update documentation

This commit is contained in:
Karl Mortensen 2015-03-24 12:45:19 -04:00
parent f575fcddba
commit a1e844c93e
7 changed files with 32 additions and 21 deletions

View File

@ -38,7 +38,7 @@ PROJECT_NAME = "Autopsy User Documentation"
# could be handy for archiving the generated documentation or if some version
# control system is used.
PROJECT_NUMBER = 3.1.2
PROJECT_NUMBER = 3.1
# Using the PROJECT_BRIEF tag one can provide an optional one line description
# for a project that appears at the top of each page and should give viewer a
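Review bot: PROJECT_NUMBER moves from 3.1.2 to 3.1, which reads as a downgrade rather than a version bump; if the intent is for the generated manual to track the 3.1 release series as a whole rather than a patch release, say so in the commit message (currently just "update documentation") so the change is not mistaken for a typo.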

View File

@ -23,17 +23,28 @@ Autopsy allows for multiple known bad hash databases to be set. Autopsy supports
Autopsy needs an index of the hashset to actualy use a hash database. It can create the index if you import only the hashset. When you select the database from within this window, it will tell you if the index needs to be created. Autopsy uses the hash database management system from The Sleuth Kit. You can manually create an index using the 'hfind' command line tool or you can use Autopsy. If you attempt proceed without indexing a database, Autopsy will offer to automatically produce an index for you.
You can also specify only the index file and not use the full hashset - the index file is sufficient to identify known files. This can save space. To do this, specify the .idx file from the Hash Database Management window.
<br>
\section using_hashsets Using Hashsets
There is an \ref ingest_page "ingest module" that will hash the files and look them up in the hashsets. It will flag files that were in the notable hashset and those results will be shown in the Results tree of the \ref tree_viewer_page.
Other ingest modules are able to use the known status of a file to decide if they should ignore the file or process it.
You can also see the results in the \ref how_to_open_file_search "File Search" window. There is an option to choose the 'known status'. From here, you can do a search to see all 'known bad' files. From here, you can also choose to ignore all 'known' files that were found in the NSRL. You can also see the status of the file in a column when the file is listed.
\image html hash-database-configuration.PNG
<br>
NIST NSRL
------
Autopsy can use the <A HREF="http://www.nsrl.nist.gov">NIST NSRL</A> to detect 'known files'. The NSRL contains hashes of 'known files' that may be good or bad depending on your perspective and investigation type. For example, the existence of a piece of financial software may be interesting to your investigation and that software could be in the NSRL. Therefore, Autopsy treats files that are found in the NSRL as simply 'known' and does not specify good or bad. Ingest modules have the option of ignoring files that were found in the NSRL.
<b>NIST NSRL:</b>
Autopsy can use the <A HREF="http://www.nsrl.nist.gov">NIST NSRL</A> to detect 'known files'. Note that the NSRL contains hashes of 'known files' that may be good or bad depending on your perspective and investigation type. For example, the existence of a piece of financial software may be interesting to your investigation and that software could be in the NSRL. Therefore, Autopsy treats files that are found in the NSRL as simply 'known' and does not specify good or bad. Ingest modules have the option of ignoring files that were found in the NSRL.
To use the NSRL, you must concatenate all of the NSRLFile.txt files together. You can use 'cat' on a Unix system or from within Cygwin to do this.
To use the NSRL, you may download a pre-made index from <A HREF="http://sourceforge.net/projects/autopsy/files/NSRL/">http://sourceforge.net/projects/autopsy/files/NSRL</A>. Download the <b>NSRL-XYZm-autopsy.zip </b> (where 'XYZ' is the version number. As of this writing, it is 247) and unzip the file. Use the "Tools", "Options" menu and select the "Hash Database" tab. Click "Import Database" and browse to the location of the unzipped NSRL file. You can change the Hash Set Name if desired. Select the type of database desired, choosing "Send ingest inbox message for each hit" if desired, and then click "OK".
<br>
\image html nsrl_import_process.PNG
<br>
<br>
The screenshot below shows an imported NSRL.
<br>
\image html nsrl_imported.PNG
<br>
<br>
Using the Module
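Review bot: the "NIST NSRL" markdown heading (underlined with "------") is replaced by an inline `<b>NIST NSRL:</b>`, which demotes it from a section to bold text and makes it inconsistent with the `\section using_hashsets Using Hashsets` style used just above in the same file; prefer `\section using_nsrl NIST NSRL` so it stays navigable. Two smaller points while this file is open: the unchanged context line still has "actualy" and "If you attempt proceed without indexing", and the new download instructions hard-code "As of this writing, it is 247", which will go stale with every NSRL release. Since the pre-made index replaces the user's own concatenated NSRLFile.txt as the source of the 'known' status, it would also be worth telling the reader how to verify the downloaded zip (for example against a published checksum) before importing it.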

View File

@ -1,16 +1,16 @@
/*! \page image_viewer_page Image and Video Viewer
/*! \page image_gallery_page Image Gallery Module
Overview
========
This document outlines the use of the new Image Analyzer feature of Autopsy. This feature was funded by DHS S&T to help provide free and open source digital forensics tools to law enforcement.
This document outlines the use of the new Image Gallery feature of Autopsy. This feature was funded by DHS S&T to help provide free and open source digital forensics tools to law enforcement.
The new image analyzer feature has been designed specifically with child-exploitation cases in mind, but can be used for a variety of other investigation types that involve images and videos. It offers the following features beyond the traditional long list of thumbnails that Autopsy and other tools currently provide.
The new image gallery feature has been designed specifically with child-exploitation cases in mind, but can be used for a variety of other investigation types that involve images and videos. It offers the following features beyond the traditional long list of thumbnails that Autopsy and other tools currently provide.
- Groups images by folder (and other attributes) to help examiner break the large set of images into smaller groups and to help focus on areas with images of interest.
- Allows examiner to start viewing images immediately upon adding them to the case. As images are hashed, they are updated in the interface. You do not need to wait until the entire image is ingested.
This document assumes basic familiarity with Autopsy.
Quick Start
===========
1. The Image Analysis tool can be configured to collect data about images/videos as ingest runs or all at once after ingest. To change this setting go to "Tools", "Options", "Image /Video Analyzer". This setting is saved per case, but can not be changed during ingest.
1. The Image Analysis tool can be configured to collect data about images/videos as ingest runs or all at once after ingest. To change this setting go to "Tools", "Options", "Image /Video Gallery". This setting is saved per case, but can not be changed during ingest.
2. Create a case as normal and add a disk image (or folder of files) as a data source. Ensure that you have the hash lookup module enabled with NSRL and known bad hashsets, the EXIF module enabled, and the File Type module enabled.
3. Click "Tools", "Analyze Images/Videos" in the menu. This will open the Autopsy Image/Video Analysis tool in a new window.
4. Groups of images will be presented as they are analyzed by the background ingest modules. You can later resort and regroup, but it is required to keep it grouped by folder while ingest is still ongoing.
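Review bot: the rename from Image Analyzer to Image Gallery is incomplete in this hunk. The changed Quick Start step still opens with "The Image Analysis tool can be configured" while its menu path now reads "Image /Video Gallery" (note the stray space before "/Video"), and the unchanged step 3 still refers to "Tools", "Analyze Images/Videos" and "the Autopsy Image/Video Analysis tool". Either update those strings too or confirm that the menu items themselves were not renamed, otherwise the page contradicts itself.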
@ -36,12 +36,12 @@ The tool has been designed specifically with child-exploitation cases in mind an
Name|Description|Color
----|-----------------|------
CAT-0|Uncategorized|![gray](ImageAnalyzer/gray.png)
CAT-1|Child Abuse Material |![red](ImageAnalyzer/red.png)
CAT-2|Child Exploitative / Age Difficult|![orange](ImageAnalyzer/orange.png)
CAT-3|CGI / Animation|![yellow](ImageAnalyzer/yellow.png)
CAT-4|Comparison Images |![bisque](ImageAnalyzer/bisque.png)
CAT-5|Non-pertinent|![green](ImageAnalyzer/green.png)
CAT-0|Uncategorized|![gray](ImageGallery/gray.png)
CAT-1|Child Abuse Material |![red](ImageGallery/red.png)
CAT-2|Child Exploitative / Age Difficult|![orange](ImageGallery/orange.png)
CAT-3|CGI / Animation|![yellow](ImageGallery/yellow.png)
CAT-4|Comparison Images |![bisque](ImageGallery/bisque.png)
CAT-5|Non-pertinent|![green](ImageGallery/green.png)
GUI controls
=================
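Review bot: the six category image paths change from ImageAnalyzer/ to ImageGallery/, but this commit touches only 7 files and shows just three binary files (one "Before", two "After"), none of which are gray.png, red.png, orange.png, yellow.png, bisque.png or green.png. Unless the ImageGallery/ directory with those PNGs already exists in the tree, every row of this table will render with a broken image; please confirm the directory rename landed in an earlier commit or include the files here.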
@ -82,10 +82,10 @@ Each file is represented in the main display area via a small tile. The tile sh
| image | description | meaning|
|----|----|-----|
| | solid colored border | files assigned category.|
| ![](ImageAnalyzer/purpledash.png) "" | purple dashed border | file has a known bad hashset hit, but has not yet been categorized. |
| ![](ImageAnalyzer/hashset_hits.png) ""|pushpin | file has a known bad hashset hit|
| ![](ImageAnalyzer/video-file.png) ""| clapboard on document | video file|
| ![](ImageAnalyzer/flag_red.png) ""| a red flag | file has been 'flagged' as with the follow up tag|
| ![](ImageGallery/purpledash.png) "" | purple dashed border | file has a known bad hashset hit, but has not yet been categorized. |
| ![](ImageGallery/hashset_hits.png) ""|pushpin | file has a known bad hashset hit|
| ![](ImageGallery/video-file.png) ""| clapboard on document | video file|
| ![](ImageGallery/flag_red.png) ""| a red flag | file has been 'flagged' as with the follow up tag|
Slide Show Mode
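Review bot: the four tile-decoration images are subject to the same missing-file concern as the category table, since purpledash.png, hashset_hits.png, video-file.png and flag_red.png are not among the binary files in this commit. Separately, the `""` that follows each `![](ImageGallery/...)` sits outside the parentheses, so it is not a Doxygen image title and will most likely be emitted as a literal pair of quotes in the rendered table; either move the title inside the parentheses or drop it. The unchanged first row also has an empty image cell, and "file has been 'flagged' as with the follow up tag" should read "flagged with the follow up tag".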

Binary file not shown.

Before

Width:  |  Height:  |  Size: 60 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 63 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 52 KiB

View File

@ -38,7 +38,7 @@ The following topics are available here:
- \subpage tree_viewer_page
- \subpage result_viewer_page
- \subpage content_viewer_page
<!-- - \subpage image_viewer_page Not released yet-->
<!-- - \subpage image_gallery_page Not released yet-->
- \subpage file_search_page
- \subpage timeline_page
- \subpage stix_page
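Review bot: updating the commented-out `\subpage` to `image_gallery_page` keeps it in step with the renamed `\page` in image_gallery_page.dox, but the page is still marked "Not released yet" while the `\page` definition itself is live; Doxygen will still generate an unreferenced `\page` and list it under Related Pages, so if the Image Gallery documentation really must stay hidden the .dox file needs to be excluded from the build, and if it is meant to ship with 3.1 this line should be uncommented.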