diff --git a/docs/doxygen-dev/footer.html b/docs/doxygen-dev/footer.html
index 5ab86c6e86..b874c74742 100755
--- a/docs/doxygen-dev/footer.html
+++ b/docs/doxygen-dev/footer.html
@@ -1,5 +1,5 @@
-Copyright © 2012-2019 Basis Technology. Generated on $date
+
Copyright © 2012-2020 Basis Technology. Generated on $date
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.
diff --git a/docs/doxygen-user/Doxyfile b/docs/doxygen-user/Doxyfile
index 1bb3773a70..8295d9df5a 100644
--- a/docs/doxygen-user/Doxyfile
+++ b/docs/doxygen-user/Doxyfile
@@ -38,7 +38,7 @@ PROJECT_NAME = "Autopsy User Documentation"
# could be handy for archiving the generated documentation or if some version
# control system is used.
-PROJECT_NUMBER = 4.13.0
+PROJECT_NUMBER = 4.14.0
# Using the PROJECT_BRIEF tag one can provide an optional one line description
# for a project that appears at the top of each page and should give viewer a
@@ -1025,7 +1025,7 @@ GENERATE_HTML = YES
# The default directory is: html.
# This tag requires that the tag GENERATE_HTML is set to YES.
-HTML_OUTPUT = 4.13.0
+HTML_OUTPUT = 4.14.0
# The HTML_FILE_EXTENSION tag can be used to specify the file extension for each
# generated HTML page (for example: .htm, .php, .asp).
diff --git a/docs/doxygen-user/android_analyzer.dox b/docs/doxygen-user/android_analyzer.dox
index a849e089ff..eee20b85a0 100644
--- a/docs/doxygen-user/android_analyzer.dox
+++ b/docs/doxygen-user/android_analyzer.dox
@@ -52,14 +52,10 @@ There are no runtime ingest settings required.
Seeing Results
------
-The results show up in the tree under "Results", "Extracted Content".
+The results show up in the tree under "Results", "Extracted Content". The exact data extracted will vary but can include contacts, call logs, messages, and GPS entries.
\image html android_analyzer_output.PNG
-Messages can also be seen by browsing to the source file in the Data Sources tree, which will display the messages in the Results Viewer to the right. Any messages with attachments will be shown under the source file in the tree, and the attachments can be seen in the Result Viewer.
-
-\image html messages_datasource_tree.png
-
*/
diff --git a/docs/doxygen-user/content_viewer.dox b/docs/doxygen-user/content_viewer.dox
index d7f3420fbc..66ec679565 100644
--- a/docs/doxygen-user/content_viewer.dox
+++ b/docs/doxygen-user/content_viewer.dox
@@ -54,6 +54,10 @@ It will display most image types, which can be scaled and rotated:
\image html content_viewer_app_image.png
+It displays video files, allowing you to move play/pause, move forward or backward 30 seconds, adjust the volume, and change the playback speed.
+
+\image html content_viewer_video.png
+
It also allows you to browse SQLite tables and export their contents as CSV:
\image html content_viewer_app_sqlite.png
@@ -82,6 +86,12 @@ The File Metadata tab displays basic information about the file, such as type, s
\image html content_viewer_metadata.png
+\section cv_context Context
+
+The Context tab shows the the source of attached files and allows you to view the original result. In the image below you can see the context for an image that was sent as an email attachment.
+
+\image html content_viewer_context.png
+
\section cv_results Results
The Results tab is active when selecting items with associated results such as keyword hits, call logs, and messages. The exact fields displayed depend on the type of result. The two images below show the Results tab for a call log and a web bookmark.
diff --git a/docs/doxygen-user/data_sources.dox b/docs/doxygen-user/data_sources.dox
index cd48474f41..6aeed0bbb1 100644
--- a/docs/doxygen-user/data_sources.dox
+++ b/docs/doxygen-user/data_sources.dox
@@ -3,12 +3,13 @@
A data source is the thing you want to analyze. It can be a disk image, some logical files, a local disk, etc. You must open a case prior to adding a data source to Autopsy.
-Autopsy supports four types of data sources:
+Autopsy supports multiple types of data sources:
- Disk Image or VM File: A file (or set of files) that is a byte-for-byte copy of a hard drive or media card, or a virtual machine image. (see \ref ds_img)
- Local Disk: Local storage device (local drive, USB-attached drive, etc.). (see \ref ds_local)
- Logical Files: Local files or folders. (see \ref ds_log)
- Unallocated Space Image Files: Any type of file that does not contain a file system but you want to run through ingest (see \ref ds_unalloc)
- Autopsy Logical Imager Results: The results from running the logical imager. (see \ref ds_logical_imager)
+- XRY Text Export: The results from exporting text files from XRY. (see \ref ds_xry)
\section ds_add Adding a Data Source
@@ -41,7 +42,7 @@ NOTE: If you are adding a data source to a multi-user case, ensure that all Auto
6) After the ingest modules have been configured and the basic examination of the data source is complete, the ingest modules will begin to analyze the file contents.
-You cannot remove a data source from a case.
+Data sources can be removed from cases created with Autopsy 4.14.0 and later. See the section \ref data_source_deletion "below".
\section ds_img Adding a Disk Image
@@ -116,4 +117,23 @@ To add unallocated space image files:
This option allows you to add the results of a logical imager collection. See the \ref logical_imager_page page for details.
+\section ds_xry Adding XRY Text Export Data
+An XRY text export folder is expected to look similar to this:
+
+\image html xry_folder.png
+
+To add exported text files:
+-# Choose "XRY Text Export" from the data source types.
+-# Browse to the folder containing the text files.
+
+\image html xry_dsp.png
+
+\section data_source_deletion Deleting Data Sources
+
+As of Autopsy 4.14.0, data sources can be removed from cases. Removing a data source will delete all files associate with the data source, as well as all results from running ingest modules, tags, and timeline data. \ref reporting_page "Reports" will not be deleted, as most are not associated with a specific data source. If a new data source was created while processing another (from the \ref vm_extractor_page for example), this new data source will also be deleted if its parent is deleted.
+
+To delete a data source, right click it in either the \ref tree_viewer_page or the \ref result_viewer_page and select "Remove Data Source". If the case was originally created with a version of Autopsy earlier than 4.14.0 then this option will be disabled. After a confirmation dialog, the case will close and then reopen after the data source has been removed.
+
+\image html data_source_delete.png
+
*/
\ No newline at end of file
diff --git a/docs/doxygen-user/email_parser.dox b/docs/doxygen-user/email_parser.dox
index 517ccb069d..e69621d2ed 100644
--- a/docs/doxygen-user/email_parser.dox
+++ b/docs/doxygen-user/email_parser.dox
@@ -23,12 +23,14 @@ There are no runtime ingest settings required.
