diff --git a/docs/doxygen-dev/footer.html b/docs/doxygen-dev/footer.html
index 5ab86c6e86..b874c74742 100755
--- a/docs/doxygen-dev/footer.html
+++ b/docs/doxygen-dev/footer.html
@@ -1,5 +1,5 @@
-Copyright © 2012-2019 Basis Technology. Generated on $date
+
Copyright © 2012-2020 Basis Technology. Generated on $date
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.
diff --git a/docs/doxygen-user/Doxyfile b/docs/doxygen-user/Doxyfile
index 1bb3773a70..8295d9df5a 100644
--- a/docs/doxygen-user/Doxyfile
+++ b/docs/doxygen-user/Doxyfile
@@ -38,7 +38,7 @@ PROJECT_NAME = "Autopsy User Documentation"
# could be handy for archiving the generated documentation or if some version
# control system is used.
-PROJECT_NUMBER = 4.13.0
+PROJECT_NUMBER = 4.14.0
# Using the PROJECT_BRIEF tag one can provide an optional one line description
# for a project that appears at the top of each page and should give viewer a
@@ -1025,7 +1025,7 @@ GENERATE_HTML = YES
# The default directory is: html.
# This tag requires that the tag GENERATE_HTML is set to YES.
-HTML_OUTPUT = 4.13.0
+HTML_OUTPUT = 4.14.0
# The HTML_FILE_EXTENSION tag can be used to specify the file extension for each
# generated HTML page (for example: .htm, .php, .asp).
diff --git a/docs/doxygen-user/content_viewer.dox b/docs/doxygen-user/content_viewer.dox
index d7f3420fbc..66ec679565 100644
--- a/docs/doxygen-user/content_viewer.dox
+++ b/docs/doxygen-user/content_viewer.dox
@@ -54,6 +54,10 @@ It will display most image types, which can be scaled and rotated:
\image html content_viewer_app_image.png
+It displays video files, allowing you to move play/pause, move forward or backward 30 seconds, adjust the volume, and change the playback speed.
+
+\image html content_viewer_video.png
+
It also allows you to browse SQLite tables and export their contents as CSV:
\image html content_viewer_app_sqlite.png
@@ -82,6 +86,12 @@ The File Metadata tab displays basic information about the file, such as type, s
\image html content_viewer_metadata.png
+\section cv_context Context
+
+The Context tab shows the the source of attached files and allows you to view the original result. In the image below you can see the context for an image that was sent as an email attachment.
+
+\image html content_viewer_context.png
+
\section cv_results Results
The Results tab is active when selecting items with associated results such as keyword hits, call logs, and messages. The exact fields displayed depend on the type of result. The two images below show the Results tab for a call log and a web bookmark.
diff --git a/docs/doxygen-user/data_sources.dox b/docs/doxygen-user/data_sources.dox
index 2395d43460..6aeed0bbb1 100644
--- a/docs/doxygen-user/data_sources.dox
+++ b/docs/doxygen-user/data_sources.dox
@@ -3,7 +3,7 @@
A data source is the thing you want to analyze. It can be a disk image, some logical files, a local disk, etc. You must open a case prior to adding a data source to Autopsy.
-Autopsy supports four types of data sources:
+Autopsy supports multiple types of data sources:
- Disk Image or VM File: A file (or set of files) that is a byte-for-byte copy of a hard drive or media card, or a virtual machine image. (see \ref ds_img)
- Local Disk: Local storage device (local drive, USB-attached drive, etc.). (see \ref ds_local)
- Logical Files: Local files or folders. (see \ref ds_log)
@@ -42,7 +42,7 @@ NOTE: If you are adding a data source to a multi-user case, ensure that all Auto
6) After the ingest modules have been configured and the basic examination of the data source is complete, the ingest modules will begin to analyze the file contents.
-You cannot remove a data source from a case.
+Data sources can be removed from cases created with Autopsy 4.14.0 and later. See the section \ref data_source_deletion "below".
\section ds_img Adding a Disk Image
@@ -128,4 +128,12 @@ To add exported text files:
\image html xry_dsp.png
+\section data_source_deletion Deleting Data Sources
+
+As of Autopsy 4.14.0, data sources can be removed from cases. Removing a data source will delete all files associate with the data source, as well as all results from running ingest modules, tags, and timeline data. \ref reporting_page "Reports" will not be deleted, as most are not associated with a specific data source. If a new data source was created while processing another (from the \ref vm_extractor_page for example), this new data source will also be deleted if its parent is deleted.
+
+To delete a data source, right click it in either the \ref tree_viewer_page or the \ref result_viewer_page and select "Remove Data Source". If the case was originally created with a version of Autopsy earlier than 4.14.0 then this option will be disabled. After a confirmation dialog, the case will close and then reopen after the data source has been removed.
+
+\image html data_source_delete.png
+
*/
\ No newline at end of file
diff --git a/docs/doxygen-user/extension_mismatch.dox b/docs/doxygen-user/extension_mismatch.dox
index 2866ecedc0..25bac5e3fe 100644
--- a/docs/doxygen-user/extension_mismatch.dox
+++ b/docs/doxygen-user/extension_mismatch.dox
@@ -14,6 +14,10 @@ One can add and remove MIME types in the "Tools", "Options", "File Extension Mis
\image html extension-mismatch-detected-configuration.PNG
+If you'd like to contribute your changes back to the community, then you'll need to upload your updated %APPDATA%\autopsy\dev\config\mismatch_config.xml file by either:
+- Make a fork of the Github Autopsy repository, copy the new file into the src\org\sleuthkit\autopsy\fileextmismatch folder and submit a pull request
+- Attach the entire mismatch_config.xml file to a github issue.
+
Using the Module
======
Note that you can get a lot of false positives with this module. You can add your own rules to Autopsy to reduce unwanted hits.
diff --git a/docs/doxygen-user/file_discovery.dox b/docs/doxygen-user/file_discovery.dox
new file mode 100644
index 0000000000..a92b41dc43
--- /dev/null
+++ b/docs/doxygen-user/file_discovery.dox
@@ -0,0 +1,189 @@
+/*! \page file_discovery_page File Discovery
+
+\section file_disc_overview Overview
+
+The file discovery tool shows images or videos that match a set of filters configured by the user. You can choose how to group and order your results in order to see the most relevant data first.
+
+\section file_disc_prereq Prerequisites
+
+We suggest running all \ref ingest_page "ingest modules" before launching file discovery, but if time is a factor the following are the modules that are the most important. You will see a warning if you open file discovery without running the \ref file_type_identification_page and \ref EXIF_parser_page.
+
+Required ingest modules:
+
+- \ref file_type_identification_page
+
+
+Optional ingest modules:
+
+- \ref cr_ingest_module - Needed to use the \ref file_disc_occur_filter
+
- \ref EXIF_parser_page - Needed to use the \ref file_disc_user_filter
+
- \ref hash_db_page - Needed to use the \ref file_disc_hash_filter and to de-duplicate files
+
- \ref interesting_files_identifier_page - Needed to use the \ref file_disc_int_filter
+
- \ref object_detection_page - Needed to use the \ref file_disc_obj_filter
+
+
+\section file_disc_run Running File Discovery
+
+To launch file discovery, either click the "File Discovery" icon near the top of the Autopsy UI or go to "Tools", "File Discovery". There are three steps when setting up file discovery, which flow from the top of the panel to the bottom:
+
+- \ref file_disc_type "Choose the file type"
+
- \ref file_disc_filtering "Set up filters"
+
- \ref file_disc_grouping "Choose how to group and sort the results
+
+
+Once everything is set up, use the "Show" button at the bottom of the left panel to display your results. If you want to cancel a search in progress you can use the "Cancel" button.
+
+\image html FileDiscovery/fd_main.png
+
+\subsection file_disc_type File Type
+
+The first step is choosing whether you want to display images or videos. The file type is determined by the MIME type of the file, which is why the file_type_identification_page must be run to see any results. Switching between the file types will clear any results being displayed and reset the filters.
+
+\image html FileDiscovery/fd_fileType.png
+
+\subsection file_disc_filtering Filtering
+
+The second step is to select and configure your filters. For most filters, you enable them using the checkbox on the left and then select your options. Multiple options can be selected by using CTRL + left click. Files must pass all enabled filters to be displayed.
+
+\subsubsection file_disc_size_filter File Size Filter
+
+The file size filter lets you restrict the size of your results. The options are different for images and videos - an extra small image might be under 16 KB while an extra small video is anything under 500 KB.
+
+\image html FileDiscovery/fd_fileSizeFilter.png
+
+\subsubsection file_disc_ds_filter Data Source Filter
+
+The data source filter lets you restrict which data sources in your case to include in the results.
+
+\image html FileDiscovery/fd_dataSourceFilter.png
+
+\subsubsection file_disc_occur_filter Past Occurrences Filter
+
+The past occurrences filter uses the \ref central_repo_page "central repository" and \ref hash_db_page "known hash sets" to restrict how commom/rare a file must be to be included in the results. By default, the "Known Files" option is disabled, meaning that any file matching the NSRL or other white-listed hash set will not be displayed.
+
+\image html FileDiscovery/fd_pastOccur.png
+
+The counts for the rest of the options are based on how many data sources in your central repository contain a copy of this file (based on hash). If a file only appears in one data source in the current case, then it will match "Unique(1)". If it has only been seen in a few other data source, it will match "Rare(2-10)". Note that it doesn't matter how many times a file appears in each data source - a file could have twenty copies in one data source and still be "unique".
+
+\subsubsection file_disc_user_filter Possibly User Created
+
+The possibly user created filter restricts the results to files that suspected to be raw images or videos.
+
+\image html FileDiscovery/fd_userCreatedFilter.png
+
+This means the image or video must have a "User Content Suspected" result associated with it. These primarily come from the \ref EXIF_parser_page "Exif parser module".
+
+\image html FileDiscovery/fd_userContentArtifact.png
+
+\subsubsection file_disc_hash_filter Hash Set Filter
+
+The hash set filter restricts the results to files found in the selected hash sets. Only notable hash sets that have hits in the current case are listed (though those hits may not be images or videos). See the \ref hash_db_page page for more information on creating and using hash sets.
+
+\image html FileDiscovery/fd_hashSetFilter.png
+
+\subsubsection file_disc_int_filter Interesting Item Filter
+
+The interesting item filter restricts the results to files found in the selected interesting item rule sets. Only interesting file rule sets that have results in the current case are listed (though those matches may not be images or videos). See the \ref interesting_files_identifier_page page for more information on creating and using interesting item rule sets.
+
+\image html FileDiscovery/fd_interestingItemsFilter.png
+
+\subsubsection file_disc_obj_filter Object Detected Filter
+
+The object detected filter restricts the results to files that matched the selected classifiers. Only classifiers that have results in the current case are listed. Note that currently the built-in \ref object_detection_page ingest module only works on images, so you should generally not use this filter with videos. See the \ref object_detection_page page for more information on setting up classifiers.
+
+\image html FileDiscovery/fd_objectFilter.png
+
+\subsubsection file_disc_parent_filter Parent Folder Filter
+
+The parent folder filter either restricts the path the files can be on. This filter works differently than the others in that the individual options do not have to be selected - every rule that has been entered will be applied.
+
+\image html FileDiscovery/fd_parentFilter.png
+
+You can enter paths that should be included and paths that should be ignored. For both you then specify whether the path string you entered is a full path or a substring. For full path matches you'll need to include the leading and trailing slashes. Full path matches are also case-sensitive.
+
+The default options, shown above, will exclude any file that has a "Windows" folder or a "Program Files" folder in its path. It would exclude files like "/Windows/System32/image1.jpg" but would not exclude "/My Pictures/Bay Windows/image2.jpg" because the slashes around "Windows" force it to match the exact folder name.
+
+Here is another example. This rule was created with "Full" and "Include" selected.
+
+\image html FileDiscovery/fd_parentEx2.png
+
+This matches the file "/LogicalFileSet2/File Discovery/bird1.tif" but not any images in subfolders under "File Discovery".
+
+When there are multiple path options in the filter, they will be applied as follows:
+
+- The file path must match every "exclude" rule to pass
+
- If any "include" rules exist, the file path must match at least one "include" rule to pass
+
+
+This allows you to, for example, make rules to include both the "My Documents" and the "My Pictures" folders.
+
+\subsection file_disc_grouping Grouping and Sorting
+
+The final options are for how you want to group and sort your results.
+
+\image html FileDiscovery/fd_grouping.png
+
+The first option lets you choose the top level grouping for your results and the second option lets you choose how to sort them. The groups appear in the middle column of the file discovery panel. Note that some of the grouping options may not always appear - for example, grouping by past occurrences will only be present if the \ref central_repo_page is enabled, and grouping by hash set will only be present if there are hash set hits in your current case. The example below shows the groups created using the default options (group by file size, order groups by group name):
+
+\image html FileDiscovery/fd_groupingSize.png
+
+In the case of file size and past occurrences, ordering by group name is based on the natural ordering of the group (largest to smallest or most rare to most common). For the other groups it will be alphabetical. Ordering groups by size will sort them based on how many files each group contains, going largest to smallest. For example, here we've grouped by interesting item set and ordered the groups by their size.
+
+\image html FileDiscovery/fd_groupingInt.png
+
+The interesting items filter was not enabled so most images ended up in the "None" group, meaning they have no interesting file result associated with them. The final group in the list contains a file that matched both interesting item rule sets.
+
+The last grouping and sorting option is choosing how to sort the results within a group. This is the order of the results in the top right panel after selecting a group from the middle column. Note that due to the merging of results with the same hash in that panel, ordering by file name, path, or data source can vary. See the \ref file_disc_dedupe section below for more information.
+
+\section file_disc_results Viewing Results
+
+\subsection file_disc_results_overview Overview
+
+Once you select your options and click "Show", you'll see a list of groups in the middle panel. Selecting one of these groups will display the results from that group in the right panel. If your results are images, you'll see thumbnails for each image in the top area of the right panel.
+
+\image html FileDiscovery/fd_resultGroups.png
+
+If your results are videos, each result will display four thumbnails from the video.
+
+\image html FileDiscovery/fd_videos.png
+
+When you select a result from the top of the right panel, you'll see the path to the corresponding file(s) in the "Instances" panel below the thumbnails. There may be more than one file instance associated with a result - see the \ref file_disc_dedupe section below. You can right-click on files in the instances panel to use most of options available in the normal \ref result_viewer_page.
+
+\image html FileDiscovery/fd_instanceContext.png
+
+The bottom section of the panel is identical to the standard \ref content_viewer_page and displays data corresponding to the file instance selected in the middle of the panel.
+
+\subsection file_disc_dedupe De-duplication
+
+Assuming the \ref hash_db_page module has been run, all files in a result group with the same hash will be merged together under a single instance. You can see the number of instances of each file under the thumbnail, and each file instance will be displayed in the middle section of the panel.
+
+
+
+\image html FileDiscovery/fd_dupeEx.png
+
+Clicking on a particular instance will load data for that file in the content viewer area at the bottom.
+
+Note that files in different groups will not be merged together or appear under the instances list of each other. For example, if you choose to group by parent folder and have two instances of a file with the same hash but in different folders, each will appear once under its parent folder. Grouping by file size (the default) will always merge every instance of the same file.
+
+\subsection file_disc_icons Status Icons
+
+A number of icons may be displayed in the bottom right of the thumbnails to help point out notable results. Hovering over the icon will display a message explaining why the icon is present. In the image below, the yellow icon is present because the file is associated with an interesting item set.
+
+\image html FileDiscovery/fd_icon.png
+
+Most of the icons match what would be displayed in the "S" column of the normal \ref result_viewer_page.
+
+| Icon | Usage |
+|-------|------|
+\image html FileDiscovery/yellow-circle-yield.png "" | \ref interesting_files_identifier_page "Interesting file set match" or normal \ref tagging_page "file tag"
+\image html FileDiscovery/red-circle-exclamation.png "" | Notable \ref hash_db_page "hash set hit" or notable \ref tagging_page "file tag"
+\image html FileDiscovery/file-icon-deleted.png "" | Deleted file (every instance is deleted)
+
+
+\subsection file_disc_paging Paging
+
+If the group you select has many results, the results will be split up into pages. You can use the left and right arrows to move between pages or type in the page number you wish to go to. You can adjust the number of results per page using the drop down box in the upper right.
+
+\image html FileDiscovery/fd_paging.png
+
+*/
\ No newline at end of file
diff --git a/docs/doxygen-user/footer.html b/docs/doxygen-user/footer.html
index 5ab86c6e86..b874c74742 100644
--- a/docs/doxygen-user/footer.html
+++ b/docs/doxygen-user/footer.html
@@ -1,5 +1,5 @@
-Copyright © 2012-2019 Basis Technology. Generated on $date
+
Copyright © 2012-2020 Basis Technology. Generated on $date
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.
diff --git a/docs/doxygen-user/geolocation.dox b/docs/doxygen-user/geolocation.dox
index 30dbb75c4c..a4c78351cf 100644
--- a/docs/doxygen-user/geolocation.dox
+++ b/docs/doxygen-user/geolocation.dox
@@ -49,7 +49,7 @@ on the Geolocation panel in the Options dialog. There are four options for geolo
- Default online tile server
-- The default Geolocation window tile data source is the Microsoft Virtual Earth server bing.com\maps.
+
- The default Geolocation window tile data source is the Microsoft Virtual Earth server https://www.bing.com/maps.
- OpenStreetMap server
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_dataSourceFilter.png b/docs/doxygen-user/images/FileDiscovery/fd_dataSourceFilter.png
new file mode 100644
index 0000000000..9c42198839
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_dataSourceFilter.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_dupeEx.png b/docs/doxygen-user/images/FileDiscovery/fd_dupeEx.png
new file mode 100644
index 0000000000..e711bc95cc
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_dupeEx.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_fileSizeFilter.png b/docs/doxygen-user/images/FileDiscovery/fd_fileSizeFilter.png
new file mode 100644
index 0000000000..1e2bdb7f84
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_fileSizeFilter.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_fileType.png b/docs/doxygen-user/images/FileDiscovery/fd_fileType.png
new file mode 100644
index 0000000000..e7ae704fe5
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_fileType.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_grouping.png b/docs/doxygen-user/images/FileDiscovery/fd_grouping.png
new file mode 100644
index 0000000000..7d1441bee1
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_grouping.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_groupingInt.png b/docs/doxygen-user/images/FileDiscovery/fd_groupingInt.png
new file mode 100644
index 0000000000..1de9099297
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_groupingInt.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_groupingSize.png b/docs/doxygen-user/images/FileDiscovery/fd_groupingSize.png
new file mode 100644
index 0000000000..e21707eb44
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_groupingSize.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_hashSetFilter.png b/docs/doxygen-user/images/FileDiscovery/fd_hashSetFilter.png
new file mode 100644
index 0000000000..8c05e72524
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_hashSetFilter.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_icon.png b/docs/doxygen-user/images/FileDiscovery/fd_icon.png
new file mode 100644
index 0000000000..575395bad7
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_icon.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_instanceContext.png b/docs/doxygen-user/images/FileDiscovery/fd_instanceContext.png
new file mode 100644
index 0000000000..e8d7961da2
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_instanceContext.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_interestingItemsFilter.png b/docs/doxygen-user/images/FileDiscovery/fd_interestingItemsFilter.png
new file mode 100644
index 0000000000..4362a904d9
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_interestingItemsFilter.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_loadSettings.png b/docs/doxygen-user/images/FileDiscovery/fd_loadSettings.png
new file mode 100644
index 0000000000..0ed2169853
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_loadSettings.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_main.png b/docs/doxygen-user/images/FileDiscovery/fd_main.png
new file mode 100644
index 0000000000..1412f43892
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_main.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_objectFilter.png b/docs/doxygen-user/images/FileDiscovery/fd_objectFilter.png
new file mode 100644
index 0000000000..42efcee8fa
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_objectFilter.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_paging.png b/docs/doxygen-user/images/FileDiscovery/fd_paging.png
new file mode 100644
index 0000000000..7a18889e5e
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_paging.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_parentEx2.png b/docs/doxygen-user/images/FileDiscovery/fd_parentEx2.png
new file mode 100644
index 0000000000..102f39f92b
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_parentEx2.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_parentFilter.png b/docs/doxygen-user/images/FileDiscovery/fd_parentFilter.png
new file mode 100644
index 0000000000..5cf24a7fda
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_parentFilter.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_pastOccur.png b/docs/doxygen-user/images/FileDiscovery/fd_pastOccur.png
new file mode 100644
index 0000000000..9b04f882c9
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_pastOccur.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_resultGroups.png b/docs/doxygen-user/images/FileDiscovery/fd_resultGroups.png
new file mode 100644
index 0000000000..02e644a605
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_resultGroups.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_userContentArtifact.png b/docs/doxygen-user/images/FileDiscovery/fd_userContentArtifact.png
new file mode 100644
index 0000000000..f4af8f8fb6
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_userContentArtifact.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_userCreatedFilter.png b/docs/doxygen-user/images/FileDiscovery/fd_userCreatedFilter.png
new file mode 100644
index 0000000000..510624fcd0
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_userCreatedFilter.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/fd_videos.png b/docs/doxygen-user/images/FileDiscovery/fd_videos.png
new file mode 100644
index 0000000000..eb36a81f41
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/fd_videos.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/file-icon-deleted.png b/docs/doxygen-user/images/FileDiscovery/file-icon-deleted.png
new file mode 100644
index 0000000000..ef172e501b
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/file-icon-deleted.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/red-circle-exclamation.png b/docs/doxygen-user/images/FileDiscovery/red-circle-exclamation.png
new file mode 100644
index 0000000000..26b61e6f06
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/red-circle-exclamation.png differ
diff --git a/docs/doxygen-user/images/FileDiscovery/yellow-circle-yield.png b/docs/doxygen-user/images/FileDiscovery/yellow-circle-yield.png
new file mode 100644
index 0000000000..85c873f33f
Binary files /dev/null and b/docs/doxygen-user/images/FileDiscovery/yellow-circle-yield.png differ
diff --git a/docs/doxygen-user/images/content_viewer_annotations.png b/docs/doxygen-user/images/content_viewer_annotations.png
index 671a842099..aa37590379 100644
Binary files a/docs/doxygen-user/images/content_viewer_annotations.png and b/docs/doxygen-user/images/content_viewer_annotations.png differ
diff --git a/docs/doxygen-user/images/content_viewer_app_image.png b/docs/doxygen-user/images/content_viewer_app_image.png
index 42b57d27c6..c3ba7a0052 100644
Binary files a/docs/doxygen-user/images/content_viewer_app_image.png and b/docs/doxygen-user/images/content_viewer_app_image.png differ
diff --git a/docs/doxygen-user/images/content_viewer_app_plist.png b/docs/doxygen-user/images/content_viewer_app_plist.png
index 29da91b7ac..815b5d2ed9 100644
Binary files a/docs/doxygen-user/images/content_viewer_app_plist.png and b/docs/doxygen-user/images/content_viewer_app_plist.png differ
diff --git a/docs/doxygen-user/images/content_viewer_app_sqlite.png b/docs/doxygen-user/images/content_viewer_app_sqlite.png
index 0166cb32e3..9bc708593f 100644
Binary files a/docs/doxygen-user/images/content_viewer_app_sqlite.png and b/docs/doxygen-user/images/content_viewer_app_sqlite.png differ
diff --git a/docs/doxygen-user/images/content_viewer_context.png b/docs/doxygen-user/images/content_viewer_context.png
new file mode 100644
index 0000000000..c808e6c0b2
Binary files /dev/null and b/docs/doxygen-user/images/content_viewer_context.png differ
diff --git a/docs/doxygen-user/images/content_viewer_hex.png b/docs/doxygen-user/images/content_viewer_hex.png
index 330c0468a7..0843548450 100644
Binary files a/docs/doxygen-user/images/content_viewer_hex.png and b/docs/doxygen-user/images/content_viewer_hex.png differ
diff --git a/docs/doxygen-user/images/content_viewer_html.png b/docs/doxygen-user/images/content_viewer_html.png
index 29f2f86ea4..4a24941951 100644
Binary files a/docs/doxygen-user/images/content_viewer_html.png and b/docs/doxygen-user/images/content_viewer_html.png differ
diff --git a/docs/doxygen-user/images/content_viewer_indexed_text.png b/docs/doxygen-user/images/content_viewer_indexed_text.png
index 83c0076eda..e25cbee5c5 100644
Binary files a/docs/doxygen-user/images/content_viewer_indexed_text.png and b/docs/doxygen-user/images/content_viewer_indexed_text.png differ
diff --git a/docs/doxygen-user/images/content_viewer_message.png b/docs/doxygen-user/images/content_viewer_message.png
index f927289531..7f3e109396 100644
Binary files a/docs/doxygen-user/images/content_viewer_message.png and b/docs/doxygen-user/images/content_viewer_message.png differ
diff --git a/docs/doxygen-user/images/content_viewer_metadata.png b/docs/doxygen-user/images/content_viewer_metadata.png
index 1c25115398..fd38248776 100644
Binary files a/docs/doxygen-user/images/content_viewer_metadata.png and b/docs/doxygen-user/images/content_viewer_metadata.png differ
diff --git a/docs/doxygen-user/images/content_viewer_other_occurrences.png b/docs/doxygen-user/images/content_viewer_other_occurrences.png
index 3bdac5b67b..c8a69e15d2 100644
Binary files a/docs/doxygen-user/images/content_viewer_other_occurrences.png and b/docs/doxygen-user/images/content_viewer_other_occurrences.png differ
diff --git a/docs/doxygen-user/images/content_viewer_registry.png b/docs/doxygen-user/images/content_viewer_registry.png
index 43149fcb7f..ee45181c85 100644
Binary files a/docs/doxygen-user/images/content_viewer_registry.png and b/docs/doxygen-user/images/content_viewer_registry.png differ
diff --git a/docs/doxygen-user/images/content_viewer_results_bookmark.png b/docs/doxygen-user/images/content_viewer_results_bookmark.png
index 6baa7f7383..7dbc61bc7a 100644
Binary files a/docs/doxygen-user/images/content_viewer_results_bookmark.png and b/docs/doxygen-user/images/content_viewer_results_bookmark.png differ
diff --git a/docs/doxygen-user/images/content_viewer_results_call.png b/docs/doxygen-user/images/content_viewer_results_call.png
index 03b79bf1f0..fa554e873a 100644
Binary files a/docs/doxygen-user/images/content_viewer_results_call.png and b/docs/doxygen-user/images/content_viewer_results_call.png differ
diff --git a/docs/doxygen-user/images/content_viewer_strings_cyrillic.png b/docs/doxygen-user/images/content_viewer_strings_cyrillic.png
index f70ba0c130..0318a383d6 100644
Binary files a/docs/doxygen-user/images/content_viewer_strings_cyrillic.png and b/docs/doxygen-user/images/content_viewer_strings_cyrillic.png differ
diff --git a/docs/doxygen-user/images/content_viewer_strings_latin.png b/docs/doxygen-user/images/content_viewer_strings_latin.png
index 6968326d65..ba4403e518 100644
Binary files a/docs/doxygen-user/images/content_viewer_strings_latin.png and b/docs/doxygen-user/images/content_viewer_strings_latin.png differ
diff --git a/docs/doxygen-user/images/content_viewer_video.png b/docs/doxygen-user/images/content_viewer_video.png
new file mode 100644
index 0000000000..f3a26ef8f6
Binary files /dev/null and b/docs/doxygen-user/images/content_viewer_video.png differ
diff --git a/docs/doxygen-user/images/cvt_contacts.png b/docs/doxygen-user/images/cvt_contacts.png
index 9d86b82ccc..4f674e6579 100644
Binary files a/docs/doxygen-user/images/cvt_contacts.png and b/docs/doxygen-user/images/cvt_contacts.png differ
diff --git a/docs/doxygen-user/images/data_source_delete.png b/docs/doxygen-user/images/data_source_delete.png
new file mode 100644
index 0000000000..d33e42e107
Binary files /dev/null and b/docs/doxygen-user/images/data_source_delete.png differ
diff --git a/docs/doxygen-user/images/plaso_config.png b/docs/doxygen-user/images/plaso_config.png
new file mode 100644
index 0000000000..e31aea1a23
Binary files /dev/null and b/docs/doxygen-user/images/plaso_config.png differ
diff --git a/docs/doxygen-user/images/plaso_timeline.png b/docs/doxygen-user/images/plaso_timeline.png
new file mode 100644
index 0000000000..af112b2732
Binary files /dev/null and b/docs/doxygen-user/images/plaso_timeline.png differ
diff --git a/docs/doxygen-user/images/ui-layout-1.PNG b/docs/doxygen-user/images/ui-layout-1.PNG
index 7f9485888d..8e54967524 100644
Binary files a/docs/doxygen-user/images/ui-layout-1.PNG and b/docs/doxygen-user/images/ui-layout-1.PNG differ
diff --git a/docs/doxygen-user/main.dox b/docs/doxygen-user/main.dox
index 87b279247d..1322042b91 100644
--- a/docs/doxygen-user/main.dox
+++ b/docs/doxygen-user/main.dox
@@ -67,7 +67,7 @@ The following topics are available here:
- \subpage timeline_page
- \subpage communications_page
- \subpage geolocation_page
-
+ - \subpage file_discovery_page
- Reporting
- \subpage tagging_page
diff --git a/docs/doxygen-user/plaso.dox b/docs/doxygen-user/plaso.dox
new file mode 100644
index 0000000000..9b013c97c1
--- /dev/null
+++ b/docs/doxygen-user/plaso.dox
@@ -0,0 +1,19 @@
+/*! \page plaso_page Plaso
+
+Plaso is a framework for running modules to extract timestamps for various types of files. The Plaso ingest module runs Plaso to generate events that are displayed in the Autopsy \ref timeline_page. For more information on Plaso, see the documentation.
+
+\section plaso_config Running the Module
+
+The Plaso ingest module runs dozens of individual parsers and can take a long time to run. In testing, the slowest parsers by far were winreg, pe, and chrome_cache. chrome_cache is always disabled as it duplicates events created by the \ref recent_activity_page. You can choose to enable the winreg and pe modules on the ingest module configuration panel.
+
+\image html plaso_config.png
+
+Plaso will only run on \ref ds_img "disk image data sources".
+
+\section plaso_results Viewing Results
+
+The Plaso events will be shown in the \ref timeline_page Timeline. Note that events created by Plaso are not displayed in the \ref tree_viewer_page.
+
+\image html plaso_timeline.png
+
+*/
\ No newline at end of file
diff --git a/docs/doxygen/Doxyfile b/docs/doxygen/Doxyfile
index d73868792a..dd78bc69ea 100644
--- a/docs/doxygen/Doxyfile
+++ b/docs/doxygen/Doxyfile
@@ -38,7 +38,7 @@ PROJECT_NAME = "Autopsy"
# could be handy for archiving the generated documentation or if some version
# control system is used.
-PROJECT_NUMBER = 4.13.0
+PROJECT_NUMBER = 4.14.0
# Using the PROJECT_BRIEF tag one can provide an optional one line description
# for a project that appears a the top of each page and should give viewer a
@@ -1066,7 +1066,7 @@ GENERATE_HTML = YES
# The default directory is: html.
# This tag requires that the tag GENERATE_HTML is set to YES.
-HTML_OUTPUT = api-docs/4.13.0/
+HTML_OUTPUT = api-docs/4.14.0/
# The HTML_FILE_EXTENSION tag can be used to specify the file extension for each
# generated HTML page (for example: .htm, .php, .asp).
diff --git a/docs/doxygen/footer.html b/docs/doxygen/footer.html
index 8bf1577a45..f703eb2a5e 100644
--- a/docs/doxygen/footer.html
+++ b/docs/doxygen/footer.html
@@ -1,5 +1,5 @@
-Copyright © 2012-2019 Basis Technology. Generated on: $date
+
Copyright © 2012-2020 Basis Technology. Generated on: $date
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.
diff --git a/nbproject/project.properties b/nbproject/project.properties
index 8132096d48..1f61a9c967 100644
--- a/nbproject/project.properties
+++ b/nbproject/project.properties
@@ -4,7 +4,7 @@ app.title=Autopsy
### lowercase version of above
app.name=${branding.token}
### if left unset, version will default to today's date
-app.version=4.13.0
+app.version=4.14.0
### build.type must be one of: DEVELOPMENT, RELEASE
#build.type=RELEASE
build.type=DEVELOPMENT
diff --git a/thirdparty/rr-full/Parse/Win32Registry/Base.pm b/thirdparty/rr-full/Parse/Win32Registry/Base.pm
index 6598f37b11..0b206e7bb5 100644
--- a/thirdparty/rr-full/Parse/Win32Registry/Base.pm
+++ b/thirdparty/rr-full/Parse/Win32Registry/Base.pm
@@ -161,14 +161,26 @@ sub unpack_windows_time {
# The equation can be found in several places on the Net.
# My thanks go to Dan Sully for Audio::WMA's _fileTimeToUnixTime
# which shows a perl implementation of it.
- my ($low, $high) = unpack("VV", $data);
- my $filetime = $high * 2 ** 32 + $low;
- my $epoch_time = int(($filetime - 116444736000000000) / 10000000);
+ my ($lo, $hi) = unpack("VV", $data);
+# my $filetime = $high * 2 ** 32 + $low;
+# my $epoch_time = int(($filetime - 116444736000000000) / 10000000);
+
+ my $epoch_time;
+ if ($lo == 0 && $hi == 0) {
+ $epoch_time = 0;
+ } else {
+ $lo -= 0xd53e8000;
+ $hi -= 0x019db1de;
+ $epoch_time = int($hi*429.4967296 + $lo/1e7);
+ };
+ $epoch_time = 0 if ($epoch_time < 0);
+
+
# adjust the UNIX epoch time to the local OS's epoch time
# (see perlport's Time and Date section)
- my $epoch_offset = timegm(0, 0, 0, 1, 0, 70);
- $epoch_time += $epoch_offset;
+ # my $epoch_offset = timegm(0, 0, 0, 1, 0, 70);
+ # $epoch_time += $epoch_offset;
if ($epoch_time < 0 || $epoch_time > 0x7fffffff) {
$epoch_time = undef;
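Review bot: The new zero special case and the clamp `$epoch_time = 0 if ($epoch_time < 0);` make the `$epoch_time < 0` half of the range check at the end of this hunk unreachable, so an all-zero or pre-1970 FILETIME now comes out as epoch 0 where the removed arithmetic produced a negative value that the check turned into `undef`. In a registry timeline an unset or corrupt last-write time would then appear as 1970-01-01 00:00:00 UTC, which a reader cannot tell apart from a parsed value. Unless callers rely on 0, I would drop the `if ($lo == 0 && $hi == 0)` branch and the clamp, keep only the two subtractions and the `int(...)` line, and leave rejection to the existing check; otherwise add a comment such as `# 0 means "no valid timestamp", not 1970-01-01`. The commented-out `$high`/`$low` lines no longer match the variable names and can be removed. The identical hunk for thirdparty/rr/Parse/Win32Registry/Base.pm has the same issue; unpack_windows_time starts and ends outside both hunks, so what is finally returned is not visible here.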
diff --git a/thirdparty/rr-full/rip.exe b/thirdparty/rr-full/rip.exe
index 2becc8de6b..9a024202f3 100755
Binary files a/thirdparty/rr-full/rip.exe and b/thirdparty/rr-full/rip.exe differ
diff --git a/thirdparty/rr-full/rr.exe b/thirdparty/rr-full/rr.exe
index a96bba5daa..889b971889 100755
Binary files a/thirdparty/rr-full/rr.exe and b/thirdparty/rr-full/rr.exe differ
diff --git a/thirdparty/rr/Parse/Win32Registry/Base.pm b/thirdparty/rr/Parse/Win32Registry/Base.pm
index 6598f37b11..0b206e7bb5 100644
--- a/thirdparty/rr/Parse/Win32Registry/Base.pm
+++ b/thirdparty/rr/Parse/Win32Registry/Base.pm
@@ -161,14 +161,26 @@ sub unpack_windows_time {
# The equation can be found in several places on the Net.
# My thanks go to Dan Sully for Audio::WMA's _fileTimeToUnixTime
# which shows a perl implementation of it.
- my ($low, $high) = unpack("VV", $data);
- my $filetime = $high * 2 ** 32 + $low;
- my $epoch_time = int(($filetime - 116444736000000000) / 10000000);
+ my ($lo, $hi) = unpack("VV", $data);
+# my $filetime = $high * 2 ** 32 + $low;
+# my $epoch_time = int(($filetime - 116444736000000000) / 10000000);
+
+ my $epoch_time;
+ if ($lo == 0 && $hi == 0) {
+ $epoch_time = 0;
+ } else {
+ $lo -= 0xd53e8000;
+ $hi -= 0x019db1de;
+ $epoch_time = int($hi*429.4967296 + $lo/1e7);
+ };
+ $epoch_time = 0 if ($epoch_time < 0);
+
+
# adjust the UNIX epoch time to the local OS's epoch time
# (see perlport's Time and Date section)
- my $epoch_offset = timegm(0, 0, 0, 1, 0, 70);
- $epoch_time += $epoch_offset;
+ # my $epoch_offset = timegm(0, 0, 0, 1, 0, 70);
+ # $epoch_time += $epoch_offset;
if ($epoch_time < 0 || $epoch_time > 0x7fffffff) {
$epoch_time = undef;
diff --git a/thirdparty/rr/plugins/autopsyprocarchitecture.pl b/thirdparty/rr/plugins/autopsyprocarchitecture.pl
index a03a53f470..d5c0e63f6e 100644
--- a/thirdparty/rr/plugins/autopsyprocarchitecture.pl
+++ b/thirdparty/rr/plugins/autopsyprocarchitecture.pl
@@ -47,15 +47,14 @@ sub pluginmain {
my $arch = $env->get_value("PROCESSOR_ARCHITECTURE")->get_data();
::rptMsg("" . $arch . "");
};
- ::rptMsg($@) if ($@);
-
+ ::logMsg($@) if ($@);
}
else {
- ::rptMsg($env_path." not found.");
+ ::logMsg($env_path." not found.");
}
}
else {
- ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
#::logMsg($key_path." not found.");
}
}
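Review bot: The commented-out `#::logMsg($key_path." not found.");` left under the last changed line is now an exact copy of the active statement above it and should be deleted. With all three failure paths moved from `::rptMsg` to `::logMsg`, the plugin presumably writes nothing to the report when `$key_path`, `$env_path` or the value is missing, so whatever parses its output has to treat empty output as "architecture unknown" rather than as a failed run. A one-line comment above the `eval` would record that contract, e.g. `# errors go to the log only; the report carries the architecture or nothing`. pluginmain begins outside the hunk.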
diff --git a/thirdparty/rr/rip.exe b/thirdparty/rr/rip.exe
index 2becc8de6b..9a024202f3 100755
Binary files a/thirdparty/rr/rip.exe and b/thirdparty/rr/rip.exe differ
diff --git a/thirdparty/rr/rr.exe b/thirdparty/rr/rr.exe
index a96bba5daa..889b971889 100755
Binary files a/thirdparty/rr/rr.exe and b/thirdparty/rr/rr.exe differ
diff --git a/thunderbirdparser/nbproject/project.xml b/thunderbirdparser/nbproject/project.xml
index 52e915e2f3..4eebb3d2f4 100644
--- a/thunderbirdparser/nbproject/project.xml
+++ b/thunderbirdparser/nbproject/project.xml
@@ -36,7 +36,7 @@
10
- 10.17
+ 10.18