mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-06 21:00:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

update user docs

Browse Source
This commit is contained in:
adam-m 2012-09-28 14:20:13 -04:00
parent f3f9797c49
commit 3ee9bb8e73
5 changed files with 151 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
Core/src/org/sleuthkit/autopsy/ingest/docs/ingest-about.html
View File

@ -11,8 +11,10 @@
and extraction of a certain type of information.
The analysis can be a lengthy process, especially for large images and when a number of types of analysis needs to be performed.
Ingest is a technique of automating these tasks. It is also similar to triage. Autopsy allows to run these lengthy analysis tasks in the background,
Ingest is a technique of automating these tasks. Autopsy allows to run these lengthy analysis tasks in the background,
while the user can browse the application interface and review the ingest results as their appear.
Ingest is similar to triage.
Autopsy attempts to process files inside the ingested image in such order so that the more interesting files (user-related files) are processed files.
</p>
<p>The ingest process begins after the basic file system information has been added to the database.
@ -21,27 +23,56 @@
and even for very large images to be processed there can be initial results available minutes, sometimes seconds after the analysis has started.
</p>
<p>You can start image ingest in two ways. When you add an image with the <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/addImage.html">Add Image wizard</a>, you will be shown the list of ingest modules and you can choose which you want to run and you can do some basic configuration of the modules. You can also launch the Ingest Manager run ingest by right clicking on an image in the explorer tree and choosing "Restart Image Ingest". </p>
<p>The results from the ingest module can typically be found in the Results area of the explorer tree. However, some modules may choose to write results to a local file or to some other location and not make them available in the UI. </p>
<p>You can start image ingest in two ways. When you add an image with the <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/addImage.html">Add Image wizard</a>, you will be shown the list of ingest modules and you can choose which you want to run.
You can also launch the Ingest Manager run ingest by right clicking on an image in the explorer tree and choosing "Restart Image Ingest". </p>
<p>
Once ingest is started, you can review the currently running ingest tasks in the task bar on the bottom-right corner of the main window.
The ingest tasks can be canceled by the user if so desired. Note, that sometimes the cancellation process make take several seconds or more to complete cleanly, depending on what the ingest module was currently doing.
</p>
<p>
The ingest message inbox will provide notifications when the particular ingest modules start and finish running.
There may also be error notifications, and result notifications sent by specific ingest modules.
</p>
<p>The results from the ingest modules can typically be found in the Results area of the explorer tree.
However, some modules may choose to write results to a local file or to some other location and not make them available in the UI. </p>
<h2>Ingest Modules</h2>
<p>
An ingest module is responsible for extracting data from and searching images. Different modules will do different things. Examples include:
An ingest module is responsible for extracting data from and searching images.
Different modules will do different things. Examples include:
</p>
<ul>
<li>Calculate MD5 hash of each file</li>
<li>Lookup MD5 hash in database</li>
<li>Detect file type of each file</li>
<li>Keyword search each file</li>
<li>Extract web artifacts (downloads, history, etc.)</li>
<li>Extract web artifacts (downloads, history, installed programs, web search engine queries, etc.)</li>
<li>Extract Email messages</li>
<li>Extract connected device IDs.</li>
<li>Extract EXIF meta-data from picture files</li>
</ul>
<p>
<p>Ingest modules can be created by third-party-developers and can be added independently of Autopsy. </p>
<h2>Configuring Ingest Modules</h2>
There are two places to configure ingest modules. When the Ingest Manager is launched, there may be a small set of options the module allows you to edit directly in the Ingest Manager. Additionally, the Ingest Manager may display an "Advanced" button, which will open up a larger configuration menu with more available settings. This advanced configuration menu can often be found in the "Tools" > "Options" menu, along with the advanced settings for numerous other ingest modules.
<p>
Before launching ingest, you should go over the modules configuration by selecting every module
in the list and review the current ingest module settings.
Some modules need to be configured at least the first time Autopsy is used to have default configuration populated
, otherwise they won't perform any analysis.
Changing the modules configuration will potentially affect number of results found, it might also affect the total time required for ingest to run and how fast the results are reported in real-time.
</p>
<h2>Adding Ingest Modules</h2>
Ingest modules can be added through Autopsy's plugin manager. This is accessible through the "Tools" > "Plugins" menu. Currently, the best way to add an ingest module is by navigating to the module's NBM file after choosing "Add Plugin..." in the "Downloaded" tab of the plugin manager. Autopsy will require a restart after any modules are installed in order to properly load and display them.
<p>
Ingest modules can be created by third-party-developers and can be added independently of Autopsy.
This can be done through Autopsy's plugin manager. This is accessible through the "Tools" > "Plugins" menu. Currently, the best way to add an ingest module is by navigating to the module's NBM file after choosing "Add Plugin..." in the "Downloaded" tab of the plugin manager.
Autopsy will require a restart after any modules are installed in order to properly load and display them.
</p>
</body>
</html>