Seeing Results
------
-The results of this show up in the "Results", "E-Mail Messages" portion of the tree.
+The results of this show up in the "Results", "E-Mail Messages" portion of the \ref tree_viewer_page.
\image html email_results.PNG
-The results can also be seen by browsing to the source file in the Data Sources tree, which will display the messages in the Results Viewer to the right. Any messages with attachments will be shown under the source file, and the attachments can be seen in the Result Viewer by selecting the message.
+If an e-email has an attachment, the "Attachments" tab in the \ref content_viewer_page will be active.
-\image html email_datasource_tree.png
+\image html email_attachments.png
+
+You can right click and select "View File in Directory" to navigate to the attached file. You can also switch to the "Thumbnails" tab to see a preview of any image attachments.
*/
diff --git a/docs/doxygen-user/extension_mismatch.dox b/docs/doxygen-user/extension_mismatch.dox
index 2866ecedc0..25bac5e3fe 100644
--- a/docs/doxygen-user/extension_mismatch.dox
+++ b/docs/doxygen-user/extension_mismatch.dox
@@ -14,6 +14,10 @@ One can add and remove MIME types in the "Tools", "Options", "File Extension Mis
\image html extension-mismatch-detected-configuration.PNG
+If you'd like to contribute your changes back to the community, then you'll need to upload your updated %APPDATA%\autopsy\dev\config\mismatch_config.xml file by either:
+- Make a fork of the Github Autopsy repository, copy the new file into the src\org\sleuthkit\autopsy\fileextmismatch folder and submit a pull request
+- Attach the entire mismatch_config.xml file to a github issue.
+
Using the Module
======
Note that you can get a lot of false positives with this module. You can add your own rules to Autopsy to reduce unwanted hits.
diff --git a/docs/doxygen-user/file_discovery.dox b/docs/doxygen-user/file_discovery.dox
new file mode 100644
index 0000000000..a92b41dc43
--- /dev/null
+++ b/docs/doxygen-user/file_discovery.dox
@@ -0,0 +1,189 @@
+/*! \page file_discovery_page File Discovery
+
+\section file_disc_overview Overview
+
+The file discovery tool shows images or videos that match a set of filters configured by the user. You can choose how to group and order your results in order to see the most relevant data first.
+
+\section file_disc_prereq Prerequisites
+
+We suggest running all \ref ingest_page "ingest modules" before launching file discovery, but if time is a factor the following are the modules that are the most important. You will see a warning if you open file discovery without running the \ref file_type_identification_page and \ref EXIF_parser_page.
+
+Required ingest modules:
+
+- \ref file_type_identification_page
+
+
+Optional ingest modules:
+
+- \ref cr_ingest_module - Needed to use the \ref file_disc_occur_filter
+
- \ref EXIF_parser_page - Needed to use the \ref file_disc_user_filter
+
- \ref hash_db_page - Needed to use the \ref file_disc_hash_filter and to de-duplicate files
+
- \ref interesting_files_identifier_page - Needed to use the \ref file_disc_int_filter
+
- \ref object_detection_page - Needed to use the \ref file_disc_obj_filter
+
+
+\section file_disc_run Running File Discovery
+
+To launch file discovery, either click the "File Discovery" icon near the top of the Autopsy UI or go to "Tools", "File Discovery". There are three steps when setting up file discovery, which flow from the top of the panel to the bottom:
+
+- \ref file_disc_type "Choose the file type"
+
- \ref file_disc_filtering "Set up filters"
+
- \ref file_disc_grouping "Choose how to group and sort the results
+
+
+Once everything is set up, use the "Show" button at the bottom of the left panel to display your results. If you want to cancel a search in progress you can use the "Cancel" button.
+
+\image html FileDiscovery/fd_main.png
+
+\subsection file_disc_type File Type
+
+The first step is choosing whether you want to display images or videos. The file type is determined by the MIME type of the file, which is why the file_type_identification_page must be run to see any results. Switching between the file types will clear any results being displayed and reset the filters.
+
+\image html FileDiscovery/fd_fileType.png
+
+\subsection file_disc_filtering Filtering
+
+The second step is to select and configure your filters. For most filters, you enable them using the checkbox on the left and then select your options. Multiple options can be selected by using CTRL + left click. Files must pass all enabled filters to be displayed.
+
+\subsubsection file_disc_size_filter File Size Filter
+
+The file size filter lets you restrict the size of your results. The options are different for images and videos - an extra small image might be under 16 KB while an extra small video is anything under 500 KB.
+
+\image html FileDiscovery/fd_fileSizeFilter.png
+
+\subsubsection file_disc_ds_filter Data Source Filter
+
+The data source filter lets you restrict which data sources in your case to include in the results.
+
+\image html FileDiscovery/fd_dataSourceFilter.png
+
+\subsubsection file_disc_occur_filter Past Occurrences Filter
+
+The past occurrences filter uses the \ref central_repo_page "central repository" and \ref hash_db_page "known hash sets" to restrict how commom/rare a file must be to be included in the results. By default, the "Known Files" option is disabled, meaning that any file matching the NSRL or other white-listed hash set will not be displayed.
+
+\image html FileDiscovery/fd_pastOccur.png
+
+The counts for the rest of the options are based on how many data sources in your central repository contain a copy of this file (based on hash). If a file only appears in one data source in the current case, then it will match "Unique(1)". If it has only been seen in a few other data source, it will match "Rare(2-10)". Note that it doesn't matter how many times a file appears in each data source - a file could have twenty copies in one data source and still be "unique".
+
+\subsubsection file_disc_user_filter Possibly User Created
+
+The possibly user created filter restricts the results to files that suspected to be raw images or videos.
+
+\image html FileDiscovery/fd_userCreatedFilter.png
+
+This means the image or video must have a "User Content Suspected" result associated with it. These primarily come from the \ref EXIF_parser_page "Exif parser module".
+
+\image html FileDiscovery/fd_userContentArtifact.png
+
+\subsubsection file_disc_hash_filter Hash Set Filter
+
+The hash set filter restricts the results to files found in the selected hash sets. Only notable hash sets that have hits in the current case are listed (though those hits may not be images or videos). See the \ref hash_db_page page for more information on creating and using hash sets.
+
+\image html FileDiscovery/fd_hashSetFilter.png
+
+\subsubsection file_disc_int_filter Interesting Item Filter
+
+The interesting item filter restricts the results to files found in the selected interesting item rule sets. Only interesting file rule sets that have results in the current case are listed (though those matches may not be images or videos). See the \ref interesting_files_identifier_page page for more information on creating and using interesting item rule sets.
