Merge branch 'develop' of https://github.com/sleuthkit/autopsy into develop

raman-bt 2014-01-21 08:13:06 -05:00
commit c3330e3968
55 changed files with 1449 additions and 1634 deletions


@ -1,9 +1,5 @@
Changes to make to API when we are ready to make backward incompatible changes: Changes to make to API when we are ready to make backward incompatible changes:
- HTMLReport has special API for more context on columns and special handling in REportGenerator. Change all reports to the new API. - HTMLReport has special API for more context on columns and special handling in REportGenerator. Change all reports to the new API.
- DataContentViewer.isPreferred does not need isSupported to be passed in
- DataContentViewerHex and Strings can have the public setDataView methods removed in favor of the new private ones
- Content.getUniquePath() should not thrown TskException. We should deal with it in the method. - Content.getUniquePath() should not thrown TskException. We should deal with it in the method.
- Make the list of events that Case fires off to be part of an enum to group them together (like IngestManager does). - Make the list of events that Case fires off to be part of an enum to group them together (like IngestManager does).
- Sub-modules in RecentActivity have a bunch of public/protected variables that do not need to be. (i.e. ExtractRegistry.rrFullFound).
- Delete BrowserType enum and BrowserActivityType in RecentActivity.


@ -234,9 +234,6 @@ public class AddImageTask implements Runnable {
if (!(cancelled || hasCritError)) { if (!(cancelled || hasCritError)) {
try { try {
// Tell the progress monitor we're done
progressMonitor.setProgress(100);
if (newContents.isEmpty()) { if (newContents.isEmpty()) {
if (addImageProcess != null) { // and if we're done configuring ingest if (addImageProcess != null) { // and if we're done configuring ingest
// commit anything // commit anything
@ -255,6 +252,8 @@ public class AddImageTask implements Runnable {
else { //already commited? else { //already commited?
logger.log(Level.INFO, "Assuming image already committed, will not commit."); logger.log(Level.INFO, "Assuming image already committed, will not commit.");
} }
// Tell the progress monitor we're done
progressMonitor.setProgress(100);
} catch (Exception ex) { } catch (Exception ex) {
//handle unchecked exceptions post image add //handle unchecked exceptions post image add
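Review bot: With `progressMonitor.setProgress(100)` now the last statement of the `try` body, any exception thrown on the commit path skips it and control goes straight to `catch (Exception ex)`, so the monitor may never be told the task has ended. The catch body lies outside this hunk, so this may already be handled there. If it is not, finalise the monitor on the failure path too, for example in a `finally` block, and keep a failed add visibly distinct from a successful one so an uncommitted data source is not read as complete. A short comment such as `// only report completion once the commit/revert decision has been made` would record why the call sits after the commit. The enclosing method starts and ends outside the hunk.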


@ -1,51 +1,51 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<title>Data Source Basics</title> <title>Data Source Basics</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css"> <link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head> </head>
<body> <body>
<h2>About Data Sources</h2> <h2>About Data Sources</h2>
<p> <p>
Autopsy supports 3 types of data sources that can be added to the Case:</p> Autopsy supports 3 types of data sources that can be added to the Case:</p>
<ul> <ul>
<li>Disk Image (raw, Encase, etc). <li>Disk Image (raw, Encase, etc).
"Image" refers to a byte-for-byte copy of a hard drive or other storage media. "Image" refers to a byte-for-byte copy of a hard drive or other storage media.
</li> </li>
<li>Disk Device (physical or logical disk partition, plugged in the user machine and detected by Autopsy). <li>Disk Device (physical or logical disk partition, plugged in the user machine and detected by Autopsy).
Note: to correctly detect all devices, Autopsy needs to run as Administrator. Note: to correctly detect all devices, Autopsy needs to run as Administrator.
</li> </li>
<li>Logical Files (files and folders on the user machine file system)</li> <li>Logical Files (files and folders on the user machine file system)</li>
</ul> </ul>
<p> <p>
User needs to select the data source type from the pull down menu in the Add Data Source wizard. User needs to select the data source type from the pull down menu in the Add Data Source wizard.
</p> </p>
<p> <p>
To analyze a Data Source, user should use the <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/addImage.html">Add Data Source Wizard</a> To analyze a Data Source, user should use the <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/addImage.html">Add Data Source Wizard</a>
to add it to a <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/casemodule-about.html">case</a>. to add it to a <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/casemodule-about.html">case</a>.
</p> </p>
<p> <p>
Autopsy populates an embedded database for each data source (image, disk device, logical files) that it imports. Autopsy populates an embedded database for each data source (image, disk device, logical files) that it imports.
This database is a SQLite database and it contains all of the file system metadata from the input data source. This database is a SQLite database and it contains all of the file system metadata from the input data source.
The database is stored in the case directory, but the data source will stay in its original location. The database is stored in the case directory, but the data source will stay in its original location.
The data source must remain accessible for the duration of the analysis because the database contains only basic file system information (meta-data, not the actual content). The data source must remain accessible for the duration of the analysis because the database contains only basic file system information (meta-data, not the actual content).
The image / files are needed to retrieve file content. The image / files are needed to retrieve file content.
</p> </p>
<h2>Supported Image Formats</h2> <h2>Supported Image Formats</h2>
<p>Currently, Autopsy supports these image formats:</p> <p>Currently, Autopsy supports these image formats:</p>
<ul> <ul>
<li>Raw Single (For example: *.img, *.dd, *.raw, etc)</li> <li>Raw Single (For example: *.img, *.dd, *.raw, etc)</li>
<li>Raw Split (For example: *.001, *.002, *.aa, *.ab, etc)</li> <li>Raw Split (For example: *.001, *.002, *.aa, *.ab, etc)</li>
<li>EnCase (For example: *.e01, *e02, etc)</li> <li>EnCase (For example: *.e01, *e02, etc)</li>
</ul> </ul>
<h2>Removing a Data Source</h2> <h2>Removing a Data Source</h2>
<p>You cannot currently remove an data source from a case.</p> <p>You cannot currently remove an data source from a case.</p>
</body> </body>
</html> </html>


@ -1,53 +1,53 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<title>Adding Data Source (Image, Disk, Files) Wizard</title> <title>Adding Data Source (Image, Disk, Files) Wizard</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css"> <link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head> </head>
<body> <body>
<h2>Adding a Data Source</h2> <h2>Adding a Data Source</h2>
<p>There are two ways to add an data source to the currently opened case:</p> <p>There are two ways to add an data source to the currently opened case:</p>
<ul> <ul>
<li>Go to "File" and select "Add Data Source..." </li> <li>Go to "File" and select "Add Data Source..." </li>
<li>Select the <img src="addImage-icon.png" alt="Add Image Icon" /> icon on the toolbar</li> <li>Select the <img src="addImage-icon.png" alt="Add Image Icon" /> icon on the toolbar</li>
</ul> </ul>
<p>This will bring up the Add Data Source wizard. It will guide you through the process.</p> <p>This will bring up the Add Data Source wizard. It will guide you through the process.</p>
<p>Here are some notes on what is going on during the process:</p> <p>Here are some notes on what is going on during the process:</p>
<ul> <ul>
<li> <li>
The first panel will ask you to select the data source type and The first panel will ask you to select the data source type and
browse for the data source (image or files located on the computer, or select the device detected). browse for the data source (image or files located on the computer, or select the device detected).
In case of adding a disk image, you will also need to specify the timezone that the disk image came from In case of adding a disk image, you will also need to specify the timezone that the disk image came from
so that the dates and times can be properly displayed and converted. so that the dates and times can be properly displayed and converted.
As soon as you click 'Next >', Autopsy will begin analyzing the disk image and populating the database in the background. As soon as you click 'Next >', Autopsy will begin analyzing the disk image and populating the database in the background.
<br /> <br />
<img src="AddImageWizard1_Help.png" alt="Add Image Wizard Panel 1 Help" /> <img src="AddImageWizard1_Help.png" alt="Add Image Wizard Panel 1 Help" />
</li> </li>
<li> <li>
The second panel allows you to choose which ingest modules to run on the image. The second panel allows you to choose which ingest modules to run on the image.
Refer to the <a href="nbdocs:/org/sleuthkit/autopsy/ingest/docs/ingest-about.html">Image Ingest</a> part of the help guide for more details. Refer to the <a href="nbdocs:/org/sleuthkit/autopsy/ingest/docs/ingest-about.html">Image Ingest</a> part of the help guide for more details.
<br /> <br />
<img src="AddImageWizard2_Help.png" alt="Add Image Wizard Panel 3 Help" /> <img src="AddImageWizard2_Help.png" alt="Add Image Wizard Panel 3 Help" />
</li> </li>
<li> <li>
The third panel provides a progress bar and information about the data source Autopsy is currently processing. The third panel provides a progress bar and information about the data source Autopsy is currently processing.
If small enough, the input may have already finished processing, allowing you to continue past this panel. If small enough, the input may have already finished processing, allowing you to continue past this panel.
However, it may be necessary to wait for a short time while the database is populated. However, it may be necessary to wait for a short time while the database is populated.
<br /> <br />
<img src="AddImageWizard3_Help.png" alt="Add Image Wizard Panel 2 Help" /> <img src="AddImageWizard3_Help.png" alt="Add Image Wizard Panel 2 Help" />
</li> </li>
<li> <li>
Once the input data source finishes adding, the ingest modules you selected will automatically run in the background. Once the input data source finishes adding, the ingest modules you selected will automatically run in the background.
If the data source is processed before you select ingest modules, Autopsy will wait until you have done so. If the data source is processed before you select ingest modules, Autopsy will wait until you have done so.
</li> </li>
</ul> </ul>
<p> <p>
Note that in case of image, Autopsy will store the path to the image in its configuration file. Note that in case of image, Autopsy will store the path to the image in its configuration file.
If the image moves, then Autopsy will give an error because it can't find the image file and it will prompt user to point to the new image location. If the image moves, then Autopsy will give an error because it can't find the image file and it will prompt user to point to the new image location.
</p> </p>
</body> </body>
</html> </html>


@ -1,28 +1,28 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<title>Case Properties Window</title> <title>Case Properties Window</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css"> <link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head> </head>
<body> <body>
<h2>Case Properties Window</h2> <h2>Case Properties Window</h2>
<p> <p>
Case Properties Window is where you can check some information about the currently opened case Case Properties Window is where you can check some information about the currently opened case
(case name, case creation date, case directory, and images in this case). (case name, case creation date, case directory, and images in this case).
</p> </p>
<p>In this window, you can also do the following things:</p> <p>In this window, you can also do the following things:</p>
<ul> <ul>
<li>Change/update the case name</li> <li>Change/update the case name</li>
<li>Delete the current case</li> <li>Delete the current case</li>
</ul> </ul>
<h2>How to Open Case Properties Window</h2> <h2>How to Open Case Properties Window</h2>
<p>To open the "Case Properties" window, go to "File" and then select "Case Properties..."</p> <p>To open the "Case Properties" window, go to "File" and then select "Case Properties..."</p>
<h2>Example</h2> <h2>Example</h2>
<p>Here's an example of the "Case Properties" window:</p> <p>Here's an example of the "Case Properties" window:</p>
<img src="CasePropertiesHelp.png" alt="Case Properties Help" /> <img src="CasePropertiesHelp.png" alt="Case Properties Help" />
</body> </body>
</html> </html>


@ -1,33 +1,33 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<title>About Cases</title> <title>About Cases</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css"> <link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head> </head>
<body> <body>
<h2>About Cases</h2> <h2>About Cases</h2>
<p> <p>
In Autopsy, a "case" is a container concept for a set of <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/aboutImage.html">input data sources (disk images, disk devices, logical files)</a>. In Autopsy, a "case" is a container concept for a set of <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/aboutImage.html">input data sources (disk images, disk devices, logical files)</a>.
The set of data could be from multiple drives in a single computer or from multiple computers. The set of data could be from multiple drives in a single computer or from multiple computers.
When you make a case, it will create a directory to hold all of the information. When you make a case, it will create a directory to hold all of the information.
The directory will contain the main Autopsy configuration file, other module's configuration files, The directory will contain the main Autopsy configuration file, other module's configuration files,
some databases, generated reports, and some other information (temporary files, cache files). some databases, generated reports, and some other information (temporary files, cache files).
The main Autopsy case configuration file as a .aut extension - that is the file used to "Open" the case. The main Autopsy case configuration file as a .aut extension - that is the file used to "Open" the case.
In general, it is recommended for the user not to modify any files in the Case directory and leave it to Autopsy manage it. In general, it is recommended for the user not to modify any files in the Case directory and leave it to Autopsy manage it.
</p> </p>
<p> <p>
If you want to view case details or edit some case information, If you want to view case details or edit some case information,
use the <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/caseProperties.html">Case Properties</a> window. use the <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/caseProperties.html">Case Properties</a> window.
</p> </p>
<h2>Creating a Case</h2> <h2>Creating a Case</h2>
<p>Refer to the <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/createNewCase.html">Creating a Case</a> page for more details.</p> <p>Refer to the <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/createNewCase.html">Creating a Case</a> page for more details.</p>
<h2>Opening a Case</h2> <h2>Opening a Case</h2>
<p> <p>
To open a case, choose "Open Case" from the File menu or use the "Ctrl + O" keyboard shortcut. To open a case, choose "Open Case" from the File menu or use the "Ctrl + O" keyboard shortcut.
Navigate to the case directory and select the ".aut" file. Navigate to the case directory and select the ".aut" file.
</p> </p>
</body> </body>
</html> </html>


@ -1,25 +1,25 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<title>Creating A Case</title> <title>Creating A Case</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css"> <link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head> </head>
<body> <body>
<h2>Creating a Case</h2> <h2>Creating a Case</h2>
<p>There are several ways to create a new case:</p> <p>There are several ways to create a new case:</p>
<ul> <ul>
<li>Go to "File" and select "New Case..."</li> <li>Go to "File" and select "New Case..."</li>
<li>Press "Ctrl + N" on the keyboard</li> <li>Press "Ctrl + N" on the keyboard</li>
</ul> </ul>
<p> <p>
The "New Case" wizard dialog will open and you will need to enter the case name and base directory. The "New Case" wizard dialog will open and you will need to enter the case name and base directory.
Each case will have its own directory and the path of the directory is created by combining the "base directory" with the "case name". Each case will have its own directory and the path of the directory is created by combining the "base directory" with the "case name".
If the directory already exists, you will need to either delete the existing directory or choose a different combination of names. If the directory already exists, you will need to either delete the existing directory or choose a different combination of names.
</p> </p>
<h2>Example:</h2> <h2>Example:</h2>
<p> Here's an example of the "New Case" wizard dialog:</p> <p> Here's an example of the "New Case" wizard dialog:</p>
<img src="NewCaseWizardHelp.png" alt="New Case Wizard Help" /> <img src="NewCaseWizardHelp.png" alt="New Case Wizard Help" />
</body> </body>
</html> </html>


@ -1,75 +1,75 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<title>Hash Database Management</title> <title>Hash Database Management</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css"> <link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head> </head>
<body> <body>
<h2>Hash Database Management Window</h2> <h2>Hash Database Management Window</h2>
<p> <p>
The Hash Database Management window is where you can set and update your hash database information. The Hash Database Management window is where you can set and update your hash database information.
Hash databases are used to identify files that are 'known'. Hash databases are used to identify files that are 'known'.
</p> </p>
<ul> <ul>
<li> <li>
Known good files are those that can be safely ignored. Known good files are those that can be safely ignored.
This set of files frequently includes standard OS and application files. This set of files frequently includes standard OS and application files.
Ignoring such uninteresting to the investigator files, can greatly reduce image analysis time. Ignoring such uninteresting to the investigator files, can greatly reduce image analysis time.
</li> </li>
<li> <li>
Known bad (also called notable) files are those that should raise awareness. Known bad (also called notable) files are those that should raise awareness.
This set will vary depending on the type of investigation, but common examples include contraband images and malware. This set will vary depending on the type of investigation, but common examples include contraband images and malware.
</li> </li>
</ul> </ul>
<h2>Notable / Known Bad Hashsets</h2> <h2>Notable / Known Bad Hashsets</h2>
<p>Autopsy allows for multiple known bad hash databases to be set. Autopsy supports three formats:</p> <p>Autopsy allows for multiple known bad hash databases to be set. Autopsy supports three formats:</p>
<ul> <ul>
<li>EnCase: An EnCase hashset file.</li> <li>EnCase: An EnCase hashset file.</li>
<li>MD5sum: Output from running the md5, md5sum, or md5deep program on a set of files.</li> <li>MD5sum: Output from running the md5, md5sum, or md5deep program on a set of files.</li>
<li>NSRL: The format of the NSRL database.</li> <li>NSRL: The format of the NSRL database.</li>
<li>HashKeeper: Hashset file conforming to the HashKeeper standard.</li> <li>HashKeeper: Hashset file conforming to the HashKeeper standard.</li>
</ul> </ul>
<h2>NIST NSRL</h2> <h2>NIST NSRL</h2>
<p> <p>
Autopsy can use the <a href="http://www.nsrl.nist.gov">NIST NSRL</a> to detect 'known files'. Autopsy can use the <a href="http://www.nsrl.nist.gov">NIST NSRL</a> to detect 'known files'.
Note that the NSRL contains hashes of 'known files' that may be good or bad depending on your perspective and investigation type. Note that the NSRL contains hashes of 'known files' that may be good or bad depending on your perspective and investigation type.
For example, the existence of a piece of financial software may be interesting to your investigation and that software could be in the NSRL. For example, the existence of a piece of financial software may be interesting to your investigation and that software could be in the NSRL.
Therefore, Autopsy treats files that are found in the NSRL as simply 'known' and does not specify good or bad. Therefore, Autopsy treats files that are found in the NSRL as simply 'known' and does not specify good or bad.
Ingest modules have the option of ignoring files that were found in the NSRL. Ingest modules have the option of ignoring files that were found in the NSRL.
</p> </p>
<p> <p>
To use the NSRL, you must concatenate all of the NSRLFile.txt files together. To use the NSRL, you must concatenate all of the NSRLFile.txt files together.
You can use 'cat' on a Unix system or from within Cygwin to do this. You can use 'cat' on a Unix system or from within Cygwin to do this.
</p> </p>
<h2>Adding Hashsets</h2> <h2>Adding Hashsets</h2>
<p> <p>
Autopsy needs an index of the hashset to actualy use a hash database. Autopsy needs an index of the hashset to actualy use a hash database.
It can create the index if you import only the hashset. It can create the index if you import only the hashset.
When you select the database from within this window, it will tell you if the index needs to be created. When you select the database from within this window, it will tell you if the index needs to be created.
Autopsy uses the hash database management system from The Sleuth Kit. You can manually create an index using the 'hfind' command line tool or you can use Autopsy. Autopsy uses the hash database management system from The Sleuth Kit. You can manually create an index using the 'hfind' command line tool or you can use Autopsy.
If you attempt proceed without indexing a database, Autopsy will offer to automatically produce an index for you. If you attempt proceed without indexing a database, Autopsy will offer to automatically produce an index for you.
</p> </p>
<p> <p>
You can also specify only the index file and not use the full hashset - the index file is sufficient to identify known files. You can also specify only the index file and not use the full hashset - the index file is sufficient to identify known files.
This can save space. To do this, specify the .idx file from the Hash Database Management window. This can save space. To do this, specify the .idx file from the Hash Database Management window.
</p> </p>
<h2>Using Hashsets</h2> <h2>Using Hashsets</h2>
<p> <p>
There is an <a href="nbdocs:/org/sleuthkit/autopsy/ingest/docs/ingest-about.html">ingest module</a> that will hash the files and look them up in the hashsets. There is an <a href="nbdocs:/org/sleuthkit/autopsy/ingest/docs/ingest-about.html">ingest module</a> that will hash the files and look them up in the hashsets.
It will flag files that were in the notable hashset and those results will be shown in the Results tree of the <a href="nbdocs:/org/sleuthkit/autopsy/directorytree/docs/directorytree-about.html">Data Explorer</a>. It will flag files that were in the notable hashset and those results will be shown in the Results tree of the <a href="nbdocs:/org/sleuthkit/autopsy/directorytree/docs/directorytree-about.html">Data Explorer</a>.
</p> </p>
<p>Other ingest modules are able to use the known status of a file to decide if they should ignore the file or process it.</p> <p>Other ingest modules are able to use the known status of a file to decide if they should ignore the file or process it.</p>
<p> <p>
You can also see the results in the <a href="nbdocs:/org/sleuthkit/autopsy/filesearch/docs/open-filesearch.html">File Search</a> window. You can also see the results in the <a href="nbdocs:/org/sleuthkit/autopsy/filesearch/docs/open-filesearch.html">File Search</a> window.
There is an option to choose the 'known status'. From here, you can do a search to see all 'known bad' files. There is an option to choose the 'known status'. From here, you can do a search to see all 'known bad' files.
From here, you can also choose to ignore all 'known' files that were found in the NSRL. From here, you can also choose to ignore all 'known' files that were found in the NSRL.
You can also see the status of the file in a column when the file is listed. You can also see the status of the file in a column when the file is listed.
</p> </p>
<img src="hashdb.PNG" alt="Hash Database Configuration" /> <img src="hashdb.PNG" alt="Hash Database Configuration" />
</body> </body>
</html> </html>


@ -1,66 +1,66 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<title>Overview</title> <title>Overview</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css"> <link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head> </head>
<body> <body>
<h2>Overview</h2> <h2>Overview</h2>
<p> <p>
Autopsy allows you to conduct a digital forensic investigation. Autopsy allows you to conduct a digital forensic investigation.
It is a graphical interface to The Sleuth Kit and other tools. It is a graphical interface to The Sleuth Kit and other tools.
This page outlines the basic concepts of the program. This page outlines the basic concepts of the program.
The remainder of the help guide is organized around these concepts. The remainder of the help guide is organized around these concepts.
</p> </p>
<p> <p>
The main Autopsy features include: importing a Data Source (image, disk, files) and exploring its file systems, The main Autopsy features include: importing a Data Source (image, disk, files) and exploring its file systems,
running analysis modules (ingest), viewing ingest results, viewing content and generating reports. running analysis modules (ingest), viewing ingest results, viewing content and generating reports.
</p> </p>
<p> <p>
Autopsy is an extensible application; it provides a plug-in framework that allows other other parties to supply plug-ins and supply additional: Autopsy is an extensible application; it provides a plug-in framework that allows other other parties to supply plug-ins and supply additional:
image and file ingest for new types of analysis, different content viewers and different types of reports to be supported. image and file ingest for new types of analysis, different content viewers and different types of reports to be supported.
There are plug-ins for for several ingest modules, viewers and reports that are bundled by default with Autopsy. There are plug-ins for for several ingest modules, viewers and reports that are bundled by default with Autopsy.
</p> </p>
<p> <p>
All data is organized around the concept of a <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/casemodule-about.html">case</a>. All data is organized around the concept of a <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/casemodule-about.html">case</a>.
A case can have one or more data <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/aboutImage.html">sources</a> loaded into it. A case can have one or more data <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/aboutImage.html">sources</a> loaded into it.
</p> </p>
<p>The main window has three major areas:</p> <p>The main window has three major areas:</p>
<ul> <ul>
<li> <li>
<a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/dataexplorer-about.html">Data Explorer Tree</a>: <a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/dataexplorer-about.html">Data Explorer Tree</a>:
This area is where you go find major analysis functionality. This area is where you go find major analysis functionality.
It allows you to start finding the relevant files quickly. It allows you to start finding the relevant files quickly.
</li> </li>
<li> <li>
<a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/dataresult-about.html">Result Viewers</a>: <a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/dataresult-about.html">Result Viewers</a>:
This area is where the files and directories that were found from the explorer window can be viewed. This area is where the files and directories that were found from the explorer window can be viewed.
There are different formatting options for the files. There are different formatting options for the files.
</li> </li>
<li> <li>
<a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/datacontent-about.html">Content Viewers</a>: <a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/datacontent-about.html">Content Viewers</a>:
This area is where file content can be viewed after they are selected from the Result Viewer area. This area is where file content can be viewed after they are selected from the Result Viewer area.
</li> </li>
</ul> </ul>
<p> <p>
The main take away from this should be that analysis techniques and result categories can be found on the left-hand side, The main take away from this should be that analysis techniques and result categories can be found on the left-hand side,
the results from choosing something on the left are always listed in the upper right, the results from choosing something on the left are always listed in the upper right,
and the file contents are displayed in the lower left. and the file contents are displayed in the lower left.
</p> </p>
<img src="Autopsy_overview.png" alt="Autopsy Overview Window" /> <img src="Autopsy_overview.png" alt="Autopsy Overview Window" />
</body> </body>
</html> </html>
<!-- <!--
Tip: to create a link which will open in an external web browser, try: Tip: to create a link which will open in an external web browser, try:
<object classid="java:org.netbeans.modules.javahelp.BrowserDisplayer"> <object classid="java:org.netbeans.modules.javahelp.BrowserDisplayer">
<param name="content" value="http://www.netbeans.org/"> <param name="content" value="http://www.netbeans.org/">
<param name="text" value="<html><u>http://www.netbeans.org/</u></html>"> <param name="text" value="<html><u>http://www.netbeans.org/</u></html>">
<param name="textFontSize" value="medium"> <param name="textFontSize" value="medium">
<param name="textColor" value="blue"> <param name="textColor" value="blue">
</object> </object>
To create a link to a help set from another module, you need to know the code name base and path, e.g.: To create a link to a help set from another module, you need to know the code name base and path, e.g.:
<a href="nbdocs://org.netbeans.modules.usersguide/org/netbeans/modules/usersguide/configure/configure_options.html">Using the Options Window</a> <a href="nbdocs://org.netbeans.modules.usersguide/org/netbeans/modules/usersguide/configure/configure_options.html">Using the Options Window</a>
(This link will behave sanely if that module is disabled or missing.) (This link will behave sanely if that module is disabled or missing.)
--> -->


@ -185,7 +185,7 @@ public class Metadata extends javax.swing.JPanel implements DataContentViewer
} }
@Override @Override
public int isPreferred(Node node, boolean isSupported) { public int isPreferred(Node node) {
return 1; return 1;
} }
} }


@ -83,16 +83,15 @@ public interface DataContentViewer {
* Checks whether the given viewer is preferred for the Node. * Checks whether the given viewer is preferred for the Node.
* This is a bit subjective, but the idea is that Autopsy wants to display * This is a bit subjective, but the idea is that Autopsy wants to display
* the most relevant tab. The more generic the viewer, the lower * the most relevant tab. The more generic the viewer, the lower
* the return value should be. * the return value should be. This will only be called on viewers that
* support the given node.
* *
* @param node Node to check for preference * @param node Node to check for preference
* @param isSupported true if the viewer is supported by the node, false otherwise
* as determined by a previous check
* @return an int (0-10) higher return means the viewer has higher priority * @return an int (0-10) higher return means the viewer has higher priority
* 0 means not supported * 0 means not supported
* 1 to 2 means the module will display all file types (such as the hex viewer) * 1 to 2 means the module will display all file types (such as the hex viewer)
* 3-10 are prioritized by Content viewer developer. Modules that operate on very * 3-10 are prioritized by Content viewer developer. Modules that operate on very
* few file types should be towards 10. * few file types should be towards 10.
*/ */
public int isPreferred(Node node, boolean isSupported); public int isPreferred(Node node);
} }
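Review bot: The `@return` text on `isPreferred` still says `0 means not supported`, which contradicts the sentence this change adds stating that the method is only called on viewers that support the node. `DataContentViewerMedia.isPreferred(Node node)` in this same commit still returns 0 for a supported node (the deleted-video case), so 0 now effectively means "supported, but do not pick this tab by default". Reword that line to something like `0 means the viewer should not be selected by default`, and add that callers must check `isSupported(node)` before calling. The interface declaration starts outside this hunk.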


@ -181,7 +181,7 @@ public class DataContentPanel extends javax.swing.JPanel implements DataContent,
jTabbedPane1.setEnabledAt(i, true); jTabbedPane1.setEnabledAt(i, true);
// remember the viewer with the highest preference value // remember the viewer with the highest preference value
int currentPreferred = dcv.isPreferred(selectedNode, true); int currentPreferred = dcv.isPreferred(selectedNode);
if (currentPreferred > maxPreferred) { if (currentPreferred > maxPreferred) {
preferredViewerIndex = i; preferredViewerIndex = i;
maxPreferred = currentPreferred; maxPreferred = currentPreferred;
@ -258,8 +258,8 @@ public class DataContentPanel extends javax.swing.JPanel implements DataContent,
return this.wrapped.isSupported(node); return this.wrapped.isSupported(node);
} }
int isPreferred(Node node, boolean isSupported) { int isPreferred(Node node) {
return this.wrapped.isPreferred(node, isSupported); return this.wrapped.isPreferred(node);
} }
} }


@ -330,18 +330,13 @@ public class DataContentViewerArtifact extends javax.swing.JPanel implements Dat
} }
@Override @Override
public int isPreferred(Node node, boolean isSupported) { public int isPreferred(Node node) {
BlackboardArtifact artifact = node.getLookup().lookup(BlackboardArtifact.class); BlackboardArtifact artifact = node.getLookup().lookup(BlackboardArtifact.class);
if(isSupported) { if(artifact == null) {
if(artifact == null) { return 3;
return 3;
}
else {
return 5;
}
} }
else { else {
return 0; return 5;
} }
} }


@ -434,12 +434,8 @@ public class DataContentViewerHex extends javax.swing.JPanel implements DataCont
} }
@Override @Override
public int isPreferred(Node node, boolean isSupported) { public int isPreferred(Node node) {
if (isSupported) { return 1;
return 1;
} else {
return 0;
}
} }
@Override @Override


@ -226,25 +226,22 @@ public class DataContentViewerMedia extends javax.swing.JPanel implements DataCo
} }
@Override @Override
public int isPreferred(Node node, boolean isSupported) { public int isPreferred(Node node) {
if (isSupported) { //special case, check if deleted video, then do not make it preferred
//special case, check if deleted video, then do not make it preferred AbstractFile file = node.getLookup().lookup(AbstractFile.class);
AbstractFile file = node.getLookup().lookup(AbstractFile.class); if (file == null) {
if (file == null) {
return 0;
}
String name = file.getName().toLowerCase();
boolean deleted = file.isDirNameFlagSet(TSK_FS_NAME_FLAG_ENUM.UNALLOC);
if (containsExt(name, videoExtensions) && deleted) {
return 0;
}
else {
return 7;
}
} else {
return 0; return 0;
} }
String name = file.getName().toLowerCase();
boolean deleted = file.isDirNameFlagSet(TSK_FS_NAME_FLAG_ENUM.UNALLOC);
if (containsExt(name, videoExtensions) && deleted) {
return 0;
}
else {
return 7;
}
} }
private static boolean containsExt(String name, String[] exts) { private static boolean containsExt(String name, String[] exts) {
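Review bot: `file.getName().toLowerCase()` in `isPreferred` lower-cases a file name taken from the evidence using the JVM's default locale, so on a workstation with a Turkish locale an upper-case `I` in the extension does not become `i` and the match against `videoExtensions` can fail. The deleted-video special case would then be skipped and the method would return 7 for a file it is meant to exclude. Use `String name = file.getName().toLowerCase(Locale.ROOT);`, which needs `java.util.Locale` in the import block outside this hunk. How `containsExt` compares the strings is not visible here, so this assumes the entries in `videoExtensions` are lower-case ASCII.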


@ -322,14 +322,6 @@ public class DataContentViewerString extends javax.swing.JPanel implements DataC
private javax.swing.JLabel totalPageLabel; private javax.swing.JLabel totalPageLabel;
// End of variables declaration//GEN-END:variables // End of variables declaration//GEN-END:variables
@Deprecated
public void setDataView(Content dataSource, long offset, boolean reset) {
if (reset) {
resetComponent();
return;
}
setDataView(dataSource, offset);
}
/** /**
* Sets the DataView (The tabbed panel) * Sets the DataView (The tabbed panel)
@ -399,6 +391,30 @@ public class DataContentViewerString extends javax.swing.JPanel implements DataC
this.setCursor(null); this.setCursor(null);
} }
private void setDataView(StringContent dataSource) {
this.setCursor(Cursor.getPredefinedCursor(Cursor.WAIT_CURSOR));
try {
this.dataSource = null;
// set the data on the bottom and show it
String text = dataSource.getString();
nextPageButton.setEnabled(false);
prevPageButton.setEnabled(false);
currentPage = 1;
int totalPage = 1;
totalPageLabel.setText(Integer.toString(totalPage));
currentPageLabel.setText(Integer.toString(currentPage));
outputViewPane.setText(text); // set the output view
setComponentsVisibility(true); // shows the components that not needed
outputViewPane.moveCaretPosition(0);
} finally {
this.setCursor(null);
}
}
/** /**
* To set the visibility of specific components in this class. * To set the visibility of specific components in this class.
@ -484,12 +500,8 @@ public class DataContentViewerString extends javax.swing.JPanel implements DataC
} }
@Override @Override
public int isPreferred(Node node, boolean isSupported) { public int isPreferred(Node node) {
if (node != null && isSupported) { return 1;
return 1;
} else {
return 0;
}
} }
@Override @Override
@ -497,29 +509,6 @@ public class DataContentViewerString extends javax.swing.JPanel implements DataC
return this; return this;
} }
private void setDataView(StringContent dataSource) {
this.setCursor(Cursor.getPredefinedCursor(Cursor.WAIT_CURSOR));
try {
this.dataSource = null;
// set the data on the bottom and show it
String text = dataSource.getString();
nextPageButton.setEnabled(false);
prevPageButton.setEnabled(false);
currentPage = 1;
int totalPage = 1;
totalPageLabel.setText(Integer.toString(totalPage));
currentPageLabel.setText(Integer.toString(currentPage));
outputViewPane.setText(text); // set the output view
setComponentsVisibility(true); // shows the components that not needed
outputViewPane.moveCaretPosition(0);
} finally {
this.setCursor(null);
}
}
/* Show the right click menu only if evt is the correct mouse event */ /* Show the right click menu only if evt is the correct mouse event */
private void maybeShowPopup(java.awt.event.MouseEvent evt) { private void maybeShowPopup(java.awt.event.MouseEvent evt) {
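Review bot: In the relocated `setDataView(StringContent dataSource)` the parameter shadows the `dataSource` field, so `this.dataSource = null;` followed by `dataSource.getString()` reads as though a reference that was just cleared is being dereferenced. Renaming the parameter removes the ambiguity: `private void setDataView(StringContent stringContent)` with `String text = stringContent.getString();`. The method also has no Javadoc; a one-line summary such as `/** Shows the text of the given StringContent as a single page with both paging buttons disabled. */` matches what the body does. The class body and `maybeShowPopup` continue outside these hunks.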


@ -1,31 +1,31 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE toc PUBLIC "-//Sun Microsystems Inc.//DTD JavaHelp TOC Version 2.0//EN" "http://java.sun.com/products/javahelp/toc_2_0.dtd"> <!DOCTYPE toc PUBLIC "-//Sun Microsystems Inc.//DTD JavaHelp TOC Version 2.0//EN" "http://java.sun.com/products/javahelp/toc_2_0.dtd">
<toc version="2.0"> <toc version="2.0">
<tocitem text="Data Explorers"> <tocitem text="Data Explorers">
<tocitem text="About Data Explorers" target="org.sleuthkit.autopsy.corecomponents.dataexplorer-about"/> <tocitem text="About Data Explorers" target="org.sleuthkit.autopsy.corecomponents.dataexplorer-about"/>
<tocitem text="Directory Tree"> <tocitem text="Directory Tree">
<tocitem text="About Directory Tree" target="org.sleuthkit.autopsy.directorytree.about"/> <tocitem text="About Directory Tree" target="org.sleuthkit.autopsy.directorytree.about"/>
<tocitem text="Image Details Window" target="org.sleuthkit.autopsy.directorytree.image-details"/> <tocitem text="Image Details Window" target="org.sleuthkit.autopsy.directorytree.image-details"/>
<tocitem text="Volume Details Window" target="org.sleuthkit.autopsy.directorytree.volume-details"/> <tocitem text="Volume Details Window" target="org.sleuthkit.autopsy.directorytree.volume-details"/>
<tocitem text="Extracting Unallocated Space" target="org.sleuthkit.autopsy.directorytree.unallocated-space"/> <tocitem text="Extracting Unallocated Space" target="org.sleuthkit.autopsy.directorytree.unallocated-space"/>
</tocitem> </tocitem>
<tocitem text="File Search"> <tocitem text="File Search">
<tocitem text="About File Search" target="org.sleuthkit.autopsy.filesearch.about"/> <tocitem text="About File Search" target="org.sleuthkit.autopsy.filesearch.about"/>
<tocitem text="How to Open File Search" target="org.sleuthkit.autopsy.filesearch.open-filesearch"/> <tocitem text="How to Open File Search" target="org.sleuthkit.autopsy.filesearch.open-filesearch"/>
<tocitem text="How to Use File Search" target="org.sleuthkit.autopsy.filesearch.how-to-use-filesearch"/> <tocitem text="How to Use File Search" target="org.sleuthkit.autopsy.filesearch.how-to-use-filesearch"/>
</tocitem> </tocitem>
</tocitem> </tocitem>
<tocitem text="Result Viewers"> <tocitem text="Result Viewers">
<tocitem text="About Result Viewers" target="org.sleuthkit.autopsy.corecomponents.dataresult-about"/> <tocitem text="About Result Viewers" target="org.sleuthkit.autopsy.corecomponents.dataresult-about"/>
<tocitem text="Table Results Viewer" target="org.sleuthkit.autopsy.corecomponents.table-results-viewer"/> <tocitem text="Table Results Viewer" target="org.sleuthkit.autopsy.corecomponents.table-results-viewer"/>
<tocitem text="Thumbnail Result Viewer" target="org.sleuthkit.autopsy.corecomponents.thumbnail-results-viewer"/> <tocitem text="Thumbnail Result Viewer" target="org.sleuthkit.autopsy.corecomponents.thumbnail-results-viewer"/>
</tocitem> </tocitem>
<tocitem text="Content Viewers"> <tocitem text="Content Viewers">
<tocitem text="About Content Viewers" target="org.sleuthkit.autopsy.corecomponents.datacontent-about"/> <tocitem text="About Content Viewers" target="org.sleuthkit.autopsy.corecomponents.datacontent-about"/>
<tocitem text="Hex Content Viewer" target="org.sleuthkit.autopsy.corecomponents.hex-content-viewer"/> <tocitem text="Hex Content Viewer" target="org.sleuthkit.autopsy.corecomponents.hex-content-viewer"/>
<tocitem text="String Content Viewer" target="org.sleuthkit.autopsy.corecomponents.string-content-viewer"/> <tocitem text="String Content Viewer" target="org.sleuthkit.autopsy.corecomponents.string-content-viewer"/>
<tocitem text="Text Content Viewer" target="org.sleuthkit.autopsy.corecomponents.text-content-viewer"/> <tocitem text="Text Content Viewer" target="org.sleuthkit.autopsy.corecomponents.text-content-viewer"/>
<tocitem text="Media Content Viewer" target="org.sleuthkit.autopsy.corecomponents.picture-content-viewer"/> <tocitem text="Media Content Viewer" target="org.sleuthkit.autopsy.corecomponents.picture-content-viewer"/>
</tocitem> </tocitem>
</toc> </toc>


@ -1,50 +1,50 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<title>About Content Viewers</title> <title>About Content Viewers</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css"> <link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head> </head>
<body> <body>
<h2>Content Viewers</h2> <h2>Content Viewers</h2>
<p> <p>
The Content Viewer area is in the lower right area of the interface. The Content Viewer area is in the lower right area of the interface.
This area is used to view a specific file in a variety of formats. This area is used to view a specific file in a variety of formats.
There are different tabs for different viewers. There are different tabs for different viewers.
Not all tabs support all file types, so only some of them will be enabled. Not all tabs support all file types, so only some of them will be enabled.
To display data in this area, a file must be selected from the To display data in this area, a file must be selected from the
<a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/dataresult-about.html">Result Viewer</a> window. <a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/dataresult-about.html">Result Viewer</a> window.
</p> </p>
<p> <p>
The Content Viewer area is part of a plug-in framework. The Content Viewer area is part of a plug-in framework.
You can install modules that will add more viewer types. You can install modules that will add more viewer types.
This section describes the viewers that come by default with Autopsy. This section describes the viewers that come by default with Autopsy.
</p> </p>
<p>Here's an example of a "Content Viewer" window:</p> <p>Here's an example of a "Content Viewer" window:</p>
<img src="ContentViewer_example.png" alt="Example of Content Viewer Window" /> <img src="ContentViewer_example.png" alt="Example of Content Viewer Window" />
<h2>Default Viewers</h2> <h2>Default Viewers</h2>
<p> Currently, there are 5 main tabs on "Content Viewer" window:</p> <p> Currently, there are 5 main tabs on "Content Viewer" window:</p>
<ul> <ul>
<li><a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/result-viewer.html">Result Viewer</a></li> <li><a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/result-viewer.html">Result Viewer</a></li>
<li><a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/hex-content-viewer.html">Hex Content Viewer</a></li> <li><a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/hex-content-viewer.html">Hex Content Viewer</a></li>
<li><a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/string-content-viewer.html">String Content Viewer</a></li> <li><a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/string-content-viewer.html">String Content Viewer</a></li>
<li><a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/picture-content-viewer.html">Media Viewer</a></li> <li><a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/picture-content-viewer.html">Media Viewer</a></li>
<li><a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/text-content-viewer.html">Text Viewer</a></li> <li><a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/text-content-viewer.html">Text Viewer</a></li>
</ul> </ul>
</body> </body>
</html> </html>
<!-- <!--
Tip: to create a link which will open in an external web browser, try: Tip: to create a link which will open in an external web browser, try:
<object classid="java:org.netbeans.modules.javahelp.BrowserDisplayer"> <object classid="java:org.netbeans.modules.javahelp.BrowserDisplayer">
<param name="content" value="http://www.netbeans.org/"> <param name="content" value="http://www.netbeans.org/">
<param name="text" value="<html><u>http://www.netbeans.org/</u></html>"> <param name="text" value="<html><u>http://www.netbeans.org/</u></html>">
<param name="textFontSize" value="medium"> <param name="textFontSize" value="medium">
<param name="textColor" value="blue"> <param name="textColor" value="blue">
</object> </object>
To create a link to a help set from another module, you need to know the code name base and path, e.g.: To create a link to a help set from another module, you need to know the code name base and path, e.g.:
<a href="nbdocs://org.netbeans.modules.usersguide/org/netbeans/modules/usersguide/configure/configure_options.html">Using the Options Window</a> <a href="nbdocs://org.netbeans.modules.usersguide/org/netbeans/modules/usersguide/configure/configure_options.html">Using the Options Window</a>
(This link will behave sanely if that module is disabled or missing.) (This link will behave sanely if that module is disabled or missing.)
!--> !-->


@ -1,47 +1,47 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<title>Data Explorers</title> <title>Data Explorers</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css"> <link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head> </head>
<body> <body>
<h2>About the Data Explorer</h2> <h2>About the Data Explorer</h2>
<p> <p>
The Data Explorer view in Autopsy is the <a href="nbdocs:/org/sleuthkit/autopsy/directorytree/docs/directorytree-about.html">directory tree</a> The Data Explorer view in Autopsy is the <a href="nbdocs:/org/sleuthkit/autopsy/directorytree/docs/directorytree-about.html">directory tree</a>
node structure seen on the left hand side. node structure seen on the left hand side.
</p> </p>
<p>The data explorer contains the following data:</p> <p>The data explorer contains the following data:</p>
<ul> <ul>
<li>Image file-system with its directory structure that can be navigated,</li> <li>Image file-system with its directory structure that can be navigated,</li>
<li>Saved results of image and file analysis, such as results produced by the ingest process,</li> <li>Saved results of image and file analysis, such as results produced by the ingest process,</li>
<li>Built-in views and filters on the file-system and saved results.</li> <li>Built-in views and filters on the file-system and saved results.</li>
</ul> </ul>
<p>The data explorer provides different methods for finding relevant data, such as:</p> <p>The data explorer provides different methods for finding relevant data, such as:</p>
<ul> <ul>
<li>All files of a specific type</li> <li>All files of a specific type</li>
<li>Different extracted content types (web bookmarks, web history, installed programs, devices, etc.)</li> <li>Different extracted content types (web bookmarks, web history, installed programs, devices, etc.)</li>
<li>Hash database hits</li> <li>Hash database hits</li>
<li>Keyword hits</li> <li>Keyword hits</li>
<li>File bookmarks</li> <li>File bookmarks</li>
</ul> </ul>
<p> <p>
The Data Explorer will publish all relevant data to the <a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/dataresult-about.html">Result Viewer</a> The Data Explorer will publish all relevant data to the <a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/dataresult-about.html">Result Viewer</a>
when specific nodes are clicked. In general, if you are looking for an 'analysis technique', then this is where you should look. when specific nodes are clicked. In general, if you are looking for an 'analysis technique', then this is where you should look.
</p> </p>
</body> </body>
</html> </html>
<!-- <!--
Tip: to create a link which will open in an external web browser, try: Tip: to create a link which will open in an external web browser, try:
<object classid="java:org.netbeans.modules.javahelp.BrowserDisplayer"> <object classid="java:org.netbeans.modules.javahelp.BrowserDisplayer">
<param name="content" value="http://www.netbeans.org/"> <param name="content" value="http://www.netbeans.org/">
<param name="text" value="<html><u>http://www.netbeans.org/</u></html>"> <param name="text" value="<html><u>http://www.netbeans.org/</u></html>">
<param name="textFontSize" value="medium"> <param name="textFontSize" value="medium">
<param name="textColor" value="blue"> <param name="textColor" value="blue">
</object> </object>
To create a link to a help set from another module, you need to know the code name base and path, e.g.: To create a link to a help set from another module, you need to know the code name base and path, e.g.:
<a href="nbdocs://org.netbeans.modules.usersguide/org/netbeans/modules/usersguide/configure/configure_options.html">Using the Options Window</a> <a href="nbdocs://org.netbeans.modules.usersguide/org/netbeans/modules/usersguide/configure/configure_options.html">Using the Options Window</a>
(This link will behave sanely if that module is disabled or missing.) (This link will behave sanely if that module is disabled or missing.)
!--> !-->


@ -1,45 +1,45 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<title>Result Viewers</title> <title>Result Viewers</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css"> <link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head> </head>
<body> <body>
<h2>Result Viewers</h2> <h2>Result Viewers</h2>
<p> <p>
The Result Viewer windows are in the upper right area of the interface and display the results from selecting something in the The Result Viewer windows are in the upper right area of the interface and display the results from selecting something in the
<a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/dataexplorer-about.html">Data Explorer Tree</a> area. <a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/dataexplorer-about.html">Data Explorer Tree</a> area.
You will have the option to display the results in a variety of formats. You will have the option to display the results in a variety of formats.
</p> </p>
<p>Currently, there are 2 main tabs in the Result Viewer window:</p> <p>Currently, there are 2 main tabs in the Result Viewer window:</p>
<ul> <ul>
<li><a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/table-results-viewer.html">Table Results Viewer</a></li> <li><a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/table-results-viewer.html">Table Results Viewer</a></li>
<li><a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/thumbnail-results-viewer.html">Thumbnail Results Viewer</a></li> <li><a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/thumbnail-results-viewer.html">Thumbnail Results Viewer</a></li>
</ul> </ul>
<h2>Right Click Functions</h2> <h2>Right Click Functions</h2>
<p> <p>
Viewers in Result Viewers have certain right-click functions built-in into them that can be accessed when a node a certain type is selected (a file, directory or a result). Viewers in Result Viewers have certain right-click functions built-in into them that can be accessed when a node a certain type is selected (a file, directory or a result).
</p> </p>
<p>Here are some examples that you may see:</p> <p>Here are some examples that you may see:</p>
<ul> <ul>
<li><strong>Open File in External Viewer</strong>: <li><strong>Open File in External Viewer</strong>:
Opens the selected file in an "external" application as defined by the local OS. Opens the selected file in an "external" application as defined by the local OS.
For example, HTML files may be opened by IE or Firefox, depending on what the local system is configured to use.</li> For example, HTML files may be opened by IE or Firefox, depending on what the local system is configured to use.</li>
<li><strong>View in New Window:</strong> <li><strong>View in New Window:</strong>
Opens the content in a new internal Content Viewer (instead of in the default location in the lower right).</li> Opens the content in a new internal Content Viewer (instead of in the default location in the lower right).</li>
<li><strong>Extract:</strong> <li><strong>Extract:</strong>
Make a local copy of the file or directory for further analysis.</li> Make a local copy of the file or directory for further analysis.</li>
<li><strong>Search for files with the same MD5 Hash:</strong> <li><strong>Search for files with the same MD5 Hash:</strong>
Searches the entire file-system for any files with the same MD5 Hash as the one selected.</li> Searches the entire file-system for any files with the same MD5 Hash as the one selected.</li>
</ul> </ul>
<h2>Example</h2> <h2>Example</h2>
<p>Below is an example of a "Result Viewer" window:</p> <p>Below is an example of a "Result Viewer" window:</p>
<img src="ResultViewer_example.png" alt="Example of Result Viewer Window" /> <img src="ResultViewer_example.png" alt="Example of Result Viewer Window" />
</body> </body>
</html> </html>

View File

@ -1,21 +1,21 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<title>Hex Content Viewer</title> <title>Hex Content Viewer</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css"> <link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head> </head>
<body> <body>
<h2>Hex Content Viewer</h2> <h2>Hex Content Viewer</h2>
<p> <p>
Hex Content Viewer shows you the raw and exact contents of a file. Hex Content Viewer shows you the raw and exact contents of a file.
In this Hex Content Viewer, the data of the file is represented as hexadecimal values grouped in 2 groups of 8 bytes, In this Hex Content Viewer, the data of the file is represented as hexadecimal values grouped in 2 groups of 8 bytes,
followed by one group of 16 ASCII characters which are derived from each pair of hex values (each byte). followed by one group of 16 ASCII characters which are derived from each pair of hex values (each byte).
Non-printable ASCII characters and characters that would take more than one character space are typically represented by a dot (".") in the following ASCII field. Non-printable ASCII characters and characters that would take more than one character space are typically represented by a dot (".") in the following ASCII field.
</p> </p>
<h2>Example</h2> <h2>Example</h2>
<p>Below is an example of "Hex Content Viewer" window:</p> <p>Below is an example of "Hex Content Viewer" window:</p>
<img src="Hex_Content_Viewer.png" alt="Example of Hex Content Viewer Tab" /> <img src="Hex_Content_Viewer.png" alt="Example of Hex Content Viewer Tab" />
</body> </body>
</html> </html>


@ -1,20 +1,20 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<title>Media Content Viewer</title> <title>Media Content Viewer</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css"> <link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head> </head>
<body> <body>
<h2>Media Content Viewer</h2> <h2>Media Content Viewer</h2>
<p> <p>
The Media Content Viewer will show a picture or video file. The Media Content Viewer will show a picture or video file.
Video files can be played and paused. Video files can be played and paused.
The size of the picture or video will be reduced to fit into the screen. The size of the picture or video will be reduced to fit into the screen.
If you want more complex analysis of the media, then you must export the file. If you want more complex analysis of the media, then you must export the file.
</p> </p>
<p>If you select an non-picture file or an unsupported picture format on the "Result Viewers", this tab will be disabled.</p> <p>If you select an non-picture file or an unsupported picture format on the "Result Viewers", this tab will be disabled.</p>
<p>Here's one of the example of the "Media Content Viewer":</p> <p>Here's one of the example of the "Media Content Viewer":</p>
<img src="Picture_Content_Viewer.png" alt="Example of Picture Content Viewer Tab" /> <img src="Picture_Content_Viewer.png" alt="Example of Picture Content Viewer Tab" />
</body> </body>
</html> </html>


@ -1,28 +1,28 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<title>Result Content Viewer</title> <title>Result Content Viewer</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css"> <link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head> </head>
<body> <body>
<h2>Result Content Viewer</h2> <h2>Result Content Viewer</h2>
<p>Result Content Viewer shows the artifacts (saved results) associated with the item selected in the Result Viewer.</p> <p>Result Content Viewer shows the artifacts (saved results) associated with the item selected in the Result Viewer.</p>
<h2>Example</h2> <h2>Example</h2>
<p>Below is an example of "Result Content Viewer" window:</p> <p>Below is an example of "Result Content Viewer" window:</p>
<img src="Result_Viewer.png" alt="Example of Result Content Viewer Tab" /> <img src="Result_Viewer.png" alt="Example of Result Content Viewer Tab" />
</body> </body>
</html> </html>
<!-- <!--
Tip: to create a link which will open in an external web browser, try: Tip: to create a link which will open in an external web browser, try:
<object classid="java:org.netbeans.modules.javahelp.BrowserDisplayer"> <object classid="java:org.netbeans.modules.javahelp.BrowserDisplayer">
<param name="content" value="http://www.netbeans.org/"> <param name="content" value="http://www.netbeans.org/">
<param name="text" value="<html><u>http://www.netbeans.org/</u></html>"> <param name="text" value="<html><u>http://www.netbeans.org/</u></html>">
<param name="textFontSize" value="medium"> <param name="textFontSize" value="medium">
<param name="textColor" value="blue"> <param name="textColor" value="blue">
</object> </object>
To create a link to a help set from another module, you need to know the code name base and path, e.g.: To create a link to a help set from another module, you need to know the code name base and path, e.g.:
<a href="nbdocs://org.netbeans.modules.usersguide/org/netbeans/modules/usersguide/configure/configure_options.html">Using the Options Window</a> <a href="nbdocs://org.netbeans.modules.usersguide/org/netbeans/modules/usersguide/configure/configure_options.html">Using the Options Window</a>
(This link will behave sanely if that module is disabled or missing.) (This link will behave sanely if that module is disabled or missing.)
!--> !-->


@ -1,23 +1,23 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<title>String Content Viewer</title> <title>String Content Viewer</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css"> <link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head> </head>
<body> <body>
<h2>String Content Viewer</h2> <h2>String Content Viewer</h2>
<p> <p>
Strings Content Viewer scans (potentially binary) data of the file / folder and searches it for data that could be text. Strings Content Viewer scans (potentially binary) data of the file / folder and searches it for data that could be text.
When appropriate data is found, the String Content Viewer shows data strings extracted from binary, decoded, and interpreted as UTF8/16 for the selected script/language. When appropriate data is found, the String Content Viewer shows data strings extracted from binary, decoded, and interpreted as UTF8/16 for the selected script/language.
</p> </p>
<p> <p>
Note that this is different from the Text Content Viewer, which displays the text for a file that is stored in the keyword search index. Note that this is different from the Text Content Viewer, which displays the text for a file that is stored in the keyword search index.
The results may be the same or they could be different, depending how the data were interpreted by the indexer. The results may be the same or they could be different, depending how the data were interpreted by the indexer.
</p> </p>
<h2>Example</h2> <h2>Example</h2>
<p>Below is an example of "String Content Viewer" window:</p> <p>Below is an example of "String Content Viewer" window:</p>
<img src="String_Content_Viewer.png" alt="Example of String Content Viewer Tab" /> <img src="String_Content_Viewer.png" alt="Example of String Content Viewer Tab" />
</body> </body>
</html> </html>


@ -1,24 +1,24 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<title>Table Results (Directory Listing) Viewer</title> <title>Table Results (Directory Listing) Viewer</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css"> <link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head> </head>
<body> <body>
<h2>Table Results Viewer</h2> <h2>Table Results Viewer</h2>
<p> <p>
Table Results Viewer (Directory Listing) displays the data catalog as a table with some details (properties) of each file. Table Results Viewer (Directory Listing) displays the data catalog as a table with some details (properties) of each file.
The properties that it shows are: name, time (modified, changed, accessed, and created), size, flags (directory and meta), mode, user ID, group ID, metadata address, attribute address, and type (directory and meta). The properties that it shows are: name, time (modified, changed, accessed, and created), size, flags (directory and meta), mode, user ID, group ID, metadata address, attribute address, and type (directory and meta).
Click the Table Viewer tab to select this view. Click the Table Viewer tab to select this view.
</p> </p>
<p> <p>
The Results Viewer can be also activated for saved results and it can show a high level results grouped, The Results Viewer can be also activated for saved results and it can show a high level results grouped,
or a results at a file level, depending on which node on the Directory Tree is selected to populate the Table Results Viewer. or a results at a file level, depending on which node on the Directory Tree is selected to populate the Table Results Viewer.
</p> </p>
<h2>Example</h2> <h2>Example</h2>
<p>Below is an example of a "Table Results Viewer" window:</p> <p>Below is an example of a "Table Results Viewer" window:</p>
<img src="Table_Results_Viewer.png" alt="Example of Table Result Viewers Tab" /> <img src="Table_Results_Viewer.png" alt="Example of Table Result Viewers Tab" />
</body> </body>
</html> </html>


@ -1,30 +1,30 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<title>Text View</title> <title>Text View</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css"> <link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head> </head>
<body> <body>
<h2>Text View</h2> <h2>Text View</h2>
<p> <p>
Text Content Viewer uses the keyword search index that may have been populated during Text Content Viewer uses the keyword search index that may have been populated during
<a href="nbdocs:/org/sleuthkit/autopsy/ingest/docs/ingest-about.html">Image Ingest</a>. <a href="nbdocs:/org/sleuthkit/autopsy/ingest/docs/ingest-about.html">Image Ingest</a>.
If a file has text stored in the index, then this tab will be enabled and it will be displayed to the user if a file or a result associated with a file is selected. If a file has text stored in the index, then this tab will be enabled and it will be displayed to the user if a file or a result associated with a file is selected.
</p> </p>
<p> <p>
This tab may have more text on it than the "String View", which relies on searching the file for text-looking data. This tab may have more text on it than the "String View", which relies on searching the file for text-looking data.
Some files, like PDF, will not have text-looking data at the byte-level, but the keyword indexing process knows how to interpret a PDF file and produce text. Some files, like PDF, will not have text-looking data at the byte-level, but the keyword indexing process knows how to interpret a PDF file and produce text.
For the files the indexer knows about, there may be the METADATA section at the end of the displayed extracted text. For the files the indexer knows about, there may be the METADATA section at the end of the displayed extracted text.
If an indexed document contains any metadata (such as creation date, author, etc), it will be displayed there. If an indexed document contains any metadata (such as creation date, author, etc), it will be displayed there.
Note that, unlike the "String View", the Text View does not have its built-in settings for the script/language to use for extracted strings. Note that, unlike the "String View", the Text View does not have its built-in settings for the script/language to use for extracted strings.
This is because the script/language is used at indexing time, and that setting is associated with the Keyword Search indexer, not the viewer. This is because the script/language is used at indexing time, and that setting is associated with the Keyword Search indexer, not the viewer.
</p> </p>
<p> <p>
If this tab is not enabled, then either the file has no text or you did not enable Keyword Search as an ingest module. If this tab is not enabled, then either the file has no text or you did not enable Keyword Search as an ingest module.
Note that this viewer is also used to display highlighted keyword hits when operated in the "Search Matches" mode, Note that this viewer is also used to display highlighted keyword hits when operated in the "Search Matches" mode,
selected on the right-hand side of the viewer's toolbar. selected on the right-hand side of the viewer's toolbar.
</p> </p>
<img src="textview.png" alt="Text View" /> <img src="textview.png" alt="Text View" />
</body> </body>
</html> </html>


@ -1,22 +1,22 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<title>Thumbnail Results Viewer</title> <title>Thumbnail Results Viewer</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css"> <link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head> </head>
<body> <body>
<h2>Thumbnail Results Viewer</h2> <h2>Thumbnail Results Viewer</h2>
<p> <p>
Thumbnail Results Viewer displays the data catalog as a table of thumbnail images in adjustable sizes. Thumbnail Results Viewer displays the data catalog as a table of thumbnail images in adjustable sizes.
This viewer only supports picture file(s) (Currently, only supports JPG, GIF, and PNG formats). This viewer only supports picture file(s) (Currently, only supports JPG, GIF, and PNG formats).
Click the Thumbnail tab to select this view. Click the Thumbnail tab to select this view.
Note that for a large number of images in a directory selected in the Data Explorer, or for a View selected that contains Note that for a large number of images in a directory selected in the Data Explorer, or for a View selected that contains
a large number of images, it might take a while to populate this view for the first time before the images are cached. a large number of images, it might take a while to populate this view for the first time before the images are cached.
</p> </p>
<h2>Example</h2> <h2>Example</h2>
<p>Below is an example of "Thumbnail Results Viewer" window:</p> <p>Below is an example of "Thumbnail Results Viewer" window:</p>
<img src="Thumbnail_Results_Viewer.png" alt="Example of Thumbnail Results Viewer Tab" /> <img src="Thumbnail_Results_Viewer.png" alt="Example of Thumbnail Results Viewer Tab" />
</body> </body>
</html> </html>


@ -1,48 +1,48 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<title>Data Explorer (Directory Tree)</title> <title>Data Explorer (Directory Tree)</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css"> <link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head> </head>
<body> <body>
<h2>About Data Explorer (Directory Tree)</h2> <h2>About Data Explorer (Directory Tree)</h2>
<p> <p>
The data explorer tree is a very important area of the interface. The data explorer tree is a very important area of the interface.
This is where you will start many of your analysis approaches and find saved results from automated procedures (ingest). This is where you will start many of your analysis approaches and find saved results from automated procedures (ingest).
The tree has three main areas: The tree has three main areas:
</p> </p>
<ul> <ul>
<li><strong>Images:</strong> <li><strong>Images:</strong>
Where you can find the directory tree hierarchy of the file systems in the images. Where you can find the directory tree hierarchy of the file systems in the images.
Go here to navigate to a specific file or directory. Go here to navigate to a specific file or directory.
</li> </li>
<li><strong>Views:</strong> <li><strong>Views:</strong>
Where you can view all of the files in the images, but organized by file type or dates instead of directories. Where you can view all of the files in the images, but organized by file type or dates instead of directories.
Go here if you are looking for files of a given type or that were recently used. Go here if you are looking for files of a given type or that were recently used.
</li> </li>
<li><strong>Results:</strong> <li><strong>Results:</strong>
Where you can see the results from the background ingest tasks and you can see your previous search results. Where you can see the results from the background ingest tasks and you can see your previous search results.
Go here to see what was found by the ingest modules and to find your previous search results. Go here to see what was found by the ingest modules and to find your previous search results.
</li> </li>
<li><strong>Bookmarks:</strong> <li><strong>Bookmarks:</strong>
Where you can view all file and results that have been bookmarked for easy access. Where you can view all file and results that have been bookmarked for easy access.
</li> </li>
</ul> </ul>
<p>Below is an example of an Data Explorer Tree window:</p> <p>Below is an example of an Data Explorer Tree window:</p>
<img src="DirectoryTree_example.png" alt="Explorer Tree" /> <img src="DirectoryTree_example.png" alt="Explorer Tree" />
</body> </body>
</html> </html>
<!-- <!--
Tip: to create a link which will open in an external web browser, try: Tip: to create a link which will open in an external web browser, try:
<object classid="java:org.netbeans.modules.javahelp.BrowserDisplayer"> <object classid="java:org.netbeans.modules.javahelp.BrowserDisplayer">
<param name="content" value="http://www.netbeans.org/"> <param name="content" value="http://www.netbeans.org/">
<param name="text" value="<html><u>http://www.netbeans.org/</u></html>"> <param name="text" value="<html><u>http://www.netbeans.org/</u></html>">
<param name="textFontSize" value="medium"> <param name="textFontSize" value="medium">
<param name="textColor" value="blue"> <param name="textColor" value="blue">
</object> </object>
To create a link to a help set from another module, you need to know the code name base and path, e.g.: To create a link to a help set from another module, you need to know the code name base and path, e.g.:
<a href="nbdocs://org.netbeans.modules.usersguide/org/netbeans/modules/usersguide/configure/configure_options.html">Using the Options Window</a> <a href="nbdocs://org.netbeans.modules.usersguide/org/netbeans/modules/usersguide/configure/configure_options.html">Using the Options Window</a>
(This link will behave sanely if that module is disabled or missing.) (This link will behave sanely if that module is disabled or missing.)
!--> !-->


@ -1,20 +1,20 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<title>Image Details Window</title> <title>Image Details Window</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css"> <link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head> </head>
<body> <body>
<h2>Image Details Window</h2> <h2>Image Details Window</h2>
<p> <p>
The Image Details window shows you basic information about a disk image. The Image Details window shows you basic information about a disk image.
You can access it by right-clicking on an image in the tree and choosing "Image Details". You can access it by right-clicking on an image in the tree and choosing "Image Details".
</p> </p>
<img src="rightClick_imageDetails.png" alt="Right click on directory tree to show Image Details" /> <img src="rightClick_imageDetails.png" alt="Right click on directory tree to show Image Details" />
<p>An example is shown here:</p> <p>An example is shown here:</p>
<img src="ImageDetailHelp.png" alt="Example of Image Details Window" /> <img src="ImageDetailHelp.png" alt="Example of Image Details Window" />
</body> </body>
</html> </html>


@ -1,22 +1,22 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<title>Volume Details Window</title> <title>Volume Details Window</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css"> <link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head> </head>
<body> <body>
<h2>Volume Details Window</h2> <h2>Volume Details Window</h2>
<p> <p>
The Volume Details window shows you information about a volume. The Volume Details window shows you information about a volume.
It shows information such as the starting sector, length, and description. It shows information such as the starting sector, length, and description.
You can view the information by right clicking on a volume in the tree and choosing "Volume Details". You can view the information by right clicking on a volume in the tree and choosing "Volume Details".
</p> </p>
<img src="rightClick_volumeDetails.png" alt="Right click on directory tree to show Volume Details" /> <img src="rightClick_volumeDetails.png" alt="Right click on directory tree to show Volume Details" />
<p>An example is shown here:</p> <p>An example is shown here:</p>
<img src="VolumeDetailHelp.png" alt="Example of Volume Details Window" /> <img src="VolumeDetailHelp.png" alt="Example of Volume Details Window" />
</body> </body>
</html> </html>


@ -166,10 +166,7 @@ public class SampleContentViewer extends javax.swing.JPanel implements DataConte
} }
@Override @Override
public int isPreferred(Node node, boolean isSupported) { public int isPreferred(Node node) {
if (isSupported == false) {
return 0;
}
// we return 1 since this module will operate on nearly all files // we return 1 since this module will operate on nearly all files
return 1; return 1;
} }
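Review bot: The new `isPreferred(Node node)` in SampleContentViewer returns 1 for every node, so with the `isSupported == false` early return removed it relies on the caller having already checked support, and no caller is visible in this hunk to confirm that. Because this class is a template that module authors copy, the method should carry a Javadoc comment stating that assumption, for example `/** Returns this viewer's preference for the node; assumes the caller has already confirmed isSupported(node). */`. If the framework can still call `isPreferred` on an unsupported node, the guard belongs back in the body as `if (!isSupported(node)) { return 0; }`. The method itself is complete in the hunk, but the enclosing class starts and ends outside it.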


@ -1,125 +1,125 @@
/* /*
* Sample module in the public domain. Feel free to use this as a template * Sample module in the public domain. Feel free to use this as a template
* for your modules. * for your modules.
* *
* Contact: Brian Carrier [carrier <at> sleuthkit [dot] org] * Contact: Brian Carrier [carrier <at> sleuthkit [dot] org]
* *
* This is free and unencumbered software released into the public domain. * This is free and unencumbered software released into the public domain.
* *
* Anyone is free to copy, modify, publish, use, compile, sell, or * Anyone is free to copy, modify, publish, use, compile, sell, or
* distribute this software, either in source code form or as a compiled * distribute this software, either in source code form or as a compiled
* binary, for any purpose, commercial or non-commercial, and by any * binary, for any purpose, commercial or non-commercial, and by any
* means. * means.
* *
* In jurisdictions that recognize copyright laws, the author or authors * In jurisdictions that recognize copyright laws, the author or authors
* of this software dedicate any and all copyright interest in the * of this software dedicate any and all copyright interest in the
* software to the public domain. We make this dedication for the benefit * software to the public domain. We make this dedication for the benefit
* of the public at large and to the detriment of our heirs and * of the public at large and to the detriment of our heirs and
* successors. We intend this dedication to be an overt act of * successors. We intend this dedication to be an overt act of
* relinquishment in perpetuity of all present and future rights to this * relinquishment in perpetuity of all present and future rights to this
* software under copyright law. * software under copyright law.
* *
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
* IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR * IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
* OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
* ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
* OTHER DEALINGS IN THE SOFTWARE. * OTHER DEALINGS IN THE SOFTWARE.
*/ */
package org.sleuthkit.autopsy.examples; package org.sleuthkit.autopsy.examples;
import java.util.List; import java.util.List;
import org.apache.log4j.Logger; import org.apache.log4j.Logger;
import org.openide.util.Exceptions; import org.openide.util.Exceptions;
import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.casemodule.services.FileManager; import org.sleuthkit.autopsy.casemodule.services.FileManager;
import org.sleuthkit.autopsy.casemodule.services.Services; import org.sleuthkit.autopsy.casemodule.services.Services;
import org.sleuthkit.autopsy.ingest.IngestDataSourceWorkerController; import org.sleuthkit.autopsy.ingest.IngestDataSourceWorkerController;
import org.sleuthkit.autopsy.ingest.IngestModuleDataSource; import org.sleuthkit.autopsy.ingest.IngestModuleDataSource;
import org.sleuthkit.autopsy.ingest.IngestModuleInit; import org.sleuthkit.autopsy.ingest.IngestModuleInit;
import org.sleuthkit.autopsy.ingest.PipelineContext; import org.sleuthkit.autopsy.ingest.PipelineContext;
import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.Content; import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.FsContent; import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskCoreException;
/** /**
* Sample DataSource-level ingest module that doesn't do much at all. * Sample DataSource-level ingest module that doesn't do much at all.
* Just exists to show basic idea of these modules * Just exists to show basic idea of these modules
*/ */
public class SampleDataSourceIngestModule extends org.sleuthkit.autopsy.ingest.IngestModuleDataSource { public class SampleDataSourceIngestModule extends org.sleuthkit.autopsy.ingest.IngestModuleDataSource {
/* Data Source modules operate on a disk or set of logical files. They /* Data Source modules operate on a disk or set of logical files. They
* are passed in teh data source refernce and query it for things they want. * are passed in teh data source refernce and query it for things they want.
*/ */
@Override @Override
public void process(PipelineContext<IngestModuleDataSource> pipelineContext, Content dataSource, IngestDataSourceWorkerController controller) { public void process(PipelineContext<IngestModuleDataSource> pipelineContext, Content dataSource, IngestDataSourceWorkerController controller) {
Case case1 = Case.getCurrentCase(); Case case1 = Case.getCurrentCase();
SleuthkitCase sleuthkitCase = case1.getSleuthkitCase(); SleuthkitCase sleuthkitCase = case1.getSleuthkitCase();
Services services = new Services(sleuthkitCase); Services services = new Services(sleuthkitCase);
FileManager fm = services.getFileManager(); FileManager fm = services.getFileManager();
try { try {
/* you can use the findFiles method in FileManager (or similar ones in /* you can use the findFiles method in FileManager (or similar ones in
* SleuthkitCase to find files based only on their name. This * SleuthkitCase to find files based only on their name. This
* one finds files that have a .doc extension. */ * one finds files that have a .doc extension. */
List<AbstractFile> docFiles = fm.findFiles(dataSource, "%.doc"); List<AbstractFile> docFiles = fm.findFiles(dataSource, "%.doc");
for (AbstractFile file : docFiles) { for (AbstractFile file : docFiles) {
// do something with each doc file // do something with each doc file
} }
/* We can also do more general queries with findFilesWhere, which /* We can also do more general queries with findFilesWhere, which
* allows us to make our own WHERE clause in the database. * allows us to make our own WHERE clause in the database.
*/ */
long currentTime = System.currentTimeMillis()/1000; long currentTime = System.currentTimeMillis()/1000;
// go back 2 weeks // go back 2 weeks
long minTime = currentTime - (14 * 24 * 60 * 60); long minTime = currentTime - (14 * 24 * 60 * 60);
List<FsContent> otherFiles = sleuthkitCase.findFilesWhere("crtime > " + minTime); List<FsContent> otherFiles = sleuthkitCase.findFilesWhere("crtime > " + minTime);
// do something with these files... // do something with these files...
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
Logger log = Logger.getLogger(SampleDataSourceIngestModule.class); Logger log = Logger.getLogger(SampleDataSourceIngestModule.class);
log.fatal("Error retrieving files from database: " + ex.getLocalizedMessage()); log.fatal("Error retrieving files from database: " + ex.getLocalizedMessage());
return; return;
} }
} }
@Override @Override
public void init(IngestModuleInit initContext) { public void init(IngestModuleInit initContext) {
// do nothing // do nothing
} }
@Override @Override
public void complete() { public void complete() {
// do nothing // do nothing
} }
@Override @Override
public void stop() { public void stop() {
// do nothing // do nothing
} }
@Override @Override
public String getName() { public String getName() {
return "SampleDataSourceIngestModule"; return "SampleDataSourceIngestModule";
} }
@Override @Override
public String getVersion() { public String getVersion() {
return "1.0"; return "1.0";
} }
@Override @Override
public String getDescription() { public String getDescription() {
return "Doesn't do much"; return "Doesn't do much";
} }
@Override @Override
public boolean hasBackgroundJobsRunning() { public boolean hasBackgroundJobsRunning() {
return false; return false;
} }
} }


@ -1,178 +1,178 @@
/* /*
* Sample module in the public domain. Feel free to use this as a template * Sample module in the public domain. Feel free to use this as a template
* for your modules. * for your modules.
* *
* Contact: Brian Carrier [carrier <at> sleuthkit [dot] org] * Contact: Brian Carrier [carrier <at> sleuthkit [dot] org]
* *
* This is free and unencumbered software released into the public domain. * This is free and unencumbered software released into the public domain.
* *
* Anyone is free to copy, modify, publish, use, compile, sell, or * Anyone is free to copy, modify, publish, use, compile, sell, or
* distribute this software, either in source code form or as a compiled * distribute this software, either in source code form or as a compiled
* binary, for any purpose, commercial or non-commercial, and by any * binary, for any purpose, commercial or non-commercial, and by any
* means. * means.
* *
* In jurisdictions that recognize copyright laws, the author or authors * In jurisdictions that recognize copyright laws, the author or authors
* of this software dedicate any and all copyright interest in the * of this software dedicate any and all copyright interest in the
* software to the public domain. We make this dedication for the benefit * software to the public domain. We make this dedication for the benefit
* of the public at large and to the detriment of our heirs and * of the public at large and to the detriment of our heirs and
* successors. We intend this dedication to be an overt act of * successors. We intend this dedication to be an overt act of
* relinquishment in perpetuity of all present and future rights to this * relinquishment in perpetuity of all present and future rights to this
* software under copyright law. * software under copyright law.
* *
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
* IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR * IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
* OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
* ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
* OTHER DEALINGS IN THE SOFTWARE. * OTHER DEALINGS IN THE SOFTWARE.
*/ */
package org.sleuthkit.autopsy.examples; package org.sleuthkit.autopsy.examples;
import org.apache.log4j.Logger; import org.apache.log4j.Logger;
import org.openide.util.Exceptions; import org.openide.util.Exceptions;
import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.ingest.IngestModuleAbstractFile; import org.sleuthkit.autopsy.ingest.IngestModuleAbstractFile;
import org.sleuthkit.autopsy.ingest.IngestModuleInit; import org.sleuthkit.autopsy.ingest.IngestModuleInit;
import org.sleuthkit.autopsy.ingest.PipelineContext; import org.sleuthkit.autopsy.ingest.PipelineContext;
import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskCoreException;
import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskData; import org.sleuthkit.datamodel.TskData;
/** /**
* This is a sample and simple module. It is a file-level ingest module, meaning * This is a sample and simple module. It is a file-level ingest module, meaning
* that it will get called on each file in the disk image / logical file set. * that it will get called on each file in the disk image / logical file set.
* It does a stupid calculation of the number of null bytes in the beginning of the * It does a stupid calculation of the number of null bytes in the beginning of the
* file in order to show the basic flow. * file in order to show the basic flow.
* *
* Autopsy has been hard coded to ignore this module based on the it's package name. * Autopsy has been hard coded to ignore this module based on the it's package name.
* IngestModuleLoader will not load things from the org.sleuthkit.autopsy.examples package. * IngestModuleLoader will not load things from the org.sleuthkit.autopsy.examples package.
* Either change the package or the loading code to make this module actually run. * Either change the package or the loading code to make this module actually run.
*/ */
public class SampleFileIngestModule extends org.sleuthkit.autopsy.ingest.IngestModuleAbstractFile { public class SampleFileIngestModule extends org.sleuthkit.autopsy.ingest.IngestModuleAbstractFile {
private int attrId = -1; private int attrId = -1;
private static SampleFileIngestModule defaultInstance = null; private static SampleFileIngestModule defaultInstance = null;
// Private to ensure Singleton status // Private to ensure Singleton status
private SampleFileIngestModule() { private SampleFileIngestModule() {
} }
// File-level ingest modules are currently singleton -- this is required // File-level ingest modules are currently singleton -- this is required
public static synchronized SampleFileIngestModule getDefault() { public static synchronized SampleFileIngestModule getDefault() {
//defaultInstance is a private static class variable //defaultInstance is a private static class variable
if (defaultInstance == null) { if (defaultInstance == null) {
defaultInstance = new SampleFileIngestModule(); defaultInstance = new SampleFileIngestModule();
} }
return defaultInstance; return defaultInstance;
} }
@Override @Override
public void init(IngestModuleInit initContext) { public void init(IngestModuleInit initContext) {
/* For this demo, we are going to make a private attribute to post our /* For this demo, we are going to make a private attribute to post our
* results to the blackbaord with. There are many standard blackboard artifact * results to the blackbaord with. There are many standard blackboard artifact
* and attribute types and you should first consider using one of those before * and attribute types and you should first consider using one of those before
* making private ones because other modules won't know about provate ones. * making private ones because other modules won't know about provate ones.
* Because our demo has results that have no real value, we do not have an * Because our demo has results that have no real value, we do not have an
* official attribute for them. * official attribute for them.
*/ */
Case case1 = Case.getCurrentCase(); Case case1 = Case.getCurrentCase();
SleuthkitCase sleuthkitCase = case1.getSleuthkitCase(); SleuthkitCase sleuthkitCase = case1.getSleuthkitCase();
// see if the type already exists in the blackboard. // see if the type already exists in the blackboard.
try { try {
attrId = sleuthkitCase.getAttrTypeID("ATTR_SAMPLE"); attrId = sleuthkitCase.getAttrTypeID("ATTR_SAMPLE");
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
// create it if not // create it if not
try { try {
attrId = sleuthkitCase.addAttrType("ATTR_SAMPLE", "Sample Attribute"); attrId = sleuthkitCase.addAttrType("ATTR_SAMPLE", "Sample Attribute");
} catch (TskCoreException ex1) { } catch (TskCoreException ex1) {
Logger log = Logger.getLogger(SampleFileIngestModule.class); Logger log = Logger.getLogger(SampleFileIngestModule.class);
log.fatal("Error adding attribute type: " + ex1.getLocalizedMessage()); log.fatal("Error adding attribute type: " + ex1.getLocalizedMessage());
attrId = -1; attrId = -1;
} }
} }
} }
@Override @Override
public ProcessResult process(PipelineContext<IngestModuleAbstractFile> pipelineContext, AbstractFile abstractFile) { public ProcessResult process(PipelineContext<IngestModuleAbstractFile> pipelineContext, AbstractFile abstractFile) {
// skip non-files // skip non-files
if ((abstractFile.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) || if ((abstractFile.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) ||
(abstractFile.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS)) { (abstractFile.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS)) {
return ProcessResult.OK; return ProcessResult.OK;
} }
// skip NSRL / known files // skip NSRL / known files
if (abstractFile.getKnown() == TskData.FileKnown.KNOWN) { if (abstractFile.getKnown() == TskData.FileKnown.KNOWN) {
return ProcessResult.OK; return ProcessResult.OK;
} }
/* Do a non-sensical calculation of the number of 0x00 bytes /* Do a non-sensical calculation of the number of 0x00 bytes
* in the first 1024-bytes of the file. This is for demo * in the first 1024-bytes of the file. This is for demo
* purposes only. * purposes only.
*/ */
try { try {
byte buffer[] = new byte[1024]; byte buffer[] = new byte[1024];
int len = abstractFile.read(buffer, 0, 1024); int len = abstractFile.read(buffer, 0, 1024);
int count = 0; int count = 0;
for (int i = 0; i < len; i++) { for (int i = 0; i < len; i++) {
if (buffer[i] == 0x00) { if (buffer[i] == 0x00) {
count++; count++;
} }
} }
if (attrId != -1) { if (attrId != -1) {
// Make an attribute using the ID for the private type that we previously created. // Make an attribute using the ID for the private type that we previously created.
BlackboardAttribute attr = new BlackboardAttribute(attrId, getName(), count); BlackboardAttribute attr = new BlackboardAttribute(attrId, getName(), count);
/* add it to the general info artifact. In real modules, you would likely have /* add it to the general info artifact. In real modules, you would likely have
* more complex data types and be making more specific artifacts. * more complex data types and be making more specific artifacts.
*/ */
BlackboardArtifact art = abstractFile.getGenInfoArtifact(); BlackboardArtifact art = abstractFile.getGenInfoArtifact();
art.addAttribute(attr); art.addAttribute(attr);
} }
return ProcessResult.OK; return ProcessResult.OK;
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
Exceptions.printStackTrace(ex); Exceptions.printStackTrace(ex);
return ProcessResult.ERROR; return ProcessResult.ERROR;
} }
} }
@Override @Override
public void complete() { public void complete() {
} }
@Override @Override
public void stop() { public void stop() {
} }
@Override @Override
public String getVersion() { public String getVersion() {
return "1.0"; return "1.0";
} }
@Override @Override
public String getName() { public String getName() {
return "SampleFileIngestModule"; return "SampleFileIngestModule";
} }
@Override @Override
public String getDescription() { public String getDescription() {
return "Doesn't do much"; return "Doesn't do much";
} }
@Override @Override
public boolean hasBackgroundJobsRunning() { public boolean hasBackgroundJobsRunning() {
// we're single threaded... // we're single threaded...
return false; return false;
} }
} }


@ -1,52 +1,52 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<title>About File Search</title> <title>About File Search</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css"> <link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head> </head>
<body> <body>
<h2>About File Search</h2> <h2>About File Search</h2>
<p> <p>
File Search tool can be accessed either from the Tools menu or by right-clicking on image node in the Data Explorer / Directory Tree. File Search tool can be accessed either from the Tools menu or by right-clicking on image node in the Data Explorer / Directory Tree.
By using File Search, you can specify, filter, and show the directories and files that you want to see from the images in the current opened case. By using File Search, you can specify, filter, and show the directories and files that you want to see from the images in the current opened case.
The File Search results will be populated in a brand new Table Result viewer on the right-hand side. The File Search results will be populated in a brand new Table Result viewer on the right-hand side.
</p> </p>
<p>Currently, Autopsy only supports 4 categories in File Search: Name, Size, Date, and Known Status based search.</p> <p>Currently, Autopsy only supports 4 categories in File Search: Name, Size, Date, and Known Status based search.</p>
<ul class="note"> <ul class="note">
<li><strong>Note:</strong> <li><strong>Note:</strong>
Currently File Search doesn't support regular expression, Currently File Search doesn't support regular expression,
however the Keyword Search feature of Autopsy does also look in file names and it does support regular expressions, however the Keyword Search feature of Autopsy does also look in file names and it does support regular expressions,
which can complimentary to the File Search. which can complimentary to the File Search.
</li> </li>
</ul> </ul>
<h2>How to Open File Search</h2> <h2>How to Open File Search</h2>
<p>To see how to open File Search, click <a href="nbdocs:/org/sleuthkit/autopsy/filesearch/docs/open-filesearch.html">here</a>.</p> <p>To see how to open File Search, click <a href="nbdocs:/org/sleuthkit/autopsy/filesearch/docs/open-filesearch.html">here</a>.</p>
<ul class="note"> <ul class="note">
<li><strong>Note:</strong> <li><strong>Note:</strong>
The File Search Window is opened and closed automatically. The File Search Window is opened and closed automatically.
If there's a case opened and there is at least one image inside that case, File Search Window can't be closed. If there's a case opened and there is at least one image inside that case, File Search Window can't be closed.
</li> </li>
</ul> </ul>
<h2>How to Use File Search</h2> <h2>How to Use File Search</h2>
<p>To see how to use File Search, click <a href="nbdocs:/org/sleuthkit/autopsy/filesearch/docs/how-to-use-filesearch.html">here</a>.</p> <p>To see how to use File Search, click <a href="nbdocs:/org/sleuthkit/autopsy/filesearch/docs/how-to-use-filesearch.html">here</a>.</p>
<h2>Example</h2> <h2>Example</h2>
<p>Here's an example of a File Search window:</p> <p>Here's an example of a File Search window:</p>
<img src="FileSearch_example.png" alt="File Search Top Component Window" /> <img src="FileSearch_example.png" alt="File Search Top Component Window" />
</body> </body>
</html> </html>
<!-- <!--
Tip: to create a link which will open in an external web browser, try: Tip: to create a link which will open in an external web browser, try:
<object classid="java:org.netbeans.modules.javahelp.BrowserDisplayer"> <object classid="java:org.netbeans.modules.javahelp.BrowserDisplayer">
<param name="content" value="http://www.netbeans.org/"> <param name="content" value="http://www.netbeans.org/">
<param name="text" value="<html><u>http://www.netbeans.org/</u></html>"> <param name="text" value="<html><u>http://www.netbeans.org/</u></html>">
<param name="textFontSize" value="medium"> <param name="textFontSize" value="medium">
<param name="textColor" value="blue"> <param name="textColor" value="blue">
</object> </object>
To create a link to a help set from another module, you need to know the code name base and path, e.g.: To create a link to a help set from another module, you need to know the code name base and path, e.g.:
<a href="nbdocs://org.netbeans.modules.usersguide/org/netbeans/modules/usersguide/configure/configure_options.html">Using the Options Window</a> <a href="nbdocs://org.netbeans.modules.usersguide/org/netbeans/modules/usersguide/configure/configure_options.html">Using the Options Window</a>
(This link will behave sanely if that module is disabled or missing.) (This link will behave sanely if that module is disabled or missing.)
--> -->


@ -1,55 +1,55 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<title>How to Use File Search</title> <title>How to Use File Search</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css"> <link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head> </head>
<body> <body>
<h2>How to Use File Search</h2> <h2>How to Use File Search</h2>
<p>Currently, there are 4 categories that you can use to filter and show the directories and files within the images in the current opened case.</p> <p>Currently, there are 4 categories that you can use to filter and show the directories and files within the images in the current opened case.</p>
<p>The categories are:</p> <p>The categories are:</p>
<ol> <ol>
<li><strong>Name:</strong> <li><strong>Name:</strong>
<p>Search for all files and directory whose name contains the pattern given.</p> <p>Search for all files and directory whose name contains the pattern given.</p>
<ul class="note"> <ul class="note">
<li><strong>Note:</strong> it doesn't support regular expression and keyword matching.</li> <li><strong>Note:</strong> it doesn't support regular expression and keyword matching.</li>
</ul> </ul>
</li> </li>
<li><strong>Size:</strong> <li><strong>Size:</strong>
<p> <p>
Search for all files and directory whose size matches the pattern given. Search for all files and directory whose size matches the pattern given.
The pattern can be "equal to", "greater than", and "less than". The pattern can be "equal to", "greater than", and "less than".
The unit for the size can be "Byte(s)", "KB", "MB", "GB", and "TB". The unit for the size can be "Byte(s)", "KB", "MB", "GB", and "TB".
</p> </p>
</li> </li>
<li><strong>Date:</strong> <li><strong>Date:</strong>
<p> <p>
Search for all files and directory whose "date property" is within the date range given. Search for all files and directory whose "date property" is within the date range given.
The "date properties" are "Modified Date", "Accessed Date", "Changed Date", and "Created Date". The "date properties" are "Modified Date", "Accessed Date", "Changed Date", and "Created Date".
You must also specify the timezone for the date given. You must also specify the timezone for the date given.
</p> </p>
</li> </li>
<li><strong>Known Status:</strong> <li><strong>Known Status:</strong>
<p> <p>
Search for all files and directory whose known status is recognized as either Unknown, Known, or Known Bad. Search for all files and directory whose known status is recognized as either Unknown, Known, or Known Bad.
For more on Known Status, see <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/hashDbMgmt.html">Hash Database Management</a>. For more on Known Status, see <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/hashDbMgmt.html">Hash Database Management</a>.
</p> </p>
<p> <p>
To use any of these filters, check the box next to the category and click "Search" button to start the search process. To use any of these filters, check the box next to the category and click "Search" button to start the search process.
The result will show up in the "<a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/dataresult-about.html">Result Viewer</a>". The result will show up in the "<a href="nbdocs:/org/sleuthkit/autopsy/corecomponents/docs/dataresult-about.html">Result Viewer</a>".
</p> </p>
</li> </li>
</ol> </ol>
<h2>Example</h2> <h2>Example</h2>
<p> <p>
Here's an example where I try to get all the directories and files whose name contains "hello", Here's an example where I try to get all the directories and files whose name contains "hello",
has a size greater than 1000 Bytes,was created between 06/15/2010 and 06/16/2010 (in GMT-5 timezone), and is an unknown file: has a size greater than 1000 Bytes,was created between 06/15/2010 and 06/16/2010 (in GMT-5 timezone), and is an unknown file:
</p> </p>
<img src="FileSearch_usage.png" alt="Example of File Search usage" /> <img src="FileSearch_usage.png" alt="Example of File Search usage" />
</body> </body>
</html> </html>


@ -1,29 +1,29 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<title>How to Open File Search</title> <title>How to Open File Search</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css"> <link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head> </head>
<body> <body>
<h2>How to Open File Search</h2> <h2>How to Open File Search</h2>
<p>To open the File Search, you can do one of the following thing:</p> <p>To open the File Search, you can do one of the following thing:</p>
<ul> <ul>
<li>Right click an image and choose "Open File Search by Attributes". <li>Right click an image and choose "Open File Search by Attributes".
<br> <br>
<img src="open_fileSearch1.png" alt="Open File Search Top Component 1" /> <img src="open_fileSearch1.png" alt="Open File Search Top Component 1" />
</li> </li>
<li>Select the "Tools" > "File Search by Attributes". <li>Select the "Tools" > "File Search by Attributes".
<br> <br>
<img src="open_fileSearch2.png" alt="Open File Search Top Component 2" /> <img src="open_fileSearch2.png" alt="Open File Search Top Component 2" />
</li> </li>
</ul> </ul>
<ul class="note"> <ul class="note">
<li><strong>Note:</strong> <li><strong>Note:</strong>
The File Search Window is opened and closed automatically. The File Search Window is opened and closed automatically.
If there's a case opened and there is at least one image inside that case, File Search Window can't be closed. If there's a case opened and there is at least one image inside that case, File Search Window can't be closed.
</li> </li>
</ul> </ul>
</body> </body>
</html> </html>


@ -1,98 +1,98 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<title>Image Ingest</title> <title>Image Ingest</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css"> <link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head> </head>
<body> <body>
<h2>Image Ingest</h2> <h2>Image Ingest</h2>
<p> <p>
Autopsy tries to automate as many things as possible for the user. Autopsy tries to automate as many things as possible for the user.
There are many tasks that will always be performed in a digital investigation and they normally involve some type of image or file analysis and extraction of a certain type of information. There are many tasks that will always be performed in a digital investigation and they normally involve some type of image or file analysis and extraction of a certain type of information.
The analysis can be a lengthy process, especially for large images and when a number of types of analysis needs to be performed. The analysis can be a lengthy process, especially for large images and when a number of types of analysis needs to be performed.
</p> </p>
<p> <p>
Ingest is a technique of automating these tasks. Autopsy allows to run these lengthy analysis tasks in the background, Ingest is a technique of automating these tasks. Autopsy allows to run these lengthy analysis tasks in the background,
while the user can browse the application interface and review the ingest results as their appear. while the user can browse the application interface and review the ingest results as their appear.
Ingest is similar to triage. Ingest is similar to triage.
Autopsy attempts to process files inside the ingested image in such order so that the more interesting files (user-related files) are processed files. Autopsy attempts to process files inside the ingested image in such order so that the more interesting files (user-related files) are processed files.
</p> </p>
<p> <p>
The ingest process begins after the basic file system information has been added to the database. The ingest process begins after the basic file system information has been added to the database.
A series of ingest modules (described in a following section) run automatically behind the scenes and make their results available as soon as possible. A series of ingest modules (described in a following section) run automatically behind the scenes and make their results available as soon as possible.
Autopsy is designed so that these results are reported to the user in real-time, Autopsy is designed so that these results are reported to the user in real-time,
and even for very large images to be processed there can be initial results available minutes, sometimes seconds after the analysis has started. and even for very large images to be processed there can be initial results available minutes, sometimes seconds after the analysis has started.
</p> </p>
<p> <p>
You can start image ingest in two ways. When you add an image with the <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/addImage.html">Add Data Source wizard</a>, You can start image ingest in two ways. When you add an image with the <a href="nbdocs:/org/sleuthkit/autopsy/casemodule/docs/addImage.html">Add Data Source wizard</a>,
you will be shown the list of ingest modules and you can choose which you want to run. you will be shown the list of ingest modules and you can choose which you want to run.
You can also launch the Ingest Manager run ingest by right clicking on an image in the explorer tree and choosing "Restart Image Ingest". You can also launch the Ingest Manager run ingest by right clicking on an image in the explorer tree and choosing "Restart Image Ingest".
</p> </p>
<p> <p>
Once ingest is started, you can review the currently running ingest tasks in the task bar on the bottom-right corner of the main window. Once ingest is started, you can review the currently running ingest tasks in the task bar on the bottom-right corner of the main window.
The ingest tasks can be canceled by the user if so desired. The ingest tasks can be canceled by the user if so desired.
</p> </p>
<ul class="note"> <ul class="note">
<li><strong>Note:</strong> <li><strong>Note:</strong>
sometimes the cancellation process make take several seconds or more to complete cleanly, depending on what the ingest module was currently doing. sometimes the cancellation process make take several seconds or more to complete cleanly, depending on what the ingest module was currently doing.
</li> </li>
</ul> </ul>
<p> <p>
The ingest message inbox will provide notifications when the particular ingest modules start and finish running. The ingest message inbox will provide notifications when the particular ingest modules start and finish running.
There may also be error notifications, and result notifications sent by specific ingest modules. There may also be error notifications, and result notifications sent by specific ingest modules.
</p> </p>
<p> <p>
The results from the ingest modules can typically be found in the Results area of the explorer tree. The results from the ingest modules can typically be found in the Results area of the explorer tree.
However, some modules may choose to write results to a local file or to some other location and not make them available in the UI. However, some modules may choose to write results to a local file or to some other location and not make them available in the UI.
</p> </p>
<h2>Ingest Modules</h2> <h2>Ingest Modules</h2>
<p> <p>
An ingest module is responsible for extracting data from and searching images. An ingest module is responsible for extracting data from and searching images.
Different modules will do different things. Examples include: Different modules will do different things. Examples include:
</p> </p>
<ul> <ul>
<li>Calculate MD5 hash of each file</li> <li>Calculate MD5 hash of each file</li>
<li>Lookup MD5 hash in database</li> <li>Lookup MD5 hash in database</li>
<li>Detect file type of each file</li> <li>Detect file type of each file</li>
<li>Keyword search each file</li> <li>Keyword search each file</li>
<li>Extract web artifacts (downloads, history, installed programs, web search engine queries, etc.)</li> <li>Extract web artifacts (downloads, history, installed programs, web search engine queries, etc.)</li>
<li>Extract Email messages</li> <li>Extract Email messages</li>
<li>Extract connected device IDs.</li> <li>Extract connected device IDs.</li>
<li>Extract EXIF meta-data from picture files</li> <li>Extract EXIF meta-data from picture files</li>
</ul> </ul>
<h2>Configuring Ingest Modules</h2> <h2>Configuring Ingest Modules</h2>
<p> <p>
There are two places to configure ingest modules. When the Ingest Manager is launched, there may be a small set of options the module allows you to edit directly in the Ingest Manager. There are two places to configure ingest modules. When the Ingest Manager is launched, there may be a small set of options the module allows you to edit directly in the Ingest Manager.
Additionally, the Ingest Manager may display an "Advanced" button, which will open up a larger configuration menu with more available settings. Additionally, the Ingest Manager may display an "Advanced" button, which will open up a larger configuration menu with more available settings.
This advanced configuration menu can often be found in the "Tools" > "Options" menu, along with the advanced settings for numerous other ingest modules. This advanced configuration menu can often be found in the "Tools" > "Options" menu, along with the advanced settings for numerous other ingest modules.
</p> </p>
<p> <p>
Before launching ingest, you should go over the modules configuration by selecting every module in the list and review the current ingest module settings. Before launching ingest, you should go over the modules configuration by selecting every module in the list and review the current ingest module settings.
Some modules need to be configured at least the first time Autopsy is used to have default configuration populated, otherwise they won't perform any analysis. Some modules need to be configured at least the first time Autopsy is used to have default configuration populated, otherwise they won't perform any analysis.
Changing the modules configuration will potentially affect number of results found, it might also affect the total time required for ingest to run and how fast the results are reported in real-time. Changing the modules configuration will potentially affect number of results found, it might also affect the total time required for ingest to run and how fast the results are reported in real-time.
</p> </p>
<h2>Adding Ingest Modules</h2> <h2>Adding Ingest Modules</h2>
<p> <p>
Ingest modules can be created by third-party-developers and can be added independently of Autopsy. Ingest modules can be created by third-party-developers and can be added independently of Autopsy.
This can be done through Autopsy's plugin manager. This is accessible through the "Tools" > "Plugins" menu. This can be done through Autopsy's plugin manager. This is accessible through the "Tools" > "Plugins" menu.
Currently, the best way to add an ingest module is by navigating to the module's NBM file after choosing "Add Plugin..." in the "Downloaded" tab of the plugin manager. Currently, the best way to add an ingest module is by navigating to the module's NBM file after choosing "Add Plugin..." in the "Downloaded" tab of the plugin manager.
Autopsy will require a restart after any modules are installed in order to properly load and display them. Autopsy will require a restart after any modules are installed in order to properly load and display them.
</p> </p>
</body> </body>
</html> </html>
<!-- <!--
Tip: to create a link which will open in an external web browser, try: Tip: to create a link which will open in an external web browser, try:
<object classid="java:org.netbeans.modules.javahelp.BrowserDisplayer"> <object classid="java:org.netbeans.modules.javahelp.BrowserDisplayer">
<param name="content" value="http://www.netbeans.org/"> <param name="content" value="http://www.netbeans.org/">
<param name="text" value="<html><u>http://www.netbeans.org/</u></html>"> <param name="text" value="<html><u>http://www.netbeans.org/</u></html>">
<param name="textFontSize" value="medium"> <param name="textFontSize" value="medium">
<param name="textColor" value="blue"> <param name="textColor" value="blue">
</object> </object>
To create a link to a help set from another module, you need to know the code name base and path, e.g.: To create a link to a help set from another module, you need to know the code name base and path, e.g.:
<a href="nbdocs://org.netbeans.modules.usersguide/org/netbeans/modules/usersguide/configure/configure_options.html">Using the Options Window</a> <a href="nbdocs://org.netbeans.modules.usersguide/org/netbeans/modules/usersguide/configure/configure_options.html">Using the Options Window</a>
(This link will behave sanely if that module is disabled or missing.) (This link will behave sanely if that module is disabled or missing.)
!--> !-->


@ -1,56 +1,56 @@
<!-- <!--
Autopsy Forensic Browser Autopsy Forensic Browser
Copyright 2011 Basis Technology Corp. Copyright 2011 Basis Technology Corp.
Contact: carrier <at> sleuthkit <dot> org Contact: carrier <at> sleuthkit <dot> org
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.
You may obtain a copy of the License at You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0 http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
--> -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<title>Ingest Message Inbox</title> <title>Ingest Message Inbox</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css"> <link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head> </head>
<body> <body>
<h2>Ingest Message Inbox</h2> <h2>Ingest Message Inbox</h2>
<p> <p>
The ingest message inbox is used by Autopsy to provide real-time updates during ingest. The ingest message inbox is used by Autopsy to provide real-time updates during ingest.
To open the inbox, click on the yellow warning sign in the top/right corner of the Autopsy window. To open the inbox, click on the yellow warning sign in the top/right corner of the Autopsy window.
The sign can display a number of incoming unread (not yet clicked) messages during ingest in its upper-right corner. The sign can display a number of incoming unread (not yet clicked) messages during ingest in its upper-right corner.
</p> </p>
<img src="inbox-button.png" alt="Inbox button" /> <img src="inbox-button.png" alt="Inbox button" />
<p> <p>
Ingest modules are able to post messages when notable events occur, Ingest modules are able to post messages when notable events occur,
such as a keyword or hash database hit. such as a keyword or hash database hit.
If a module posts many similar messages in a short time span, If a module posts many similar messages in a short time span,
the inbox will group those messages so that unique updates are not lost among the noise. the inbox will group those messages so that unique updates are not lost among the noise.
</p> </p>
<p> <p>
The grouped messages are colored with different shades to indicate their importance; The grouped messages are colored with different shades to indicate their importance;
if a message group contains a lower number of unique messages, if a message group contains a lower number of unique messages,
it is potentially more important than another group with a large number of unique messages. it is potentially more important than another group with a large number of unique messages.
The more unique important messages have a lighter background color. The more unique important messages have a lighter background color.
</p> </p>
<p>The ingest messages can be sorted by uniqueness/importance, or by chronological order in which they had appeared.</p> <p>The ingest messages can be sorted by uniqueness/importance, or by chronological order in which they had appeared.</p>
<p> <p>
A message can be clicked to view the message details. When a message is clicked, it is marked as "read". A message can be clicked to view the message details. When a message is clicked, it is marked as "read".
When updates are posted with regard to a specific result or file, the message is linked to that file When updates are posted with regard to a specific result or file, the message is linked to that file
and the buttons in the top/right corner of the message details view can be used to browse to that data. and the buttons in the top/right corner of the message details view can be used to browse to that data.
</p> </p>
<img src="inbox-main.PNG" alt="Inbox Main Screen" /> <img src="inbox-main.PNG" alt="Inbox Main Screen" />
<br /> <br />
<img src="inbox-details.PNG" alt="Inbox Details Screen" /> <img src="inbox-details.PNG" alt="Inbox Details Screen" />
</body> </body>
</html> </html>


@ -50,7 +50,6 @@ public final class HashDbConfigPanel extends javax.swing.JPanel implements Optio
private static final String NO_SELECTION_TEXT = "No database selected"; private static final String NO_SELECTION_TEXT = "No database selected";
private static final String ERROR_GETTING_PATH_TEXT = "Error occurred getting path"; private static final String ERROR_GETTING_PATH_TEXT = "Error occurred getting path";
private static final String ERROR_GETTING_INDEX_STATUS_TEXT = "Error occurred getting status"; private static final String ERROR_GETTING_INDEX_STATUS_TEXT = "Error occurred getting status";
private static final String LEGACY_INDEX_FILE_EXTENSION = "-md5.idx";
private HashDbManager hashSetManager = HashDbManager.getInstance(); private HashDbManager hashSetManager = HashDbManager.getInstance();
private HashSetTableModel hashSetTableModel = new HashSetTableModel(); private HashSetTableModel hashSetTableModel = new HashSetTableModel();
@ -161,13 +160,10 @@ public final class HashDbConfigPanel extends javax.swing.JPanel implements Optio
hashDbIndexStatusLabel.setForeground(Color.black); hashDbIndexStatusLabel.setForeground(Color.black);
indexButton.setEnabled(false); indexButton.setEnabled(false);
} }
else if (db.hasLookupIndex()) { else if (db.hasIndex()) {
if (db.hasIndexOnly()) { if (db.hasIndexOnly()) {
hashDbIndexStatusLabel.setText("Index only"); hashDbIndexStatusLabel.setText("Index only");
} }
else if (db.getIndexPath().endsWith(LEGACY_INDEX_FILE_EXTENSION)) {
hashDbIndexStatusLabel.setText("Indexed (old format)");
}
else { else {
hashDbIndexStatusLabel.setText("Indexed"); hashDbIndexStatusLabel.setText("Indexed");
} }
@ -242,7 +238,7 @@ public final class HashDbConfigPanel extends javax.swing.JPanel implements Optio
List<HashDb> unindexed = new ArrayList<>(); List<HashDb> unindexed = new ArrayList<>();
for (HashDb hashSet : hashSetManager.getAllHashSets()) { for (HashDb hashSet : hashSetManager.getAllHashSets()) {
try { try {
if (!hashSet.hasLookupIndex()) { if (!hashSet.hasIndex()) {
unindexed.add(hashSet); unindexed.add(hashSet);
} }
} }
@ -376,7 +372,7 @@ public final class HashDbConfigPanel extends javax.swing.JPanel implements Optio
private boolean indexExists(int rowIndex){ private boolean indexExists(int rowIndex){
try { try {
return hashSets.get(rowIndex).hasLookupIndex(); return hashSets.get(rowIndex).hasIndex();
} }
catch (TskCoreException ex) { catch (TskCoreException ex) {
Logger.getLogger(HashSetTableModel.class.getName()).log(Level.SEVERE, "Error getting index info for hash database", ex); Logger.getLogger(HashSetTableModel.class.getName()).log(Level.SEVERE, "Error getting index info for hash database", ex);


@ -43,6 +43,7 @@ import org.sleuthkit.datamodel.TskCoreException;
import org.sleuthkit.datamodel.TskData; import org.sleuthkit.datamodel.TskData;
import org.sleuthkit.datamodel.TskException; import org.sleuthkit.datamodel.TskException;
import org.sleuthkit.autopsy.hashdatabase.HashDbManager.HashDb; import org.sleuthkit.autopsy.hashdatabase.HashDbManager.HashDb;
import org.sleuthkit.datamodel.HashInfo;
public class HashDbIngestModule extends IngestModuleAbstractFile { public class HashDbIngestModule extends IngestModuleAbstractFile {
private static HashDbIngestModule instance = null; private static HashDbIngestModule instance = null;
@ -164,7 +165,7 @@ public class HashDbIngestModule extends IngestModuleAbstractFile {
for (HashDb db : hashDbs) { for (HashDb db : hashDbs) {
if (db.getSearchDuringIngest()) { if (db.getSearchDuringIngest()) {
try { try {
if (db.hasLookupIndex()) { if (db.hasIndex()) {
hashDbsForIngest.add(db); hashDbsForIngest.add(db);
} }
} }
@ -218,7 +219,8 @@ public class HashDbIngestModule extends IngestModuleAbstractFile {
for (HashDb db : knownBadHashSets) { for (HashDb db : knownBadHashSets) {
try { try {
long lookupstart = System.currentTimeMillis(); long lookupstart = System.currentTimeMillis();
if (db.hasMd5HashOf(file)) { HashInfo hashInfo = db.lookUp(file);
if (null != hashInfo) {
foundBad = true; foundBad = true;
knownBadCount += 1; knownBadCount += 1;
try { try {
@ -231,14 +233,14 @@ public class HashDbIngestModule extends IngestModuleAbstractFile {
} }
String hashSetName = db.getHashSetName(); String hashSetName = db.getHashSetName();
String comment = ""; String comment = "";
ArrayList<String> comments = db.lookUp(file).getComments(); ArrayList<String> comments = hashInfo.getComments();
int i = 0; int i = 0;
for (String c : comments) { for (String c : comments) {
comment += c;
if (++i > 1) { if (++i > 1) {
c += ". "; comment += " ";
} }
comment += c;
if (comment.length() > MAX_COMMENT_SIZE) { if (comment.length() > MAX_COMMENT_SIZE) {
comment = comment.substring(0, MAX_COMMENT_SIZE) + "..."; comment = comment.substring(0, MAX_COMMENT_SIZE) + "...";
break; break;
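Review bot: In the `for (String c : comments)` loop the counter `i` exists only to decide whether a separator is needed, and the comment is grown with repeated `+=` before being cut at MAX_COMMENT_SIZE. Testing the accumulated text reads more directly, `if (!comment.isEmpty()) { comment += " "; }`, and lets `int i = 0;` go; the two forms differ only when the first comment is an empty string. `hashInfo.getComments()` is also iterated without a null check, and whether it can return null is not visible here, so a short comment stating that it always returns a list would help. The enclosing loop over `knownBadHashSets` starts and ends outside this hunk.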


@ -243,9 +243,9 @@ public class HashDbManager implements PropertyChangeListener {
return hashDb; return hashDb;
} }
synchronized void indexHashDatabase(HashDb hashDb, boolean deleteIndexFile) { synchronized void indexHashDatabase(HashDb hashDb) {
hashDb.addPropertyChangeListener(this); hashDb.addPropertyChangeListener(this);
HashDbIndexer creator = new HashDbIndexer(hashDb, deleteIndexFile); HashDbIndexer creator = new HashDbIndexer(hashDb);
creator.execute(); creator.execute();
} }
@ -788,7 +788,7 @@ public class HashDbManager implements PropertyChangeListener {
* @throws TskCoreException * @throws TskCoreException
*/ */
public void addHashes(Content content, String comment) throws TskCoreException { public void addHashes(Content content, String comment) throws TskCoreException {
// TODO: This only works for AbstractFiles and MD5 hashes at present. // This only works for AbstractFiles and MD5 hashes at present.
assert content instanceof AbstractFile; assert content instanceof AbstractFile;
if (content instanceof AbstractFile) { if (content instanceof AbstractFile) {
AbstractFile file = (AbstractFile)content; AbstractFile file = (AbstractFile)content;
@ -812,7 +812,7 @@ public class HashDbManager implements PropertyChangeListener {
public HashInfo lookUp(Content content) throws TskCoreException { public HashInfo lookUp(Content content) throws TskCoreException {
HashInfo result = null; HashInfo result = null;
// TODO: This only works for AbstractFiles and MD5 hashes at present. // This only works for AbstractFiles and MD5 hashes at present.
assert content instanceof AbstractFile; assert content instanceof AbstractFile;
if (content instanceof AbstractFile) { if (content instanceof AbstractFile) {
AbstractFile file = (AbstractFile)content; AbstractFile file = (AbstractFile)content;
@ -823,12 +823,12 @@ public class HashDbManager implements PropertyChangeListener {
return result; return result;
} }
boolean hasLookupIndex() throws TskCoreException { boolean hasIndex() throws TskCoreException {
return SleuthkitJNI.hashDatabaseHasLookupIndex(handle); return SleuthkitJNI.hashDatabaseHasLookupIndex(handle);
} }
boolean hasIndexOnly() throws TskCoreException { boolean hasIndexOnly() throws TskCoreException {
return SleuthkitJNI.hashDatabaseHasLegacyLookupIndexOnly(handle); return SleuthkitJNI.hashDatabaseIsIndexOnly(handle);
} }
boolean canBeReIndexed() throws TskCoreException { boolean canBeReIndexed() throws TskCoreException {
@ -847,11 +847,9 @@ public class HashDbManager implements PropertyChangeListener {
private class HashDbIndexer extends SwingWorker<Object, Void> { private class HashDbIndexer extends SwingWorker<Object, Void> {
private ProgressHandle progress = null; private ProgressHandle progress = null;
private HashDb hashDb = null; private HashDb hashDb = null;
private boolean deleteIndexFile = false;
HashDbIndexer(HashDb hashDb, boolean deleteIndexFile) { HashDbIndexer(HashDb hashDb) {
this.hashDb = hashDb; this.hashDb = hashDb;
this.deleteIndexFile = deleteIndexFile;
}; };
@Override @Override
@ -861,7 +859,7 @@ public class HashDbManager implements PropertyChangeListener {
progress.start(); progress.start();
progress.switchToIndeterminate(); progress.switchToIndeterminate();
try { try {
SleuthkitJNI.createLookupIndexForHashDatabase(hashDb.handle, deleteIndexFile); SleuthkitJNI.createLookupIndexForHashDatabase(hashDb.handle);
} }
catch (TskCoreException ex) { catch (TskCoreException ex) {
Logger.getLogger(HashDb.class.getName()).log(Level.SEVERE, "Error indexing hash database", ex); Logger.getLogger(HashDb.class.getName()).log(Level.SEVERE, "Error indexing hash database", ex);
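Review bot: `lookUp(Content)` guards its input with `assert content instanceof AbstractFile;` followed by an `if` on the same condition, and `addHashes` does the same; Java assertions are off unless the JVM runs with `-ea`, so content of any other type falls through and `lookUp` returns its initial `null`. The ingest module in this commit now uses `null != hashInfo` as the hit test, which makes "could not be looked up" indistinguishable from "not in the hash set" for known-bad matching. Consider failing loudly, e.g. `if (!(content instanceof AbstractFile)) { throw new TskCoreException("Hash lookup supports only AbstractFile content"); }`, or at least stating the null contract in the Javadoc now that the `TODO` marker has been dropped from the comment. Both method bodies continue outside their hunks.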


@ -146,7 +146,7 @@ public class HashDbSimpleConfigPanel extends javax.swing.JPanel {
HashDb db = hashDatabases.get(rowIndex); HashDb db = hashDatabases.get(rowIndex);
boolean dbHasIndex = false; boolean dbHasIndex = false;
try { try {
dbHasIndex = db.hasLookupIndex(); dbHasIndex = db.hasIndex();
} }
catch (TskCoreException ex) { catch (TskCoreException ex) {
Logger.getLogger(HashDbSimpleConfigPanel.class.getName()).log(Level.SEVERE, "Error getting info for " + db.getHashSetName() + " hash database", ex); Logger.getLogger(HashDbSimpleConfigPanel.class.getName()).log(Level.SEVERE, "Error getting info for " + db.getHashSetName() + " hash database", ex);


@ -21,13 +21,9 @@ package org.sleuthkit.autopsy.hashdatabase;
import java.beans.PropertyChangeEvent; import java.beans.PropertyChangeEvent;
import java.beans.PropertyChangeListener; import java.beans.PropertyChangeListener;
import java.io.File;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import java.util.logging.Level;
import javax.swing.JOptionPane; import javax.swing.JOptionPane;
import org.sleuthkit.autopsy.coreutils.Logger;
import org.sleuthkit.datamodel.TskCoreException;
import org.sleuthkit.autopsy.hashdatabase.HashDbManager.HashDb; import org.sleuthkit.autopsy.hashdatabase.HashDbManager.HashDb;
/** /**
@ -42,7 +38,6 @@ import org.sleuthkit.autopsy.hashdatabase.HashDbManager.HashDb;
*/ */
class ModalNoButtons extends javax.swing.JDialog implements PropertyChangeListener { class ModalNoButtons extends javax.swing.JDialog implements PropertyChangeListener {
private static final String INDEX_FILE_EXTENSION = ".kdb";
List<HashDb> unindexed; List<HashDb> unindexed;
HashDb toIndex; HashDb toIndex;
HashDbConfigPanel hdbmp; HashDbConfigPanel hdbmp;
@ -211,7 +206,7 @@ class ModalNoButtons extends javax.swing.JDialog implements PropertyChangeListen
this.CURRENTLYON_LABEL.setText("Currently indexing 1 database"); this.CURRENTLYON_LABEL.setText("Currently indexing 1 database");
if (!this.toIndex.isIndexing()) { if (!this.toIndex.isIndexing()) {
this.toIndex.addPropertyChangeListener(this); this.toIndex.addPropertyChangeListener(this);
HashDbManager.getInstance().indexHashDatabase(toIndex, okToDeleteOldIndexFile(toIndex)); HashDbManager.getInstance().indexHashDatabase(toIndex);
} }
} }
@ -227,7 +222,7 @@ class ModalNoButtons extends javax.swing.JDialog implements PropertyChangeListen
this.CURRENTLYON_LABEL.setText("Currently indexing 1 of " + length); this.CURRENTLYON_LABEL.setText("Currently indexing 1 of " + length);
if (!db.isIndexing()) { if (!db.isIndexing()) {
db.addPropertyChangeListener(this); db.addPropertyChangeListener(this);
HashDbManager.getInstance().indexHashDatabase(db, okToDeleteOldIndexFile(db)); HashDbManager.getInstance().indexHashDatabase(db);
} }
} }
} }
@ -255,23 +250,5 @@ class ModalNoButtons extends javax.swing.JDialog implements PropertyChangeListen
this.CURRENTLYON_LABEL.setText("Currently indexing " + currentcount + " of " + length); this.CURRENTLYON_LABEL.setText("Currently indexing " + currentcount + " of " + length);
} }
} }
} }
private boolean okToDeleteOldIndexFile(HashDb hashDb) {
boolean deleteOldIndexFile = true;
try {
if (hashDb.hasLookupIndex()) {
String indexPath = hashDb.getIndexPath();
File indexFile = new File(indexPath);
if (!indexPath.endsWith(INDEX_FILE_EXTENSION)) {
deleteOldIndexFile = JOptionPane.showConfirmDialog(this, "Updating index file format, delete " + indexFile.getName() + " file that uses the old file format?", "Delete Obsolete Index File", JOptionPane.YES_NO_OPTION) == JOptionPane.YES_OPTION;
}
}
}
catch (TskCoreException ex) {
Logger.getLogger(HashDbConfigPanel.class.getName()).log(Level.SEVERE, "Error getting index info for hash database", ex);
JOptionPane.showMessageDialog(null, "Error gettting index information for " + hashDb.getHashSetName() + " hash database. Cannot perform indexing operation.", "Hash Database Index Status Error", JOptionPane.ERROR_MESSAGE);
}
return deleteOldIndexFile;
}
} }


@ -311,19 +311,15 @@ public class ExtractedContentViewer implements DataContentViewer {
} }
@Override @Override
public int isPreferred(Node node, public int isPreferred(Node node) {
boolean isSupported) {
BlackboardArtifact art = node.getLookup().lookup(BlackboardArtifact.class); BlackboardArtifact art = node.getLookup().lookup(BlackboardArtifact.class);
if (isSupported) {
if (art == null) { if (art == null) {
return 4; return 4;
} else if (art.getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) { } else if (art.getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
return 6; return 6;
} else {
return 4;
}
} else { } else {
return 0; return 4;
} }
} }
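Review bot: `isPreferred(Node)` no longer returns 0 for unsupported nodes, so it now relies on callers checking `isSupported` first, and that precondition is not stated on the method. A one-line Javadoc such as `/** Callers must check isSupported(node) first; returns 6 for keyword-hit artifacts, otherwise 4. */` would record it. The `art == null` branch and the final `else` both return 4, so the body could be reduced to `return (art != null && art.getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) ? 6 : 4;`.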


@ -1,61 +0,0 @@
/*
* Autopsy Forensic Browser
*
* Copyright 2012 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.recentactivity;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
/**
*
* No one seems to be using this
*/
@Deprecated
public enum BrowserActivityType {
Cookies(0),
Url(1),
Bookmarks(2);
private static final Map<Integer,BrowserActivityType> lookup
= new HashMap<Integer,BrowserActivityType>();
static {
for(BrowserActivityType bat : values())
lookup.put(bat.type, bat);
}
private int type;
private BrowserActivityType(int type)
{
this.type = type;
}
public int getType() { return type; }
public static BrowserActivityType get(int type) {
switch(type) {
case 0: return Cookies;
case 1: return Url;
case 2: return Bookmarks;
}
return null;
}
}


@ -1,60 +0,0 @@
/*
* Autopsy Forensic Browser
*
* Copyright 2012 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.recentactivity;
import java.util.HashMap;
import java.util.Map;
/**
*
* No one is using this. It should go away
*/
@Deprecated
public enum BrowserType {
IE(0), //Internet Explorer
FF(1), //Firefox
CH(2); //Chrome
private static final Map<Integer,BrowserType> lookup
= new HashMap<Integer,BrowserType>();
static {
for(BrowserType bt : values())
lookup.put(bt.type, bt);
}
private int type;
private BrowserType(int type)
{
this.type = type;
}
public int getType() { return type; }
public static BrowserType get(int type) {
switch(type) {
case 0: return IE;
case 1: return FF;
case 2: return CH;
}
return null;
}
}


@ -55,7 +55,7 @@ import org.sleuthkit.datamodel.TskData;
/** /**
* Chrome recent activity extraction * Chrome recent activity extraction
*/ */
public class Chrome extends Extract { class Chrome extends Extract {
private static final String historyQuery = "SELECT urls.url, urls.title, urls.visit_count, urls.typed_count, " private static final String historyQuery = "SELECT urls.url, urls.title, urls.visit_count, urls.typed_count, "
+ "last_visit_time, urls.hidden, visits.visit_time, (SELECT urls.url FROM urls WHERE urls.id=visits.url) as from_visit, visits.transition FROM urls, visits WHERE urls.id = visits.url"; + "last_visit_time, urls.hidden, visits.visit_time, (SELECT urls.url FROM urls WHERE urls.id=visits.url) as from_visit, visits.transition FROM urls, visits WHERE urls.id = visits.url";
@ -65,8 +65,8 @@ public class Chrome extends Extract {
private static final String downloadQueryVersion30 = "SELECT current_path as full_path, url, start_time, received_bytes FROM downloads, downloads_url_chains WHERE downloads.id=downloads_url_chains.id"; private static final String downloadQueryVersion30 = "SELECT current_path as full_path, url, start_time, received_bytes FROM downloads, downloads_url_chains WHERE downloads.id=downloads_url_chains.id";
private static final String loginQuery = "select origin_url, username_value, signon_realm from logins"; private static final String loginQuery = "select origin_url, username_value, signon_realm from logins";
private final Logger logger = Logger.getLogger(this.getClass().getName()); private final Logger logger = Logger.getLogger(this.getClass().getName());
public int ChromeCount = 0; private int ChromeCount = 0;
final public static String MODULE_VERSION = "1.0"; final private static String MODULE_VERSION = "1.0";
private IngestServices services; private IngestServices services;
//hide public constructor to prevent from instantiation by ingest module loader //hide public constructor to prevent from instantiation by ingest module loader
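Review bot: `final private static String MODULE_VERSION` puts the modifiers in an unconventional order; `private static final String MODULE_VERSION = "1.0";` is the customary form, and the same applies to the MODULE_VERSION declarations in ExtractIE, ExtractRegistry, Firefox and RAImageIngestModule later in this commit. `ChromeCount` is now private, while Firefox's matching `FireFoxCount` was deleted outright; if nothing inside Chrome reads it (its uses are not visible in this hunk) it should be removed as well rather than kept as a private field. The class body continues outside the hunk.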


@ -33,14 +33,14 @@ import org.sleuthkit.autopsy.ingest.IngestModuleDataSource;
import org.sleuthkit.autopsy.report.SQLiteDBConnect; import org.sleuthkit.autopsy.report.SQLiteDBConnect;
import org.sleuthkit.datamodel.*; import org.sleuthkit.datamodel.*;
abstract public class Extract extends IngestModuleDataSource{ abstract class Extract extends IngestModuleDataSource{
protected Case currentCase = Case.getCurrentCase(); // get the most updated case protected Case currentCase = Case.getCurrentCase(); // get the most updated case
protected SleuthkitCase tskCase = currentCase.getSleuthkitCase(); protected SleuthkitCase tskCase = currentCase.getSleuthkitCase();
public final Logger logger = Logger.getLogger(this.getClass().getName()); public final Logger logger = Logger.getLogger(this.getClass().getName());
protected final ArrayList<String> errorMessages = new ArrayList<>(); private final ArrayList<String> errorMessages = new ArrayList<>();
protected String moduleName = ""; String moduleName = "";
protected boolean dataFound = false; boolean dataFound = false;
//hide public constructor to prevent from instantiation by ingest module loader //hide public constructor to prevent from instantiation by ingest module loader
Extract() { Extract() {
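Review bot: `logger` is left `public final` in `Extract` while the class itself becomes package-private, and the subclasses touched in this commit (Chrome, ExtractIE, ExtractRegistry) each declare their own `logger` field that hides it. Keeping a single declaration, e.g. `protected final Logger logger = Logger.getLogger(this.getClass().getName());` in Extract, and dropping the duplicates would remove the ambiguity about which logger a given line writes to. `moduleName` and `dataFound` are now package-private and mutable, so a short comment naming which classes are expected to set them would help; `errorMessages` is now private, so subclasses presumably go through an accessor that is outside this hunk.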


@ -68,7 +68,7 @@ import org.sleuthkit.autopsy.ingest.IngestModuleDataSource;
import org.sleuthkit.autopsy.ingest.IngestModuleInit; import org.sleuthkit.autopsy.ingest.IngestModuleInit;
import org.sleuthkit.datamodel.*; import org.sleuthkit.datamodel.*;
public class ExtractIE extends Extract { class ExtractIE extends Extract {
private static final Logger logger = Logger.getLogger(ExtractIE.class.getName()); private static final Logger logger = Logger.getLogger(ExtractIE.class.getName());
private IngestServices services; private IngestServices services;
@ -77,7 +77,7 @@ public class ExtractIE extends Extract {
private String PASCO_LIB_PATH; private String PASCO_LIB_PATH;
private String JAVA_PATH; private String JAVA_PATH;
final public static String MODULE_VERSION = "1.0"; final private static String MODULE_VERSION = "1.0";
private static final SimpleDateFormat dateFormatter = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"); private static final SimpleDateFormat dateFormatter = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'");
private ExecUtil execPasco; private ExecUtil execPasco;
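Review bot: `dateFormatter` is a `private static final SimpleDateFormat`, so one instance is shared by every ExtractIE object, and `SimpleDateFormat` is not thread-safe. The comment in RAImageIngestModule in this commit says multiple instances are created to process images simultaneously, so concurrent use could yield wrong timestamps in extracted artifacts; how the formatter is called is outside this hunk. Making it per-instance, `private final SimpleDateFormat dateFormatter = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'");`, or synchronizing on it at the call sites would avoid that.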


@ -57,14 +57,14 @@ import org.xml.sax.SAXException;
* and the second is a set that were customized for Autopsy to produce a more structured * and the second is a set that were customized for Autopsy to produce a more structured
* output of XML so that we can parse and turn into blackboard artifacts. * output of XML so that we can parse and turn into blackboard artifacts.
*/ */
public class ExtractRegistry extends Extract { class ExtractRegistry extends Extract {
public Logger logger = Logger.getLogger(this.getClass().getName()); private Logger logger = Logger.getLogger(this.getClass().getName());
private String RR_PATH; private String RR_PATH;
private String RR_FULL_PATH; private String RR_FULL_PATH;
boolean rrFound = false; // true if we found the Autopsy-specific version of regripper private boolean rrFound = false; // true if we found the Autopsy-specific version of regripper
boolean rrFullFound = false; // true if we found the full version of regripper private boolean rrFullFound = false; // true if we found the full version of regripper
final public static String MODULE_VERSION = "1.0"; final private static String MODULE_VERSION = "1.0";
private ExecUtil execRR; private ExecUtil execRR;
//hide public constructor to prevent from instantiation by ingest module loader //hide public constructor to prevent from instantiation by ingest module loader


@ -40,7 +40,7 @@ import org.sleuthkit.autopsy.coreutils.PlatformUtil;
* Loads a file that maps USB IDs to names of makes and models. Uses Linux USB info. * Loads a file that maps USB IDs to names of makes and models. Uses Linux USB info.
* This should be renamed because it isn't extracting. It's just mapping IDs to names. * This should be renamed because it isn't extracting. It's just mapping IDs to names.
*/ */
public class ExtractUSB { class ExtractUSB {
private static final Logger logger = Logger.getLogger(ExtractUSB.class.getName()); private static final Logger logger = Logger.getLogger(ExtractUSB.class.getName());
private HashMap<String, USBInfo> devices; private HashMap<String, USBInfo> devices;
private static final String DataFile = "USB_DATA.txt"; private static final String DataFile = "USB_DATA.txt";


@ -50,7 +50,7 @@ import org.sleuthkit.datamodel.TskCoreException;
/** /**
* Firefox recent activity extraction * Firefox recent activity extraction
*/ */
public class Firefox extends Extract { class Firefox extends Extract {
private static final String historyQuery = "SELECT moz_historyvisits.id,url,title,visit_count,(visit_date/1000000) as visit_date,from_visit,(SELECT url FROM moz_places WHERE id=moz_historyvisits.from_visit) as ref FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id AND hidden = 0"; private static final String historyQuery = "SELECT moz_historyvisits.id,url,title,visit_count,(visit_date/1000000) as visit_date,from_visit,(SELECT url FROM moz_places WHERE id=moz_historyvisits.from_visit) as ref FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id AND hidden = 0";
private static final String cookieQuery = "SELECT name,value,host,expiry,(lastAccessed/1000000) as lastAccessed,(creationTime/1000000) as creationTime FROM moz_cookies"; private static final String cookieQuery = "SELECT name,value,host,expiry,(lastAccessed/1000000) as lastAccessed,(creationTime/1000000) as creationTime FROM moz_cookies";
@ -59,8 +59,7 @@ public class Firefox extends Extract {
private static final String downloadQuery = "SELECT target, source,(startTime/1000000) as startTime, maxBytes FROM moz_downloads"; private static final String downloadQuery = "SELECT target, source,(startTime/1000000) as startTime, maxBytes FROM moz_downloads";
private static final String downloadQueryVersion24 = "SELECT url, content as target, (lastModified/1000000) as lastModified FROM moz_places, moz_annos WHERE moz_places.id = moz_annos.place_id AND moz_annos.anno_attribute_id = 3"; private static final String downloadQueryVersion24 = "SELECT url, content as target, (lastModified/1000000) as lastModified FROM moz_places, moz_annos WHERE moz_places.id = moz_annos.place_id AND moz_annos.anno_attribute_id = 3";
public int FireFoxCount = 0; final private static String MODULE_VERSION = "1.0";
final public static String MODULE_VERSION = "1.0";
private IngestServices services; private IngestServices services;
//hide public constructor to prevent from instantiation by ingest module loader //hide public constructor to prevent from instantiation by ingest module loader


@ -51,7 +51,7 @@ public final class RAImageIngestModule extends IngestModuleDataSource {
private StringBuilder subCompleted = new StringBuilder(); private StringBuilder subCompleted = new StringBuilder();
private ArrayList<Extract> modules; private ArrayList<Extract> modules;
private List<Extract> browserModules; private List<Extract> browserModules;
final public static String MODULE_VERSION = Version.getVersion(); final private static String MODULE_VERSION = Version.getVersion();
//public constructor is required //public constructor is required
//as multiple instances are created for processing multiple images simultenously //as multiple instances are created for processing multiple images simultenously


@ -62,14 +62,14 @@ import org.xml.sax.SAXException;
* To add search engines, edit SearchEngines.xml under RecentActivity * To add search engines, edit SearchEngines.xml under RecentActivity
* *
*/ */
public class SearchEngineURLQueryAnalyzer extends Extract { class SearchEngineURLQueryAnalyzer extends Extract {
private IngestServices services; private IngestServices services;
public static final String MODULE_NAME = "Search Engine URL Query Analyzer"; private static final String MODULE_NAME = "Search Engine URL Query Analyzer";
public final static String MODULE_VERSION = "1.0"; private final static String MODULE_VERSION = "1.0";
public static final String XMLFILE = "SEUQAMappings.xml"; private static final String XMLFILE = "SEUQAMappings.xml";
private static final String XSDFILE = "SearchEngineSchema.xsd"; private static final String XSDFILE = "SearchEngineSchema.xsd";


@ -50,7 +50,7 @@ import org.sleuthkit.datamodel.TskCoreException;
* *
* @author Alex * @author Alex
*/ */
public class Util { class Util {
private static Logger logger = Logger.getLogger(Util.class.getName()); private static Logger logger = Logger.getLogger(Util.class.getName());