diff --git a/BUILDING.txt b/BUILDING.txt index b5b53ee8b8..68a7e43249 100644 --- a/BUILDING.txt +++ b/BUILDING.txt @@ -13,7 +13,7 @@ needed even if you have a 64-bit system). 3) Download and install Netbeans IDE 7.0.1 (http://netbeans.org/) -4) Download and build the release version of Libewf 20120304 (note that TSK will fail with Libewf 1 and the new alpha versions). All you need is the dll file. +4) Download and build the release version of Libewf2 (20120304 or later). All you need is the dll file. Note that you will get a launching error if you use libewf 1. - http://sourceforge.net/projects/libewf/ 5) Set LIBEWF_HOME environment variable to root directory of LIBEWF @@ -55,5 +55,5 @@ rebuild both the dll and the JAR file. --------------- Brian Carrier -11/9/2011 +4/6/2012 carrier sleuthkit org diff --git a/Case/javahelp/org/sleuthkit/autopsy/casemodule/docs/aboutImage.html b/Case/javahelp/org/sleuthkit/autopsy/casemodule/docs/aboutImage.html index e941cd4eaa..7d0c8a61a6 100644 --- a/Case/javahelp/org/sleuthkit/autopsy/casemodule/docs/aboutImage.html +++ b/Case/javahelp/org/sleuthkit/autopsy/casemodule/docs/aboutImage.html @@ -1,51 +1,30 @@ - - - - - About Image - - - - -

About Images

-

- In Autopsy, an "Image" refers to the "Disk Image". Before an image can be analyzed, it must be added to a case. -

-

Autopsy creates a database for each image that it imports. This database is a SQLite database and it contains all of the file system metadata from the image. When adding an image, it will take a little bit of time to populate the database. The database is stored in the case directory, but the image will stay in its original location.

- -

Supported Formats

-

- Currently, Autopsy only supports these formats of image: -

- -

Adding an Image

-

- To see how to add image to the current opened case, click here. -

- -

Removing an Image

-

- You can remove an image in the Case Properties window. -

- - - - \ No newline at end of file + + + + Disk Image Basics + + + + +

About Disk Images

+

+ In Autopsy, an "image" refers to a byte-for-byte copy of a hard drive or other storage media. To analyze an image, you must use the Add Image Wizardto add it to a case. +

+

Autopsy populates an embedded database for each image that it imports. This database is a SQLite database and it contains all of the file system metadata from the image. The database is stored in the case directory, but the image will stay in its original location. The image must remain accessible for the duration of the anlaysis because the database contains only basic file system information. The image is needed to retrieve file content.

+ +

Supported Formats

+

+ Currently, Autopsy supports these image formats: +

+ +

Removing an Image

+

+ You cannot currently remove an image from a case. +

+ + + diff --git a/Case/javahelp/org/sleuthkit/autopsy/casemodule/docs/addImage.html b/Case/javahelp/org/sleuthkit/autopsy/casemodule/docs/addImage.html index 327a299e52..10200d8256 100644 --- a/Case/javahelp/org/sleuthkit/autopsy/casemodule/docs/addImage.html +++ b/Case/javahelp/org/sleuthkit/autopsy/casemodule/docs/addImage.html @@ -1,45 +1,29 @@ - - - - - Adding An Image - - - - -

Adding An Image

-

- There are several ways to add an image to the currently opened case: -

- -

- After that, a "Add Image" wizard dialog will show up. Then follow these following steps:

- -

Note that Autopsy will store the path to the image in its configuration file. If the image moves, then Autopsy will give an error because it can't find the image file. - - - \ No newline at end of file + + + + Adding Image Wizard + + + + +

Adding An Image

+

+ There are two ways to add an image to the currently opened case: +

+ +

+ This will bring up the Add Image wizard. It will guide you through the process. Here are some notes on what is going on during the process:

+ +

Note that Autopsy will store the path to the image in its configuration file. If the image moves, then Autopsy will give an error because it can't find the image file. + + \ No newline at end of file diff --git a/Case/javahelp/org/sleuthkit/autopsy/casemodule/docs/casemodule-about.html b/Case/javahelp/org/sleuthkit/autopsy/casemodule/docs/casemodule-about.html index 83243973f6..ced5e907a3 100644 --- a/Case/javahelp/org/sleuthkit/autopsy/casemodule/docs/casemodule-about.html +++ b/Case/javahelp/org/sleuthkit/autopsy/casemodule/docs/casemodule-about.html @@ -1,50 +1,26 @@ - - - - About Cases - - - - -

About Cases

-

- In Autopsy, a "case" is a container concept for a set of images. The set of images could be from multiple drives in a single computer or from multiple computers. When you make a case, it will create a directory to hold all of the information. The directory will contain a configuration file, some databases, and some other information. -

- -

Creating a Case

-

- Refer to the Creating a Case page for more details. -

- -

Opening a Case

-

- There are three ways to open a case: -

-

- After that, a File Chooser dialog will show up. Then select a ".aut" file that you previously created. It will be in the case folder. -

- -

What's Next?

-

After you create a case, you can add an image to the case.

-

If you want to view case details or edit some case information, use the Case Properties window. - - - + + + About Cases + + + + +

About Cases

+

+ In Autopsy, a "case" is a container concept for a set of images. The set of images could be from multiple drives in a single computer or from multiple computers. When you make a case, it will create a directory to hold all of the information. The directory will contain a configuration file, some databases, and some other information. The configuration file as a .aut extension. +

+ +

If you want to view case details or edit some case information, use the Case Properties window. + +

Creating a Case

+

+ Refer to the Creating a Case page for more details. +

+ +

Opening a Case

+

+ To open a case, choose "Open Case" from the File menu or use the "Ctrl + O" keyboard short cut. + Navigate to the case directory and select the ".aut" file. +

+ + diff --git a/Case/javahelp/org/sleuthkit/autopsy/casemodule/docs/hashDbMgmt.html b/Case/javahelp/org/sleuthkit/autopsy/casemodule/docs/hashDbMgmt.html index aa613a88aa..1a98b75d10 100644 --- a/Case/javahelp/org/sleuthkit/autopsy/casemodule/docs/hashDbMgmt.html +++ b/Case/javahelp/org/sleuthkit/autopsy/casemodule/docs/hashDbMgmt.html @@ -1,50 +1,47 @@ - - - - Hash Database Management - - - - -

Hash Database Management Window

-

- The Hash Database Management window is where you can set and update your hash database information. Hash databases are used to identify files that are 'known'. -

-

- -

Autopsy allows for a single known bad hash database to be set and the NIST NSRL. Before they can be used, an index of them must exist. - The index can be directly copied in or it can be created within Autopsy. When you select the database from within this window, it will tell you if the index needs to be created. Autopsy - uses the hash database management system from The Sleuth Kit. You can manually create an index using the 'hfind' command line tool.

- -

Note that the NSRL contains hashes of 'known files' that may be good or bad depending on your perspective and investigation type. For example, the existence of a piece of financial software - may be interesting to your investigation and that software could be in the NSRL. Therefore, Autopsy treats files that are found in the NSRL as simplyi 'known' and does not specify good or bad.

- -

To use the NSRL, you must concatenate all of the NSRLFile.txt files together. You can use 'cat' on a Unix system or from within Cygwin to do this.

- -

The 'known bad' hash database can be in the hashkeeper, md5sum, or NSRL format.

- -

Autopsy uses hash databases when the image is added to the case. Each file is hashed and looked up in the configured databases. If the file is found in the NSRL, then it will be marked as - 'known' in the case database. If it is found in the known bad hash database, it will be marked as 'known bad' in the case database.

- -

You can see the lookup results in a couple of places. In the File Search data explorer, there is an option to choose the 'known status'. From here, you can do a search to see all 'known bad' files. - From here, you can also choose to ignore all 'known' files that were found in the NSRL. You can also see the status of the file in a column when the file is listed.

- -

Currently, you cannot reprocess a disk image with a new hash database after it has been added to a case.

- - - - \ No newline at end of file + + + + Hash Database Management + + + + +

Hash Database Management Window

+

+ The Hash Database Management window is where you can set and update your hash database information. Hash databases are used to identify files that are 'known'. +

+

+ +

Notable / Known Bad Hashsets

+

Autopsy allows for a single known bad hash database to be set. Future versions will support multiple hash sets. Autopsy supports three formats: +

+ +

NIST NSRL

+

Autopsy can use the NIST NSRL to detect 'known files'. Note that the NSRL contains hashes of 'known files' that may be good or bad depending on your perspective and investigation type. For example, the existence of a piece of financial software + may be interesting to your investigation and that software could be in the NSRL. Therefore, Autopsy treats files that are found in the NSRL as simplyi 'known' and does not specify good or bad. Ingest modules have the option of ignoring files that were found in the NSRL.

+ +

To use the NSRL, you must concatenate all of the NSRLFile.txt files together. You can use 'cat' on a Unix system or from within Cygwin to do this.

+ +

Adding Hashsets

+

Autopsy needs an index of the hashset. It can make one if you import only the hashset. When you select the database from within this window, it will tell you if the index needs to be created. Autopsy + uses the hash database management system from The Sleuth Kit. You can manually create an index using the 'hfind' command line tool.

+ +

You can also specify only the index file and not use the full hashset. This can save space. To do this, specify the .idx file from the Hash Database Management window.

+ +

Using Hashsets

+

There is an ingest module that will hash the files and look them up in the hashsets. It will flag files that were in the notable hashset and those results will be shown in the Results tree of the Data Explorer. + +

Other ingest modules are able to use the known status of a file to decide if they should ignore the file or process it. + +

You can also see the results in the File Search window. There is an option to choose the 'known status'. From here, you can do a search to see all 'known bad' files. + From here, you can also choose to ignore all 'known' files that were found in the NSRL. You can also see the status of the file in a column when the file is listed.

+ + + diff --git a/Case/javahelp/org/sleuthkit/autopsy/casemodule/docs/overview.html b/Case/javahelp/org/sleuthkit/autopsy/casemodule/docs/overview.html old mode 100644 new mode 100755 index 3b3716d90f..88094aaf4c --- a/Case/javahelp/org/sleuthkit/autopsy/casemodule/docs/overview.html +++ b/Case/javahelp/org/sleuthkit/autopsy/casemodule/docs/overview.html @@ -19,12 +19,12 @@ and open the template in the editor.

The main window has three major areas:

-

The main take away from this should be that analysis techniques can be found on the left-hand side, the results are always listed in the upper right, and the file contents are displayed in the lower left. +

The main take away from this should be that analysis techniques and result categories can be found on the left-hand side, the results from choosing something on the left are always listed in the upper right, and the file contents are displayed in the lower left.

Autopsy Overview Window diff --git a/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/corecomponents-about.html b/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/corecomponents-about.html index c212ee26dd..a6231ca999 100644 --- a/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/corecomponents-about.html +++ b/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/corecomponents-about.html @@ -1,30 +1,26 @@ - - - - About CoreComponents - - - - -

About CoreComponents

-

- - Contains data result and data content. -

- - - + + + About CoreComponents + + + + +

About CoreComponents

+

+ + Contains data result and data content. +

+ + + diff --git a/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/corecomponents-idx.xml b/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/corecomponents-idx.xml index 651659b2b4..c34284c398 100644 --- a/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/corecomponents-idx.xml +++ b/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/corecomponents-idx.xml @@ -1,31 +1,30 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/corecomponents-map.xml b/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/corecomponents-map.xml index a8379fb4cf..1ac9eb1ae3 100644 --- a/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/corecomponents-map.xml +++ b/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/corecomponents-map.xml @@ -1,28 +1,27 @@ - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/corecomponents-toc.xml b/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/corecomponents-toc.xml index eb5d8fa3d0..92f6485548 100644 --- a/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/corecomponents-toc.xml +++ b/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/corecomponents-toc.xml @@ -1,45 +1,31 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/datacontent-about.html b/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/datacontent-about.html index 6d648e57ec..79b1cb0ede 100644 --- a/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/datacontent-about.html 
+++ b/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/datacontent-about.html @@ -1,45 +1,37 @@ - - - - - About Content Viewers - - - - -

About Content Viewers

-

- The "Content Viewers" are in the lower right area of the interface. They allow you to view raw data. The data being shown should be have been selected from a Result Viewer window (upper right). -

-

- Currently, there are 3 main tabs on "Content Viewer" window: -

-

- -

Example

-

- Here's one of the example of a "Content Viewer" window: -
-      Example of Content Viewer Window -

- - - + + + + About Content Viewers + + + + +

Content Viewers

+

+ The Content Viewer area is in the lower right area of the interface. This area is used to view a specific file in a variety of formats. There are different tabs for different viewers. Not all tabs support all file types, so only some of them will be enabled. To display data in this area, it must be selected from the Result Viewer window (upper right). +

+ +

The Content Viewer area is part of a plug-in framework. You can install modules that will add more viewer types. This section describes the viewers that come by default with Autopsy.

+ +

Here's an example of a "Content Viewer" window:

+
+      Example of Content Viewer Window + +

Default Viewers

+

+ Currently, there are 3 main tabs on "Content Viewer" window: +

+

+ +

Example

+

+ +

+ + + diff --git a/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/dataresult-about.html b/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/dataresult-about.html index b0ff962a20..2881b3ec5e 100644 --- a/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/dataresult-about.html +++ b/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/dataresult-about.html @@ -1,64 +1,41 @@ - - - - - About Result Viewers - - - - -

About Result Viewers

-

- The Result Viewer windows are in the upper right area of the interface and display the results from a Data Explorer window. - You will have the option in this are to display the results in a variety of formats. - Currently, there are 2 main tabs on "Result Viewer" window: -

-

- -

Right Click Functions

-

- Viewers in Result Viewers have some right click function that built in into them: -

-    1. Open File in External Viewer
-      This right click function will open the selected node/data in an "external" application. Note: This does not support all file types. -

- -    2. View in New Window
-      This right click function will pop up a new "Content Viewers" window for the selected node/data. You can dock this new window or close it. -

- -    3. Extract
-      This right click function will extract the selected file or directory to any location on the local hard drive (you can specify the location). -

- -    4. View (Hex and String)
-      This right click function will change the active tab on the main "Content Viewers" window to be the selected tab. -

-

- -

Example

-

- Here's one of the example of a "Result Viewer" window: -
-      Example of Result Viewer Window -

- - - + + + + Result Viewers + + + + +

Result Viewers

+

+ The Result Viewer windows are in the upper right area of the interface and display the results from selecting something in the Explorer Tree area. + You will have the option in this are to display the results in a variety of formats. + Currently, there are 2 main tabs on "Result Viewer" window: +

+

+ +

Right Click Functions

+

+ Viewers in Result Viewers have some right click function that built in into them. Here are some examples that you may see: +

+

+ +

Example

+

+ Here's one of the example of a "Result Viewer" window: +
+      Example of Result Viewer Window +

+ + + diff --git a/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/picture-content-viewer.html b/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/picture-content-viewer.html index 03390f1c61..95989041d7 100644 --- a/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/picture-content-viewer.html +++ b/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/picture-content-viewer.html @@ -1,40 +1,23 @@ - - - - - Picture Content Viewer - - - - -

Picture Content Viewer

-

- Picture Content Viewer will show the actual picture from the picture file. - Currently, Picture Content Viewer only support JPG, GIF, and PNG formats. - If you select an non-picture file or an unsupported picture format on the "Result Viewers", this tab will be disabled. -

-

- -

Example

-

- Here's one of the example of "Picture Content Viewer": -
-      Example of Picture Content Viewer Tab -

- - - \ No newline at end of file + + + + Media Content Viewer + + + + +

Media Content Viewer

+

+ The Media Content Viewer will show a picture or video file. Video files can be played and paused. The size of the picture or video will be reduced to fit into the screen. If you want more complex analysis of the media, then you must export the file.

+

If you select an non-picture file or an unsupported picture format on the "Result Viewers", this tab will be disabled.

+ +

+ + +

+ Here's one of the example of the "Media Content Viewer": +
+      Example of Picture Content Viewer Tab +

+ + diff --git a/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/string-content-viewer.html b/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/string-content-viewer.html index 7c1286dc30..755827bc2a 100644 --- a/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/string-content-viewer.html +++ b/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/string-content-viewer.html @@ -1,38 +1,20 @@ - - - - - String Content Viewer - - - - -

String Content Viewer

-

- Strings Content Viewer just scans the data of the file / folder and show you it for printable ASCII strings of a default length of 4 or more ASCII characters. If the length of printable ASCII is less than 4, it won't show the string. -

-

- -

Example

-

- Here's one of the example of "String Content Viewer": -
-      Example of String Content Viewer Tab -

- - - \ No newline at end of file + + + + String Content Viewer + + + + +

String Content Viewer

+

Strings Content Viewer scans the data of the file / folder and searches it for data that could be text. If it finds data that is ASCII data and at least four characters long, then it displays it to the user.

+

Note that this is different from the Text Content Viewer, which displays the text for a file that is stored in the keyword search index. The results may be the same or they could be different.

+ +

Example

+

+ Here's one of the example of "String Content Viewer": +
+      Example of String Content Viewer Tab +

+ + diff --git a/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/text-content-viewer.html b/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/text-content-viewer.html new file mode 100755 index 0000000000..c59313b343 --- /dev/null +++ b/CoreComponents/javahelp/org/sleuthkit/autopsy/corecomponents/docs/text-content-viewer.html @@ -0,0 +1,16 @@ + + + + String Content Viewer + + + + +

Text Content Viewer

+

Text Content Viewer uses the keyword search index that may have been populated during Image Ingest. If a file has text stored in the index, then this tab will be enabled and it will be displayed to the user.

+ +

This tab may have more text on it than the "Strings Content Viewer", which relies on searching the file for text-looking data. Some files, like PDF, will not have text-looking data at the byte-level, but the keyword indexing process knows how to interpret a PDF file and produce text.

+ +

If this tab is not enabled, then either the file has no text or you did not enable Keyword Search as an ingest module. Note that this viewer is also used to display keyword hits.

+ + diff --git a/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/directorytree-about.html b/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/directorytree-about.html old mode 100644 new mode 100755 index 4dc6504dae..689a60d756 --- a/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/directorytree-about.html +++ b/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/directorytree-about.html @@ -1,50 +1,24 @@ - - About Directory Tree + Explorer Tree -

About Directory Tree

+

About Explorer Tree

- Directory Tree is one of the main windows in Autopsy. Here, you can see and analyze all the images (also volumes and directories inside that images) which are shown in tree format. You can also see the details of the image, volume, and the file system from directory tree. -

+ The explorer tree is a very important area of the interface. This is where you will start many of your analysis approaches and find results from automated procedures. The tree has three main areas: +

-

How to Open Directory Tree

- To see how to open Directory Tree, click here. -

- Note: The Directory Tree Window is opened and closed automatically. If there's a case opened and there is at least one image inside that case, Directory Tree Window can't be closed. -

-

- -

How to Use Directory Tree

-

- To see how to use Directory Tree, click here. -

-

- -

Example

-

- Here's an example of a Directory Tree window: -   Directory Tree Top Component Window + Here's an example of an Explorer Tree:
+   Explorer Tree

- + diff --git a/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/directorytree-idx.xml b/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/directorytree-idx.xml index 35230646f0..7d897a7c0d 100644 --- a/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/directorytree-idx.xml +++ b/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/directorytree-idx.xml @@ -6,8 +6,6 @@ and open the template in the editor. - - diff --git a/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/directorytree-map.xml b/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/directorytree-map.xml index d8f3b9ce81..64eefae2b2 100644 --- a/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/directorytree-map.xml +++ b/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/directorytree-map.xml @@ -6,7 +6,6 @@ and open the template in the editor. - diff --git a/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/directorytree-toc.xml b/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/directorytree-toc.xml old mode 100644 new mode 100755 index ab71cee268..0b5bbe594d --- a/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/directorytree-toc.xml +++ b/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/directorytree-toc.xml @@ -1,10 +1,7 @@ - - - - - File System Details Window - - - - -

File System Details Window

-

- File System Details Windows shows the general and detailed information of file system from the selected volume. -

-

- -

General File System Information

-

- This windows shows the information about file system type, image offset, volume ID, block size, block count, root metadata entry, first metadata entry, and last metadata entry. -

-

- -

Detailed File System Information

-

- More coming about this information... -

-

- -

Example

-

-     Example of File System Details Window -

- - - \ No newline at end of file + + + + File System Details Window + + + + +

File System Details Window

+

+ The File System Details indow shows you the general information about a file system in the disk image. You can open the window by by right clicking on a file system and choosing "File System Details". +

+

Right click on directory tree to show File System Details

+ +

There are two sections to this window: General and Detailed. The general information section has data associated with all types of file systems, such as its type, starting location, number of blocks, etc. + The detailed section has information that is specific to the type of file system. Some file systems will have more data here than others.

+ +

An example is shown here:
+     Example of File System Details Window +

+ + diff --git a/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/how-to-use-directorytree.html b/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/how-to-use-directorytree.html deleted file mode 100644 index 4926bad183..0000000000 --- a/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/how-to-use-directorytree.html +++ /dev/null @@ -1,54 +0,0 @@ - - - - - How to Use Directory Tree - - - - -

How to Use Directory Tree

-

- Information on Directory Tree functionality: -

-   1. To pass the data and show it on the "Result Viewer".
-        To pass the data and show it on the "Result Viewer", select / click the corresponding node on the Directory Tree. -

-        select node on directory tree -

-   2. To show the "Image Details"
-        To see the detail of the image, right click on the image node and select "Image Details".
-        Note: To know more about "Image Detail" window, click here. -

-        Right click on directory tree to show Image Details -

-   3. To show the "Volume Details"
-        To see the detail of the volume, right click on the volume node and select "Volume Details".
-        Note: To know more about "Volume Detail" window, click here. -

-        Right click on directory tree to show Volume Details -

-   4. To show the "File System Details"
-        To see the detail of the file system of a volume, right click on that volume node and select "File System Details".
-        Note: To know more about "File System Detail" window, click here. -

-        Right click on directory tree to show File System Details -

-

- - - \ No newline at end of file diff --git a/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/image-details.html b/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/image-details.html old mode 100644 new mode 100755 index 01c3f4e672..3c39a5bfbe --- a/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/image-details.html +++ b/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/image-details.html @@ -1,36 +1,20 @@ - - - - - Image Details Window - - - - -

Image Details Window

-

- Image Details Windows shows the information about name, type, and sector size of the selected image. -

-

- -

Example

-

-     Example of Image Details Window -

- - - \ No newline at end of file + + + + Image Details Window + + + + +

Image Details Window

+

+ The Image Details window shows you basic information about a disk image. You can access it by right-clicking on an image in the tree and choosing "Image Details". +

+ +

Right click on directory tree to show Image Details

+ +

An example is shown here:
+     Example of Image Details Window +

+ + diff --git a/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/node_selected.png b/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/node_selected.png deleted file mode 100644 index bf6e31eb56..0000000000 Binary files a/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/node_selected.png and /dev/null differ diff --git a/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/open-directorytree.html b/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/open-directorytree.html deleted file mode 100644 index 28812459ff..0000000000 --- a/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/open-directorytree.html +++ /dev/null @@ -1,45 +0,0 @@ - - - - - How to Open Directory Tree - - - - -

How to Open Directory Tree

-

- To open the Directory Tree, you can do one of the following thing: -

    -
  • - Click the Directory Tree tab. -

    -   Open Directory Tree Top Component 1 -

    -
  • -
  • - Select the "Tools" -> "Directory Tree" -

    -   Open Directory Tree Top Component 2 -

    -
  • -
- - Note: The Directory Tree Window is opened and closed automatically. If there's a case opened and there is at least one image inside that case, Directory Tree Window can't be closed. - - - \ No newline at end of file diff --git a/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/open_directoryTree1.png b/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/open_directoryTree1.png deleted file mode 100644 index a25586f317..0000000000 Binary files a/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/open_directoryTree1.png and /dev/null differ diff --git a/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/open_directoryTree2.png b/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/open_directoryTree2.png deleted file mode 100644 index f988720bc6..0000000000 Binary files a/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/open_directoryTree2.png and /dev/null differ diff --git a/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/volume-details.html b/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/volume-details.html old mode 100644 new mode 100755 index 598a30bf40..daf66aa22e --- a/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/volume-details.html +++ b/DirectoryTree/javahelp/org/sleuthkit/autopsy/directorytree/docs/volume-details.html @@ -1,36 +1,22 @@ - - - - - Volume Details Window - - - - -

Volume Details Window

-

- Volume Details Windows shows the information about volume ID, starting sector, the length, description, and flags of the selected volume. -

-

- -

Example

-

-     Example of Volume Details Window -

- - - \ No newline at end of file + + + + Volume Details Window + + + + +

Volume Details Window

+

+ The Volume Details window shows you information about a volume. It shows information such as the starting sector, length, and description. You can view the information by right clicking on a volume in the tree and choosing "Volume Details". +

+ +

Right click on directory tree to show Volume Details

+ + +

+ An example is shown here:
+     Example of Volume Details Window +

+ + diff --git a/DirectoryTree/src/org/sleuthkit/autopsy/directorytree/DirectoryTreeTopComponent.java b/DirectoryTree/src/org/sleuthkit/autopsy/directorytree/DirectoryTreeTopComponent.java index 5a970aad7f..e4ca524a9a 100644 --- a/DirectoryTree/src/org/sleuthkit/autopsy/directorytree/DirectoryTreeTopComponent.java +++ b/DirectoryTree/src/org/sleuthkit/autopsy/directorytree/DirectoryTreeTopComponent.java @@ -31,6 +31,7 @@ import java.util.List; import java.util.logging.Level; import java.util.logging.Logger; import javax.swing.Action; +import javax.swing.JOptionPane; import javax.swing.JPanel; import javax.swing.SwingUtilities; import javax.swing.tree.TreeSelectionModel; 
@@ -620,12 +621,19 @@ public final class DirectoryTreeTopComponent extends TopComponent implements Dat } Node originNode = origin.getNode(); - //int count = originNode.getChildren().getNodesCount(true); - //if (count > 1000) { - // DirectoryTreeTopComponent.this.setCursor(null); - // JOptionPane.showMessageDialog(caller, "Note: The selected directory contains " + count + " child files and folders. It may take some time to display them.\n\nAlso note that in the current version of Autopsy this will also make certain functions very slow (thumbnail view in particular, should be fixed in a future version)", "Large Data", JOptionPane.INFORMATION_MESSAGE); - // DirectoryTreeTopComponent.this.setCursor(Cursor.getPredefinedCursor(Cursor.WAIT_CURSOR)); - //} + int count = originNode.getChildren().getNodesCount(true); + if (count > 1000) { + DirectoryTreeTopComponent.this.setCursor(null); + int choice = JOptionPane.showConfirmDialog(caller, "Note: The selected location contains " + count + " items.\n" + + "It may take some time to display them.\n\n" + + "Also note that there is a limitation in " + Case.getAppName() + " that will make certain functions very slow,\n" + + "thumbnail view in particular (which should be fixed in a future version).\n" + + "Do you want to continue loading these objects?"); + if(choice != JOptionPane.OK_OPTION) { + return; + } + DirectoryTreeTopComponent.this.setCursor(Cursor.getPredefinedCursor(Cursor.WAIT_CURSOR)); + } DirectoryTreeTopComponent.this.setCursor(Cursor.getPredefinedCursor(Cursor.WAIT_CURSOR)); //set node, wrap in filter node first to filter out children Node drfn = new DataResultFilterNode(originNode, DirectoryTreeTopComponent.this.em); diff --git a/Ingest/nbproject/project.xml b/Ingest/nbproject/project.xml index 9100e37d4e..b147601fc2 100644 --- a/Ingest/nbproject/project.xml +++ b/Ingest/nbproject/project.xml @@ -20,6 +20,15 @@ + + org.netbeans.modules.javahelp + + + + 1 + 2.22.1 + + org.netbeans.modules.settings 
diff --git a/Ingest/src/org/sleuthkit/autopsy/ingest/docs/ingest-about.html b/Ingest/src/org/sleuthkit/autopsy/ingest/docs/ingest-about.html new file mode 100755 index 0000000000..708df31df5 --- /dev/null +++ b/Ingest/src/org/sleuthkit/autopsy/ingest/docs/ingest-about.html @@ -0,0 +1,36 @@ + + + Image Ingest + + + + +

Image Ingest

+

Autopsy tries to automate as many things as possible for you. There are many tasks that will always be performed in a digital investigation and the ingest manager is responsible for making sure that they happen.

+ +

The ingest process begins after the basic file system information has been added to the database. The ingest process is similar to triage. A series of ingest modules (described in a following section) run automatically behind the scenes and make their results available as soon as possible.

+ +

You can start image ingest in two ways. When you add an image with the Add Image wizard, you will be shown the list of ingest modules and you can choose which you want to run and you can do some basic configuration of the modules. You can also launch the Ingest Manager run ingest by right clicking on an image in the explorer tree and choosing "Restart Image Ingest".

+

The results from the ingest module can typically be found in the Results area of the explorer tree. However, some modules may choose to write results to a local file or to some other location and not make them available in the UI.

+ +

Ingest Modules

+

+ An ingest module is resposible for extracting data from and searching images. Different modules will do different things. Examples include: +

    +
  • Calculate MD5 hash of each file
  • +
  • Lookup MD5 hash in database
  • +
  • Detect file type of each file
  • +
  • Keyword search each file
  • +
  • Extract web artifacts (downloads, history, etc.
  • +
+

+ +

Ingest modules can be created by third-party-developers and can be added independently of Autopsy.

+ +

Configuring Ingest Modules

+ There are two places to configure ingest modules. When the Ingest Manager is launched so that you can choose which ingest modules to run, there maybe a small set of configuration changes that the module allows you to set from that interface. Additional configuration is typically available from a separate dialog box that can be opened from either the "Tools" menu or with the "Advanced" button in the Ingest Manager. + +

Adding Ingest Modules

+

ADD HERE

+ + \ No newline at end of file diff --git a/Ingest/src/org/sleuthkit/autopsy/ingest/docs/ingest-hs.xml b/Ingest/src/org/sleuthkit/autopsy/ingest/docs/ingest-hs.xml new file mode 100755 index 0000000000..f8f481e596 --- /dev/null +++ b/Ingest/src/org/sleuthkit/autopsy/ingest/docs/ingest-hs.xml @@ -0,0 +1,28 @@ + + + + + org.sleuthkit.autopsy.ingest Help + + org.sleuthkit.autopsy.ingest.about + + + + TOC + + javax.help.TOCView + ingest-toc.xml + + + Index + + javax.help.IndexView + ingest-idx.xml + + + Search + + javax.help.SearchView + JavaHelpSearch + + diff --git a/Ingest/src/org/sleuthkit/autopsy/ingest/docs/ingest-idx.xml b/Ingest/src/org/sleuthkit/autopsy/ingest/docs/ingest-idx.xml new file mode 100755 index 0000000000..d7f31acc5c --- /dev/null +++ b/Ingest/src/org/sleuthkit/autopsy/ingest/docs/ingest-idx.xml @@ -0,0 +1,9 @@ + + + + + + diff --git a/Ingest/src/org/sleuthkit/autopsy/ingest/docs/ingest-map.xml b/Ingest/src/org/sleuthkit/autopsy/ingest/docs/ingest-map.xml new file mode 100755 index 0000000000..a6690dc4d8 --- /dev/null +++ b/Ingest/src/org/sleuthkit/autopsy/ingest/docs/ingest-map.xml @@ -0,0 +1,9 @@ + + + + + + diff --git a/Ingest/src/org/sleuthkit/autopsy/ingest/docs/ingest-toc.xml b/Ingest/src/org/sleuthkit/autopsy/ingest/docs/ingest-toc.xml new file mode 100755 index 0000000000..ef417cca8c --- /dev/null +++ b/Ingest/src/org/sleuthkit/autopsy/ingest/docs/ingest-toc.xml @@ -0,0 +1,11 @@ + + + + + + + + diff --git a/Ingest/src/org/sleuthkit/autopsy/ingest/docs/package-info.java b/Ingest/src/org/sleuthkit/autopsy/ingest/docs/package-info.java new file mode 100755 index 0000000000..729f222791 --- /dev/null +++ b/Ingest/src/org/sleuthkit/autopsy/ingest/docs/package-info.java 
@@ -0,0 +1,8 @@ +/* + * To change this template, choose Tools | Templates + * and open the template in the editor. + */ +@HelpSetRegistration(helpSet = "ingest-hs.xml", position = 3575) +package org.sleuthkit.autopsy.ingest.docs; + +import org.netbeans.api.javahelp.HelpSetRegistration; diff --git a/build-windows.xml b/build-windows.xml old mode 100644 new mode 100755
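Review bot: In DirectoryTreeTopComponent.java (hunk @@ -620,12 +621,19 @@), the result of the two-argument `JOptionPane.showConfirmDialog(caller, ...)` is compared against `JOptionPane.OK_OPTION`, but that overload shows Yes/No/Cancel buttons, not OK. The check only works because `OK_OPTION` and `YES_OPTION` share the same value. Use the overload that takes a title and an option type, pass `JOptionPane.YES_NO_OPTION` so "No" and "Cancel" are not two buttons for the same outcome, and compare against `JOptionPane.YES_OPTION`. Also, the `setCursor(Cursor.getPredefinedCursor(Cursor.WAIT_CURSOR))` call added as the last statement of the `if (count > 1000)` block is immediately repeated by the unchanged line after the block, so the one inside the block can be dropped.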
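Review bot: The new ingest-about.html is being committed with a placeholder and several text errors that will be visible in the shipped help. The "Adding Ingest Modules" section contains only "ADD HERE"; either write the section or leave the heading out until it is ready. In the body text, "resposible" should be "responsible", "there maybe a small set" should be "there may be a small set", the list item "Extract web artifacts (downloads, history, etc." is missing its closing parenthesis, and "You can also launch the Ingest Manager run ingest by right clicking" reads as two phrasings merged together and needs one of them removed.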
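Review bot: The new package-info.java in org.sleuthkit.autopsy.ingest.docs keeps the IDE boilerplate comment ("To change this template, choose Tools | Templates and open the template in the editor."). Replace it with a short description of what the package holds (the JavaHelp help set registered through `@HelpSetRegistration(helpSet = "ingest-hs.xml", position = 3575)`), and say in that comment why position 3575 was chosen so the ordering relative to the other help sets can be maintained.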
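Review bot: volume-details.html changes from mode 100644 to 100755, and the new files under Ingest/src/org/sleuthkit/autopsy/ingest/docs/ (ingest-about.html, ingest-hs.xml, ingest-idx.xml, ingest-map.xml, ingest-toc.xml, package-info.java) are all added as 100755; build-windows.xml gets the same mode change. None of these is a script, so the executable bit looks like a side effect of the working copy's filesystem rather than an intended change. Restore them to 100644 before merging so the mode noise does not obscure the real content changes in this diff.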