diff --git a/docs/doxygen-user/images/InterestingFiles/if_create_set.png b/docs/doxygen-user/images/InterestingFiles/if_create_set.png new file mode 100644 index 0000000000..6302a6026c Binary files /dev/null and b/docs/doxygen-user/images/InterestingFiles/if_create_set.png differ diff --git a/docs/doxygen-user/images/InterestingFiles/if_export.png b/docs/doxygen-user/images/InterestingFiles/if_export.png new file mode 100644 index 0000000000..7743689db4 Binary files /dev/null and b/docs/doxygen-user/images/InterestingFiles/if_export.png differ diff --git a/docs/doxygen-user/images/InterestingFiles/if_new_rule.png b/docs/doxygen-user/images/InterestingFiles/if_new_rule.png new file mode 100644 index 0000000000..826b2b1203 Binary files /dev/null and b/docs/doxygen-user/images/InterestingFiles/if_new_rule.png differ diff --git a/docs/doxygen-user/images/InterestingFiles/if_official_rule_details.png b/docs/doxygen-user/images/InterestingFiles/if_official_rule_details.png new file mode 100644 index 0000000000..669a5d4dca Binary files /dev/null and b/docs/doxygen-user/images/InterestingFiles/if_official_rule_details.png differ diff --git a/docs/doxygen-user/images/InterestingFiles/ingest.png b/docs/doxygen-user/images/InterestingFiles/ingest.png index aadf558768..9dedfd045b 100644 Binary files a/docs/doxygen-user/images/InterestingFiles/ingest.png and b/docs/doxygen-user/images/InterestingFiles/ingest.png differ diff --git a/docs/doxygen-user/images/InterestingFiles/main.png b/docs/doxygen-user/images/InterestingFiles/main.png index 67a27cdb7e..fd74aa70a5 100644 Binary files a/docs/doxygen-user/images/InterestingFiles/main.png and b/docs/doxygen-user/images/InterestingFiles/main.png differ diff --git a/docs/doxygen-user/interesting_files.dox b/docs/doxygen-user/interesting_files.dox index 7e4147a66f..e7f4305822 100644 --- a/docs/doxygen-user/interesting_files.dox +++ b/docs/doxygen-user/interesting_files.dox 
@@ -15,7 +15,7 @@ This module allows you to make sets of rules that will be run against each file \section interesting_files_config Configuration -To create and edit your rule sets, go to "Tools", "Options" and then select the "Interesting Files" tab. The area on the left side will show you a list of all the rule sets that are currently available. Selecting a rule set will display its description and information about each of its rules on the right side of the panel. +To create and edit your rule sets, go to "Tools", "Options" and then select the "Interesting Files" tab. The area on the left side will show you a list of all the rule sets that are currently available. This will include the official rule sets that are included with Autopsy and any rule sets that you create. Selecting a rule set will display its description and information about each of its rules on the right side of the panel. \image html InterestingFiles/main.png @@ -31,6 +31,8 @@ The buttons on the bottom of the left side of the panel control the rule sets.
  • Export Set - Exports the selected rule set in a format that can be shared with other Autopsy users. +Note that the predefined rule sets can not be deleted or edited. If you believe you have additions that would be useful to the community, see the \ref update_interesting_files_page page for instructions on submitting updates. + Selecting a rule set will display its description, whether it ignores known files, and the rules contained in the set. Selecting a rule will display the conditions for that rule in the "Rule Details" section. The buttons under the list of rules allow you to create new rules and edit or delete existing rules. Selecting "New Rule" will bring up a new window to create the rule. diff --git a/docs/doxygen-user/main.dox b/docs/doxygen-user/main.dox index 424a0323d1..63114401bd 100644 --- a/docs/doxygen-user/main.dox +++ b/docs/doxygen-user/main.dox @@ -93,7 +93,9 @@ The following topics are available here: - \ref object_detection_page - \ref volatility_dsp_page -- \subpage translations_page +- Community Contributions + - \subpage translations_page + - \subpage update_interesting_files_page If the topic you need is not listed, then you can: diff --git a/docs/doxygen-user/updating_interesting_file_sets.dox b/docs/doxygen-user/updating_interesting_file_sets.dox new file mode 100644 index 0000000000..dfacd38f1d --- /dev/null +++ b/docs/doxygen-user/updating_interesting_file_sets.dox 
@@ -0,0 +1,26 @@ +/*! \page update_interesting_files_page Updating the Official Interesting File Sets + +The \ref interesting_files_identifier_page contains several official rule sets. You can select a rule set to display the rules it contains in the middle of the right side of the panel. + +\image html InterestingFiles/if_official_rule_details.png + +If you have one or more rules that you think should be included in an official rule set you can submit your new rules using the process below. Consult the \ref interesting_files_config section for general instructions on creating and editing interesting file sets. + +
      +
    1. Create a new interesting file set. Give it a name similar to the set you wish to update to make it clear which set your new rules belong to. Do not copy the existing rule set. + +\image html InterestingFiles/if_create_set.png + +
    2. Create your rule(s). Make sure each rule has a "Rule Name" that identifies the application it is detecting. Click the "Apply" button on the main panel when done. + +\image html InterestingFiles/if_new_rule.png + +
    3. Export the set as XML. + +\image html InterestingFiles/if_export.png + +
    4. Create an Autopsy Github issue that identifes the set to update and what applications were added, and attach the XML. Go to: https://github.com/sleuthkit/autopsy/issues +
    + + +*/ \ No newline at end of file
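Review bot: In the `@@ -15,7 +15,7 @@` hunk of interesting_files.dox the added sentence "This will include the official rule sets that are included with Autopsy" repeats "include"; "This list contains the official rule sets that ship with Autopsy and any rule sets that you create." reads better and also introduces the term "official rule sets" that the new page relies on.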
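Review bot: In the `@@ -31,6 +31,8 @@` hunk of interesting_files.dox the new line says "predefined rule sets" while the earlier hunk and the new page call them "official rule sets"; use one term so readers can connect the two. Also "can not" should be "cannot", and since the `\ref` already renders the page title, "see the \ref update_interesting_files_page page" will read as "... Sets page page" unless the trailing "page" is dropped or the ref is given link text.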
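Review bot: Step 4 of the new updating_interesting_file_sets.dox asks users to attach the exported XML to a public GitHub issue but gives no advice on checking its contents first; since the set is built while working in Autopsy, the exported rules (names, paths, extensions) can carry details from a real case, so add a sentence telling contributors to review the XML for case-specific or sensitive values before attaching it. In the same step "identifes" should be "identifies". Step 1's "Do not copy the existing rule set." would be clearer with the reason, e.g. "Do not use Copy Set on the official set; the submission should contain only your new rules." Finally, the file ends without a trailing newline ("\ No newline at end of file"); add one to match the other .dox files.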