+
+\image html FileDiscovery/fd_interestingItemsFilter.png
+
+\subsubsection file_disc_obj_filter Object Detected Filter
+
+The object detected filter restricts the results to files that matched the selected classifiers. Only classifiers that have results in the current case are listed. Note that currently the built-in \ref object_detection_page ingest module only works on images, so you should generally not use this filter with videos. See the \ref object_detection_page page for more information on setting up classifiers.
+
+\image html FileDiscovery/fd_objectFilter.png
+
+\subsubsection file_disc_parent_filter Parent Folder Filter
+
+The parent folder filter either restricts the path the files can be on. This filter works differently than the others in that the individual options do not have to be selected - every rule that has been entered will be applied.
+
+\image html FileDiscovery/fd_parentFilter.png
+
+You can enter paths that should be included and paths that should be ignored. For both you then specify whether the path string you entered is a full path or a substring. For full path matches you'll need to include the leading and trailing slashes. Full path matches are also case-sensitive.
+
+The default options, shown above, will exclude any file that has a "Windows" folder or a "Program Files" folder in its path. It would exclude files like "/Windows/System32/image1.jpg" but would not exclude "/My Pictures/Bay Windows/image2.jpg" because the slashes around "Windows" force it to match the exact folder name.
+
+Here is another example. This rule was created with "Full" and "Include" selected.
+
+\image html FileDiscovery/fd_parentEx2.png
+
+This matches the file "/LogicalFileSet2/File Discovery/bird1.tif" but not any images in subfolders under "File Discovery".
+
+When there are multiple path options in the filter, they will be applied as follows:
+
+- The file path must match every "exclude" rule to pass
+
- If any "include" rules exist, the file path must match at least one "include" rule to pass
+
+
+This allows you to, for example, make rules to include both the "My Documents" and the "My Pictures" folders.
+
+\subsection file_disc_grouping Grouping and Sorting
+
+The final options are for how you want to group and sort your results.
+
+\image html FileDiscovery/fd_grouping.png
+
+The first option lets you choose the top level grouping for your results and the second option lets you choose how to sort them. The groups appear in the middle column of the file discovery panel. Note that some of the grouping options may not always appear - for example, grouping by past occurrences will only be present if the \ref central_repo_page is enabled, and grouping by hash set will only be present if there are hash set hits in your current case. The example below shows the groups created using the default options (group by file size, order groups by group name):
+
+\image html FileDiscovery/fd_groupingSize.png
+
+In the case of file size and past occurrences, ordering by group name is based on the natural ordering of the group (largest to smallest or most rare to most common). For the other groups it will be alphabetical. Ordering groups by size will sort them based on how many files each group contains, going largest to smallest. For example, here we've grouped by interesting item set and ordered the groups by their size.
+
+\image html FileDiscovery/fd_groupingInt.png
+
+The interesting items filter was not enabled so most images ended up in the "None" group, meaning they have no interesting file result associated with them. The final group in the list contains a file that matched both interesting item rule sets.
+
+The last grouping and sorting option is choosing how to sort the results within a group. This is the order of the results in the top right panel after selecting a group from the middle column. Note that due to the merging of results with the same hash in that panel, ordering by file name, path, or data source can vary. See the \ref file_disc_dedupe section below for more information.
+
+\section file_disc_results Viewing Results
+
+\subsection file_disc_results_overview Overview
+
+Once you select your options and click "Show", you'll see a list of groups in the middle panel. Selecting one of these groups will display the results from that group in the right panel. If your results are images, you'll see thumbnails for each image in the top area of the right panel.
+
+\image html FileDiscovery/fd_resultGroups.png
+
+If your results are videos, each result will display four thumbnails from the video.
+
+\image html FileDiscovery/fd_videos.png
+
+When you select a result from the top of the right panel, you'll see the path to the corresponding file(s) in the "Instances" panel below the thumbnails. There may be more than one file instance associated with a result - see the \ref file_disc_dedupe section below. You can right-click on files in the instances panel to use most of options available in the normal \ref result_viewer_page.
+
+\image html FileDiscovery/fd_instanceContext.png
+
+The bottom section of the panel is identical to the standard \ref content_viewer_page and displays data corresponding to the file instance selected in the middle of the panel.
+
+\subsection file_disc_dedupe De-duplication
+
+Assuming the \ref hash_db_page module has been run, all files in a result group with the same hash will be merged together under a single instance. You can see the number of instances of each file under the thumbnail, and each file instance will be displayed in the middle section of the panel.
+
+
+
+\image html FileDiscovery/fd_dupeEx.png
+
+Clicking on a particular instance will load data for that file in the content viewer area at the bottom.
+
+Note that files in different groups will not be merged together or appear under the instances list of each other. For example, if you choose to group by parent folder and have two instances of a file with the same hash but in different folders, each will appear once under its parent folder. Grouping by file size (the default) will always merge every instance of the same file.
+
+\subsection file_disc_icons Status Icons
+
+A number of icons may be displayed in the bottom right of the thumbnails to help point out notable results. Hovering over the icon will display a message explaining why the icon is present. In the image below, the yellow icon is present because the file is associated with an interesting item set.
+
+\image html FileDiscovery/fd_icon.png
+
+Most of the icons match what would be displayed in the "S" column of the normal \ref result_viewer_page.
+
+| Icon | Usage |
+|-------|------|
+\image html FileDiscovery/yellow-circle-yield.png "" | \ref interesting_files_identifier_page "Interesting file set match" or normal \ref tagging_page "file tag"
+\image html FileDiscovery/red-circle-exclamation.png "" | Notable \ref hash_db_page "hash set hit" or notable \ref tagging_page "file tag"
+\image html FileDiscovery/file-icon-deleted.png "" | Deleted file (every instance is deleted)
+
+
+\subsection file_disc_paging Paging
+
+If the group you select has many results, the results will be split up into pages. You can use the left and right arrows to move between pages or type in the page number you wish to go to. You can adjust the number of results per page using the drop down box in the upper right.
+
+\image html FileDiscovery/fd_paging.png
+
+*/
\ No newline at end of file
diff --git a/docs/doxygen-user/footer.html b/docs/doxygen-user/footer.html
index 5ab86c6e86..b874c74742 100644
--- a/docs/doxygen-user/footer.html
+++ b/docs/doxygen-user/footer.html
@@ -1,5 +1,5 @@
-Copyright © 2012-2019 Basis Technology. Generated on $date
+
Copyright © 2012-2020 Basis Technology. Generated on $date
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.
diff --git a/docs/doxygen-user/geolocation.dox b/docs/doxygen-user/geolocation.dox
new file mode 100644
index 0000000000..a4c78351cf
--- /dev/null
+++ b/docs/doxygen-user/geolocation.dox
@@ -0,0 +1,137 @@
+/*! \page geolocation_page Geolocation
+
+\section geo_overview Overview
+
+The Geolocation window shows artifacts that have longitude and latitude attributes as waypoints on a map. In the field, when access to online map tile servers may not be available, the Geolocation window provides support for offline map tile data sources.
