diff --git a/CentralRepository/src/org/sleuthkit/autopsy/centralrepository/docs/CONFIG.md b/CentralRepository/src/org/sleuthkit/autopsy/centralrepository/docs/CONFIG.md deleted file mode 100644 index d3bd10561e..0000000000 --- a/CentralRepository/src/org/sleuthkit/autopsy/centralrepository/docs/CONFIG.md +++ /dev/null 
@@ -1,140 +0,0 @@ -# Configuration - -## Database Setup - -There are 2 choices for database platforms: SQLite and PostgreSQL. -1. SQLite is a database in a file stored locally on the same host that is running Autopsy. -There is nothing to do to setup this database. It will be created by Autopsy on your -behalf, if it doesn't already exist. -2. PostgreSQL is a database server that can be run either on the same host that is -running Autopsy or on a remote server. To use PostgreSQL with the EnterpriseArtifactManager module, -you will need the server to be running, have an existing database named "enterpriseartifactmanagerdb" -and have an existing user/pass with ownership of the enterpriseartifactmanagerdb database. -The tables and indices will be automatically created by Autopsy. -See the [Autopsy multi-user settings documentation[(http://sleuthkit.org/autopsy/docs/user-docs/4.3/install_postgresql.html) for help setting up your PostgreSQL server. - -## Enable Module and Configure Database Settings - -In the menu go to: Tools -> Options -> EnterpriseArtifactManager - -1. Check the box to Enable Enterprise Artifact Manager. This will enable the Database Platform dropdown and Configure button. -2. In the dropdown, select the database platform that you want to use. -3. Click the Configure button to configure the settings for the chosen database platform. -4. Click the Apply button to save your database configuration settings. - -### Configure SQLite Database Settings - -There is only one step here, to specify the path and filename for the database. -You can accept the default value or use the Open button to choose another path. -The database file name can be called anything you want, but it is convenient to -give it a ".db" suffix. - -Once you have selected the path, click the Test Connection button. -If you see a green check next to the button, everything is ready to go. 
-If you see a red check next to the button, there is a problem with the path -you selected and you'll have to resolve that problem. - -Once the test passes, click the Save button to save your selection and close the window. - -### Configure PostgreSQL Database Settings - -For PostgreSQL all values are required, but some defaults are provided for convenience. - -1. Host Name/IP is the hostname or IP of your PostgreSQL server. -2. Port is the port that the PostgreSQL server is listening on; default is 5432. -3. Database name is the name of the database you are using for this module; default is enterpriseartifactmanagerdb. -4. User Name is the PostgreSQL user that owns and has full permissions to the database specified in step 3. -5. User Password is the password for the user. - -Once all values have been entered, click the Test Connection button. -If you see a green check next to the button, everything is ready to go. -If you see a red check next to the button, there is a problem with the values -you entered and you'll have to resolve that problem. - -Once the test passes, click the Save button to save your selection and close the window. - -## Import Globally Known Artifacts - -The purpose of this feature is to store any Known or Known Bad Artifacts in -the database. Think of this feature like a dynamic Hash List. -These artifacts are used during Ingest to flag files as Interesting. -They are also displayed in the Content Viewer when a file or artifact is selected that is -associated with one of the globally known artifacts. - -When importing a hash database, all fields are required. - -1. Select the Database Path using the Open button. This is the file containing -the hash values that you want to import. You can import multiple files, but only -one at a time. The format of these files must be the same format as used by -the hash database module. -2. Select the database type. The type of content in the database being imported. -3. 
Define the attribution for this database. - a. Select the Source Organization in the dropdown list. -This is the organization that provided the hash database to you. - b. If you do not see the Organization in the list, use the [Add New Organization](FEATURES.md#adding-a-new-organization) button to add it. -Once you add it, you can then select it in the dropdown list. - c. Enter a name for the dataset. This can be anything you want, but is often something like "child porn", "drugs", "malware", "corp hashlist", etc. - d. Enter a version number for that dataset. This can be anything you want, but is often something like "1.0", "1.1a", 20170505", etc. -4. Click the OK button to start the import. - -## Manage Correlatable Tags - -In Autopsy, you are allowed to define your own Tag names, tag files and artifacts, - and add comments when you tag a file or artifact. - -The purpose of this feature is to associate one or more of those tags with this module -to be used for Correlation. -By default there is a tag called "Evidence" as the only tag associated with this module. - -To associate one or more tag(s) with this module, check the Correlate box next to the tag -name(s) and click OK. - -### What does it mean for a tag to be associated with this module? - -Any file or artifact that a user tags with one of the associated tags will be -added to the database as a file or artifact of interest. -Any future data source ingest, where this module is enabled, will use those -files or artifacts as if they were part of the Known Bad list, causing matching files -from that ingest to be added to the Interesting Artifacts list in that currently open case. - -The term Correlate means that files processed during a future ingest will be correlated -with files existing in the database. - -As an example, I have a case open and I tag an image called "evilphoto.png" with the -default "Evidence" tag. That image will be stored in the database as a file of interest. 
-In the next data source that I ingest for the same case or a future case, -if an image with the same MD5 hash as "evilphoto.png" -is found, it will be automatically added to the Interesting Files tree and assumed -to be evidence. -This makes it easy to find and flag things in future cases that you know are -Interesting. - -## Manage Correlation Types - -This feature allows the user to control how much data is being stored in the database -to use for correlation and analysis. -By default, only FILES is enabled. -Select the types that you want to enable and click OK. - -The meaning of each type is as follows: - -* FILES - file path and MD5 hash -* DOMAIN - domain name -* EMAIL - email address -* PHONE - phone number -* USBID - device ID of connected USB devices. - -### What does Correlation mean? - -Artifacts stored in the database are available for this module to use for analysis. -That analysis comes in many forms. -When a file or artifact is extracted during ingest, this module will use the database -to find other files or artifacts that match it, to determine if that new file should be -flagged as an Interesting File. - -If that file or artifact does not exist in the database, and that Correlation Type -is enabled, then it will be added to the database. - -Having more data in the database will obviously allow this module to be more thorough, -but for some, database size is a concern, so we allow them to select a subset of data -to collect and use for analysis. diff --git a/CentralRepository/src/org/sleuthkit/autopsy/centralrepository/docs/DEVELOP.md b/CentralRepository/src/org/sleuthkit/autopsy/centralrepository/docs/DEVELOP.md deleted file mode 100644 index 5b61ce70c4..0000000000 --- a/CentralRepository/src/org/sleuthkit/autopsy/centralrepository/docs/DEVELOP.md +++ /dev/null 
@@ -1,61 +0,0 @@ -# Instructions for doing development of Autopsy Modules - -## On Windows, Setup your development environment with Autopsy sources and javadocs - -* Install x64 PostgreSQL and setup: - * http://sleuthkit.org/autopsy/docs/user-docs/4.3/install_postgresql.html - -* Install Oracle Java SE JDK 8 - Windows x64 from Oracle: - * http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html - -* Install NetBeans (choose the 'All' version): - * https://netbeans.org/downloads/ - -* Install Git for Windows x64: - * https://git-scm.com/downloads - -* Install doxygen and make sure it is added to your PATH - * http://www.stack.nl/~dimitri/doxygen/download.html - -* Sleuthkit and the DataModel java bindings - * Clone sleuthkit repo and set TSK_HOME environment variable. - * For the java bindings, there are two ways to get these - 1. [build Sleuthkit and then the java bindings](https://github.com/sleuthkit/sleuthkit/blob/develop/win32/BUILDING.txt), requiring Visual Studio and several - dependant libraries. - 2. 
download the [Autopsy dev platform zip](https://github.com/sleuthkit/autopsy/releases/download/autopsy-4.4.0/autopsy-4.4.0-devplatform.zip) and copy autopsy-4.4.0-devplatform/autopsy/modules/ext/Tsk_DataModel_PostgreSQL.jar to TSK_HOME/bindings/java/dist/ - * Set up environment variables, sample values: - - JAVA_HOME=C:\Program Files\Java\jdk1.8.0_121 - - JDK_HOME=C:\Program Files\Java\jdk1.8.0_121 - - JRE_HOME_64=C:\Program Files\Java\jre1.8.0_121 - - LIBEWF_HOME=C:\libewf_64bit (only needed if you chose option #1 above) - - LIBVHDI_HOME=C:\libvhdi_64bit (only needed if you chose option #1 above) - - POSTGRESQL_HOME_64=c:\Program Files\PostgreSQL\9.6 (only needed if you chose option #1 above) - - TSK_HOME=c:\sleuthkit - - PATH=...;C:\Program Files\Java\jdk1.8.0_121\bin;C:\Program Files\NetBeans 8.2\extide\ant\bin;C:\Program Files\doxygen\bin - -* Build Autopsy platform: - * Reference: https://github.com/sleuthkit/autopsy/blob/develop/BUILDING.txt - * Clone Autopsy project - * git clone git@github.com:sleuthkit/autopsy.git - * git checkout develop - * Add Autopsy project to NetBeans - * File -> Open Project - * Build the top level Autopsy project - * Generate javadoc and add doc folder in the documentation tab - -If the project builds correctly, everything is installed correctly. - -## How to build disk images for development/testing - -Refer to MS technet instructions for creating/using a VHD: https://technet.microsoft.com/en-us/library/gg318052(v=ws.10).aspx - -But here is the general idea: -* On Windows, use Disk Management tool to create a Virtual Hard Disk (.vhd) using the "dynamically expanding" disk format. Choose a small-ish disk size if you want the testing to be quick. -* Initialize the disk (Initialize Disk). -* Format the disk (New Simple Volume). -* Mount that disk (Attach VHD) -* Copy some files onto the disk. -* Umount that disk (Detach VHD). Do NOT delete the disk when detaching! - -Repeat the above steps to create additional disk images. - 
diff --git a/CentralRepository/src/org/sleuthkit/autopsy/centralrepository/docs/FEATURES.md b/CentralRepository/src/org/sleuthkit/autopsy/centralrepository/docs/FEATURES.md deleted file mode 100644 index de96fee0a0..0000000000 --- a/CentralRepository/src/org/sleuthkit/autopsy/centralrepository/docs/FEATURES.md +++ /dev/null 
@@ -1,116 +0,0 @@ -# Features - -Once you have configured everything, created a case, and have run the ingest of at least one data source, -you can make use of some other exciting features that are described below. - -## Content Viewer - -This module adds a new tab to the [Content Viewer](http://sleuthkit.org/autopsy/docs/user-docs/4.3/content_viewer_page.html). -The tab for this module is called "Other Cases". -It can display data that is found in other cases, other data sources for the same case, or imported global artifacts. - -If at least one other case or data source has been ingested with this module enabled, -there is a potential that data will be displayed in the Other Cases content viewer. -If the selected file or artifact is associated by one of the supported Correlation Types, -to one or more file(s) or artifact(s) in the database, the associated files/artifacts will be displayed. -Note: the Content Viewer will display ALL associated files and artifacts available in the database. -It ignores the user's [enabled/disabled Correlation Types](CONFIG.md#manage-correlation-types). - -If the user right-clicks on a row, a menu will be displayed. -This menu has several options. -1. [Show Commonality Details](FEATURES.md#show-commonality-details) -2. [Save to CSV](FEATURES.md#save-to-csv) -3. [Show Case Details](FEATURES.md#show-case-details) -4. [Select All](FEATURES.md#select-all) - -Click option for more details. - -### Rows in the table - -By default, the rows in the content viewer will have background colors to indicate if they -are known to be of interest. -Files/artifacts that are Known Bad will have a Red background, Unknown will have Yellow background, -and Known will have a White background. - -The user can click on any column heading to sort by the values in that column. - -### Show Commonality Details - -The concept of Commonality simply means, how common is the selected file. 
-The value is the percentage of case/data source tuples that have the selected file or artifact. - -### Save to CSV - -This option will save ALL SELECTED rows in the Content Viewer table to a CSV file. -By default, the CSV file is saved into the Export directory inside the currently open Autopsy case, -but the user is free to select a different location. - -Note: if you want to copy/paste rows, it is usually possible to use CTRL+C to copy the -selected rows and then CTRL+V to paste them into a file, but it will not be CSV formatted. - -### Show Case Details - -This option will open a dialog that displays all of the relevant details for the selected case. -The details will include: -1. Case UUID -2. Case Name -3. Case Creation Date -4. Case Examiner contact information -5. Case Examiner's notes - -These details would have been entered by the examiner of the selected case, by visiting -the Case -> Enterprise Artifact Manager Case Details menu, when that case was open. - -### Select All - -This option will select all rows in the Content Viewer table. - -## Interesting Items tree - -In the Results tree of an open case is an entry called Interesting Items. -When this module is enabled, all of the enabled Correlatable Types will cause -matching files to be added to this Interesting Items tree during ingest. - -As an example, if the FILES Correlatable Type is enabled, and the ingest is -currently processing a file, for example "badfile.exe", and the MD5 hash for that -file already exists in the database as a KNOWN BAD file, then an entry in the Interesting Items tree -will be added for the current instance of "badfile.exe" in the data source currently being ingested. - -The same type of thing will happen for each [enabled Correlatable Type](CONFIG.md#manage-correlation-types). - -In the case of the PHONE correlatable type, the Interesting Items tree will start -a sub-tree for each phone number. The sub-tree will then contain each instance of that -Known Bad phone number. 
- -## Edit Enterprise Artifact Manager Case Details - -By default, Autopsy lets you edit Case Details in the Case menu. -When this module is enabled, there is an additional option in the Case menu, -called "Enterprise Artifact Manager Case Details". - -This is where the examiner can store a number of details about the case. -1. The organization of the case examiner. -2. The contact information of the case examiner. -3. The case examiner's case notes. - -To define the organization of the case examiner, simply select the organization name -from the dropdown box. -If the organization is not listed, you can click [Add New Organization](FEATURES.md#adding-a-new-organization) button. -Once the new organization is added, it should be available in the dropdown box. - -## Adding a New Organization - -An Organization can have two purposes in this module. - -1. It defines the Organization that the forensic examiner belongs to. -This organization is selected or added when Editing Correlation Case Details. -2. It defines the Organization that is the source of a Globally Known Artifact List. -This organization is selected or added during Import of a Globally Known Artifact hash list. - -When adding a new organization, only the Organization Name is required. -It is recommended to also include a Point of Contact for that organization. -This will be someone that is a manager or team lead at that Organization that -could be contacted for any questions about a case or a shared Globally Known Artifact -hash list. - -Click OK to save the new Organization.
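Review bot: the CONFIG.md hunk removes the only statement in this tree of the PostgreSQL prerequisites (an existing database named "enterpriseartifactmanagerdb" and a user/pass that owns it) and of the SQLite default-path behaviour, and the patch adds nothing in their place; either name the successor document in the commit description or fold the "Database Setup" and "Configure PostgreSQL Database Settings" sections into whatever docs remain. Wherever that guidance lands, the line "User Name is the PostgreSQL user that owns and has full permissions to the database" should say the account is to be dedicated to that database rather than a PostgreSQL superuser, since its password is saved in the module settings. Two smaller things in the removed text worth not carrying forward: the link `[Autopsy multi-user settings documentation[(http://sleuthkit.org/...)` is malformed, and the file is written as "EnterpriseArtifactManager" (menu path `Tools -> Options -> EnterpriseArtifactManager`, default db name) while it lives under `centralrepository`, so if this deletion is part of a rename the replacement needs the new names throughout.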
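Review bot: the DEVELOP.md hunk drops the only copy of the dev-platform shortcut (copy `Tsk_DataModel_PostgreSQL.jar` out of `autopsy-4.4.0-devplatform.zip` into `TSK_HOME/bindings/java/dist/`), the environment-variable list, and the VHD test-image recipe, none of which is specific to this module; consider moving them into the top-level `BUILDING.txt` the file itself links to instead of deleting them outright. If the motivation is that the download links are going stale (the Oracle JDK 8 page, netbeans.org, the stack.nl doxygen page, the 4.4.0 dev platform zip), say so in the commit description so the next person does not resurrect the file as-is.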
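Review bot: the FEATURES.md hunk deletes the only description of several cross-case data-sharing behaviours an examiner needs to know, and nothing in this patch re-states them: the "Other Cases" content viewer "will display ALL associated files and artifacts available in the database" and "ignores the user's enabled/disabled Correlation Types"; tagging a file with a correlated tag (default "Evidence") writes it to the shared database so it is treated as Known Bad in every future case; and "Show Case Details" exposes another case's UUID, name, examiner contact information and examiner notes. Before merging, either point at where this text now lives or keep at least the "Content Viewer" and "What does it mean for a tag to be associated with this module?" sections. Also note the cross-links between the deleted files (`CONFIG.md#manage-correlation-types`, `FEATURES.md#adding-a-new-organization`) would dangle if one file is later restored without the other.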