Generated Doxygen pages corresponding to JavaHelp

docs/doxygen-user/README.txt

@@ -0,0 +1,4 @@
+To generate documentation, use doxygen.
+Get the latest Doxygen source code from https://github.com/doxygen/doxygen
+Make appropriate changes to the OUTPUT_DIRECTORY, INPUT, IMAGE_PATH tags in the DoxyFile configuration file.
+Command: ./doxygen path/to/the/DoxyFile

docs/doxygen-user/adding_a_data_source.dox

@@ -0,0 +1,18 @@
+/*! \page adding_a_data_source Adding A Data Source
+
+\li Go to "File" and select "Add Data Source..."
+\li Select the
+\image html add-data-source.PNG
+icon on the toolbar
+
+This will bring up the Add Data Source wizard. It will guide you through the process.
+
+<b>Here are some notes on what is going on during the process:</b> \n
+\li The first panel will ask you to select the data source type and browse for the data source (image or files located on the computer, or select the device detected). In case of adding a disk image, you will also need to specify the timezone that the disk image came from so that the dates and times can be properly displayed and converted. As soon as you click 'Next >', Autopsy will begin analyzing the disk image and populating the database in the background. \image html select-data-source-type.PNG
+\li The second panel allows you to choose which ingest modules to run on the image. Refer to the Image Ingest part of the help guide for more details. \image html select-ingest-modules.PNG
+\li The third panel provides a progress bar and information about the data source Autopsy is currently processing. If small enough, the input may have already finished processing, allowing you to continue past this panel. However, it may be necessary to wait for a short time while the database is populated. \image html data-source-progress-bar.PNG
+\li Once the input data source finishes adding, the ingest modules you selected will automatically run in the background. If the data source is processed before you select ingest modules, Autopsy will wait until you have done so.
+
+Note that in case of image, Autopsy will store the path to the image in its configuration file. If the image moves, then Autopsy will give an error because it can't find the image file and it will prompt user to point to the new image location.
+
+*/

docs/doxygen-user/case.dox

@@ -0,0 +1,10 @@
+/*! \page case Case
+\section about_cases  About Cases
+In Autopsy, a "case" is a container concept for a set of input data sources (disk images, disk devices, logical files). The set of data could be from multiple drives in a single computer or from multiple computers. When you make a case, it will create a directory to hold all of the information. The directory will contain the main Autopsy configuration file, other module's configuration files, some databases, generated reports, and some other information (temporary files, cache files). The main Autopsy case configuration file as a .aut extension - that is the file used to "Open" the case. In general, it is recommended for the user not to modify any files in the Case directory and leave it to Autopsy manage it.
+If you want to view case details or edit some case information, use the Case Properties window.
+\subsection creating_a_case Creating a Case
+Refer to the Creating a Case page for more details.
+\subsection opening_a_case  Opening a Case
+To open a case, choose "Open Case" from the File menu or use the "Ctrl + O" keyboard shortcut. Navigate to the case directory and select the ".aut" file.
+
+*/

docs/doxygen-user/case_management.dox

@@ -0,0 +1,4 @@
+/*! \page case_management Cases and Data Sources
+
+Also see \subpage case, \subpage data_source, \subpage case_properties_window.
+*/

docs/doxygen-user/case_properties_window.dox

@@ -0,0 +1,5 @@
+/*! \page case_properties_window Case Properties Window
+
+
+
+*/

docs/doxygen-user/content_viewers.dox

@@ -0,0 +1,18 @@
+/*! \page content_viewers Content Viewers
+
+The Content Viewer area is in the lower right area of the interface. This area is used to view a specific file in a variety of formats. There are different tabs for different viewers. Not all tabs support all file types, so only some of them will be enabled. To display data in this area, a file must be selected from the Result Viewer window.
+
+The Content Viewer area is part of a plug-in framework. You can install modules that will add more viewer types. This section describes the viewers that come by default with Autopsy.
+
+Here's an example of a "Content Viewer" window:
+\image html content-viewer-window-example.PNG
+ 
+<b>Default Viewers</b>
+Currently, there are 5 main tabs on "Content Viewer" window:
+\li \subpage result_viewers
+\li \subpage hex_content_viewer
+\li \subpage string_content_viewer
+\li \subpage media_content_viewer
+\li \subpage text_content_viewer
+
+*/

