
<ul>
<li>Go to "File" and select "Add Data Source..." </li>
<li>Select the <img src="addImage-icon.png" alt="Add Image Icon" /> icon on the toolbar</li>
</ul>
<p>This will bring up the Add Data Source wizard. It will guide you through the process.</p>
<p>Here are some notes on what is going on during the process:</p>
<ul>
<li>
The first panel will ask you to select the data source type and
browse for the data source (image or files located on the computer, or select the device detected).
In case of adding a disk image, you will also need to specify the timezone that the disk image came from
so that the dates and times can be properly displayed and converted.
As soon as you click 'Next >', Autopsy will begin analyzing the disk image and populating the database in the background.
<br />
<img src="AddImageWizard1_Help.png" alt="Add Image Wizard Panel 1 Help" />
</li>
<li>
The second panel allows you to choose which ingest modules to run on the image.
Refer to the <a href="nbdocs:/org/sleuthkit/autopsy/ingest/docs/ingest-about.html">Image Ingest</a> part of the help guide for more details.
<br />
<img src="AddImageWizard2_Help.png" alt="Add Image Wizard Panel 3 Help" />
</li>
<li>
The third panel provides a progress bar and information about the data source Autopsy is currently processing.
If small enough, the input may have already finished processing, allowing you to continue past this panel.
However, it may be necessary to wait for a short time while the database is populated.
<br />
<img src="AddImageWizard3_Help.png" alt="Add Image Wizard Panel 2 Help" />
</li>
<li>
Once the input data source finishes adding, the ingest modules you selected will automatically run in the background.
If the data source is processed before you select ingest modules, Autopsy will wait until you have done so.
</li>
</ul>
<p>
Note that in case of image, Autopsy will store the path to the image in its configuration file.
If the image moves, then Autopsy will give an error because it can't find the image file and it will prompt user to point to the new image location.
</p>
</body>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Adding Data Source (Image, Disk, Files) Wizard</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Adding a Data Source</h2>
<p>There are two ways to add an data source to the currently opened case:</p>
<ul>
<li>Go to "File" and select "Add Data Source..." </li>
<li>Select the <img src="addImage-icon.png" alt="Add Image Icon" /> icon on the toolbar</li>
</ul>
<p>This will bring up the Add Data Source wizard. It will guide you through the process.</p>
<p>Here are some notes on what is going on during the process:</p>
<ul>
<li>
The first panel will ask you to select the data source type and
browse for the data source (image or files located on the computer, or select the device detected).
In case of adding a disk image, you will also need to specify the timezone that the disk image came from
so that the dates and times can be properly displayed and converted.
As soon as you click 'Next >', Autopsy will begin analyzing the disk image and populating the database in the background.
<br />
<img src="AddImageWizard1_Help.png" alt="Add Image Wizard Panel 1 Help" />
</li>
<li>
The second panel allows you to choose which ingest modules to run on the image.
Refer to the <a href="nbdocs:/org/sleuthkit/autopsy/ingest/docs/ingest-about.html">Image Ingest</a> part of the help guide for more details.
<br />
<img src="AddImageWizard2_Help.png" alt="Add Image Wizard Panel 3 Help" />
</li>
<li>
The third panel provides a progress bar and information about the data source Autopsy is currently processing.
If small enough, the input may have already finished processing, allowing you to continue past this panel.
However, it may be necessary to wait for a short time while the database is populated.
<br />
<img src="AddImageWizard3_Help.png" alt="Add Image Wizard Panel 2 Help" />
</li>
<li>
Once the input data source finishes adding, the ingest modules you selected will automatically run in the background.
If the data source is processed before you select ingest modules, Autopsy will wait until you have done so.
</li>
</ul>
<p>
Note that in case of image, Autopsy will store the path to the image in its configuration file.
If the image moves, then Autopsy will give an error because it can't find the image file and it will prompt user to point to the new image location.
</p>
</body>
</html>

54
Core/src/org/sleuthkit/autopsy/casemodule/docs/caseProperties.html
View File

@ -1,28 +1,28 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Case Properties Window</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Case Properties Window</h2>
<p>
Case Properties Window is where you can check some information about the currently opened case
(case name, case creation date, case directory, and images in this case).
</p>
<p>In this window, you can also do the following things:</p>
<ul>
<li>Change/update the case name</li>
<li>Delete the current case</li>
</ul>
<h2>How to Open Case Properties Window</h2>
<p>To open the "Case Properties" window, go to "File" and then select "Case Properties..."</p>
<h2>Example</h2>
<p>Here's an example of the "Case Properties" window:</p>
<img src="CasePropertiesHelp.png" alt="Case Properties Help" />
</body>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Case Properties Window</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Case Properties Window</h2>
<p>
Case Properties Window is where you can check some information about the currently opened case
(case name, case creation date, case directory, and images in this case).
</p>
<p>In this window, you can also do the following things:</p>
<ul>
<li>Change/update the case name</li>
<li>Delete the current case</li>
</ul>
<h2>How to Open Case Properties Window</h2>
<p>To open the "Case Properties" window, go to "File" and then select "Case Properties..."</p>
<h2>Example</h2>
<p>Here's an example of the "Case Properties" window:</p>
<img src="CasePropertiesHelp.png" alt="Case Properties Help" />
</body>
</html>

66
Core/src/org/sleuthkit/autopsy/casemodule/docs/casemodule-about.html
View File

@ -1,33 +1,33 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>About Cases</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>About Cases</h2>
<p>
In Autopsy, a "case" is a container concept for a set of <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/aboutImage.html">input data sources (disk images, disk devices, logical files)</a>.
The set of data could be from multiple drives in a single computer or from multiple computers.
When you make a case, it will create a directory to hold all of the information.
The directory will contain the main Autopsy configuration file, other module's configuration files,
some databases, generated reports, and some other information (temporary files, cache files).
The main Autopsy case configuration file as a .aut extension - that is the file used to "Open" the case.
In general, it is recommended for the user not to modify any files in the Case directory and leave it to Autopsy manage it.
</p>
<p>
If you want to view case details or edit some case information,
use the <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/caseProperties.html">Case Properties</a> window.
</p>
<h2>Creating a Case</h2>
<p>Refer to the <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/createNewCase.html">Creating a Case</a> page for more details.</p>
<h2>Opening a Case</h2>
<p>
To open a case, choose "Open Case" from the File menu or use the "Ctrl + O" keyboard shortcut.
Navigate to the case directory and select the ".aut" file.
</p>
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>About Cases</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>About Cases</h2>
<p>
In Autopsy, a "case" is a container concept for a set of <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/aboutImage.html">input data sources (disk images, disk devices, logical files)</a>.
The set of data could be from multiple drives in a single computer or from multiple computers.
When you make a case, it will create a directory to hold all of the information.
The directory will contain the main Autopsy configuration file, other module's configuration files,
some databases, generated reports, and some other information (temporary files, cache files).
The main Autopsy case configuration file as a .aut extension - that is the file used to "Open" the case.
In general, it is recommended for the user not to modify any files in the Case directory and leave it to Autopsy manage it.
</p>
<p>
If you want to view case details or edit some case information,
use the <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/caseProperties.html">Case Properties</a> window.
</p>
<h2>Creating a Case</h2>
<p>Refer to the <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/createNewCase.html">Creating a Case</a> page for more details.</p>
<h2>Opening a Case</h2>
<p>
To open a case, choose "Open Case" from the File menu or use the "Ctrl + O" keyboard shortcut.
Navigate to the case directory and select the ".aut" file.
</p>
</body>
</html>

48
Core/src/org/sleuthkit/autopsy/casemodule/docs/createNewCase.html
View File

@ -1,25 +1,25 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Creating A Case</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Creating a Case</h2>
<p>There are several ways to create a new case:</p>
<ul>
<li>Go to "File" and select "New Case..."</li>
<li>Press "Ctrl + N" on the keyboard</li>
</ul>
<p>
The "New Case" wizard dialog will open and you will need to enter the case name and base directory.
Each case will have its own directory and the path of the directory is created by combining the "base directory" with the "case name".
If the directory already exists, you will need to either delete the existing directory or choose a different combination of names.
</p>
<h2>Example:</h2>
<p> Here's an example of the "New Case" wizard dialog:</p>
<img src="NewCaseWizardHelp.png" alt="New Case Wizard Help" />
</body>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Creating A Case</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Creating a Case</h2>
<p>There are several ways to create a new case:</p>
<ul>
<li>Go to "File" and select "New Case..."</li>
<li>Press "Ctrl + N" on the keyboard</li>
</ul>
<p>
The "New Case" wizard dialog will open and you will need to enter the case name and base directory.
Each case will have its own directory and the path of the directory is created by combining the "base directory" with the "case name".
If the directory already exists, you will need to either delete the existing directory or choose a different combination of names.
</p>
<h2>Example:</h2>
<p> Here's an example of the "New Case" wizard dialog:</p>
<img src="NewCaseWizardHelp.png" alt="New Case Wizard Help" />
</body>
</html>

150
Core/src/org/sleuthkit/autopsy/casemodule/docs/hashDbMgmt.html
View File

@ -1,75 +1,75 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Hash Database Management</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Hash Database Management Window</h2>
<p>
The Hash Database Management window is where you can set and update your hash database information.
Hash databases are used to identify files that are 'known'.
</p>
<ul>
<li>
Known good files are those that can be safely ignored.
This set of files frequently includes standard OS and application files.
Ignoring such uninteresting to the investigator files, can greatly reduce image analysis time.
</li>
<li>
Known bad (also called notable) files are those that should raise awareness.
This set will vary depending on the type of investigation, but common examples include contraband images and malware.
</li>
</ul>
<h2>Notable / Known Bad Hashsets</h2>
<p>Autopsy allows for multiple known bad hash databases to be set. Autopsy supports three formats:</p>
<ul>
<li>EnCase: An EnCase hashset file.</li>
<li>MD5sum: Output from running the md5, md5sum, or md5deep program on a set of files.</li>
<li>NSRL: The format of the NSRL database.</li>
<li>HashKeeper: Hashset file conforming to the HashKeeper standard.</li>
</ul>
<h2>NIST NSRL</h2>
<p>
Autopsy can use the <a href="http://www.nsrl.nist.gov">NIST NSRL</a> to detect 'known files'.
Note that the NSRL contains hashes of 'known files' that may be good or bad depending on your perspective and investigation type.
For example, the existence of a piece of financial software may be interesting to your investigation and that software could be in the NSRL.
Therefore, Autopsy treats files that are found in the NSRL as simply 'known' and does not specify good or bad.
Ingest modules have the option of ignoring files that were found in the NSRL.
</p>
<p>
To use the NSRL, you must concatenate all of the NSRLFile.txt files together.
You can use 'cat' on a Unix system or from within Cygwin to do this.
</p>
<h2>Adding Hashsets</h2>
<p>
Autopsy needs an index of the hashset to actualy use a hash database.
It can create the index if you import only the hashset.
When you select the database from within this window, it will tell you if the index needs to be created.
Autopsy uses the hash database management system from The Sleuth Kit. You can manually create an index using the 'hfind' command line tool or you can use Autopsy.
If you attempt proceed without indexing a database, Autopsy will offer to automatically produce an index for you.
</p>
<p>
You can also specify only the index file and not use the full hashset - the index file is sufficient to identify known files.
This can save space. To do this, specify the .idx file from the Hash Database Management window.
</p>
<h2>Using Hashsets</h2>
<p>
There is an <a href="nbdocs:/org/sleuthkit/autopsy/ingest/docs/ingest-about.html">ingest module</a> that will hash the files and look them up in the hashsets.
It will flag files that were in the notable hashset and those results will be shown in the Results tree of the <a href="nbdocs:/org/sleuthkit/autopsy/directorytree/docs/directorytree-about.html">Data Explorer</a>.
</p>
<p>Other ingest modules are able to use the known status of a file to decide if they should ignore the file or process it.</p>
<p>
You can also see the results in the <a href="nbdocs:/org/sleuthkit/autopsy/filesearch/docs/open-filesearch.html">File Search</a> window.
There is an option to choose the 'known status'. From here, you can do a search to see all 'known bad' files.
From here, you can also choose to ignore all 'known' files that were found in the NSRL.
You can also see the status of the file in a column when the file is listed.
</p>
<img src="hashdb.PNG" alt="Hash Database Configuration" />
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Hash Database Management</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Hash Database Management Window</h2>
<p>
The Hash Database Management window is where you can set and update your hash database information.
Hash databases are used to identify files that are 'known'.
</p>
<ul>
<li>
Known good files are those that can be safely ignored.
This set of files frequently includes standard OS and application files.
Ignoring such uninteresting to the investigator files, can greatly reduce image analysis time.
</li>
<li>
Known bad (also called notable) files are those that should raise awareness.
This set will vary depending on the type of investigation, but common examples include contraband images and malware.
</li>
</ul>
<h2>Notable / Known Bad Hashsets</h2>
<p>Autopsy allows for multiple known bad hash databases to be set. Autopsy supports three formats:</p>
<ul>
<li>EnCase: An EnCase hashset file.</li>
<li>MD5sum: Output from running the md5, md5sum, or md5deep program on a set of files.</li>
<li>NSRL: The format of the NSRL database.</li>
<li>HashKeeper: Hashset file conforming to the HashKeeper standard.</li>
</ul>
<h2>NIST NSRL</h2>
<p>
Autopsy can use the <a href="http://www.nsrl.nist.gov">NIST NSRL</a> to detect 'known files'.
Note that the NSRL contains hashes of 'known files' that may be good or bad depending on your perspective and investigation type.
For example, the existence of a piece of financial software may be interesting to your investigation and that software could be in the NSRL.
Therefore, Autopsy treats files that are found in the NSRL as simply 'known' and does not specify good or bad.
Ingest modules have the option of ignoring files that were found in the NSRL.
</p>
<p>
To use the NSRL, you must concatenate all of the NSRLFile.txt files together.
You can use 'cat' on a Unix system or from within Cygwin to do this.
</p>
<h2>Adding Hashsets</h2>
<p>
Autopsy needs an index of the hashset to actualy use a hash database.
It can create the index if you import only the hashset.
When you select the database from within this window, it will tell you if the index needs to be created.
Autopsy uses the hash database management system from The Sleuth Kit. You can manually create an index using the 'hfind' command line tool or you can use Autopsy.
If you attempt proceed without indexing a database, Autopsy will offer to automatically produce an index for you.
</p>
<p>
You can also specify only the index file and not use the full hashset - the index file is sufficient to identify known files.
This can save space. To do this, specify the .idx file from the Hash Database Management window.
</p>
<h2>Using Hashsets</h2>
<p>
There is an <a href="nbdocs:/org/sleuthkit/autopsy/ingest/docs/ingest-about.html">ingest module</a> that will hash the files and look them up in the hashsets.
It will flag files that were in the notable hashset and those results will be shown in the Results tree of the <a href="nbdocs:/org/sleuthkit/autopsy/directorytree/docs/directorytree-about.html">Data Explorer</a>.
</p>
<p>Other ingest modules are able to use the known status of a file to decide if they should ignore the file or process it.</p>
<p>
You can also see the results in the <a href="nbdocs:/org/sleuthkit/autopsy/filesearch/docs/open-filesearch.html">File Search</a> window.
There is an option to choose the 'known status'. From here, you can do a search to see all 'known bad' files.
From here, you can also choose to ignore all 'known' files that were found in the NSRL.
You can also see the status of the file in a column when the file is listed.
</p>
<img src="hashdb.PNG" alt="Hash Database Configuration" />
</body>
</html>

