Remove older docs for Central Repo

Richard Cordovano 2017-06-29 13:11:48 -04:00
parent 48f80210d2
commit 2fae538b08
3 changed files with 0 additions and 317 deletions

@ -1,140 +0,0 @@
# Configuration
## Database Setup
There are 2 choices for database platforms: SQLite and PostgreSQL.
1. SQLite is a database in a file stored locally on the same host that is running Autopsy.
There is nothing to do to setup this database. It will be created by Autopsy on your
behalf, if it doesn't already exist.
2. PostgreSQL is a database server that can be run either on the same host that is
running Autopsy or on a remote server. To use PostgreSQL with the EnterpriseArtifactManager module,
you will need the server to be running, have an existing database named "enterpriseartifactmanagerdb"
and have an existing user/pass with ownership of the enterpriseartifactmanagerdb database.
The tables and indices will be automatically created by Autopsy.
See the [Autopsy multi-user settings documentation[(http://sleuthkit.org/autopsy/docs/user-docs/4.3/install_postgresql.html) for help setting up your PostgreSQL server.
## Enable Module and Configure Database Settings
In the menu go to: Tools -> Options -> EnterpriseArtifactManager
1. Check the box to Enable Enterprise Artifact Manager. This will enable the Database Platform dropdown and Configure button.
2. In the dropdown, select the database platform that you want to use.
3. Click the Configure button to configure the settings for the chosen database platform.
4. Click the Apply button to save your database configuration settings.
### Configure SQLite Database Settings
There is only one step here, to specify the path and filename for the database.
You can accept the default value or use the Open button to choose another path.
The database file name can be called anything you want, but it is convenient to
give it a ".db" suffix.
Once you have selected the path, click the Test Connection button.
If you see a green check next to the button, everything is ready to go.
If you see a red check next to the button, there is a problem with the path
you selected and you'll have to resolve that problem.
Once the test passes, click the Save button to save your selection and close the window.
### Configure PostgreSQL Database Settings
For PostgreSQL all values are required, but some defaults are provided for convenience.
1. Host Name/IP is the hostname or IP of your PostgreSQL server.
2. Port is the port that the PostgreSQL server is listening on; default is 5432.
3. Database name is the name of the database you are using for this module; default is enterpriseartifactmanagerdb.
4. User Name is the PostgreSQL user that owns and has full permissions to the database specified in step 3.
5. User Password is the password for the user.
Once all values have been entered, click the Test Connection button.
If you see a green check next to the button, everything is ready to go.
If you see a red check next to the button, there is a problem with the values
you entered and you'll have to resolve that problem.
Once the test passes, click the Save button to save your selection and close the window.
## Import Globally Known Artifacts
The purpose of this feature is to store any Known or Known Bad Artifacts in
the database. Think of this feature like a dynamic Hash List.
These artifacts are used during Ingest to flag files as Interesting.
They are also displayed in the Content Viewer when a file or artifact is selected that is
associated with one of the globally known artifacts.
When importing a hash database, all fields are required.
1. Select the Database Path using the Open button. This is the file containing
the hash values that you want to import. You can import multiple files, but only
one at a time. The format of these files must be the same format as used by
the hash database module.
2. Select the database type. The type of content in the database being imported.
3. Define the attribution for this database.
a. Select the Source Organization in the dropdown list.
This is the organization that provided the hash database to you.
b. If you do not see the Organization in the list, use the [Add New Organization](FEATURES.md#adding-a-new-organization) button to add it.
Once you add it, you can then select it in the dropdown list.
c. Enter a name for the dataset. This can be anything you want, but is often something like "child porn", "drugs", "malware", "corp hashlist", etc.
d. Enter a version number for that dataset. This can be anything you want, but is often something like "1.0", "1.1a", 20170505", etc.
4. Click the OK button to start the import.
## Manage Correlatable Tags
In Autopsy, you are allowed to define your own Tag names, tag files and artifacts,
and add comments when you tag a file or artifact.
The purpose of this feature is to associate one or more of those tags with this module
to be used for Correlation.
By default there is a tag called "Evidence" as the only tag associated with this module.
To associate one or more tag(s) with this module, check the Correlate box next to the tag
name(s) and click OK.
### What does it mean for a tag to be associated with this module?
Any file or artifact that a user tags with one of the associated tags will be
added to the database as a file or artifact of interest.
Any future data source ingest, where this module is enabled, will use those
files or artifacts as if they were part of the Known Bad list, causing matching files
from that ingest to be added to the Interesting Artifacts list in that currently open case.
The term Correlate means that files processed during a future ingest will be correlated
with files existing in the database.
As an example, I have a case open and I tag an image called "evilphoto.png" with the
default "Evidence" tag. That image will be stored in the database as a file of interest.
In the next data source that I ingest for the same case or a future case,
if an image with the same MD5 hash as "evilphoto.png"
is found, it will be automatically added to the Interesting Files tree and assumed
to be evidence.
This makes it easy to find and flag things in future cases that you know are
Interesting.
## Manage Correlation Types
This feature allows the user to control how much data is being stored in the database
to use for correlation and analysis.
By default, only FILES is enabled.
Select the types that you want to enable and click OK.
The meaning of each type is as follows:
* FILES - file path and MD5 hash
* DOMAIN - domain name
* EMAIL - email address
* PHONE - phone number
* USBID - device ID of connected USB devices.
### What does Correlation mean?
Artifacts stored in the database are available for this module to use for analysis.
That analysis comes in many forms.
When a file or artifact is extracted during ingest, this module will use the database
to find other files or artifacts that match it, to determine if that new file should be
flagged as an Interesting File.
If that file or artifact does not exist in the database, and that Correlation Type
is enabled, then it will be added to the database.
Having more data in the database will obviously allow this module to be more thorough,
but for some, database size is a concern, so we allow them to select a subset of data
to collect and use for analysis.
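Review bot: this hunk deletes CONFIG.md outright and the commit adds nothing in its place (0 additions, 317 deletions), so the only written guidance on the PostgreSQL setup (a database named enterpriseartifactmanagerdb, a dedicated user with ownership of it, Test Connection before Save) and on which Correlation Types cause data to be stored disappears with it. If the Central Repository documentation now lives elsewhere, the commit message should say where; otherwise keep at least the Database Setup and Manage Correlation Types sections until a replacement lands.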

@ -1,61 +0,0 @@
# Instructions for doing development of Autopsy Modules
## On Windows, Setup your development environment with Autopsy sources and javadocs
* Install x64 PostgreSQL and setup:
* http://sleuthkit.org/autopsy/docs/user-docs/4.3/install_postgresql.html
* Install Oracle Java SE JDK 8 - Windows x64 from Oracle:
* http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
* Install NetBeans (choose the 'All' version):
* https://netbeans.org/downloads/
* Install Git for Windows x64:
* https://git-scm.com/downloads
* Install doxygen and make sure it is added to your PATH
* http://www.stack.nl/~dimitri/doxygen/download.html
* Sleuthkit and the DataModel java bindings
* Clone sleuthkit repo and set TSK_HOME environment variable.
* For the java bindings, there are two ways to get these
1. [build Sleuthkit and then the java bindings](https://github.com/sleuthkit/sleuthkit/blob/develop/win32/BUILDING.txt), requiring Visual Studio and several
dependant libraries.
2. download the [Autopsy dev platform zip](https://github.com/sleuthkit/autopsy/releases/download/autopsy-4.4.0/autopsy-4.4.0-devplatform.zip) and copy autopsy-4.4.0-devplatform/autopsy/modules/ext/Tsk_DataModel_PostgreSQL.jar to TSK_HOME/bindings/java/dist/
* Set up environment variables, sample values:
- JAVA_HOME=C:\Program Files\Java\jdk1.8.0_121
- JDK_HOME=C:\Program Files\Java\jdk1.8.0_121
- JRE_HOME_64=C:\Program Files\Java\jre1.8.0_121
- LIBEWF_HOME=C:\libewf_64bit (only needed if you chose option #1 above)
- LIBVHDI_HOME=C:\libvhdi_64bit (only needed if you chose option #1 above)
- POSTGRESQL_HOME_64=c:\Program Files\PostgreSQL\9.6 (only needed if you chose option #1 above)
- TSK_HOME=c:\sleuthkit
- PATH=...;C:\Program Files\Java\jdk1.8.0_121\bin;C:\Program Files\NetBeans 8.2\extide\ant\bin;C:\Program Files\doxygen\bin
* Build Autopsy platform:
* Reference: https://github.com/sleuthkit/autopsy/blob/develop/BUILDING.txt
* Clone Autopsy project
* git clone git@github.com:sleuthkit/autopsy.git
* git checkout develop
* Add Autopsy project to NetBeans
* File -> Open Project
* Build the top level Autopsy project
* Generate javadoc and add doc folder in the documentation tab
If the project builds correctly, everything is installed correctly.
## How to build disk images for development/testing
Refer to MS technet instructions for creating/using a VHD: https://technet.microsoft.com/en-us/library/gg318052(v=ws.10).aspx
But here is the general idea:
* On Windows, use Disk Management tool to create a Virtual Hard Disk (.vhd) using the "dynamically expanding" disk format. Choose a small-ish disk size if you want the testing to be quick.
* Initialize the disk (Initialize Disk).
* Format the disk (New Simple Volume).
* Mount that disk (Attach VHD)
* Copy some files onto the disk.
* Umount that disk (Detach VHD). Do NOT delete the disk when detaching!
Repeat the above steps to create additional disk images.
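Review bot: most of this file is general Autopsy development setup rather than Central Repo material: the JDK/NetBeans/doxygen installs, the TSK_HOME and JDK_HOME environment variables, the devplatform zip workaround for obtaining Tsk_DataModel_PostgreSQL.jar, and the VHD test-image procedure. Deleting it together with the Central Repo docs loses that; consider moving the environment-variable list and the "How to build disk images for development/testing" section into BUILDING.txt (already cited here as `Reference: https://github.com/sleuthkit/autopsy/blob/develop/BUILDING.txt`) instead of dropping them.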

@ -1,116 +0,0 @@
# Features
Once you have configured everything, created a case, and have run the ingest of at least one data source,
you can make use of some other exciting features that are described below.
## Content Viewer
This module adds a new tab to the [Content Viewer](http://sleuthkit.org/autopsy/docs/user-docs/4.3/content_viewer_page.html).
The tab for this module is called "Other Cases".
It can display data that is found in other cases, other data sources for the same case, or imported global artifacts.
If at least one other case or data source has been ingested with this module enabled,
there is a potential that data will be displayed in the Other Cases content viewer.
If the selected file or artifact is associated by one of the supported Correlation Types,
to one or more file(s) or artifact(s) in the database, the associated files/artifacts will be displayed.
Note: the Content Viewer will display ALL associated files and artifacts available in the database.
It ignores the user's [enabled/disabled Correlation Types](CONFIG.md#manage-correlation-types).
If the user right-clicks on a row, a menu will be displayed.
This menu has several options.
1. [Show Commonality Details](FEATURES.md#show-commonality-details)
2. [Save to CSV](FEATURES.md#save-to-csv)
3. [Show Case Details](FEATURES.md#show-case-details)
4. [Select All](FEATURES.md#select-all)
Click option for more details.
### Rows in the table
By default, the rows in the content viewer will have background colors to indicate if they
are known to be of interest.
Files/artifacts that are Known Bad will have a Red background, Unknown will have Yellow background,
and Known will have a White background.
The user can click on any column heading to sort by the values in that column.
### Show Commonality Details
The concept of Commonality simply means, how common is the selected file.
The value is the percentage of case/data source tuples that have the selected file or artifact.
### Save to CSV
This option will save ALL SELECTED rows in the Content Viewer table to a CSV file.
By default, the CSV file is saved into the Export directory inside the currently open Autopsy case,
but the user is free to select a different location.
Note: if you want to copy/paste rows, it is usually possible to use CTRL+C to copy the
selected rows and then CTRL+V to paste them into a file, but it will not be CSV formatted.
### Show Case Details
This option will open a dialog that displays all of the relevant details for the selected case.
The details will include:
1. Case UUID
2. Case Name
3. Case Creation Date
4. Case Examiner contact information
5. Case Examiner's notes
These details would have been entered by the examiner of the selected case, by visiting
the Case -> Enterprise Artifact Manager Case Details menu, when that case was open.
### Select All
This option will select all rows in the Content Viewer table.
## Interesting Items tree
In the Results tree of an open case is an entry called Interesting Items.
When this module is enabled, all of the enabled Correlatable Types will cause
matching files to be added to this Interesting Items tree during ingest.
As an example, if the FILES Correlatable Type is enabled, and the ingest is
currently processing a file, for example "badfile.exe", and the MD5 hash for that
file already exists in the database as a KNOWN BAD file, then an entry in the Interesting Items tree
will be added for the current instance of "badfile.exe" in the data source currently being ingested.
The same type of thing will happen for each [enabled Correlatable Type](CONFIG.md#manage-correlation-types).
In the case of the PHONE correlatable type, the Interesting Items tree will start
a sub-tree for each phone number. The sub-tree will then contain each instance of that
Known Bad phone number.
## Edit Enterprise Artifact Manager Case Details
By default, Autopsy lets you edit Case Details in the Case menu.
When this module is enabled, there is an additional option in the Case menu,
called "Enterprise Artifact Manager Case Details".
This is where the examiner can store a number of details about the case.
1. The organization of the case examiner.
2. The contact information of the case examiner.
3. The case examiner's case notes.
To define the organization of the case examiner, simply select the organization name
from the dropdown box.
If the organization is not listed, you can click [Add New Organization](FEATURES.md#adding-a-new-organization) button.
Once the new organization is added, it should be available in the dropdown box.
## Adding a New Organization
An Organization can have two purposes in this module.
1. It defines the Organization that the forensic examiner belongs to.
This organization is selected or added when Editing Correlation Case Details.
2. It defines the Organization that is the source of a Globally Known Artifact List.
This organization is selected or added during Import of a Globally Known Artifact hash list.
When adding a new organization, only the Organization Name is required.
It is recommended to also include a Point of Contact for that organization.
This will be someone that is a manager or team lead at that Organization that
could be contacted for any questions about a case or a shared Globally Known Artifact
hash list.
Click OK to save the new Organization.
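Review bot: the deleted FEATURES.md is the only place that documents two behaviours an examiner relies on when triaging results: the Other Cases viewer shows every associated file regardless of the user's Correlation Type settings (`Note: the Content Viewer will display ALL associated files and artifacts available in the database.` / `It ignores the user's [enabled/disabled Correlation Types](CONFIG.md#manage-correlation-types).`), and the Red/Yellow/White row colouring for Known Bad/Unknown/Known. Both should be carried into whatever replaces these docs. Also note that CONFIG.md and FEATURES.md link to each other's anchors (`FEATURES.md#adding-a-new-organization`, `CONFIG.md#manage-correlation-types`), so a partial restoration of either file needs the other file or rewritten links.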