docs/doxygen-user/data_explorer.dox

@@ -0,0 +1,19 @@
+/*! \page data_explorer Data Explorers
+
+\section about_the_data_explorer About the Data Explorer
+The Data Explorer view in Autopsy is the \ref directory_tree "directory tree" node structure seen on the left hand side.
+The data explorer contains the following data:
+\li Image file-system with its directory structure that can be navigated,
+\li Saved results of image and file analysis, such as results produced by the ingest process,
+\li Built-in views and filters on the file-system and saved results.
+
+The data explorer provides different methods for finding relevant data, such as:
+\li All files of a specific type
+\li Different extracted content types (web bookmarks, web history, installed programs, devices, etc.)
+\li Hash database hits
+\li Keyword hits
+\li File bookmarks
+
+The Data Explorer will publish all relevant data to the \ref result_viewers "Result Viewer" when specific nodes are clicked. In general, if you are looking for an 'analysis technique', then this is where you should look.
+
+*/

docs/doxygen-user/data_source.dox

@@ -0,0 +1,22 @@
+/*! \page data_source Data Source
+\section about_data_source About Data Sources
+Autopsy supports 3 types of data sources that can be added to the Case:
+\li Disk Image (raw, Encase, etc). "Image" refers to a byte-for-byte copy of a hard drive or other storage media.
+\li Disk Device (physical or logical disk partition, plugged in the user machine and detected by Autopsy). Note: to correctly detect all devices, Autopsy needs to run as Administrator.
+\li Logical Files (files and folders on the user machine file system)
+User needs to select the data source type from the pull down menu in the Add Data Source wizard.
+To analyze a Data Source, user should use the Add Data Source Wizard to add it to a case.
+Autopsy populates an embedded database for each data source (image, disk device, logical files) that it imports. This database is a SQLite database and it contains all of the file system metadata from the input data source. The database is stored in the case directory, but the data source will stay in its original location. The data source must remain accessible for the duration of the analysis because the database contains only basic file system information (meta-data, not the actual content). The image / files are needed to retrieve file content.
+\section supported_image_formats Supported Image Formats
+Currently, Autopsy supports these image formats:
+\li Raw Single (For example: *.img, *.dd, *.raw, etc)
+\li Raw Split (For example: *.001, *.002, *.aa, *.ab, etc)
+\li EnCase (For example: *.e01, *e02, etc)
+\section adding_a_data_source_subsection Adding a Data Source
+\subpage adding_a_data_source There are two ways to add an data source to the currently opened case.
+\section removing_a_data_source Removing a Data Source
+You cannot currently remove an data source from a case.
+
+
+
+*/

docs/doxygen-user/directory_tree.dox

@@ -0,0 +1,18 @@
+/*! \page directory_tree Directory Tree
+    
+\section about_data_explorer About Data Explorer (Directory Tree)
+The data explorer tree is a very important area of the interface. This is where you will start many of your analysis approaches and find saved results from automated procedures (ingest). The tree has three main areas:
+\li <b>Images:</b> \n Where you can find the directory tree hierarchy of the file systems in the images. Go here to navigate to a specific file or directory.
+\li <b>Views:</b> \n  Where you can view all of the files in the images, but organized by file type or dates instead of directories. Go here if you are looking for files of a given type or that were recently used.
+\li <b>Results:</b> \n  Where you can see the results from the background ingest tasks and you can see your previous search results. Go here to see what was found by the ingest modules and to find your previous search results.
+\li <b>Bookmarks:</b> \n  Where you can view all file and results that have been bookmarked for easy access.
+
+Below is an example of an Data Explorer Tree window:
+image html explorer-tree.PNG
+
+Also see 
+\subpage image_details_window,
+\subpage volume_details_window,
+\subpage extracting_unallocated_space
+
+*/

docs/doxygen-user/extracting_unallocated_space.dox

@@ -0,0 +1,11 @@
+/*! \page extracting_unallocated_space Extracting Unallocated Space
+
+Unallocated space are chunks of the file system that is currently not being used for anything. Unallocated space can store deleted files and other interesting artifacts. On the actual image, Unallocated space is stored in blocks with distinct locations on the system. However, because of the way various carving tools work, it is more ideal to feed them a single, large unallocated file. Autopsy provides access to both methods of looking at unallocated space.
+\li Individual Blocks Underneath a volume, there is a folder named Unalloc. This folder contains all the individual unallocated blocks as the image is storing them. You can right click and extract them the same way you can extract any other type of file in the Directory Tree.
+\li Single Files There are two ways to extract unallocated space as a single file. Right clicking on a volume and selecting "Extract Unallocated Space as Single File" will concatenate all the unallocated files into a single, continuous file for the volume. The second way is to right click on an image, and select "Extract Unallocated Space to Single Files". This option will extract one single file for each volume in the image. Progress on extraction is sent to the progress bar in the bottom right. Progress is based on number of files concatenated. These files are stored in the Export folder under the case directory. Files are named according to ImageName-Unalloc-ImageObjectID-VolumeID.dat This naming scheme ensures that no duplicate file names will occur even if an there are two images with the same name in a case.
+
+Below is where to find the single file extraction option
+
+\image html extracting-unallocated-space.PNG
+
+*/

