Added case management to user docs

Core/src/org/sleuthkit/autopsy/casemodule/docs/caseProperties.html

@@ -1,28 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-<html>
-    <head>
-        <title>Case Properties Window</title>
-        <link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
-        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-    </head>
-    <body>
-        <h2>Case Properties Window</h2>
-        <p>
-            Case Properties Window is where you can check some information about the currently opened case
-            (case name, case creation date, case directory, and images in this case).
-        </p>
-        
-        <p>In this window, you can also do the following things:</p>
-        <ul>
-            <li>Change/update the case name</li>
-            <li>Delete the current case</li>
-        </ul>
-
-        <h2>How to Open Case Properties Window</h2>
-        <p>To open the "Case Properties" window, go to "File" and then select "Case Properties..."</p>
-
-        <h2>Example</h2>
-        <p>Here's an example of the "Case Properties" window:</p>
-        <img src="CasePropertiesHelp.png" alt="Case Properties Help" />
-    </body>
-</html>

Core/src/org/sleuthkit/autopsy/casemodule/docs/createNewCase.html

@@ -1,25 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
-<html>
-    <head>
-        <title>Creating A Case</title>
-        <link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
-        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-    </head>
-    <body>
-        <h2>Creating a Case</h2>
-        <p>There are several ways to create a new case:</p>
-        <ul>
-            <li>Go to "File" and select "New Case..."</li>
-            <li>Press "Ctrl + N" on the keyboard</li>
-        </ul>
-        <p>
-            The "New Case" wizard dialog will open and you will need to enter the case name and base directory.
-            Each case will have its own directory and the path of the directory is created by combining the "base directory" with the "case name".
-            If the directory already exists, you will need to either delete the existing directory or choose a different combination of names.
-        </p>
-
-        <h2>Example:</h2>
-        <p> Here's an example of the "New Case" wizard dialog:</p>
-        <img src="NewCaseWizardHelp.png" alt="New Case Wizard Help" />
-    </body>
-</html>

docs/doxygen-user/Doxyfile

@@ -665,7 +665,8 @@ INPUT                  = main.dox \
                          installation.dox \
                          quick_start.dox \
                          image_viewer.dox \
-                         timeline.dox
+                         timeline.dox \
+                         case_mgmt.dox
 
 # This tag can be used to specify the character encoding of the source files
 # that doxygen parses. Internally doxygen uses the UTF-8 encoding, which is