+
+\image html geo_main.png
+
+\section geo_usage Usage
+
+To open the Geolocation window, go to "Tools" and then select "Geolocation".
+
+\subsection geo_navigation General Usage
+
+You can move the map by clicking and dragging, and zoom using either the mouse wheel or the slider in the bottom left of the map. If a map tile is not available the tile will appear grey but the waypoints will still be displayed. This is more likely to happen when changing the default \ref geo_map_options.
+
+You can left click on a waypoint to highlight that waypoint and show a details pop-up in the upper right corner of the map. The details pop-up will be updated as you click on different waypoints. The data displayed will vary depending on the type of waypoint. For example, this is the endpoint of a GPS Route:
+
+\image html geo_details_route.png
+
+While this is an image with GPS coordinates found by the \ref EXIF_parser_page :
+
+\image html geo_details.png
+
+You can also right click on a waypoint to bring up a similar menu to what you'd see in the \ref result_viewer_page.
+
+\image html geo_context_menu.png
+
+\subsection geo_filter Filtering
+
+The filters are displayed on the left side of the screen. The top filter lets you filter the waypoints based on timestamp. If enabled, you will only see waypoints with a timestamp within N days of the most recent waypoint (not the current date). When using this filter you can also choose whether you want to see waypoints with no timestamp. The second filter allows you to show waypoints only for the selected data sources.
+
+\image html geo_filter_panel.png
+
+If desired, the filter panel can be hidden by clicking on the vertical "Filters" tab on the top right edge of the filter panel. Clicking on that tab a second time will restore the filters panel.
+
+\subsection geo_report Generating a Report
+
+You can generate a KML report using the "KML Report" button in the bottom right corner of the window. The report will include only the currently visible waypoints and can be found in the "Reports" folder of your case.
+
+\image html geo_report.png
+
+As with other \ref reporting_page "report modules", the generated report will appear under "Reports" in the \ref tree_viewer_page. Note that you can also use the \ref report_kml report module to generate a report containing all geolocation data in the case.
+
+\section geo_map_options Map Tile Options
+
+The Autopsy Geolocation window supports several map tile data source options. The map tile data source can be changed
+on the Geolocation panel in the Options dialog. There are four options for geolocation tile data, two of which can be used offline.
+
+- Default online tile server
+
+- The default Geolocation window tile data source is the Microsoft Virtual Earth server https://www.bing.com/maps.
+
+ - OpenStreetMap server
+
+- You can specify the address of a OSM tile server. A list of online tile servers can be found here: https://wiki.openstreetmap.org/wiki/Tile_servers.
+Tile servers may have restrictions on them that prevent Autopsy from accessing their tiles. If the tiles URL is something of the form "http://tiles.example.org/${z}/${x}/${y}.png",
+then you'll need to enter "http://tiles.example.org" in the options panel.
+
+\image html geo_openstreetmap.png
+
+ - OpenStreetMap zip file
+
+- Allows offline use of zip file of OSM tile images
+
- Details on how to generate tile zip files are \ref geo_generate_zip "below".
+
+ - MBTiles file
+
+- Allows offline use of MBTiles file containing raster tiles.
+
- MBTiles raster tiles files can be downloaded from OpenMapTiles.
+
- OpenMapTiles provides downloads of MBTile files for areas as large as the whole planet to as small as regions of countries.
+
- For each of these regions there are at least four MBTiles available for download, please be sure to download one of the "Raster Tile" files,
+not the "Vector Tiles".
+
+
+
+\subsection geo_generate_zip Using Maperative to Generate Tile Image Zip Files
+
+Maperative is a tool for drawing maps, however it can also be used to create tile images. Maperative download and documentations can be found at http://maperitive.net/ .
+
+By default Maperative uses an online tile server to generate the map. For offline use, users can supply an OpenStreetMap raw data extract.
+
+
+\subsubsection geo_generate_tile_image Generating tile image zip files using any map data source:
+
+- Download and run Maperative.
+
- Center and zoom in on area of interest. The larger the area, the more tiles that will be generated. Tiles will be generated for the area visible in the map panel.
+
- Choose whether you want to use the default zoom levels or custom ones. Zoom levels in Mapertive start at 1. As the zoom level increases so will the quantity of tiles generated as well as the detail of each tile. Generating tiles, especially for heavily populated areas, may take time, please be patient with either method.
+
+- To generate tiles using the default zoom levels, select Tools->Generate Tiles
+
+\image html geo_gen_tiles.png
+
+Maperative will generate tiles for zoom levels depending on the area of interest and the zoom level. For example, if you start all the way zoomed out, you will likely see levels 1 through 10 generated. If you start zoomed in, you might see levels 10 through 14.
+
+
- Maperative provides a command interface which allows you to generate tiles for specific zoom levels. Commands can be run in the Command prompt text field at the bottom of the Maperative window. For a full list of commands see the Maperative documentation or http://maperitive.net/docs/. The generate-tiles command can be used to generate tiles for the area visible in the map panel area. For full details on generate-tiles see the documentation included with Maperative or http://maperitive.net/docs/Commands/GenerateTiles.html. The following is a sample command to generate tiles for zoom level 2 to 3 into the folder Tiles:
+\verbatim generate-tiles minzoom=2 maxzoom=3 tilesdir=C:\Tiles \endverbatim
+
+\image html geo_command_line.png
+
+
+ - For use in autopsy, the generated tile images need to be in a zip file. To create a zip of tiles for use in Autopsy, zip up all of the folders in the tile file output directory. Do not include the parent directory, just the numbered folders contained within. If you use the menu bar option or did not specify a folder in your command the generated tiles will be located in <Maperative Install Location>\\Tiles.
+
+\image html geo_tile_folder.png
+
+Be sure to zip only the contents of the folder, not the top level folder.
+
+
+
+\subsubsection geo_add_ds Adding a data source to Maperative
+
+Maperative can be used to generate tiles using raw data extracts from OpenStreetMaps. Data extracts (*.osm or *.osm.pbf) files can be downloaded from various locations. See https://wiki.openstreetmap.org/wiki/Planet.osm for a list of locations. Geofabrik's free download server has open OpenStreetMap data extracts for many regions. When using OSM raw data extracts in Maperative, the recommendation is to use smaller (.osm) files.
+
+To add a data source to Maperative:
+
+- Select from the menu bar File->Open Map Source...
+
+\image html geo_add_ds.png
+
+
- The new data source will appear in the bottom right corner of the window in the "Map Sources" list.
+
- To disable a Map Source, select the Map Source from the list and click the X button.