docs/doxygen-user/file_search.dox

@@ -0,0 +1,20 @@
+/*! \page file_search File Search
+
+\section about_file_search About File Search
+File Search tool can be accessed either from the Tools menu or by right-clicking on image node in the Data Explorer / Directory Tree. By using File Search, you can specify, filter, and show the directories and files that you want to see from the images in the current opened case. The File Search results will be populated in a brand new Table Result viewer on the right-hand side.
+Currently, Autopsy only supports 4 categories in File Search: Name, Size, Date, and Known Status based search.
+<b>Note: Currently File Search doesn't support regular expression, however the Keyword Search feature of Autopsy does also look in file names and it does support regular expressions, which can complimentary to the File Search.</b>
+
+\subsection how_to_open_file_search_subsection How to Open File Search
+To see how to open File Search, click \ref how_to_open_file_search "here".
+<b>Note: The File Search Window is opened and closed automatically. If there's a case opened and there is at least one image inside that case, File Search Window can't be closed.</b>
+
+\subsection how_to_use_file_search_subsection How to Use File Search
+To see how to use File Search, click \ref how_to_use_file_search "here".
+
+<b>Example</b>
+Here's an example of a File Search window:
+
+\image html file-search-top-component.PNG
+
+*/

docs/doxygen-user/hash_database_management_window.dox

@@ -0,0 +1,27 @@
+/*! \page hash_database_management_window Hash Database Management Window
+
+The Hash Database Management window is where you can set and update your hash database information. Hash databases are used to identify files that are 'known'.
+\li Known good files are those that can be safely ignored. This set of files frequently includes standard OS and application files. Ignoring such uninteresting to the investigator files, can greatly reduce image analysis time.
+\li Known bad (also called notable) files are those that should raise awareness. This set will vary depending on the type of investigation, but common examples include contraband images and malware.
+
+\section notable_known_bad_hashsets Notable / Known Bad Hashsets
+Autopsy allows for multiple known bad hash databases to be set. Autopsy supports three formats:
+\li EnCase: An EnCase hashset file.
+\li MD5sum: Output from running the md5, md5sum, or md5deep program on a set of files.
+\li NSRL: The format of the NSRL database.
+\li HashKeeper: Hashset file conforming to the HashKeeper standard.
+
+<b>NIST_NSRL:</b>
+Autopsy can use the <A HREF="http://www.nsrl.nist.gov">NIST NSRL</A> to detect 'known files'. Note that the NSRL contains hashes of 'known files' that may be good or bad depending on your perspective and investigation type. For example, the existence of a piece of financial software may be interesting to your investigation and that software could be in the NSRL. Therefore, Autopsy treats files that are found in the NSRL as simply 'known' and does not specify good or bad. Ingest modules have the option of ignoring files that were found in the NSRL.
+To use the NSRL, you must concatenate all of the NSRLFile.txt files together. You can use 'cat' on a Unix system or from within Cygwin to do this.
+\section adding_hashsets Adding Hashsets
+Autopsy needs an index of the hashset to actualy use a hash database. It can create the index if you import only the hashset. When you select the database from within this window, it will tell you if the index needs to be created. Autopsy uses the hash database management system from The Sleuth Kit. You can manually create an index using the 'hfind' command line tool or you can use Autopsy. If you attempt proceed without indexing a database, Autopsy will offer to automatically produce an index for you.
+You can also specify only the index file and not use the full hashset - the index file is sufficient to identify known files. This can save space. To do this, specify the .idx file from the Hash Database Management window.
+\section using_hashsets Using Hashsets
+There is an \ref ingest "ingest module" that will hash the files and look them up in the hashsets. It will flag files that were in the notable hashset and those results will be shown in the Results tree of the \ref directory_tree "Data Explorer".
+Other ingest modules are able to use the known status of a file to decide if they should ignore the file or process it.
+You can also see the results in the \ref how_to_open_file_search "File Search" window. There is an option to choose the 'known status'. From here, you can do a search to see all 'known bad' files. From here, you can also choose to ignore all 'known' files that were found in the NSRL. You can also see the status of the file in a column when the file is listed.
+\image html hash-database-configuration.PNG
+ 
+
+*/