22
Core/src/org/sleuthkit/autopsy/ingest/docs/ingest-inbox.html
View File

@ -19,24 +19,36 @@ limitations under the License.
<!DOCTYPE html>
<html>
<head>
<title>Message Inbox</title>
<title>Ingest Message Inbox</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Message Inbox</h2>
<h2>Ingest Message Inbox</h2>
<p>
The message inbox is used by Autopsy to provide real-time updates during ingest.
The ingest message inbox is used by Autopsy to provide real-time updates during ingest.
To open the inbox, click on the yellow warning sign in the top/right corner of the Autopsy window.
The sign can display a number of incoming unread (not yet clicked) messages during ingest in its upper-right corner.
</p>
<p>
<img src="inbox-button.png" alt="Inbox button" />
</p>
<p>
Ingest modules are able to post messages when notable events occur, such as a keyword or hash database hit.
Ingest modules are able to post messages when notable events occur,
such as a keyword or hash database hit.
If a module posts many similar messages in a short time span,
the inbox will group those messages so that unique updates are not lost among the noise.
</p>
<p>
The grouped messages are colored with different shades to indicate their importance; if a message group contains a lower number of unique messages, it is
potentially more important than another group with a large number of unique messages. The more unique important messages have a lighter background color.
</p>
<p>
The ingest messages can be sorted by uniqueness/importance, or by chronological order in which they had appeared.
</p>
<p>
A message can be clicked to view the message details. When a message is clicked, it is marked as "read".
When updates are posted with regard to a specific result or file, the message is linked to that file
and the buttons in the top/right corner of the inbox can be used to browse to that data.
and the buttons in the top/right corner of the message details view can be used to browse to that data.
</p>
<img src="inbox-main.PNG" alt="Inbox Main Screen" /><br /><br />
<img src="inbox-details.PNG" alt="Inbox Details Screen" />

38
KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/docs/keywordsearch-about.html
View File

@ -25,19 +25,45 @@ limitations under the License.
<body>
<h2>Keyword Search</h2>
<p>
Autopsy contains a keyword search <a href="nbdocs:/org/sleuthkit/autopsy/ingest/docs/ingest-about.html">ingest module</a>
that extracts and indexes strings from the files on the image being ingested. Search queries will not be executed until the
ingest module has finished running.
Autopsy ships a keyword search <a href="nbdocs:/org/sleuthkit/autopsy/ingest/docs/ingest-about.html">ingest module</a>
that extracts text from the files on the image being ingested and adds them to the index.
</p>
<p>
Autopsy tries its best to extract maximum amount of text from the indexed files.
First, the indexing will try to extract text from supported file formats, such as pure text file format, MS Office Documents, PDF files, Email files, and many others.
If the file is not supported by the standard text extractor, Autopsy will fallback to string extraction algorithm.
String extraction on unknown file formats or arbitrary binary files can often still extract a good amount of text from the file, often good enough to provide additional clues.
However, string extraction will not extract text from binary files that have been decrypted.
</p>
<p>
Once files are in the index, they can be searched quickly for specific keywords, regular expressions,
or using keyword search lists that can contain a mixture of keywords and regular expressions.
</p>
<p>
Autopsy ships with some built-in lists that define regular expressions and enable user to search for Phone Numbers, IP addresses,
URLs and E-mail addresses. However, enabling some of these very general lists can produce a very large number of hits, many of them can be false-positives.
</p>
<p>
Search queries can be executed automatically by the ingest during the ingest run, or at the end of the ingest, depending on the current settings and the time it takes to ingest the image.
Search queries can also be executed manually by the user at any time, as long as there are some files already indexed and ready to be searched.
Keyword search module will save the search results regardless whether the search is performed by the ingest process, or manually by the user.
The saved results are available in the Directory Tree in the left hand side panel.
</p>
<p>
To see keyword search results in real-time while ingest is running, add keyword lists using the
<a href="nbdocs:/org/sleuthkit/autopsy/keywordsearch/docs/keywordsearch-configuration.html">Keyword Search Configuration Dialog</a>
and select the "Use during ingest" check box. See <a href="nbdocs:/org/sleuthkit/autopsy/ingest/docs/ingest-about.html">(Ingest)</a>
and select the "Use during ingest" check box.
You can select "Enable sending messages to inbox during ingest" per list, if the hits on that list should be reported in the Inbox, which is recommended for very specific searches.
See <a href="nbdocs:/org/sleuthkit/autopsy/ingest/docs/ingest-about.html">(Ingest)</a>
for more information on refresh speeds and ingest in general.
</p>
<p>
Once ingest is finished and the index has been created, the <a href="nbdocs:/org/sleuthkit/autopsy/keywordsearch/docs/keywordsearch-bar.html">Keyword Search Bar</a>
will be available for use.
Once there are files in the index, the <a href="nbdocs:/org/sleuthkit/autopsy/keywordsearch/docs/keywordsearch-bar.html">Keyword Search Bar</a>
will be available for use to manually search at any time.
</p>
</body>
</html>