130
Core/src/org/sleuthkit/autopsy/casemodule/docs/overview.html
View File

@ -1,66 +1,66 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Overview</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Overview</h2>
<p>
Autopsy allows you to conduct a digital forensic investigation.
It is a graphical interface to The Sleuth Kit and other tools.
This page outlines the basic concepts of the program.
The remainder of the help guide is organized around these concepts.
</p>
<p>
The main Autopsy features include: importing a Data Source (image, disk, files) and exploring its file systems,
running analysis modules (ingest), viewing ingest results, viewing content and generating reports.
</p>
<p>
Autopsy is an extensible application; it provides a plug-in framework that allows other other parties to supply plug-ins and supply additional:
image and file ingest for new types of analysis, different content viewers and different types of reports to be supported.
There are plug-ins for for several ingest modules, viewers and reports that are bundled by default with Autopsy.
</p>
<p>
All data is organized around the concept of a <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/casemodule-about.html">case</a>.
A case can have one or more data <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/aboutImage.html">sources</a> loaded into it.
</p>
<p>The main window has three major areas:</p>
<ul>
<li>
<a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/dataexplorer-about.html">Data Explorer Tree</a>:
This area is where you go find major analysis functionality.
It allows you to start finding the relevant files quickly.
</li>
<li>
<a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/dataresult-about.html">Result Viewers</a>:
This area is where the files and directories that were found from the explorer window can be viewed.
There are different formatting options for the files.
</li>
<li>
<a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/datacontent-about.html">Content Viewers</a>:
This area is where file content can be viewed after they are selected from the Result Viewer area.
</li>
</ul>
<p>
The main take away from this should be that analysis techniques and result categories can be found on the left-hand side,
the results from choosing something on the left are always listed in the upper right,
and the file contents are displayed in the lower left.
</p>
<img src="Autopsy_overview.png" alt="Autopsy Overview Window" />
</body>
</html>
<!--
Tip: to create a link which will open in an external web browser, try:
<object classid="java:org.netbeans.modules.javahelp.BrowserDisplayer">
<param name="content" value="http://www.netbeans.org/">
<param name="text" value="<html><u>http://www.netbeans.org/</u></html>">
<param name="textFontSize" value="medium">
<param name="textColor" value="blue">
</object>
To create a link to a help set from another module, you need to know the code name base and path, e.g.:
<a href="nbdocs://org.netbeans.modules.usersguide/org/netbeans/modules/usersguide/configure/configure_options.html">Using the Options Window</a>
(This link will behave sanely if that module is disabled or missing.)
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Overview</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Overview</h2>
<p>
Autopsy allows you to conduct a digital forensic investigation.
It is a graphical interface to The Sleuth Kit and other tools.
This page outlines the basic concepts of the program.
The remainder of the help guide is organized around these concepts.
</p>
<p>
The main Autopsy features include: importing a Data Source (image, disk, files) and exploring its file systems,
running analysis modules (ingest), viewing ingest results, viewing content and generating reports.
</p>
<p>
Autopsy is an extensible application; it provides a plug-in framework that allows other other parties to supply plug-ins and supply additional:
image and file ingest for new types of analysis, different content viewers and different types of reports to be supported.
There are plug-ins for for several ingest modules, viewers and reports that are bundled by default with Autopsy.
</p>
<p>
All data is organized around the concept of a <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/casemodule-about.html">case</a>.
A case can have one or more data <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/aboutImage.html">sources</a> loaded into it.
</p>
<p>The main window has three major areas:</p>
<ul>
<li>
<a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/dataexplorer-about.html">Data Explorer Tree</a>:
This area is where you go find major analysis functionality.
It allows you to start finding the relevant files quickly.
</li>
<li>
<a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/dataresult-about.html">Result Viewers</a>:
This area is where the files and directories that were found from the explorer window can be viewed.
There are different formatting options for the files.
</li>
<li>
<a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/datacontent-about.html">Content Viewers</a>:
This area is where file content can be viewed after they are selected from the Result Viewer area.
</li>
</ul>
<p>
The main take away from this should be that analysis techniques and result categories can be found on the left-hand side,
the results from choosing something on the left are always listed in the upper right,
and the file contents are displayed in the lower left.
</p>
<img src="Autopsy_overview.png" alt="Autopsy Overview Window" />
</body>
</html>
<!--
Tip: to create a link which will open in an external web browser, try:
<object classid="java:org.netbeans.modules.javahelp.BrowserDisplayer">
<param name="content" value="http://www.netbeans.org/">
<param name="text" value="<html><u>http://www.netbeans.org/</u></html>">
<param name="textFontSize" value="medium">
<param name="textColor" value="blue">
</object>
To create a link to a help set from another module, you need to know the code name base and path, e.g.:
<a href="nbdocs://org.netbeans.modules.usersguide/org/netbeans/modules/usersguide/configure/configure_options.html">Using the Options Window</a>
(This link will behave sanely if that module is disabled or missing.)
-->

2
Core/src/org/sleuthkit/autopsy/contentviewers/Metadata.java
View File

@ -185,7 +185,7 @@ public class Metadata extends javax.swing.JPanel implements DataContentViewer
}
@Override
public int isPreferred(Node node, boolean isSupported) {
public int isPreferred(Node node) {
return 1;
}
}

7
Core/src/org/sleuthkit/autopsy/corecomponentinterfaces/DataContentViewer.java
View File

@ -83,16 +83,15 @@ public interface DataContentViewer {
* Checks whether the given viewer is preferred for the Node.
* This is a bit subjective, but the idea is that Autopsy wants to display
* the most relevant tab. The more generic the viewer, the lower
* the return value should be.
* the return value should be. This will only be called on viewers that
* support the given node.
*
* @param node Node to check for preference
* @param isSupported true if the viewer is supported by the node, false otherwise
* as determined by a previous check
* @return an int (0-10) higher return means the viewer has higher priority
* 0 means not supported
* 1 to 2 means the module will display all file types (such as the hex viewer)
* 3-10 are prioritized by Content viewer developer. Modules that operate on very
* few file types should be towards 10.
*/
public int isPreferred(Node node, boolean isSupported);
public int isPreferred(Node node);
}

6
Core/src/org/sleuthkit/autopsy/corecomponents/DataContentPanel.java
View File

@ -181,7 +181,7 @@ public class DataContentPanel extends javax.swing.JPanel implements DataContent,
jTabbedPane1.setEnabledAt(i, true);
// remember the viewer with the highest preference value
int currentPreferred = dcv.isPreferred(selectedNode, true);
int currentPreferred = dcv.isPreferred(selectedNode);
if (currentPreferred > maxPreferred) {
preferredViewerIndex = i;
maxPreferred = currentPreferred;
@ -258,8 +258,8 @@ public class DataContentPanel extends javax.swing.JPanel implements DataContent,
return this.wrapped.isSupported(node);
}
int isPreferred(Node node, boolean isSupported) {
return this.wrapped.isPreferred(node, isSupported);
int isPreferred(Node node) {
return this.wrapped.isPreferred(node);
}
}

13
Core/src/org/sleuthkit/autopsy/corecomponents/DataContentViewerArtifact.java
View File

@ -330,18 +330,13 @@ public class DataContentViewerArtifact extends javax.swing.JPanel implements Dat
}
@Override
public int isPreferred(Node node, boolean isSupported) {
public int isPreferred(Node node) {
BlackboardArtifact artifact = node.getLookup().lookup(BlackboardArtifact.class);
if(isSupported) {
if(artifact == null) {
return 3;
}
else {
return 5;
}
if(artifact == null) {
return 3;
}
else {
return 0;
return 5;
}
}

8
Core/src/org/sleuthkit/autopsy/corecomponents/DataContentViewerHex.java
View File

@ -434,12 +434,8 @@ public class DataContentViewerHex extends javax.swing.JPanel implements DataCont
}
@Override
public int isPreferred(Node node, boolean isSupported) {
if (isSupported) {
return 1;
} else {
return 0;
}
public int isPreferred(Node node) {
return 1;
}
@Override

31
Core/src/org/sleuthkit/autopsy/corecomponents/DataContentViewerMedia.java
View File

@ -226,25 +226,22 @@ public class DataContentViewerMedia extends javax.swing.JPanel implements DataCo
}
@Override
public int isPreferred(Node node, boolean isSupported) {
if (isSupported) {
//special case, check if deleted video, then do not make it preferred
AbstractFile file = node.getLookup().lookup(AbstractFile.class);
if (file == null) {
return 0;
}
String name = file.getName().toLowerCase();
boolean deleted = file.isDirNameFlagSet(TSK_FS_NAME_FLAG_ENUM.UNALLOC);
if (containsExt(name, videoExtensions) && deleted) {
return 0;
}
else {
return 7;
}
} else {
public int isPreferred(Node node) {
//special case, check if deleted video, then do not make it preferred
AbstractFile file = node.getLookup().lookup(AbstractFile.class);
if (file == null) {
return 0;
}
String name = file.getName().toLowerCase();
boolean deleted = file.isDirNameFlagSet(TSK_FS_NAME_FLAG_ENUM.UNALLOC);
if (containsExt(name, videoExtensions) && deleted) {
return 0;
}
else {
return 7;
}
}
private static boolean containsExt(String name, String[] exts) {

63
Core/src/org/sleuthkit/autopsy/corecomponents/DataContentViewerString.java
View File

@ -322,14 +322,6 @@ public class DataContentViewerString extends javax.swing.JPanel implements DataC
private javax.swing.JLabel totalPageLabel;
// End of variables declaration//GEN-END:variables
@Deprecated
public void setDataView(Content dataSource, long offset, boolean reset) {
if (reset) {
resetComponent();
return;
}
setDataView(dataSource, offset);
}
/**
* Sets the DataView (The tabbed panel)
@ -399,6 +391,30 @@ public class DataContentViewerString extends javax.swing.JPanel implements DataC
this.setCursor(null);
}
private void setDataView(StringContent dataSource) {
this.setCursor(Cursor.getPredefinedCursor(Cursor.WAIT_CURSOR));
try {
this.dataSource = null;
// set the data on the bottom and show it
String text = dataSource.getString();
nextPageButton.setEnabled(false);
prevPageButton.setEnabled(false);
currentPage = 1;
int totalPage = 1;
totalPageLabel.setText(Integer.toString(totalPage));
currentPageLabel.setText(Integer.toString(currentPage));
outputViewPane.setText(text); // set the output view
setComponentsVisibility(true); // shows the components that not needed
outputViewPane.moveCaretPosition(0);
} finally {
this.setCursor(null);
}
}
/**
* To set the visibility of specific components in this class.
@ -484,12 +500,8 @@ public class DataContentViewerString extends javax.swing.JPanel implements DataC
}
@Override
public int isPreferred(Node node, boolean isSupported) {
if (node != null && isSupported) {
return 1;
} else {
return 0;
}
public int isPreferred(Node node) {
return 1;
}
@Override
@ -497,29 +509,6 @@ public class DataContentViewerString extends javax.swing.JPanel implements DataC
return this;
}
private void setDataView(StringContent dataSource) {
this.setCursor(Cursor.getPredefinedCursor(Cursor.WAIT_CURSOR));
try {
this.dataSource = null;
// set the data on the bottom and show it
String text = dataSource.getString();
nextPageButton.setEnabled(false);
prevPageButton.setEnabled(false);
currentPage = 1;
int totalPage = 1;
totalPageLabel.setText(Integer.toString(totalPage));
currentPageLabel.setText(Integer.toString(currentPage));
outputViewPane.setText(text); // set the output view
setComponentsVisibility(true); // shows the components that not needed
outputViewPane.moveCaretPosition(0);
} finally {
this.setCursor(null);
}
}
/* Show the right click menu only if evt is the correct mouse event */
private void maybeShowPopup(java.awt.event.MouseEvent evt) {