docs/doxygen-user/hex_content_viewer.dox

@@ -0,0 +1,9 @@
+/*! \page hex_content_viewer Hex Content Viewer
+Hex Content Viewer shows you the raw and exact contents of a file. In this Hex Content Viewer, the data of the file is represented as hexadecimal values grouped in 2 groups of 8 bytes, followed by one group of 16 ASCII characters which are derived from each pair of hex values (each byte). Non-printable ASCII characters and characters that would take more than one character space are typically represented by a dot (".") in the following ASCII field.
+
+<b>Example</b> \n
+Below is an example of "Hex Content Viewer" window:
+\image html hex-content-viewer-tab.PNG
+
+*/
+ 

docs/doxygen-user/how_to_open_file_search.dox

@@ -0,0 +1,11 @@
+/*! \page how_to_open_file_search How To Open File Search
+    
+How to Open File Search
+To open the File Search, you can do one of the following thing:
+Right click an image and choose "Open File Search by Attributes".
+\image html open-file-search-component-1.PNG
+Select the "Tools" > "File Search by Attributes".
+\image html open-file-search-component-2.PNG
+<b>Note: The File Search Window is opened and closed automatically. If there's a case opened and there is at least one image inside that case, File Search Window can't be closed.</b>
+
+*/

docs/doxygen-user/how_to_use_file_search.dox

@@ -0,0 +1,19 @@
+/*! \page how_to_use_file_search How To Use File Search
+
+Currently, there are 4 categories that you can use to filter and show the directories and files within the images in the current opened case.
+The categories are:
+\li Name:
+Search for all files and directory whose name contains the pattern given.
+Note: it doesn't support regular expression and keyword matching.
+\li Size:
+Search for all files and directory whose size matches the pattern given. The pattern can be "equal to", "greater than", and "less than". The unit for the size can be "Byte(s)", "KB", "MB", "GB", and "TB".
+\li Date:
+Search for all files and directory whose "date property" is within the date range given. The "date properties" are "Modified Date", "Accessed Date", "Changed Date", and "Created Date". You must also specify the timezone for the date given.
+\li Known Status:
+Search for all files and directory whose known status is recognized as either Unknown, Known, or Known Bad. For more on Known Status, see Hash Database Management.
+To use any of these filters, check the box next to the category and click "Search" button to start the search process. The result will show up in the "Result Viewer".
+Example
+Here's an example where I try to get all the directories and files whose name contains "hello", has a size greater than 1000 Bytes,was created between 06/15/2010 and 06/16/2010 (in GMT-5 timezone), and is an unknown file:
+\image html example-of-file-sarch.PNG
+
+*/

docs/doxygen-user/image_details_window.dox

@@ -0,0 +1,11 @@
+/*! \page image_details_window Image Detail Window
+
+The Image Details window shows you basic information about a disk image. You can access it by right-clicking on an image in the tree and choosing "Image Details".
+
+\image html show-image-details.PNG
+
+An example is shown here:
+
+\image html image-detail-window.PNG
+
+*/

docs/doxygen-user/ingest.dox

@@ -0,0 +1,41 @@
+/*! \page ingest Ingest
+
+    
+<b>Image Ingest</b> \n
+Autopsy tries to automate as many things as possible for the user. There are many tasks that will always be performed in a digital investigation and they normally involve some type of image or file analysis and extraction of a certain type of information. The analysis can be a lengthy process, especially for large images and when a number of types of analysis needs to be performed.
+
+Ingest is a technique of automating these tasks. Autopsy allows to run these lengthy analysis tasks in the background, while the user can browse the application interface and review the ingest results as their appear. Ingest is similar to triage. Autopsy attempts to process files inside the ingested image in such order so that the more interesting files (user-related files) are processed files.
+
+The ingest process begins after the basic file system information has been added to the database. A series of ingest modules (described in a following section) run automatically behind the scenes and make their results available as soon as possible. Autopsy is designed so that these results are reported to the user in real-time, and even for very large images to be processed there can be initial results available minutes, sometimes seconds after the analysis has started.
+
+You can start image ingest in two ways. When you add an image with the Add Data Source wizard, you will be shown the list of ingest modules and you can choose which you want to run. You can also launch the Ingest Manager run ingest by right clicking on an image in the explorer tree and choosing "Restart Image Ingest".
+
+Once ingest is started, you can review the currently running ingest tasks in the task bar on the bottom-right corner of the main window. The ingest tasks can be canceled by the user if so desired.
+
+<b>Note: sometimes the cancellation process make take several seconds or more to complete cleanly, depending on what the ingest module was currently doing. </b>
+
+The ingest message inbox will provide notifications when the particular ingest modules start and finish running. There may also be error notifications, and result notifications sent by specific ingest modules.
+
+The results from the ingest modules can typically be found in the Results area of the explorer tree. However, some modules may choose to write results to a local file or to some other location and not make them available in the UI.
+
+<b>Ingest Modules</b> \n
+An ingest module is responsible for extracting data from and searching images. Different modules will do different things. Examples include:
+\li Calculate MD5 hash of each file
+\li Lookup MD5 hash in database
+\li Detect file type of each file
+\li Keyword search each file
+\li Extract web artifacts (downloads, history, installed programs, web search engine queries, etc.)
+\li Extract Email messages
+\li Extract connected device IDs.
+\li Extract EXIF meta-data from picture files
+
+<b>Configuring Ingest Modules</b> \n
+There are two places to configure ingest modules. When the Ingest Manager is launched, there may be a small set of options the module allows you to edit directly in the Ingest Manager. Additionally, the Ingest Manager may display an "Advanced" button, which will open up a larger configuration menu with more available settings. This advanced configuration menu can often be found in the "Tools" > "Options" menu, along with the advanced settings for numerous other ingest modules.
+
+Before launching ingest, you should go over the modules configuration by selecting every module in the list and review the current ingest module settings. Some modules need to be configured at least the first time Autopsy is used to have default configuration populated, otherwise they won't perform any analysis. Changing the modules configuration will potentially affect number of results found, it might also affect the total time required for ingest to run and how fast the results are reported in real-time.
+
+<b>Adding Ingest Modules</b> \n
+Ingest modules can be created by third-party-developers and can be added independently of Autopsy. This can be done through Autopsy's plugin manager. This is accessible through the "Tools" > "Plugins" menu. Currently, the best way to add an ingest module is by navigating to the module's NBM file after choosing "Add Plugin..." in the "Downloaded" tab of the plugin manager. Autopsy will require a restart after any modules are installed in order to properly load and display them.
+
+Also see \subpage message_inbox
+*/