+
+
+\subsubsection geo_merge_osm Merging OSM raw data extracts
+
+For ease of use, users may want to merge OSM raw data extracts. OSMConvert is a tool that can be used to merge OSM raw data extracts.
+
+To merge two OSM raw data extracts country1.osm.pbf and country2.osm.pbf use the following commands. Note that this assumes that osmcovert and the files are in the same directory; if they are not be sure to use full paths.
+\verbatim
+osmconvert country1.osm.pbf -o=country1.o5m
+osmconvert country2.osm.pbf -o=country2.o5m
+osmconvert country1.o5m country2.o5m -o=together.o5m
+osmconvert together.o5m -o=together.osm.pbf
+\endverbatim
+
+
+*/
\ No newline at end of file
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_dataSourceFilter.png b/docs/doxygen-user/images/FileDiscovery/fd_dataSourceFilter.png
new file mode 100644
index 0000000000..9c42198839
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_dataSourceFilter.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_dupeEx.png b/docs/doxygen-user/images/FileDiscovery/fd_dupeEx.png
new file mode 100644
index 0000000000..e711bc95cc
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_dupeEx.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_fileSizeFilter.png b/docs/doxygen-user/images/FileDiscovery/fd_fileSizeFilter.png
new file mode 100644
index 0000000000..1e2bdb7f84
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_fileSizeFilter.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_fileType.png b/docs/doxygen-user/images/FileDiscovery/fd_fileType.png
new file mode 100644
index 0000000000..e7ae704fe5
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_fileType.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_grouping.png b/docs/doxygen-user/images/FileDiscovery/fd_grouping.png
new file mode 100644
index 0000000000..7d1441bee1
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_grouping.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_groupingInt.png b/docs/doxygen-user/images/FileDiscovery/fd_groupingInt.png
new file mode 100644
index 0000000000..1de9099297
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_groupingInt.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_groupingSize.png b/docs/doxygen-user/images/FileDiscovery/fd_groupingSize.png
new file mode 100644
index 0000000000..e21707eb44
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_groupingSize.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_hashSetFilter.png b/docs/doxygen-user/images/FileDiscovery/fd_hashSetFilter.png
new file mode 100644
index 0000000000..8c05e72524
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_hashSetFilter.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_icon.png b/docs/doxygen-user/images/FileDiscovery/fd_icon.png
new file mode 100644
index 0000000000..575395bad7
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_icon.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_instanceContext.png b/docs/doxygen-user/images/FileDiscovery/fd_instanceContext.png
new file mode 100644
index 0000000000..e8d7961da2
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_instanceContext.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_interestingItemsFilter.png b/docs/doxygen-user/images/FileDiscovery/fd_interestingItemsFilter.png
new file mode 100644
index 0000000000..4362a904d9
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_interestingItemsFilter.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_loadSettings.png b/docs/doxygen-user/images/FileDiscovery/fd_loadSettings.png
new file mode 100644
index 0000000000..0ed2169853
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_loadSettings.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_main.png b/docs/doxygen-user/images/FileDiscovery/fd_main.png
new file mode 100644
index 0000000000..1412f43892
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_main.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_objectFilter.png b/docs/doxygen-user/images/FileDiscovery/fd_objectFilter.png
new file mode 100644
index 0000000000..42efcee8fa
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_objectFilter.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_paging.png b/docs/doxygen-user/images/FileDiscovery/fd_paging.png
new file mode 100644
index 0000000000..7a18889e5e
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_paging.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_parentEx2.png b/docs/doxygen-user/images/FileDiscovery/fd_parentEx2.png
new file mode 100644
index 0000000000..102f39f92b
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_parentEx2.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_parentFilter.png b/docs/doxygen-user/images/FileDiscovery/fd_parentFilter.png
new file mode 100644
index 0000000000..5cf24a7fda
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_parentFilter.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_pastOccur.png b/docs/doxygen-user/images/FileDiscovery/fd_pastOccur.png
new file mode 100644
index 0000000000..9b04f882c9
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_pastOccur.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_resultGroups.png b/docs/doxygen-user/images/FileDiscovery/fd_resultGroups.png
new file mode 100644
index 0000000000..02e644a605
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_resultGroups.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_userContentArtifact.png b/docs/doxygen-user/images/FileDiscovery/fd_userContentArtifact.png
new file mode 100644
index 0000000000..f4af8f8fb6
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_userContentArtifact.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_userCreatedFilter.png b/docs/doxygen-user/images/FileDiscovery/fd_userCreatedFilter.png
new file mode 100644
index 0000000000..510624fcd0
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_userCreatedFilter.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_videos.png b/docs/doxygen-user/images/FileDiscovery/fd_videos.png
new file mode 100644
index 0000000000..eb36a81f41
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_videos.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/file-icon-deleted.png b/docs/doxygen-user/images/FileDiscovery/file-icon-deleted.png
new file mode 100644
index 0000000000..ef172e501b
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/file-icon-deleted.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/red-circle-exclamation.png b/docs/doxygen-user/images/FileDiscovery/red-circle-exclamation.png
new file mode 100644
index 0000000000..26b61e6f06
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/red-circle-exclamation.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/yellow-circle-yield.png b/docs/doxygen-user/images/FileDiscovery/yellow-circle-yield.png
