mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-06 21:00:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

Added YARA doc.

Browse Source 
Updated aleapp and drone module pages.
This commit is contained in:
apriestman 2021-01-07 09:52:51 -05:00
parent b09d7228e7
commit a962b99e4f
9 changed files with 57 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docs/doxygen-user/aleapp.dox
View File

@ -8,7 +8,7 @@ The Android Analyzer ingest module runs aLEAPP (https://github.com/abrignoni/aLE
\section aleapp_config Using the Module \section aleapp_config Using the Module
Select the checkbox in the Ingest Modules settings screen to enable the Android Analzyer (ALEAPP) module. The module will run on .tar/.zip files found in a \ref ds_log "logical files data source" or a \ref ds_img disk image. Select the checkbox in the Ingest Modules settings screen to enable the Android Analzyer (ALEAPP) module. The module will run on .tar/.zip files found in a \ref ds_log "logical files data source" or a \ref ds_img "disk image".
\section aleapp_results Seeing Results \section aleapp_results Seeing Results

8
docs/doxygen-user/drone.dox
View File

@ -1,13 +1,13 @@
/*! \page drone_page Drone Analyzer /*! \page drone_page DJI Drone Analyzer
[TOC] [TOC]
\section drone_overview Overview \section drone_overview Overview
The Drone Analyzer module allows you to analyze files from a drone. The DJI Drone Analyzer module allows you to analyze files from a drone.
Currently, the Drone Analyzer module works on images obtained from the internal SD card found in the following DJI drone models: Currently, the DJI Drone Analyzer module works on images obtained from the internal SD card found in the following DJI drone models:
- Phantom 3 - Phantom 3
- Phantom 4 - Phantom 4
- Phantom 4 Pro - Phantom 4 Pro
@ -20,7 +20,7 @@ The module will find DAT files and process them using DatCon (https://datfile.ne
\section drone_config Running the Module \section drone_config Running the Module
To enable the Drone Analyzer ingest module select the checkbox in the \ref ingest_configure "Ingest Modules configuration screen". To enable the DJI Drone Analyzer ingest module select the checkbox in the \ref ingest_configure "Ingest Modules configuration screen".
\section drone_results Viewing Results \section drone_results Viewing Results

BIN
docs/doxygen-user/images/aleapp_main.jpg
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 592 KiB

After

Width:  |  Height:  |  Size: 98 KiB

BIN
docs/doxygen-user/images/yara_ingest_settings.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 60 KiB

BIN
docs/doxygen-user/images/yara_new_rule_set.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 6.6 KiB

BIN
docs/doxygen-user/images/yara_options.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 37 KiB

BIN
docs/doxygen-user/images/yara_results.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 42 KiB

2
docs/doxygen-user/main.dox
View File

@ -51,6 +51,8 @@ The following topics are available here:
- \subpage drone_page - \subpage drone_page
- \subpage gpx_page - \subpage gpx_page
- \subpage ileapp_page - \subpage ileapp_page
- \subpage aleapp_page
- \subpage yara_page
- Reviewing the Results - Reviewing the Results
- \subpage uilayout_page - \subpage uilayout_page

50
docs/doxygen-user/yara.dox Normal file
View File

@ -0,0 +1,50 @@
/*! \page yara_page YARA Analyzer
[TOC]
\section yara_overview Overview
The YARA Analyzer module uses a set of rules to search files for textual or binary patterns. YARA was designed for malware analysis but can be used to search for any type of files. For more information on YARA see <a href="https://virustotal.github.io/yara/">https://virustotal.github.io/yara/</a>.
\section yara_config Configuration
To create and edit your rule sets, go to "Tools", "Options" and then select the "YARA" tab.
\image html yara_options.png
YARA rule sets are stored in folders in the user's Autopsy folder. To create a new rule set, click the "New Set" button in the lower left and enter the name for your new set.
\image html yara_new_rule_set.png
With your new rule set selected, click the "Open Folder" button to go to the newly created rules folder. You can now copy existing YARA files into this folder to include them in the rule set. Information on writing YARA rules can be found <a href="https://yara.readthedocs.io/en/stable/writingrules.html">here</a> and many existing YARA rules can be found through a web search. As a very simple example, we will add this rule to the sample rule set to find files that contain the words "hello" and "world":
\verbatim
rule HelloWorldRule
{
strings:
$part1 = "hello" nocase
$part2 = "world" nocase
condition:
$part1 and $part2
}
\endverbatim
Once you've added your rules to the folder, click the "Refresh File List" button to show them in the options panel.
\section yara_running Running the Module
To enable the YARA Analyzer ingest module select the checkbox in the \ref ingest_configure "Ingest Modules configuration screen".
\image html yara_ingest_settings.png
Make sure all rule sets you want to run are checked. You can also choose between running on all files or only running on executable files.
\section yara_results Viewing Results
Results are show in the Results tree under "Extracted Content".
\image html yara_results.png
*/