mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-06 21:00:22 +00:00
Code Issues Packages Projects Releases Wiki Activity
autopsy-flatpak/docs/doxygen/design.dox
adam-m 0b6dc8f6cf doc updates
2012-07-05 12:51:40 -04:00

102 lines
5.6 KiB
Plaintext
Raw Blame History

/*! \page design_page General Design
\section design_overview Overview
This section outlines Autopsy design from the typical analysis work flow perspective.
A typical Autopsy work flow consists of the following steps:
- Wizards are used to create a case and add images (org.sleuthkit.autopsy.casemodule),
- TSK database is created,
- Ingest modules are executed (org.sleuthkit.autopsy.ingest),
- Ingest modules post results to the blackboard and ingest inbox,
- Directory tree displays blackboard contents,
- Data is encapsulated into nodes and passed to table and content viewers,
- Reports can be generated.
\subsection design_overview_sub1 Creating a case
The first step in Autopsy work flow is creating a case.
User is guided with the case creation wizard to enter the case name, base directory and optional case information.
Autopsy creates the case directory (named after the case name), where all the case data is stored.
An empty TSK database is created and initialized.
For more information on the case module refer to the org.sleuthkit.autopsy.casemodule documentation.
\subsection design_overview_sub2 Adding an image
After case is created, one or more disk images can be added to the case, using the Add Image Wizard.
The process invokes internally the native sleuthkit library.
The library reads the image and populates the TSK database with the image meta-data.
For more information on the add image internals, refer to org.sleuthkit.autopsy.casemodule documentation.
\subsection design_overview_sub4 Running ingest modules
After image has been added to the case, user can select one or more ingest modules to be executed on the image.
Most ingest modules can be configured before the run using simple or advanced configuration panels (or both).
The work of ingest services is performed in the background and ingest progress is indicated by progress bars.
Autopsy provides ingest module framework in the ingest package and custom modules can be developed and added to Autopsy.
For more information refer to the org.sleuthkit.autopsy.ingest package documentation and ingest.dox
\subsection design_overview_sub5 Ingest modules posting results
Ingest services, when running, produce data and write the data to the blackboard
in form of blackboard artifacts and associated blackboard attributes.
The services notify listeners of the availability of the data.
The default listener is the Autopsy directory tree UI component.
The component displays data currently saved in the blackboard and it also
refreshes the data view in real-time in response to service events.
Ingest services post interesting messages about the incoming data to Ingest Inbox.
\subsection design_overview_sub6 Result viewers (directory tree, table viewers, content viewers)
The directory tree (in the left-hand panel of the Autopsy viewer)
is the results viewer for the results saved in the database during ingest process.
The component is by default registered with the ingest manager as an ingest event listener.
The viewer first loads all the viewer-supported data currently in the bloackboard when Autopsy starts.
During the ingest process the viewer receives events from ingest services
(relayed by ingest manager) and it selectively refreshes parts of the tree providing real-time updates to the user.
When ingest is completed, the viewer responds to the final ingest data event generated by the ingest manager,
and performs a final refresh of all viewer-supported data in the blackboard.
Data presented is encapsulated in node objects org.openide.nodes.Node before it is displayed in the UI.
Nodes contain property sheets to store data and are organized in a parent-child hierarchy with other nodes.
The hierarchy is used to visually represent the data and to trigger child node updates whenever the parent node is selected by the user.
Node child factories are invoked by the Netbeans framework at the time of parent node selection to populate and refresh the child node view.
User normally initiates result navigation in the directory tree.
When a node is selected, it is passed in to the table result viewer (top-right).
When a node is selected in the table result viewer, it is passed in to the content viewers (bottom-right).
Multiple content viewers (such as strings, hex, extracted text, media) may support the node content (the node content support capabilities are registered in the node's Lookup).
If multiple content viewers are supported, a preferred (default) content viewer is chosen.
For more information refer to org.sleuthkit.autopsy.corecomponents, org.sleuthkit.autopsy.corecomponentsinterfaces
and org.sleuthkit.autopsy.directorytree
\subsection design_overview_sub7 Report generation
After ingest is run, user can generate reports.
There are several types of reports implemented as submodules that are shipped with Autopsy core: generic html, xml and Excel reports.
Each reporting submodule implements org.sleuthkit.autopsy.report.ReportModule interface and registers itself in layer.xml
Reporting submodule typically interacts with 3 components:
- org.sleuthkit.autopsy.report.ReportConfiguration - to read current reporting configuration set by the user,
- Blackboard API in org.sleuthkit.datamodel.SleuthkitCase class - to traverse and read blackboard artifacts and attributes,
- an API (possibly external/thirdparty API) to convert blackboard artifacts data structures to the desired reporting format.
Autopsy reporting module is present in org.sleuthkit.autopsy.report package.
Please refer to report.dox and org.sleuthkit.autopsy.report package API documentation for more details on how to implement a custom reporting submodule.
*/
Reference in New Issue View Git Blame Copy Permalink