new file mode 100644
index 0000000000..85c873f33f
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/yellow-circle-yield.png differ
diff --git a/docs/doxygen-user/images/content_viewer_annotations.png b/docs/doxygen-user/images/content_viewer_annotations.png
index 671a842099..aa37590379 100644
Binary files a/docs/doxygen-user/images/content_viewer_annotations.png and b/docs/doxygen-user/images/content_viewer_annotations.png differ
diff --git a/docs/doxygen-user/images/content_viewer_app_image.png b/docs/doxygen-user/images/content_viewer_app_image.png
index 42b57d27c6..c3ba7a0052 100644
Binary files a/docs/doxygen-user/images/content_viewer_app_image.png and b/docs/doxygen-user/images/content_viewer_app_image.png differ
diff --git a/docs/doxygen-user/images/content_viewer_app_plist.png b/docs/doxygen-user/images/content_viewer_app_plist.png
index 29da91b7ac..815b5d2ed9 100644
Binary files a/docs/doxygen-user/images/content_viewer_app_plist.png and b/docs/doxygen-user/images/content_viewer_app_plist.png differ
diff --git a/docs/doxygen-user/images/content_viewer_app_sqlite.png b/docs/doxygen-user/images/content_viewer_app_sqlite.png
index 0166cb32e3..9bc708593f 100644
Binary files a/docs/doxygen-user/images/content_viewer_app_sqlite.png and b/docs/doxygen-user/images/content_viewer_app_sqlite.png differ
diff --git a/docs/doxygen-user/images/content_viewer_context.png b/docs/doxygen-user/images/content_viewer_context.png
new file mode 100644
index 0000000000..c808e6c0b2
Binary files /dev/null and b/docs/doxygen-user/images/content_viewer_context.png differ
diff --git a/docs/doxygen-user/images/content_viewer_hex.png b/docs/doxygen-user/images/content_viewer_hex.png
index 330c0468a7..0843548450 100644
Binary files a/docs/doxygen-user/images/content_viewer_hex.png and b/docs/doxygen-user/images/content_viewer_hex.png differ
diff --git a/docs/doxygen-user/images/content_viewer_html.png b/docs/doxygen-user/images/content_viewer_html.png
index 29f2f86ea4..4a24941951 100644
Binary files a/docs/doxygen-user/images/content_viewer_html.png and b/docs/doxygen-user/images/content_viewer_html.png differ
diff --git a/docs/doxygen-user/images/content_viewer_indexed_text.png b/docs/doxygen-user/images/content_viewer_indexed_text.png
index 83c0076eda..e25cbee5c5 100644
Binary files a/docs/doxygen-user/images/content_viewer_indexed_text.png and b/docs/doxygen-user/images/content_viewer_indexed_text.png differ
diff --git a/docs/doxygen-user/images/content_viewer_message.png b/docs/doxygen-user/images/content_viewer_message.png
index f927289531..7f3e109396 100644
Binary files a/docs/doxygen-user/images/content_viewer_message.png and b/docs/doxygen-user/images/content_viewer_message.png differ
diff --git a/docs/doxygen-user/images/content_viewer_metadata.png b/docs/doxygen-user/images/content_viewer_metadata.png
index 1c25115398..fd38248776 100644
Binary files a/docs/doxygen-user/images/content_viewer_metadata.png and b/docs/doxygen-user/images/content_viewer_metadata.png differ
diff --git a/docs/doxygen-user/images/content_viewer_other_occurrences.png b/docs/doxygen-user/images/content_viewer_other_occurrences.png
index 3bdac5b67b..c8a69e15d2 100644
Binary files a/docs/doxygen-user/images/content_viewer_other_occurrences.png and b/docs/doxygen-user/images/content_viewer_other_occurrences.png differ
diff --git a/docs/doxygen-user/images/content_viewer_registry.png b/docs/doxygen-user/images/content_viewer_registry.png
index 43149fcb7f..ee45181c85 100644
Binary files a/docs/doxygen-user/images/content_viewer_registry.png and b/docs/doxygen-user/images/content_viewer_registry.png differ
diff --git a/docs/doxygen-user/images/content_viewer_results_bookmark.png b/docs/doxygen-user/images/content_viewer_results_bookmark.png
index 6baa7f7383..7dbc61bc7a 100644
Binary files a/docs/doxygen-user/images/content_viewer_results_bookmark.png and b/docs/doxygen-user/images/content_viewer_results_bookmark.png differ
diff --git a/docs/doxygen-user/images/content_viewer_results_call.png b/docs/doxygen-user/images/content_viewer_results_call.png
index 03b79bf1f0..fa554e873a 100644
Binary files a/docs/doxygen-user/images/content_viewer_results_call.png and b/docs/doxygen-user/images/content_viewer_results_call.png differ
diff --git a/docs/doxygen-user/images/content_viewer_strings_cyrillic.png b/docs/doxygen-user/images/content_viewer_strings_cyrillic.png
index f70ba0c130..0318a383d6 100644
Binary files a/docs/doxygen-user/images/content_viewer_strings_cyrillic.png and b/docs/doxygen-user/images/content_viewer_strings_cyrillic.png differ
diff --git a/docs/doxygen-user/images/content_viewer_strings_latin.png b/docs/doxygen-user/images/content_viewer_strings_latin.png
index 6968326d65..ba4403e518 100644
Binary files a/docs/doxygen-user/images/content_viewer_strings_latin.png and b/docs/doxygen-user/images/content_viewer_strings_latin.png differ
diff --git a/docs/doxygen-user/images/content_viewer_video.png b/docs/doxygen-user/images/content_viewer_video.png
new file mode 100644
index 0000000000..f3a26ef8f6
Binary files /dev/null and b/docs/doxygen-user/images/content_viewer_video.png differ
diff --git a/docs/doxygen-user/images/cvt_contacts.png b/docs/doxygen-user/images/cvt_contacts.png
index 9d86b82ccc..4f674e6579 100644
Binary files a/docs/doxygen-user/images/cvt_contacts.png and b/docs/doxygen-user/images/cvt_contacts.png differ
diff --git a/docs/doxygen-user/images/data_source_delete.png b/docs/doxygen-user/images/data_source_delete.png
new file mode 100644
index 0000000000..d33e42e107
Binary files /dev/null and b/docs/doxygen-user/images/data_source_delete.png differ
diff --git a/docs/doxygen-user/images/email_attachments.png b/docs/doxygen-user/images/email_attachments.png
new file mode 100644
index 0000000000..6eab4cc45f
Binary files /dev/null and b/docs/doxygen-user/images/email_attachments.png differ
diff --git a/docs/doxygen-user/images/email_datasource_tree.png b/docs/doxygen-user/images/email_datasource_tree.png
deleted file mode 100644
index d78039867e..0000000000
Binary files a/docs/doxygen-user/images/email_datasource_tree.png and /dev/null differ
diff --git a/docs/doxygen-user/images/email_results.PNG b/docs/doxygen-user/images/email_results.PNG
index 1e36b83c71..49ccbc6439 100644
Binary files a/docs/doxygen-user/images/email_results.PNG and b/docs/doxygen-user/images/email_results.PNG differ
diff --git a/docs/doxygen-user/images/geo_add_ds.png b/docs/doxygen-user/images/geo_add_ds.png
new file mode 100644
index 0000000000..60ac3f5684
Binary files /dev/null and b/docs/doxygen-user/images/geo_add_ds.png differ
diff --git a/docs/doxygen-user/images/geo_command_line.png b/docs/doxygen-user/images/geo_command_line.png
