diff --git a/Core/src/org/sleuthkit/autopsy/corecomponents/Bundle.properties b/Core/src/org/sleuthkit/autopsy/corecomponents/Bundle.properties
index 00afd73af4..fce437a96f 100644
--- a/Core/src/org/sleuthkit/autopsy/corecomponents/Bundle.properties
+++ b/Core/src/org/sleuthkit/autopsy/corecomponents/Bundle.properties
@@ -29,6 +29,8 @@ URL_ON_IMG=http://www.sleuthkit.org/
 URL_ON_HELP=http://sleuthkit.org/autopsy/docs/user-docs/3.1/
+FILE_FOR_LOCAL_HELP=file:///
+INDEX_FOR_LOCAL_HELP=/docs/index.html
 LBL_Close=Close
 DataContentViewerString.copyMenuItem.text=Copy
 DataContentViewerHex.copyMenuItem.text=Copy
@@ -137,7 +139,7 @@ AutopsyOptionsPanel.useGMTTimeRB.text=Use GMT
 AutopsyOptionsPanel.useLocalTimeRB.text=Use local time zone
 AutopsyOptionsPanel.keepCurrentViewerRB.toolTipText=For example, stay in Hex view when a JPEG is selected.
 AutopsyOptionsPanel.keepCurrentViewerRB.text=Stay on the same file viewer
-AutopsyOptionsPanel.restartRequiredLabel.text=For this computer, a maximum of {0} file ingest threads should be used. Restart required to take effect.
+AutopsyOptionsPanel.restartRequiredLabel.text=For this computer, a maximum of {0} file ingest threads should be used. Application restart required to take effect.
 AutopsyOptionsPanel.jLabelSelectFile.text=When selecting a file:
 AutopsyOptionsPanel.jLabelHideKnownFiles.text=Hide known files (i.e. those in the NIST NSRL) in the:
 AutopsyOptionsPanel.jLabelTimeDisplay.text=When displaying times:
diff --git a/Core/src/org/sleuthkit/autopsy/corecomponents/OfflineHelpAction.java b/Core/src/org/sleuthkit/autopsy/corecomponents/OfflineHelpAction.java
new file mode 100644
index 0000000000..f2e755553a
--- /dev/null
+++ b/Core/src/org/sleuthkit/autopsy/corecomponents/OfflineHelpAction.java
@@ -0,0 +1,108 @@
+/*
+ * Autopsy Forensic Browser
+ *
+ * Copyright 2011-2015 Basis Technology Corp.
+ * Contact: carrier sleuthkit org
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.sleuthkit.autopsy.corecomponents;
+
+import java.awt.Desktop;
+import java.awt.event.ActionEvent;
+import java.awt.event.ActionListener;
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URI;
+import org.netbeans.core.actions.HTMLViewAction;
+import org.openide.awt.ActionID;
+import org.openide.awt.ActionReference;
+import org.openide.awt.ActionReferences;
+import org.openide.awt.ActionRegistration;
+import org.openide.awt.HtmlBrowser;
+import org.openide.util.NbBundle;
+import org.openide.util.NbBundle.Messages;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+/**
+ * Implements a hyperlink to the Offline Documentation.
+ */ +@ActionID( + category = "Help", + id = "org.sleuthkit.autopsy.corecomponents.OfflineHelpAction" +) +@ActionRegistration( + displayName = "#CTL_OfflineHelpAction" +) +@ActionReferences({ + @ActionReference(path = "Menu/Help", position = 1), + @ActionReference(path = "Shortcuts", name = "F2") +}) +@Messages("CTL_OfflineHelpAction=Offline Autopsy Documentation") +public final class OfflineHelpAction implements ActionListener { + + private URI uri; + private static final Logger Logger = + org.sleuthkit.autopsy.coreutils.Logger.getLogger(AboutWindowPanel.class.getName()); + + @Override + public void actionPerformed(ActionEvent e) { + viewOfflineHelp(); + } + + /** + * Displays the Offline Documentation in the system browser. If not + * available, displays it in the built-in OpenIDE HTML Browser. + * + * Tested and working: Chrome, Firefox, IE + * Not tested: Opera, Safari + */ + private void viewOfflineHelp() { + String fileForHelp = ""; + String indexForHelp = ""; + String currentDirectory = ""; + + try { + // Match the form: file:///C:/some/directory/AutopsyXYZ/docs/index.html + fileForHelp = NbBundle.getMessage(OfflineHelpAction.class, "FILE_FOR_LOCAL_HELP"); + indexForHelp = NbBundle.getMessage(OfflineHelpAction.class, "INDEX_FOR_LOCAL_HELP"); + currentDirectory = System.getProperty("user.dir").replace("\\", "/").replace(" ", "%20"); //NON-NLS + uri = new URI(fileForHelp + currentDirectory + indexForHelp); + } catch (Exception ex) { + Logger.log(Level.SEVERE, "Unable to load Offline Documentation: " + + fileForHelp + currentDirectory + indexForHelp, ex); //NON-NLS + } + if (uri != null) { + // Display URL in the System browser + if (Desktop.isDesktopSupported()) { + Desktop desktop = Desktop.getDesktop(); + try { + desktop.browse(uri); + } catch (IOException ex) { + Logger.log(Level.SEVERE, "Unable to launch the system browser: " + + fileForHelp + currentDirectory + indexForHelp, ex); //NON-NLS + } + } else { + 
org.openide.awt.StatusDisplayer.getDefault().setStatusText( + NbBundle.getMessage(HTMLViewAction.class, "CTL_OpeningBrowser")); //NON-NLS + try { + HtmlBrowser.URLDisplayer.getDefault().showURL(uri.toURL()); + } catch (MalformedURLException ex) { + Logger.log(Level.SEVERE, "Unable to launch the built-in browser: " + + fileForHelp + currentDirectory + indexForHelp, ex); //NON-NLS + } + } + } + } +} diff --git a/Core/src/org/sleuthkit/autopsy/corecomponents/OnlineHelpAction.java b/Core/src/org/sleuthkit/autopsy/corecomponents/OnlineHelpAction.java index b0cd3171e6..d9190fa51b 100644 --- a/Core/src/org/sleuthkit/autopsy/corecomponents/OnlineHelpAction.java +++ b/Core/src/org/sleuthkit/autopsy/corecomponents/OnlineHelpAction.java @@ -51,7 +51,7 @@ import java.util.logging.Logger; @ActionReference(path = "Menu/Help", position = 0), @ActionReference(path = "Shortcuts", name = "F1") }) -@Messages("CTL_OnlineHelpAction=Online Documentation") +@Messages("CTL_OnlineHelpAction=Online Autopsy Documentation") public final class OnlineHelpAction implements ActionListener { private URI uri; diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/AbstractAbstractFileNode.java b/Core/src/org/sleuthkit/autopsy/datamodel/AbstractAbstractFileNode.java index 1538f6ebb3..a6b5ca57a1 100644 --- a/Core/src/org/sleuthkit/autopsy/datamodel/AbstractAbstractFileNode.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/AbstractAbstractFileNode.java @@ -28,6 +28,7 @@ import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.SleuthkitCase; +import org.sleuthkit.datamodel.SleuthkitCase.CaseDbQuery; import org.sleuthkit.datamodel.TskCoreException; /** 
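Review bot: The file URI in viewOfflineHelp() is built by string concatenation with only spaces percent-encoded (`replace(" ", "%20")`), so any other reserved character in `user.dir` breaks it: a `#` or `?` in the install path is parsed by `new URI(String)` as a fragment or query, and a stray `%` throws, which the broad `catch (Exception ex)` then hides as a generic load failure. `Paths.get(System.getProperty("user.dir"), "docs", "index.html").toUri()` produces a correctly encoded file URI on both Windows and Unix in one line, removes the need for the FILE_FOR_LOCAL_HELP/INDEX_FOR_LOCAL_HELP bundle keys, and lets the catch narrow to the exceptions actually thrown. The logger is also misattributed and misnamed: it is created with `AboutWindowPanel.class.getName()` and the field is called `Logger`, which obscures the imported `java.util.logging.Logger` type; `private static final Logger logger = org.sleuthkit.autopsy.coreutils.Logger.getLogger(OfflineHelpAction.class.getName());` fixes both.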
@@ -228,40 +229,33 @@ public abstract class AbstractAbstractFileNode extends A } @SuppressWarnings("deprecation") private static String getHashSetHitsForFile(AbstractFile content) { - ResultSet rs = null; String strList = ""; SleuthkitCase skCase = content.getSleuthkitCase(); long objId = content.getId(); - try { - int setNameId = BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(); - int artId = BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID(); + int setNameId = BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(); + int artId = BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID(); - String query = "SELECT value_text,blackboard_attributes.artifact_id,attribute_type_id " //NON-NLS - + "FROM blackboard_attributes,blackboard_artifacts WHERE " //NON-NLS - + "attribute_type_id=" + setNameId //NON-NLS - + " AND blackboard_attributes.artifact_id=blackboard_artifacts.artifact_id" //NON-NLS - + " AND blackboard_artifacts.artifact_type_id=" + artId //NON-NLS - + " AND blackboard_artifacts.obj_id=" + objId; //NON-NLS - rs = skCase.runQuery(query); + String query = "SELECT value_text,blackboard_attributes.artifact_id,attribute_type_id " //NON-NLS + + "FROM blackboard_attributes,blackboard_artifacts WHERE " //NON-NLS + + "attribute_type_id=" + setNameId //NON-NLS + + " AND blackboard_attributes.artifact_id=blackboard_artifacts.artifact_id" //NON-NLS + + " AND blackboard_artifacts.artifact_type_id=" + artId //NON-NLS + + " AND blackboard_artifacts.obj_id=" + objId; //NON-NLS + + try (CaseDbQuery dbQuery = skCase.executeQuery(query)) { + ResultSet resultSet = dbQuery.getResultSet(); int i = 0; - while (rs.next()) { + while (resultSet.next()) { if (i++ > 0) { strList += ", "; } - strList += rs.getString("value_text"); //NON-NLS - } - } catch (SQLException ex) { - logger.log(Level.WARNING, "SQL Exception occurred: ", ex); //NON-NLS - } finally { - if (rs != null) { - try { - skCase.closeRunQuery(rs); - } catch (SQLException ex) { - 
logger.log(Level.WARNING, "Error closing result set after getting hashset hits", ex); //NON-NLS - } + strList += resultSet.getString("value_text"); //NON-NLS } + } catch (TskCoreException | SQLException ex) { + logger.log(Level.WARNING, "Error getting hashset hits: ", ex); //NON-NLS } + return strList; } diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/EmailExtracted.java b/Core/src/org/sleuthkit/autopsy/datamodel/EmailExtracted.java index 3d8df28987..4f59c3a52b 100644 --- a/Core/src/org/sleuthkit/autopsy/datamodel/EmailExtracted.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/EmailExtracted.java @@ -44,6 +44,8 @@ import org.sleuthkit.autopsy.ingest.ModuleDataEvent; import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.SleuthkitCase; +import org.sleuthkit.datamodel.SleuthkitCase.CaseDbQuery; +import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskException; /** 
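Review bot: The query in getHashSetHitsForFile is still assembled by concatenation, and it is safe only because every interpolated value (`setNameId`, `artId`, `objId`) is an int or long from the type enums or `content.getId()`; that invariant is not recorded anywhere, so a later edit adding a string value would silently create an injection path. A one-line comment above the `String query =` line, `// Only numeric type/object ids are interpolated here; never add user-controlled text to this query.`, documents it. The same concatenated-query shape is repeated in EmailExtracted, HashsetHits, InterestingHits and KeywordHits in this commit, so a shared helper taking the artifact and attribute type ids would remove the duplication. The `strList += ", "` / `if (i++ > 0)` loop builds the result by repeated concatenation; a `StringJoiner(", ")` does the same with less state.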
@@ -95,18 +97,19 @@ public class EmailExtracted implements AutopsyVisitableItem { return; } - try { - int artId = BlackboardArtifact.ARTIFACT_TYPE.TSK_EMAIL_MSG.getTypeID(); - int pathAttrId = BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH.getTypeID(); - String query = "SELECT value_text,blackboard_attributes.artifact_id,attribute_type_id " //NON-NLS - + "FROM blackboard_attributes,blackboard_artifacts WHERE " //NON-NLS - + "attribute_type_id=" + pathAttrId //NON-NLS - + " AND blackboard_attributes.artifact_id=blackboard_artifacts.artifact_id" //NON-NLS - + " AND blackboard_artifacts.artifact_type_id=" + artId; //NON-NLS - ResultSet rs = skCase.runQuery(query); - while (rs.next()) { - final String path = rs.getString("value_text"); //NON-NLS - final long artifactId = rs.getLong("artifact_id"); //NON-NLS + int artId = BlackboardArtifact.ARTIFACT_TYPE.TSK_EMAIL_MSG.getTypeID(); + int pathAttrId = BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH.getTypeID(); + String query = "SELECT value_text,blackboard_attributes.artifact_id,attribute_type_id " //NON-NLS + + "FROM blackboard_attributes,blackboard_artifacts WHERE " //NON-NLS + + "attribute_type_id=" + pathAttrId //NON-NLS + + " AND blackboard_attributes.artifact_id=blackboard_artifacts.artifact_id" //NON-NLS + + " AND blackboard_artifacts.artifact_type_id=" + artId; //NON-NLS + + try (CaseDbQuery dbQuery = skCase.executeQuery(query)) { + ResultSet resultSet = dbQuery.getResultSet(); + while (resultSet.next()) { + final String path = resultSet.getString("value_text"); //NON-NLS + final long artifactId = resultSet.getLong("artifact_id"); //NON-NLS final Map parsedPath = parsePath(path); final String account = parsedPath.get(MAIL_ACCOUNT); final String folder = parsedPath.get(MAIL_FOLDER); 
@@ -123,10 +126,8 @@ public class EmailExtracted implements AutopsyVisitableItem { } messages.add(artifactId); } - skCase.closeRunQuery(rs); - - } catch (SQLException ex) { - logger.log(Level.WARNING, "Cannot initialize email extraction", ex); //NON-NLS + } catch (TskCoreException | SQLException ex) { + logger.log(Level.WARNING, "Cannot initialize email extraction: ", ex); //NON-NLS } } diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/HashsetHits.java b/Core/src/org/sleuthkit/autopsy/datamodel/HashsetHits.java index ce3d5ba144..f893c1e5b3 100644 --- a/Core/src/org/sleuthkit/autopsy/datamodel/HashsetHits.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/HashsetHits.java @@ -46,6 +46,8 @@ import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE; import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE; import org.sleuthkit.datamodel.SleuthkitCase; +import org.sleuthkit.datamodel.SleuthkitCase.CaseDbQuery; +import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskException; /** 
@@ -99,35 +101,28 @@ public class HashsetHits implements AutopsyVisitableItem { return; } - ResultSet rs = null; - try { - int setNameId = ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(); - int artId = ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID(); - String query = "SELECT value_text,blackboard_attributes.artifact_id,attribute_type_id " //NON-NLS - + "FROM blackboard_attributes,blackboard_artifacts WHERE " //NON-NLS - + "attribute_type_id=" + setNameId //NON-NLS - + " AND blackboard_attributes.artifact_id=blackboard_artifacts.artifact_id" //NON-NLS - + " AND blackboard_artifacts.artifact_type_id=" + artId; //NON-NLS - rs = skCase.runQuery(query); - while (rs.next()) { - String setName = rs.getString("value_text"); //NON-NLS - long artifactId = rs.getLong("artifact_id"); //NON-NLS + int setNameId = ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(); + int artId = ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID(); + String query = "SELECT value_text,blackboard_attributes.artifact_id,attribute_type_id " //NON-NLS + + "FROM blackboard_attributes,blackboard_artifacts WHERE " //NON-NLS + + "attribute_type_id=" + setNameId //NON-NLS + + " AND blackboard_attributes.artifact_id=blackboard_artifacts.artifact_id" //NON-NLS + + " AND blackboard_artifacts.artifact_type_id=" + artId; //NON-NLS + + try (CaseDbQuery dbQuery = skCase.executeQuery(query)) { + ResultSet resultSet = dbQuery.getResultSet(); + while (resultSet.next()) { + String setName = resultSet.getString("value_text"); //NON-NLS + long artifactId = resultSet.getLong("artifact_id"); //NON-NLS if (!hashSetHitsMap.containsKey(setName)) { hashSetHitsMap.put(setName, new HashSet()); } hashSetHitsMap.get(setName).add(artifactId); } - } catch (SQLException ex) { + } catch (TskCoreException | SQLException ex) { logger.log(Level.WARNING, "SQL Exception occurred: ", ex); //NON-NLS - } finally { - if (rs != null) { - try { - skCase.closeRunQuery(rs); - } catch (SQLException ex) { - logger.log(Level.WARNING, "Error closing result set after getting hashset 
hits", ex); //NON-NLS - } - } - } + } + setChanged(); notifyObservers(); } diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/InterestingHits.java b/Core/src/org/sleuthkit/autopsy/datamodel/InterestingHits.java index db59b49004..76e9c1c836 100644 --- a/Core/src/org/sleuthkit/autopsy/datamodel/InterestingHits.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/InterestingHits.java @@ -47,6 +47,7 @@ import org.sleuthkit.autopsy.ingest.ModuleDataEvent; import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.SleuthkitCase; +import org.sleuthkit.datamodel.SleuthkitCase.CaseDbQuery; import org.sleuthkit.datamodel.TskCoreException; 
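Review bot: The catch at the end of this hunk now also receives `TskCoreException` from `executeQuery`, but it still logs `"SQL Exception occurred: "`, which misdirects whoever reads the log when the failure is a case-database error rather than a JDBC one; `logger.log(Level.WARNING, "Error getting hashset hits: ", ex);` matches the message already used in AbstractAbstractFileNode. The same stale message is kept in InterestingHits (hunk @@ -94) and KeywordHits (hunk @@ -188). The context line `hashSetHitsMap.put(setName, new HashSet());` uses a raw type while InterestingHits writes `new HashSet<>()`; worth aligning while the method is being touched.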
@@ -94,36 +95,27 @@ public class InterestingHits implements AutopsyVisitableItem { return; } - ResultSet rs = null; - try { - int setNameId = BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(); - int artId = artType.getTypeID(); - String query = "SELECT value_text,blackboard_attributes.artifact_id,attribute_type_id " //NON-NLS - + "FROM blackboard_attributes,blackboard_artifacts WHERE " //NON-NLS - + "attribute_type_id=" + setNameId //NON-NLS - + " AND blackboard_attributes.artifact_id=blackboard_artifacts.artifact_id" //NON-NLS - + " AND blackboard_artifacts.artifact_type_id=" + artId; //NON-NLS - rs = skCase.runQuery(query); - while (rs.next()) { - String value = rs.getString("value_text"); //NON-NLS - long artifactId = rs.getLong("artifact_id"); //NON-NLS + int setNameId = BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(); + int artId = artType.getTypeID(); + String query = "SELECT value_text,blackboard_attributes.artifact_id,attribute_type_id " //NON-NLS + + "FROM blackboard_attributes,blackboard_artifacts WHERE " //NON-NLS + + "attribute_type_id=" + setNameId //NON-NLS + + " AND blackboard_attributes.artifact_id=blackboard_artifacts.artifact_id" //NON-NLS + + " AND blackboard_artifacts.artifact_type_id=" + artId; //NON-NLS + + try (CaseDbQuery dbQuery = skCase.executeQuery(query)) { + ResultSet resultSet = dbQuery.getResultSet(); + while (resultSet.next()) { + String value = resultSet.getString("value_text"); //NON-NLS + long artifactId = resultSet.getLong("artifact_id"); //NON-NLS if (!interestingItemsMap.containsKey(value)) { interestingItemsMap.put(value, new HashSet<>()); } interestingItemsMap.get(value).add(artifactId); } - } catch (SQLException ex) { + } catch (TskCoreException | SQLException ex) { logger.log(Level.WARNING, "SQL Exception occurred: ", ex); //NON-NLS } - finally { - if (rs != null) { - try { - skCase.closeRunQuery(rs); - } catch (SQLException ex) { - logger.log(Level.WARNING, "Error closing result set after getting 
artifacts", ex); //NON-NLS - } - } - } } } diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/KeywordHits.java b/Core/src/org/sleuthkit/autopsy/datamodel/KeywordHits.java index 310a109c7b..d1e7bce138 100644 --- a/Core/src/org/sleuthkit/autopsy/datamodel/KeywordHits.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/KeywordHits.java @@ -46,6 +46,7 @@ import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.SleuthkitCase; +import org.sleuthkit.datamodel.SleuthkitCase.CaseDbQuery; import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskException; 
@@ -163,24 +164,24 @@ public class KeywordHits implements AutopsyVisitableItem { return; } - ResultSet rs = null; - try { - int setId = BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(); - int wordId = BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD.getTypeID(); - int regexId = BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_REGEXP.getTypeID(); - int artId = BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID(); - String query = "SELECT blackboard_attributes.value_text,blackboard_attributes.artifact_id," //NON-NLS - + "blackboard_attributes.attribute_type_id FROM blackboard_attributes,blackboard_artifacts WHERE " //NON-NLS - + "(blackboard_attributes.artifact_id=blackboard_artifacts.artifact_id AND " //NON-NLS - + "blackboard_artifacts.artifact_type_id=" + artId //NON-NLS - + ") AND (attribute_type_id=" + setId + " OR " //NON-NLS - + "attribute_type_id=" + wordId + " OR " //NON-NLS - + "attribute_type_id=" + regexId + ")"; //NON-NLS - rs = skCase.runQuery(query); - while (rs.next()) { - String value = rs.getString("value_text"); //NON-NLS - long artifactId = rs.getLong("artifact_id"); //NON-NLS - long typeId = rs.getLong("attribute_type_id"); //NON-NLS + int setId = BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(); + int wordId = BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD.getTypeID(); + int regexId = BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_REGEXP.getTypeID(); + int artId = BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID(); + String query = "SELECT blackboard_attributes.value_text,blackboard_attributes.artifact_id," //NON-NLS + + "blackboard_attributes.attribute_type_id FROM blackboard_attributes,blackboard_artifacts WHERE " //NON-NLS + + "(blackboard_attributes.artifact_id=blackboard_artifacts.artifact_id AND " //NON-NLS + + "blackboard_artifacts.artifact_type_id=" + artId //NON-NLS + + ") AND (attribute_type_id=" + setId + " OR " //NON-NLS + + "attribute_type_id=" + wordId + " OR " //NON-NLS + + "attribute_type_id=" 
+ regexId + ")"; //NON-NLS + + try (CaseDbQuery dbQuery = skCase.executeQuery(query)) { + ResultSet resultSet = dbQuery.getResultSet(); + while (resultSet.next()) { + String value = resultSet.getString("value_text"); //NON-NLS + long artifactId = resultSet.getLong("artifact_id"); //NON-NLS + long typeId = resultSet.getLong("attribute_type_id"); //NON-NLS if (!artifactIds.containsKey(artifactId)) { artifactIds.put(artifactId, new LinkedHashMap()); } @@ -188,17 +189,10 @@ public class KeywordHits implements AutopsyVisitableItem { artifactIds.get(artifactId).put(typeId, value); } } - } catch (SQLException ex) { + } catch (TskCoreException | SQLException ex) { logger.log(Level.WARNING, "SQL Exception occurred: ", ex); //NON-NLS - } finally { - if (rs != null) { - try { - skCase.closeRunQuery(rs); - } catch (SQLException ex) { - logger.log(Level.WARNING, "Error closing result set after getting keyword hits", ex); //NON-NLS - } - } } + populateMaps(artifactIds); } } diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/RecentFilesChildren.java b/Core/src/org/sleuthkit/autopsy/datamodel/RecentFilesChildren.java index ae07221d04..c57aef6bd0 100644 --- a/Core/src/org/sleuthkit/autopsy/datamodel/RecentFilesChildren.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/RecentFilesChildren.java @@ -29,6 +29,8 @@ import org.sleuthkit.autopsy.coreutils.Logger; import org.openide.nodes.ChildFactory; import org.openide.nodes.Node; import org.sleuthkit.datamodel.SleuthkitCase; +import org.sleuthkit.datamodel.SleuthkitCase.CaseDbQuery; +import org.sleuthkit.datamodel.TskCoreException; /** * 
@@ -82,21 +84,14 @@ import org.sleuthkit.datamodel.SleuthkitCase; @SuppressWarnings("deprecation") private long runTimeQuery(String query) { long result = 0; - ResultSet rs = null; - try { - rs = skCase.runQuery(query); - result = rs.getLong(1); - } catch (SQLException ex) { - logger.log(Level.WARNING, "Couldn't get recent files results", ex); //NON-NLS - } finally { - if (rs != null) { - try { - skCase.closeRunQuery(rs); - } catch (SQLException ex) { - logger.log(Level.WARNING, "Error closing result set after getting recent files results", ex); //NON-NLS - } - } + + try (CaseDbQuery dbQuery = skCase.executeQuery(query)) { + ResultSet resultSet = dbQuery.getResultSet(); + result = resultSet.getLong(1); + } catch (TskCoreException | SQLException ex) { + logger.log(Level.WARNING, "Couldn't get recent files results: ", ex); //NON-NLS } + return result; } } diff --git a/Core/src/org/sleuthkit/autopsy/modules/android/CacheLocationAnalyzer.java b/Core/src/org/sleuthkit/autopsy/modules/android/CacheLocationAnalyzer.java index 7eb9d89dfb..8146b5f374 100755 --- a/Core/src/org/sleuthkit/autopsy/modules/android/CacheLocationAnalyzer.java +++ b/Core/src/org/sleuthkit/autopsy/modules/android/CacheLocationAnalyzer.java @@ -74,7 +74,6 @@ class CacheLocationAnalyzer { } private static void findGeoLocationsInFile(File file, AbstractFile f) { - byte[] bytes; // will temporarily hold bytes to be converted into the correct data types try { @@ -95,7 +94,9 @@ class CacheLocationAnalyzer { bytes = new byte[1]; inputStream.read(bytes); while (new BigInteger(bytes).intValue() != 0) { //pass through non important values until the start of accuracy(around 7-10 bytes) - inputStream.read(bytes); + if (0 > inputStream.read(bytes)) { + break; /// we've passed the end of the file, so stop + } } bytes = new byte[3]; inputStream.read(bytes); 
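Review bot: In runTimeQuery, `resultSet.getLong(1)` is read without first calling `resultSet.next()`; a freshly executed JDBC ResultSet is positioned before the first row, so unless `executeQuery` advances the cursor itself (not visible here) this throws on every call and the method quietly returns 0 after a WARNING. Guard it: `if (resultSet.next()) { result = resultSet.getLong(1); }`. With the deprecated `runQuery`/`closeRunQuery` calls gone, the `@SuppressWarnings("deprecation")` on the method looks stale unless `executeQuery` is itself deprecated; the same applies to getHashSetHitsForFile in AbstractAbstractFileNode. The method executes whatever string it is handed and its callers are outside the hunk, so a Javadoc line such as `@param query A query built only from constants and numeric ids, never from user input.` records the contract the callers must keep.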
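Review bot: The new end-of-file check in findGeoLocationsInFile covers only the `read` inside the while loop; the `inputStream.read(bytes)` immediately before the loop and the `bytes = new byte[3]; inputStream.read(bytes);` after it still discard the return value, so at end of file, or on a short read (which `InputStream.read(byte[])` permits), the stale buffer contents are parsed as data. This code parses content carved from an evidence image, so malformed or truncated input is the expected case, not an error path: read through `DataInputStream.readFully` or check every return value against `bytes.length` and stop the parse when it falls short. Hunk @@ -74 removes the `byte[] bytes` declaration while `bytes = new byte[1]` remains as context, so the variable is presumably declared elsewhere in the method; findGeoLocationsInFile starts and ends outside the hunk.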
diff --git a/Core/src/org/sleuthkit/autopsy/modules/interestingitems/Bundle.properties b/Core/src/org/sleuthkit/autopsy/modules/interestingitems/Bundle.properties index dd5873dc84..38477818fc 100755 --- a/Core/src/org/sleuthkit/autopsy/modules/interestingitems/Bundle.properties +++ b/Core/src/org/sleuthkit/autopsy/modules/interestingitems/Bundle.properties @@ -43,6 +43,7 @@ InterestingItemDefsPanel.fileNameRegexCheckbox.text=Regex InterestingItemDefsPanel.fileNameExtensionRadioButton.text=Extension Only InterestingItemDefsPanel.fileNameTextField.text= InterestingItemDefsPanel.fileNameRadioButton.text=File Name +InterestingItemDefsPanel.doFileSetsDialog.duplicateRuleSet.text=Rule set with name {0} already exists. FilesSetRulePanel.pathSeparatorInfoLabel.text=Use / as path separator FilesSetRulePanel.filesAndDirsRadioButton.text=Files and Directories InterestingItemDefsPanel.rulePathFilterTextField.text= diff --git a/Core/src/org/sleuthkit/autopsy/modules/interestingitems/FilesSet.java b/Core/src/org/sleuthkit/autopsy/modules/interestingitems/FilesSet.java index 92de50d821..62b448ebcb 100755 --- a/Core/src/org/sleuthkit/autopsy/modules/interestingitems/FilesSet.java +++ b/Core/src/org/sleuthkit/autopsy/modules/interestingitems/FilesSet.java @@ -22,6 +22,7 @@ import java.util.ArrayList; import java.util.HashMap; import java.util.List; import java.util.Map; +import java.util.UUID; import java.util.regex.Pattern; import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.TskData; @@ -135,6 +136,7 @@ final class FilesSet { */ static class Rule { + private final String uuid; private final String ruleName; private final FileNameFilter fileNameFilter; private final MetaTypeFilter metaTypeFilter; 
@@ -150,8 +152,11 @@ final class FilesSet { * @param pathFilter A file path filter, may be null. */ Rule(String ruleName, FileNameFilter fileNameFilter, MetaTypeFilter metaTypeFilter, ParentPathFilter pathFilter) { + // since ruleName is optional, ruleUUID can be used to uniquely identify a rule. + this.uuid = UUID.randomUUID().toString(); + if (ruleName == null) { - throw new NullPointerException("Interesting files set rule name cannot be null"); + throw new IllegalArgumentException("Interesting files set rule name cannot be null"); } if (fileNameFilter == null) { throw new IllegalArgumentException("Interesting files set rule file name filter cannot be null"); @@ -235,6 +240,13 @@ final class FilesSet { return this.ruleName + " (" + fileNameFilter.getTextToMatch() + ")"; } + /** + * @return the ruleUUID + */ + public String getUuid() { + return this.uuid; + } + /** * An interface for the file attribute filters of which interesting * files set membership rules are composed. @@ -345,8 +357,11 @@ final class FilesSet { * * @param text The text to be matched. */ - AbstractTextFilter(String text) { - this.textMatcher = new FilesSet.Rule.CaseInsensitiveStringComparisionMatcher(text); + AbstractTextFilter(String text, Boolean partialMatch) { + if(partialMatch) + this.textMatcher = new FilesSet.Rule.CaseInsensitivePartialStringComparisionMatcher(text); + else + this.textMatcher = new FilesSet.Rule.CaseInsensitiveStringComparisionMatcher(text); } /** @@ -412,7 +427,7 @@ final class FilesSet { * @param path The path to be matched. */ ParentPathFilter(String path) { - super(path); + super(path, true); } /** @@ -429,7 +444,7 @@ final class FilesSet { */ @Override public boolean passes(AbstractFile file) { - return this.textMatches(file.getParentPath()); + return this.textMatches(file.getParentPath() + "/"); } } @@ -454,7 +469,7 @@ final class FilesSet { * @param name The file name to be matched. */ FullNameFilter(String name) { - super(name); + super(name, false); } /** 
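Review bot: `this.uuid = UUID.randomUUID().toString()` in the Rule constructor gives every constructed Rule a fresh identity, including rules rebuilt from the definitions file by the manager's read path, so the UUID is not stable across a save/load cycle unless it is also serialized; the `RULE_UUID_ATTR` constant is added in InterestingItemDefsManager, but no hunk in this commit writes or reads that attribute. If a stable identity is intended, add a constructor overload that accepts an existing id, `Rule(String uuid, String ruleName, FileNameFilter fileNameFilter, MetaTypeFilter metaTypeFilter, ParentPathFilter pathFilter)`, and have this one delegate to it with a random value. Otherwise the comment on the field should say the id is per-session only, since the manager now keys on it.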
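Review bot: `AbstractTextFilter(String text, Boolean partialMatch)` takes a boxed `Boolean`, so a null argument would throw NullPointerException when the `if` unboxes it; the parameter should be a primitive `boolean`. The unbraced `if`/`else` also departs from the braced style used throughout this class: `if (partialMatch) { this.textMatcher = new FilesSet.Rule.CaseInsensitivePartialStringComparisionMatcher(text); } else { this.textMatcher = new FilesSet.Rule.CaseInsensitiveStringComparisionMatcher(text); }`. The Javadoc above the constructor documents only `text`; add `@param partialMatch Whether an occurrence of the text anywhere in the subject counts as a match, rather than an exact match.`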
@@ -492,7 +507,7 @@ final class FilesSet { // If there is a leading ".", strip it since // AbstractFile.getFileNameExtension() returns just the // extension chars and not the dot. - super(extension.startsWith(".") ? extension.substring(1) : extension); + super(extension.startsWith(".") ? extension.substring(1) : extension, false); } /** @@ -502,7 +517,7 @@ final class FilesSet { * matched. */ ExtensionFilter(Pattern extension) { - super(extension.pattern()); + super(extension.pattern(), false); } /** @@ -590,6 +605,50 @@ final class FilesSet { } + /** + * A text matcher that does a case-insensitive string comparison. + */ + private static class CaseInsensitivePartialStringComparisionMatcher implements TextMatcher { + + private final String textToMatch; + private final Pattern pattern; + + /** + * Construct a text matcher that does a case-insensitive string + * comparison. + * + * @param textToMatch The text to match. + */ + CaseInsensitivePartialStringComparisionMatcher(String textToMatch) { + this.textToMatch = textToMatch; + this.pattern = Pattern.compile(Pattern.quote(textToMatch), Pattern.CASE_INSENSITIVE); + } + + /** + * @inheritDoc + */ + @Override + public String getTextToMatch() { + return this.textToMatch; + } + + /** + * @inheritDoc + */ + @Override + public boolean isRegex() { + return false; + } + + /** + * @inheritDoc + */ + @Override + public boolean textMatches(String subject) { + return pattern.matcher(subject).find(); + } + } + /** * A text matcher that does regular expression matching. */ diff --git a/Core/src/org/sleuthkit/autopsy/modules/interestingitems/InterestingItemDefsManager.java b/Core/src/org/sleuthkit/autopsy/modules/interestingitems/InterestingItemDefsManager.java index 6980c0ff51..22b2c7ac0b 100755 --- a/Core/src/org/sleuthkit/autopsy/modules/interestingitems/InterestingItemDefsManager.java +++ b/Core/src/org/sleuthkit/autopsy/modules/interestingitems/InterestingItemDefsManager.java 
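Review bot: The Javadoc on `CaseInsensitivePartialStringComparisionMatcher` and its constructor says it does a "case-insensitive string comparison", which is the contract of the existing exact matcher; this class reports a match whenever `textToMatch` occurs anywhere in the subject (`pattern.matcher(subject).find()`). Say that: `A text matcher that reports a match when the text occurs anywhere in the subject, ignoring case.` Note that `Pattern.CASE_INSENSITIVE` alone folds case for US-ASCII only; if the exact matcher folds Unicode case, add `Pattern.UNICODE_CASE` so the two agree (the exact matcher is outside the hunk). The `@inheritDoc` tags are written as block tags; the Javadoc form is inline `{@inheritDoc}`, although this matches the file's existing usage.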
@@ -121,6 +121,7 @@ final class InterestingItemDefsManager extends Observable { private static final String NAME_RULE_TAG = "NAME"; //NON-NLS private static final String EXTENSION_RULE_TAG = "EXTENSION"; //NON-NLS private static final String NAME_ATTR = "name"; //NON-NLS + private static final String RULE_UUID_ATTR = "ruleUUID"; //NON-NLS private static final String DESC_ATTR = "description"; //NON-NLS private static final String IGNORE_KNOWN_FILES_ATTR = "ignoreKnown"; //NON-NLS private static final String TYPE_FILTER_ATTR = "typeFilter"; //NON-NLS @@ -234,10 +235,10 @@ final class InterestingItemDefsManager extends Observable { Element elem = (Element) nameRuleElems.item(j); FilesSet.Rule rule = FilesSetXML.readFileNameRule(elem); if (rule != null) { - if (!rules.containsKey(rule.getName())) { - rules.put(rule.getName(), rule); + if (!rules.containsKey(rule.getUuid())) { + rules.put(rule.getUuid(), rule); } else { - logger.log(Level.SEVERE, "Found duplicate rule {0} for set named {1} in interesting file sets definition file at {2}, discarding malformed set", new Object[]{rule.getName(), setName, filePath}); // NON-NLS + logger.log(Level.SEVERE, "Found duplicate rule {0} for set named {1} in interesting file sets definition file at {2}, discarding malformed set", new Object[]{rule.getUuid(), setName, filePath}); // NON-NLS return; } } else { 
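Review bot: Keying `rules` by `rule.getUuid()` makes the duplicate branch unreachable in practice: the id comes from `UUID.randomUUID()` in the Rule constructor (FilesSet hunk @@ -150), so two rules read from the same file never share a key even when they are identical, and the SEVERE "Found duplicate rule" path that used to reject a repeated name no longer fires. Either drop the else branch if duplicate names are now allowed, or keep comparing on `rule.getName()` (or on the serialized id once `RULE_UUID_ATTR` is actually read from the XML). The log message now prints a UUID the user never sees; keep `rule.getName()` in the `new Object[]{...}` arguments so the report names the rule. The extension-rule loop at @@ -252 has the same issue.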
@@ -252,10 +253,10 @@ final class InterestingItemDefsManager extends Observable { Element elem = (Element) extRuleElems.item(j); FilesSet.Rule rule = FilesSetXML.readFileExtensionRule(elem); if (rule != null) { - if (!rules.containsKey(rule.getName())) { - rules.put(rule.getName(), rule); + if (!rules.containsKey(rule.getUuid())) { + rules.put(rule.getUuid(), rule); } else { - logger.log(Level.SEVERE, "Found duplicate rule {0} for set named {1} in interesting file sets definition file at {2}, discarding malformed set", new Object[]{rule.getName(), setName, filePath}); //NOI18N + logger.log(Level.SEVERE, "Found duplicate rule {0} for set named {1} in interesting file sets definition file at {2}, discarding malformed set", new Object[]{rule.getUuid(), setName, filePath}); //NOI18N return; } } else { @@ -517,6 +518,7 @@ final class InterestingItemDefsManager extends Observable { ruleElement = doc.createElement(FilesSetXML.EXTENSION_RULE_TAG); } + // Add the rule name attribute. ruleElement.setAttribute(FilesSetXML.NAME_ATTR, rule.getName()); diff --git a/Core/src/org/sleuthkit/autopsy/modules/interestingitems/InterestingItemDefsPanel.java b/Core/src/org/sleuthkit/autopsy/modules/interestingitems/InterestingItemDefsPanel.java index 993039f601..70d7ec3d64 100755 --- a/Core/src/org/sleuthkit/autopsy/modules/interestingitems/InterestingItemDefsPanel.java +++ b/Core/src/org/sleuthkit/autopsy/modules/interestingitems/InterestingItemDefsPanel.java @@ -29,6 +29,7 @@ import javax.swing.event.ListSelectionEvent; import javax.swing.event.ListSelectionListener; import org.openide.util.NbBundle; import org.sleuthkit.autopsy.corecomponents.OptionsPanel; +import org.sleuthkit.autopsy.coreutils.MessageNotifyUtil; import org.sleuthkit.autopsy.ingest.IngestModuleGlobalSettingsPanel; /** 
@@ -255,6 +256,14 @@ final class InterestingItemDefsPanel extends IngestModuleGlobalSettingsPanel imp option = JOptionPane.showConfirmDialog(null, panel, NbBundle.getMessage(FilesSetPanel.class, "FilesSetPanel.title"), JOptionPane.OK_CANCEL_OPTION, JOptionPane.PLAIN_MESSAGE); } while (option == JOptionPane.OK_OPTION && !panel.isValidDefinition()); + // If rule set with same name already exists, do not add to the filesSets hashMap. + if(this.filesSets.containsKey(panel.getFilesSetName())) { + MessageNotifyUtil.Message.error(NbBundle.getMessage(this.getClass(), + "InterestingItemDefsPanel.doFileSetsDialog.duplicateRuleSet.text", + panel.getFilesSetName())); + return; + } + if (option == JOptionPane.OK_OPTION) { Map rules = new HashMap<>(); if (selectedSet != null) { @@ -303,7 +312,7 @@ final class InterestingItemDefsPanel extends IngestModuleGlobalSettingsPanel imp // Remove the "old" rule definition and add the new/edited // definition. if (selectedRule != null) { - rules.remove(selectedRule.getName()); + rules.remove(selectedRule.getUuid()); } FilesSet.Rule newRule = new FilesSet.Rule(panel.getRuleName(), panel.getFileNameFilter(), panel.getMetaTypeFilter(), panel.getPathFilter()); rules.put(Integer.toString(newRule.hashCode()), newRule); @@ -725,7 +734,7 @@ final class InterestingItemDefsPanel extends IngestModuleGlobalSettingsPanel imp FilesSet oldSet = this.setsList.getSelectedValue(); Map rules = new HashMap<>(oldSet.getRules()); FilesSet.Rule selectedRule = this.rulesList.getSelectedValue(); - rules.remove(selectedRule.getName()); + rules.remove(selectedRule.getUuid()); this.replaceFilesSet(oldSet, oldSet.getName(), oldSet.getDescription(), oldSet.ignoresKnownFiles(), rules); }//GEN-LAST:event_deleteRuleButtonActionPerformed diff --git a/Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java b/Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java index 40801f4ab2..51c074c1db 100644 --- a/Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java 
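Review bot: The new duplicate-name check sits before `if (option == JOptionPane.OK_OPTION)`, so it shows the error and returns even when the user dismissed the dialog with Cancel, and it consults `this.filesSets` without excluding the set currently being edited; if `selectedSet` is that set (as the `selectedSet != null` branch that follows suggests), saving an existing set under its unchanged name is refused as a duplicate. Move the check inside the OK branch and exempt the edited set's own name: `if (option == JOptionPane.OK_OPTION && this.filesSets.containsKey(panel.getFilesSetName()) && (selectedSet == null || !selectedSet.getName().equals(panel.getFilesSetName())))`. A better home for this validation is probably `panel.isValidDefinition()` in the do/while loop above, so the dialog stays open for correction instead of closing and discarding the user's input. The enclosing method starts and ends outside the hunk.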
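Review bot: `rules.remove(selectedRule.getUuid())` now keys the removal by UUID, but the unchanged `rules.put(Integer.toString(newRule.hashCode()), newRule);` two lines below still inserts the replacement under its hash code; unless `Rule.hashCode()` is derived from the UUID (not visible here), a rule edited or created through this dialog is stored under a key that `getUuid()` will never match, so a later edit or the delete at @@ -725 leaves the stale entry in the map. Change the insertion to `rules.put(newRule.getUuid(), newRule);` so every path keys the map the same way the XML reader in InterestingItemDefsManager does. The enclosing method starts and ends outside the hunk.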
+++ b/Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java @@ -63,6 +63,7 @@ import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE; import org.sleuthkit.datamodel.Content; import org.sleuthkit.datamodel.ContentTag; import org.sleuthkit.datamodel.SleuthkitCase; +import org.sleuthkit.datamodel.SleuthkitCase.CaseDbQuery; import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskData; 
@@ -892,19 +893,22 @@ import org.sleuthkit.datamodel.TskData; */ @SuppressWarnings("deprecation") private void writeKeywordHits(List tableModules, String comment, HashSet tagNamesFilter) { - ResultSet listsRs = null; - try { - // Query for keyword lists-only so that we can tell modules what lists - // will exist for their index. - // @@@ There is a bug in here. We should use the tags in the below code - // so that we only report the lists that we will later provide with real - // hits. If no keyord hits are tagged, then we make the page for nothing. - listsRs = skCase.runQuery("SELECT att.value_text AS list " + //NON-NLS - "FROM blackboard_attributes AS att, blackboard_artifacts AS art " + //NON-NLS - "WHERE att.attribute_type_id = " + ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID() + " " + //NON-NLS - "AND art.artifact_type_id = " + ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID() + " " + //NON-NLS - "AND att.artifact_id = art.artifact_id " + //NON-NLS - "GROUP BY list"); //NON-NLS + + // Query for keyword lists-only so that we can tell modules what lists + // will exist for their index. + // @@@ There is a bug in here. We should use the tags in the below code + // so that we only report the lists that we will later provide with real + // hits. If no keyord hits are tagged, then we make the page for nothing. + String keywordListQuery = + "SELECT att.value_text AS list " + //NON-NLS + "FROM blackboard_attributes AS att, blackboard_artifacts AS art " + //NON-NLS + "WHERE att.attribute_type_id = " + ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID() + " " + //NON-NLS + "AND art.artifact_type_id = " + ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID() + " " + //NON-NLS + "AND att.artifact_id = art.artifact_id " + //NON-NLS + "GROUP BY list"; //NON-NLS + + try (CaseDbQuery dbQuery = skCase.executeQuery(keywordListQuery)) { + ResultSet listsRs = dbQuery.getResultSet(); List lists = new ArrayList<>(); while(listsRs.next()) { String list = listsRs.getString("list"); //NON-NLS 
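Review bot: With the `skCase.runQuery` call gone from `writeKeywordHits`, the `@SuppressWarnings("deprecation")` context line above the signature appears to have lost its reason; unless another deprecated call survives in the part of the body outside the hunk, drop the annotation so that a future deprecation in this method is not silently masked. The same stale annotation is kept on `writeHashsetHits` (@@ -1048), `getUniqueTagNames` (@@ -1878) and `getCaseLastArtifactID` (@@ -357). The query text is built from `getTypeID()` integers of internal enums rather than from caller input, so the string concatenation is acceptable here; a comment saying so, `// Only internal enum type ids are interpolated; no external input reaches this query.`, would stop the next reader from flagging it. The method continues past the end of the hunk.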
@@ -923,36 +927,32 @@ import org.sleuthkit.datamodel.TskData; ARTIFACT_TYPE.TSK_KEYWORD_HIT.getDisplayName())); } } - catch (SQLException ex) { + catch (TskCoreException | SQLException ex) { errorList.add(NbBundle.getMessage(this.getClass(), "ReportGenerator.errList.failedQueryKWLists")); - logger.log(Level.SEVERE, "Failed to query keyword lists.", ex); //NON-NLS + logger.log(Level.SEVERE, "Failed to query keyword lists: ", ex); //NON-NLS return; - } finally { - if (listsRs != null) { - try { - skCase.closeRunQuery(listsRs); - } catch (SQLException ex) { - } - } } - ResultSet rs = null; - try { - // Query for keywords, grouped by list - rs = skCase.runQuery("SELECT art.artifact_id, art.obj_id, att1.value_text AS keyword, att2.value_text AS preview, att3.value_text AS list, f.name AS name, f.parent_path AS parent_path " + //NON-NLS - "FROM blackboard_artifacts AS art, blackboard_attributes AS att1, blackboard_attributes AS att2, blackboard_attributes AS att3, tsk_files AS f " + //NON-NLS - "WHERE (att1.artifact_id = art.artifact_id) " + //NON-NLS - "AND (att2.artifact_id = art.artifact_id) " + //NON-NLS - "AND (att3.artifact_id = art.artifact_id) " + //NON-NLS - "AND (f.obj_id = art.obj_id) " + //NON-NLS - "AND (att1.attribute_type_id = " + ATTRIBUTE_TYPE.TSK_KEYWORD.getTypeID() + ") " + //NON-NLS - "AND (att2.attribute_type_id = " + ATTRIBUTE_TYPE.TSK_KEYWORD_PREVIEW.getTypeID() + ") " + //NON-NLS - "AND (att3.attribute_type_id = " + ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID() + ") " + //NON-NLS - "AND (art.artifact_type_id = " + ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID() + ") " + //NON-NLS - "ORDER BY list, keyword, parent_path, name"); //NON-NLS + // Query for keywords, grouped by list + String keywordsQuery = + "SELECT art.artifact_id, art.obj_id, att1.value_text AS keyword, att2.value_text AS preview, att3.value_text AS list, f.name AS name, f.parent_path AS parent_path " + //NON-NLS + "FROM blackboard_artifacts AS art, blackboard_attributes AS att1, 
blackboard_attributes AS att2, blackboard_attributes AS att3, tsk_files AS f " + //NON-NLS + "WHERE (att1.artifact_id = art.artifact_id) " + //NON-NLS + "AND (att2.artifact_id = art.artifact_id) " + //NON-NLS + "AND (att3.artifact_id = art.artifact_id) " + //NON-NLS + "AND (f.obj_id = art.obj_id) " + //NON-NLS + "AND (att1.attribute_type_id = " + ATTRIBUTE_TYPE.TSK_KEYWORD.getTypeID() + ") " + //NON-NLS + "AND (att2.attribute_type_id = " + ATTRIBUTE_TYPE.TSK_KEYWORD_PREVIEW.getTypeID() + ") " + //NON-NLS + "AND (att3.attribute_type_id = " + ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID() + ") " + //NON-NLS + "AND (art.artifact_type_id = " + ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID() + ") " + //NON-NLS + "ORDER BY list, keyword, parent_path, name"; //NON-NLS + + try (CaseDbQuery dbQuery = skCase.executeQuery(keywordsQuery)) { + ResultSet resultSet = dbQuery.getResultSet(); + String currentKeyword = ""; String currentList = ""; - while (rs.next()) { + while (resultSet.next()) { // Check to see if all the TableReportModules have been canceled if (tableModules.isEmpty()) { break; @@ -966,16 +966,16 @@ import org.sleuthkit.datamodel.TskData; } // Get any tags that associated with this artifact and apply the tag filter. - HashSet uniqueTagNames = getUniqueTagNames(rs.getLong("artifact_id")); //NON-NLS + HashSet uniqueTagNames = getUniqueTagNames(resultSet.getLong("artifact_id")); //NON-NLS if(failsTagFilter(uniqueTagNames, tagNamesFilter)) { continue; } String tagsList = makeCommaSeparatedList(uniqueTagNames); - Long objId = rs.getLong("obj_id"); //NON-NLS - String keyword = rs.getString("keyword"); //NON-NLS - String preview = rs.getString("preview"); //NON-NLS - String list = rs.getString("list"); //NON-NLS + Long objId = resultSet.getLong("obj_id"); //NON-NLS + String keyword = resultSet.getString("keyword"); //NON-NLS + String preview = resultSet.getString("preview"); //NON-NLS + String list = resultSet.getString("list"); //NON-NLS String uniquePath = ""; try { 
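Review bot: The log message changed to `"Failed to query keyword lists: "` ends with a dangling colon: with `Logger.log(Level, String, Throwable)` the exception travels on the log record as a separate field and is not appended to the message text, so the trailing `: ` prints on its own. Keep the message a plain sentence, `logger.log(Level.SEVERE, "Failed to query keyword lists", ex); //NON-NLS`, and apply the same to the messages in @@ -1029, @@ -1069, @@ -1156 and the TimeLineController hunk @@ -357. The second try-with-resources block opens the keyword query only after the first block has closed its `CaseDbQuery`, which keeps one statement open at a time and is the right shape for this class. The method continues past the end of the hunk.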
@@ -1029,16 +1029,9 @@ import org.sleuthkit.datamodel.TskData; tableProgress.get(module).increment(); module.endDataType(); } - } catch (SQLException ex) { + } catch (TskCoreException | SQLException ex) { errorList.add(NbBundle.getMessage(this.getClass(), "ReportGenerator.errList.failedQueryKWs")); - logger.log(Level.SEVERE, "Failed to query keywords.", ex); //NON-NLS - } finally { - if (rs != null) { - try { - skCase.closeRunQuery(rs); - } catch (SQLException ex) { - } - } + logger.log(Level.SEVERE, "Failed to query keywords: ", ex); //NON-NLS } } @@ -1048,15 +1041,17 @@ import org.sleuthkit.datamodel.TskData; */ @SuppressWarnings("deprecation") private void writeHashsetHits(List tableModules, String comment, HashSet tagNamesFilter) { - ResultSet listsRs = null; - try { + String hashsetsQuery = + "SELECT att.value_text AS list " + //NON-NLS + "FROM blackboard_attributes AS att, blackboard_artifacts AS art " + //NON-NLS + "WHERE att.attribute_type_id = " + ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID() + " " + //NON-NLS + "AND art.artifact_type_id = " + ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID() + " " + //NON-NLS + "AND att.artifact_id = art.artifact_id " + //NON-NLS + "GROUP BY list"; //NON-NLS + + try (CaseDbQuery dbQuery = skCase.executeQuery(hashsetsQuery)) { // Query for hashsets - listsRs = skCase.runQuery("SELECT att.value_text AS list " + //NON-NLS - "FROM blackboard_attributes AS att, blackboard_artifacts AS art " + //NON-NLS - "WHERE att.attribute_type_id = " + ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID() + " " + //NON-NLS - "AND art.artifact_type_id = " + ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID() + " " + //NON-NLS - "AND att.artifact_id = art.artifact_id " + //NON-NLS - "GROUP BY list"); //NON-NLS + ResultSet listsRs = dbQuery.getResultSet(); List lists = new ArrayList<>(); while(listsRs.next()) { lists.add(listsRs.getString("list")); //NON-NLS 
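Review bot: The `// Query for hashsets` comment that used to head the `runQuery` call now sits inside the try block, after the query has already been built and executed by `skCase.executeQuery(hashsetsQuery)`, so it no longer describes the line it precedes; move it above `String hashsetsQuery =`. The `// Query for hashset hits` comment in @@ -1069 has the same displacement. `writeHashsetHits` continues past the end of the hunk.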
@@ -1069,31 +1064,26 @@ import org.sleuthkit.datamodel.TskData; NbBundle.getMessage(this.getClass(), "ReportGenerator.progress.processing", ARTIFACT_TYPE.TSK_HASHSET_HIT.getDisplayName())); } - } catch (SQLException ex) { + } catch (TskCoreException | SQLException ex) { errorList.add(NbBundle.getMessage(this.getClass(), "ReportGenerator.errList.failedQueryHashsetLists")); - logger.log(Level.SEVERE, "Failed to query hashset lists.", ex); //NON-NLS + logger.log(Level.SEVERE, "Failed to query hashset lists: ", ex); //NON-NLS return; - } finally { - if (listsRs != null) { - try { - skCase.closeRunQuery(listsRs); - } catch (SQLException ex) { - } - } } - ResultSet rs = null; - try { + String hashsetHitsQuery = + "SELECT art.artifact_id, art.obj_id, att.value_text AS setname, f.name AS name, f.size AS size, f.parent_path AS parent_path " + //NON-NLS + "FROM blackboard_artifacts AS art, blackboard_attributes AS att, tsk_files AS f " + //NON-NLS + "WHERE (att.artifact_id = art.artifact_id) " + //NON-NLS + "AND (f.obj_id = art.obj_id) " + //NON-NLS + "AND (att.attribute_type_id = " + ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID() + ") " + //NON-NLS + "AND (art.artifact_type_id = " + ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID() + ") " + //NON-NLS + "ORDER BY setname, parent_path, name, size"; //NON-NLS + + try (CaseDbQuery dbQuery = skCase.executeQuery(hashsetHitsQuery)) { // Query for hashset hits - rs = skCase.runQuery("SELECT art.artifact_id, art.obj_id, att.value_text AS setname, f.name AS name, f.size AS size, f.parent_path AS parent_path " + //NON-NLS - "FROM blackboard_artifacts AS art, blackboard_attributes AS att, tsk_files AS f " + //NON-NLS - "WHERE (att.artifact_id = art.artifact_id) " + //NON-NLS - "AND (f.obj_id = art.obj_id) " + //NON-NLS - "AND (att.attribute_type_id = " + ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID() + ") " + //NON-NLS - "AND (art.artifact_type_id = " + ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID() + ") " + //NON-NLS - "ORDER BY setname, parent_path, name, 
size"); //NON-NLS + ResultSet resultSet = dbQuery.getResultSet(); String currentSet = ""; - while (rs.next()) { + while (resultSet.next()) { // Check to see if all the TableReportModules have been canceled if (tableModules.isEmpty()) { break; @@ -1107,15 +1097,15 @@ import org.sleuthkit.datamodel.TskData; } // Get any tags that associated with this artifact and apply the tag filter. - HashSet uniqueTagNames = getUniqueTagNames(rs.getLong("artifact_id")); //NON-NLS + HashSet uniqueTagNames = getUniqueTagNames(resultSet.getLong("artifact_id")); //NON-NLS if(failsTagFilter(uniqueTagNames, tagNamesFilter)) { continue; } String tagsList = makeCommaSeparatedList(uniqueTagNames); - Long objId = rs.getLong("obj_id"); //NON-NLS - String set = rs.getString("setname"); //NON-NLS - String size = rs.getString("size"); //NON-NLS + Long objId = resultSet.getLong("obj_id"); //NON-NLS + String set = resultSet.getString("setname"); //NON-NLS + String size = resultSet.getString("size"); //NON-NLS String uniquePath = ""; try { @@ -1156,16 +1146,9 @@ import org.sleuthkit.datamodel.TskData; tableProgress.get(module).increment(); module.endDataType(); } - } catch (SQLException ex) { + } catch (TskCoreException | SQLException ex) { errorList.add(NbBundle.getMessage(this.getClass(), "ReportGenerator.errList.failedQueryHashsetHits")); - logger.log(Level.SEVERE, "Failed to query hashsets hits.", ex); //NON-NLS - } finally { - if (rs != null) { - try { - skCase.closeRunQuery(rs); - } catch (SQLException ex) { - } - } + logger.log(Level.SEVERE, "Failed to query hashsets hits: ", ex); //NON-NLS } } 
@@ -1878,14 +1861,22 @@ import org.sleuthkit.datamodel.TskData; * @throws SQLException */ @SuppressWarnings("deprecation") - private HashSet getUniqueTagNames(long artifactId) throws SQLException { + private HashSet getUniqueTagNames(long artifactId) throws TskCoreException { HashSet uniqueTagNames = new HashSet<>(); - ResultSet tagNameRows = skCase.runQuery("SELECT display_name, artifact_id FROM tag_names AS tn, blackboard_artifact_tags AS bat " + //NON-NLS - "WHERE tn.tag_name_id = bat.tag_name_id AND bat.artifact_id = " + artifactId); //NON-NLS - while (tagNameRows.next()) { - uniqueTagNames.add(tagNameRows.getString("display_name")); //NON-NLS + + String query = "SELECT display_name, artifact_id FROM tag_names AS tn, blackboard_artifact_tags AS bat " + //NON-NLS + "WHERE tn.tag_name_id = bat.tag_name_id AND bat.artifact_id = " + artifactId; //NON-NLS + + try (CaseDbQuery dbQuery = skCase.executeQuery(query)) { + ResultSet tagNameRows = dbQuery.getResultSet(); + while (tagNameRows.next()) { + uniqueTagNames.add(tagNameRows.getString("display_name")); //NON-NLS + } } - skCase.closeRunQuery(tagNameRows); + catch (TskCoreException | SQLException ex) { + throw new TskCoreException("Error getting tag names for artifact: ", ex); + } + return uniqueTagNames; } diff --git a/Core/src/org/sleuthkit/autopsy/timeline/TimeLineController.java b/Core/src/org/sleuthkit/autopsy/timeline/TimeLineController.java index 91da1a556b..4cf3b20713 100644 --- a/Core/src/org/sleuthkit/autopsy/timeline/TimeLineController.java +++ b/Core/src/org/sleuthkit/autopsy/timeline/TimeLineController.java 
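Review bot: The new catch wraps a `TskCoreException` thrown by `executeQuery` in another `TskCoreException` whose message `"Error getting tag names for artifact: "` ends in a colon but never names the artifact; catch only the `SQLException` from the result-set reads, let the `TskCoreException` propagate, and put the id in the message: `catch (SQLException ex) { throw new TskCoreException("Error getting tag names for artifact " + artifactId, ex); }`. The Javadoc context line `* @throws SQLException` just above the signature is now wrong, since the method declares `throws TskCoreException`. Interpolating `artifactId` into the SQL text is acceptable only because it is a primitive `long`; a one-line comment stating that, `// artifactId is a long, so this concatenation cannot carry SQL.`, would help the next reader.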
@@ -78,6 +78,7 @@ import org.sleuthkit.autopsy.timeline.zooming.DescriptionLOD; import org.sleuthkit.autopsy.timeline.zooming.EventTypeZoomLevel; import org.sleuthkit.autopsy.timeline.zooming.ZoomParams; import org.sleuthkit.datamodel.SleuthkitCase; +import org.sleuthkit.datamodel.SleuthkitCase.CaseDbQuery; import org.sleuthkit.datamodel.TskCoreException; /** Controller in the MVC design along with model = {@link FilteredEventsModel} @@ -357,13 +358,15 @@ public class TimeLineController { @SuppressWarnings("deprecation") private long getCaseLastArtifactID(final SleuthkitCase sleuthkitCase) { long caseLastArtfId = -1; - try (ResultSet runQuery = sleuthkitCase.runQuery("select Max(artifact_id) as max_id from blackboard_artifacts")) { // NON-NLS - while (runQuery.next()) { - caseLastArtfId = runQuery.getLong("max_id"); // NON-NLS + String query = "select Max(artifact_id) as max_id from blackboard_artifacts"; // NON-NLS + + try (CaseDbQuery dbQuery = sleuthkitCase.executeQuery(query)) { + ResultSet resultSet = dbQuery.getResultSet(); + while (resultSet.next()) { + caseLastArtfId = resultSet.getLong("max_id"); // NON-NLS } - sleuthkitCase.closeRunQuery(runQuery); - } catch (SQLException ex) { - Exceptions.printStackTrace(ex); + } catch (TskCoreException | SQLException ex) { + LOGGER.log(Level.SEVERE, "Error getting last artifact id: ", ex); // NON-NLS } return caseLastArtfId; } diff --git a/build.xml b/build.xml index 41f550cab5..22abd3b0d7 100644 --- a/build.xml +++ b/build.xml @@ -69,9 +69,12 @@ - + + + + @@ -229,7 +232,7 @@ - + diff --git a/docs/doxygen-user/Doxyfile b/docs/doxygen-user/Doxyfile old mode 100644 new mode 100755 index 97af2cd71a..719fe44c76 --- a/docs/doxygen-user/Doxyfile +++ b/docs/doxygen-user/Doxyfile 
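Review bot: `Max(artifact_id)` over an empty `blackboard_artifacts` table returns one row whose column is SQL NULL, and JDBC's `getLong` maps NULL to 0, so the rewritten loop overwrites the `-1` sentinel with 0 when there are no artifacts; this predates the change, but the loop is rewritten here, so guard it: `caseLastArtfId = resultSet.getLong("max_id"); // NON-NLS` followed by `if (resultSet.wasNull()) { caseLastArtfId = -1; }`. Whether callers distinguish -1 from 0 is not visible in this hunk. Replacing `Exceptions.printStackTrace` with the logger probably leaves the `Exceptions` import unused, which is outside the hunk.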
@@ -1372,7 +1372,7 @@ DISABLE_INDEX = NO # The default value is: NO. # This tag requires that the tag GENERATE_HTML is set to YES. -GENERATE_TREEVIEW = YES +GENERATE_TREEVIEW = NO # The ENUM_VALUES_PER_LINE tag can be used to set the number of enum values that # doxygen will group on one line in the generated HTML documentation. @@ -1486,7 +1486,7 @@ MATHJAX_CODEFILE = # The default value is: YES. # This tag requires that the tag GENERATE_HTML is set to YES. -SEARCHENGINE = YES +SEARCHENGINE = NO # When the SERVER_BASED_SEARCH tag is enabled the search engine will be # implemented using a web server instead of a web client using Javascript. There @@ -2117,7 +2117,7 @@ DOT_NUM_THREADS = 0 # The default value is: Helvetica. # This tag requires that the tag HAVE_DOT is set to YES. -DOT_FONTNAME = FreeSans +DOT_FONTNAME = # The DOT_FONTSIZE tag can be used to set the size (in points) of the font of # dot graphs. diff --git a/docs/doxygen-user/EXIF_parser_page.dox b/docs/doxygen-user/EXIF_parser_page.dox new file mode 100755 index 0000000000..7837d9c2c2 --- /dev/null +++ b/docs/doxygen-user/EXIF_parser_page.dox @@ -0,0 +1,29 @@ +/*! \page EXIF_parser_page EXIF Parser Module + +What Does It Do +======== + +The EXIF Parser module extracts EXIF (Exchangeable Image File Format) information from ingested pictures. This information can contain geolocation data for the picture, time, date, camera model and settings (exposure values, resolution, etc) and other information. The discovered attributes are added to the BlackBoard. + +This can tell you where and when a picture was taken, and give clues to the camera that took it. + +Configuration +======= + +There is no configuration required. + +Using the Module +====== +Select the checkbox in the Ingest Modules settings screen to enable the EXIF Parser. + +Ingest Settings +------ +There are no runtime ingest settings required. + +Seeing Results +------ +Results are shown in the Results tree. + +\image html EXIF-tree.PNG + +*/ 
diff --git a/docs/doxygen-user/README.txt b/docs/doxygen-user/README.txt old mode 100644 new mode 100755 diff --git a/docs/doxygen-user/android_analyzer.dox b/docs/doxygen-user/android_analyzer.dox new file mode 100755 index 0000000000..f23df9714c --- /dev/null +++ b/docs/doxygen-user/android_analyzer.dox @@ -0,0 +1,47 @@ +/*! \page android_analyzer_page Android Analyzer Module + +What Does It Do +======== + +The Android Analyzer module allows you to analyze SQLite and other files from an Android device. It works on Physical dumps from most Android devices (note that we do not provide an acquisition method). Autopsy will not support older Android devices that do not have a volume system. These devices will often have a single physical image file for them and there is no information in the image that describes the layout of the file systems. Autopsy will therefore not be able to detect what it is. + + +The module should be able to extract the following: + +- Text messages / SMS / MMS +- Call Logs +- Contacts +- Tango Messages +- Words with Friends Messages +- GPS from the browser and Google Maps +- GPS from cache.wifi and cache.cell files + +NOTE: These database formats vary by version of OS and different vendors can place the databases in different places. Autopsy may not support all versions and vendors. + +NOTE: This module is not exhaustive with its support for Android. It was created as a starting point for others to contribute plug-ins for 3rd party apps. See the Developer docs for information on writing modules. + + +Configuration +======= + +There is no configuration required. + +Using the Module +====== + +Simply add your physical images or file system dumps as data sources and enable the Android Analyzer module. + +Ingest Settings +------ +There are no runtime ingest settings required. + +Seeing Results +------ +The results show up in the tree under "Results", "Extracted Content". + +\image html android_analyzer_output.PNG + +*/ + + +*/ 
diff --git a/docs/doxygen-user/archive_extractor.dox b/docs/doxygen-user/archive_extractor.dox new file mode 100755 index 0000000000..0479305aca --- /dev/null +++ b/docs/doxygen-user/archive_extractor.dox @@ -0,0 +1,33 @@ +/*! \page archive_extractor_page Archive Extractor Module + +What Does It Do +======== + +The Archive Extractor module opens ZIP, RAR, and other archive formats and sends the files from those archive files back through the ingest pipeline for analysis. + +This module expands archive files to enable Autopsy to analyze all files on the system. It enables keyword search and hash lookup to analyze files inside of archives + +Configuration +======= + +There is no configuration required. + +Using the Module +====== +Select the checkbox in the Ingest Modules settings screen to enable the Archive Extractor. + +Ingest Settings +------ +There are no runtime ingest settings required. + +Seeing Results +------ +Each file extracted shows up in the data source tree view as a child of the archive containing it, + +\image html zipped_children_1.PNG +
+
+and as an archive under "Views", "File Types", "Archives". +\image html zipped_children_2.PNG + +*/ diff --git a/docs/doxygen-user/case_management.dox b/docs/doxygen-user/case_management.dox old mode 100644 new mode 100755 index bf933e460a..ecefe03cb1 --- a/docs/doxygen-user/case_management.dox +++ b/docs/doxygen-user/case_management.dox 
@@ -2,15 +2,17 @@ You need to create a case before you can analyze data in Autopsy. A case can contain one or more data sources (disk images, disk devices, logical files). The data sources can be from multiple drives in a single computer or from multiple computers. It's up to you. -Each case has its own directory that is named based on the case name. The directory will contain configuration files, a database, reports, and other files that modules generates. The main Autopsy case configuration file has a .aut extension. +Each case has its own directory that is named based on the case name. The directory will contain configuration files, a database, reports, and other files that modules generates. The main Autopsy case configuration file has an ".aut" extension. \section case_create Creating a Case -There are several ways to create a new case: -- The opening window has a button to create a new case. -- The "File" -> "New Case..." menu item +\image html splashscreen.PNG -The "New Case" wizard dialog will open and you will need to enter the case name and base directory. A directory for the case will be created inside of the "base directory". If the directory already exists, you will need to either delete the existing directory or choose a different combination of names. +There are several ways to create a new case: +- The opening splash screen has a button to create a new case. +- The "File", "Create New Case" menu item + +The New Case wizard dialog will open and you will need to enter the case name and base directory. A directory for the case will be created inside of the "base directory". If the directory already exists, you will need to either delete the existing directory or choose a different combination of names. \image html case-newcase.png 
@@ -21,8 +23,8 @@ After you create the case, you will be prompted to add a data source, as describ \section case_open Opening a Case To open a case, either: -- Choose "Open Case" or "Open Recent Case" from the opening window. -- The "File" -> "Open Case" menu item or "File" -> "Open Recent Case" +- Choose "Open Existing Case" or "Open Recent Case" from the opening splash screen. +- Choose the "File", "Open Case" menu item or "File", "Open Recent Case" Navigate to the case directory and select the ".aut" file. diff --git a/docs/doxygen-user/content_viewer.dox b/docs/doxygen-user/content_viewer.dox new file mode 100755 index 0000000000..27de79f7c4 --- /dev/null +++ b/docs/doxygen-user/content_viewer.dox @@ -0,0 +1,23 @@ +/*! \page content_viewer_page Content Viewer + +The Content Viewer lives in the lower right-hand side of the Autopsy main screen and show pictures, video, hex, text, extracted strings, metadata, etc. They are enabled when you select a file in the file list above it. + +The Content Viewer is context-aware, meaning it will present different views of the content based on the type of file selected. For example, a .JPG would show up as a picture, a text file would show up as text, and a .bin file would show up as hex output. + +The screenshots below show some examples of content viewers in action. +
+\image html content-viewer-1.PNG +
+
+\image html content-viewer-2.PNG +
+
+\image html content-viewer-3.PNG +
+
+\image html content-viewer-4.PNG +
+
+\image html content-viewer-5.PNG +
+*/ diff --git a/docs/doxygen-user/data_sources.dox b/docs/doxygen-user/data_sources.dox old mode 100644 new mode 100755 index 5dc8e8e0ed..7078fe5380 --- a/docs/doxygen-user/data_sources.dox +++ b/docs/doxygen-user/data_sources.dox @@ -1,7 +1,7 @@ /*! \page ds_page Data Sources -Data source is the term that we use in Autopsy to refer to disk images, logical files, etc. This is the data that you want to add in to analyze. You must have a case open before you can add a data source. +A data source the thing you want to analyze. It can be a disk image, some logical files, a local drive, etc. You must open a case prior to adding a data source to Autopsy. Autopsy supports three types of data sources: - Disk Image: A file (or set of files) that is a byte-for-byte copy of a hard drive or media card. (see \ref ds_img) @@ -15,13 +15,9 @@ Autopsy supports three types of data sources: You can add a data source in several ways: - After you create a case, it automatically prompts you to add a data source. - There is a toolbar item to add a Data Source when a case is open. -- The "File" -> "Add Data Source" menu item when a case is open. +- The "File", "Add Data Source" menu item when a case is open. -The data source must remain accessible for the duration of the analysis because the case contains only a reference to the data source. It does not copy the data source into the case folder. - - - -\section ds_process Data Source Adding Process +The data source must remain accessible for the duration of the analysis because the case contains a reference to the data source. It does not copy the data source into the case folder. Regardless of the type of data source, there are some common steps in the process: 
@@ -41,12 +37,10 @@ Regardless of the type of data source, there are some common steps in the proces 5) After the ingest modules have been configured and the basic examination of the data source is complete, the ingest modules will begin to analyze the file contents. - +You cannot remove a data source from a case. \section ds_img Adding a Disk Image -Supported Image Formats - Autopsy supports disk images in the following formats: - Raw Single (For example: *.img, *.dd, *.raw, etc) - Raw Split (For example: *.001, *.002, *.aa, *.ab, etc) @@ -55,7 +49,7 @@ Autopsy supports disk images in the following formats: To add a disk image: -# Choose "Image File" from the pull down. --# Browse to the first file in the disk image. You need to specify only the first file and it will find the rest. +-# Browse to the first file in the disk image. You need to specify only the first file and Autopsy will find the rest. -# Choose the timezone that the disk image came from. This is most important for when adding FAT file systems because it does not store timezone information and Autopsy will not know how to normalize to UTC. -# Choose to perform orphan file finding on FAT file systems. This can be a time intensive process because it will require that Autopsy look at each sector in the device. 
@@ -80,7 +74,7 @@ You can add files or folders that are on your local computer (or on a shared dri Some things to note when doing this: - Autopsy ignores the time stamps on files that it adds this way because they could be the timestamps when they were copied onto your examination device. -- If you have a USB-attached device that you are analyzing and you choose to add the device's contents using this method, then note that it will not look at unallocated space or deleted files. Autopsy will only be able to see the allocated files. You should add the device as a "Logical Drive" to get the unallocated space. +- If you have a USB-attached device that you are analyzing and you choose to add the device's contents using this method, then note that it will not look at unallocated space or deleted files. Autopsy will only be able to see the allocated files. You should add the device as a "Logical Drive" to analyze the unallocated space. To add logical files: -# Choose "Logical Files" from the pull down. @@ -89,8 +83,4 @@ To add logical files: All of the files that you added in the panel will be grouped together into a single data source, called "LogicalFileSet" in the main UI. -\section ds_rem Removing a Data Source - -You cannot currently remove an data source from a case. - */ \ No newline at end of file diff --git a/docs/doxygen-user/e01_verifier.dox b/docs/doxygen-user/e01_verifier.dox new file mode 100755 index 0000000000..7c1f6100e6 --- /dev/null +++ b/docs/doxygen-user/e01_verifier.dox 
@@ -0,0 +1,31 @@ +/*! \page e01_verifier_page E01 Verifier Module + +What Does It Do +======== + +The E01 Verifier module computes a checksum on E01 files and compares with the E01 file's internal checksum to ensure they match. +This can detect if the E01 module is corrupted. + + +Configuration +======= + +There is no configuration required. + + +Using the Module +====== +Select the checkbox in the Ingest Modules list to use this module. + +Ingest Settings +------ +There are no runtime ingest settings required. + +Seeing Results +------ + +You only see results from this module if the E01 is corrupted. A failure to load is shown below. + +\image html e01-verifier.png + +*/ diff --git a/docs/doxygen-user/email_parser.dox b/docs/doxygen-user/email_parser.dox new file mode 100755 index 0000000000..550ad2b67a --- /dev/null +++ b/docs/doxygen-user/email_parser.dox @@ -0,0 +1,30 @@ +/*! \page email_parser_page Email Parser Module + +What Does It Do +======== + +The Email Parser module identifies Thunderbird MBOX files and PST format files based on file signatures, extracting the e-mails from them, adding the results to the Blackboard. This module skips known files and creates a Blackboard artifact for each message. It adds email attachments as derived files. + +This allows the user to identify email-based communications from the system being analyzed. + +Configuration +======= + +There is no configuration required. + + +Using the Module +====== +Explore the "Results", "E-Mail Messages" portion of the tree to review the results of this module. + +Ingest Settings +------ +There are no runtime ingest settings required. + +Seeing Results +------ +The results of this show up in the "Results", "E-Mail Messages" portion of the tree. + +\image html email_results.PNG + +*/ diff --git a/docs/doxygen-user/extension_mismatch.dox b/docs/doxygen-user/extension_mismatch.dox new file mode 100755 index 0000000000..77221690e4 --- /dev/null +++ b/docs/doxygen-user/extension_mismatch.dox 
@@ -0,0 +1,35 @@
+/*! \page extension_mismatch_detector_page Extension Mismatch Detector Module
+
+What Does It Do
+========
+
+Extension Mismatch Detector module uses the results from the File Type Identification and flags files that have an extension not traditionally associated with the file's detected type. It ignores 'known' (NSRL) files. You can customize the MIME types and file extensions per MIME type in "Tools", "Options", "File Extension Mismatch".
+
+This detects files that someone may be trying to hide.
+
+Configuration
+=======
+One can add and remove MIME types in the "Tools", "Options", "File Extension Mismatch" dialog box, as well as add and remove extensions to particular MIME types.
+
+\image html extension-mismatch-detected-configuration.PNG
+
+
+Using the Module
+======
+Note that you can get a lot of false positives with this module. You can add your own rules to Autopsy to reduce unwanted hits.
+
+Ingest Settings
+------
+
+In the ingest settings, the user can choose if the module should skip files without extensions and skip text files. Both of these options are enabled by default.
+
+\image html extension-mismatch-detected-ingest-settings.PNG
+
+
+Seeing Results
+------
+Results are shown in the Results tree under "Extension Mismatch Detected".
+
+\image html extension-mismatch-detected.PNG
+
+*/
diff --git a/docs/doxygen-user/file_search.dox b/docs/doxygen-user/file_search.dox
old mode 100644
new mode 100755
index 91bf0d1c32..0e899fa24c
--- a/docs/doxygen-user/file_search.dox
+++ b/docs/doxygen-user/file_search.dox
@@ -1,31 +1,18 @@ -/*! \page file_search File Search +/*! \page file_search_page File Search \section about_file_search About File Search -File Search tool can be accessed either from the Tools menu or by right-clicking on image node in the Data Explorer / Directory Tree. By using File Search, you can specify, filter, and show the directories and files that you want to see from the images in the current opened case. The File Search results will be populated in a brand new Table Result viewer on the right-hand side. +The File Search tool can be accessed either from the Tools menu or by right-clicking on a data source node in the Data Explorer / Directory Tree. By using File Search, you can specify, filter, and show the directories and files that you want to see from the images in the currently opened case. The File Search results will be populated in a brand new Table Result viewer on the right-hand side. Currently, Autopsy only supports 4 categories in File Search: Name, Size, Date, and Known Status based search. -Note: Currently File Search doesn't support regular expression, however the Keyword Search feature of Autopsy does also look in file names and it does support regular expressions, which can complimentary to the File Search. -How to Open File Search:\n -To see how to open File Search, click \ref how_to_open_file_search "here".\n -Note: The File Search Window is opened and closed automatically. If there's a case opened and there is at least one image inside that case, File Search Window can't be closed. - -How to Use File Search: \n -To see how to use File Search, click \ref how_to_use_file_search "here". - -Example -Here's an example of a File Search window: - -\image html file-search-top-component.PNG +Note: Currently File Search doesn't support regular expressions. The Keyword Search feature of Autopsy does support regular expressions and can be used for to search for files and/or directories by name. 
\section how_to_open_file_search How To Open File Search -How to Open File Search To open the File Search, you can do one of the following thing: -Right click an image and choose "Open File Search by Attributes". +Right-click a data source and choose "Open File Search by Attributes". \image html open-file-search-component-1.PNG -Select the "Tools" > "File Search by Attributes". +or select the "Tools", "File Search by Attributes". \image html open-file-search-component-2.PNG -Note: The File Search Window is opened and closed automatically. If there's a case opened and there is at least one image inside that case, File Search Window can't be closed. \section how_to_use_file_search How To Use File Search @@ -41,8 +28,8 @@ Search for all files and directory whose "date property" is within the date rang \li Known Status: Search for all files and directory whose known status is recognized as either Unknown, Known, or Known Bad. For more on Known Status, see Hash Database Management. To use any of these filters, check the box next to the category and click "Search" button to start the search process. The result will show up in the "Result Viewer". -Example -Here's an example where I try to get all the directories and files whose name contains "hello", has a size greater than 1000 Bytes,was created between 06/15/2010 and 06/16/2010 (in GMT-5 timezone), and is an unknown file: + +Here's an example where we try to get all the directories and files whose name contains "hello", has a size greater than 1000 Bytes,was created between 06/15/2010 and 06/16/2010 (in GMT-5 timezone), and is an unknown file: \image html example-of-file-sarch.PNG */ \ No newline at end of file diff --git a/docs/doxygen-user/filetype.dox b/docs/doxygen-user/filetype.dox index 029b68a317..633d317d14 100644 --- a/docs/doxygen-user/filetype.dox +++ b/docs/doxygen-user/filetype.dox 
@@ -1,4 +1,4 @@ -/*! \page filetype_page File Type Module +/*! \page file_type_identification_page File Type Identification Module What Does It Do ======== @@ -7,17 +7,18 @@ The File Type ID module identifies files based on their internal signatures and You should enable this module because many other modules depend on its results to determine if they should analyze a file. Some examples include: -- Extension Mismatch Module -- \subpage kwsrch_page +- \subpage extension_mismatch_detector_page +- \subpage keyword_search_page Configuration ======= -You do not need to configure anything with this module unless you want to define your own types. To define your own types, go to the Tools -> Options -> File Type Id panel. +You do not need to configure anything with this module unless you want to define your own types. To define your own types, go to "Tools", "Options", "File Type Id" panel. From there, you can define rules based on the offset of the signature and if the signature is a byte sequence of an ASCII string. +\image html filetype.png Using the Module ====== @@ -31,7 +32,7 @@ a data source. All user-defined and Tika rules are always applied. Seeing Results ------ -This module does not have obvious impacts in the user interface, though it is used by many othe modules. +This module does not have obvious impacts in the user interface, though it is used by many other modules. To see the file type of an individual file, view the "Results" tab in the lower right when you navigate to the file. You should see a page in there that mentions the file type. diff --git a/docs/doxygen-user/footer.html b/docs/doxygen-user/footer.html old mode 100644 new mode 100755 diff --git a/docs/doxygen-user/hashdb_lookup.dox b/docs/doxygen-user/hashdb_lookup.dox old mode 100644 new mode 100755 index f966b253e3..20d948302d --- a/docs/doxygen-user/hashdb_lookup.dox +++ b/docs/doxygen-user/hashdb_lookup.dox 
@@ -1,33 +1,68 @@ /*! \page hash_db_page Hash Database Lookup Module -Autopsy has an ingest module that calculates hash values and looks up the hash values in a database to determine if the file is known bad, known (in general), or unknown. This page outlines that module and its configuration. - - -\section hash_db_config Configuring the module +What Does It Do +======== + +The Hash Database Lookup Module calculates MD5 hash values for files and looks up hash values in a database to determine if the file is known bad, known (in general), or unknown. +Configuration +======= The Hash Database Management window is where you can set and update your hash database information. Hash databases are used to identify files that are 'known'. -\li Known good files are those that can be safely ignored. This set of files frequently includes standard OS and application files. Ignoring such uninteresting to the investigator files, can greatly reduce image analysis time. +\li Known good files are those that can be safely ignored. This set of files frequently includes standard OS and application files. Ignoring such uninteresting-to-the-investigator files, can greatly reduce image analysis time. \li Known bad (also called notable) files are those that should raise awareness. This set will vary depending on the type of investigation, but common examples include contraband images and malware. \section notable_known_bad_hashsets Notable / Known Bad Hashsets -Autopsy allows for multiple known bad hash databases to be set. Autopsy supports three formats: +Autopsy allows for multiple known bad hash databases to be set. Autopsy supports the following formats: \li EnCase: An EnCase hashset file. \li MD5sum: Output from running the md5, md5sum, or md5deep program on a set of files. \li NSRL: The format of the NSRL database. \li HashKeeper: Hashset file conforming to the HashKeeper standard. -NIST_NSRL: -Autopsy can use the NIST NSRL to detect 'known files'. 
Note that the NSRL contains hashes of 'known files' that may be good or bad depending on your perspective and investigation type. For example, the existence of a piece of financial software may be interesting to your investigation and that software could be in the NSRL. Therefore, Autopsy treats files that are found in the NSRL as simply 'known' and does not specify good or bad. Ingest modules have the option of ignoring files that were found in the NSRL. -To use the NSRL, you must concatenate all of the NSRLFile.txt files together. You can use 'cat' on a Unix system or from within Cygwin to do this. \section adding_hashsets Adding Hashsets Autopsy needs an index of the hashset to actualy use a hash database. It can create the index if you import only the hashset. When you select the database from within this window, it will tell you if the index needs to be created. Autopsy uses the hash database management system from The Sleuth Kit. You can manually create an index using the 'hfind' command line tool or you can use Autopsy. If you attempt proceed without indexing a database, Autopsy will offer to automatically produce an index for you. You can also specify only the index file and not use the full hashset - the index file is sufficient to identify known files. This can save space. To do this, specify the .idx file from the Hash Database Management window. + +
\section using_hashsets Using Hashsets -There is an \ref ingest "ingest module" that will hash the files and look them up in the hashsets. It will flag files that were in the notable hashset and those results will be shown in the Results tree of the \ref directory_tree "Data Explorer". +There is an \ref ingest_page "ingest module" that will hash the files and look them up in the hashsets. It will flag files that were in the notable hashset and those results will be shown in the Results tree of the \ref tree_viewer_page. Other ingest modules are able to use the known status of a file to decide if they should ignore the file or process it. You can also see the results in the \ref how_to_open_file_search "File Search" window. There is an option to choose the 'known status'. From here, you can do a search to see all 'known bad' files. From here, you can also choose to ignore all 'known' files that were found in the NSRL. You can also see the status of the file in a column when the file is listed. -\image html hash-database-configuration.PNG - +
+NIST NSRL +------ +Autopsy can use the NIST NSRL to detect 'known files'. The NSRL contains hashes of 'known files' that may be good or bad depending on your perspective and investigation type. For example, the existence of a piece of financial software may be interesting to your investigation and that software could be in the NSRL. Therefore, Autopsy treats files that are found in the NSRL as simply 'known' and does not specify good or bad. Ingest modules have the option of ignoring files that were found in the NSRL. + +To use the NSRL, you may download a pre-made index from http://sourceforge.net/projects/autopsy/files/NSRL. Download the NSRL-XYZm-autopsy.zip (where 'XYZ' is the version number. As of this writing, it is 247) and unzip the file. Use the "Tools", "Options" menu and select the "Hash Database" tab. Click "Import Database" and browse to the location of the unzipped NSRL file. You can change the Hash Set Name if desired. Select the type of database desired, choosing "Send ingest inbox message for each hit" if desired, and then click "OK". + +
+\image html nsrl_import_process.PNG +
+
+ +The screenshot below shows an imported NSRL. +
+\image html nsrl_imported.PNG +
+
+ + +Using the Module +====== + +Ingest Settings +------ +When hashsets are configured, the user can select the hashsets to use during the ingest process. + +\image html hash-lookup.png + + + +Seeing Results +------ + +Results show up in the tree as "Hashset Hits", grouped by the name of the hash set. + +\image html hashset-hits.png */ diff --git a/docs/doxygen-user/image_viewer.dox b/docs/doxygen-user/image_gallery.dox similarity index 95% rename from docs/doxygen-user/image_viewer.dox rename to docs/doxygen-user/image_gallery.dox index 2c9a78ce71..51bb0fb4d1 100644 --- a/docs/doxygen-user/image_viewer.dox +++ b/docs/doxygen-user/image_gallery.dox @@ -1,4 +1,4 @@ -/*! \page image_viewer Image and Video Viewer +/*! \page image_gallery_page Image Gallery Module Overview ======== This document outlines the use of the new Image Gallery feature of Autopsy. This feature was funded by DHS S&T to help provide free and open source digital forensics tools to law enforcement. 
@@ -8,12 +8,11 @@ The new image gallery feature has been designed specifically with child-exploita - Allows examiner to start viewing images immediately upon adding them to the case. As images are hashed, they are updated in the interface. You do not need to wait until the entire image is ingested. This document assumes basic familiarity with Autopsy. - Quick Start =========== -1. The Image Gallery tool can be configured to collect data about images/videos as ingest runs or all at once after ingest. To change this setting go to Tools->Options->Image /Video Gallery. This setting is saved per case, but can not be changed during ingest. +1. The Image Gallery tool can be configured to collect data about images/videos as ingest runs or all at once after ingest. To change this setting go to "Tools", "Options", "Image /Video Gallery". This setting is saved per case, but can not be changed during ingest. 2. Create a case as normal and add a disk image (or folder of files) as a data source. Ensure that you have the hash lookup module enabled with NSRL and known bad hashsets, the EXIF module enabled, and the File Type module enabled. -3. Click Tools->View Images/Videos in the menu. This will open the Autopsy Image/Video Gallery tool in a new window. +3. Click "Tools", "Analyze Images/Videos" in the menu. This will open the Autopsy Image/Video Analysis tool in a new window. 4. Groups of images will be presented as they are analyzed by the background ingest modules. You can later resort and regroup, but it is required to keep it grouped by folder while ingest is still ongoing. 5. As each group is reviewed, the next highest priority group is presented, according to a sorting criteria (the default is the density of hash set hits). 6. Images that were hits from hashsets, will have a dashed border around them. 
diff --git a/docs/doxygen-user/images/EXIF-tree.PNG b/docs/doxygen-user/images/EXIF-tree.PNG new file mode 100755 index 0000000000..6fdc2efcd4 Binary files /dev/null and b/docs/doxygen-user/images/EXIF-tree.PNG differ diff --git a/docs/doxygen-user/images/add-data-source.PNG b/docs/doxygen-user/images/add-data-source.PNG old mode 100644 new mode 100755 diff --git a/docs/doxygen-user/images/android_analyzer_output.PNG b/docs/doxygen-user/images/android_analyzer_output.PNG new file mode 100755 index 0000000000..91606a187b Binary files /dev/null and b/docs/doxygen-user/images/android_analyzer_output.PNG differ diff --git a/docs/doxygen-user/images/case-newcase.png b/docs/doxygen-user/images/case-newcase.png old mode 100644 new mode 100755 index f86132d9a8..5d580db797 Binary files a/docs/doxygen-user/images/case-newcase.png and b/docs/doxygen-user/images/case-newcase.png differ diff --git a/docs/doxygen-user/images/content-viewer-1.PNG b/docs/doxygen-user/images/content-viewer-1.PNG new file mode 100755 index 0000000000..6e83fd8ee8 Binary files /dev/null and b/docs/doxygen-user/images/content-viewer-1.PNG differ diff --git a/docs/doxygen-user/images/content-viewer-2.PNG b/docs/doxygen-user/images/content-viewer-2.PNG new file mode 100755 index 0000000000..ef8c50494f Binary files /dev/null and b/docs/doxygen-user/images/content-viewer-2.PNG differ diff --git a/docs/doxygen-user/images/content-viewer-3.PNG b/docs/doxygen-user/images/content-viewer-3.PNG new file mode 100755 index 0000000000..4be1388616 Binary files /dev/null and b/docs/doxygen-user/images/content-viewer-3.PNG differ diff --git a/docs/doxygen-user/images/content-viewer-4.PNG b/docs/doxygen-user/images/content-viewer-4.PNG new file mode 100755 index 0000000000..43519f5c27 Binary files /dev/null and b/docs/doxygen-user/images/content-viewer-4.PNG differ 
diff --git a/docs/doxygen-user/images/content-viewer-5.PNG b/docs/doxygen-user/images/content-viewer-5.PNG new file mode 100755 index 0000000000..186b2d466c Binary files /dev/null and b/docs/doxygen-user/images/content-viewer-5.PNG differ diff --git a/docs/doxygen-user/images/content-viewer-window-example.PNG b/docs/doxygen-user/images/content-viewer-window-example.PNG deleted file mode 100644 index ba2b083220..0000000000 Binary files a/docs/doxygen-user/images/content-viewer-window-example.PNG and /dev/null differ diff --git a/docs/doxygen-user/images/data-source-progress-bar.PNG b/docs/doxygen-user/images/data-source-progress-bar.PNG old mode 100644 new mode 100755 index 59afc70a20..d5a443d011 Binary files a/docs/doxygen-user/images/data-source-progress-bar.PNG and b/docs/doxygen-user/images/data-source-progress-bar.PNG differ diff --git a/docs/doxygen-user/images/directory-tree.PNG b/docs/doxygen-user/images/directory-tree.PNG new file mode 100755 index 0000000000..0d7f4bd50d Binary files /dev/null and b/docs/doxygen-user/images/directory-tree.PNG differ diff --git a/docs/doxygen-user/images/e01-verifier.PNG b/docs/doxygen-user/images/e01-verifier.PNG new file mode 100755 index 0000000000..3f5d3c3faa Binary files /dev/null and b/docs/doxygen-user/images/e01-verifier.PNG differ diff --git a/docs/doxygen-user/images/email_results.PNG b/docs/doxygen-user/images/email_results.PNG new file mode 100755 index 0000000000..1e7f744746 Binary files /dev/null and b/docs/doxygen-user/images/email_results.PNG differ diff --git a/docs/doxygen-user/images/example-of-file-sarch.PNG b/docs/doxygen-user/images/example-of-file-sarch.PNG old mode 100644 new mode 100755 diff --git a/docs/doxygen-user/images/explorer-tree.PNG b/docs/doxygen-user/images/explorer-tree.PNG old mode 100644 new mode 100755 
diff --git a/docs/doxygen-user/images/extension-mismatch-detected-configuration.PNG b/docs/doxygen-user/images/extension-mismatch-detected-configuration.PNG new file mode 100755 index 0000000000..d93257a5d5 Binary files /dev/null and b/docs/doxygen-user/images/extension-mismatch-detected-configuration.PNG differ diff --git a/docs/doxygen-user/images/extension-mismatch-detected-ingest-settings.PNG b/docs/doxygen-user/images/extension-mismatch-detected-ingest-settings.PNG new file mode 100755 index 0000000000..3a40a5c340 Binary files /dev/null and b/docs/doxygen-user/images/extension-mismatch-detected-ingest-settings.PNG differ diff --git a/docs/doxygen-user/images/extension-mismatch-detected.PNG b/docs/doxygen-user/images/extension-mismatch-detected.PNG new file mode 100755 index 0000000000..7b4085ce9a Binary files /dev/null and b/docs/doxygen-user/images/extension-mismatch-detected.PNG differ diff --git a/docs/doxygen-user/images/extracted_content.PNG b/docs/doxygen-user/images/extracted_content.PNG new file mode 100755 index 0000000000..b8696a93e7 Binary files /dev/null and b/docs/doxygen-user/images/extracted_content.PNG differ diff --git a/docs/doxygen-user/images/extracting-unallocated-space.PNG b/docs/doxygen-user/images/extracting-unallocated-space.PNG old mode 100644 new mode 100755 diff --git a/docs/doxygen-user/images/file-search-top-component.PNG b/docs/doxygen-user/images/file-search-top-component.PNG old mode 100644 new mode 100755 diff --git a/docs/doxygen-user/images/filetype.PNG b/docs/doxygen-user/images/filetype.PNG new file mode 100755 index 0000000000..d14cc5470a Binary files /dev/null and b/docs/doxygen-user/images/filetype.PNG differ diff --git a/docs/doxygen-user/images/generate-report-1.PNG b/docs/doxygen-user/images/generate-report-1.PNG new file mode 100755 index 0000000000..d2114ca3cf Binary files /dev/null and b/docs/doxygen-user/images/generate-report-1.PNG differ 
diff --git a/docs/doxygen-user/images/generate-report-2.PNG b/docs/doxygen-user/images/generate-report-2.PNG new file mode 100755 index 0000000000..3ca822fb27 Binary files /dev/null and b/docs/doxygen-user/images/generate-report-2.PNG differ diff --git a/docs/doxygen-user/images/generate-report-3.PNG b/docs/doxygen-user/images/generate-report-3.PNG new file mode 100755 index 0000000000..6f764c9c89 Binary files /dev/null and b/docs/doxygen-user/images/generate-report-3.PNG differ diff --git a/docs/doxygen-user/images/generate-report-4.PNG b/docs/doxygen-user/images/generate-report-4.PNG new file mode 100755 index 0000000000..906ac42752 Binary files /dev/null and b/docs/doxygen-user/images/generate-report-4.PNG differ diff --git a/docs/doxygen-user/images/generate-report-5.PNG b/docs/doxygen-user/images/generate-report-5.PNG new file mode 100755 index 0000000000..c177044235 Binary files /dev/null and b/docs/doxygen-user/images/generate-report-5.PNG differ diff --git a/docs/doxygen-user/images/generate-report-6.PNG b/docs/doxygen-user/images/generate-report-6.PNG new file mode 100755 index 0000000000..df7229bb40 Binary files /dev/null and b/docs/doxygen-user/images/generate-report-6.PNG differ diff --git a/docs/doxygen-user/images/hash-database-configuration.PNG b/docs/doxygen-user/images/hash-database-configuration.PNG deleted file mode 100644 index 46891afa5b..0000000000 Binary files a/docs/doxygen-user/images/hash-database-configuration.PNG and /dev/null differ diff --git a/docs/doxygen-user/images/hash-lookup.PNG b/docs/doxygen-user/images/hash-lookup.PNG new file mode 100755 index 0000000000..5f70223b5e Binary files /dev/null and b/docs/doxygen-user/images/hash-lookup.PNG differ diff --git a/docs/doxygen-user/images/hashset-hits.PNG b/docs/doxygen-user/images/hashset-hits.PNG new file mode 100755 index 0000000000..3677e8adca Binary files /dev/null and b/docs/doxygen-user/images/hashset-hits.PNG differ 
diff --git a/docs/doxygen-user/images/hex-content-viewer-tab.PNG b/docs/doxygen-user/images/hex-content-viewer-tab.PNG old mode 100644 new mode 100755 diff --git a/docs/doxygen-user/images/inbox-button.PNG b/docs/doxygen-user/images/inbox-button.PNG old mode 100644 new mode 100755 diff --git a/docs/doxygen-user/images/inbox-detail-screen.PNG b/docs/doxygen-user/images/inbox-detail-screen.PNG old mode 100644 new mode 100755 diff --git a/docs/doxygen-user/images/inbox-main-screen.PNG b/docs/doxygen-user/images/inbox-main-screen.PNG old mode 100644 new mode 100755 index be50ee0a40..04d1f7e2ea Binary files a/docs/doxygen-user/images/inbox-main-screen.PNG and b/docs/doxygen-user/images/inbox-main-screen.PNG differ diff --git a/docs/doxygen-user/images/ingest_pipeline.PNG b/docs/doxygen-user/images/ingest_pipeline.PNG new file mode 100755 index 0000000000..a91b73f642 Binary files /dev/null and b/docs/doxygen-user/images/ingest_pipeline.PNG differ diff --git a/docs/doxygen-user/images/interesting_files_configuration.PNG b/docs/doxygen-user/images/interesting_files_configuration.PNG new file mode 100755 index 0000000000..60d4b1772f Binary files /dev/null and b/docs/doxygen-user/images/interesting_files_configuration.PNG differ diff --git a/docs/doxygen-user/images/interesting_files_ingest_settings.PNG b/docs/doxygen-user/images/interesting_files_ingest_settings.PNG new file mode 100755 index 0000000000..61f78c7e26 Binary files /dev/null and b/docs/doxygen-user/images/interesting_files_ingest_settings.PNG differ diff --git a/docs/doxygen-user/images/interesting_files_results.PNG b/docs/doxygen-user/images/interesting_files_results.PNG new file mode 100755 index 0000000000..26dd994cd9 Binary files /dev/null and b/docs/doxygen-user/images/interesting_files_results.PNG differ 
diff --git a/docs/doxygen-user/images/keyword-search-bar.PNG b/docs/doxygen-user/images/keyword-search-bar.PNG old mode 100644 new mode 100755 index ea8d62ff4f..dc9cc74111 Binary files a/docs/doxygen-user/images/keyword-search-bar.PNG and b/docs/doxygen-user/images/keyword-search-bar.PNG differ diff --git a/docs/doxygen-user/images/keyword-search-configuration-dialog-general.PNG b/docs/doxygen-user/images/keyword-search-configuration-dialog-general.PNG old mode 100644 new mode 100755 index 4eed672ec6..97dc6da4e3 Binary files a/docs/doxygen-user/images/keyword-search-configuration-dialog-general.PNG and b/docs/doxygen-user/images/keyword-search-configuration-dialog-general.PNG differ diff --git a/docs/doxygen-user/images/keyword-search-configuration-dialog-string-extraction.PNG b/docs/doxygen-user/images/keyword-search-configuration-dialog-string-extraction.PNG old mode 100644 new mode 100755 index ee8199878b..643cf6c25e Binary files a/docs/doxygen-user/images/keyword-search-configuration-dialog-string-extraction.PNG and b/docs/doxygen-user/images/keyword-search-configuration-dialog-string-extraction.PNG differ diff --git a/docs/doxygen-user/images/keyword-search-configuration-dialog.PNG b/docs/doxygen-user/images/keyword-search-configuration-dialog.PNG old mode 100644 new mode 100755 index 998b7a0e87..cb2ce5f32a Binary files a/docs/doxygen-user/images/keyword-search-configuration-dialog.PNG and b/docs/doxygen-user/images/keyword-search-configuration-dialog.PNG differ diff --git a/docs/doxygen-user/images/keyword-search-hits.PNG b/docs/doxygen-user/images/keyword-search-hits.PNG new file mode 100755 index 0000000000..446bd9ada3 Binary files /dev/null and b/docs/doxygen-user/images/keyword-search-hits.PNG differ 
diff --git a/docs/doxygen-user/images/keyword-search-ingest-settings.PNG b/docs/doxygen-user/images/keyword-search-ingest-settings.PNG new file mode 100755 index 0000000000..a393e24c8d Binary files /dev/null and b/docs/doxygen-user/images/keyword-search-ingest-settings.PNG differ diff --git a/docs/doxygen-user/images/keyword-search-list-results.PNG b/docs/doxygen-user/images/keyword-search-list-results.PNG new file mode 100755 index 0000000000..83cda9c20e Binary files /dev/null and b/docs/doxygen-user/images/keyword-search-list-results.PNG differ diff --git a/docs/doxygen-user/images/keyword-search-list.PNG b/docs/doxygen-user/images/keyword-search-list.PNG new file mode 100755 index 0000000000..0e33fa769d Binary files /dev/null and b/docs/doxygen-user/images/keyword-search-list.PNG differ diff --git a/docs/doxygen-user/images/nsrl_import_process.png b/docs/doxygen-user/images/nsrl_import_process.png new file mode 100644 index 0000000000..43a2c89eb0 Binary files /dev/null and b/docs/doxygen-user/images/nsrl_import_process.png differ diff --git a/docs/doxygen-user/images/nsrl_imported.png b/docs/doxygen-user/images/nsrl_imported.png new file mode 100644 index 0000000000..c597cc18ab Binary files /dev/null and b/docs/doxygen-user/images/nsrl_imported.png differ diff --git a/docs/doxygen-user/images/open-file-search-component-1.PNG b/docs/doxygen-user/images/open-file-search-component-1.PNG old mode 100644 new mode 100755 index 90dd45ee3b..7c86dbdfc4 Binary files a/docs/doxygen-user/images/open-file-search-component-1.PNG and b/docs/doxygen-user/images/open-file-search-component-1.PNG differ diff --git a/docs/doxygen-user/images/open-file-search-component-2.PNG b/docs/doxygen-user/images/open-file-search-component-2.PNG old mode 100644 new mode 100755 index 230b3687b2..64d15ab367 Binary files a/docs/doxygen-user/images/open-file-search-component-2.PNG and b/docs/doxygen-user/images/open-file-search-component-2.PNG differ 
diff --git a/docs/doxygen-user/images/photorec_output.PNG b/docs/doxygen-user/images/photorec_output.PNG new file mode 100755 index 0000000000..859ed4f871 Binary files /dev/null and b/docs/doxygen-user/images/photorec_output.PNG differ diff --git a/docs/doxygen-user/images/picture-content-viewer-tab.PNG b/docs/doxygen-user/images/picture-content-viewer-tab.PNG old mode 100644 new mode 100755 diff --git a/docs/doxygen-user/images/result-viewer-example.PNG b/docs/doxygen-user/images/result-viewer-example-1.PNG similarity index 100% rename from docs/doxygen-user/images/result-viewer-example.PNG rename to docs/doxygen-user/images/result-viewer-example-1.PNG diff --git a/docs/doxygen-user/images/result-viewer-example-2.PNG b/docs/doxygen-user/images/result-viewer-example-2.PNG new file mode 100755 index 0000000000..25be40d481 Binary files /dev/null and b/docs/doxygen-user/images/result-viewer-example-2.PNG differ diff --git a/docs/doxygen-user/images/result-viewer-example-3.PNG b/docs/doxygen-user/images/result-viewer-example-3.PNG new file mode 100755 index 0000000000..fbdda31e8a Binary files /dev/null and b/docs/doxygen-user/images/result-viewer-example-3.PNG differ diff --git a/docs/doxygen-user/images/result-viewer-window-example.PNG b/docs/doxygen-user/images/result-viewer-window-example.PNG old mode 100644 new mode 100755 diff --git a/docs/doxygen-user/images/screenshot.png b/docs/doxygen-user/images/screenshot.png old mode 100644 new mode 100755 index b6b6d840b6..bc94b4b382 Binary files a/docs/doxygen-user/images/screenshot.png and b/docs/doxygen-user/images/screenshot.png differ diff --git a/docs/doxygen-user/images/select-data-source-type.PNG b/docs/doxygen-user/images/select-data-source-type.PNG old mode 100644 new mode 100755 index b8afc7d9a3..5f250104d1 Binary files a/docs/doxygen-user/images/select-data-source-type.PNG and b/docs/doxygen-user/images/select-data-source-type.PNG differ 
diff --git a/docs/doxygen-user/images/select-ingest-modules.PNG b/docs/doxygen-user/images/select-ingest-modules.PNG old mode 100644 new mode 100755 index 999b5b3cf4..1f227102b8 Binary files a/docs/doxygen-user/images/select-ingest-modules.PNG and b/docs/doxygen-user/images/select-ingest-modules.PNG differ diff --git a/docs/doxygen-user/images/splashscreen.PNG b/docs/doxygen-user/images/splashscreen.PNG new file mode 100755 index 0000000000..9827d781ff Binary files /dev/null and b/docs/doxygen-user/images/splashscreen.PNG differ diff --git a/docs/doxygen-user/images/string-content-viewer-tab.PNG b/docs/doxygen-user/images/string-content-viewer-tab.PNG old mode 100644 new mode 100755 diff --git a/docs/doxygen-user/images/table-result-viewer-tab.PNG b/docs/doxygen-user/images/table-result-viewer-tab.PNG old mode 100644 new mode 100755 diff --git a/docs/doxygen-user/images/tagging-1.PNG b/docs/doxygen-user/images/tagging-1.PNG new file mode 100755 index 0000000000..b2a91afe0b Binary files /dev/null and b/docs/doxygen-user/images/tagging-1.PNG differ diff --git a/docs/doxygen-user/images/tagging-2.PNG b/docs/doxygen-user/images/tagging-2.PNG new file mode 100755 index 0000000000..8a1b3c07b4 Binary files /dev/null and b/docs/doxygen-user/images/tagging-2.PNG differ diff --git a/docs/doxygen-user/images/tagging-3.PNG b/docs/doxygen-user/images/tagging-3.PNG new file mode 100755 index 0000000000..92f5b3c940 Binary files /dev/null and b/docs/doxygen-user/images/tagging-3.PNG differ diff --git a/docs/doxygen-user/images/tagging-4.PNG b/docs/doxygen-user/images/tagging-4.PNG new file mode 100755 index 0000000000..1b98aaddf8 Binary files /dev/null and b/docs/doxygen-user/images/tagging-4.PNG differ diff --git a/docs/doxygen-user/images/text-view.PNG b/docs/doxygen-user/images/text-view.PNG old mode 100644 new mode 100755 
diff --git a/docs/doxygen-user/images/threadcount.PNG b/docs/doxygen-user/images/threadcount.PNG new file mode 100755 index 0000000000..c465a4a3e8 Binary files /dev/null and b/docs/doxygen-user/images/threadcount.PNG differ diff --git a/docs/doxygen-user/images/thumbnail-result-viewer-tab.PNG b/docs/doxygen-user/images/thumbnail-result-viewer-tab.PNG old mode 100644 new mode 100755 diff --git a/docs/doxygen-user/images/ui-layout-1.png b/docs/doxygen-user/images/ui-layout-1.png new file mode 100755 index 0000000000..7a99d1e264 Binary files /dev/null and b/docs/doxygen-user/images/ui-layout-1.png differ diff --git a/docs/doxygen-user/images/zipped_children_1.PNG b/docs/doxygen-user/images/zipped_children_1.PNG new file mode 100755 index 0000000000..d391c91105 Binary files /dev/null and b/docs/doxygen-user/images/zipped_children_1.PNG differ diff --git a/docs/doxygen-user/images/zipped_children_2.PNG b/docs/doxygen-user/images/zipped_children_2.PNG new file mode 100755 index 0000000000..f1e7318258 Binary files /dev/null and b/docs/doxygen-user/images/zipped_children_2.PNG differ diff --git a/docs/doxygen-user/ingest.dox b/docs/doxygen-user/ingest.dox index 0d3306d872..1d2257433d 100644 --- a/docs/doxygen-user/ingest.dox +++ b/docs/doxygen-user/ingest.dox 
@@ -1,10 +1,10 @@ /*! \page ingest_page Ingest Modules -Ingest modules analyze the data in a data source. They perform all of the analysis of the files and parse their contents. Examples include hash calculation, keyword search, and web artifact extraction. +Ingest modules analyze the data in a data source. They perform all of the analysis of the files and parse their contents. Examples include \ref hash_db_page "hash calculation and lookup", \ref keyword_search_page "keyword searching", and \ref recent_activity_page "web artifact extraction". -Immediately after you add a data source to a case (see \ref ds_page), you will be presented with a dialog to configure the ingest modules to run on it. Once configured, they will run in the background and provide you real-time results when the find relevant information. +Immediately after you add a data source to a case (see \ref ds_page), you will be presented with a dialog to configure the ingest modules to run on it. Once configured, they will run in the background and provide you real-time results when they find relevant information. -This page covers the use of ingest modules. Specific pages will cover the configuration of specific modules. See \ref module_install_page for details on installing 3rd party ingest modules. +This page covers the use of ingest modules. Specific pages will cover the configuration of specific modules. See \ref module_install_page for details on installing 3rd-party ingest modules. \section ingest_performance Multi-threaded and Priority 
@@ -12,7 +12,7 @@ Ingest modules are configured to find user content quickly. The ingest modules \image html ingest_pipeline.png -Multiple pipelines may be running at the same time. By default, 2 pipelines are running, but you can add more depending on how many cores you have on your system. You can configure the number of pipelines to make in the Tools -> Options -> General area. +Multiple pipelines may be running at the same time. By default, two pipelines are running, but you can add more depending on how many cores you have on your system. You can configure the number of pipelines to make in the "Tools", "Options", "General" area. Autopsy prioritizes user content over other types of files and will send data from the "Documents and Settings" folder or "Users" folder into the pipelines before the "Windows" folder. It prioritizes each folder in the system to ensure that user content is analyzed before other content. @@ -25,7 +25,7 @@ There are two ways to start ingest modules: Once ingest is started, you can review the currently running ingest tasks in the task bar on the bottom-right corner of the main window. The ingest tasks can be canceled by the user if so desired. -Note: sometimes the cancellation process make take several seconds or more to complete cleanly, depending on what the ingest module was currently doing. +Note: sometimes the cancellation process may take several seconds or more to complete cleanly, depending on what the ingest module was currently doing. \section ingest_configure Configuring Ingest Modules 
@@ -35,9 +35,9 @@ You will be presented with an interface to configure the ingest modules. From he There are two places to configure ingest modules. When you select the module name, you may have some "run time" options to configure in the panel to the right. These are generally settings that you may want to change from image to image. -There may also be an "Advanced" button that is enabled in the lower corner. Pressing this button allows you to change global settings that are not specific to a single image. This advanced configuration panel can often be found in the "Tools" > "Options" menu too. +There may also be an "Advanced" button that is enabled in the lower corner. Pressing this button allows you to change global settings that are not specific to a single image. This advanced configuration panel can often be found in the "Tools", "Options" menu too. -As an example, the hash lookup module will allow you to enable or disable hash databases in the "run time" options panel, but requires you to go to the "Advanced" era to add or remove hash databases from the Autopsy configuration. +As an example, the hash lookup module will allow you to enable or disable hash databases in the "run time" options panel, but requires you to go to the "Advanced" dialog to add or remove hash databases from the Autopsy configuration. \section ingest_results Viewing Ingest Module Results diff --git a/docs/doxygen-user/installation.dox b/docs/doxygen-user/installation.dox old mode 100644 new mode 100755 index 125f0e27bc..48e6308f99 --- a/docs/doxygen-user/installation.dox +++ b/docs/doxygen-user/installation.dox 
@@ -10,7 +10,7 @@ http://sleuthkit.org/autopsy/download.php The current version of Autopsy 3 runs only on Microsoft Windows. We have gotten it to run on other platforms, such as Linux and OS X, but we do not have it in a state that makes it easy to distribute and find the needed libraries. -The Windows installer is self contained and will place everything in the needed places. Simply follow the standard prompts for target installation directory. +The Windows installer is self-contained and will place everything in the needed places. Simply follow the standard prompts for installation. Optimizing Performance 
@@ -18,14 +18,16 @@ Optimizing Performance After installing Autopsy, there are several hardware-based things that we suggest you do to optimize performance: -1) Change the number of parallel pipelines that can be run at a time. The default is 2 pipelines, but this can be increased if you are running on a system with several cores. To do this: -- Run Autopsy from the start menu or desktop -- When presented with the case creation screen, cancel/close the menu window -- Select tools > options -- On the first tab, there is a drop down for "number of ingest" threads. We recommend that you set this value to be smaller than the number of cores minus two. If you set this number too high, performance can degrade because the pipelines are fighting for the same resources. Testing should be done to find an optimal setting. +1) Change the number of parallel pipelines used at run time. The default is two pipelines, but this can be increased if you are running on a system with several cores. To do this: +- Run Autopsy from the Start Menu or desktop +- When presented with the case creation splash screen, cancel/close the window +- Select "Tools", "Options" +- On the "Autopsy" tab, there is a drop down for "Number of thread to use for file ingest". We recommend that you set this value to be smaller than the number of cores minus two. If you set this number too high, performance can degrade because the pipelines are fighting for the same resources. Individual testing should be done to find an optimal setting. - After each change, restart Autopsy to let this setting take effect. -2) When making a case, use different drives to store the case and the images. The case directory is where the SQLite database and keyword search index is stored. This allows the maximum amount of data to be read and written at the same time. +\image html threadcount.PNG + +2) When making a case, use different drives to store the case and the images. 
The case directory is where the SQLite database and keyword search index are stored. This allows the maximum amount of data to be read and written at the same time. 3) We have had best performance using either local solid state drives or fibre channel-attached SAN storage.
diff --git a/docs/doxygen-user/interesting_files.dox b/docs/doxygen-user/interesting_files.dox
new file mode 100755
index 0000000000..5525845991
--- /dev/null
+++ b/docs/doxygen-user/interesting_files.dox
@@ -0,0 +1,79 @@
+/*! \page interesting_files_identifier_page Interesting Files Identifier Module
+
+What Does It Do
+========
+
+The Interesting Files module allows you to search for files or directories in a data source and generate alerts when they are found. You configure rules for the files that you want to find.
+
+Use this to be notified when certain things are found. There are examples below that generate alerts when VMWare images are found or when iPhone backup files are found. This module is useful for file types that will frequently have a consistent name and that may not be part of the standard checklist that you look for, or if you simply want to automate your checklist.
+
+Configuration
+=======
+
+Add rules using "Tools", "Options", "Interesting Files".
+
+All rules need to be part of a set. Sets need to have the following defined:
+
+- Set Name (required)
+- Set Description (optional)
+
+Rules specify what to look for in a data source. Each rule specifies:
+- Type: If the rule should be applied to only files, only directories, or both files and directories.
+- Name Pattern: String to match the file name against.
+- Name Pattern Type: Should the pattern be matched against the full file type or just the extension.
+- Path Pattern: A substring of the parent path that must be matched. This allows you to restrict generic names to a specific structure (such as an application name). A substring match is performed.
+- Rule Name: Additional details that are displayed in the UI when that rule is matched. This allows you to determine which rule in the set matched.
+
+\image html interesting_files_configuration.PNG
+
+
+VMWare Example
+--------
+This set of rules is to detect VMWare Player or vmdk files. This would help to make sure you look into the virtual machines for additional evidence.
+
+NOTE: This is not extensive and is simply a minimal example:
+
+
+- Set Name: VMWare
+- Rule 1:
+ - Type: Files
+ - Full Name: vmplayer.exe
+ - Name: Program EXE
+- Rule 2:
+ - Type: Files
+ - Extension: vmdk
+ - Name: VMDK File
+
+iPhone Backups Example
+-------------
+This set of rules is to detect a folder for iPhone Backups. These are typically in a folder such as "%AppData%\Roaming\Apple Computer\MobileSync\Backup" on Windows. Here is a rule that you could use for that.
+
+- Set Name: iPhone Backups
+- Rule 1:
+ - Type: Directory
+ - Name: Backup
+ - Path: Apple Computer/MobileSync
+
+
+Using the Module
+======
+
+When you enable the Interesting Files module, you can choose what rule sets to enable. To add rules, use the "Advanced" button from the ingest module panel.
+
+When files are found, they will be in the Interesting Files area of the tree. You should see the set and rule names with the match.
+
+
+Ingest Settings
+------
+
+When running the ingest modules, the user can choose which interesting file rules to enable .
+
+\image html interesting_files_ingest_settings.PNG
+
+Seeing Results
+------
+The results show up in the tree under "Results", "Interesting Items".
+
+\image html interesting_files_results.PNG
+
+*/
diff --git a/docs/doxygen-user/keyword_search.dox b/docs/doxygen-user/keyword_search.dox
index 2cf62e2417..ec880cac75 100644
--- a/docs/doxygen-user/keyword_search.dox
+++ b/docs/doxygen-user/keyword_search.dox
@@ -1,27 +1,18 @@ -/*! \page kwsrch_page Keyword Search Module +/*! \page keyword_search_page Keyword Search Module -Autopsy ships a keyword search module, which provides the \ref ingest "ingest capability" and also supports a manual text search mode. +What Does It Do +======== -The keyword search ingest module extracts text from the files on the image being ingested and adds them to the index that can then be searched. +The Keyword Search module facilitates both the \ref ingest_page "ingest" portion of searching and also supports manual text searching after ingest has completed. It extracts text from the files being ingested and adds them to a Solr index that can then be searched. -Autopsy tries its best to extract maximum amount of text from the files being indexed. First, the indexing will try to extract text from supported file formats, such as pure text file format, MS Office Documents, PDF files, Email files, and many others. If the file is not supported by the standard text extractor, Autopsy will fallback to string extraction algorithm. String extraction on unknown file formats or arbitrary binary files can often still extract a good amount of text from the file, often good enough to provide additional clues. However, string extraction will not be able to extract text strings from binary files that have been encrypted. +Autopsy tries its best to extract the maximum amount of text from the files being indexed. First, the indexing will try to extract text from supported file formats, such as pure text file format, MS Office Documents, PDF files, Email, and many others. If the file is not supported by the standard text extractor, Autopsy will fall back to a string extraction algorithm. String extraction on unknown file formats or arbitrary binary files can often extract a sizeable amount of text from a file, often enough to provide additional clues to reviewers. String extraction will not extract text strings from encrypted files. 
-Autopsy ships with some built-in lists that define regular expressions and enable user to search for Phone Numbers, IP addresses, URLs and E-mail addresses. However, enabling some of these very general lists can produce a very large number of hits, many of them can be false-positives. +Configuration +======= -Once files are in the index, they can be searched quickly for specific keywords, regular expressions, or using keyword search lists that can contain a mixture of keywords and regular expressions. Search queries can be executed automatically by the ingest during the ingest run, or at the end of the ingest, depending on the current settings and the time it takes to ingest the image. - -Search queries can also be executed manually by the user at any time, as long as there are some files already indexed and ready to be searched. - -Keyword search module will save the search results regardless whether the search is performed by the ingest process, or manually by the user. The saved results are available in the Directory Tree in the left hand side panel. - -To see keyword search results in real-time while ingest is running, add keyword lists using the \subpage keyword_search_configuration_dialog "Keyword Search Configuration Dialog" and select the "Use during ingest" check box. You can select "Send messages to inbox during ingest" per list, if the hits on that list should be reported in the Inbox, which is recommended for very specific searches. - -See (\ref ingest "Ingest") for more information on ingest in general. - -Once there are files in the index, the \subpage keyword_search_bar "Keyword Search Bar" will be available for use to manually search at any time. - - +Autopsy ships with some built-in lists that define regular expressions and enable the user to search for Phone Numbers, IP addresses, URLs and E-mail addresses. However, enabling some of these very general lists can produce a very large number of hits, and many of them can be false-positives. 
Regular expressions involving backtracking can potentially take a long time to complete. +Once files are placed in the Solr index, they can be searched quickly for specific keywords, regular expressions, or keyword search lists that can contain a mixture of keywords and regular expressions. Search queries can be executed automatically during the ingest run or at the end of the ingest, depending on the current settings and the time it takes to ingest the image. \section keyword_search_configuration_dialog Keyword Search Configuration Dialog @@ -35,48 +26,97 @@ To create a list, select the 'New List' button and choose a name for the new Key List Import and Export \n Autopsy supports importing Encase tab-delimited lists as well as lists created previously with Autopsy. For Encase lists, folder structure and hierarchy is currently ignored. This will be fixed in a future version. There is currently no way to export lists for use with Encase. This will also be added in future releases. +Lists tab \n +\image html keyword-search-configuration-dialog.PNG + +
String extraction setting \n The string extraction setting defines how strings are extracted from files from which text cannot be extracted because their file formats are not supported. This is the case with arbitrary binary files (such as the page file) and chunks of unallocated space that represent deleted files. -When we extract strings from binary files we need to interpet sequences of bytes as text differently, depending on the possible text encoding and script/language used. In many cases we don't know what the specific encoding / language the text is be encoded in in advance. However, it helps if the investigator is looking for a specific language, because by selecting less languages the indexing performance will be improved and a number of false positives will be reduced. -The default setting is to search for English strings only, encoded as either UTF8 or UTF16. This setting has the best performance (shortest ingest time). -The user can also use the String Viewer first and try different script/language settings, and see which setting gives satisfactory results for the type of text relevant to the investigation. Then the same setting that works for the investigation can be applied to the keyword search ingest. +When we extract strings from binary files we need to interpet sequences of bytes as text differently, depending on the possible text encoding and script/language used. In many cases we don't know in advance what the specific encoding/language the text is encoded in. However, it helps if the investigator is looking for a specific language, because by selecting less languages the indexing performance will be improved and the number of false positives will be reduced. +The default setting is to search for English strings only, encoded as either UTF8 or UTF16. This setting has the best performance (shortest ingest time). 
+The user can also use the String Viewer first and try different script/language settings, and see which settings give satisfactory results for the type of text relevant to the investigation. Then the same setting that works for the investigation can be applied to the keyword search ingest. +
+ String Extraction tab +\image html keyword-search-configuration-dialog-string-extraction.PNG + +
+
+General Settings \n +
NIST NSRL Support \n The hash database ingest service can be configured to use the NIST NSRL hash database of known files. The keyword search advanced configuration dialog "General" tab contains an option to skip keyword indexing and search on files that have previously marked as "known" and uninteresting files. Selecting this option can greatly reduce size of the index and improve ingest performance. In most cases, user does not need to keyword search for "known" files. Result update frequency during ingest \n -To control how frequently searches are executed during ingest, user can adjust the timing setting available in the keyword search advanced configuration dialog "General" tab. Setting the number of minutes lower will result in more frequent index updates and searches being executed and the user will be able to see results more in real-time. However, more frequent updates can affect the overall performance, especially on lower-end systems, and can potentially lengthen the overall time needed for the ingest to complete. +To control how frequently searches are executed during ingest, the user can adjust the timing setting available in the keyword search advanced configuration dialog "General" tab. Setting the number of minutes lower will result in more frequent index updates and searches being executed and the user will be able to see results more in real-time. However, more frequent updates can affect the overall performance, especially on lower-end systems, and can potentially lengthen the overall time needed for the ingest to complete. -Lists tab \n -\image html keyword-search-configuration-dialog.PNG - - String Extraction tab -\image html keyword-search-configuration-dialog-string-extraction.PNG +One can also choose to have no periodic searches. This will speed up the ingest. Users choosing this option can run their keyword searches once the entire keyword search index is complete. 
General tab \image html keyword-search-configuration-dialog-general.PNG + - + +
+Using the Module +====== +Search queries can be executed manually by the user at any time, as long as there are some files already indexed and ready to be searched. Searching before indexing is complete will naturally only search indexes that are already compiled. + + +See \ref ingest_page "Ingest" for more information on ingest in general. + +Once there are files in the index, the \subpage keyword_search_bar "Keyword Search Bar" will be available for use to manually search at any time. + + + +Ingest Settings +------ +The Ingest Settings for the Keyword Search module allow the user to enable or disable the specific built-in search expressions, Phone Numbers, IP Addresses, Email Addresses, and URLs. Using the Advanced button (covered below), one can add custom keyword groups. + +\image html keyword-search-ingest-settings.PNG + +
\section keyword_search_bar Keyword Search Bar -The keyword search bar is used to search for keywords in the manual mode (outside of ingest). The existing index will be searched for matching words, phrases, lists, or regular expressions. Results will be opened in a separate Results Viewer for every search executed and they will also be saved in the Directory Tree. +The keyword search bar is used to search for keywords in the manual mode (outside of ingest). The existing index will be searched for matching words, phrases, lists, or regular expressions. Individual Keyword Search \n -Individual keyword or regular expressions can be quickly searched using the search text box widget. To toggle between keyword and regular expression mode, use the down arrow in the search box. +Individual keyword or regular expressions can quickly be searched using the search text box widget. You can select "Exact Match", "Substring Match" and "Regular Expression" match. + +\image html keyword-search-bar.PNG +
+Results will be opened in a separate Results Viewer for every search executed and they will also be saved in the Directory Tree as shown in the screenshot below. +
+\image html keyword-search-hits.PNG +
Keyword List Search \n Lists created using the Keyword Search Configuration Dialog can be manually searched by the user by pressing on the 'Keyword Lists' button, selecting the check boxes corresponding to the lists to be searched, and pressing the 'Search' button. -Searching during ingest \n -The manual search for individual keywords or regular expressions can be executed also during the ongoing ingest on the current index using the search text box widget. Note however, that you may miss some results if not entire index has yet been populated. Autopsy enables you to perform the search on an incomplete index in order to retrieve some preliminary results in real-time. +\image html keyword-search-list.PNG +
+The results of the keyword list search are shown in the tree, as shown below. +
+\image html keyword-search-list-results.PNG +
-During the ingest, the manual search by keyword list is deactivated. A newly selected list can instead be added to the ongoing ingest, and it will be searched in the background instead. +Searching during ingest \n +Manual search for individual keywords or regular expressions can be executed while ingest is ongoing, using the current index. Note however, that you may miss some results if the entire index has not yet been populated. Autopsy enables you to perform the search on an incomplete index in order to retrieve some preliminary results in real-time. + +During the ingest, the manual search by keyword list is deactivated. A newly selected list can instead be added, and it will be searched in the background instead. Keywords and lists can be managed during ingest. -\image html keyword-search-bar.PNG + +Seeing Results +------ + +The Keyword Search module will save the search results regardless whether the search is performed by the ingest process, or manually by the user. The saved results are available in the Directory Tree in the left hand side panel. + +To see keyword search results in real-time while ingest is running, add keyword lists using the \subpage keyword_search_configuration_dialog "Keyword Search Configuration Dialog" and select the "Use during ingest" check box. You can select "Send messages to inbox during ingest" per list, if the hits on that list should be reported in the Inbox, which is recommended for very specific searches. + */ diff --git a/docs/doxygen-user/main.dox b/docs/doxygen-user/main.dox index eb01eef1bc..5b32a02497 100644 --- a/docs/doxygen-user/main.dox +++ b/docs/doxygen-user/main.dox 
@@ -4,9 +4,9 @@ Overview ----- -This is the User's Guide for the open source Autopsy platform (http://www.sleuthkit.org/autopsy/). Autopsy allows you to examine a hard drive or mobile device and recover evidence from it. This is the user guide to help you use the tool. If you are looking for the developer's guide to help you develop modules, it can be found at http://www.sleuthkit.org/autopsy/docs/api-docs/3.1/. +This is the User's Guide for the open source Autopsy platform. Autopsy allows you to examine a hard drive or mobile device and recover evidence from it. This guide should help you with using Autopsy. The developer's guide will help you develop your own Autopsy modules. -Note that Autopsy 3 is a complete rewrite from Autopsy 2 and none of this document is relevant to Autopsy 2. +Autopsy 3 is a complete rewrite from Autopsy 2, and none of this document is relevant to Autopsy 2. Help Topics ------- 
@@ -18,29 +18,34 @@ The following topics are available here: - Cases and Adding Data Sources - \subpage cases_page - \subpage ds_page -- Automated Analysis - + - \subpage uilayout_page +- Automated Analysis (Modules) - \subpage ingest_page "Ingest Modules" + - \subpage recent_activity_page - \subpage hash_db_page - - \subpage filetype_page - - Extension Mismatch Module - - Exif Module - - \subpage kwsrch_page - - E-mail Module - - Archive Module - - Recent Activity Module - - \subpage android_page - - \subpage interesting_page + - \subpage file_type_identification_page + - \subpage archive_extractor_page + - \subpage EXIF_parser_page + - \subpage keyword_search_page + - \subpage email_parser_page + - \subpage extension_mismatch_detector_page + - \subpage e01_verifier_page + - \subpage android_analyzer_page + - \subpage interesting_files_identifier_page + - \subpage photorec_carver_page - Manual Analysis - - \subpage uilayout_page - - \subpage file_search "File Search" - - \subpage image_viewer - - \subpage timeline + - \subpage tree_viewer_page + - \subpage result_viewer_page + - \subpage content_viewer_page + + - \subpage file_search_page + - \subpage timeline_page - \subpage stix_page - Reporting - - Tagging + - \subpage tagging_page + - \subpage reporting_page - \subpage module_install_page -If the topic you need is not listed, refer to the Help system in the tool or the wiki (http://wiki.sleuthkit.org/index.php?title=Autopsy_User%27s_Guide). +If the topic you need is not listed, refer to the Autopsy Wiki or join the SleuthKit User List at SourceForge. */ diff --git a/docs/doxygen-user/module_install.dox b/docs/doxygen-user/module_install.dox index ed877043b0..ad8337e660 100644 --- a/docs/doxygen-user/module_install.dox +++ b/docs/doxygen-user/module_install.dox 
@@ -1,4 +1,4 @@ -/*! \page module_install_page Installing 3rd Party Modules +/*! \page module_install_page Installing 3rd-Party Modules There are various places in Autopsy that developers can write custom plug-in modules. This page covers how to install them. @@ -7,11 +7,11 @@ There are two types of modules: - Modules written in Python that are shipped as a folder in a ZIP file. \section module_install_nbm Installing NetBeans Module -If you have a NBM file, then it may contain one or more Autopsy modules. To install it, use the plugin manager at "Tools" > "Plugins". +If you have an NBM file, then it may contain one or more Autopsy modules. To install it, use the plugin manager at "Tools", "Plugins". Choose the "Downloaded" tab and then choose "Add Plugins". Browse to the NBM file. It may require you to restart Autopsy. \section module_install_python Installing Python Module -If you have a ZIP file with a Python module in it, then unzip the file and you should get a folder. Open the Python module library folder using Tools -> Python Plugins. Copy the module folder into there and Autopsy should identify it next time it loads modules. +If you have a ZIP file with a Python module in it, then unzip the file and you should get a folder. Open the Python module library folder using "Tools", "Python Plugins". Copy the module folder into there and Autopsy should identify and use it next time it loads modules. */ diff --git a/docs/doxygen-user/photorec_carver.dox b/docs/doxygen-user/photorec_carver.dox new file mode 100755 index 0000000000..e61ec90da8 --- /dev/null +++ b/docs/doxygen-user/photorec_carver.dox 
@@ -0,0 +1,32 @@
+/*! \page photorec_carver_page PhotoRec Carver Module
+
+What Does It Do
+========
+
+The PhotoRec Carver module carves files from unallocated space in the data source and sends the files found through the ingest processing chain.
+
+This can help a reviewer discover more information about files that used to be on the device and were subsequently deleted. These are simply extra files that were found in "empty" portions of the device storage.
+
+
+Configuration
+=======
+
+There is nothing to configure for this module.
+
+
+Using the Module
+======
+Select the checkbox in the Ingest Modules settings screen to enable the PhotoRec Carver. Ensure that "Process Unallocated Space" is selected.
+
+Ingest Settings
+------
+There are no run-time settings for this module, but the global setting to "Process Unallocated Space" needs to be selected to make this work.
+
+Seeing Results
+------
+The results of carving show up on the tree under the appropriate data source with the heading "$CarvedFiles".
+
+\image html photorec_output.PNG
+
+Applicable types also show up in the "Views", "File Types" portion of the the tree, depending upon the file type.
+*/
diff --git a/docs/doxygen-user/quick_start_guide.dox b/docs/doxygen-user/quick_start_guide.dox
old mode 100644
new mode 100755
index 66c6e7114d..e9aa409633
--- a/docs/doxygen-user/quick_start_guide.dox
+++ b/docs/doxygen-user/quick_start_guide.dox
@@ -2,39 +2,44 @@ \section s1 Adding a Data Source (image, local disk, logical files) -Data sources are added to a case. A case can have a single data source or it can have multiple data source if they are related. Currently, a single report is generated for an entire case, so if you need to report on individual data sources, then you should use one data source per case. +Data sources are added to a case. A case can have a single data source or it can have multiple data sources. Currently, a single report is generated for an entire case, so if you need to report on individual data sources, then you should use one data source per case. If there are many drives/phones/other data sources for one investigation, then your case should have multiple data sources. \subsection s2 Creating a Case -To create a case, use either the "Create New Case" option on the Welcome screen or from the "File" menu. This will start the New Case Wizard. You will need to supply it with the name of the case and a directory to store the case results into. You can optionally provide case numbers and other details. +To create a case, use either the "Create New Case" option on the Welcome screen or from the "File" menu. This will start the New Case Wizard. You will need to supply it with the name of the case and a directory to store the case results into. You can optionally provide case numbers and reviewer names. \subsection s3 Adding a Data Source -The next step is to add input data source to the case. The Add Data Source Wizard will start automatically after the case is created or you can manually start it from the "File" menu or toolbar. You will need to choose the type of input data source to add (image, local disk or logical files and folders). Next, supply it with the location of the source to add. +The next step is to add an input data source to the case. 
The Add Data Source Wizard will start automatically after the case is created or you can manually start it from the "File" menu or toolbar. You will need to choose the type of input data source to add (image, local disk, or logical files and folders). Next, supply it with the location of the source to add. - For a disk image, browse to the first file in the set (Autopsy will find the rest of the files). Autopsy currently supports E01 and raw (dd) files. -- For local disk, select one of the detected disks. Autopsy will add the current view of the disk to the case (i.e. snapshot of the meta-data). However, the individual file content (not meta-data) does get updated with the changes made to the disk. Note, you may need run Autopsy as an Administrator to detect all disks. +- For local disk, select one of the detected disks. Autopsy will add the current view of the disk to the case (i.e. snapshot of the meta-data). However, the individual file content (not meta-data) does get updated with the changes made to the disk. Note, you may need run Autopsy as an Administrator to detect all disks. - For logical files (a single file or folder of files), use the "Add" button to add one or more files or folders on your system to the case. Folders will be recursively added to the case. There are a couple of options in the wizard that will allow you to make the ingest process faster. These typically deal with deleted files. It will take longer if unallocated space is analyzed and the entire drive is searched for deleted files. In some scenarios, these recovery steps must be performed and in other scenarios these steps are not needed and instead fast results on the allocated files are needed. Use these options to control how long the analysis will take. -Autopsy will start to analyze these data sources and add them to the case and internal database. While it is doing that, it will prompt you to configure the Ingest Modules. 
+Autopsy will start to analyze these data sources and add them to the case and the internal database. While it is doing that, it will prompt you to configure the Ingest Modules. \subsection s4 Ingest Modules -You will next be prompted to configure the Ingest Modules. Ingest modules will run in the background and perform specific tasks. The Ingest Modules analyze files in a prioritized order so that files in a user's directory are analyzed before files in other folders. Ingest modules can be developed by third-parties and here are some of the standard ingest modules that come with Autopsy: +You will next be prompted to configure the Ingest Modules. Ingest modules will run in the background and perform specific tasks. The Ingest Modules analyze files in a prioritized order so that files in a user's directory are analyzed before files in other folders. Ingest modules can be developed by third-parties. The standard ingest modules included with Autopsy are: -- Recent Activity extracts user activity as saved by web browsers and the OS. Also runs regripper on the registry hive. -- Hash Lookup uses hash databases to ignore known files from the NIST NSRL and flag known bad files. Use the "Advanced" button to add and configure the hash databases to use during this process. You will get updates on known bad file hits as the ingest occurs. You can later add hash databases via the Tools -> Options menu in the main UI. You can download an index of the NIST NSRL from http://sourceforge.net/projects/autopsy/files/NSRL/ -- Keyword Search uses keyword lists to identify files with specific words in them. You can select the keyword lists to search for automatically and you can create new lists using the "Advanced" button. Note that with keyword search, you can always conduct searches after ingest has finished. The keyword lists that you select during ingest will be searched for at periodic intervals and you will get the results in real-time. 
You do not need to wait for all files to be indexed. -- Archive Extractor opens ZIP, RAR, and other archive formats and sends the files from those archive files back through the pipelines for analysis. -- Exif Image Parser extracts EXIF information from JPEG files and posts the results into the tree in the main UI. -- Thunderbird Parser Identifies Thunderbird MBOX files and extracts the e-mails from them. +- \subpage recent_activity_page extracts user activity as saved by web browsers and the OS. Also runs Regripper on the registry hive. +- \subpage hash_db_page uses hash databases to ignore known files from the NIST NSRL and flag known bad files. Use the "Advanced" button to add and configure the hash databases to use during this process. You will get updates on known bad file hits as the ingest occurs. You can later add hash databases via the Tools -> Options menu in the main UI. You can download an index of the NIST NSRL from http://sourceforge.net/projects/autopsy/files/NSRL/ +- \subpage file_type_identification_page determines file types based on signatures and reports them based on MIME type. It stores the results in the Blackboard and many modules depend on this. It uses the Tika open source library. You can define your own custom file types in Tools, Options, File Types. +- \subpage archive_extractor_page opens ZIP, RAR, and other archive formats and sends the files from those archive files back through the pipelines for analysis. +- \subpage EXIF_parser_page extracts EXIF information from JPEG files and posts the results into the tree in the main UI. +- \subpage keyword_search_page uses keyword lists to identify files with specific words in them. You can select the keyword lists to search for automatically and you can create new lists using the "Advanced" button. Note that with keyword search, you can always conduct searches after ingest has finished. 
The keyword lists that you select during ingest will be searched for at periodic intervals and you will get the results in real-time. You do not need to wait for all files to be indexed before performing a keyword search, however you will only get results from files that have already been indexed when you perform your search. +- \subpage email_parser_page identifies Thunderbird MBOX files and PST format files based on file signatures, extracting the e-mails from them, adding the results to the Blackboard. +- \subpage extension_mismatch_detector_page uses the results from the File Type Identification and flags files that have an extension not traditionally associated with the file's detected type. Ignores 'known' (NSRL) files. You can customize the MIME types and file extensions per MIME type in Tools, Options, File Extension Mismatch. +- \subpage e01_verifier_page computes a checksum on E01 files and compares with the E01 file's internal checksum to ensure they match. +- \subpage android_analyzer_page allows you to parse common items from Android devices. Places artifacts into the BlackBoard. +- \subpage interesting_files_identifier_page searches for files and directories based on user-specified rules in Tools, Options, Interesting Files. It works as a "File Alerting Module". It generates messages in the inbox when specified files are found. +- \subpage photorec_carver_page carves files from unallocated space and sends them through the file processing chain. +When you select a module, you will have the option to change its settings. For example, you can configure which keyword search lists to use during ingest and which hash databases to use. Refer to the individual module help for details on configuring each module. -When you select a module, you will have the option to change its settings. For example, you can configure which keyword search lists to use during ingest and which hash databases to use. 
Refer to the help system inside of Autopsy for details on configuring each module. - -While ingest modules are running in the background, you will see a progress bar in the lower right. You can use the GUI to review incoming results and perform other tasks while ingest at that time. +While ingest modules are running in the background, you will see a progress bar in the lower right. You can use the GUI to review incoming results and perform other tasks while ingesting at the same time. \section s1a Analysis Basics @@ -54,7 +59,7 @@ If you are viewing files from the Views and Results nodes, you can right-click o If you want to search for single keywords, then you can use the search box in the upper right of the program. The results will be shown in a table in the upper right. -You can tag (or bookmark) arbitrary files so that you can more quickly find them later or so that you can include them specifically in a report. +You can tag (bookmark) arbitrary files so that you can more quickly find them later or so that you can include them specifically in a report. \subsection s2a Ingest Inbox @@ -71,8 +76,8 @@ You may learn that a known bad file was found or that a file was found with a re When you select a message, you can then jump to the Results tree where more details can be found or jump to the file's location in the filesystem. -\subsection s2b Timeline (beta) -There is a basic timeline view that you can access via the Tools -> Make Timeline feature. This will take a few minutes to create the timeline for analysis. Its features are still in development. +\subsection s2b Timeline +There is a basic timeline view that you can access via the "Tools", "Make Timeline" feature. This will take a few minutes to create the timeline for analysis. Its features are still in development. \section s5 Example Use Cases 
@@ -88,7 +93,7 @@ There, you can find bookmarks, cookies, downloads, and history. If you want to see if the data source had known bad files, make sure that the Hash Lookup ingest module was enabled. You can then view the "Hashset Hits" section in the "Results" area of the tree on the left. -Note that hash lookup can take a long time, so this section will be updated as long as the ingest process is occurring. +Note that hash lookup can take a long time, so this section will be updated as long as the ingest process is ongoing. Use the Ingest Inbox to keep track of what known bad files were recently found. When you find a known bad file in this interface, you may want to right click on the file to also view the file's original location. @@ -100,7 +105,7 @@ If you want to see all images and video on the disk image, then go to the " Select either "Images" or "Videos". You can use the thumbnail option in the upper right to view thumbnails of all images. -Note: We are working on making this more efficient when there are lots of images and we are working on the feature to display video thumbnails. +Note: We are working on making this more efficient when there are lots of images. We are also working on the feature to display video thumbnails. You can select an image or video from the upper right and view the video or image in the lower right. Video will be played with sound. diff --git a/docs/doxygen-user/recent_activity.dox b/docs/doxygen-user/recent_activity.dox new file mode 100755 index 0000000000..41efe651c0 --- /dev/null +++ b/docs/doxygen-user/recent_activity.dox 
@@ -0,0 +1,29 @@
+/*! \page recent_activity_page Recent Activity Module
+
+What Does It Do
+========
+
+The Recent Activity module extracts user activity as saved by web browsers (including web searches), installed programs, and the operating system. It also runs Regripper on the Registry hive.
+
+This allows you to see what activity has occured in the last seven days of usage, what web sites were vistied, what the machine did, and what it connected to.
+
+Configuration
+=======
+
+There is nothing to configure for this module.
+
+
+Using the Module
+======
+
+Ingest Settings
+------
+There are no run-time settings for this module.
+
+Seeing Results
+------
+Results show up in the tree under "Extracted Content".
+
+\image html extracted_content.png
+
+*/
diff --git a/docs/doxygen-user/reporting.dox b/docs/doxygen-user/reporting.dox
new file mode 100755
index 0000000000..494d28ccc0
--- /dev/null
+++ b/docs/doxygen-user/reporting.dox
@@ -0,0 +1,42 @@
+/*! \page reporting_page Reporting
+
+Reporting
+
+To create a report, go to "Tools", "Generate Report". You can choose several different types of reports. We will go through the HTML report here.
+\image html generate-report-1.PNG
+
+
+When you have selected a report type, choose between
+- All Results
+- Tagged Results
+
+\image html generate-report-2.PNG
+
+
+If you select All Results, you can choose the Data Types (Artifact Types) you would like included.
+
+\image html generate-report-3.PNG
+
+
+If you select Tagged Results, you can choose the tags you would like included.
+
+\image html generate-report-4.PNG
+
+
+In our case, an HTML report is generated.
+
+
+All Results HTML Report:
+
+\image html generate-report-5.PNG
+
+
+Tagged Results HTML Report:
+
+\image html generate-report-6.PNG
+
+There are other types of reports to choose, but they operate on the same principle. Select either All Results or Tagged results to include.
+
+
+*/
diff --git a/docs/doxygen-user/result_viewer.dox b/docs/doxygen-user/result_viewer.dox
new file mode 100755
index 0000000000..d8aa4156ef
--- /dev/null
+++ b/docs/doxygen-user/result_viewer.dox
@@ -0,0 +1,20 @@
+/*! \page result_viewer_page Result Viewer
+
+The Result Viewer is located on the top right of the Autopsy screen. It shows lists of files and their corresponding attributes such as time, path, size, checksum, etc.
+
+
+\image html result-viewer-example-1.PNG
+
+
+You can also switch it to Thumbnail view to see thumbnails of the content in the selected folder.
+
+
+\image html result-viewer-example-2.PNG
+
+
+The Result Viewer is context-aware, meaning it will show applicable columns for the data type selected.
+
+\image html result-viewer-example-3.PNG
+
+
+*/
diff --git a/docs/doxygen-user/result_viewers.dox b/docs/doxygen-user/result_viewers.dox
new file mode 100644
index 0000000000..190f2d7e5f
--- /dev/null
+++ b/docs/doxygen-user/result_viewers.dox
@@ -0,0 +1,20 @@
+/*! \page result_viewer_page Result Viewer
+
+The Result Viewer is located on the top right of the Autopsy screen. It shows lists of files and their corresponding attributes such as time, path, size, checksum, etc.
+
+
+\image html result-viewer-example-1.PNG
+
+
+You can also switch it to Thumbnail view to see thumbnails of the content in the selected folder.
+
+
+\image html result-viewer-example-2.PNG
+
+
+The Result Viewer is context-aware, meaning it will show applicable columns for the data type in selected.
+
+\image html result-viewer-example-3.PNG
+
+
+*/
diff --git a/docs/doxygen-user/stix.dox b/docs/doxygen-user/stix.dox
old mode 100644
new mode 100755
diff --git a/docs/doxygen-user/tagging.dox b/docs/doxygen-user/tagging.dox
new file mode 100755
index 0000000000..71be81158d
--- /dev/null
+++ b/docs/doxygen-user/tagging.dox
@@ -0,0 +1,33 @@
+/*! \page tagging_page Tagging
+
+Tagging (or Bookmarking) allows you to create a reference to a file or object and easily find it later.
+
+When an interesting item is discovered, the user can tag it by right-clicking the item and selecting one of the tag options.
+
+When you tag a Blackboard artifact result, you have the choice to either:
+- Tag File -- use this when the file itself is of interest
+- Tag Result -- use this when the result is of interest
+
+Which to choose depends upon the context and what you desire in the final report.
+
+\image html tagging-1.PNG
+
+Once you have choosen to tag the file or the result, there are two more options:
+- Quick Tag -- use this if you just want the tag
+- Tag and Comment -- use this if you need to add a comment about this tag
+
+\image html tagging-2.PNG
+
+You can create arbitrary tag names. Autopsy remembers your tag names from previous cases, so choose wisely. Choose a tag from the list you have created, or create a "New Tag".
+
+\image html tagging-3.PNG
+
+You can apply tags to groups of items at once. Select multiple items in the Blackboard, right click, and add the appropriate tag.
+Items may have more than one tag.
+
+Tagged results are shown in the "Results" portion of the tree under "Tags".
+
+
+\image html tagging-4.PNG
+
+*/ diff --git a/docs/doxygen-user/timeline.dox b/docs/doxygen-user/timeline.dox old mode 100644 new mode 100755 index 655bfdc0f1..67c306bb84 --- a/docs/doxygen-user/timeline.dox +++ b/docs/doxygen-user/timeline.dox @@ -1,13 +1,13 @@ -/*! \page timeline Timeline +/*! \page timeline_page Timeline Overview ======== -This document outlines the use of the new Timeline feature of Autopsy. This feature was funded by DHS S&T to help provide free and open source digital forensics tools to law enforcement. +This document outlines the use of the Timeline feature of Autopsy. This feature was funded by DHS S&T to help provide free and open source digital forensics tools to law enforcement. This document assumes basic familiarity with Autopsy. Quick Start =========== -# Create a case as normal and add a disk image (or folder of files) as a data source. To get the most out of the timeline, ensure that you have the hash lookup module enabled with NSRL (to ignore known files) and have the EXIF and recent activity modules enabled to collect additional temporal data. --# After the image has been added, click Tools-> Timeline in the menu. This will open the Timeline tool in a new window. You can do this while ingest is running, but you will not have access to the temporal data that will be found after you create the timeline, unless you re-open the timeline tool. +-# After the image has been added, click "Tools", "Timeline" in the menu. This will open the Timeline tool in a new window. You can do this while ingest is running, but you will not have access to the temporal data that will be found after you create the timeline, unless you re-open the timeline tool. diff --git a/docs/doxygen-user/tree_viewer.dox b/docs/doxygen-user/tree_viewer.dox new file mode 100755 index 0000000000..6a40c02d8d --- /dev/null +++ b/docs/doxygen-user/tree_viewer.dox 
@@ -0,0 +1,10 @@
+/*! \page tree_viewer_page Tree Viewer
+
+The Tree Viewer shows the discovered folders by the data sources they come from, as well as a list of files in the folders. It is located on the left side of the Autopsy screen.
+
+Each folder in the tree on the left shows how many items are contained within it in parenthesis after the directory name. See the picture below.
+
+
+\image html directory-tree.PNG
+
+*/
diff --git a/docs/doxygen-user/uilayout.dox b/docs/doxygen-user/uilayout.dox
index a97c35cbbb..e5b298451b 100644
--- a/docs/doxygen-user/uilayout.dox
+++ b/docs/doxygen-user/uilayout.dox
@@ -1,55 +1,72 @@
 /*! \page uilayout_page UI Layout
+
\section ui_overview Overview -Three parts of the UI…. +The major areas in the Autopsy User Interface (UI) are: +- \ref ui_tree, shown outlined in green below +- \ref ui_results, shown outlined in blue below +- \ref ui_content, shown outlined in red below +- \ref ui_keyword, shown outlined in yellow below +- \ref ui_status, shown in solid purple below + +\image html ui-layout-1.PNG + +
+
+
+\section ui_tree Tree Viewer +\subpage tree_viewer_page "More..." +
-\section ui_tree Left-side Tree - -The tree on the left-hand side is where you will start many of your analysis approaches and find saved results from automated procedures (ingest). The tree has three main areas: -\li Images: Where you can find the directory tree hierarchy of the file systems in the images. Go here to navigate to a specific file or directory. -\li Views: Where you can view all of the files in the images, but organized by file type or dates instead of directories. Go here if you are looking for files of a given type or that were recently used. -\li Results: Where you can see the results from the background ingest tasks and you can see your previous search results. Go here to see what was found by the ingest modules and to find your previous search results. -\li Tags: Where you can view all file and results that have been bookmarked for easy access. -\li Reports: Where you can find references to reports that you have generated or that some of the ingest modules created. +The tree on the left-hand side is find saved results from automated procedures (ingest). The tree has four main areas: +- Data Sources: This shows the directory tree hierarchy of the file systems in the images. You can navigate to a specific file or directory here. Each data source added is represented as a drive. If you add a data source multiple times, it shows up multiple times. +- Views: Specific types of files from the data sources are shown here, aggregated by type or other properties. Files here can come from more than one data source. Look here for files of a specific type or property. +- Results: Where you can see the results from the background ingest tasks and you can see your previous search results. Go here to see what was found by the ingest modules and to find your previous search results. 
+- Reports: References to reports that you have generated or that ingest modules have created show up here -Below is an example of the tree -\image html explorer-tree.PNG +\subsection ui_tree_ds Data Sources +The Data Sources section shows each data source that has been added to the case, in order added (top one is first). +Right clicking on the various nodes in the Data Sources section of the tree will allow you to get more options for each data source and its contents. -\subsection ui_tree_ds Data Source Section - -Right clicking on the various nodes in the tree will allow you to get more options for each data source and its contents. - -One item to mention in this area is extracting unallocated space. Unallocated space are chunks of the file system that is currently not being used for anything. Unallocated space can store deleted files and other interesting artifacts. On the actual image, Unallocated space is stored in blocks with distinct locations on the system. However, because of the way various carving tools work, it is more ideal to feed them a single, large unallocated file. Autopsy provides access to both methods of looking at unallocated space. -\li Individual Blocks Underneath a volume, there is a folder named Unalloc. This folder contains all the individual unallocated blocks as the image is storing them. You can right click and extract them the same way you can extract any other type of file in the Directory Tree. -\li Single Files There are two ways to extract unallocated space as a single file. Right clicking on a volume and selecting "Extract Unallocated Space as Single File" will concatenate all the unallocated files into a single, continuous file for the volume. The second way is to right click on an image, and select "Extract Unallocated Space to Single Files". This option will extract one single file for each volume in the image. Progress on extraction is sent to the progress bar in the bottom right. 
Progress is based on number of files concatenated. These files are stored in the Export folder under the case directory. Files are named according to ImageName-Unalloc-ImageObjectID-VolumeID.dat This naming scheme ensures that no duplicate file names will occur even if an there are two images with the same name in a case. - -Below is where to find the single file extraction option +Unallocated space is chunks of the file system that is currently not being used for anything. Unallocated space can store deleted files and other interesting artifacts. On the actual image, Unallocated space is stored in blocks with distinct locations on the system. However, because of the way various carving tools work, it is more ideal to feed them a single, large unallocated file. Autopsy provides access to both methods of looking at unallocated space. +\li Individual blocks in a volume There is a folder named "Unalloc". This folder contains all the individual unallocated blocks as the image is storing them. You can right click and extract them the same way you can extract any other type of file in the Directory Tree. +\li Single files Right click on a volume and select "Extract Unallocated Space as Single File" to concatenate all the unallocated files in the volume into a single, continuous file. (If desired, you can right click on an image, and select "Extract Unallocated Space to Single Files" which will do the same thing, but once for each volume in the image). +An example of the single file extraction option is shown below. \image html extracting-unallocated-space.PNG -\subsection ui_tree_views Views Section +\subsection ui_tree_views Views -TODO - -\subsection ui_tree_results Results Section - -TODO - -\subsection ui_tree_tags Tags Section - -TODO - -\subsection ui_tree_reports Reports Section - -TODO +Views filter all the files in the case by some external property of the file, not by any internal analysis of the file. 
+- File Type Sorts files by file extension, and shows them in the appropriate group. For example, .mp3 and .wav both end up in the "Audio" group. +- Recent Files Displays files that are accessed within the last seven days the user had the device. +- Deleted Files Displays files that have been deleted but the names have been recovered. +- File Size Sorts files based upon size. This can give you an idea where to look for files you are interested in. -\section ui_results Upper-right Results Viewer Area +\subsection ui_tree_results Results +- Extracted Content: Many ingest modules will place results here; EXIF data, GPS locations, or Web History for example +- Keyword Hits: Keyword search hits show up here +- Hashset Hits: Hashset hits show up here +- E-Mail Messages: Email messages show up here +- Interesting Items: Things deemed interesting show up here +- Tags: Any item you tag shows up here so you can find it again easily + +\subsection ui_tree_reports Reports + +Reports can be added by \subpage ingest_page or created using the \subpage reporting_page tool. + +
+
+
+\section ui_results Result Viewer +\subpage result_viewer_page "More..." +
The Result Viewer windows are in the upper right area of the interface and display the results from selecting something in the tree. You will have the option to display the results in a variety of formats. 
@@ -61,39 +78,39 @@ Here are some examples that you may see: \li Extract: Make a local copy of the file or directory for further analysis. \li Search for files with the same MD5 Hash: Searches the entire file-system for any files with the same MD5 Hash as the one selected. - -\subsection table_result_viewer Table Result Viewers - -Thumbnail Results Viewer -Thumbnail Results Viewer displays the data catalog as a table of thumbnail images in adjustable sizes. This viewer only supports picture file(s) (Currently, only supports JPG, GIF, and PNG formats). Click the Thumbnail tab to select this view. Note that for a large number of images in a directory selected in the Data Explorer, or for a View selected that contains a large number of images, it might take a while to populate this view for the first time before the images are cached. +\subsection thumbnail_result_viewer Thumbnail Result Viewers +Thumbnail Results Viewer displays the data catalog as a table of thumbnail images in adjustable sizes. This viewer only supports picture files (Currently, only supports JPG, GIF, and PNG formats). Click the Thumbnail tab to select this view. Note that for a large number of images in a directory selected in the Data Explorer, or for a View selected that contains a large number of images, it might take a while to populate this view for the first time before the images are cached. Example\n -Below is an example of "Table Results Viewer" window: -\image html table-result-viewer-tab.PNG +Below is an example of "Thumbnail Results Viewer" window: +\image html thumbnail-result-viewer-tab.PNG - -\subsection thumbnail_result_viewer Thumbnail Result Viewers +\subsection table_result_viewer Table Result Viewers Table Results Viewer (Directory Listing) displays the data catalog as a table with some details (properties) of each file. 
The properties that it shows are: name, time (modified, changed, accessed, and created), size, flags (directory and meta), mode, user ID, group ID, metadata address, attribute address, and type (directory and meta). Click the Table Viewer tab to select this view. The Results Viewer can be also activated for saved results and it can show a high level results grouped, or a results at a file level, depending on which node on the Directory Tree is selected to populate the Table Results Viewer. Example\n Below is an example of a "Table Results Viewer" window: -\image html thumbnail-result-viewer-tab.PNG +\image html table-result-viewer-tab.PNG - - -\section ui_content Lower-right Content Viewer Area +
+
+
+\section ui_content Content Viewer +\subpage content_viewer_page "More..." +
The Content Viewer area is in the lower right area of the interface. This area is used to view a specific file in a variety of formats. There are different tabs for different viewers. Not all tabs support all file types, so only some of them will be enabled. To display data in this area, a file must be selected from the Result Viewer window. The Content Viewer area is part of a plug-in framework. You can install modules that will add more viewer types. This section describes the viewers that come by default with Autopsy. \subsection result_content_viewers Result Content Viewer -Result Content Viewer shows the artifacts (saved results) associated with the item selected in the Result Viewer. +Content Viewer shows the artifacts (saved results) associated with the item selected in the Result Viewer. + Example Below is an example of "Result Content Viewer" window: -\image html result-viewer-example.PNG +\image html result-viewer-example-1.PNG \subsection hex_content_viewer Hex Content Viewer Hex Content Viewer shows you the raw and exact contents of a file. In this Hex Content Viewer, the data of the file is represented as hexadecimal values grouped in 2 groups of 8 bytes, followed by one group of 16 ASCII characters which are derived from each pair of hex values (each byte). Non-printable ASCII characters and characters that would take more than one character space are typically represented by a dot (".") in the following ASCII field. 
@@ -114,9 +131,9 @@ Here's one of the example of the "Media Content Viewer": \subsection string_content_viewer String Content Viewer -Strings Content Viewer scans (potentially binary) data of the file / folder and searches it for data that could be text. When appropriate data is found, the String Content Viewer shows data strings extracted from binary, decoded, and interpreted as UTF8/16 for the selected script/language. +The String Content Viewer scans (potentially binary) data of the file / folder and searches it for data that could be text. When appropriate data is found, the String Content Viewer shows data strings extracted from binary, decoded, and interpreted as UTF8/16 for the selected script/language. -Note that this is different from the Text Content Viewer, which displays the text for a file that is stored in the keyword search index. The results may be the same or they could be different, depending how the data were interpreted by the indexer. +Note that this is different from the Text Content Viewer, which displays the text for a file that is stored in the keyword search index. The results may be the same or they could be different, depending how the data is interpreted by the indexer. Example \n Below is an example of "String Content Viewer" window: @@ -133,4 +150,16 @@ If this tab is not enabled, then either the file has no text or you did not enab \image html text-view.PNG +
+
+
+\section ui_keyword Keyword Search
+Keyword Search allows the user to search for keywords in the data source. It is covered in more detail here: \subpage keyword_search_page
+
+
+
+\section ui_status Status Area
+The Status area will show progress bars while ingest is occuring. This visually indicates to the user what portion of the processing is already complete. The user can click on the progress bars to see further detail or to cancel ingest jobs.
+
+ */
diff --git a/docs/doxygen-user/workflow.dox b/docs/doxygen-user/workflow.dox
index ca24019681..0ed9fbbf2f 100644
--- a/docs/doxygen-user/workflow.dox
+++ b/docs/doxygen-user/workflow.dox
@@ -3,8 +3,8 @@ Analyzing data in Autopsy uses the following workflow: -# Create a Case: A case is a container for one or more data sources. One must be created before data is analyzed. See \ref cases_page for more details. -# Adding a Data Source: One or more data sources are added to the case. Data sources include disk images and local files. See \ref ds_page for more details. --# Analyze with Ingest Modules: After the data source is added, ingest modules to operate in the background to analyze the data. Results are posted to the interface in real time and provide alerts as necessary. Example ingest modules include hash calculation and lookup, keyword searching, and web artifact extraction. 3rd party modules can be developed and added to the pipelines. See \ref ingest_page. --# Manual Analysis: User navigates interface, file contents, and ingest module results to identify the evidence. Interesting items can be tagged for later reporting and analysis. --# Report Generation: User generates final report based on tagged or all results. +-# Analyze with Ingest Modules: After the data source is added, ingest modules operate in the background to analyze the data. Results are posted to the interface in real time and provide alerts as necessary. Example ingest modules include \ref hash_db_page "hash calculation and lookup", \ref keyword_search_page "keyword searching", and \ref recent_activity_page "web artifact extraction". 3rd-party modules can be developed and added to the pipelines. See \ref ingest_page. +-# Manual Analysis: The user navigates the interface, file contents, and ingest module results to identify the evidence. Interesting items can be tagged for later reporting and analysis. +-# Report Generation: The user initiates a final report based on selected tags or results. */ diff --git a/docs/doxygen/Doxyfile b/docs/doxygen/Doxyfile old mode 100644 new mode 100755 diff --git a/docs/doxygen/footer.html b/docs/doxygen/footer.html old mode 100644 new mode 100755 
diff --git a/docs/doxygen/main.dox b/docs/doxygen/main.dox
old mode 100644
new mode 100755
diff --git a/docs/doxygen/modAdvanced.dox b/docs/doxygen/modAdvanced.dox
old mode 100644
new mode 100755
diff --git a/docs/doxygen/modContent.dox b/docs/doxygen/modContent.dox
old mode 100644
new mode 100755
diff --git a/docs/doxygen/modDev.dox b/docs/doxygen/modDev.dox
old mode 100644
new mode 100755
diff --git a/docs/doxygen/modDevPython.dox b/docs/doxygen/modDevPython.dox
old mode 100644
new mode 100755
diff --git a/docs/doxygen/modIngest.dox b/docs/doxygen/modIngest.dox
old mode 100644
new mode 100755
diff --git a/docs/doxygen/modMobile.dox b/docs/doxygen/modMobile.dox
old mode 100644
new mode 100755
diff --git a/docs/doxygen/modReport.dox b/docs/doxygen/modReport.dox
old mode 100644
new mode 100755
diff --git a/docs/doxygen/modResult.dox b/docs/doxygen/modResult.dox
old mode 100644
new mode 100755
diff --git a/docs/doxygen/native_libs.dox b/docs/doxygen/native_libs.dox
old mode 100644
new mode 100755
diff --git a/docs/doxygen/platformConcepts.dox b/docs/doxygen/platformConcepts.dox
old mode 100644
new mode 100755
diff --git a/docs/doxygen/regressionTesting.dox b/docs/doxygen/regressionTesting.dox
old mode 100644
new mode 100755
diff --git a/docs/doxygen/viewer_image.jpg b/docs/doxygen/viewer_image.jpg
old mode 100644
new mode 100755
diff --git a/docs/doxygen/workflow.dox b/docs/doxygen/workflow.dox
old mode 100644
new mode 100755
diff --git a/docs/javahelp-notes.txt b/docs/javahelp-notes.txt
old mode 100644
new mode 100755