62
Core/src/org/sleuthkit/autopsy/corecomponents/docs/corecomponents-toc.xml
View File

@ -1,31 +1,31 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE toc PUBLIC "-//Sun Microsystems Inc.//DTD JavaHelp TOC Version 2.0//EN" "http://java.sun.com/products/javahelp/toc_2_0.dtd">
<toc version="2.0">
<tocitem text="Data Explorers">
<tocitem text="About Data Explorers" target="org.sleuthkit.autopsy.corecomponents.dataexplorer-about"/>
<tocitem text="Directory Tree">
<tocitem text="About Directory Tree" target="org.sleuthkit.autopsy.directorytree.about"/>
<tocitem text="Image Details Window" target="org.sleuthkit.autopsy.directorytree.image-details"/>
<tocitem text="Volume Details Window" target="org.sleuthkit.autopsy.directorytree.volume-details"/>
<tocitem text="Extracting Unallocated Space" target="org.sleuthkit.autopsy.directorytree.unallocated-space"/>
</tocitem>
<tocitem text="File Search">
<tocitem text="About File Search" target="org.sleuthkit.autopsy.filesearch.about"/>
<tocitem text="How to Open File Search" target="org.sleuthkit.autopsy.filesearch.open-filesearch"/>
<tocitem text="How to Use File Search" target="org.sleuthkit.autopsy.filesearch.how-to-use-filesearch"/>
</tocitem>
</tocitem>
<tocitem text="Result Viewers">
<tocitem text="About Result Viewers" target="org.sleuthkit.autopsy.corecomponents.dataresult-about"/>
<tocitem text="Table Results Viewer" target="org.sleuthkit.autopsy.corecomponents.table-results-viewer"/>
<tocitem text="Thumbnail Result Viewer" target="org.sleuthkit.autopsy.corecomponents.thumbnail-results-viewer"/>
</tocitem>
<tocitem text="Content Viewers">
<tocitem text="About Content Viewers" target="org.sleuthkit.autopsy.corecomponents.datacontent-about"/>
<tocitem text="Hex Content Viewer" target="org.sleuthkit.autopsy.corecomponents.hex-content-viewer"/>
<tocitem text="String Content Viewer" target="org.sleuthkit.autopsy.corecomponents.string-content-viewer"/>
<tocitem text="Text Content Viewer" target="org.sleuthkit.autopsy.corecomponents.text-content-viewer"/>
<tocitem text="Media Content Viewer" target="org.sleuthkit.autopsy.corecomponents.picture-content-viewer"/>
</tocitem>
</toc>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE toc PUBLIC "-//Sun Microsystems Inc.//DTD JavaHelp TOC Version 2.0//EN" "http://java.sun.com/products/javahelp/toc_2_0.dtd">
<toc version="2.0">
<tocitem text="Data Explorers">
<tocitem text="About Data Explorers" target="org.sleuthkit.autopsy.corecomponents.dataexplorer-about"/>
<tocitem text="Directory Tree">
<tocitem text="About Directory Tree" target="org.sleuthkit.autopsy.directorytree.about"/>
<tocitem text="Image Details Window" target="org.sleuthkit.autopsy.directorytree.image-details"/>
<tocitem text="Volume Details Window" target="org.sleuthkit.autopsy.directorytree.volume-details"/>
<tocitem text="Extracting Unallocated Space" target="org.sleuthkit.autopsy.directorytree.unallocated-space"/>
</tocitem>
<tocitem text="File Search">
<tocitem text="About File Search" target="org.sleuthkit.autopsy.filesearch.about"/>
<tocitem text="How to Open File Search" target="org.sleuthkit.autopsy.filesearch.open-filesearch"/>
<tocitem text="How to Use File Search" target="org.sleuthkit.autopsy.filesearch.how-to-use-filesearch"/>
</tocitem>
</tocitem>
<tocitem text="Result Viewers">
<tocitem text="About Result Viewers" target="org.sleuthkit.autopsy.corecomponents.dataresult-about"/>
<tocitem text="Table Results Viewer" target="org.sleuthkit.autopsy.corecomponents.table-results-viewer"/>
<tocitem text="Thumbnail Result Viewer" target="org.sleuthkit.autopsy.corecomponents.thumbnail-results-viewer"/>
</tocitem>
<tocitem text="Content Viewers">
<tocitem text="About Content Viewers" target="org.sleuthkit.autopsy.corecomponents.datacontent-about"/>
<tocitem text="Hex Content Viewer" target="org.sleuthkit.autopsy.corecomponents.hex-content-viewer"/>
<tocitem text="String Content Viewer" target="org.sleuthkit.autopsy.corecomponents.string-content-viewer"/>
<tocitem text="Text Content Viewer" target="org.sleuthkit.autopsy.corecomponents.text-content-viewer"/>
<tocitem text="Media Content Viewer" target="org.sleuthkit.autopsy.corecomponents.picture-content-viewer"/>
</tocitem>
</toc>

98
Core/src/org/sleuthkit/autopsy/corecomponents/docs/datacontent-about.html
View File

@ -1,50 +1,50 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>About Content Viewers</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Content Viewers</h2>
<p>
The Content Viewer area is in the lower right area of the interface.
This area is used to view a specific file in a variety of formats.
There are different tabs for different viewers.
Not all tabs support all file types, so only some of them will be enabled.
To display data in this area, a file must be selected from the
<a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/dataresult-about.html">Result Viewer</a> window.
</p>
<p>
The Content Viewer area is part of a plug-in framework.
You can install modules that will add more viewer types.
This section describes the viewers that come by default with Autopsy.
</p>
<p>Here's an example of a "Content Viewer" window:</p>
<img src="ContentViewer_example.png" alt="Example of Content Viewer Window" />
<h2>Default Viewers</h2>
<p> Currently, there are 5 main tabs on "Content Viewer" window:</p>
<ul>
<li><a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/result-viewer.html">Result Viewer</a></li>
<li><a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/hex-content-viewer.html">Hex Content Viewer</a></li>
<li><a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/string-content-viewer.html">String Content Viewer</a></li>
<li><a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/picture-content-viewer.html">Media Viewer</a></li>
<li><a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/text-content-viewer.html">Text Viewer</a></li>
</ul>
</body>
</html>
<!--
Tip: to create a link which will open in an external web browser, try:
<object classid="java:org.netbeans.modules.javahelp.BrowserDisplayer">
<param name="content" value="http://www.netbeans.org/">
<param name="text" value="<html><u>http://www.netbeans.org/</u></html>">
<param name="textFontSize" value="medium">
<param name="textColor" value="blue">
</object>
To create a link to a help set from another module, you need to know the code name base and path, e.g.:
<a href="nbdocs://org.netbeans.modules.usersguide/org/netbeans/modules/usersguide/configure/configure_options.html">Using the Options Window</a>
(This link will behave sanely if that module is disabled or missing.)
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>About Content Viewers</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Content Viewers</h2>
<p>
The Content Viewer area is in the lower right area of the interface.
This area is used to view a specific file in a variety of formats.
There are different tabs for different viewers.
Not all tabs support all file types, so only some of them will be enabled.
To display data in this area, a file must be selected from the
<a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/dataresult-about.html">Result Viewer</a> window.
</p>
<p>
The Content Viewer area is part of a plug-in framework.
You can install modules that will add more viewer types.
This section describes the viewers that come by default with Autopsy.
</p>
<p>Here's an example of a "Content Viewer" window:</p>
<img src="ContentViewer_example.png" alt="Example of Content Viewer Window" />
<h2>Default Viewers</h2>
<p> Currently, there are 5 main tabs on "Content Viewer" window:</p>
<ul>
<li><a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/result-viewer.html">Result Viewer</a></li>
<li><a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/hex-content-viewer.html">Hex Content Viewer</a></li>
<li><a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/string-content-viewer.html">String Content Viewer</a></li>
<li><a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/picture-content-viewer.html">Media Viewer</a></li>
<li><a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/text-content-viewer.html">Text Viewer</a></li>
</ul>
</body>
</html>
<!--
Tip: to create a link which will open in an external web browser, try:
<object classid="java:org.netbeans.modules.javahelp.BrowserDisplayer">
<param name="content" value="http://www.netbeans.org/">
<param name="text" value="<html><u>http://www.netbeans.org/</u></html>">
<param name="textFontSize" value="medium">
<param name="textColor" value="blue">
</object>
To create a link to a help set from another module, you need to know the code name base and path, e.g.:
<a href="nbdocs://org.netbeans.modules.usersguide/org/netbeans/modules/usersguide/configure/configure_options.html">Using the Options Window</a>
(This link will behave sanely if that module is disabled or missing.)
!-->

92
Core/src/org/sleuthkit/autopsy/corecomponents/docs/dataexplorer-about.html
View File

@ -1,47 +1,47 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Data Explorers</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>About the Data Explorer</h2>
<p>
The Data Explorer view in Autopsy is the <a href="nbdocs:/org/sleuthkit/autopsy/directorytree/docs/directorytree-about.html">directory tree</a>
node structure seen on the left hand side.
</p>
<p>The data explorer contains the following data:</p>
<ul>
<li>Image file-system with its directory structure that can be navigated,</li>
<li>Saved results of image and file analysis, such as results produced by the ingest process,</li>
<li>Built-in views and filters on the file-system and saved results.</li>
</ul>
<p>The data explorer provides different methods for finding relevant data, such as:</p>
<ul>
<li>All files of a specific type</li>
<li>Different extracted content types (web bookmarks, web history, installed programs, devices, etc.)</li>
<li>Hash database hits</li>
<li>Keyword hits</li>
<li>File bookmarks</li>
</ul>
<p>
The Data Explorer will publish all relevant data to the <a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/dataresult-about.html">Result Viewer</a>
when specific nodes are clicked. In general, if you are looking for an 'analysis technique', then this is where you should look.
</p>
</body>
</html>
<!--
Tip: to create a link which will open in an external web browser, try:
<object classid="java:org.netbeans.modules.javahelp.BrowserDisplayer">
<param name="content" value="http://www.netbeans.org/">
<param name="text" value="<html><u>http://www.netbeans.org/</u></html>">
<param name="textFontSize" value="medium">
<param name="textColor" value="blue">
</object>
To create a link to a help set from another module, you need to know the code name base and path, e.g.:
<a href="nbdocs://org.netbeans.modules.usersguide/org/netbeans/modules/usersguide/configure/configure_options.html">Using the Options Window</a>
(This link will behave sanely if that module is disabled or missing.)
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Data Explorers</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>About the Data Explorer</h2>
<p>
The Data Explorer view in Autopsy is the <a href="nbdocs:/org/sleuthkit/autopsy/directorytree/docs/directorytree-about.html">directory tree</a>
node structure seen on the left hand side.
</p>
<p>The data explorer contains the following data:</p>
<ul>
<li>Image file-system with its directory structure that can be navigated,</li>
<li>Saved results of image and file analysis, such as results produced by the ingest process,</li>
<li>Built-in views and filters on the file-system and saved results.</li>
</ul>
<p>The data explorer provides different methods for finding relevant data, such as:</p>
<ul>
<li>All files of a specific type</li>
<li>Different extracted content types (web bookmarks, web history, installed programs, devices, etc.)</li>
<li>Hash database hits</li>
<li>Keyword hits</li>
<li>File bookmarks</li>
</ul>
<p>
The Data Explorer will publish all relevant data to the <a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/dataresult-about.html">Result Viewer</a>
when specific nodes are clicked. In general, if you are looking for an 'analysis technique', then this is where you should look.
</p>
</body>
</html>
<!--
Tip: to create a link which will open in an external web browser, try:
<object classid="java:org.netbeans.modules.javahelp.BrowserDisplayer">
<param name="content" value="http://www.netbeans.org/">
<param name="text" value="<html><u>http://www.netbeans.org/</u></html>">
<param name="textFontSize" value="medium">
<param name="textColor" value="blue">
</object>
To create a link to a help set from another module, you need to know the code name base and path, e.g.:
<a href="nbdocs://org.netbeans.modules.usersguide/org/netbeans/modules/usersguide/configure/configure_options.html">Using the Options Window</a>
(This link will behave sanely if that module is disabled or missing.)
!-->

90
Core/src/org/sleuthkit/autopsy/corecomponents/docs/dataresult-about.html
View File

@ -1,45 +1,45 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Result Viewers</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Result Viewers</h2>
<p>
The Result Viewer windows are in the upper right area of the interface and display the results from selecting something in the
<a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/dataexplorer-about.html">Data Explorer Tree</a> area.
You will have the option to display the results in a variety of formats.
</p>
<p>Currently, there are 2 main tabs in the Result Viewer window:</p>
<ul>
<li><a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/table-results-viewer.html">Table Results Viewer</a></li>
<li><a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/thumbnail-results-viewer.html">Thumbnail Results Viewer</a></li>
</ul>
<h2>Right Click Functions</h2>
<p>
Viewers in Result Viewers have certain right-click functions built-in into them that can be accessed when a node a certain type is selected (a file, directory or a result).
</p>
<p>Here are some examples that you may see:</p>
<ul>
<li><strong>Open File in External Viewer</strong>:
Opens the selected file in an "external" application as defined by the local OS.
For example, HTML files may be opened by IE or Firefox, depending on what the local system is configured to use.</li>
<li><strong>View in New Window:</strong>
Opens the content in a new internal Content Viewer (instead of in the default location in the lower right).</li>
<li><strong>Extract:</strong>
Make a local copy of the file or directory for further analysis.</li>
<li><strong>Search for files with the same MD5 Hash:</strong>
Searches the entire file-system for any files with the same MD5 Hash as the one selected.</li>
</ul>
<h2>Example</h2>
<p>Below is an example of a "Result Viewer" window:</p>
<img src="ResultViewer_example.png" alt="Example of Result Viewer Window" />
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Result Viewers</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Result Viewers</h2>
<p>
The Result Viewer windows are in the upper right area of the interface and display the results from selecting something in the
<a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/dataexplorer-about.html">Data Explorer Tree</a> area.
You will have the option to display the results in a variety of formats.
</p>
<p>Currently, there are 2 main tabs in the Result Viewer window:</p>
<ul>
<li><a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/table-results-viewer.html">Table Results Viewer</a></li>
<li><a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/thumbnail-results-viewer.html">Thumbnail Results Viewer</a></li>
</ul>
<h2>Right Click Functions</h2>
<p>
Viewers in Result Viewers have certain right-click functions built-in into them that can be accessed when a node a certain type is selected (a file, directory or a result).
</p>
<p>Here are some examples that you may see:</p>
<ul>
<li><strong>Open File in External Viewer</strong>:
Opens the selected file in an "external" application as defined by the local OS.
For example, HTML files may be opened by IE or Firefox, depending on what the local system is configured to use.</li>
<li><strong>View in New Window:</strong>
Opens the content in a new internal Content Viewer (instead of in the default location in the lower right).</li>
<li><strong>Extract:</strong>
Make a local copy of the file or directory for further analysis.</li>
<li><strong>Search for files with the same MD5 Hash:</strong>
Searches the entire file-system for any files with the same MD5 Hash as the one selected.</li>
</ul>
<h2>Example</h2>
<p>Below is an example of a "Result Viewer" window:</p>
<img src="ResultViewer_example.png" alt="Example of Result Viewer Window" />
</body>
</html>

40
Core/src/org/sleuthkit/autopsy/corecomponents/docs/hex-content-viewer.html
View File

@ -1,21 +1,21 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Hex Content Viewer</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Hex Content Viewer</h2>
<p>
Hex Content Viewer shows you the raw and exact contents of a file.
In this Hex Content Viewer, the data of the file is represented as hexadecimal values grouped in 2 groups of 8 bytes,
followed by one group of 16 ASCII characters which are derived from each pair of hex values (each byte).
Non-printable ASCII characters and characters that would take more than one character space are typically represented by a dot (".") in the following ASCII field.
</p>
<h2>Example</h2>
<p>Below is an example of "Hex Content Viewer" window:</p>
<img src="Hex_Content_Viewer.png" alt="Example of Hex Content Viewer Tab" />
</body>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Hex Content Viewer</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Hex Content Viewer</h2>
<p>
Hex Content Viewer shows you the raw and exact contents of a file.
In this Hex Content Viewer, the data of the file is represented as hexadecimal values grouped in 2 groups of 8 bytes,
followed by one group of 16 ASCII characters which are derived from each pair of hex values (each byte).
Non-printable ASCII characters and characters that would take more than one character space are typically represented by a dot (".") in the following ASCII field.
</p>
<h2>Example</h2>
<p>Below is an example of "Hex Content Viewer" window:</p>
<img src="Hex_Content_Viewer.png" alt="Example of Hex Content Viewer Tab" />
</body>
</html>