new file mode 100644
index 0000000000..de69fdfd15
Binary files /dev/null and b/docs/doxygen-user/images/geo_command_line.png differ
diff --git a/docs/doxygen-user/images/geo_context_menu.png b/docs/doxygen-user/images/geo_context_menu.png
new file mode 100644
index 0000000000..e6da8484f9
Binary files /dev/null and b/docs/doxygen-user/images/geo_context_menu.png differ
diff --git a/docs/doxygen-user/images/geo_details.png b/docs/doxygen-user/images/geo_details.png
new file mode 100644
index 0000000000..8932479524
Binary files /dev/null and b/docs/doxygen-user/images/geo_details.png differ
diff --git a/docs/doxygen-user/images/geo_details_route.png b/docs/doxygen-user/images/geo_details_route.png
new file mode 100644
index 0000000000..0f47ba0654
Binary files /dev/null and b/docs/doxygen-user/images/geo_details_route.png differ
diff --git a/docs/doxygen-user/images/geo_filter_panel.png b/docs/doxygen-user/images/geo_filter_panel.png
new file mode 100644
index 0000000000..bac9ee702e
Binary files /dev/null and b/docs/doxygen-user/images/geo_filter_panel.png differ
diff --git a/docs/doxygen-user/images/geo_gen_tiles.png b/docs/doxygen-user/images/geo_gen_tiles.png
new file mode 100644
index 0000000000..0f1547779c
Binary files /dev/null and b/docs/doxygen-user/images/geo_gen_tiles.png differ
diff --git a/docs/doxygen-user/images/geo_main.png b/docs/doxygen-user/images/geo_main.png
new file mode 100644
index 0000000000..cf7f49ca68
Binary files /dev/null and b/docs/doxygen-user/images/geo_main.png differ
diff --git a/docs/doxygen-user/images/geo_openstreetmap.png b/docs/doxygen-user/images/geo_openstreetmap.png
new file mode 100644
index 0000000000..a35d4234be
Binary files /dev/null and b/docs/doxygen-user/images/geo_openstreetmap.png differ
diff --git a/docs/doxygen-user/images/geo_report.png b/docs/doxygen-user/images/geo_report.png
new file mode 100644
index 0000000000..4b710b3cbc
Binary files /dev/null and b/docs/doxygen-user/images/geo_report.png differ
diff --git a/docs/doxygen-user/images/geo_tile_folder.png b/docs/doxygen-user/images/geo_tile_folder.png
new file mode 100644
index 0000000000..2ae5c347eb
Binary files /dev/null and b/docs/doxygen-user/images/geo_tile_folder.png differ
diff --git a/docs/doxygen-user/images/messages_datasource_tree.png b/docs/doxygen-user/images/messages_datasource_tree.png
deleted file mode 100644
index b8ff011502..0000000000
Binary files a/docs/doxygen-user/images/messages_datasource_tree.png and /dev/null differ
diff --git a/docs/doxygen-user/images/plaso_config.png b/docs/doxygen-user/images/plaso_config.png
new file mode 100644
index 0000000000..e31aea1a23
Binary files /dev/null and b/docs/doxygen-user/images/plaso_config.png differ
diff --git a/docs/doxygen-user/images/plaso_timeline.png b/docs/doxygen-user/images/plaso_timeline.png
new file mode 100644
index 0000000000..af112b2732
Binary files /dev/null and b/docs/doxygen-user/images/plaso_timeline.png differ
diff --git a/docs/doxygen-user/images/select-data-source-type.PNG b/docs/doxygen-user/images/select-data-source-type.PNG
index b997bf9f0f..e772e0114e 100644
Binary files a/docs/doxygen-user/images/select-data-source-type.PNG and b/docs/doxygen-user/images/select-data-source-type.PNG differ
diff --git a/docs/doxygen-user/images/ui-layout-1.PNG b/docs/doxygen-user/images/ui-layout-1.PNG
index 7f9485888d..8e54967524 100644
Binary files a/docs/doxygen-user/images/ui-layout-1.PNG and b/docs/doxygen-user/images/ui-layout-1.PNG differ
diff --git a/docs/doxygen-user/images/xry_dsp.png b/docs/doxygen-user/images/xry_dsp.png
new file mode 100644
index 0000000000..46e2659c19
Binary files /dev/null and b/docs/doxygen-user/images/xry_dsp.png differ
diff --git a/docs/doxygen-user/images/xry_folder.png b/docs/doxygen-user/images/xry_folder.png
new file mode 100644
index 0000000000..1f2e734a98
Binary files /dev/null and b/docs/doxygen-user/images/xry_folder.png differ
diff --git a/docs/doxygen-user/main.dox b/docs/doxygen-user/main.dox
index 61d555ace4..1322042b91 100644
--- a/docs/doxygen-user/main.dox
+++ b/docs/doxygen-user/main.dox
@@ -66,7 +66,8 @@ The following topics are available here:
- \subpage image_gallery_page
- \subpage timeline_page
- \subpage communications_page
-
+ - \subpage geolocation_page
+ - \subpage file_discovery_page
- Reporting
- \subpage tagging_page
diff --git a/docs/doxygen-user/plaso.dox b/docs/doxygen-user/plaso.dox
new file mode 100644
index 0000000000..9b013c97c1
--- /dev/null
+++ b/docs/doxygen-user/plaso.dox
@@ -0,0 +1,19 @@
+/*! \page plaso_page Plaso
+
+Plaso is a framework for running modules to extract timestamps for various types of files. The Plaso ingest module runs Plaso to generate events that are displayed in the Autopsy \ref timeline_page. For more information on Plaso, see the documentation.
+
+\section plaso_config Running the Module
+
+The Plaso ingest module runs dozens of individual parsers and can take a long time to run. In testing, the slowest parsers by far were winreg, pe, and chrome_cache. chrome_cache is always disabled as it duplicates events created by the \ref recent_activity_page. You can choose to enable the winreg and pe modules on the ingest module configuration panel.
+
+\image html plaso_config.png
+
+Plaso will only run on \ref ds_img "disk image data sources".
+
+\section plaso_results Viewing Results
+
+The Plaso events will be shown in the \ref timeline_page Timeline. Note that events created by Plaso are not displayed in the \ref tree_viewer_page.
+
+\image html plaso_timeline.png
+
+*/
\ No newline at end of file
diff --git a/docs/doxygen/Doxyfile b/docs/doxygen/Doxyfile
index d73868792a..dd78bc69ea 100644
--- a/docs/doxygen/Doxyfile
+++ b/docs/doxygen/Doxyfile
@@ -38,7 +38,7 @@ PROJECT_NAME = "Autopsy"
# could be handy for archiving the generated documentation or if some version
# control system is used.
-PROJECT_NUMBER = 4.13.0
+PROJECT_NUMBER = 4.14.0
# Using the PROJECT_BRIEF tag one can provide an optional one line description
# for a project that appears a the top of each page and should give viewer a
@@ -1066,7 +1066,7 @@ GENERATE_HTML = YES
# The default directory is: html.
# This tag requires that the tag GENERATE_HTML is set to YES.
-HTML_OUTPUT = api-docs/4.13.0/
+HTML_OUTPUT = api-docs/4.14.0/
# The HTML_FILE_EXTENSION tag can be used to specify the file extension for each
# generated HTML page (for example: .htm, .php, .asp).
diff --git a/docs/doxygen/footer.html b/docs/doxygen/footer.html
index 8bf1577a45..f703eb2a5e 100644
--- a/docs/doxygen/footer.html
+++ b/docs/doxygen/footer.html
@@ -1,5 +1,5 @@
-Copyright © 2012-2019 Basis Technology. Generated on: $date
+
Copyright © 2012-2020 Basis Technology. Generated on: $date
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.
