Merge remote-tracking branch 'upstream/master' into artifact_viewer_thread

Richard Cordovano 2013-09-04 13:08:21 -04:00
commit ecf2cecdb3
4 changed files with 50 additions and 25 deletions

@ -83,13 +83,22 @@ abstract class AbstractKeywordSearchPerformer extends javax.swing.JPanel impleme
@Override
public void search() {
boolean isRunning = IngestManager.getDefault().isModuleRunning(KeywordSearchIngestModule.getDefault());
if (filesIndexed == 0) {
KeywordSearchUtil.displayDialog("Keyword Search Error", "No files are indexed, please index an image before searching", KeywordSearchUtil.DIALOG_MESSAGE_TYPE.ERROR);
if (isRunning) {
KeywordSearchUtil.displayDialog("Keyword Search Error", "<html>No files are in index yet. <br />"
+ "Try again later. Index is updated every " + KeywordSearchSettings.getUpdateFrequency().getTime() + " minutes.</html>", KeywordSearchUtil.DIALOG_MESSAGE_TYPE.ERROR);
}
else {
KeywordSearchUtil.displayDialog("Keyword Search Error", "<html>No files were indexed.<br />"
+ "Re-ingest the image with the Keyword Search Module enabled. </html>", KeywordSearchUtil.DIALOG_MESSAGE_TYPE.ERROR);
}
return;
}
//check if keyword search module ingest is running (indexing, etc)
if (IngestManager.getDefault().isModuleRunning(KeywordSearchIngestModule.getDefault())) {
if (isRunning) {
if (KeywordSearchUtil.displayConfirmDialog("Keyword Search Ingest in Progress",
"<html>Keyword Search Ingest is currently running.<br />"
+ "Not all files have been indexed and this search might yield incomplete results.<br />"
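Review bot: the comment `//check if keyword search module ingest is running (indexing, etc)` now sits above `if (isRunning)`, but the check it describes has moved to the top of `search()` where `isRunning` is assigned; move the comment to that line so it documents the actual call. Note also that `isRunning` is sampled once at method entry and reused after the `filesIndexed == 0` branch and again before the confirm dialog, so it can be stale if the ingest module finishes in between; that is harmless for the early-return branch, but a short comment saying the value is a snapshot would avoid a future reader "fixing" it. Finally, the new message hard-codes the word "minutes" around `KeywordSearchSettings.getUpdateFrequency().getTime()`; confirm that this getter really returns minutes and not milliseconds before the string ships.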

@ -43,7 +43,7 @@ import org.apache.solr.client.solrj.SolrServerException;
import org.sleuthkit.autopsy.casemodule.Case;
/**
* Keyword search toolbar which allows to search for single terms or phrases
* Keyword search toolbar (in upper right, by default) which allows to search for single terms or phrases
*
* The toolbar uses a different font from the rest of the application, Monospaced 14,
* due to the necessity to find a font that displays both Arabic and Asian fonts at an acceptable size.
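Review bot: the rewritten Javadoc line keeps the grammar slip of the old one: "which allows to search for" should read "which allows searching for" (or "which lets the user search for"). In the font sentence, "displays both Arabic and Asian fonts" should be "Arabic and Asian scripts" (or "characters"), since the point is the glyph coverage of the single font, Monospaced 14, not several fonts.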

@ -48,27 +48,18 @@
Next, supply it with the location of the source to add.
</p>
<ul>
<li>For image, point to location of disk image on your system. Autopsy currently supports E01 and raw (dd) files.
For multi-part/split images, you will need to specify only the first file in an image set (i.e. the E01 file) and Autopsy will find the rest of the files.
<li>For a disk image, browse to the first file in the set (Autopsy will find the rest of the files). Autopsy currently supports E01 and raw (dd) files.
</li>
<li>
For local disk, select one of the detected disks.
Autopsy will add the current view of the disk to the case (i.e. snapshot of the meta-data).
However, the individual file content (not meta-data) does get updated with the changes made to the disk.
Note, you may need run Autopsy as an Administrator to detect all disks.
</li>
<li>For logical files, add one or more local files or folders on your system.</li>
<li>For logical files (a single file or folder of files), use the "Add" button to add one or more files or folders on your system to the case. Folders will be recursively added to the case.</li>
</ul>
<p>
It may take a few minutes to add the data source to the case.
During this time, an internal database is being created of the file system contents.
</p>
<p>
There are a couple of options in the wizard that will allow you to make the ingest process faster.
These typically deal with deleted files.
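Review bot: "Note, you may need run Autopsy as an Administrator" is missing a word ("need to run"). The local-disk item also reads ambiguously: it first says the case gets "the current view of the disk (i.e. snapshot of the meta-data)" and then that "the individual file content (not meta-data) does get updated with the changes made to the disk". Say plainly that adding a live local disk does not freeze its contents, so file content read later may differ from what was present when the disk was added; readers who need a stable evidence source should understand from this paragraph that the disk-image path is the one that gives it.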
@ -77,6 +68,10 @@
Use these options to control how long the analysis will take.
</p>
<p>
Autopsy will start to analyze these data sources and add them to the case and internal database. While it is doing that, it will prompt you to configure the Ingest Modules. </p>
<h2>Ingest Modules</h2>
<p>
You will next be prompted to configure the Ingest Modules.
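Review bot: the sentence appended to the previous paragraph ("While it is doing that, it will prompt you to configure the Ingest Modules.") duplicates the first sentence of the new Ingest Modules section ("You will next be prompted to configure the Ingest Modules."). Keep one of the two, or turn the first into a pointer ("see Ingest Modules below") so the section does not open by repeating what the reader just read.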
@ -86,12 +81,14 @@
</p>
<ul>
<li><strong>Recent Activity</strong>
extracts user activity as saved by web browsers and the OS.
extracts user activity as saved by web browsers and the OS. Also runs regripper on the registry hive.
</li>
<li><strong>Hash Lookup</strong>
uses hash databases to ignore known files from the NIST NSRL and flag known bad files.
Use the "Advanced" button to configure the hash databases to use during this process.
You will get updates on known bad file hits as the ingest occurs.
Use the "Advanced" button to add and configure the hash databases to use during this process.
You will get updates on known bad file hits as the ingest occurs. You can later add hash databases
via the Tools -&gt; Options menu in the main UI. You can download an index of the NIST NSRL from
<a href="http://sourceforge.net/projects/autopsy/files/NSRL/">here</a>.
</li>
<li><strong>Keyword Search</strong>
uses keyword lists to identify files with specific words in them.
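Review bot: "Also runs regripper on the registry hive." should use the tool's name, RegRipper, and the plural "registry hives" if the module runs it over more than one hive. The NSRL index is linked over plain http; since this download is what the Hash Lookup module uses to decide which files to ignore, prefer the https URL for that link and tell the reader to check the index they downloaded against whatever checksum the download page publishes.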
@ -100,17 +97,16 @@
The keyword lists that you select during ingest will be searched for at periodic intervals and you will get the results in real-time.
You do not need to wait for all files to be indexed.
</li>
<li><strong>Archive Extractor</strong> opens ZIP, RAR, and other archive formats and sends the files from those archive files back
through the pipelines for analysis.</li>
<li><strong>Exif Image Parser</strong> extracts EXIF information from JPEG files and posts the results into the tree in the main UI.</li>
<li><strong>Thunderbird Parser</strong> Identifies Thunderbird MBOX files and extracts the e-mails from them.</li>
</ul>
<p>
When you select a module, you will have the option to change its settings.
For example, you can configure which keyword search lists to use during ingest and which hash databases to use.
Refer to the help system inside of Autopsy for details on configuring each module.
</p>
<p>
When selecting the ingest modules, you will also need to choose the update frequency.
This setting configures how often you will get updates from the ingest modules when they are running in the background.
The more frequent the updates, the longer the overall process will take.
</p>
<p>
While ingest modules are running in the background, you will see a progress bar in the lower right.
You can use the GUI to review incoming results and perform other tasks while ingest at that time.
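Review bot: the three new module entries are inconsistent in style: "Thunderbird Parser Identifies" capitalizes the verb while the sibling items start lowercase ("opens", "extracts"); use "identifies". Further down, "perform other tasks while ingest at that time" is broken; "perform other tasks while ingest is running" says what is meant.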
@ -122,8 +118,10 @@
<p>You will start all of your analysis techniques from the tree on the left.</p>
<ul>
<li>The Data Sources root node shows all data in the case.</li>
<ul>
<li>The individual image nodes show the file system structure of the disk images or local disks in the case.</li>
<li>The LogicalFileSet nodes show the logical files in the case.</li>
</ul>
<li>The Views node shows the same data from a file type or timeline perspective.</li>
<li>The Results node shows the output from the ingest modules.</li>
</ul>
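Review bot: the nested list is malformed HTML: the inner `<ul>` holding the image and LogicalFileSet items is a direct child of the outer `<ul>`, but a `<ul>` may only contain `<li>` elements. Move the closing `</li>` of the Data Sources item to after the inner `</ul>`, i.e. `<li>The Data Sources root node shows all data in the case.` then the inner `<ul>…</ul>` then `</li>`, so the JavaHelp renderer nests the sub-items under the right entry.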
@ -145,6 +143,8 @@
The results will be shown in a table in the upper right.
</p>
<p> You can tag (or bookmark) arbitrary files so that you can more quickly find them later or so that you can include them specifically in a report.</p>
<h2>Ingest Inbox</h2>
<p>
As you are going through the results in the tree, the ingest modules are running in the background.
@ -162,6 +162,9 @@
</p>
<p> When you select a message, you can then jump to the Results tree where more details can be found or jump to the file's location in the filesystem.</p>
<h2>Timeline (Beta)</h2>
<p>There is a basic timeline view that you can access via the Tools -&gt; Make Timeline feature. This will take a few minutes to create the timeline for analysis. Its features are still in development.</p>
<h1>Example Use Cases</h1>
<p>In this section, we will provide examples of how to do common analysis tasks.</p>
@ -209,7 +212,7 @@
</p>
<hr>
<p><i>Copyright &#169; 2012 Basis Technology.</i></p>
<p><i>Copyright &#169; 2012-2013 Basis Technology.</i></p>
<p><i>
This work is licensed under a
<a rel="license" href="http://creativecommons.org/licenses/by-sa/3.0/us/">Creative Commons Attribution-Share Alike 3.0 United States License</a>.

docs/javahelp-notes.txt Normal file
@ -0,0 +1,13 @@
This is my cheat sheet for the confusing set of files that make up JavaHelp.
- Each module has its own helpset in a docs folder under the src folder. You can create a new helpset in NetBeans UI.
- module-hs.xml is the help set file. I don't think this needs updating.
- module-map.xml maps a target name to the path where it can be found.
- module-toc.xml organizes the files to how they are displayed in the navigation tree on the left. It will merge helpsets together that have the same "text" fields in the 'tocitem' element.
- module-idx.xml allows you to map keywords to a specific file in the helpset. (NOTE: I think many existing help sets are not properly using this feature).
Steps to add a help file:
- Create the HTML file in the docs directory (copy an existing one).
- Create an entry in module-map.xml and create a unique target name for the file. We've been using the package name to make it unique.
- Add an entry to the module-toc.xml file to place it in the right place in the structure.
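Review bot: the "Steps to add a help file" list omits module-idx.xml even though the notes above describe it as the file that maps keywords to a help page; either add a step ("Add keyword entries for the new file to module-idx.xml") or state that the index entry is optional. The two hedged remarks ("I don't think this needs updating", "I think many existing help sets are not properly using this feature") should be checked before this ships as a cheat sheet, or marked TODO, so a reader does not take them as settled fact.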