40
Core/src/org/sleuthkit/autopsy/corecomponents/docs/picture-content-viewer.html
View File

@ -1,20 +1,20 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Media Content Viewer</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Media Content Viewer</h2>
<p>
The Media Content Viewer will show a picture or video file.
Video files can be played and paused.
The size of the picture or video will be reduced to fit into the screen.
If you want more complex analysis of the media, then you must export the file.
</p>
<p>If you select an non-picture file or an unsupported picture format on the "Result Viewers", this tab will be disabled.</p>
<p>Here's one of the example of the "Media Content Viewer":</p>
<img src="Picture_Content_Viewer.png" alt="Example of Picture Content Viewer Tab" />
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Media Content Viewer</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Media Content Viewer</h2>
<p>
The Media Content Viewer will show a picture or video file.
Video files can be played and paused.
The size of the picture or video will be reduced to fit into the screen.
If you want more complex analysis of the media, then you must export the file.
</p>
<p>If you select an non-picture file or an unsupported picture format on the "Result Viewers", this tab will be disabled.</p>
<p>Here's one of the example of the "Media Content Viewer":</p>
<img src="Picture_Content_Viewer.png" alt="Example of Picture Content Viewer Tab" />
</body>
</html>

54
Core/src/org/sleuthkit/autopsy/corecomponents/docs/result-viewer.html
View File

@ -1,28 +1,28 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Result Content Viewer</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Result Content Viewer</h2>
<p>Result Content Viewer shows the artifacts (saved results) associated with the item selected in the Result Viewer.</p>
<h2>Example</h2>
<p>Below is an example of "Result Content Viewer" window:</p>
<img src="Result_Viewer.png" alt="Example of Result Content Viewer Tab" />
</body>
</html>
<!--
Tip: to create a link which will open in an external web browser, try:
<object classid="java:org.netbeans.modules.javahelp.BrowserDisplayer">
<param name="content" value="http://www.netbeans.org/">
<param name="text" value="<html><u>http://www.netbeans.org/</u></html>">
<param name="textFontSize" value="medium">
<param name="textColor" value="blue">
</object>
To create a link to a help set from another module, you need to know the code name base and path, e.g.:
<a href="nbdocs://org.netbeans.modules.usersguide/org/netbeans/modules/usersguide/configure/configure_options.html">Using the Options Window</a>
(This link will behave sanely if that module is disabled or missing.)
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Result Content Viewer</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Result Content Viewer</h2>
<p>Result Content Viewer shows the artifacts (saved results) associated with the item selected in the Result Viewer.</p>
<h2>Example</h2>
<p>Below is an example of "Result Content Viewer" window:</p>
<img src="Result_Viewer.png" alt="Example of Result Content Viewer Tab" />
</body>
</html>
<!--
Tip: to create a link which will open in an external web browser, try:
<object classid="java:org.netbeans.modules.javahelp.BrowserDisplayer">
<param name="content" value="http://www.netbeans.org/">
<param name="text" value="<html><u>http://www.netbeans.org/</u></html>">
<param name="textFontSize" value="medium">
<param name="textColor" value="blue">
</object>
To create a link to a help set from another module, you need to know the code name base and path, e.g.:
<a href="nbdocs://org.netbeans.modules.usersguide/org/netbeans/modules/usersguide/configure/configure_options.html">Using the Options Window</a>
(This link will behave sanely if that module is disabled or missing.)
!-->

46
Core/src/org/sleuthkit/autopsy/corecomponents/docs/string-content-viewer.html
View File

@ -1,23 +1,23 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>String Content Viewer</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>String Content Viewer</h2>
<p>
Strings Content Viewer scans (potentially binary) data of the file / folder and searches it for data that could be text.
When appropriate data is found, the String Content Viewer shows data strings extracted from binary, decoded, and interpreted as UTF8/16 for the selected script/language.
</p>
<p>
Note that this is different from the Text Content Viewer, which displays the text for a file that is stored in the keyword search index.
The results may be the same or they could be different, depending how the data were interpreted by the indexer.
</p>
<h2>Example</h2>
<p>Below is an example of "String Content Viewer" window:</p>
<img src="String_Content_Viewer.png" alt="Example of String Content Viewer Tab" />
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>String Content Viewer</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>String Content Viewer</h2>
<p>
Strings Content Viewer scans (potentially binary) data of the file / folder and searches it for data that could be text.
When appropriate data is found, the String Content Viewer shows data strings extracted from binary, decoded, and interpreted as UTF8/16 for the selected script/language.
</p>
<p>
Note that this is different from the Text Content Viewer, which displays the text for a file that is stored in the keyword search index.
The results may be the same or they could be different, depending how the data were interpreted by the indexer.
</p>
<h2>Example</h2>
<p>Below is an example of "String Content Viewer" window:</p>
<img src="String_Content_Viewer.png" alt="Example of String Content Viewer Tab" />
</body>
</html>

46
Core/src/org/sleuthkit/autopsy/corecomponents/docs/table-results-viewer.html
View File

@ -1,24 +1,24 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Table Results (Directory Listing) Viewer</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Table Results Viewer</h2>
<p>
Table Results Viewer (Directory Listing) displays the data catalog as a table with some details (properties) of each file.
The properties that it shows are: name, time (modified, changed, accessed, and created), size, flags (directory and meta), mode, user ID, group ID, metadata address, attribute address, and type (directory and meta).
Click the Table Viewer tab to select this view.
</p>
<p>
The Results Viewer can be also activated for saved results and it can show a high level results grouped,
or a results at a file level, depending on which node on the Directory Tree is selected to populate the Table Results Viewer.
</p>
<h2>Example</h2>
<p>Below is an example of a "Table Results Viewer" window:</p>
<img src="Table_Results_Viewer.png" alt="Example of Table Result Viewers Tab" />
</body>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Table Results (Directory Listing) Viewer</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Table Results Viewer</h2>
<p>
Table Results Viewer (Directory Listing) displays the data catalog as a table with some details (properties) of each file.
The properties that it shows are: name, time (modified, changed, accessed, and created), size, flags (directory and meta), mode, user ID, group ID, metadata address, attribute address, and type (directory and meta).
Click the Table Viewer tab to select this view.
</p>
<p>
The Results Viewer can be also activated for saved results and it can show a high level results grouped,
or a results at a file level, depending on which node on the Directory Tree is selected to populate the Table Results Viewer.
</p>
<h2>Example</h2>
<p>Below is an example of a "Table Results Viewer" window:</p>
<img src="Table_Results_Viewer.png" alt="Example of Table Result Viewers Tab" />
</body>
</html>

60
Core/src/org/sleuthkit/autopsy/corecomponents/docs/text-content-viewer.html
View File

@ -1,30 +1,30 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Text View</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Text View</h2>
<p>
Text Content Viewer uses the keyword search index that may have been populated during
<a href="nbdocs:/org/sleuthkit/autopsy/ingest/docs/ingest-about.html">Image Ingest</a>.
If a file has text stored in the index, then this tab will be enabled and it will be displayed to the user if a file or a result associated with a file is selected.
</p>
<p>
This tab may have more text on it than the "String View", which relies on searching the file for text-looking data.
Some files, like PDF, will not have text-looking data at the byte-level, but the keyword indexing process knows how to interpret a PDF file and produce text.
For the files the indexer knows about, there may be the METADATA section at the end of the displayed extracted text.
If an indexed document contains any metadata (such as creation date, author, etc), it will be displayed there.
Note that, unlike the "String View", the Text View does not have its built-in settings for the script/language to use for extracted strings.
This is because the script/language is used at indexing time, and that setting is associated with the Keyword Search indexer, not the viewer.
</p>
<p>
If this tab is not enabled, then either the file has no text or you did not enable Keyword Search as an ingest module.
Note that this viewer is also used to display highlighted keyword hits when operated in the "Search Matches" mode,
selected on the right-hand side of the viewer's toolbar.
</p>
<img src="textview.png" alt="Text View" />
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Text View</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Text View</h2>
<p>
Text Content Viewer uses the keyword search index that may have been populated during
<a href="nbdocs:/org/sleuthkit/autopsy/ingest/docs/ingest-about.html">Image Ingest</a>.
If a file has text stored in the index, then this tab will be enabled and it will be displayed to the user if a file or a result associated with a file is selected.
</p>
<p>
This tab may have more text on it than the "String View", which relies on searching the file for text-looking data.
Some files, like PDF, will not have text-looking data at the byte-level, but the keyword indexing process knows how to interpret a PDF file and produce text.
For the files the indexer knows about, there may be the METADATA section at the end of the displayed extracted text.
If an indexed document contains any metadata (such as creation date, author, etc), it will be displayed there.
Note that, unlike the "String View", the Text View does not have its built-in settings for the script/language to use for extracted strings.
This is because the script/language is used at indexing time, and that setting is associated with the Keyword Search indexer, not the viewer.
</p>
<p>
If this tab is not enabled, then either the file has no text or you did not enable Keyword Search as an ingest module.
Note that this viewer is also used to display highlighted keyword hits when operated in the "Search Matches" mode,
selected on the right-hand side of the viewer's toolbar.
</p>
<img src="textview.png" alt="Text View" />
</body>
</html>

42
Core/src/org/sleuthkit/autopsy/corecomponents/docs/thumbnail-results-viewer.html
View File

@ -1,22 +1,22 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Thumbnail Results Viewer</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Thumbnail Results Viewer</h2>
<p>
Thumbnail Results Viewer displays the data catalog as a table of thumbnail images in adjustable sizes.
This viewer only supports picture file(s) (Currently, only supports JPG, GIF, and PNG formats).
Click the Thumbnail tab to select this view.
Note that for a large number of images in a directory selected in the Data Explorer, or for a View selected that contains
a large number of images, it might take a while to populate this view for the first time before the images are cached.
</p>
<h2>Example</h2>
<p>Below is an example of "Thumbnail Results Viewer" window:</p>
<img src="Thumbnail_Results_Viewer.png" alt="Example of Thumbnail Results Viewer Tab" />
</body>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Thumbnail Results Viewer</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Thumbnail Results Viewer</h2>
<p>
Thumbnail Results Viewer displays the data catalog as a table of thumbnail images in adjustable sizes.
This viewer only supports picture file(s) (Currently, only supports JPG, GIF, and PNG formats).
Click the Thumbnail tab to select this view.
Note that for a large number of images in a directory selected in the Data Explorer, or for a View selected that contains
a large number of images, it might take a while to populate this view for the first time before the images are cached.
</p>
<h2>Example</h2>
<p>Below is an example of "Thumbnail Results Viewer" window:</p>
<img src="Thumbnail_Results_Viewer.png" alt="Example of Thumbnail Results Viewer Tab" />
</body>
</html>

94
Core/src/org/sleuthkit/autopsy/directorytree/docs/directorytree-about.html
View File

@ -1,48 +1,48 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Data Explorer (Directory Tree)</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>About Data Explorer (Directory Tree)</h2>
<p>
The data explorer tree is a very important area of the interface.
This is where you will start many of your analysis approaches and find saved results from automated procedures (ingest).
The tree has three main areas:
</p>
<ul>
<li><strong>Images:</strong>
Where you can find the directory tree hierarchy of the file systems in the images.
Go here to navigate to a specific file or directory.
</li>
<li><strong>Views:</strong>
Where you can view all of the files in the images, but organized by file type or dates instead of directories.
Go here if you are looking for files of a given type or that were recently used.
</li>
<li><strong>Results:</strong>
Where you can see the results from the background ingest tasks and you can see your previous search results.
Go here to see what was found by the ingest modules and to find your previous search results.
</li>
<li><strong>Bookmarks:</strong>
Where you can view all file and results that have been bookmarked for easy access.
</li>
</ul>
<p>Below is an example of an Data Explorer Tree window:</p>
<img src="DirectoryTree_example.png" alt="Explorer Tree" />
</body>
</html>
<!--
Tip: to create a link which will open in an external web browser, try:
<object classid="java:org.netbeans.modules.javahelp.BrowserDisplayer">
<param name="content" value="http://www.netbeans.org/">
<param name="text" value="<html><u>http://www.netbeans.org/</u></html>">
<param name="textFontSize" value="medium">
<param name="textColor" value="blue">
</object>
To create a link to a help set from another module, you need to know the code name base and path, e.g.:
<a href="nbdocs://org.netbeans.modules.usersguide/org/netbeans/modules/usersguide/configure/configure_options.html">Using the Options Window</a>
(This link will behave sanely if that module is disabled or missing.)
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Data Explorer (Directory Tree)</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>About Data Explorer (Directory Tree)</h2>
<p>
The data explorer tree is a very important area of the interface.
This is where you will start many of your analysis approaches and find saved results from automated procedures (ingest).
The tree has three main areas:
</p>
<ul>
<li><strong>Images:</strong>
Where you can find the directory tree hierarchy of the file systems in the images.
Go here to navigate to a specific file or directory.
</li>
<li><strong>Views:</strong>
Where you can view all of the files in the images, but organized by file type or dates instead of directories.
Go here if you are looking for files of a given type or that were recently used.
</li>
<li><strong>Results:</strong>
Where you can see the results from the background ingest tasks and you can see your previous search results.
Go here to see what was found by the ingest modules and to find your previous search results.
</li>
<li><strong>Bookmarks:</strong>
Where you can view all file and results that have been bookmarked for easy access.
</li>
</ul>
<p>Below is an example of an Data Explorer Tree window:</p>
<img src="DirectoryTree_example.png" alt="Explorer Tree" />
</body>
</html>
<!--
Tip: to create a link which will open in an external web browser, try:
<object classid="java:org.netbeans.modules.javahelp.BrowserDisplayer">
<param name="content" value="http://www.netbeans.org/">
<param name="text" value="<html><u>http://www.netbeans.org/</u></html>">
<param name="textFontSize" value="medium">
<param name="textColor" value="blue">
</object>
To create a link to a help set from another module, you need to know the code name base and path, e.g.:
<a href="nbdocs://org.netbeans.modules.usersguide/org/netbeans/modules/usersguide/configure/configure_options.html">Using the Options Window</a>
(This link will behave sanely if that module is disabled or missing.)
!-->

40
Core/src/org/sleuthkit/autopsy/directorytree/docs/image-details.html
View File

@ -1,20 +1,20 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Image Details Window</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Image Details Window</h2>
<p>
The Image Details window shows you basic information about a disk image.
You can access it by right-clicking on an image in the tree and choosing "Image Details".
</p>
<img src="rightClick_imageDetails.png" alt="Right click on directory tree to show Image Details" />
<p>An example is shown here:</p>
<img src="ImageDetailHelp.png" alt="Example of Image Details Window" />
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Image Details Window</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Image Details Window</h2>
<p>
The Image Details window shows you basic information about a disk image.
You can access it by right-clicking on an image in the tree and choosing "Image Details".
</p>
<img src="rightClick_imageDetails.png" alt="Right click on directory tree to show Image Details" />
<p>An example is shown here:</p>
<img src="ImageDetailHelp.png" alt="Example of Image Details Window" />
</body>
</html>