diff --git a/nbproject/project.properties b/nbproject/project.properties
index 8132096d48..1f61a9c967 100644
--- a/nbproject/project.properties
+++ b/nbproject/project.properties
@@ -4,7 +4,7 @@ app.title=Autopsy
### lowercase version of above
app.name=${branding.token}
### if left unset, version will default to today's date
-app.version=4.13.0
+app.version=4.14.0
### build.type must be one of: DEVELOPMENT, RELEASE
#build.type=RELEASE
build.type=DEVELOPMENT
diff --git a/thirdparty/rr-full/Parse/Win32Registry/Base.pm b/thirdparty/rr-full/Parse/Win32Registry/Base.pm
index 6598f37b11..0b206e7bb5 100644
--- a/thirdparty/rr-full/Parse/Win32Registry/Base.pm
+++ b/thirdparty/rr-full/Parse/Win32Registry/Base.pm
@@ -161,14 +161,26 @@ sub unpack_windows_time {
# The equation can be found in several places on the Net.
# My thanks go to Dan Sully for Audio::WMA's _fileTimeToUnixTime
# which shows a perl implementation of it.
- my ($low, $high) = unpack("VV", $data);
- my $filetime = $high * 2 ** 32 + $low;
- my $epoch_time = int(($filetime - 116444736000000000) / 10000000);
+ my ($lo, $hi) = unpack("VV", $data);
+# my $filetime = $high * 2 ** 32 + $low;
+# my $epoch_time = int(($filetime - 116444736000000000) / 10000000);
+
+ my $epoch_time;
+ if ($lo == 0 && $hi == 0) {
+ $epoch_time = 0;
+ } else {
+ $lo -= 0xd53e8000;
+ $hi -= 0x019db1de;
+ $epoch_time = int($hi*429.4967296 + $lo/1e7);
+ };
+ $epoch_time = 0 if ($epoch_time < 0);
+
+
# adjust the UNIX epoch time to the local OS's epoch time
# (see perlport's Time and Date section)
- my $epoch_offset = timegm(0, 0, 0, 1, 0, 70);
- $epoch_time += $epoch_offset;
+ # my $epoch_offset = timegm(0, 0, 0, 1, 0, 70);
+ # $epoch_time += $epoch_offset;
if ($epoch_time < 0 || $epoch_time > 0x7fffffff) {
$epoch_time = undef;
diff --git a/thirdparty/rr-full/rip.exe b/thirdparty/rr-full/rip.exe
index 2becc8de6b..9a024202f3 100755
Binary files a/thirdparty/rr-full/rip.exe and b/thirdparty/rr-full/rip.exe differ
diff --git a/thirdparty/rr-full/rr.exe b/thirdparty/rr-full/rr.exe
index a96bba5daa..889b971889 100755
Binary files a/thirdparty/rr-full/rr.exe and b/thirdparty/rr-full/rr.exe differ
diff --git a/thirdparty/rr/Parse/Win32Registry/Base.pm b/thirdparty/rr/Parse/Win32Registry/Base.pm
index 6598f37b11..0b206e7bb5 100644
--- a/thirdparty/rr/Parse/Win32Registry/Base.pm
+++ b/thirdparty/rr/Parse/Win32Registry/Base.pm
@@ -161,14 +161,26 @@ sub unpack_windows_time {
# The equation can be found in several places on the Net.
# My thanks go to Dan Sully for Audio::WMA's _fileTimeToUnixTime
# which shows a perl implementation of it.
- my ($low, $high) = unpack("VV", $data);
- my $filetime = $high * 2 ** 32 + $low;
- my $epoch_time = int(($filetime - 116444736000000000) / 10000000);
+ my ($lo, $hi) = unpack("VV", $data);
+# my $filetime = $high * 2 ** 32 + $low;
+# my $epoch_time = int(($filetime - 116444736000000000) / 10000000);
+
+ my $epoch_time;
+ if ($lo == 0 && $hi == 0) {
+ $epoch_time = 0;
+ } else {
+ $lo -= 0xd53e8000;
+ $hi -= 0x019db1de;
+ $epoch_time = int($hi*429.4967296 + $lo/1e7);
+ };
+ $epoch_time = 0 if ($epoch_time < 0);
+
+
# adjust the UNIX epoch time to the local OS's epoch time
# (see perlport's Time and Date section)
- my $epoch_offset = timegm(0, 0, 0, 1, 0, 70);
- $epoch_time += $epoch_offset;
+ # my $epoch_offset = timegm(0, 0, 0, 1, 0, 70);
+ # $epoch_time += $epoch_offset;
if ($epoch_time < 0 || $epoch_time > 0x7fffffff) {
$epoch_time = undef;
diff --git a/thirdparty/rr/plugins/autopsyprocarchitecture.pl b/thirdparty/rr/plugins/autopsyprocarchitecture.pl
index a03a53f470..d5c0e63f6e 100644
--- a/thirdparty/rr/plugins/autopsyprocarchitecture.pl
+++ b/thirdparty/rr/plugins/autopsyprocarchitecture.pl
@@ -47,15 +47,14 @@ sub pluginmain {
my $arch = $env->get_value("PROCESSOR_ARCHITECTURE")->get_data();
::rptMsg("" . $arch . "");
};
- ::rptMsg($@) if ($@);
-
+ ::logMsg($@) if ($@);
}
else {
- ::rptMsg($env_path." not found.");
+ ::logMsg($env_path." not found.");
}
}
else {
- ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
#::logMsg($key_path." not found.");
}
}
diff --git a/thirdparty/rr/rip.exe b/thirdparty/rr/rip.exe
index 2becc8de6b..9a024202f3 100755
Binary files a/thirdparty/rr/rip.exe and b/thirdparty/rr/rip.exe differ
diff --git a/thirdparty/rr/rr.exe b/thirdparty/rr/rr.exe
index a96bba5daa..889b971889 100755
Binary files a/thirdparty/rr/rr.exe and b/thirdparty/rr/rr.exe differ
diff --git a/thunderbirdparser/nbproject/project.xml b/thunderbirdparser/nbproject/project.xml
index 52e915e2f3..4eebb3d2f4 100644
--- a/thunderbirdparser/nbproject/project.xml
+++ b/thunderbirdparser/nbproject/project.xml
@@ -36,7 +36,7 @@
10
- 10.17
+ 10.18