The Summary tab displays counts of how many times the account has appeared in different data types in the top section. In the middle it displays the files this account was found in. If the \ref central_repo_page is enabled, you can see if any \ref personas_page "personas" are associated with this account and whether any other cases that contained this account.
\image html cvt_summary_tab.png
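Review bot: the Summary tab sentence in the context above ends in an unfinished clause, "whether any other cases that contained this account"; since this file is being touched anyway, suggest "and whether any other cases contained this account".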
diff --git a/docs/doxygen-user/data_source_summary.dox b/docs/doxygen-user/data_source_summary.dox
index f656e5a6ab..459dd7f611 100644
--- a/docs/doxygen-user/data_source_summary.dox
+++ b/docs/doxygen-user/data_source_summary.dox
@@ -32,7 +32,7 @@ The Types tab shows counts of different file types found in the data source.
\subsection ds_summary_user_activity User Activity
-The User Activity tab shows the most recent results found in the data source.
+The User Activity tab shows the most recent results found in the data source. You can right click on a row to navigate directly to the corresponding result.
\image html ds_summary_user_activity.png
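Review bot: in the added sentence "right click" is used as a verb and should be hyphenated: "You can right-click on a row to navigate directly to the corresponding result." The same form applies to the matching sentence added to the Recent Files subsection.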
@@ -44,7 +44,7 @@ The Analysis tab shows the sets with the most results from the \ref hash_db_page
\subsection ds_summary_recent_files Recent Files
-The Recent Files tab shows information on the most recent files opened and downloaded.
+The Recent Files tab shows information on the most recent files opened and downloaded. You can right click on a row to navigate directly to the corresponding file or result.
\image html ds_summary_recent_files.png
@@ -56,6 +56,18 @@ The Past Cases tab shows which cases had results or notable files in common with
Note that because these entries are based on the Interesting Items results created during ingest and not querying the central repository, they will not reflect any matches in cases processed after this case. For example, suppose we create Case A and ingest a data source with Device Z. If we make a new case Case B afterward and ingest a data source that also has Device Z, we would see Case A listed in this tab for Case B, but if we reopened Case A we would not see Case B listed unless ingest was run again.
+\subsection ds_summary_geo Geolocation
+
+The Geolocation tab uses the coordinates from geolocation results to find the nearest city for each and displays the most recent cities and most common cities. If the location is more than 150 km from a city then it will be displayed as "Unknown". The "View in Map" button under the recent cities table will open the \ref geolocation_page "Geolocation window" showing all waypoints for this data source with timestamps in the last 30 days. The "View in Map" button under the most common cities will show all waypoints for this data source.
+
+\image html ds_summary_geo.png
+
+\subsection ds_summary_timeline Timeline
+
+The Timeline tab shows a simplified version of the \ref timeline_page "Timeline Viewer" for the selected data source. It will show events for the last 30 days of activity in the data source and give the first and last dates of activity. "File events" represent file creation, modification, access, and change. "Result events" represent the results from running ingest, such as the time a message was sent or when a URL was accessed. The "View in Timeline" button will open the main \ref timeline_page "Timeline Viewer".
+
+\image html ds_summary_timeline.png
+
\subsection ds_summary_ingest_history Ingest History
The Ingest History tab shows which ingest modules have been run on the data source and the version of each module.
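Review bot: both the Geolocation and the Timeline paragraphs say "the last 30 days" without stating what the window is relative to, so a reader cannot tell whether it is the 30 days before the most recent event in the data source or the 30 days before the current date, and the two tabs should be described with the same reference point. Suggest stating it explicitly in both places, e.g. "the last 30 days of activity, counted back from the most recent event in the data source", if that is the behaviour. The 150 km "Unknown" rule in the Geolocation paragraph would also benefit from a sentence on which city reference set is used, since an examiner looking at a location listed as "Unknown" needs to know this reflects distance from the reference cities and not a defect in the geolocation result itself.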
diff --git a/docs/doxygen-user/drone.dox b/docs/doxygen-user/drone.dox
index 978e199917..baf2366a72 100755
--- a/docs/doxygen-user/drone.dox
+++ b/docs/doxygen-user/drone.dox
@@ -1,13 +1,13 @@
-/*! \page drone_page Drone Analyzer
+/*! \page drone_page DJI Drone Analyzer
[TOC]
\section drone_overview Overview
-The Drone Analyzer module allows you to analyze files from a drone.
+The DJI Drone Analyzer module allows you to analyze files from a drone.
-Currently, the Drone Analyzer module works on images obtained from the internal SD card found in the following DJI drone models:
+Currently, the DJI Drone Analyzer module works on images obtained from the internal SD card found in the following DJI drone models:
- Phantom 3
- Phantom 4
- Phantom 4 Pro
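Review bot: the rename to "DJI Drone Analyzer" is applied to the page title and the two sentences that named the module, but the overview sentence still says "analyze files from a drone"; for consistency with the new vendor-specific name consider "from a DJI drone". Keeping the page id `drone_page` and the section ids unchanged is right, since main.dox links `\subpage drone_page`.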
@@ -20,7 +20,7 @@ The module will find DAT files and process them using DatCon (https://datfile.ne
\section drone_config Running the Module
-To enable the Drone Analyzer ingest module select the checkbox in the \ref ingest_configure "Ingest Modules configuration screen".
+To enable the DJI Drone Analyzer ingest module select the checkbox in the \ref ingest_configure "Ingest Modules configuration screen".
\section drone_results Viewing Results
diff --git a/docs/doxygen-user/footer.html b/docs/doxygen-user/footer.html
index b874c74742..abc63ecc26 100644
--- a/docs/doxygen-user/footer.html
+++ b/docs/doxygen-user/footer.html
@@ -1,5 +1,5 @@
-Copyright © 2012-2020 Basis Technology. Generated on $date
+
Copyright © 2012-2021 Basis Technology. Generated on $date
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.
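Review bot: as shown, the hunk removes the 2012-2020 copyright line and adds only an empty line, while the 2012-2021 line appears without a `+` marker; please confirm the committed change is the single-line year bump and that the generated footer does not gain a leading blank line. Since this line has to be edited every year, consider deriving the end year from the generation date the footer already prints via `$date`, if the template allows it.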
diff --git a/docs/doxygen-user/hashdb_lookup.dox b/docs/doxygen-user/hashdb_lookup.dox
index c32e4adc74..29fc6f459d 100644
--- a/docs/doxygen-user/hashdb_lookup.dox
+++ b/docs/doxygen-user/hashdb_lookup.dox
@@ -6,7 +6,7 @@
What Does It Do
========
-The Hash Lookup Module calculates MD5 hash values for files and looks up hash values in a database to determine if the file is notable, known (in general), included in a specific set of files, or unknown.
+The Hash Lookup Module calculates MD5 hash values for files and looks up hash values in a database to determine if the file is notable, known (in general), included in a specific set of files, or unknown. SHA-256 hashes are also calculated, though these will not be used in hash set lookups.
Configuration
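Review bot: the added sentence says SHA-256 hashes are calculated but not used in lookups without saying where the value ends up; suggest stating where an analyst can find the SHA-256 (for example alongside the MD5 in the file's metadata, if that is where it is stored), so they know it is available for reporting and for matching against external SHA-256-only indicator lists even though the module's own hash sets are matched on MD5.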
diff --git a/docs/doxygen-user/ileapp.dox b/docs/doxygen-user/ileapp.dox
index 21a314e0ac..5abae340d9 100644
--- a/docs/doxygen-user/ileapp.dox
+++ b/docs/doxygen-user/ileapp.dox
@@ -8,7 +8,7 @@ The iOS Analyzer ingest module runs iLEAPP (https://github.com/abrignoni/iLEAPP)
\section ileapp_config Using the Module
-Select the checkbox in the Ingest Modules settings screen to enable the IOS Analzyer (iLEAPP) module. In Autopsy 4.17.0 the module only runs on .tar/.zip files found in a \ref ds_log "logical files data source".
+Select the checkbox in the Ingest Modules settings screen to enable the IOS Analzyer (iLEAPP) module. The module will run on .tar/.zip files found in a \ref ds_log "logical files data source" or a \ref ds_img "disk image".
\section ileapp_results Seeing Results
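Review bot: the replaced line carries the typo "IOS Analzyer" over into the new text; it should read "iOS Analyzer (iLEAPP)", matching the "iOS Analyzer ingest module" wording in this hunk's header context. Dropping the "In Autopsy 4.17.0" qualifier is an improvement, since version-specific statements in the user guide go stale quickly.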
diff --git a/docs/doxygen-user/images/DataSourceSummary/ds_summary_analysis.png b/docs/doxygen-user/images/DataSourceSummary/ds_summary_analysis.png
index 15957a0712..a1e6bfb842 100644
Binary files a/docs/doxygen-user/images/DataSourceSummary/ds_summary_analysis.png and b/docs/doxygen-user/images/DataSourceSummary/ds_summary_analysis.png differ
diff --git a/docs/doxygen-user/images/DataSourceSummary/ds_summary_container.png b/docs/doxygen-user/images/DataSourceSummary/ds_summary_container.png
index 3adf7ec40d..3d51efee73 100644
Binary files a/docs/doxygen-user/images/DataSourceSummary/ds_summary_container.png and b/docs/doxygen-user/images/DataSourceSummary/ds_summary_container.png differ
diff --git a/docs/doxygen-user/images/DataSourceSummary/ds_summary_geo.png b/docs/doxygen-user/images/DataSourceSummary/ds_summary_geo.png
new file mode 100644
index 0000000000..4ab4440b55
Binary files /dev/null and b/docs/doxygen-user/images/DataSourceSummary/ds_summary_geo.png differ
diff --git a/docs/doxygen-user/images/DataSourceSummary/ds_summary_ingest.png b/docs/doxygen-user/images/DataSourceSummary/ds_summary_ingest.png
index 203e9c44ee..d3a1a970a9 100644
Binary files a/docs/doxygen-user/images/DataSourceSummary/ds_summary_ingest.png and b/docs/doxygen-user/images/DataSourceSummary/ds_summary_ingest.png differ
diff --git a/docs/doxygen-user/images/DataSourceSummary/ds_summary_past_cases.png b/docs/doxygen-user/images/DataSourceSummary/ds_summary_past_cases.png
index 591cb66867..3b47578b0e 100644
Binary files a/docs/doxygen-user/images/DataSourceSummary/ds_summary_past_cases.png and b/docs/doxygen-user/images/DataSourceSummary/ds_summary_past_cases.png differ
diff --git a/docs/doxygen-user/images/DataSourceSummary/ds_summary_recent_files.png b/docs/doxygen-user/images/DataSourceSummary/ds_summary_recent_files.png
index af63e103f7..3eeaeffd89 100644
Binary files a/docs/doxygen-user/images/DataSourceSummary/ds_summary_recent_files.png and b/docs/doxygen-user/images/DataSourceSummary/ds_summary_recent_files.png differ
diff --git a/docs/doxygen-user/images/DataSourceSummary/ds_summary_result_viewer.png b/docs/doxygen-user/images/DataSourceSummary/ds_summary_result_viewer.png
index ad16f2e031..8f2b4d3f47 100644
Binary files a/docs/doxygen-user/images/DataSourceSummary/ds_summary_result_viewer.png and b/docs/doxygen-user/images/DataSourceSummary/ds_summary_result_viewer.png differ
diff --git a/docs/doxygen-user/images/DataSourceSummary/ds_summary_timeline.png b/docs/doxygen-user/images/DataSourceSummary/ds_summary_timeline.png
new file mode 100644
index 0000000000..1a376723d6
Binary files /dev/null and b/docs/doxygen-user/images/DataSourceSummary/ds_summary_timeline.png differ
diff --git a/docs/doxygen-user/images/DataSourceSummary/ds_summary_types.png b/docs/doxygen-user/images/DataSourceSummary/ds_summary_types.png
index db3f4a14f9..2bf93d3f90 100644
Binary files a/docs/doxygen-user/images/DataSourceSummary/ds_summary_types.png and b/docs/doxygen-user/images/DataSourceSummary/ds_summary_types.png differ
diff --git a/docs/doxygen-user/images/DataSourceSummary/ds_summary_user_activity.png b/docs/doxygen-user/images/DataSourceSummary/ds_summary_user_activity.png
index 2ce9dcaf16..7b6d4d09f5 100644
Binary files a/docs/doxygen-user/images/DataSourceSummary/ds_summary_user_activity.png and b/docs/doxygen-user/images/DataSourceSummary/ds_summary_user_activity.png differ
diff --git a/docs/doxygen-user/images/DataSourceSummary/ds_summary_window.png b/docs/doxygen-user/images/DataSourceSummary/ds_summary_window.png
index 745c3b1d97..a9d61e9084 100644
Binary files a/docs/doxygen-user/images/DataSourceSummary/ds_summary_window.png and b/docs/doxygen-user/images/DataSourceSummary/ds_summary_window.png differ
diff --git a/docs/doxygen-user/images/aleapp_main.jpg b/docs/doxygen-user/images/aleapp_main.jpg
index 82d8d2c778..d318748a6d 100644
Binary files a/docs/doxygen-user/images/aleapp_main.jpg and b/docs/doxygen-user/images/aleapp_main.jpg differ
diff --git a/docs/doxygen-user/images/cvt_summary_tab.png b/docs/doxygen-user/images/cvt_summary_tab.png
index 53f4ee148c..405448d31e 100644
Binary files a/docs/doxygen-user/images/cvt_summary_tab.png and b/docs/doxygen-user/images/cvt_summary_tab.png differ
diff --git a/docs/doxygen-user/images/yara_ingest_settings.png b/docs/doxygen-user/images/yara_ingest_settings.png
new file mode 100644
index 0000000000..0917a73bd0
Binary files /dev/null and b/docs/doxygen-user/images/yara_ingest_settings.png differ
diff --git a/docs/doxygen-user/images/yara_new_rule_set.png b/docs/doxygen-user/images/yara_new_rule_set.png
new file mode 100644
index 0000000000..1470f8f45c
Binary files /dev/null and b/docs/doxygen-user/images/yara_new_rule_set.png differ
diff --git a/docs/doxygen-user/images/yara_options.png b/docs/doxygen-user/images/yara_options.png
new file mode 100644
index 0000000000..e04a1e62f4
Binary files /dev/null and b/docs/doxygen-user/images/yara_options.png differ
diff --git a/docs/doxygen-user/images/yara_results.png b/docs/doxygen-user/images/yara_results.png
new file mode 100644
index 0000000000..5e1d447935
Binary files /dev/null and b/docs/doxygen-user/images/yara_results.png differ
diff --git a/docs/doxygen-user/main.dox b/docs/doxygen-user/main.dox
index c9649aeef6..b8778cd36b 100644
--- a/docs/doxygen-user/main.dox
+++ b/docs/doxygen-user/main.dox
@@ -51,6 +51,8 @@ The following topics are available here:
- \subpage drone_page
- \subpage gpx_page
- \subpage ileapp_page
+ - \subpage aleapp_page
+ - \subpage yara_page
- Reviewing the Results
- \subpage uilayout_page
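Review bot: `\subpage aleapp_page` is added to the index, but no aleapp.dox appears in this part of the diff (only the aleapp_main.jpg image and the aleapp.exe binary do); please confirm the page source is included in the change, otherwise Doxygen will report an unresolved `\subpage` reference. The `yara_page` entry resolves to the new yara.dox added below.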
diff --git a/docs/doxygen-user/yara.dox b/docs/doxygen-user/yara.dox
new file mode 100644
index 0000000000..19bba86384
--- /dev/null
+++ b/docs/doxygen-user/yara.dox
@@ -0,0 +1,50 @@
+/*! \page yara_page YARA Analyzer
+
+[TOC]
+
+
+\section yara_overview Overview
+
+The YARA Analyzer module uses a set of rules to search files for textual or binary patterns. YARA was designed for malware analysis but can be used to search for any type of files. For more information on YARA see https://virustotal.github.io/yara/.
+
+\section yara_config Configuration
+
+To create and edit your rule sets, go to "Tools", "Options" and then select the "YARA" tab.
+
+\image html yara_options.png
+
+YARA rule sets are stored in folders in the user's Autopsy folder. To create a new rule set, click the "New Set" button in the lower left and enter the name for your new set.
+
+\image html yara_new_rule_set.png
+
+With your new rule set selected, click the "Open Folder" button to go to the newly created rules folder. You can now copy existing YARA files into this folder to include them in the rule set. Information on writing YARA rules can be found here and many existing YARA rules can be found through a web search. As a very simple example, we will add this rule to the sample rule set to find files that contain the words "hello" and "world":
+
+\verbatim
+rule HelloWorldRule
+{
+ strings:
+ $part1 = "hello" nocase
+ $part2 = "world" nocase
+
+ condition:
+ $part1 and $part2
+}
+\endverbatim
+
+Once you've added your rules to the folder, click the "Refresh File List" button to show them in the options panel.
+
+\section yara_running Running the Module
+
+To enable the YARA Analyzer ingest module select the checkbox in the \ref ingest_configure "Ingest Modules configuration screen".
+
+\image html yara_ingest_settings.png
+
+Make sure all rule sets you want to run are checked. You can also choose between running on all files or only running on executable files.
+
+\section yara_results Viewing Results
+
+Results are show in the Results tree under "Extracted Content".
+
+\image html yara_results.png
+
+*/
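Review bot: "Information on writing YARA rules can be found here" has no link target, so "here" points nowhere in the rendered page; either link the YARA documentation (the overview already gives https://virustotal.github.io/yara/) or drop the sentence. Two wording fixes in the same hunk: "search for any type of files" should be "any type of file", and "Results are show in the Results tree" should be "shown". The configuration section also does not say what happens when a rule file copied into the set folder fails to compile; an examiner needs to know whether such a set is skipped or reported, so a sentence on how rule errors surface would close that gap.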
diff --git a/docs/doxygen/footer.html b/docs/doxygen/footer.html
index f703eb2a5e..65eaf1d7dd 100644
--- a/docs/doxygen/footer.html
+++ b/docs/doxygen/footer.html
@@ -1,5 +1,5 @@
-Copyright © 2012-2020 Basis Technology. Generated on: $date
+
Copyright © 2012-2021 Basis Technology. Generated on: $date
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.
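Review bot: same observation as for docs/doxygen-user/footer.html: the 2012-2020 line is removed and only a blank `+` line is shown, with the 2012-2021 line unmarked; confirm the rendered footer does not gain a leading blank line.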
diff --git a/test/script/tskdbdiff.py b/test/script/tskdbdiff.py
index e202c3e111..c6c6dfacdc 100644
--- a/test/script/tskdbdiff.py
+++ b/test/script/tskdbdiff.py
@@ -627,10 +627,24 @@ def normalize_db_entry(line, files_table, vs_parts_table, vs_info_table, fs_info
fields_list[4] = files_table[object_id]
if legacy_artifact_id != 'NULL' and legacy_artifact_id in artifact_table.keys():
fields_list[6] = artifact_table[legacy_artifact_id]
+
+
+ if fields_list[1] == fields_list[2] and fields_list[1] == fields_list[3]:
+ fields_list[1] = cleanupEventDescription(fields_list[1])
+ fields_list[2] = cleanupEventDescription(fields_list[2])
+ fields_list[3] = cleanupEventDescription(fields_list[3])
+
newLine = ('INSERT INTO "tsk_event_descriptions" VALUES(' + ','.join(fields_list[1:]) + ');') # remove report_id
return newLine
else:
return line
+
+def cleanupEventDescription(description):
+ test = re.search("^'\D+:\d+'$", description)
+ if test is not None:
+ return re.sub(":\d+", ":", description)
+ else:
+ return description
def getAssociatedArtifactType(cur, artifact_id, isMultiUser):
if isMultiUser:
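Review bot: the two regular expressions in `cleanupEventDescription` are ordinary string literals containing `\D` and `\d`, which Python treats as invalid escape sequences (a DeprecationWarning on current releases and a SyntaxWarning on newer ones); write them as raw strings, `re.search(r"^'\D+:\d+'$", description)` and `re.sub(r":\d+", ":", description)`. Two smaller points: the new function is inserted with no blank lines before `def getAssociatedArtifactType`, and the normalization only runs when all three description fields are identical, which is fine for the intended case but deserves a comment saying what the trailing `:<number>` is and why it is dropped, since this script's output is what the regression tests compare against and whoever investigates a future mismatch will need to know this normalization exists.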
diff --git a/thirdparty/aLeapp/aleapp.exe b/thirdparty/aLeapp/aleapp.exe
index 52fab109ea..179d7b6331 100644
Binary files a/thirdparty/aLeapp/aleapp.exe and b/thirdparty/aLeapp/aleapp.exe differ