/*! \page platform_page Platform Concepts
\section platform_basics Basic Concepts
These are the basic concepts that you should be aware of before writing a module:
- Phases: The platform has been design to support different phases in the investigation process:
- Case Creation: Use wizards to create a new case.
- File Extraction: Where files are identified and the basic metadata are added to the central database. This happens in the Add Image Wizard.
- Ingest Modules: A variety of analysis modules then run on the extracted files to perform specific tasks.
- Browsing and searching: User can manually browse and search the data using the user interface.
- Report: A final report is generated at the end of the case.
- Central Database: All data except for the disk image is stored in a SQLite database. This includes information about what files exist in the disk image and the output from modules. Access to this database can be found from the SleuthKitCase class, but you'll probably never need to directly interact with it.
- Utilities: There are core utilities that the platform provides to modules. See the \ref mod_dev_other_utilities section for more details.
- Services: There are services provided by the platform. See the \ref mod_dev_other_services section for more details.
- Blackboard: The platform uses the blackboard to enable modules to communicate with each other and to display data in the GUI. See the \ref platform_blackboard section for more details.
- Single tree: Results from the various modules can generally be found in a single tree. This makes it easy for users to find their results.
\section platform_frameworks Frameworks in the Platform
There are several places in the platform where plug-in modules can be applied.
- Ingest Modules: These modules are run when a new data source is added to a case (and can be re-run afterwards too). See \ref mod_ingest_page for details on building these modules. These modules come in two forms:
- File Ingest Modules are called for every file in the image. Use this type of module if you want to examine the contents of all or most of the files. Examples include hash calculation, hash lookup, file type identification, and entropy calculation.
- Data Source Ingest Modules are called once for every image or set of logical files. These modules can use the database to query for one or more files and perform analysis on them. Examples include web artifact analysis and searches that can rely only file names and extensions.
- Content Viewers: These modules show information about a specific file. These are the modules in the lower right of the interface. The platform comes with viewers to view the file in hexadecimal, extract the strings from the file, and view images and movies. See \ref mod_content_page for details on creating these modules.
- Result Viewers: These modules show information about a set of files. These modules are in the upper right of the interface. The platform comes with viewers to view the set of files in a table and thumbnails. See \ref mod_result_page for details on creating these modules.
\section platform_blackboard The Blackboard
The blackboard allows modules to communicate. It has three main uses in Autopsy:
- Ingest modules can communicate with each other. For example, one module can calculate a MD5 hash of a file and post it to the blackboard. Then another module can retrieve the hash value from the blackboard and not need to calculate it again.
- The tree in the right-hand side of the UI uses the blackboard to populate its Results section. The bookmarks, hashset hits, etc. are all populated from Ingest modules that created blackboard entries.
- The report modules query the blackboard to identify what they should report on.
For more details on the blackboard, refer to the TSK Framework documentation at http://sleuthkit.org/sleuthkit/docs/framework-docs/mod_bbpage.html. These documents are about the C++ implementation of the blackboard, but it is the same concepts.
For details on the Java API, refer to the JNI docs:
http://sleuthkit.org/sleuthkit/docs/jni-docs/
*/