Added sections on data artifacts and analysis results

apriestman 2021-07-13 14:03:06 -04:00
parent 5db2cd89fb
commit 2a8c3b14bd
5 changed files with 31 additions and 17 deletions

View File

@ -75,9 +75,9 @@ Registry hive files can be viewed in a format similar to a registry editor.
\image html content_viewer_registry.png
\section cv_metadata File Metadata
\section cv_metadata File Metadata / Source File Metadata
The File Metadata tab displays basic information about the file, such as type, size, and hash. It also displays the output of the Sleuth Kit istat tool.
The File Metadata tab displays basic information about the file selected or the file associated with the result, such as type, size, and hash. It also displays the output of the Sleuth Kit istat tool.
\image html content_viewer_metadata.png
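Review bot: the new heading "File Metadata / Source File Metadata" names two tab titles without saying when each one appears; the rewritten sentence only hints at it ("the file selected or the file associated with the result"). If the two names correspond to those two cases, say so directly, e.g. "The tab is labeled File Metadata when a file is selected and Source File Metadata when a result is selected." The section label cv_metadata and the screenshot are unchanged, so existing \ref cv_metadata links still resolve.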
@ -87,14 +87,20 @@ The OS Accounts tab displays information on the OS account associated with a giv
\image html content_viewer_os_account.png
\section cv_results Results
\section cv_results Data Artifacts
The Results tab is active when selecting items with associated results such as keyword hits, call logs, and messages. The exact fields displayed depend on the type of result. The two images below show the Results tab for a call log and a web bookmark.
The Data Artifacts tab shows the artifacts associated with the item selected in the result viewer such as web bookmarks, call logs, and messages. The exact fields displayed depend on the type of data artifact. The two images below show the Data Artifacts tab for a call log and a web bookmark.
\image html content_viewer_results_call.png
<br>
\image html content_viewer_results_bookmark.png
\section cv_analysis_results Analysis Results
The Analysis Results tab shows all analysis results associated with the item selected in the result viewer. If you select an analysis result, it will auto-scroll to that result in the list. Analysis results come from data such as hash set hits, interesting items, and keyword hits. The image below shows web category analysis results.
\image html content_viewer_analysis_result_webcat.png
\section cv_context Context
The Context tab shows information on where a file came from and allows you to navigate to the original result. For example, it can show the the URL for downloaded files and the email message a file was attached to. In the image below you can see the context for an image that was sent as an email attachment.
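Review bot: in the added Analysis Results paragraph, "If you select an analysis result, it will auto-scroll to that result in the list" has an ambiguous "it"; name what scrolls, e.g. "the tab scrolls to that result in the list". The section label cv_results now sits under a heading called Data Artifacts and the screenshots are still named content_viewer_results_*.png; keeping the label avoids breaking existing \ref cv_results links, but since keyword hits moved out of this paragraph into the new cv_analysis_results section, a \ref cv_analysis_results from the Data Artifacts text would help readers follow them. The unchanged context line in cv_context still reads "the the URL"; worth fixing while this file is open.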

View File

@ -19,7 +19,7 @@ Hosts are displayed in the \ref tree_viewer_page. Depending on the \ref view_opt
\subsection host_os_accounts OS Accounts
OS accounts can be viewed in the OS Accounts node under Results. Each OS account is associated with a host, and the host information is displayed in the OS Account tab of the content viewer.
OS accounts can be viewed in the OS Accounts node of the tree viewer. Each OS account is associated with a host, and the host information is displayed in the OS Account tab of the content viewer.
\image html host_os_accounts.png
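Review bot: "the OS Accounts node of the tree viewer" would be more useful as a link: this same commit adds a ui_tree_os_accounts section, so \ref ui_tree_os_accounts "OS Accounts node" lets the reader jump straight to it, and that section already points back here with \ref host_os_accounts, so the two pages would cross-reference each other.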

Binary file not shown. Size before: 19 KiB, after: 19 KiB.

Binary file not shown. Size before: 15 KiB, after: 17 KiB.

View File

@ -3,10 +3,12 @@
[TOC]
The tree on the left-hand side of the main window is where you can browse the files in the data sources in the case and find saved results from automated analyis (ingest). The tree has five main areas:
The tree on the left-hand side of the main window is where you can browse the files in the data sources in the case and find saved results from automated analyis (ingest). The tree has seven main areas:
- <b>Persons / Hosts / Data Sources:</b> This shows the directory tree hierarchy of the data sources. You can navigate to a specific file or directory here. Each data source added to the case is represented as a distinct sub tree. If you add a data source multiple times, it shows up multiple times.
- <b>Views:</b> Specific types of files from the data sources are shown here, aggregated by type or other properties. Files here can come from more than one data source.
- <b>Results:</b> This is where you can see the results from both the automated analysis (ingest) running in the background and your search results.
- <b>File Views:</b> Specific types of files from the data sources are shown here, aggregated by type or other properties. Files here can come from more than one data source.
- <b>Data Artifacts:</b> This isone of the main places where results from running \ref ingest_page appear.
- <b>Analysis Results:</b> This is the other main place where results from running \ref ingest_page appear.
- <b>OS Accounts:</b> This is where you can see the results from both the automated analysis (ingest) running in the background and your search results.
- <b>Tags:</b> This is where files and results that have been \ref tagging_page "tagged" are shown.
- <b>Reports:</b> Reports that you have generated, or that ingest modules have created, show up here.
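Review bot: the new OS Accounts bullet reuses the text of the removed Results bullet ("This is where you can see the results from both the automated analysis (ingest) running in the background and your search results"), which does not describe OS accounts; replace it with something like "OS accounts found in the data sources are listed here; see \ref ui_tree_os_accounts." Two typos in the added lines: "isone" in the Data Artifacts bullet and "analyis" in the intro sentence (carried over from the old line). The count "seven main areas" does match the seven bullets.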
@ -43,22 +45,28 @@ Unallocated space is the chunks of a file system that are currently not being us
An example of the single file extraction option is shown below.
\image html extracting-unallocated-space.PNG
\section ui_tree_views Views
\section ui_tree_views File Views
Views filter all the files in the case by some property of the file.
- <b>File Types</b> Sorts files by file extension or by MIME type, and shows them in the appropriate group. For example, files with .mp3 and .wav extensions end up in the "Audio" group.
- <b>Deleted Files</b> Displays files that have been deleted, but the names have been recovered.
- <b>File Size</b> Sorts files based on size.
\section ui_tree_results Data Artifacts
\section ui_tree_results Results
- <b>Extracted Content:</b> Many ingest modules will place results here; EXIF metadata, GPS locations, or Web history for example.
- <b>Keyword Hits:</b> Keyword search hits show up here.
- <b>Hashset Hits:</b> Hashset hits show up here.
- <b>E-Mail Messages:</b> Email messages show up here.
- <b>Interesting Items:</b> Things deemed interesting show up here.
- <b>Accounts:</b> Credit card accounts show up here.
- <b>Tags:</b> Any item you tag shows up here so you can find it again easily.
This section shows the data artifacts created by running ingest. In general, data artifacts contain concrete information extracted from the data source. For example, call logs and messages from communication logs or web bookmarks extracted from a browser database.
\section ui_tree_analysis_results Analysis Results
This section shows the analysis results created by running ingest. In general, analysis results contain information that the user has indicated they are interested in. For example, if the user sets up a list of \ref hash_db_page "notable hashes", any hash set hits will appear here.
\section ui_tree_os_accounts OS Accounts
This section shows the OS accounts found in the case. See \ref host_os_accounts for an example.
\section ui_tree_tags Tags
Any item you tag shows up here so you can find it again easily. See \ref tagging_page for more information.
\section ui_tree_reports Reports
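Review bot: the Data Artifacts heading keeps the old label ui_tree_results while its new sibling is ui_tree_analysis_results; for consistency consider ui_tree_data_artifacts and update any \ref ui_tree_results callers, or keep the old label only if external links depend on it. The seven removed bullets (Extracted Content, Keyword Hits, Hashset Hits, E-Mail Messages, Interesting Items, Accounts, Tags) are replaced by two general paragraphs that name only call logs, messages, web bookmarks and hash set hits, so a reader no longer learns where E-Mail Messages, Accounts or Interesting Items now appear; a short list of the nodes under each new section would close that gap. Also, the File Views body still opens with "Views filter all the files" after the heading was renamed, and "For example, call logs and messages from communication logs or web bookmarks extracted from a browser database." is a sentence fragment; attach it to the preceding sentence ("...extracted from the data source, for example call logs and messages from communication logs, or web bookmarks extracted from a browser database.").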