docs/doxygen-user/keyword_search.dox

@@ -0,0 +1,24 @@
+/*! \page keyword_search Keyword Search
+
+ Autopsy ships a keyword search module, which provides the \ref ingest "ingest capability" and also supports a manual text search mode.
+
+ The keyword search ingest module extracts text from the files on the image being ingested and adds them to the index that can then be searched.
+
+ Autopsy tries its best to extract maximum amount of text from the files being indexed. First, the indexing will try to extract text from supported file formats, such as pure text file format, MS Office Documents, PDF files, Email files, and many others. If the file is not supported by the standard text extractor, Autopsy will fallback to string extraction algorithm. String extraction on unknown file formats or arbitrary binary files can often still extract a good amount of text from the file, often good enough to provide additional clues. However, string extraction will not be able to extract text strings from binary files that have been encrypted.
+
+ Autopsy ships with some built-in lists that define regular expressions and enable user to search for Phone Numbers, IP addresses, URLs and E-mail addresses. However, enabling some of these very general lists can produce a very large number of hits, many of them can be false-positives.
+
+ Once files are in the index, they can be searched quickly for specific keywords, regular expressions, or using keyword search lists that can contain a mixture of keywords and regular expressions. Search queries can be executed automatically by the ingest during the ingest run, or at the end of the ingest, depending on the current settings and the time it takes to ingest the image.
+
+ Search queries can also be executed manually by the user at any time, as long as there are some files already indexed and ready to be searched.
+
+ Keyword search module will save the search results regardless whether the search is performed by the ingest process, or manually by the user. The saved results are available in the Directory Tree in the left hand side panel.
+
+ To see keyword search results in real-time while ingest is running, add keyword lists using the \subpage keyword_search_configuration_dialog "Keyword Search Configuration Dialog" and select the "Use during ingest" check box. You can select "Send messages to inbox during ingest" per list, if the hits on that list should be reported in the Inbox, which is recommended for very specific searches.
+
+ See (\ref ingest "Ingest") for more information on ingest in general.
+
+ Once there are files in the index, the \subpage keyword_search_bar "Keyword Search Bar" will be available for use to manually search at any time.
+
+
+*/

docs/doxygen-user/keyword_search_bar.dox

@@ -0,0 +1,21 @@
+/*! \page keyword_search_bar Keyword Search Bar
+
+The keyword search bar is used to search for keywords in the manual mode (outside of ingest). The existing index will be searched for matching words, phrases, lists, or regular expressions. Results will be opened in a separate Results Viewer for every search executed and they will also be saved in the Directory Tree.
+
+<b>Individual Keyword Search</b> \n
+Individual keyword or regular expressions can be quickly searched using the search text box widget. To toggle between keyword and regular expression mode, use the down arrow in the search box.
+
+<b>Keyword List Search</b> \n
+Lists created using the Keyword Search Configuration Dialog can be manually searched by the user by pressing on the 'Keyword Lists' button, selecting the check boxes corresponding to the lists to be searched, and pressing the 'Search' button.
+
+<b>Searching during ingest</b> \n
+The manual search for individual keywords or regular expressions can be executed also during the ongoing ingest on the current index using the search text box widget. Note however, that you may miss some results if not entire index has yet been populated. Autopsy enables you to perform the search on an incomplete index in order to retrieve some preliminary results in real-time.
+
+During the ingest, the manual search by keyword list is deactivated. A newly selected list can instead be added to the ongoing ingest, and it will be searched in the background instead.
+
+Keywords and lists can be managed during ingest.
+
+\image html keyword-search-bar.PNG
+ 
+
+*/

