diff --git a/docs/doxygen-user/content_viewer.dox b/docs/doxygen-user/content_viewer.dox index df35baac99..00304b3ef7 100644 --- a/docs/doxygen-user/content_viewer.dox +++ b/docs/doxygen-user/content_viewer.dox 
@@ -6,15 +6,15 @@ The Content Viewer is context-aware, meaning different tabs will be enabled depe \image html content_viewer_options_panel.png -When a Result type is selected in the Result Viewer (as opposed to a file), most of the tabs will correspond to the file associated with the result and not the result itself. For example, when selecting a Keyword Hit, the "Hex", "Strings", and "File Metadata" tabs will show data from the file where the keyword was found. The descriptions below will generally assume a file has been selected, but most also apply when we have a file associated with a selected result. +When a result item is selected in the Result Viewer (as opposed to a file), most of the tabs will correspond to the file associated with the result and not the result itself. For example, when selecting a keyword hit, the "Hex", "Strings", and "File Metadata" tabs will show data from the file where the keyword was found. The descriptions below will generally assume a file has been selected, but most also apply when we have a file associated with a selected result. \section cv_hex Hex -The Hex Content Viewer is nearly always available and shows you the raw and exact contents of a file. In this content viewer, the data of the file is represented as hexadecimal values grouped in 2 groups of 8 bytes, followed by one group of 16 ASCII characters which are derived from each pair of hex values (each byte). Non-printable ASCII characters and characters that would take more than one character space are typically represented by a dot (".") in the following ASCII field. +The Hex tab is nearly always available and shows you the raw and exact contents of a file. In this tab, the data of the file is represented as hexadecimal values grouped in 2 groups of 8 bytes, followed by one group of 16 ASCII characters which are derived from each pair of hex values (each byte). 
Non-printable ASCII characters and characters that would take more than one character space are typically represented by a dot (".") in the following ASCII field. \image html content_viewer_hex.png -If desired, you can open the file in an external hex editor. This is configured through the "External Viewer" tab on the options panel. HxD has been tested to work, but alternate hex editors may also be compatible. +If desired, you can open the file in an external hex editor. This is configured through the "External Viewer" tab on the options panel. HxD has been verified to work with Autopsy, but alternate hex editors may also be compatible. \image html content_viewer_hex_editor_setup.png @@ -24,7 +24,7 @@ Note that this process saves the file to disk before launching the hex editor. A \section cv_text Text -The Text tab has three subtabs for displaying the text contained in the selected item. +The Text tab has three sub tabs for displaying the text contained in the selected item. \subsection cv_strings Strings @@ -38,7 +38,7 @@ Different scripts can be chosen from the drop-down menu to display results for n \subsection cv_indexed_text Indexed Text -The Indexed Text tab shows the text that has been indexed by the \ref keyword_search_page. You can switch the "Text Source" field to "Result Text" to see which text has been indexed for associated results. +The Indexed Text tab shows the text that has been indexed by the \ref keyword_search_page. You can switch the "Text Source" field to "Result Text" to see the text has been indexed for results associated with a file. \image html content_viewer_indexed_text.png 
@@ -78,13 +78,13 @@ The Message tab shows details of emails and SMS messages. \section cv_metadata File Metadata -The File Metadata tab displays basic information about the file, such as type, size, and hash. It also displays the output of the Sleuth Kit istat tool. +The File Metadata tab displays basic information about the file, such as type, size, and hash. It also displays the output of the SleuthKit istat tool. \image html content_viewer_metadata.png \section cv_results Results -The Results tab is active when selecting entries that are part of the Results tree, such as keyword hits, call logs, and messages. It is also active when looking at a file that has results associated with it. The exact fields displayed depend on the type of entry. The two images below show the Results tab for a call log and a web bookmark. +The Results tab is active when selecting items with associated results such as keyword hits, call logs, and messages. The exact fields displayed depend on the type of result. The two images below show the Results tab for a call log and a web bookmark. \image html content_viewer_results_call.png
diff --git a/docs/doxygen-user/machine_translation.dox b/docs/doxygen-user/machine_translation.dox index ba4b061ab4..ee3fbd07da 100644 --- a/docs/doxygen-user/machine_translation.dox +++ b/docs/doxygen-user/machine_translation.dox @@ -26,7 +26,7 @@ Once enabled, the translated versions of the file and folder names will be shown \section mt_content_viewer Translating File Content -After you set up a machine translation service, the Translation tab under the Text content viewer will be active. The Translation tab allows you to use your service to translate the beginning of a file. For example, you might see the following in the default Indexed Text tab: +After you set up a machine translation service, the Translation tab under the Text tab in the Content Viewer will be active. The Translation tab allows you to use your service to translate the beginning of a file. For example, you might see the following in the default Indexed Text tab: \image html mt_content_viewer_untranslated_text.png diff --git a/docs/doxygen-user/reporting.dox b/docs/doxygen-user/reporting.dox index 7eb3897430..02a21ed3d8 100644 --- a/docs/doxygen-user/reporting.dox +++ b/docs/doxygen-user/reporting.dox 
@@ -64,17 +64,17 @@ show up as Hashset Hits. \subsection report_case_uco CASE-UCO -This module creates an JSON output file in CASE-UCO format from a single data source. +This module creates an JSON output file in CASE-UCO format for a single data source. \image html reports_case.png \subsection report_files Files - Text -This report module allows you create a tab or comma delimited text file from all files in the current case. Start by selecting which delimiter you would like to use. +This report module allows you create a tab or comma delimited text file report of all of the files in the current case. Start by selecting which delimiter you would like to use. \image html reports_files_delimiter.png -You can then select which fields should be exported. +You can then select which fields should be reported. \image html reports_files_config.png
@@ -88,7 +88,7 @@ This report module generates a KML file from any GPS data in the case. This file \subsection report_portable_case Portable Case -This report module generates a new Autopsy case from any tagged files and results. See the \ref portable_case_page page for additional information. +This report module generates a new Autopsy case that includes tagged and/or interesting items. See the \ref portable_case_page page for additional information. \subsection report_stix STIX diff --git a/docs/doxygen-user/result_viewer.dox b/docs/doxygen-user/result_viewer.dox index 8dfe1df9f8..22f2e048d8 100644 --- a/docs/doxygen-user/result_viewer.dox +++ b/docs/doxygen-user/result_viewer.dox 
@@ -4,28 +4,28 @@ The Result Viewer is located on the top right of the Autopsy screen and shows th \section result_viewer_table Table Viewers -Table Results Viewer (Directory Listing) displays the data catalog as a table with some details (properties) of each file. For files, the properties that it shows are: name, time (modified, changed, accessed, and created), size, flags (directory and meta), mode, user ID, group ID, metadata address, attribute address, and type (directory and meta). For other data types the columns will be different. Click the "Table" tab to select this view. +The main table viewer in the "Listing" tab displays the contents of the current selection as a table with some details (properties) of each item. For files, some examples of the properties that this viewer shows are: name, time (modified, changed, accessed, and created), size, flags (directory and meta), mode, user ID, group ID, metadata address, attribute address, and type (directory and meta). For other data types, the columns will be different. Click the "Table" tab to select this view. -The following shows the result viewer when a folder is selected from the data source section of the tree. +The following shows the main table viewer when a folder is selected in the Data Source section of the tree viewer. \image html result-viewer-example-1.PNG -As mentioned above, the Result Viewer is context-aware which means it will show applicable columns for the data type selected. The following shows the data in the "Web Bookmarks" node in the \ref tree_viewer_page. +As mentioned above, the table viewer is context-aware which means it will show applicable columns for the data type selected. The following shows the data in the "Web Bookmarks" node in the \ref tree_viewer_page. \image html result-viewer-example-3.PNG \subsection result_viewer_sco SCO Columns -By default, the first three columns after the file name in the results viewer are named "S", "C" and "O". 
+By default, the first three columns after the file name in the table viewer are named "S", "C" and "O". \image html view_options_sco.png -These columns display the following: +These columns display the following information: 
@@ -33,29 +33,29 @@ To display more information about why an icon has appeared, you can hover over i \subsection export_csv Exporting to CSV -You can export the contents of the Result Viewer to a CSV file in two ways. The "Save table as CSV" button in the upper left will save the entire contents of the Result Viewer to a CSV file. You can also select files in the Result Viewer and then right-click and select "Export select rows to CSV" to write only a subset of the rows. +You can export the contents of a table viewer to a CSV file in two ways. The "Save table as CSV" button in the upper left will save the entire contents of the table viewer to a CSV file. You can also select rows in the table viewer and then right-click and select "Export selected rows to CSV" to save only a subset of the rows: \image html result_viewer_csv.PNG \subsection right_click_functions Right Click Functions -Viewers in Result Viewers have certain right-click functions built-in into them that can be accessed when a node a certain type is selected (a file, directory or a result). +Table viewers in the Results Viewer have certain right-click functions built-in into them that can be accessed when a row of a particular type is selected (a file, a directory, or a result). Here are some examples that you may see: -\li Open File in External Viewer: Opens the selected file in an "external" application as defined by the local OS or through the External Viewer tab on the Options menu. For example, HTML files may be opened by IE or Firefox, depending on what the local system is configured to use. -\li View in New Window: Opens the content in a new internal Content Viewer (instead of in the default location in the lower right). -\li Extract: Make a local copy of the file or directory for further analysis. 
+\li Open File in External Viewer: Opens the selected file in an "external" application as defined by the local OS or through the External Viewer tab that you can navigate to by selecting the Options menu item from the Tools menu. For example, HTML files may be opened by Chrome or Firefox or some other browser, depending on what the local system is configured to use. +\li View in New Window: Opens the selected item in a new content viewer (instead of in the default location in the lower right area of the main window). +\li Extract: Makes a local copy of a selected file or directory for further analysis. -\section thumbnail_result_viewer Thumbnail Result Viewers -Thumbnail Results Viewer displays the data catalog as a table of thumbnail images in adjustable sizes. This viewer only supports picture files (Currently, only supports JPG, GIF, and PNG formats). Click the Thumbnail tab to select this view. Note that for a large number of images in a directory selected in the Data Explorer, or for a View selected that contains a large number of images, it might take a while to populate this view for the first time before the images are cached. +\section thumbnail_result_viewer Thumbnail Viewers +Thumbnail viewers display items selected in the Tree Viewer as a table of thumbnail images in adjustable sizes. This viewer only supports "picture" files (currently only supports the JPG, GIF, and PNG formats). Click on the Thumbnail tab in the Listing tab to select this view. Note that for a large number of images in a directory selected in the Data Sources area of the Tree Viewer, or for a selection in the Views area of the Tree Viewer that contains a large number of images, it might take a while to populate the thumbnail viewer for the first time, before the thumbnails are cached. \image html thumbnail-result-viewer-tab.PNG \section result_viewer_paging Paging -The Result Viewer can have problems displaying large numbers of rows. 
To address this, when there are over a certain numer of rows (10,000 by default), the results will be split into pages. The controls at the top right will allow you to browse the different pages. +A table viewer can perform slowly when displaying a large numbers of rows. To address this, when there are over a certain numer of rows (10,000 by default), the results will be split into pages. The paging controls at the top right of the table view allow you to browse the different pages. \image html result_viewer_paging.PNG -You can adust the page sizes through \ref view_options_page or turn it off entirely. +You can adust the page sizes through \ref view_options_page or turn paging off entirely. */ diff --git a/docs/doxygen-user/tree_viewer.dox b/docs/doxygen-user/tree_viewer.dox index b49af95f14..b163018f4f 100644 --- a/docs/doxygen-user/tree_viewer.dox +++ b/docs/doxygen-user/tree_viewer.dox 
@@ -1,45 +1,44 @@ /*! \page tree_viewer_page Tree Viewer -The tree on the left-hand side is where you can browse the files in the image and find saved results from automated procedures (ingest). The tree has five main areas: -- Data Sources: This shows the directory tree hierarchy of the file systems in the images. You can navigate to a specific file or directory here. Each data source added is represented as a drive. If you add a data source multiple times, it shows up multiple times. -- Views: Specific types of files from the data sources are shown here, aggregated by type or other properties. Files here can come from more than one data source. Look here for files of a specific type or property. -- Results: Where you can see the results from the background ingest tasks and you can see your previous search results. Go here to see what was found by the ingest modules and to find your previous search results. -- Tags: Where files and results that have been \ref tagging_page "tagged" are shown -- Reports: References to reports that you have generated or that ingest modules have created show up here +The tree on the left-hand side of the main window is where you can browse the files in the data sources in the case and find saved results from automated analyis (ingest). The tree has five main areas: +- Data Sources: This shows the directory tree hierarchy of the data sources. You can navigate to a specific file or directory here. Each data source added to the case is represented as a distinct sub tree. If you add a data source multiple times, it shows up multiple times. +- Views: Specific types of files from the data sources are shown here, aggregated by type or other properties. Files here can come from more than one data source. +- Results: This is where you can see the results from both the automated analysis (ingest) running in the background and your search results. +- Tags: This is where files and results that have been \ref tagging_page "tagged" are shown. 
+- Reports: Reports that you have generated, or that ingest modules have created, show up here. -You can also use the "Group by data source" option available through the \ref view_options_page to move the views, results, and tags subtrees under their corresponding data sources. This can be helpful on very large cases to reduce the size of each node. +You can also use the "Group by data source" option available through the \ref view_options_page to move the Views, Results, and Tags tree nodes under their corresponding data sources. This can be helpful on very large cases to reduce the size of each sub tree. For example: \image html ui_layout_group_tree.PNG \section ui_tree_ds Data Sources -The Data Sources section shows each data source that has been added to the case, in order added (top one is first). -Right clicking on the various nodes in the Data Sources section of the tree will allow you to get more options for each data source and its contents. +The Data Sources area shows each data source that has been added to the case, in order added (top one is first). +Right clicking on the various nodes in the Data Sources area of the tree will allow you to get more options for each data source and its contents. -Unallocated space is chunks of the file system that is currently not being used for anything. Unallocated space can store deleted files and other interesting artifacts. On the actual image, Unallocated space is stored in blocks with distinct locations on the system. However, because of the way various carving tools work, it is more ideal to feed them a single, large unallocated file. Autopsy provides access to both methods of looking at unallocated space. -\li Individual blocks in a volume There is a folder named "Unalloc". This folder contains all the individual unallocated blocks as the image is storing them. You can right click and extract them the same way you can extract any other type of file in the Directory Tree. 
-\li Single files Right click on a volume and select "Extract Unallocated Space as Single File" to concatenate all the unallocated files in the volume into a single, continuous file. (If desired, you can right click on an image, and select "Extract Unallocated Space to Single Files" which will do the same thing, but once for each volume in the image). +Unallocated space is the chunks of a file system that are currently not being used for anything. Unallocated space can hold deleted files and other interesting artifacts. In an image data source, unallocated space is stored in blocks with distinct locations in the file system. However, because of the way carving tools work, it is better to feed these tools a single, large unallocated space file. Autopsy provides access to both methods of looking at unallocated space. +\li Individual blocks in a volume For each volume, there is a "virtual" folder named "$Unalloc". This folder contains all the individual unallocated blocks in contiguous runs (unallocated space files) as the image is storing them. You can right click and extract any unallocated space file the same way you can extract any other type of file in the Data Sources area. +\li Single files Right click on a volume and select "Extract Unallocated Space as Single File" to concatenate all of the unallocated space files in the volume into a single, continuous file. (If desired, you can right click on an image, and select "Extract Unallocated Space to Single Files" which will do the same thing, but once for each volume in the image). An example of the single file extraction option is shown below. \image html extracting-unallocated-space.PNG \section ui_tree_views Views -Views filter all the files in the case by some external property of the file, not by any internal analysis of the file. -- File Type Sorts files by file extension or MIME type, and shows them in the appropriate group. For example, .mp3 and .wav both end up in the "Audio" group. 
-- Recent Files Displays files that are accessed within the last seven days the user had the device. -- Deleted Files Displays files that have been deleted but the names have been recovered. -- File Size Sorts files based upon size. This can give you an idea where to look for files you are interested in. +Views filter all the files in the case by some property of the file. +- File Types Sorts files by file extension or by MIME type, and shows them in the appropriate group. For example, files with .mp3 and .wav extensions end up in the "Audio" group. +- Deleted Files Displays files that have been deleted, but the names have been recovered. +- File Size Sorts files based on size. \section ui_tree_results Results -- Extracted Content: Many ingest modules will place results here; EXIF data, GPS locations, or Web History for example -- Keyword Hits: Keyword search hits show up here -- Hashset Hits: Hashset hits show up here -- E-Mail Messages: Email messages show up here -- Interesting Items: Things deemed interesting show up here -- Accounts: Credit card accounts show up here -- Tags: Any item you tag shows up here so you can find it again easily +- Extracted Content: Many ingest modules will place results here; EXIF metadata, GPS locations, or Web history for example. +- Keyword Hits: Keyword search hits show up here. +- Hashset Hits: Hashset hits show up here. +- E-Mail Messages: Email messages show up here. +- Interesting Items: Things deemed interesting show up here. +- Accounts: Credit card accounts show up here. +- Tags: Any item you tag shows up here so you can find it again easily. \section ui_tree_reports Reports
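Review bot: the added cv_indexed_text sentence in docs/doxygen-user/content_viewer.dox (hunk @@ -38,7 +38,7 @@) is missing a word and no longer parses: "to see the text has been indexed for results associated with a file". Suggest "to see the text that has been indexed for results associated with a file".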
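Review bot: the rewritten cv_results paragraph in docs/doxygen-user/content_viewer.dox (hunk @@ -78,13 +78,13 @@) drops the statement "It is also active when looking at a file that has results associated with it." The replacement gives keyword hits, call logs and messages as examples of "items with associated results", but those are results themselves, so a reader can no longer tell whether the tab is active for a plain file that has results. If that behaviour is unchanged, keep the removed sentence. In the same hunk, cv_metadata changes "Sleuth Kit" to "SleuthKit"; the project name is The Sleuth Kit, so the removed spelling was the correct one.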
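Review bot: two grammar errors are carried over onto the rewritten lines in docs/doxygen-user/reporting.dox (hunk @@ -64,17 +64,17 @@) instead of being fixed while the lines are touched. In report_case_uco, "creates an JSON output file" should be "creates a JSON output file". In report_files, "allows you create a tab or comma delimited text file report" should be "allows you to create ...".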
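Review bot: the first added paragraph under result_viewer_table in docs/doxygen-user/result_viewer.dox (hunk @@ -4,28 +4,28 @@) names the tab two different ways. It opens with 'The main table viewer in the "Listing" tab' and ends with the unchanged instruction 'Click the "Table" tab to select this view.' The later thumbnail text in this patch says 'Click on the Thumbnail tab in the Listing tab', so the closing sentence here should probably read 'Click the "Table" tab in the "Listing" tab', or be updated to whatever the UI labels actually are.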
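Review bot: the added lines in docs/doxygen-user/result_viewer.dox (hunk @@ -33,29 +33,29 @@) introduce or keep several typos. Under result_viewer_paging, "a large numbers of rows" should be "a large number of rows", "numer" should be "number", and "adust" should be "adjust". Under right_click_functions, "built-in into them" should be "built into them", and "Table viewers in the Results Viewer" uses "Results Viewer" where the rest of the page says "Result Viewer"; pick one name and use it throughout.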
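Review bot: the "Recent Files" bullet under ui_tree_views in docs/doxygen-user/tree_viewer.dox (hunk @@ -1,45 +1,44 @@) is deleted with no replacement, which is a content change rather than a wording cleanup. If the Recent Files node no longer exists in the tree, say so in the commit message; if it still exists, restore the bullet. The first added line of the same hunk also has a typo: "automated analyis (ingest)" should be "automated analysis (ingest)".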