31
KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/docs/keywordsearch-bar.html
View File

@ -25,19 +25,36 @@ limitations under the License.
<body>
<h2>Keyword Search Bar</h2>
<p>
The keyword search bar is used to search the index for matching words, phrases, lists, or regular expressions.
It can also be used during ingest to add images to the search process.
Enable regular expression mode by pressing the arrow to the left of the search box and selecting 'Use Regular Expressions'
The keyword search bar is used to search for keywords in the manual mode (outside of ingest).
The existing index will be searched for matching words, phrases, lists, or regular expressions.
Results will be opened in a separate Results Viewer for every search executed and they will also be saved in the Directory Tree.
</p>
<h2>Individual Keyword Search</h2>
<p>
Individual keyword or regular expressions can be quickly searched using the search text box widget.
To toggle between keyword and regular expression mode, use the down arrow in the search box.
</p>
<h2>Keyword List Search</h2>
<p>
Lists created using the <a href="nbdocs:/org/sleuthkit/autopsy/keywordsearch/docs/keywordsearch-configuration.html">Keyword Search Configuration Dialog</a>
can be searched by pressing on the 'Keyword Lists' button, selecting the check boxes corresponding to the lists to be searched, and pressing the 'Search' button.
can be manually searched by the user by pressing on the 'Keyword Lists' button, selecting the check boxes corresponding to the lists to be searched, and pressing the 'Search' button.
</p>
<h2>Search During Ingest</h2>
<h2>Searching during ingest.</h2>
<p>
Searching during ingest is not supported. However, lists can be added to ingest by following the same procedure as above.
The manual search for individual keywords or regular expressions can be executed also during the ongoing ingest on the current index using the search text box widget.
Note however, that you may miss some results if not entire index has yet been populated.
Autopsy enables you to perform the search on an incomplete index in order to retrieve some preliminary results in real-time.
</p>
<img src="keywordsearch-bar.png" alt="Keyword Search Bar" />
<p>
During the ingest, the manual search by keyword list is deactivated.
A newly selected list can instead be added to the ongoing ingest, and it will be searched in the background instead.
</p>
<p>
Keywords and lists can be managed during ingest..
</p>
<img src="keywordsearch-bar.png" alt="Keyword Search Bar" />
</body>
</html>

41
KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/docs/keywordsearch-configuration.html
View File

@ -25,13 +25,13 @@ limitations under the License.
<body>
<h2>Keyword Search Configuration Dialog</h2>
<p>
The keyword search configuration dialog has three tabs, each with it's own purpose:<br/>
The keyword search configuration dialog has three tabs, each with it's own purpose:</p>
<ul>
<li>The Lists tab is used to add, remove, and modify keyword search lists.</li>
<li>The String Extraction tab is used to enable language scripts and extraction type.</li>
<li>The General tab is used to configure the ingest timings and display information.</li>
</ul>
</p>
<p>
To create a list, select the 'New List' button and choose a name for the new Keyword List.
Once the list has been created, keywords can be added to it. Regular expressions are supported using
@ -44,11 +44,46 @@ limitations under the License.
For Encase lists, folder structure and hierarchy is currently ignored. This will be fixed in a future version.
There is currently no way to export lists for use with Encase. This will also be added in future releases.
</p>
<h2>String extraction setting.</h2>
<p>
The string extraction setting defines how strings are extracted from files from which text cannot be extracted because their file formats are not supported.
This is the case with arbitrary binary files (such as the page file) and chunks of unallocated space that represent deleted files.
</p>
<p>
When we extract strings from binary files we need to interpet sequences of bytes as text differently, depending on the possible
text encoding and script/language used. In many cases we don't know what the specific encoding / language the text is be encoded in in advance.
However, it helps if the investigator is looking for a specific language, because by selecting less languages the indexing performance will be improved
and a number of false positives will be reduced.
</p>
<p>
The default setting is to search for English strings only, encoded as either UTF8 or UTF16. This setting has the best performance (shortest ingest time).
</p>
<p>
The user can also use the String Viewer first and try different script/language settings, and see which setting gives satisfactory results for the type of text relevant to the investigation.
Then the same setting that works for the investigation can be applied to the keyword search ingest.
</p>
<h2>NIST NSRL Support</h2>
<p>
The hash database ingest service can be configured to use the NIST NSRL hash database of known files.
The keyword search configuration dialog contains an option to skip keyword indexing and search on files found in the NSRL.
The keyword search advanced configuration dialog "General" tab contains an option to skip keyword indexing and search on files
that have previously marked as "known" and uninteresting files.
Selecting this option can greatly reduce size of the index and improve ingest performance.
In most cases, user does not need to keyword search for "known" files.
</p>
<h2>Result update frequency during ingest.</h2>
<p>
To control how frequently searches are executed during ingest, user can adjust the timing setting
available in the keyword search advanced configuration dialog "General" tab.
Setting the number of minutes lower will result in more frequent index updates and searches being executed
and the user will be able to see results more in real-time.
However, more frequent updates can affect the overall performance, especially on lower-end systems,
and can potentially lengthen the overall time needed for the ingest to complete.
</p>
<strong>Lists tab:</strong><br>
<img src="keywordsearch-configuration.png" alt="Keyword Search Configuration Dialog" /><br><br>
<strong>String Extraction tab:</strong><br>