44
Core/src/org/sleuthkit/autopsy/directorytree/docs/volume-details.html
View File

@ -1,22 +1,22 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Volume Details Window</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Volume Details Window</h2>
<p>
The Volume Details window shows you information about a volume.
It shows information such as the starting sector, length, and description.
You can view the information by right clicking on a volume in the tree and choosing "Volume Details".
</p>
<img src="rightClick_volumeDetails.png" alt="Right click on directory tree to show Volume Details" />
<p>An example is shown here:</p>
<img src="VolumeDetailHelp.png" alt="Example of Volume Details Window" />
</body>
</html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Volume Details Window</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Volume Details Window</h2>
<p>
The Volume Details window shows you information about a volume.
It shows information such as the starting sector, length, and description.
You can view the information by right clicking on a volume in the tree and choosing "Volume Details".
</p>
<img src="rightClick_volumeDetails.png" alt="Right click on directory tree to show Volume Details" />
<p>An example is shown here:</p>
<img src="VolumeDetailHelp.png" alt="Example of Volume Details Window" />
</body>
</html>

5
Core/src/org/sleuthkit/autopsy/examples/SampleContentViewer.java
View File

@ -166,10 +166,7 @@ public class SampleContentViewer extends javax.swing.JPanel implements DataConte
}
@Override
public int isPreferred(Node node, boolean isSupported) {
if (isSupported == false) {
return 0;
}
public int isPreferred(Node node) {
// we return 1 since this module will operate on nearly all files
return 1;
}

250
Core/src/org/sleuthkit/autopsy/examples/SampleDataSourceIngestModule.java
View File

@ -1,125 +1,125 @@
/*
* Sample module in the public domain. Feel free to use this as a template
* for your modules.
*
* Contact: Brian Carrier [carrier <at> sleuthkit [dot] org]
*
* This is free and unencumbered software released into the public domain.
*
* Anyone is free to copy, modify, publish, use, compile, sell, or
* distribute this software, either in source code form or as a compiled
* binary, for any purpose, commercial or non-commercial, and by any
* means.
*
* In jurisdictions that recognize copyright laws, the author or authors
* of this software dedicate any and all copyright interest in the
* software to the public domain. We make this dedication for the benefit
* of the public at large and to the detriment of our heirs and
* successors. We intend this dedication to be an overt act of
* relinquishment in perpetuity of all present and future rights to this
* software under copyright law.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
* IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
* OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
* ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
* OTHER DEALINGS IN THE SOFTWARE.
*/
package org.sleuthkit.autopsy.examples;
import java.util.List;
import org.apache.log4j.Logger;
import org.openide.util.Exceptions;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.casemodule.services.FileManager;
import org.sleuthkit.autopsy.casemodule.services.Services;
import org.sleuthkit.autopsy.ingest.IngestDataSourceWorkerController;
import org.sleuthkit.autopsy.ingest.IngestModuleDataSource;
import org.sleuthkit.autopsy.ingest.IngestModuleInit;
import org.sleuthkit.autopsy.ingest.PipelineContext;
import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskCoreException;
/**
* Sample DataSource-level ingest module that doesn't do much at all.
* Just exists to show basic idea of these modules
*/
public class SampleDataSourceIngestModule extends org.sleuthkit.autopsy.ingest.IngestModuleDataSource {
/* Data Source modules operate on a disk or set of logical files. They
* are passed in teh data source refernce and query it for things they want.
*/
@Override
public void process(PipelineContext<IngestModuleDataSource> pipelineContext, Content dataSource, IngestDataSourceWorkerController controller) {
Case case1 = Case.getCurrentCase();
SleuthkitCase sleuthkitCase = case1.getSleuthkitCase();
Services services = new Services(sleuthkitCase);
FileManager fm = services.getFileManager();
try {
/* you can use the findFiles method in FileManager (or similar ones in
* SleuthkitCase to find files based only on their name. This
* one finds files that have a .doc extension. */
List<AbstractFile> docFiles = fm.findFiles(dataSource, "%.doc");
for (AbstractFile file : docFiles) {
// do something with each doc file
}
/* We can also do more general queries with findFilesWhere, which
* allows us to make our own WHERE clause in the database.
*/
long currentTime = System.currentTimeMillis()/1000;
// go back 2 weeks
long minTime = currentTime - (14 * 24 * 60 * 60);
List<FsContent> otherFiles = sleuthkitCase.findFilesWhere("crtime > " + minTime);
// do something with these files...
} catch (TskCoreException ex) {
Logger log = Logger.getLogger(SampleDataSourceIngestModule.class);
log.fatal("Error retrieving files from database: " + ex.getLocalizedMessage());
return;
}
}
@Override
public void init(IngestModuleInit initContext) {
// do nothing
}
@Override
public void complete() {
// do nothing
}
@Override
public void stop() {
// do nothing
}
@Override
public String getName() {
return "SampleDataSourceIngestModule";
}
@Override
public String getVersion() {
return "1.0";
}
@Override
public String getDescription() {
return "Doesn't do much";
}
@Override
public boolean hasBackgroundJobsRunning() {
return false;
}
}
/*
* Sample module in the public domain. Feel free to use this as a template
* for your modules.
*
* Contact: Brian Carrier [carrier <at> sleuthkit [dot] org]
*
* This is free and unencumbered software released into the public domain.
*
* Anyone is free to copy, modify, publish, use, compile, sell, or
* distribute this software, either in source code form or as a compiled
* binary, for any purpose, commercial or non-commercial, and by any
* means.
*
* In jurisdictions that recognize copyright laws, the author or authors
* of this software dedicate any and all copyright interest in the
* software to the public domain. We make this dedication for the benefit
* of the public at large and to the detriment of our heirs and
* successors. We intend this dedication to be an overt act of
* relinquishment in perpetuity of all present and future rights to this
* software under copyright law.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
* IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
* OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
* ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
* OTHER DEALINGS IN THE SOFTWARE.
*/
package org.sleuthkit.autopsy.examples;
import java.util.List;
import org.apache.log4j.Logger;
import org.openide.util.Exceptions;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.casemodule.services.FileManager;
import org.sleuthkit.autopsy.casemodule.services.Services;
import org.sleuthkit.autopsy.ingest.IngestDataSourceWorkerController;
import org.sleuthkit.autopsy.ingest.IngestModuleDataSource;
import org.sleuthkit.autopsy.ingest.IngestModuleInit;
import org.sleuthkit.autopsy.ingest.PipelineContext;
import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskCoreException;
/**
* Sample DataSource-level ingest module that doesn't do much at all.
* Just exists to show basic idea of these modules
*/
public class SampleDataSourceIngestModule extends org.sleuthkit.autopsy.ingest.IngestModuleDataSource {
/* Data Source modules operate on a disk or set of logical files. They
* are passed in teh data source refernce and query it for things they want.
*/
@Override
public void process(PipelineContext<IngestModuleDataSource> pipelineContext, Content dataSource, IngestDataSourceWorkerController controller) {
Case case1 = Case.getCurrentCase();
SleuthkitCase sleuthkitCase = case1.getSleuthkitCase();
Services services = new Services(sleuthkitCase);
FileManager fm = services.getFileManager();
try {
/* you can use the findFiles method in FileManager (or similar ones in
* SleuthkitCase to find files based only on their name. This
* one finds files that have a .doc extension. */
List<AbstractFile> docFiles = fm.findFiles(dataSource, "%.doc");
for (AbstractFile file : docFiles) {
// do something with each doc file
}
/* We can also do more general queries with findFilesWhere, which
* allows us to make our own WHERE clause in the database.
*/
long currentTime = System.currentTimeMillis()/1000;
// go back 2 weeks
long minTime = currentTime - (14 * 24 * 60 * 60);
List<FsContent> otherFiles = sleuthkitCase.findFilesWhere("crtime > " + minTime);
// do something with these files...
} catch (TskCoreException ex) {
Logger log = Logger.getLogger(SampleDataSourceIngestModule.class);
log.fatal("Error retrieving files from database: " + ex.getLocalizedMessage());
return;
}
}
@Override
public void init(IngestModuleInit initContext) {
// do nothing
}
@Override
public void complete() {
// do nothing
}
@Override
public void stop() {
// do nothing
}
@Override
public String getName() {
return "SampleDataSourceIngestModule";
}
@Override
public String getVersion() {
return "1.0";
}
@Override
public String getDescription() {
return "Doesn't do much";
}
@Override
public boolean hasBackgroundJobsRunning() {
return false;
}
}

356
Core/src/org/sleuthkit/autopsy/examples/SampleFileIngestModule.java
View File

@ -1,178 +1,178 @@
/*
* Sample module in the public domain. Feel free to use this as a template
* for your modules.
*
* Contact: Brian Carrier [carrier <at> sleuthkit [dot] org]
*
* This is free and unencumbered software released into the public domain.
*
* Anyone is free to copy, modify, publish, use, compile, sell, or
* distribute this software, either in source code form or as a compiled
* binary, for any purpose, commercial or non-commercial, and by any
* means.
*
* In jurisdictions that recognize copyright laws, the author or authors
* of this software dedicate any and all copyright interest in the
* software to the public domain. We make this dedication for the benefit
* of the public at large and to the detriment of our heirs and
* successors. We intend this dedication to be an overt act of
* relinquishment in perpetuity of all present and future rights to this
* software under copyright law.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
* IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
* OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
* ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
* OTHER DEALINGS IN THE SOFTWARE.
*/
package org.sleuthkit.autopsy.examples;
import org.apache.log4j.Logger;
import org.openide.util.Exceptions;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.ingest.IngestModuleAbstractFile;
import org.sleuthkit.autopsy.ingest.IngestModuleInit;
import org.sleuthkit.autopsy.ingest.PipelineContext;
import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.TskCoreException;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskData;
/**
* This is a sample and simple module. It is a file-level ingest module, meaning
* that it will get called on each file in the disk image / logical file set.
* It does a stupid calculation of the number of null bytes in the beginning of the
* file in order to show the basic flow.
*
* Autopsy has been hard coded to ignore this module based on the it's package name.
* IngestModuleLoader will not load things from the org.sleuthkit.autopsy.examples package.
* Either change the package or the loading code to make this module actually run.
*/
public class SampleFileIngestModule extends org.sleuthkit.autopsy.ingest.IngestModuleAbstractFile {
private int attrId = -1;
private static SampleFileIngestModule defaultInstance = null;
// Private to ensure Singleton status
private SampleFileIngestModule() {
}
// File-level ingest modules are currently singleton -- this is required
public static synchronized SampleFileIngestModule getDefault() {
//defaultInstance is a private static class variable
if (defaultInstance == null) {
defaultInstance = new SampleFileIngestModule();
}
return defaultInstance;
}
@Override
public void init(IngestModuleInit initContext) {
/* For this demo, we are going to make a private attribute to post our
* results to the blackbaord with. There are many standard blackboard artifact
* and attribute types and you should first consider using one of those before
* making private ones because other modules won't know about provate ones.
* Because our demo has results that have no real value, we do not have an
* official attribute for them.
*/
Case case1 = Case.getCurrentCase();
SleuthkitCase sleuthkitCase = case1.getSleuthkitCase();
// see if the type already exists in the blackboard.
try {
attrId = sleuthkitCase.getAttrTypeID("ATTR_SAMPLE");
} catch (TskCoreException ex) {
// create it if not
try {
attrId = sleuthkitCase.addAttrType("ATTR_SAMPLE", "Sample Attribute");
} catch (TskCoreException ex1) {
Logger log = Logger.getLogger(SampleFileIngestModule.class);
log.fatal("Error adding attribute type: " + ex1.getLocalizedMessage());
attrId = -1;
}
}
}
@Override
public ProcessResult process(PipelineContext<IngestModuleAbstractFile> pipelineContext, AbstractFile abstractFile) {
// skip non-files
if ((abstractFile.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) ||
(abstractFile.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS)) {
return ProcessResult.OK;
}
// skip NSRL / known files
if (abstractFile.getKnown() == TskData.FileKnown.KNOWN) {
return ProcessResult.OK;
}
/* Do a non-sensical calculation of the number of 0x00 bytes
* in the first 1024-bytes of the file. This is for demo
* purposes only.
*/
try {
byte buffer[] = new byte[1024];
int len = abstractFile.read(buffer, 0, 1024);
int count = 0;
for (int i = 0; i < len; i++) {
if (buffer[i] == 0x00) {
count++;
}
}
if (attrId != -1) {
// Make an attribute using the ID for the private type that we previously created.
BlackboardAttribute attr = new BlackboardAttribute(attrId, getName(), count);
/* add it to the general info artifact. In real modules, you would likely have
* more complex data types and be making more specific artifacts.
*/
BlackboardArtifact art = abstractFile.getGenInfoArtifact();
art.addAttribute(attr);
}
return ProcessResult.OK;
} catch (TskCoreException ex) {
Exceptions.printStackTrace(ex);
return ProcessResult.ERROR;
}
}
@Override
public void complete() {
}
@Override
public void stop() {
}
@Override
public String getVersion() {
return "1.0";
}
@Override
public String getName() {
return "SampleFileIngestModule";
}
@Override
public String getDescription() {
return "Doesn't do much";
}
@Override
public boolean hasBackgroundJobsRunning() {
// we're single threaded...
return false;
}
}
/*
* Sample module in the public domain. Feel free to use this as a template
* for your modules.
*
* Contact: Brian Carrier [carrier <at> sleuthkit [dot] org]
*
* This is free and unencumbered software released into the public domain.
*
* Anyone is free to copy, modify, publish, use, compile, sell, or
* distribute this software, either in source code form or as a compiled
* binary, for any purpose, commercial or non-commercial, and by any
* means.
*
* In jurisdictions that recognize copyright laws, the author or authors
* of this software dedicate any and all copyright interest in the
* software to the public domain. We make this dedication for the benefit
* of the public at large and to the detriment of our heirs and
* successors. We intend this dedication to be an overt act of
* relinquishment in perpetuity of all present and future rights to this
* software under copyright law.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
* IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
* OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
* ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
* OTHER DEALINGS IN THE SOFTWARE.
*/
package org.sleuthkit.autopsy.examples;
import org.apache.log4j.Logger;
import org.openide.util.Exceptions;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.ingest.IngestModuleAbstractFile;
import org.sleuthkit.autopsy.ingest.IngestModuleInit;
import org.sleuthkit.autopsy.ingest.PipelineContext;
import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.TskCoreException;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskData;
/**
* This is a sample and simple module. It is a file-level ingest module, meaning
* that it will get called on each file in the disk image / logical file set.
* It does a stupid calculation of the number of null bytes in the beginning of the
* file in order to show the basic flow.
*
* Autopsy has been hard coded to ignore this module based on the it's package name.
* IngestModuleLoader will not load things from the org.sleuthkit.autopsy.examples package.
* Either change the package or the loading code to make this module actually run.
*/
public class SampleFileIngestModule extends org.sleuthkit.autopsy.ingest.IngestModuleAbstractFile {
private int attrId = -1;
private static SampleFileIngestModule defaultInstance = null;
// Private to ensure Singleton status
private SampleFileIngestModule() {
}
// File-level ingest modules are currently singleton -- this is required
public static synchronized SampleFileIngestModule getDefault() {
//defaultInstance is a private static class variable
if (defaultInstance == null) {
defaultInstance = new SampleFileIngestModule();
}
return defaultInstance;
}
@Override
public void init(IngestModuleInit initContext) {
/* For this demo, we are going to make a private attribute to post our
* results to the blackbaord with. There are many standard blackboard artifact
* and attribute types and you should first consider using one of those before
* making private ones because other modules won't know about provate ones.
* Because our demo has results that have no real value, we do not have an
* official attribute for them.
*/
Case case1 = Case.getCurrentCase();
SleuthkitCase sleuthkitCase = case1.getSleuthkitCase();
// see if the type already exists in the blackboard.
try {
attrId = sleuthkitCase.getAttrTypeID("ATTR_SAMPLE");
} catch (TskCoreException ex) {
// create it if not
try {
attrId = sleuthkitCase.addAttrType("ATTR_SAMPLE", "Sample Attribute");
} catch (TskCoreException ex1) {
Logger log = Logger.getLogger(SampleFileIngestModule.class);
log.fatal("Error adding attribute type: " + ex1.getLocalizedMessage());
attrId = -1;
}
}
}
@Override
public ProcessResult process(PipelineContext<IngestModuleAbstractFile> pipelineContext, AbstractFile abstractFile) {
// skip non-files
if ((abstractFile.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) ||
(abstractFile.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS)) {
return ProcessResult.OK;
}
// skip NSRL / known files
if (abstractFile.getKnown() == TskData.FileKnown.KNOWN) {
return ProcessResult.OK;
}
/* Do a non-sensical calculation of the number of 0x00 bytes
* in the first 1024-bytes of the file. This is for demo
* purposes only.
*/
try {
byte buffer[] = new byte[1024];
int len = abstractFile.read(buffer, 0, 1024);
int count = 0;
for (int i = 0; i < len; i++) {
if (buffer[i] == 0x00) {
count++;
}
}
if (attrId != -1) {
// Make an attribute using the ID for the private type that we previously created.
BlackboardAttribute attr = new BlackboardAttribute(attrId, getName(), count);
/* add it to the general info artifact. In real modules, you would likely have
* more complex data types and be making more specific artifacts.
*/
BlackboardArtifact art = abstractFile.getGenInfoArtifact();
art.addAttribute(attr);
}
return ProcessResult.OK;
} catch (TskCoreException ex) {
Exceptions.printStackTrace(ex);
return ProcessResult.ERROR;
}
}
@Override
public void complete() {
}
@Override
public void stop() {
}
@Override
public String getVersion() {
return "1.0";
}
@Override
public String getName() {
return "SampleFileIngestModule";
}
@Override
public String getDescription() {
return "Doesn't do much";
}
@Override
public boolean hasBackgroundJobsRunning() {
// we're single threaded...
return false;
}
}