docs/doxygen-user/case_mgmt.dox

@@ -0,0 +1,129 @@
+/*! \page case_mgmt_page Cases and Data Sources
+
+\section case_mgmt_cases Cases
+
+You need to create a case before you can analyze data in Autopsy.  A case can contain one or more data sources (disk images, disk devices, logical files). The data sources can be from multiple drives in a single computer or from multiple computers.  It's up to you. 
+
+Each case has its own directory that is named based on the case name. The directory will contain configuration files, a database, reports, and other files that modules generates. The main Autopsy case configuration file has a .aut extension. 
+
+\subsection case_mgmt_case_create Creating a Case
+
+There are several ways to create a new case:
+- The opening window has a button to create a new case.
+- The "File" -> "New Case..." menu item
+
+The "New Case" wizard dialog will open and you will need to enter the case name and base directory. A directory for the case will be created inside of the "base directory". If the directory already exists, you will need to either delete the existing directory or choose a different combination of names.
+
+\image html case-newcase.png
+
+You will also be prompted for optional information, such as investigator name and case number.  
+
+After you create the case, you will be prompted to add a data source, as described in \ref case_mgmt_ds_add. 
+
+\subsection case_mgmt_case_open Opening a Case
+
+To open a case, either:
+- Choose "Open Case" or "Open Recent Case" from the opening window.
+- The "File" -> "Open Case" menu item or "File" -> "Open Recent Case"
+
+Navigate to the case directory and select the ".aut" file.
+
+
+
+\section case_mgmt_ds Data Sources
+
+Data source is the term that we use in Autopsy to refer to disk images, logical files, etc.  This is the data that you want to add in to analyze.  You must have a case open before you can add a data source. 
+
+Autopsy supports three types of data sources:
+- Disk Image: A file (or set of files) that is a byte-for-byte copy of a hard drive or media card.  (see \ref case_mgmt_ds_img)
+- Local Drive: Local storage device (local drive, USB-attached drive, etc.).  (see \ref case_mgmt_ds_local)
+- Logical Files: Local files or folders. (see \ref case_mgmt_ds_log)
+
+
+
+\subsection case_mgmt_ds_add Adding a Data Source
+
+You can add a data source in several ways:
+- After you create a case, it automatically prompts you to add a data source.
+- There is a toolbar item to add a Data Source when a case is open.
+- The "File" -> "Add Data Source" menu item when a case is open.
+
+The data source must remain accessible for the duration of the analysis because the case contains only a reference to the data source.  It does not copy the data source into the case folder. 
+
+
+
+\subsection case_mgmt_ds_process Data Source Adding Process
+
+Regardless of the type of data source, there are some common steps in the process:
+
+1) You will be prompted to specify the data source to add (details are provided below)
+
+\image html case-addds.png
+
+2) Autopsy will perform a basic examination of the data source and populate an embedded database with an entry for each file in the data source. No content is analyzed in the process, only the files are enumerated. 
+
+3) While it is examining the data source, you will be prompted with a list of ingest modules to enable. 
+
+\image html case-modules.png
+
+4) After you configure the ingest modules, you may need to wait for Autopsy to finish its basic examination of the data source. 
+
+\image html case-progress.png
+
+5) After the ingest modules have been configured and the basic examination of the data source is complete, the ingest modules will begin to analyze the file contents. 
+
+
+
+\subsection case_mgmt_ds_img Adding a Disk Image
+
+Supported Image Formats
+
+Autopsy supports disk images in the following formats: 
+- Raw Single (For example: *.img, *.dd, *.raw, etc)
+- Raw Split (For example: *.001, *.002, *.aa, *.ab, etc)
+- EnCase (For example: *.e01, *e02, etc)
+
+To add a disk image:
+
+-# Choose "Image File" from the pull down.
+-# Browse to the first file in the disk image. You need to specify only the first file and it will find the rest.  
+-# Choose the timezone that the disk image came from.  This is most important for when adding FAT file systems because it does not store timezone information and Autopsy will not know how to normalize to UTC.
+-# Choose to perform orphan file finding on FAT file systems.  This can be a time intensive process because it will require that Autopsy look at each sector in the device.  
+
+
+\subsection case_mgmt_ds_local Adding a Local Drive
+
+Autopsy can analyze a local drive without needing to first make an image copy of it. This is most useful when analyzing a USB-attached device through a write blocker.  
+
+Note that if you are analyzing a local drive that is being updated, then Autopsy will not see files that are added after you add it as a data source.  
+
+You will need to be running Autopsy as an Administrator to view all devices.  
+
+To add a local drive:
+-# Choose "Local Drive" from the pull down.
+-# Choose the device from the pull down list.
+-# Choose to perform orphan file finding.  See comment in \ref case_mgmt_ds_img about this setting.
+
+
+\subsection case_mgmt_ds_log Adding a Logical File
+
+You can add files or folders that are on your local computer (or on a shared drive) without putting them into a disk image.  This is useful if you have only a collection of files that you want to analyze.  
+
+Some things to note when doing this:
+- Autopsy ignores the time stamps on files that it adds this way because they could be the timestamps when they were copied onto your examination device.
+- If you have a USB-attached device that you are analyzing and you choose to add the device's contents using this method, then note that it will not look at unallocated space or deleted files.  Autopsy will only be able to see the allocated files.  You should add the device as a "Logical Drive" to get the unallocated space.
+
+To add logical files:
+-# Choose "Logical Files" from the pull down.
+-# Press the "Add" button and navigate to a folder or file to add.  Choosing a folder will cause all of its contents (including sub-folders) to be added.
+-# Continue to press "Add" until all files and folders have been selected.
+
+All of the files that you added in the panel will be grouped together into a single data source, called "LogicalFileSet" in the main UI. 
+
+\subsection case_mgmt_ds_rem Removing a Data Source
+
+You cannot currently remove an data source from a case.
+
+
+
+*/

docs/doxygen-user/main.dox

@@ -15,6 +15,7 @@ The following topics are available here:
 
 - \subpage installation_page
 - \subpage quick_start_page
+- \subpage case_mgmt_page
 - \subpage image_viewer_page
 - \subpage timeline_page