docs/doxygen-user/keyword_search_configuration_dialog.dox

@@ -0,0 +1,33 @@
+/*! \page keyword_search_configuration_dialog Keyword Search Configuration Dialog
+
+The keyword search configuration dialog has three tabs, each with it's own purpose:
+\li The Lists tab is used to add, remove, and modify keyword search lists.
+\li The String Extraction tab is used to enable language scripts and extraction type.
+\li The General tab is used to configure the ingest timings and display information.
+
+To create a list, select the 'New List' button and choose a name for the new Keyword List. Once the list has been created, keywords can be added to it. Regular expressions are supported using Java Regex Syntax. Lists can be added to the keyword search ingest process; searches will happen at regular intervals as content is added to the index.
+
+<b>List Import and Export</b> \n
+Autopsy supports importing Encase tab-delimited lists as well as lists created previously with Autopsy. For Encase lists, folder structure and hierarchy is currently ignored. This will be fixed in a future version. There is currently no way to export lists for use with Encase. This will also be added in future releases.
+
+<b>String extraction setting</b> \n
+The string extraction setting defines how strings are extracted from files from which text cannot be extracted because their file formats are not supported. This is the case with arbitrary binary files (such as the page file) and chunks of unallocated space that represent deleted files.
+When we extract strings from binary files we need to interpet sequences of bytes as text differently, depending on the possible text encoding and script/language used. In many cases we don't know what the specific encoding / language the text is be encoded in in advance. However, it helps if the investigator is looking for a specific language, because by selecting less languages the indexing performance will be improved and a number of false positives will be reduced.
+The default setting is to search for English strings only, encoded as either UTF8 or UTF16. This setting has the best performance (shortest ingest time).
+The user can also use the String Viewer first and try different script/language settings, and see which setting gives satisfactory results for the type of text relevant to the investigation. Then the same setting that works for the investigation can be applied to the keyword search ingest.
+
+<b>NIST NSRL Support</b> \n
+The hash database ingest service can be configured to use the NIST NSRL hash database of known files. The keyword search advanced configuration dialog "General" tab contains an option to skip keyword indexing and search on files that have previously marked as "known" and uninteresting files. Selecting this option can greatly reduce size of the index and improve ingest performance. In most cases, user does not need to keyword search for "known" files.
+
+<b>Result update frequency during ingest</b> \n
+To control how frequently searches are executed during ingest, user can adjust the timing setting available in the keyword search advanced configuration dialog "General" tab. Setting the number of minutes lower will result in more frequent index updates and searches being executed and the user will be able to see results more in real-time. However, more frequent updates can affect the overall performance, especially on lower-end systems, and can potentially lengthen the overall time needed for the ingest to complete.
+
+<b>Lists tab</b> \n
+\image html keyword-search-configuration-dialog.PNG
+
+<b> String Extraction tab</b>
+\image html keyword-search-configuration-dialog-string-extraction.PNG
+
+<b>General tab</b>
+\image html keyword-search-configuration-dialog-general.PNG
+*/

docs/doxygen-user/main.dox

@@ -14,13 +14,20 @@ Help Topics
 The following topics are available here:
 
 - \subpage installation_page
-- \subpage quick_start_page
-- \subpage case_mgmt_page
-- \subpage image_viewer_page
-- \subpage timeline_page
+- \subpage quick_start_guide "Quick Start Guide"
+- \subpage overview "Overview"
+- \subpage case_management "Case Management"
+- \subpage hash_database_management_window "Hash Database Management Window"
+- \subpage keyword_search "Keyword Search"
+- \subpage ingest "Ingest"
+- \subpage data_explorer "Data Explorers"
+- \subpage directory_tree "Directory Tree"
+- \subpage file_search "File Search"
+- \subpage result_viewers "Result Viewers"
+- \subpage content_viewers "Content Viewers"
+- \subpage timeline
+
 
 If the topic you need is not listed, refer to the Help system in the tool or the wiki (http://wiki.sleuthkit.org/index.php?title=Autopsy_User%27s_Guide). 
 