104
Core/src/org/sleuthkit/autopsy/filesearch/docs/filesearch-about.html
View File

@ -1,52 +1,52 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>About File Search</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>About File Search</h2>
<p>
File Search tool can be accessed either from the Tools menu or by right-clicking on image node in the Data Explorer / Directory Tree.
By using File Search, you can specify, filter, and show the directories and files that you want to see from the images in the current opened case.
The File Search results will be populated in a brand new Table Result viewer on the right-hand side.
</p>
<p>Currently, Autopsy only supports 4 categories in File Search: Name, Size, Date, and Known Status based search.</p>
<ul class="note">
<li><strong>Note:</strong>
Currently File Search doesn't support regular expression,
however the Keyword Search feature of Autopsy does also look in file names and it does support regular expressions,
which can complimentary to the File Search.
</li>
</ul>
<h2>How to Open File Search</h2>
<p>To see how to open File Search, click <a href="nbdocs:/org/sleuthkit/autopsy/filesearch/docs/open-filesearch.html">here</a>.</p>
<ul class="note">
<li><strong>Note:</strong>
The File Search Window is opened and closed automatically.
If there's a case opened and there is at least one image inside that case, File Search Window can't be closed.
</li>
</ul>
<h2>How to Use File Search</h2>
<p>To see how to use File Search, click <a href="nbdocs:/org/sleuthkit/autopsy/filesearch/docs/how-to-use-filesearch.html">here</a>.</p>
<h2>Example</h2>
<p>Here's an example of a File Search window:</p>
<img src="FileSearch_example.png" alt="File Search Top Component Window" />
</body>
</html>
<!--
Tip: to create a link which will open in an external web browser, try:
<object classid="java:org.netbeans.modules.javahelp.BrowserDisplayer">
<param name="content" value="http://www.netbeans.org/">
<param name="text" value="<html><u>http://www.netbeans.org/</u></html>">
<param name="textFontSize" value="medium">
<param name="textColor" value="blue">
</object>
To create a link to a help set from another module, you need to know the code name base and path, e.g.:
<a href="nbdocs://org.netbeans.modules.usersguide/org/netbeans/modules/usersguide/configure/configure_options.html">Using the Options Window</a>
(This link will behave sanely if that module is disabled or missing.)
-->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>About File Search</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>About File Search</h2>
<p>
File Search tool can be accessed either from the Tools menu or by right-clicking on image node in the Data Explorer / Directory Tree.
By using File Search, you can specify, filter, and show the directories and files that you want to see from the images in the current opened case.
The File Search results will be populated in a brand new Table Result viewer on the right-hand side.
</p>
<p>Currently, Autopsy only supports 4 categories in File Search: Name, Size, Date, and Known Status based search.</p>
<ul class="note">
<li><strong>Note:</strong>
Currently File Search doesn't support regular expression,
however the Keyword Search feature of Autopsy does also look in file names and it does support regular expressions,
which can complimentary to the File Search.
</li>
</ul>
<h2>How to Open File Search</h2>
<p>To see how to open File Search, click <a href="nbdocs:/org/sleuthkit/autopsy/filesearch/docs/open-filesearch.html">here</a>.</p>
<ul class="note">
<li><strong>Note:</strong>
The File Search Window is opened and closed automatically.
If there's a case opened and there is at least one image inside that case, File Search Window can't be closed.
</li>
</ul>
<h2>How to Use File Search</h2>
<p>To see how to use File Search, click <a href="nbdocs:/org/sleuthkit/autopsy/filesearch/docs/how-to-use-filesearch.html">here</a>.</p>
<h2>Example</h2>
<p>Here's an example of a File Search window:</p>
<img src="FileSearch_example.png" alt="File Search Top Component Window" />
</body>
</html>
<!--
Tip: to create a link which will open in an external web browser, try:
<object classid="java:org.netbeans.modules.javahelp.BrowserDisplayer">
<param name="content" value="http://www.netbeans.org/">
<param name="text" value="<html><u>http://www.netbeans.org/</u></html>">
<param name="textFontSize" value="medium">
<param name="textColor" value="blue">
</object>
To create a link to a help set from another module, you need to know the code name base and path, e.g.:
<a href="nbdocs://org.netbeans.modules.usersguide/org/netbeans/modules/usersguide/configure/configure_options.html">Using the Options Window</a>
(This link will behave sanely if that module is disabled or missing.)
-->

108
Core/src/org/sleuthkit/autopsy/filesearch/docs/how-to-use-filesearch.html
View File

@ -1,55 +1,55 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>How to Use File Search</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>How to Use File Search</h2>
<p>Currently, there are 4 categories that you can use to filter and show the directories and files within the images in the current opened case.</p>
<p>The categories are:</p>
<ol>
<li><strong>Name:</strong>
<p>Search for all files and directory whose name contains the pattern given.</p>
<ul class="note">
<li><strong>Note:</strong> it doesn't support regular expression and keyword matching.</li>
</ul>
</li>
<li><strong>Size:</strong>
<p>
Search for all files and directory whose size matches the pattern given.
The pattern can be "equal to", "greater than", and "less than".
The unit for the size can be "Byte(s)", "KB", "MB", "GB", and "TB".
</p>
</li>
<li><strong>Date:</strong>
<p>
Search for all files and directory whose "date property" is within the date range given.
The "date properties" are "Modified Date", "Accessed Date", "Changed Date", and "Created Date".
You must also specify the timezone for the date given.
</p>
</li>
<li><strong>Known Status:</strong>
<p>
Search for all files and directory whose known status is recognized as either Unknown, Known, or Known Bad.
For more on Known Status, see <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/hashDbMgmt.html">Hash Database Management</a>.
</p>
<p>
To use any of these filters, check the box next to the category and click "Search" button to start the search process.
The result will show up in the "<a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/dataresult-about.html">Result Viewer</a>".
</p>
</li>
</ol>
<h2>Example</h2>
<p>
Here's an example where I try to get all the directories and files whose name contains "hello",
has a size greater than 1000 Bytes,was created between 06/15/2010 and 06/16/2010 (in GMT-5 timezone), and is an unknown file:
</p>
<img src="FileSearch_usage.png" alt="Example of File Search usage" />
</body>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>How to Use File Search</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>How to Use File Search</h2>
<p>Currently, there are 4 categories that you can use to filter and show the directories and files within the images in the current opened case.</p>
<p>The categories are:</p>
<ol>
<li><strong>Name:</strong>
<p>Search for all files and directory whose name contains the pattern given.</p>
<ul class="note">
<li><strong>Note:</strong> it doesn't support regular expression and keyword matching.</li>
</ul>
</li>
<li><strong>Size:</strong>
<p>
Search for all files and directory whose size matches the pattern given.
The pattern can be "equal to", "greater than", and "less than".
The unit for the size can be "Byte(s)", "KB", "MB", "GB", and "TB".
</p>
</li>
<li><strong>Date:</strong>
<p>
Search for all files and directory whose "date property" is within the date range given.
The "date properties" are "Modified Date", "Accessed Date", "Changed Date", and "Created Date".
You must also specify the timezone for the date given.
</p>
</li>
<li><strong>Known Status:</strong>
<p>
Search for all files and directory whose known status is recognized as either Unknown, Known, or Known Bad.
For more on Known Status, see <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/hashDbMgmt.html">Hash Database Management</a>.
</p>
<p>
To use any of these filters, check the box next to the category and click "Search" button to start the search process.
The result will show up in the "<a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/dataresult-about.html">Result Viewer</a>".
</p>
</li>
</ol>
<h2>Example</h2>
<p>
Here's an example where I try to get all the directories and files whose name contains "hello",
has a size greater than 1000 Bytes,was created between 06/15/2010 and 06/16/2010 (in GMT-5 timezone), and is an unknown file:
</p>
<img src="FileSearch_usage.png" alt="Example of File Search usage" />
</body>
</html>

56
Core/src/org/sleuthkit/autopsy/filesearch/docs/open-filesearch.html
View File

@ -1,29 +1,29 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>How to Open File Search</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>How to Open File Search</h2>
<p>To open the File Search, you can do one of the following thing:</p>
<ul>
<li>Right click an image and choose "Open File Search by Attributes".
<br>
<img src="open_fileSearch1.png" alt="Open File Search Top Component 1" />
</li>
<li>Select the "Tools" > "File Search by Attributes".
<br>
<img src="open_fileSearch2.png" alt="Open File Search Top Component 2" />
</li>
</ul>
<ul class="note">
<li><strong>Note:</strong>
The File Search Window is opened and closed automatically.
If there's a case opened and there is at least one image inside that case, File Search Window can't be closed.
</li>
</ul>
</body>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>How to Open File Search</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>How to Open File Search</h2>
<p>To open the File Search, you can do one of the following thing:</p>
<ul>
<li>Right click an image and choose "Open File Search by Attributes".
<br>
<img src="open_fileSearch1.png" alt="Open File Search Top Component 1" />
</li>
<li>Select the "Tools" > "File Search by Attributes".
<br>
<img src="open_fileSearch2.png" alt="Open File Search Top Component 2" />
</li>
</ul>
<ul class="note">
<li><strong>Note:</strong>
The File Search Window is opened and closed automatically.
If there's a case opened and there is at least one image inside that case, File Search Window can't be closed.
</li>
</ul>
</body>
</html>

