Merge pull request #3554 from APriestman/restoreDocs
Restore live triage docs and some changes to other images.
Richard Cordovano
GitHub
|
Before Width: | Height: | Size: 28 KiB After Width: | Height: | Size: 28 KiB |
BIN
docs/doxygen-user/images/live_triage_case.png
Normal file
|
After Width: | Height: | Size: 26 KiB |
BIN
docs/doxygen-user/images/live_triage_dialog.png
Normal file
|
After Width: | Height: | Size: 17 KiB |
BIN
docs/doxygen-user/images/live_triage_ds.png
Normal file
|
After Width: | Height: | Size: 39 KiB |
BIN
docs/doxygen-user/images/live_triage_script.png
Normal file
|
After Width: | Height: | Size: 12 KiB |
|
Before Width: | Height: | Size: 43 KiB After Width: | Height: | Size: 16 KiB |
33
docs/doxygen-user/live_triage.dox
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
/*! \page live_triage_page Live Triage
|
||||||
|
|
||||||
|
\section live_triage_overview Overview
|
||||||
|
|
||||||
|
The Live Triage feature allows you to load Autopsy onto a removable drive to run on target systems while making minimal changes to that target system. This will currently only work on Windows systems.
|
||||||
|
|
||||||
|
\section live_triage_create_drive Creating a live triage drive
|
||||||
|
|
||||||
|
To create a live triage drive, go to Tools->Make Live Triage Drive to bring up the main dialog.
|
||||||
|
|
||||||
|
\image html live_triage_dialog.png
|
||||||
|
|
||||||
|
Select the drive you want to use - any type of USB storage device will work. For best results use the fastest drive available. Once the process is complete the root folder will contain an Autopsy folder and a RunFromUSB.bat file.
|
||||||
|
|
||||||
|
\section live_triage_usage Running Autopsy from the live triage drive
|
||||||
|
|
||||||
|
Insert the drive into the target machine and browse to it in Windows Explorer. Right click on RunFromUSB.bat and select "Run as administrator". This is necessary to analyze the local drives.
|
||||||
|
|
||||||
|
\image html live_triage_script.png
|
||||||
|
|
||||||
|
Running the script will generate a few more directories on the USB drive. The configData directory stores all the data used by Autopsy - primarily configuration files and temporary files. You can make changes to the Autopsy settings and they will persist between runs. The cases directory is created as a recommended place to save your case data. You will need to browse to it when creating a case in Autopsy.
|
||||||
|
|
||||||
|
Once Autopsy is running, proceed to create a case as normal, making sure to save it on the USB drive.
|
||||||
|
|
||||||
|
\image html live_triage_case.png
|
||||||
|
|
||||||
|
Then choose the Local Disk data source and select the desired drive.
|
||||||
|
|
||||||
|
\image html live_triage_ds.png
|
||||||
|
|
||||||
|
See the \ref ds_local page for more information on local disk data sources.
|
||||||
|
|
||||||
|
*/
|
||||||
@ -60,6 +60,7 @@ The following topics are available here:
|
|||||||
- \subpage windows_authentication
|
- \subpage windows_authentication
|
||||||
- \subpage multiuser_sec_page
|
- \subpage multiuser_sec_page
|
||||||
- \subpage multiuser_page
|
- \subpage multiuser_page
|
||||||
|
- \subpage live_triage_page
|
||||||
- \subpage advanced_page
|
- \subpage advanced_page
|
||||||
|
|
||||||
If the topic you need is not listed, refer to the <a href="http://wiki.sleuthkit.org/index.php?title=Autopsy_User%27s_Guide">Autopsy Wiki</a> or join the <a href="https://lists.sourceforge.net/lists/listinfo/sleuthkit-users">SleuthKit User List</a> at SourceForge.
|
If the topic you need is not listed, refer to the <a href="http://wiki.sleuthkit.org/index.php?title=Autopsy_User%27s_Guide">Autopsy Wiki</a> or join the <a href="https://lists.sourceforge.net/lists/listinfo/sleuthkit-users">SleuthKit User List</a> at SourceForge.
|
||||||
|
|||||||