-*/
-
-
+*/

docs/doxygen-user/media_content_viewer.dox

@@ -0,0 +1,10 @@
+/*! \page media_content_viewer Media Content Viewer
+
+The Media Content Viewer will show a picture or video file. Video files can be played and paused. The size of the picture or video will be reduced to fit into the screen. If you want more complex analysis of the media, then you must export the file.
+
+If you select an non-picture file or an unsupported picture format on the "Result Viewers", this tab will be disabled.
+
+<b>Example</b> \n
+Here's one of the example of the "Media Content Viewer":
+\image html picture-content-viewer-tab.PNG
+*/

docs/doxygen-user/message_inbox.dox

@@ -0,0 +1,18 @@
+/*! \page message_inbox Message Inbox
+\section ingest_message_inbox Ingest Message Inbox
+The ingest message inbox is used by Autopsy to provide real-time updates during ingest. To open the inbox, click on the yellow warning sign in the top/right corner of the Autopsy window. The sign can display a number of incoming unread (not yet clicked) messages during ingest in its upper-right corner.
+
+\image html inbox-button.PNG
+
+Ingest modules are able to post messages when notable events occur, such as a keyword or hash database hit. If a module posts many similar messages in a short time span, the inbox will group those messages so that unique updates are not lost among the noise.
+
+The grouped messages are colored with different shades to indicate their importance; if a message group contains a lower number of unique messages, it is potentially more important than another group with a large number of unique messages. The more unique important messages have a lighter background color.
+
+The ingest messages can be sorted by uniqueness/importance, or by chronological order in which they had appeared.
+
+A message can be clicked to view the message details. When a message is clicked, it is marked as "read". When updates are posted with regard to a specific result or file, the message is linked to that file and the buttons in the top/right corner of the message details view can be used to browse to that data.
+
+\image html inbox-main-screen.PNG
+
+\image html inbox-detail-screen.PNG
+*/

docs/doxygen-user/overview.dox

@@ -0,0 +1,14 @@
+/*! \page overview Overview
+
+\section Overview
+Autopsy allows you to conduct a digital forensic investigation. It is a graphical interface to The Sleuth Kit and other tools. This page outlines the basic concepts of the program. The remainder of the help guide is organized around these concepts.
+The main Autopsy features include: importing a Data Source (image, disk, files) and exploring its file systems, running analysis modules (ingest), viewing ingest results, viewing content and generating reports.
+Autopsy is an extensible application; it provides a plug-in framework that allows other other parties to supply plug-ins and supply additional: image and file ingest for new types of analysis, different content viewers and different types of reports to be supported. There are plug-ins for for several ingest modules, viewers and reports that are bundled by default with Autopsy.
+All data is organized around the concept of a case. A case can have one or more data sources loaded into it.
+The main window has three major areas:
+\li \ref data_explorer "Data Explorer Tree": This area is where you go find major analysis functionality. It allows you to start finding the relevant files quickly.
+\li \ref result_viewers "Result Viewers": This area is where the files and directories that were found from the explorer window can be viewed. There are different formatting options for the files.
+\li \ref content_viewers "Content Viewers": This area is where file content can be viewed after they are selected from the Result Viewer area.
+The main take away from this should be that analysis techniques and result categories can be found on the left-hand side, the results from choosing something on the left are always listed in the upper right, and the file contents are displayed in the lower left.
+
+*/

docs/doxygen-user/quick_start_guide.dox

@@ -1,4 +1,4 @@
-/*! \page quick_start_page Quick Start Guide
+/*! \page quick_start_guide Quick Start Guide
 
 \section s1 Adding a Data Source (image, local disk, logical files)
 
@@ -112,4 +112,4 @@ It will create an HTML or XLS report in the Reports folder of the case folder.
 If you forgot the location of your case folder, you can determine it using the "Case Properties" option in the "File" menu.
 There is also an option to export report files to a separate folder outside of the case folder. 
 
-*/
+*/

docs/doxygen-user/result_viewers.dox

@@ -0,0 +1,19 @@
+/*! \page result_viewers Result Viewers
+The Result Viewer windows are in the upper right area of the interface and display the results from selecting something in the Data Explorer Tree area. You will have the option to display the results in a variety of formats.
+Currently, there are 2 main tabs in the Result Viewer window:
+\li \subpage table_result_viewer
+\li \subpage thumbnail_result_viewer
+
+\section right_click_functions Right Click Functions
+Viewers in Result Viewers have certain right-click functions built-in into them that can be accessed when a node a certain type is selected (a file, directory or a result).
+Here are some examples that you may see:
+\li Open File in External Viewer: Opens the selected file in an "external" application as defined by the local OS. For example, HTML files may be opened by IE or Firefox, depending on what the local system is configured to use.
+\li View in New Window: Opens the content in a new internal Content Viewer (instead of in the default location in the lower right).
+\li Extract: Make a local copy of the file or directory for further analysis.
+\li Search for files with the same MD5 Hash: Searches the entire file-system for any files with the same MD5 Hash as the one selected.
+
+<b>Example</b>\n
+Below is an example of a "Result Viewer" window:
+\image html result-viewer-window-example.PNG
+
+*/

