diff --git a/Core/src/org/sleuthkit/autopsy/casemodule/docs/aboutImage.html b/Core/src/org/sleuthkit/autopsy/casemodule/docs/aboutImage.html deleted file mode 100644 index 35163d0f11..0000000000 --- a/Core/src/org/sleuthkit/autopsy/casemodule/docs/aboutImage.html +++ /dev/null @@ -1,51 +0,0 @@ - - -
-- Autopsy supports 3 types of data sources that can be added to the Case:
-- User needs to select the data source type from the pull down menu in the Add Data Source wizard. -
- -- To analyze a Data Source, user should use the Add Data Source Wizard - to add it to a case. -
-- Autopsy populates an embedded database for each data source (image, disk device, logical files) that it imports. - This database is a SQLite database and it contains all of the file system metadata from the input data source. - The database is stored in the case directory, but the data source will stay in its original location. - The data source must remain accessible for the duration of the analysis because the database contains only basic file system information (meta-data, not the actual content). - The image / files are needed to retrieve file content. -
- -Currently, Autopsy supports these image formats:
-You cannot currently remove an data source from a case.
- - - diff --git a/Core/src/org/sleuthkit/autopsy/casemodule/docs/addImage-icon.png b/Core/src/org/sleuthkit/autopsy/casemodule/docs/addImage-icon.png deleted file mode 100644 index 7ef648585c..0000000000 Binary files a/Core/src/org/sleuthkit/autopsy/casemodule/docs/addImage-icon.png and /dev/null differ diff --git a/Core/src/org/sleuthkit/autopsy/casemodule/docs/addImage.html b/Core/src/org/sleuthkit/autopsy/casemodule/docs/addImage.html deleted file mode 100644 index 58eefa6699..0000000000 --- a/Core/src/org/sleuthkit/autopsy/casemodule/docs/addImage.html +++ /dev/null @@ -1,53 +0,0 @@ - - - -There are two ways to add an data source to the currently opened case:
-This will bring up the Add Data Source wizard. It will guide you through the process.
-Here are some notes on what is going on during the process:
-- Note that in case of image, Autopsy will store the path to the image in its configuration file. - If the image moves, then Autopsy will give an error because it can't find the image file and it will prompt user to point to the new image location. -
- - \ No newline at end of file diff --git a/Core/src/org/sleuthkit/autopsy/casemodule/docs/casemodule-about.html b/Core/src/org/sleuthkit/autopsy/casemodule/docs/casemodule-about.html deleted file mode 100644 index 0e7a28d65d..0000000000 --- a/Core/src/org/sleuthkit/autopsy/casemodule/docs/casemodule-about.html +++ /dev/null @@ -1,33 +0,0 @@ - - - -- In Autopsy, a "case" is a container concept for a set of input data sources (disk images, disk devices, logical files). - The set of data could be from multiple drives in a single computer or from multiple computers. - When you make a case, it will create a directory to hold all of the information. - The directory will contain the main Autopsy configuration file, other module's configuration files, - some databases, generated reports, and some other information (temporary files, cache files). - The main Autopsy case configuration file as a .aut extension - that is the file used to "Open" the case. - In general, it is recommended for the user not to modify any files in the Case directory and leave it to Autopsy manage it. -
-- If you want to view case details or edit some case information, - use the Case Properties window. -
- -Refer to the Creating a Case page for more details.
- -- To open a case, choose "Open Case" from the File menu or use the "Ctrl + O" keyboard shortcut. - Navigate to the case directory and select the ".aut" file. -
- - diff --git a/Core/src/org/sleuthkit/autopsy/casemodule/docs/casemodule-hs.xml b/Core/src/org/sleuthkit/autopsy/casemodule/docs/casemodule-hs.xml deleted file mode 100644 index 75ac2b5a51..0000000000 --- a/Core/src/org/sleuthkit/autopsy/casemodule/docs/casemodule-hs.xml +++ /dev/null @@ -1,25 +0,0 @@ - - - -- The Hash Database Management window is where you can set and update your hash database information. - Hash databases are used to identify files that are 'known'. -
-Autopsy allows for multiple known bad hash databases to be set. Autopsy supports three formats:
-- Autopsy can use the NIST NSRL to detect 'known files'. - Note that the NSRL contains hashes of 'known files' that may be good or bad depending on your perspective and investigation type. - For example, the existence of a piece of financial software may be interesting to your investigation and that software could be in the NSRL. - Therefore, Autopsy treats files that are found in the NSRL as simply 'known' and does not specify good or bad. - Ingest modules have the option of ignoring files that were found in the NSRL. -
-- To use the NSRL, you must concatenate all of the NSRLFile.txt files together. - You can use 'cat' on a Unix system or from within Cygwin to do this. -
- -- Autopsy needs an index of the hashset to actualy use a hash database. - It can create the index if you import only the hashset. - When you select the database from within this window, it will tell you if the index needs to be created. - Autopsy uses the hash database management system from The Sleuth Kit. You can manually create an index using the 'hfind' command line tool or you can use Autopsy. - If you attempt proceed without indexing a database, Autopsy will offer to automatically produce an index for you. -
-- You can also specify only the index file and not use the full hashset - the index file is sufficient to identify known files. - This can save space. To do this, specify the .idx file from the Hash Database Management window. -
- -- There is an ingest module that will hash the files and look them up in the hashsets. - It will flag files that were in the notable hashset and those results will be shown in the Results tree of the Data Explorer. -
-Other ingest modules are able to use the known status of a file to decide if they should ignore the file or process it.
-- You can also see the results in the File Search window. - There is an option to choose the 'known status'. From here, you can do a search to see all 'known bad' files. - From here, you can also choose to ignore all 'known' files that were found in the NSRL. - You can also see the status of the file in a column when the file is listed. -
-- Autopsy allows you to conduct a digital forensic investigation. - It is a graphical interface to The Sleuth Kit and other tools. - This page outlines the basic concepts of the program. - The remainder of the help guide is organized around these concepts. -
-- The main Autopsy features include: importing a Data Source (image, disk, files) and exploring its file systems, - running analysis modules (ingest), viewing ingest results, viewing content and generating reports. -
-- Autopsy is an extensible application; it provides a plug-in framework that allows other other parties to supply plug-ins and supply additional: - image and file ingest for new types of analysis, different content viewers and different types of reports to be supported. - There are plug-ins for for several ingest modules, viewers and reports that are bundled by default with Autopsy. -
-- All data is organized around the concept of a case. - A case can have one or more data sources loaded into it. -
-The main window has three major areas:
-- The main take away from this should be that analysis techniques and result categories can be found on the left-hand side, - the results from choosing something on the left are always listed in the upper right, - and the file contents are displayed in the lower left. -
-- The Content Viewer area is in the lower right area of the interface. - This area is used to view a specific file in a variety of formats. - There are different tabs for different viewers. - Not all tabs support all file types, so only some of them will be enabled. - To display data in this area, a file must be selected from the - Result Viewer window. -
- -- The Content Viewer area is part of a plug-in framework. - You can install modules that will add more viewer types. - This section describes the viewers that come by default with Autopsy. -
- -Here's an example of a "Content Viewer" window:
-Currently, there are 5 main tabs on "Content Viewer" window:
- - - - \ No newline at end of file diff --git a/Core/src/org/sleuthkit/autopsy/corecomponents/docs/dataexplorer-about.html b/Core/src/org/sleuthkit/autopsy/corecomponents/docs/dataexplorer-about.html deleted file mode 100644 index 57c48fe62f..0000000000 --- a/Core/src/org/sleuthkit/autopsy/corecomponents/docs/dataexplorer-about.html +++ /dev/null @@ -1,47 +0,0 @@ - - - -- The Data Explorer view in Autopsy is the directory tree - node structure seen on the left hand side. -
- -The data explorer contains the following data:
-The data explorer provides different methods for finding relevant data, such as:
-- The Data Explorer will publish all relevant data to the Result Viewer - when specific nodes are clicked. In general, if you are looking for an 'analysis technique', then this is where you should look. -
- - - \ No newline at end of file diff --git a/Core/src/org/sleuthkit/autopsy/corecomponents/docs/dataresult-about.html b/Core/src/org/sleuthkit/autopsy/corecomponents/docs/dataresult-about.html deleted file mode 100644 index 59d400e9a4..0000000000 --- a/Core/src/org/sleuthkit/autopsy/corecomponents/docs/dataresult-about.html +++ /dev/null @@ -1,45 +0,0 @@ - - - -- The Result Viewer windows are in the upper right area of the interface and display the results from selecting something in the - Data Explorer Tree area. - You will have the option to display the results in a variety of formats. -
- -Currently, there are 2 main tabs in the Result Viewer window:
- - -- Viewers in Result Viewers have certain right-click functions built-in into them that can be accessed when a node a certain type is selected (a file, directory or a result). -
- -Here are some examples that you may see:
-Below is an example of a "Result Viewer" window:
-- Hex Content Viewer shows you the raw and exact contents of a file. - In this Hex Content Viewer, the data of the file is represented as hexadecimal values grouped in 2 groups of 8 bytes, - followed by one group of 16 ASCII characters which are derived from each pair of hex values (each byte). - Non-printable ASCII characters and characters that would take more than one character space are typically represented by a dot (".") in the following ASCII field. -
- -Below is an example of "Hex Content Viewer" window:
-- The Media Content Viewer will show a picture or video file. - Video files can be played and paused. - The size of the picture or video will be reduced to fit into the screen. - If you want more complex analysis of the media, then you must export the file. -
-If you select an non-picture file or an unsupported picture format on the "Result Viewers", this tab will be disabled.
-Here's one of the example of the "Media Content Viewer":
-Result Content Viewer shows the artifacts (saved results) associated with the item selected in the Result Viewer.
- -Below is an example of "Result Content Viewer" window:
-- Strings Content Viewer scans (potentially binary) data of the file / folder and searches it for data that could be text. - When appropriate data is found, the String Content Viewer shows data strings extracted from binary, decoded, and interpreted as UTF8/16 for the selected script/language. -
-- Note that this is different from the Text Content Viewer, which displays the text for a file that is stored in the keyword search index. - The results may be the same or they could be different, depending how the data were interpreted by the indexer. -
- -Below is an example of "String Content Viewer" window:
-- Table Results Viewer (Directory Listing) displays the data catalog as a table with some details (properties) of each file. - The properties that it shows are: name, time (modified, changed, accessed, and created), size, flags (directory and meta), mode, user ID, group ID, metadata address, attribute address, and type (directory and meta). - Click the Table Viewer tab to select this view. -
-- The Results Viewer can be also activated for saved results and it can show a high level results grouped, - or a results at a file level, depending on which node on the Directory Tree is selected to populate the Table Results Viewer. -
- -Below is an example of a "Table Results Viewer" window:
-- Text Content Viewer uses the keyword search index that may have been populated during - Image Ingest. - If a file has text stored in the index, then this tab will be enabled and it will be displayed to the user if a file or a result associated with a file is selected. -
-- This tab may have more text on it than the "String View", which relies on searching the file for text-looking data. - Some files, like PDF, will not have text-looking data at the byte-level, but the keyword indexing process knows how to interpret a PDF file and produce text. - For the files the indexer knows about, there may be the METADATA section at the end of the displayed extracted text. - If an indexed document contains any metadata (such as creation date, author, etc), it will be displayed there. - Note that, unlike the "String View", the Text View does not have its built-in settings for the script/language to use for extracted strings. - This is because the script/language is used at indexing time, and that setting is associated with the Keyword Search indexer, not the viewer. -
-- If this tab is not enabled, then either the file has no text or you did not enable Keyword Search as an ingest module. - Note that this viewer is also used to display highlighted keyword hits when operated in the "Search Matches" mode, - selected on the right-hand side of the viewer's toolbar. -
-- Thumbnail Results Viewer displays the data catalog as a table of thumbnail images in adjustable sizes. - This viewer only supports picture file(s) (Currently, only supports JPG, GIF, and PNG formats). - Click the Thumbnail tab to select this view. - Note that for a large number of images in a directory selected in the Data Explorer, or for a View selected that contains - a large number of images, it might take a while to populate this view for the first time before the images are cached. -
- -Below is an example of "Thumbnail Results Viewer" window:
-- The data explorer tree is a very important area of the interface. - This is where you will start many of your analysis approaches and find saved results from automated procedures (ingest). - The tree has three main areas: -
-Below is an example of an Data Explorer Tree window:
-- The Image Details window shows you basic information about a disk image. - You can access it by right-clicking on an image in the tree and choosing "Image Details". -
- -An example is shown here:
-- Unallocated space are chunks of the file system that is currently not being used for anything. - Unallocated space can store deleted files and other interesting artifacts. On the actual image, - Unallocated space is stored in blocks with distinct locations on the system. However, because - of the way various carving tools work, it is more ideal to feed them a single, large unallocated - file. - - Autopsy provides access to both methods of looking at unallocated space. -
-Below is where to find the single file extraction option
-- The Volume Details window shows you information about a volume. - It shows information such as the starting sector, length, and description. - You can view the information by right clicking on a volume in the tree and choosing "Volume Details". -
- -An example is shown here:
-- File Search tool can be accessed either from the Tools menu or by right-clicking on image node in the Data Explorer / Directory Tree. - By using File Search, you can specify, filter, and show the directories and files that you want to see from the images in the current opened case. - The File Search results will be populated in a brand new Table Result viewer on the right-hand side. -
-Currently, Autopsy only supports 4 categories in File Search: Name, Size, Date, and Known Status based search.
-To see how to open File Search, click here.
-To see how to use File Search, click here.
- -Here's an example of a File Search window:
-Currently, there are 4 categories that you can use to filter and show the directories and files within the images in the current opened case.
-The categories are:
-Search for all files and directory whose name contains the pattern given.
-- Search for all files and directory whose size matches the pattern given. - The pattern can be "equal to", "greater than", and "less than". - The unit for the size can be "Byte(s)", "KB", "MB", "GB", and "TB". -
-- Search for all files and directory whose "date property" is within the date range given. - The "date properties" are "Modified Date", "Accessed Date", "Changed Date", and "Created Date". - You must also specify the timezone for the date given. -
-- Search for all files and directory whose known status is recognized as either Unknown, Known, or Known Bad. - For more on Known Status, see Hash Database Management. -
-- To use any of these filters, check the box next to the category and click "Search" button to start the search process. - The result will show up in the "Result Viewer". -
-- Here's an example where I try to get all the directories and files whose name contains "hello", - has a size greater than 1000 Bytes,was created between 06/15/2010 and 06/16/2010 (in GMT-5 timezone), and is an unknown file: -
-To open the File Search, you can do one of the following thing:
-- Autopsy tries to automate as many things as possible for the user. - There are many tasks that will always be performed in a digital investigation and they normally involve some type of image or file analysis and extraction of a certain type of information. - The analysis can be a lengthy process, especially for large images and when a number of types of analysis needs to be performed. -
-- Ingest is a technique of automating these tasks. Autopsy allows to run these lengthy analysis tasks in the background, - while the user can browse the application interface and review the ingest results as their appear. - Ingest is similar to triage. - Autopsy attempts to process files inside the ingested image in such order so that the more interesting files (user-related files) are processed files. -
-- The ingest process begins after the basic file system information has been added to the database. - A series of ingest modules (described in a following section) run automatically behind the scenes and make their results available as soon as possible. - Autopsy is designed so that these results are reported to the user in real-time, - and even for very large images to be processed there can be initial results available minutes, sometimes seconds after the analysis has started. -
-- You can start image ingest in two ways. When you add an image with the Add Data Source wizard, - you will be shown the list of ingest modules and you can choose which you want to run. - You can also launch the Ingest Manager run ingest by right clicking on an image in the explorer tree and choosing "Restart Image Ingest". -
-- Once ingest is started, you can review the currently running ingest tasks in the task bar on the bottom-right corner of the main window. - The ingest tasks can be canceled by the user if so desired. -
-- The ingest message inbox will provide notifications when the particular ingest modules start and finish running. - There may also be error notifications, and result notifications sent by specific ingest modules. -
-- The results from the ingest modules can typically be found in the Results area of the explorer tree. - However, some modules may choose to write results to a local file or to some other location and not make them available in the UI. -
- -- An ingest module is responsible for extracting data from and searching images. - Different modules will do different things. Examples include: -
-- There are two places to configure ingest modules. When the Ingest Manager is launched, there may be a small set of options the module allows you to edit directly in the Ingest Manager. - Additionally, the Ingest Manager may display an "Advanced" button, which will open up a larger configuration menu with more available settings. - This advanced configuration menu can often be found in the "Tools" > "Options" menu, along with the advanced settings for numerous other ingest modules. -
-- Before launching ingest, you should go over the modules configuration by selecting every module in the list and review the current ingest module settings. - Some modules need to be configured at least the first time Autopsy is used to have default configuration populated, otherwise they won't perform any analysis. - Changing the modules configuration will potentially affect number of results found, it might also affect the total time required for ingest to run and how fast the results are reported in real-time. -
- -- Ingest modules can be created by third-party-developers and can be added independently of Autopsy. - This can be done through Autopsy's plugin manager. This is accessible through the "Tools" > "Plugins" menu. - Currently, the best way to add an ingest module is by navigating to the module's NBM file after choosing "Add Plugin..." in the "Downloaded" tab of the plugin manager. - Autopsy will require a restart after any modules are installed in order to properly load and display them. -
- - - \ No newline at end of file diff --git a/Core/src/org/sleuthkit/autopsy/ingest/docs/ingest-hs.xml b/Core/src/org/sleuthkit/autopsy/ingest/docs/ingest-hs.xml deleted file mode 100644 index a282a788f3..0000000000 --- a/Core/src/org/sleuthkit/autopsy/ingest/docs/ingest-hs.xml +++ /dev/null @@ -1,22 +0,0 @@ - - - -- The ingest message inbox is used by Autopsy to provide real-time updates during ingest. - To open the inbox, click on the yellow warning sign in the top/right corner of the Autopsy window. - The sign can display a number of incoming unread (not yet clicked) messages during ingest in its upper-right corner. -
-- Ingest modules are able to post messages when notable events occur, - such as a keyword or hash database hit. - If a module posts many similar messages in a short time span, - the inbox will group those messages so that unique updates are not lost among the noise. -
-- The grouped messages are colored with different shades to indicate their importance; - if a message group contains a lower number of unique messages, - it is potentially more important than another group with a large number of unique messages. - The more unique important messages have a lighter background color. -
-The ingest messages can be sorted by uniqueness/importance, or by chronological order in which they had appeared.
-- A message can be clicked to view the message details. When a message is clicked, it is marked as "read". - When updates are posted with regard to a specific result or file, the message is linked to that file - and the buttons in the top/right corner of the message details view can be used to browse to that data. -
-- Autopsy ships a keyword search module, which provides the ingest capability - and also supports a manual text search mode. -
-The keyword search ingest module extracts text from the files on the image being ingested and adds them to the index that can then be searched.
-- Autopsy tries its best to extract maximum amount of text from the files being indexed. - First, the indexing will try to extract text from supported file formats, such as pure text file format, MS Office Documents, PDF files, Email files, and many others. - If the file is not supported by the standard text extractor, Autopsy will fallback to string extraction algorithm. - String extraction on unknown file formats or arbitrary binary files can often still extract a good amount of text from the file, often good enough to provide additional clues. - However, string extraction will not be able to extract text strings from binary files that have been encrypted. -
-- Autopsy ships with some built-in lists that define regular expressions and enable user to search for Phone Numbers, IP addresses, URLs and E-mail addresses. - However, enabling some of these very general lists can produce a very large number of hits, many of them can be false-positives. -
-- Once files are in the index, they can be searched quickly for specific keywords, regular expressions, - or using keyword search lists that can contain a mixture of keywords and regular expressions. - Search queries can be executed automatically by the ingest during the ingest run, or at the end of the ingest, depending on the current settings and the time it takes to ingest the image. -
-Search queries can also be executed manually by the user at any time, as long as there are some files already indexed and ready to be searched.
-- Keyword search module will save the search results regardless whether the search is performed by the ingest process, or manually by the user. - The saved results are available in the Directory Tree in the left hand side panel. -
-- To see keyword search results in real-time while ingest is running, add keyword lists using the - Keyword Search Configuration Dialog - and select the "Use during ingest" check box. - You can select "Send messages to inbox during ingest" per list, if the hits on that list should be reported in the Inbox, which is recommended for very specific searches. -
-- See (Ingest) - for more information on ingest in general. -
-- Once there are files in the index, the Keyword Search Bar - will be available for use to manually search at any time. -
- - - diff --git a/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/docs/keywordsearch-bar.html b/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/docs/keywordsearch-bar.html deleted file mode 100644 index 8530fb8374..0000000000 --- a/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/docs/keywordsearch-bar.html +++ /dev/null @@ -1,59 +0,0 @@ - - - - -- The keyword search bar is used to search for keywords in the manual mode (outside of ingest). - The existing index will be searched for matching words, phrases, lists, or regular expressions. - Results will be opened in a separate Results Viewer for every search executed and they will also be saved in the Directory Tree. -
- -- Individual keyword or regular expressions can be quickly searched using the search text box widget. - To toggle between keyword and regular expression mode, use the down arrow in the search box. -
- -- Lists created using the Keyword Search Configuration Dialog - can be manually searched by the user by pressing on the 'Keyword Lists' button, selecting the check boxes corresponding to the lists to be searched, and pressing the 'Search' button. -
- -- The manual search for individual keywords or regular expressions can be executed also during the ongoing ingest on the current index using the search text box widget. - Note however, that you may miss some results if not entire index has yet been populated. - Autopsy enables you to perform the search on an incomplete index in order to retrieve some preliminary results in real-time. -
-- During the ingest, the manual search by keyword list is deactivated. - A newly selected list can instead be added to the ongoing ingest, and it will be searched in the background instead. -
-Keywords and lists can be managed during ingest...
-The keyword search configuration dialog has three tabs, each with it's own purpose:
-- To create a list, select the 'New List' button and choose a name for the new Keyword List. - Once the list has been created, keywords can be added to it. Regular expressions are supported using - Java Regex Syntax. - Lists can be added to the keyword search ingest process; searches will happen at regular intervals as content is added to the index. -
- -- Autopsy supports importing Encase tab-delimited lists as well as lists created previously with Autopsy. - For Encase lists, folder structure and hierarchy is currently ignored. This will be fixed in a future version. - There is currently no way to export lists for use with Encase. This will also be added in future releases. -
- -- The string extraction setting defines how strings are extracted from files from which text cannot be extracted because their file formats are not supported. - This is the case with arbitrary binary files (such as the page file) and chunks of unallocated space that represent deleted files. -
-- When we extract strings from binary files we need to interpet sequences of bytes as text differently, depending on the possible text encoding and script/language used. - In many cases we don't know what the specific encoding / language the text is be encoded in in advance. - However, it helps if the investigator is looking for a specific language, because by selecting less languages the indexing performance will be improved - and a number of false positives will be reduced. -
-- The default setting is to search for English strings only, encoded as either UTF8 or UTF16. - This setting has the best performance (shortest ingest time). -
-- The user can also use the String Viewer first and try different script/language settings, - and see which setting gives satisfactory results for the type of text relevant to the investigation. - Then the same setting that works for the investigation can be applied to the keyword search ingest. -
- -- The hash database ingest service can be configured to use the NIST NSRL hash database of known files. - The keyword search advanced configuration dialog "General" tab contains an option to skip keyword indexing and search on files - that have previously marked as "known" and uninteresting files. - Selecting this option can greatly reduce size of the index and improve ingest performance. - In most cases, user does not need to keyword search for "known" files. -
- -- To control how frequently searches are executed during ingest, user can adjust the timing setting - available in the keyword search advanced configuration dialog "General" tab. - Setting the number of minutes lower will result in more frequent index updates and searches being executed - and the user will be able to see results more in real-time. - However, more frequent updates can affect the overall performance, especially on lower-end systems, - and can potentially lengthen the overall time needed for the ingest to complete. -
- -Lists tab:
-String Extraction tab:
-General tab:
-
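Review bot: the aboutImage.html hunk drops the statement that the per-data-source SQLite database holds only file system metadata, that the image or files must stay accessible at their original location for the duration of the analysis, and that a data source cannot currently be removed from a case, and nothing in this patch points to where that guidance now lives. Please name the replacement in the PR description or carry these caveats over; an analyst who moves an evidence image after adding it hits exactly the failure the deleted text warns about.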
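Review bot: the addImage.html hunk removes the note that Autopsy stores the path to the image in its configuration file and raises an error, then prompts for the new location, if the image moves. That is operational behaviour users will still encounter after this change, so it needs a home in whatever replaces these pages.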
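Review bot: the casemodule-hs.xml and ingest-hs.xml hunks delete helpset descriptors, but no hunk in this patch touches whatever registers those helpsets with the application. Please either include the registration change here or state in the description that nothing still references the deleted descriptors.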
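Review bot: the hash database text that follows the casemodule-hs.xml header carries two points that bear on the completeness of an examination: files matched in the NSRL are treated only as 'known', not as good or bad, and ingest modules may ignore known files; and a hash set cannot be used until an index exists (built with 'hfind' or via Autopsy's prompt). If this content is being migrated rather than dropped, keep both points intact, since an analyst who enables 'ignore known files' needs to understand that known does not mean benign.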
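Review bot: the core-concepts text preceding the dataexplorer-about.html header is internally inconsistent: one paragraph says file contents are displayed in the lower left, the next says the Content Viewer is in the lower right. The same block also has the doubled words 'other other' and 'for for'. Moot for a deletion, but if this text is moved rather than removed, fix it at the new location rather than copying it as is.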
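Review bot: the ingest text under the dataresult-about.html header contains a sentence that was already truncated in the old page ('... so that the more interesting files (user-related files) are processed files.'); complete it if the content is being migrated. The same block's warning that some modules perform no analysis until they have been configured at least once is worth preserving, because a default-unconfigured module silently producing no results is easy to mistake for a clean data source.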
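Review bot: the keyword search overview following the ingest-hs.xml header states that string extraction recovers nothing from encrypted binary files and that ingest-time searches may run only at the end of ingest, depending on settings and image size. Both are expectations an analyst needs when judging why a hit is absent; if the page is being replaced, make sure the replacement says the same.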
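Review bot: the keywordsearch-bar.html hunk removes three caveats that affect whether a negative search result can be trusted: a manual search during ingest runs against an incomplete index and can miss results; enabling the 'General' tab option to skip known files excludes them from the index entirely, not just from the results; and the default string extraction setting is English in UTF8 or UTF16 only, so text in other scripts is not indexed unless the setting is changed. The closing 'Lists tab:', 'String Extraction tab:' and 'General tab:' lines also end the hunk with no body, so check that whatever they introduced (screenshots or lists) is accounted for in the replacement.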