194
Core/src/org/sleuthkit/autopsy/ingest/docs/ingest-about.html
View File

@ -1,98 +1,98 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Image Ingest</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Image Ingest</h2>
<p>
Autopsy tries to automate as many things as possible for the user.
There are many tasks that will always be performed in a digital investigation and they normally involve some type of image or file analysis and extraction of a certain type of information.
The analysis can be a lengthy process, especially for large images and when a number of types of analysis needs to be performed.
</p>
<p>
Ingest is a technique of automating these tasks. Autopsy allows to run these lengthy analysis tasks in the background,
while the user can browse the application interface and review the ingest results as their appear.
Ingest is similar to triage.
Autopsy attempts to process files inside the ingested image in such order so that the more interesting files (user-related files) are processed files.
</p>
<p>
The ingest process begins after the basic file system information has been added to the database.
A series of ingest modules (described in a following section) run automatically behind the scenes and make their results available as soon as possible.
Autopsy is designed so that these results are reported to the user in real-time,
and even for very large images to be processed there can be initial results available minutes, sometimes seconds after the analysis has started.
</p>
<p>
You can start image ingest in two ways. When you add an image with the <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/addImage.html">Add Data Source wizard</a>,
you will be shown the list of ingest modules and you can choose which you want to run.
You can also launch the Ingest Manager run ingest by right clicking on an image in the explorer tree and choosing "Restart Image Ingest".
</p>
<p>
Once ingest is started, you can review the currently running ingest tasks in the task bar on the bottom-right corner of the main window.
The ingest tasks can be canceled by the user if so desired.
</p>
<ul class="note">
<li><strong>Note:</strong>
sometimes the cancellation process make take several seconds or more to complete cleanly, depending on what the ingest module was currently doing.
</li>
</ul>
<p>
The ingest message inbox will provide notifications when the particular ingest modules start and finish running.
There may also be error notifications, and result notifications sent by specific ingest modules.
</p>
<p>
The results from the ingest modules can typically be found in the Results area of the explorer tree.
However, some modules may choose to write results to a local file or to some other location and not make them available in the UI.
</p>
<h2>Ingest Modules</h2>
<p>
An ingest module is responsible for extracting data from and searching images.
Different modules will do different things. Examples include:
</p>
<ul>
<li>Calculate MD5 hash of each file</li>
<li>Lookup MD5 hash in database</li>
<li>Detect file type of each file</li>
<li>Keyword search each file</li>
<li>Extract web artifacts (downloads, history, installed programs, web search engine queries, etc.)</li>
<li>Extract Email messages</li>
<li>Extract connected device IDs.</li>
<li>Extract EXIF meta-data from picture files</li>
</ul>
<h2>Configuring Ingest Modules</h2>
<p>
There are two places to configure ingest modules. When the Ingest Manager is launched, there may be a small set of options the module allows you to edit directly in the Ingest Manager.
Additionally, the Ingest Manager may display an "Advanced" button, which will open up a larger configuration menu with more available settings.
This advanced configuration menu can often be found in the "Tools" > "Options" menu, along with the advanced settings for numerous other ingest modules.
</p>
<p>
Before launching ingest, you should go over the modules configuration by selecting every module in the list and review the current ingest module settings.
Some modules need to be configured at least the first time Autopsy is used to have default configuration populated, otherwise they won't perform any analysis.
Changing the modules configuration will potentially affect number of results found, it might also affect the total time required for ingest to run and how fast the results are reported in real-time.
</p>
<h2>Adding Ingest Modules</h2>
<p>
Ingest modules can be created by third-party-developers and can be added independently of Autopsy.
This can be done through Autopsy's plugin manager. This is accessible through the "Tools" > "Plugins" menu.
Currently, the best way to add an ingest module is by navigating to the module's NBM file after choosing "Add Plugin..." in the "Downloaded" tab of the plugin manager.
Autopsy will require a restart after any modules are installed in order to properly load and display them.
</p>
</body>
</html>
<!--
Tip: to create a link which will open in an external web browser, try:
<object classid="java:org.netbeans.modules.javahelp.BrowserDisplayer">
<param name="content" value="http://www.netbeans.org/">
<param name="text" value="<html><u>http://www.netbeans.org/</u></html>">
<param name="textFontSize" value="medium">
<param name="textColor" value="blue">
</object>
To create a link to a help set from another module, you need to know the code name base and path, e.g.:
<a href="nbdocs://org.netbeans.modules.usersguide/org/netbeans/modules/usersguide/configure/configure_options.html">Using the Options Window</a>
(This link will behave sanely if that module is disabled or missing.)
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Image Ingest</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Image Ingest</h2>
<p>
Autopsy tries to automate as many things as possible for the user.
There are many tasks that will always be performed in a digital investigation and they normally involve some type of image or file analysis and extraction of a certain type of information.
The analysis can be a lengthy process, especially for large images and when a number of types of analysis needs to be performed.
</p>
<p>
Ingest is a technique of automating these tasks. Autopsy allows to run these lengthy analysis tasks in the background,
while the user can browse the application interface and review the ingest results as their appear.
Ingest is similar to triage.
Autopsy attempts to process files inside the ingested image in such order so that the more interesting files (user-related files) are processed files.
</p>
<p>
The ingest process begins after the basic file system information has been added to the database.
A series of ingest modules (described in a following section) run automatically behind the scenes and make their results available as soon as possible.
Autopsy is designed so that these results are reported to the user in real-time,
and even for very large images to be processed there can be initial results available minutes, sometimes seconds after the analysis has started.
</p>
<p>
You can start image ingest in two ways. When you add an image with the <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/addImage.html">Add Data Source wizard</a>,
you will be shown the list of ingest modules and you can choose which you want to run.
You can also launch the Ingest Manager run ingest by right clicking on an image in the explorer tree and choosing "Restart Image Ingest".
</p>
<p>
Once ingest is started, you can review the currently running ingest tasks in the task bar on the bottom-right corner of the main window.
The ingest tasks can be canceled by the user if so desired.
</p>
<ul class="note">
<li><strong>Note:</strong>
sometimes the cancellation process make take several seconds or more to complete cleanly, depending on what the ingest module was currently doing.
</li>
</ul>
<p>
The ingest message inbox will provide notifications when the particular ingest modules start and finish running.
There may also be error notifications, and result notifications sent by specific ingest modules.
</p>
<p>
The results from the ingest modules can typically be found in the Results area of the explorer tree.
However, some modules may choose to write results to a local file or to some other location and not make them available in the UI.
</p>
<h2>Ingest Modules</h2>
<p>
An ingest module is responsible for extracting data from and searching images.
Different modules will do different things. Examples include:
</p>
<ul>
<li>Calculate MD5 hash of each file</li>
<li>Lookup MD5 hash in database</li>
<li>Detect file type of each file</li>
<li>Keyword search each file</li>
<li>Extract web artifacts (downloads, history, installed programs, web search engine queries, etc.)</li>
<li>Extract Email messages</li>
<li>Extract connected device IDs.</li>
<li>Extract EXIF meta-data from picture files</li>
</ul>
<h2>Configuring Ingest Modules</h2>
<p>
There are two places to configure ingest modules. When the Ingest Manager is launched, there may be a small set of options the module allows you to edit directly in the Ingest Manager.
Additionally, the Ingest Manager may display an "Advanced" button, which will open up a larger configuration menu with more available settings.
This advanced configuration menu can often be found in the "Tools" > "Options" menu, along with the advanced settings for numerous other ingest modules.
</p>
<p>
Before launching ingest, you should go over the modules configuration by selecting every module in the list and review the current ingest module settings.
Some modules need to be configured at least the first time Autopsy is used to have default configuration populated, otherwise they won't perform any analysis.
Changing the modules configuration will potentially affect number of results found, it might also affect the total time required for ingest to run and how fast the results are reported in real-time.
</p>
<h2>Adding Ingest Modules</h2>
<p>
Ingest modules can be created by third-party-developers and can be added independently of Autopsy.
This can be done through Autopsy's plugin manager. This is accessible through the "Tools" > "Plugins" menu.
Currently, the best way to add an ingest module is by navigating to the module's NBM file after choosing "Add Plugin..." in the "Downloaded" tab of the plugin manager.
Autopsy will require a restart after any modules are installed in order to properly load and display them.
</p>
</body>
</html>
<!--
Tip: to create a link which will open in an external web browser, try:
<object classid="java:org.netbeans.modules.javahelp.BrowserDisplayer">
<param name="content" value="http://www.netbeans.org/">
<param name="text" value="<html><u>http://www.netbeans.org/</u></html>">
<param name="textFontSize" value="medium">
<param name="textColor" value="blue">
</object>
To create a link to a help set from another module, you need to know the code name base and path, e.g.:
<a href="nbdocs://org.netbeans.modules.usersguide/org/netbeans/modules/usersguide/configure/configure_options.html">Using the Options Window</a>
(This link will behave sanely if that module is disabled or missing.)
!-->

110
Core/src/org/sleuthkit/autopsy/ingest/docs/ingest-inbox.html
View File

@ -1,56 +1,56 @@
<!--
Autopsy Forensic Browser
Copyright 2011 Basis Technology Corp.
Contact: carrier <at> sleuthkit <dot> org
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Ingest Message Inbox</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Ingest Message Inbox</h2>
<p>
The ingest message inbox is used by Autopsy to provide real-time updates during ingest.
To open the inbox, click on the yellow warning sign in the top/right corner of the Autopsy window.
The sign can display a number of incoming unread (not yet clicked) messages during ingest in its upper-right corner.
</p>
<img src="inbox-button.png" alt="Inbox button" />
<p>
Ingest modules are able to post messages when notable events occur,
such as a keyword or hash database hit.
If a module posts many similar messages in a short time span,
the inbox will group those messages so that unique updates are not lost among the noise.
</p>
<p>
The grouped messages are colored with different shades to indicate their importance;
if a message group contains a lower number of unique messages,
it is potentially more important than another group with a large number of unique messages.
The more unique important messages have a lighter background color.
</p>
<p>The ingest messages can be sorted by uniqueness/importance, or by chronological order in which they had appeared.</p>
<p>
A message can be clicked to view the message details. When a message is clicked, it is marked as "read".
When updates are posted with regard to a specific result or file, the message is linked to that file
and the buttons in the top/right corner of the message details view can be used to browse to that data.
</p>
<img src="inbox-main.PNG" alt="Inbox Main Screen" />
<br />
<img src="inbox-details.PNG" alt="Inbox Details Screen" />
</body>
<!--
Autopsy Forensic Browser
Copyright 2011 Basis Technology Corp.
Contact: carrier <at> sleuthkit <dot> org
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Ingest Message Inbox</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Ingest Message Inbox</h2>
<p>
The ingest message inbox is used by Autopsy to provide real-time updates during ingest.
To open the inbox, click on the yellow warning sign in the top/right corner of the Autopsy window.
The sign can display a number of incoming unread (not yet clicked) messages during ingest in its upper-right corner.
</p>
<img src="inbox-button.png" alt="Inbox button" />
<p>
Ingest modules are able to post messages when notable events occur,
such as a keyword or hash database hit.
If a module posts many similar messages in a short time span,
the inbox will group those messages so that unique updates are not lost among the noise.
</p>
<p>
The grouped messages are colored with different shades to indicate their importance;
if a message group contains a lower number of unique messages,
it is potentially more important than another group with a large number of unique messages.
The more unique important messages have a lighter background color.
</p>
<p>The ingest messages can be sorted by uniqueness/importance, or by chronological order in which they had appeared.</p>
<p>
A message can be clicked to view the message details. When a message is clicked, it is marked as "read".
When updates are posted with regard to a specific result or file, the message is linked to that file
and the buttons in the top/right corner of the message details view can be used to browse to that data.
</p>
<img src="inbox-main.PNG" alt="Inbox Main Screen" />
<br />
<img src="inbox-details.PNG" alt="Inbox Details Screen" />
</body>
</html>

10
HashDatabase/src/org/sleuthkit/autopsy/hashdatabase/HashDbConfigPanel.java
View File

@ -50,7 +50,6 @@ public final class HashDbConfigPanel extends javax.swing.JPanel implements Optio
private static final String NO_SELECTION_TEXT = "No database selected";
private static final String ERROR_GETTING_PATH_TEXT = "Error occurred getting path";
private static final String ERROR_GETTING_INDEX_STATUS_TEXT = "Error occurred getting status";
private static final String LEGACY_INDEX_FILE_EXTENSION = "-md5.idx";
private HashDbManager hashSetManager = HashDbManager.getInstance();
private HashSetTableModel hashSetTableModel = new HashSetTableModel();
@ -161,13 +160,10 @@ public final class HashDbConfigPanel extends javax.swing.JPanel implements Optio
hashDbIndexStatusLabel.setForeground(Color.black);
indexButton.setEnabled(false);
}
else if (db.hasLookupIndex()) {
else if (db.hasIndex()) {
if (db.hasIndexOnly()) {
hashDbIndexStatusLabel.setText("Index only");
}
else if (db.getIndexPath().endsWith(LEGACY_INDEX_FILE_EXTENSION)) {
hashDbIndexStatusLabel.setText("Indexed (old format)");
}
else {
hashDbIndexStatusLabel.setText("Indexed");
}
@ -242,7 +238,7 @@ public final class HashDbConfigPanel extends javax.swing.JPanel implements Optio
List<HashDb> unindexed = new ArrayList<>();
for (HashDb hashSet : hashSetManager.getAllHashSets()) {
try {
if (!hashSet.hasLookupIndex()) {
if (!hashSet.hasIndex()) {
unindexed.add(hashSet);
}
}
@ -376,7 +372,7 @@ public final class HashDbConfigPanel extends javax.swing.JPanel implements Optio
private boolean indexExists(int rowIndex){
try {
return hashSets.get(rowIndex).hasLookupIndex();
return hashSets.get(rowIndex).hasIndex();
}
catch (TskCoreException ex) {
Logger.getLogger(HashSetTableModel.class.getName()).log(Level.SEVERE, "Error getting index info for hash database", ex);

14
HashDatabase/src/org/sleuthkit/autopsy/hashdatabase/HashDbIngestModule.java
View File

@ -43,6 +43,7 @@ import org.sleuthkit.datamodel.TskCoreException;
import org.sleuthkit.datamodel.TskData;
import org.sleuthkit.datamodel.TskException;
import org.sleuthkit.autopsy.hashdatabase.HashDbManager.HashDb;
import org.sleuthkit.datamodel.HashInfo;
public class HashDbIngestModule extends IngestModuleAbstractFile {
private static HashDbIngestModule instance = null;
@ -164,7 +165,7 @@ public class HashDbIngestModule extends IngestModuleAbstractFile {
for (HashDb db : hashDbs) {
if (db.getSearchDuringIngest()) {
try {
if (db.hasLookupIndex()) {
if (db.hasIndex()) {
hashDbsForIngest.add(db);
}
}
@ -218,7 +219,8 @@ public class HashDbIngestModule extends IngestModuleAbstractFile {
for (HashDb db : knownBadHashSets) {
try {
long lookupstart = System.currentTimeMillis();
if (db.hasMd5HashOf(file)) {
HashInfo hashInfo = db.lookUp(file);
if (null != hashInfo) {
foundBad = true;
knownBadCount += 1;
try {
@ -231,14 +233,14 @@ public class HashDbIngestModule extends IngestModuleAbstractFile {
}
String hashSetName = db.getHashSetName();
String comment = "";
ArrayList<String> comments = db.lookUp(file).getComments();
String comment = "";
ArrayList<String> comments = hashInfo.getComments();
int i = 0;
for (String c : comments) {
comment += c;
if (++i > 1) {
c += ". ";
comment += " ";
}
comment += c;
if (comment.length() > MAX_COMMENT_SIZE) {
comment = comment.substring(0, MAX_COMMENT_SIZE) + "...";
break;