docs/doxygen-user/string_content_viewer.dox

@@ -0,0 +1,12 @@
+/*! \page string_content_viewer String Content Viewer
+    
+Strings Content Viewer scans (potentially binary) data of the file / folder and searches it for data that could be text. When appropriate data is found, the String Content Viewer shows data strings extracted from binary, decoded, and interpreted as UTF8/16 for the selected script/language.
+
+Note that this is different from the Text Content Viewer, which displays the text for a file that is stored in the keyword search index. The results may be the same or they could be different, depending how the data were interpreted by the indexer.
+
+<b>Example</b> \n
+Below is an example of "String Content Viewer" window:
+\image html string-content-viewer-tab.PNG
+ 
+
+*/

docs/doxygen-user/table_results_viewer.dox

@@ -0,0 +1,9 @@
+/*! \page table_result_viewer Table Result Viewers
+    
+Thumbnail Results Viewer
+Thumbnail Results Viewer displays the data catalog as a table of thumbnail images in adjustable sizes. This viewer only supports picture file(s) (Currently, only supports JPG, GIF, and PNG formats). Click the Thumbnail tab to select this view. Note that for a large number of images in a directory selected in the Data Explorer, or for a View selected that contains a large number of images, it might take a while to populate this view for the first time before the images are cached.
+
+<b>Example</b>\n
+Below is an example of "Thumbnail Results Viewer" window:
+\image html table-result-viewer-tab.PNG 
+*/

docs/doxygen-user/text_content_viewer.dox

@@ -0,0 +1,11 @@
+/*! \page text_content_viewer Text Content Viewer
+
+Text Content Viewer uses the keyword search index that may have been populated during Image Ingest. If a file has text stored in the index, then this tab will be enabled and it will be displayed to the user if a file or a result associated with a file is selected.
+
+This tab may have more text on it than the "String View", which relies on searching the file for text-looking data. Some files, like PDF, will not have text-looking data at the byte-level, but the keyword indexing process knows how to interpret a PDF file and produce text. For the files the indexer knows about, there may be the METADATA section at the end of the displayed extracted text. If an indexed document contains any metadata (such as creation date, author, etc), it will be displayed there. Note that, unlike the "String View", the Text View does not have its built-in settings for the script/language to use for extracted strings. This is because the script/language is used at indexing time, and that setting is associated with the Keyword Search indexer, not the viewer.
+
+If this tab is not enabled, then either the file has no text or you did not enable Keyword Search as an ingest module. Note that this viewer is also used to display highlighted keyword hits when operated in the "Search Matches" mode, selected on the right-hand side of the viewer's toolbar.
+ 
+\image html text-view.PNG
+ 
+*/

docs/doxygen-user/thumbnail_result_viewer.dox

@@ -0,0 +1,10 @@
+/*! \page thumbnail_result_viewer Thumbnail Result Viewers
+Table Results Viewer (Directory Listing) displays the data catalog as a table with some details (properties) of each file. The properties that it shows are: name, time (modified, changed, accessed, and created), size, flags (directory and meta), mode, user ID, group ID, metadata address, attribute address, and type (directory and meta). Click the Table Viewer tab to select this view.
+
+The Results Viewer can be also activated for saved results and it can show a high level results grouped, or a results at a file level, depending on which node on the Directory Tree is selected to populate the Table Results Viewer.
+
+<b>Example</b>\n
+Below is an example of a "Table Results Viewer" window:
+\image html thumbnail-result-viewer-tab.PNG
+
+*/

docs/doxygen-user/timeline.dox

@@ -1,4 +1,4 @@
-/*! \page timeline_page Timeline
+/*! \page timeline Timeline
 Overview
 ========
 This document outlines the use of the new Timeline feature of Autopsy.  This feature was funded by DHS S&T to help provide free and open source digital forensics tools to law enforcement. 

docs/doxygen-user/volume_details_window.dox

@@ -0,0 +1,9 @@
+/*! \page volume_details_window Volume Detail Window
+
+The Volume Details window shows you information about a volume. It shows information such as the starting sector, length, and description. You can view the information by right clicking on a volume in the tree and choosing "Volume Details".
+
+\image html show-volume-details.PNG
+An example is shown here:
+
+\image html volume-detail-window.PNG
+*/