18
HashDatabase/src/org/sleuthkit/autopsy/hashdatabase/HashDbManager.java
View File

@ -243,9 +243,9 @@ public class HashDbManager implements PropertyChangeListener {
return hashDb;
}
synchronized void indexHashDatabase(HashDb hashDb, boolean deleteIndexFile) {
synchronized void indexHashDatabase(HashDb hashDb) {
hashDb.addPropertyChangeListener(this);
HashDbIndexer creator = new HashDbIndexer(hashDb, deleteIndexFile);
HashDbIndexer creator = new HashDbIndexer(hashDb);
creator.execute();
}
@ -788,7 +788,7 @@ public class HashDbManager implements PropertyChangeListener {
* @throws TskCoreException
*/
public void addHashes(Content content, String comment) throws TskCoreException {
// TODO: This only works for AbstractFiles and MD5 hashes at present.
// This only works for AbstractFiles and MD5 hashes at present.
assert content instanceof AbstractFile;
if (content instanceof AbstractFile) {
AbstractFile file = (AbstractFile)content;
@ -812,7 +812,7 @@ public class HashDbManager implements PropertyChangeListener {
public HashInfo lookUp(Content content) throws TskCoreException {
HashInfo result = null;
// TODO: This only works for AbstractFiles and MD5 hashes at present.
// This only works for AbstractFiles and MD5 hashes at present.
assert content instanceof AbstractFile;
if (content instanceof AbstractFile) {
AbstractFile file = (AbstractFile)content;
@ -823,12 +823,12 @@ public class HashDbManager implements PropertyChangeListener {
return result;
}
boolean hasLookupIndex() throws TskCoreException {
boolean hasIndex() throws TskCoreException {
return SleuthkitJNI.hashDatabaseHasLookupIndex(handle);
}
boolean hasIndexOnly() throws TskCoreException {
return SleuthkitJNI.hashDatabaseHasLegacyLookupIndexOnly(handle);
return SleuthkitJNI.hashDatabaseIsIndexOnly(handle);
}
boolean canBeReIndexed() throws TskCoreException {
@ -847,11 +847,9 @@ public class HashDbManager implements PropertyChangeListener {
private class HashDbIndexer extends SwingWorker<Object, Void> {
private ProgressHandle progress = null;
private HashDb hashDb = null;
private boolean deleteIndexFile = false;
HashDbIndexer(HashDb hashDb, boolean deleteIndexFile) {
HashDbIndexer(HashDb hashDb) {
this.hashDb = hashDb;
this.deleteIndexFile = deleteIndexFile;
};
@Override
@ -861,7 +859,7 @@ public class HashDbManager implements PropertyChangeListener {
progress.start();
progress.switchToIndeterminate();
try {
SleuthkitJNI.createLookupIndexForHashDatabase(hashDb.handle, deleteIndexFile);
SleuthkitJNI.createLookupIndexForHashDatabase(hashDb.handle);
}
catch (TskCoreException ex) {
Logger.getLogger(HashDb.class.getName()).log(Level.SEVERE, "Error indexing hash database", ex);

2
HashDatabase/src/org/sleuthkit/autopsy/hashdatabase/HashDbSimpleConfigPanel.java
View File

@ -146,7 +146,7 @@ public class HashDbSimpleConfigPanel extends javax.swing.JPanel {
HashDb db = hashDatabases.get(rowIndex);
boolean dbHasIndex = false;
try {
dbHasIndex = db.hasLookupIndex();
dbHasIndex = db.hasIndex();
}
catch (TskCoreException ex) {
Logger.getLogger(HashDbSimpleConfigPanel.class.getName()).log(Level.SEVERE, "Error getting info for " + db.getHashSetName() + " hash database", ex);

29
HashDatabase/src/org/sleuthkit/autopsy/hashdatabase/ModalNoButtons.java
View File

@ -21,13 +21,9 @@ package org.sleuthkit.autopsy.hashdatabase;
import java.beans.PropertyChangeEvent;
import java.beans.PropertyChangeListener;
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Level;
import javax.swing.JOptionPane;
import org.sleuthkit.autopsy.coreutils.Logger;
import org.sleuthkit.datamodel.TskCoreException;
import org.sleuthkit.autopsy.hashdatabase.HashDbManager.HashDb;
/**
@ -42,7 +38,6 @@ import org.sleuthkit.autopsy.hashdatabase.HashDbManager.HashDb;
*/
class ModalNoButtons extends javax.swing.JDialog implements PropertyChangeListener {
private static final String INDEX_FILE_EXTENSION = ".kdb";
List<HashDb> unindexed;
HashDb toIndex;
HashDbConfigPanel hdbmp;
@ -211,7 +206,7 @@ class ModalNoButtons extends javax.swing.JDialog implements PropertyChangeListen
this.CURRENTLYON_LABEL.setText("Currently indexing 1 database");
if (!this.toIndex.isIndexing()) {
this.toIndex.addPropertyChangeListener(this);
HashDbManager.getInstance().indexHashDatabase(toIndex, okToDeleteOldIndexFile(toIndex));
HashDbManager.getInstance().indexHashDatabase(toIndex);
}
}
@ -227,7 +222,7 @@ class ModalNoButtons extends javax.swing.JDialog implements PropertyChangeListen
this.CURRENTLYON_LABEL.setText("Currently indexing 1 of " + length);
if (!db.isIndexing()) {
db.addPropertyChangeListener(this);
HashDbManager.getInstance().indexHashDatabase(db, okToDeleteOldIndexFile(db));
HashDbManager.getInstance().indexHashDatabase(db);
}
}
}
@ -255,23 +250,5 @@ class ModalNoButtons extends javax.swing.JDialog implements PropertyChangeListen
this.CURRENTLYON_LABEL.setText("Currently indexing " + currentcount + " of " + length);
}
}
}
private boolean okToDeleteOldIndexFile(HashDb hashDb) {
boolean deleteOldIndexFile = true;
try {
if (hashDb.hasLookupIndex()) {
String indexPath = hashDb.getIndexPath();
File indexFile = new File(indexPath);
if (!indexPath.endsWith(INDEX_FILE_EXTENSION)) {
deleteOldIndexFile = JOptionPane.showConfirmDialog(this, "Updating index file format, delete " + indexFile.getName() + " file that uses the old file format?", "Delete Obsolete Index File", JOptionPane.YES_NO_OPTION) == JOptionPane.YES_OPTION;
}
}
}
catch (TskCoreException ex) {
Logger.getLogger(HashDbConfigPanel.class.getName()).log(Level.SEVERE, "Error getting index info for hash database", ex);
JOptionPane.showMessageDialog(null, "Error gettting index information for " + hashDb.getHashSetName() + " hash database. Cannot perform indexing operation.", "Hash Database Index Status Error", JOptionPane.ERROR_MESSAGE);
}
return deleteOldIndexFile;
}
}
}

18
KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/ExtractedContentViewer.java
View File

@ -311,19 +311,15 @@ public class ExtractedContentViewer implements DataContentViewer {
}
@Override
public int isPreferred(Node node,
boolean isSupported) {
public int isPreferred(Node node) {
BlackboardArtifact art = node.getLookup().lookup(BlackboardArtifact.class);
if (isSupported) {
if (art == null) {
return 4;
} else if (art.getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
return 6;
} else {
return 4;
}
if (art == null) {
return 4;
} else if (art.getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
return 6;
} else {
return 0;
return 4;
}
}

61
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/BrowserActivityType.java
View File

@ -1,61 +0,0 @@
/*
* Autopsy Forensic Browser
*
* Copyright 2012 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.recentactivity;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
/**
*
* No one seems to be using this
*/
@Deprecated
public enum BrowserActivityType {
Cookies(0),
Url(1),
Bookmarks(2);
private static final Map<Integer,BrowserActivityType> lookup
= new HashMap<Integer,BrowserActivityType>();
static {
for(BrowserActivityType bat : values())
lookup.put(bat.type, bat);
}
private int type;
private BrowserActivityType(int type)
{
this.type = type;
}
public int getType() { return type; }
public static BrowserActivityType get(int type) {
switch(type) {
case 0: return Cookies;
case 1: return Url;
case 2: return Bookmarks;
}
return null;
}
}

60
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/BrowserType.java
View File

@ -1,60 +0,0 @@
/*
* Autopsy Forensic Browser
*
* Copyright 2012 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.recentactivity;
import java.util.HashMap;
import java.util.Map;
/**
*
* No one is using this. It should go away
*/
@Deprecated
public enum BrowserType {
IE(0), //Internet Explorer
FF(1), //Firefox
CH(2); //Chrome
private static final Map<Integer,BrowserType> lookup
= new HashMap<Integer,BrowserType>();
static {
for(BrowserType bt : values())
lookup.put(bt.type, bt);
}
private int type;
private BrowserType(int type)
{
this.type = type;
}
public int getType() { return type; }
public static BrowserType get(int type) {
switch(type) {
case 0: return IE;
case 1: return FF;
case 2: return CH;
}
return null;
}
}

6
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java
View File

@ -55,7 +55,7 @@ import org.sleuthkit.datamodel.TskData;
/**
* Chrome recent activity extraction
*/
public class Chrome extends Extract {
class Chrome extends Extract {
private static final String historyQuery = "SELECT urls.url, urls.title, urls.visit_count, urls.typed_count, "
+ "last_visit_time, urls.hidden, visits.visit_time, (SELECT urls.url FROM urls WHERE urls.id=visits.url) as from_visit, visits.transition FROM urls, visits WHERE urls.id = visits.url";
@ -65,8 +65,8 @@ public class Chrome extends Extract {
private static final String downloadQueryVersion30 = "SELECT current_path as full_path, url, start_time, received_bytes FROM downloads, downloads_url_chains WHERE downloads.id=downloads_url_chains.id";
private static final String loginQuery = "select origin_url, username_value, signon_realm from logins";
private final Logger logger = Logger.getLogger(this.getClass().getName());
public int ChromeCount = 0;
final public static String MODULE_VERSION = "1.0";
private int ChromeCount = 0;
final private static String MODULE_VERSION = "1.0";
private IngestServices services;
//hide public constructor to prevent from instantiation by ingest module loader

8
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Extract.java
View File

@ -33,14 +33,14 @@ import org.sleuthkit.autopsy.ingest.IngestModuleDataSource;
import org.sleuthkit.autopsy.report.SQLiteDBConnect;
import org.sleuthkit.datamodel.*;
abstract public class Extract extends IngestModuleDataSource{
abstract class Extract extends IngestModuleDataSource{
protected Case currentCase = Case.getCurrentCase(); // get the most updated case
protected SleuthkitCase tskCase = currentCase.getSleuthkitCase();
public final Logger logger = Logger.getLogger(this.getClass().getName());
protected final ArrayList<String> errorMessages = new ArrayList<>();
protected String moduleName = "";
protected boolean dataFound = false;
private final ArrayList<String> errorMessages = new ArrayList<>();
String moduleName = "";
boolean dataFound = false;
//hide public constructor to prevent from instantiation by ingest module loader
Extract() {

4
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java
View File

@ -68,7 +68,7 @@ import org.sleuthkit.autopsy.ingest.IngestModuleDataSource;
import org.sleuthkit.autopsy.ingest.IngestModuleInit;
import org.sleuthkit.datamodel.*;
public class ExtractIE extends Extract {
class ExtractIE extends Extract {
private static final Logger logger = Logger.getLogger(ExtractIE.class.getName());
private IngestServices services;
@ -77,7 +77,7 @@ public class ExtractIE extends Extract {
private String PASCO_LIB_PATH;
private String JAVA_PATH;
final public static String MODULE_VERSION = "1.0";
final private static String MODULE_VERSION = "1.0";
private static final SimpleDateFormat dateFormatter = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'");
private ExecUtil execPasco;

10
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
View File

@ -57,14 +57,14 @@ import org.xml.sax.SAXException;
* and the second is a set that were customized for Autopsy to produce a more structured
* output of XML so that we can parse and turn into blackboard artifacts.
*/
public class ExtractRegistry extends Extract {
class ExtractRegistry extends Extract {
public Logger logger = Logger.getLogger(this.getClass().getName());
private Logger logger = Logger.getLogger(this.getClass().getName());
private String RR_PATH;
private String RR_FULL_PATH;
boolean rrFound = false; // true if we found the Autopsy-specific version of regripper
boolean rrFullFound = false; // true if we found the full version of regripper
final public static String MODULE_VERSION = "1.0";
private boolean rrFound = false; // true if we found the Autopsy-specific version of regripper
private boolean rrFullFound = false; // true if we found the full version of regripper
final private static String MODULE_VERSION = "1.0";
private ExecUtil execRR;
//hide public constructor to prevent from instantiation by ingest module loader

2
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractUSB.java
View File

@ -40,7 +40,7 @@ import org.sleuthkit.autopsy.coreutils.PlatformUtil;
* Loads a file that maps USB IDs to names of makes and models. Uses Linux USB info.
* This should be renamed because it isn't extracting. It's just mapping IDs to names.
*/
public class ExtractUSB {
class ExtractUSB {
private static final Logger logger = Logger.getLogger(ExtractUSB.class.getName());
private HashMap<String, USBInfo> devices;
private static final String DataFile = "USB_DATA.txt";

5
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java
View File

@ -50,7 +50,7 @@ import org.sleuthkit.datamodel.TskCoreException;
/**
* Firefox recent activity extraction
*/
public class Firefox extends Extract {
class Firefox extends Extract {
private static final String historyQuery = "SELECT moz_historyvisits.id,url,title,visit_count,(visit_date/1000000) as visit_date,from_visit,(SELECT url FROM moz_places WHERE id=moz_historyvisits.from_visit) as ref FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id AND hidden = 0";
private static final String cookieQuery = "SELECT name,value,host,expiry,(lastAccessed/1000000) as lastAccessed,(creationTime/1000000) as creationTime FROM moz_cookies";
@ -59,8 +59,7 @@ public class Firefox extends Extract {
private static final String downloadQuery = "SELECT target, source,(startTime/1000000) as startTime, maxBytes FROM moz_downloads";
private static final String downloadQueryVersion24 = "SELECT url, content as target, (lastModified/1000000) as lastModified FROM moz_places, moz_annos WHERE moz_places.id = moz_annos.place_id AND moz_annos.anno_attribute_id = 3";
public int FireFoxCount = 0;
final public static String MODULE_VERSION = "1.0";
final private static String MODULE_VERSION = "1.0";
private IngestServices services;
//hide public constructor to prevent from instantiation by ingest module loader

2
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java
View File

@ -51,7 +51,7 @@ public final class RAImageIngestModule extends IngestModuleDataSource {
private StringBuilder subCompleted = new StringBuilder();
private ArrayList<Extract> modules;
private List<Extract> browserModules;
final public static String MODULE_VERSION = Version.getVersion();
final private static String MODULE_VERSION = Version.getVersion();
//public constructor is required
//as multiple instances are created for processing multiple images simultenously

8
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/SearchEngineURLQueryAnalyzer.java
View File

@ -62,14 +62,14 @@ import org.xml.sax.SAXException;
* To add search engines, edit SearchEngines.xml under RecentActivity
*
*/
public class SearchEngineURLQueryAnalyzer extends Extract {
class SearchEngineURLQueryAnalyzer extends Extract {
private IngestServices services;
public static final String MODULE_NAME = "Search Engine URL Query Analyzer";
public final static String MODULE_VERSION = "1.0";
private static final String MODULE_NAME = "Search Engine URL Query Analyzer";
private final static String MODULE_VERSION = "1.0";
public static final String XMLFILE = "SEUQAMappings.xml";
private static final String XMLFILE = "SEUQAMappings.xml";
private static final String XSDFILE = "SearchEngineSchema.xsd";

2
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java
View File

@ -50,7 +50,7 @@ import org.sleuthkit.datamodel.TskCoreException;
*
* @author Alex
*/
public class Util {
class Util {
private static Logger logger = Logger.getLogger(Util.class.getName());