2019-04-18 14:13:37 -04:00


/*! \page triage_page Triage
\section triage_overview Overview
Intro here.
\section triage_features Triage-related Features
There are many features of Autopsy that can come into play in a triage situation. Some help you process the files most likely to be relevant earlier, and others allow you to continue analyzing the data after disconnecting from the target system.
\subsection triage_prioritization Prioritization/Filtering
The goal is to find the most important files first when there is limited time to analyze a system. Autopsy always runs on the user folders first (if present), since in many situations they are the most likely folders to contain data of interest.
\image html triage/pipelineFolders.png
For a particular scenario, you may know specific file types that you are interested in. For example, if you are only concerned with finding images, you could save time by not analyzing any non-image files. This will allow a system to be processed far faster than if you analyzed every file.
\image html triage/fileFilterImage.png
File filters allow you to limit which types of files will be processed. The \ref file_filters section of the \ref ingest_page page shows how to create a file filter. You can filter on file name/extension, path, or how recently the file was modified. Once saved, your new file filter can be selected when configuring ingest modules.
\image html triage/fileFilter.png
Another way to speed up analysis is to only run some of the ingest modules. For example, if we're only interested in images, there may be no point in running the \ref keyword_search_page or the \ref encryption_page. You can manually select and configure the modules you want to run each time, but since many sessions are similar it may be easier to set up an ingest profile. An ingest profile allows you to store which file filter you want to run, which ingest modules should be enabled, and your configuration for each ingest module. See the \ref ingest_profiles section of the \ref ingest_page page for information on how to set up and use an ingest profile.
\image html triage/ingestProfile.png
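The following is an added illustration, not Autopsy's own code, of the two ideas above: a file filter that keys on extension, path and modification age, and a prioritization pass that puts files under user profile folders ahead of everything else. The `FileFilter`, `FileEntry` and `triage_order` names, the sample file list and the reference time are all constructed for this example and do not correspond to Autopsy internals.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import PureWindowsPath
from typing import Optional

# Constructed reference "now" so the age check is deterministic.
REFERENCE_TIME = datetime(2019, 4, 18, tzinfo=timezone.utc)


@dataclass(frozen=True)
class FileEntry:
    path: str        # path as it appears inside the Windows image (constructed)
    size: int        # bytes
    mtime: datetime  # last modification time, UTC


@dataclass(frozen=True)
class FileFilter:
    """Hypothetical stand-in for an ingest file filter: every rule that is set must match."""
    extensions: frozenset = frozenset()   # lowercase suffixes incl. the dot; empty = any
    path_contains: tuple = ()             # case-insensitive substrings of the directory; empty = any
    max_age: Optional[timedelta] = None   # modified within this window; None = any age

    def matches(self, entry: FileEntry, now: datetime) -> bool:
        p = PureWindowsPath(entry.path)
        if self.extensions and p.suffix.lower() not in self.extensions:
            return False
        parent = str(p.parent).lower()
        if self.path_contains and not any(s.lower() in parent for s in self.path_contains):
            return False
        if self.max_age is not None and now - entry.mtime > self.max_age:
            return False
        return True


def is_user_folder(path: str) -> bool:
    """True when the path lives under a per-user profile (C:\\Users\\<name>\\... or the XP-era folder)."""
    parts = PureWindowsPath(path).parts
    return len(parts) > 2 and parts[1].lower() in ("users", "documents and settings")


def triage_order(entries, flt: FileFilter, now: datetime = REFERENCE_TIME):
    """Apply the filter, then list user-folder files before everything else (stable order)."""
    kept = [e for e in entries if flt.matches(e, now)]
    return [e.path for e in sorted(kept, key=lambda e: 0 if is_user_folder(e.path) else 1)]


# Constructed file metadata standing in for what a file-system walk would produce.
SAMPLE_FILES = [
    FileEntry(r"C:\Users\alice\Pictures\IMG_001.JPG", 2_400_000, datetime(2019, 4, 10, tzinfo=timezone.utc)),
    FileEntry(r"C:\Windows\System32\shell32.dll", 21_000_000, datetime(2018, 1, 1, tzinfo=timezone.utc)),
    FileEntry(r"C:\Temp\backup.zip", 90_000_000, datetime(2019, 4, 17, tzinfo=timezone.utc)),
    FileEntry(r"C:\Users\bob\Downloads\archive.ZIP", 5_000_000, datetime(2016, 5, 5, tzinfo=timezone.utc)),
    FileEntry(r"C:\Users\alice\Documents\notes.txt", 4_000, datetime(2019, 4, 16, tzinfo=timezone.utc)),
    FileEntry(r"C:\ProgramData\cache\thumb.png", 30_000, datetime(2019, 2, 1, tzinfo=timezone.utc)),
]

# Three filters of the kinds the text describes: by extension, by age, by extension plus path.
PICTURES_AND_ZIPS = FileFilter(extensions=frozenset({".jpg", ".jpeg", ".png", ".gif", ".bmp", ".zip"}))
RECENT_WEEK = FileFilter(max_age=timedelta(days=7))
ZIPS_IN_DOWNLOADS = FileFilter(extensions=frozenset({".zip"}), path_contains=("downloads",))

if __name__ == "__main__":
    for name, flt in [("pictures+zips", PICTURES_AND_ZIPS), ("last 7 days", RECENT_WEEK),
                      ("zips in Downloads", ZIPS_IN_DOWNLOADS)]:
        print(name)
        for path in triage_order(SAMPLE_FILES, flt):
            print("   ", path)
```

Note that the age test is relative to a fixed reference time; a real filter compares against the clock at ingest time, so the same filter yields different results on different days.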
\subsection triage_no_image Running on Live Systems and Devices
In a triage situation, there is generally not time to make a full image of the system in question. There are a few ways to process live systems and devices with Autopsy:
<ul>
<li> Devices such as USB drives can be analyzed as local disks without needing to create an image file. See the \ref ds_local section for more details.
<li> A live triage drive can be created that will allow you to run Autopsy from a USB drive on a live system. All case data will be saved to the USB drive with minimal changes to the system being analyzed. See \ref live_triage_page for more details.
<li> Whatever Paladin is
</ul>
With any of these methods there is still the problem that your Autopsy case won't be very useful after you disconnect from the drive. To solve this problem you can choose to make a "sparse VHD" as Autopsy is processing the device. This is a file format used by Microsoft virtual machines that is readable by Windows and other forensic tools. Instead of copying each sector sequentially, sparse VHDs allow us to copy sectors in any order. This lets us copy each sector as Autopsy reads it, so the sparse VHD will contain all of the files that have been processed so far. We will also have the data associated with volumes and file systems since Autopsy has to process those in the course of analyzing the system.
To create a sparse VHD, check the box for "Make a VHD image..." when selecting the disk to analyze.
\image html createVHD.png
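To make the copy-as-you-read idea concrete, here is an added, simplified model (not Autopsy's implementation and not the real VHD on-disk format): every sector the analysis reads from the live device is served through a sparse store, which records it under its LBA; sectors never read stay unallocated and read back as zeros, exactly as an unallocated block in a dynamic VHD does. `LiveDevice`, `SparseCaptureImage`, the 64-sector size and the `READ_ORDER` list are all constructed for this example.

```python
SECTOR_SIZE = 512


class LiveDevice:
    """Constructed stand-in for the attached disk; each sector is a deterministic byte pattern."""

    def __init__(self, total_sectors: int):
        self.total_sectors = total_sectors

    def read_sector(self, lba: int) -> bytes:
        if not 0 <= lba < self.total_sectors:
            raise ValueError(f"LBA {lba} outside device")
        return bytes((lba * 31 + i) % 256 for i in range(SECTOR_SIZE))


class SparseCaptureImage:
    """Sector store filled in whatever order the analysis reads; unread sectors are simply absent."""

    def __init__(self, total_sectors: int):
        self.total_sectors = total_sectors
        self._sectors = {}  # LBA -> copied bytes; only sectors actually read are stored

    def read_through(self, device: LiveDevice, lba: int) -> bytes:
        """Serve the analysis tool's read and keep a copy of the sector in the image."""
        data = device.read_sector(lba)
        self._sectors.setdefault(lba, data)  # first copy wins; a live disk may change underneath
        return data

    def has_sector(self, lba: int) -> bool:
        return lba in self._sectors

    def allocated_lbas(self):
        return sorted(self._sectors)

    def coverage(self) -> float:
        """Fraction of the device that has been copied so far."""
        return len(self._sectors) / self.total_sectors

    def sector(self, lba: int) -> bytes:
        # Like an unallocated block in a dynamic VHD, a never-read sector reads back as zeros.
        return self._sectors.get(lba, bytes(SECTOR_SIZE))


# Constructed access pattern: partition table first, then the sectors of two files of
# interest, then a directory sector. Deliberately not sequential.
READ_ORDER = [0, 40, 41, 42, 10, 11, 3]


def simulate_triage(total_sectors: int = 64, read_order=READ_ORDER) -> SparseCaptureImage:
    """Run the reads through the sparse store, then 'unplug' the device and keep only the image."""
    device = LiveDevice(total_sectors)
    image = SparseCaptureImage(total_sectors)
    for lba in read_order:
        image.read_through(device, lba)
    return image


def image_is_consistent(image: SparseCaptureImage, device: LiveDevice) -> bool:
    """Every copied sector must match the device byte for byte; unallocated sectors are not compared."""
    return all(image.sector(lba) == device.read_sector(lba) for lba in image.allocated_lbas())


if __name__ == "__main__":
    img = simulate_triage()
    print(f"allocated LBAs: {img.allocated_lbas()}  coverage: {img.coverage():.1%}")
    print("sector 20 present:", img.has_sector(20), "-> reads as", img.sector(20)[:8])
```

The point the model makes is that stopping early costs nothing already gained: whatever set of sectors had been read is intact in the image, and a later tool can tell a copied sector from a never-read one by the allocation map rather than by guessing from zero-filled content.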
\section triage_scenarios Scenarios
\subsection triage_scen1 Scenario: Previewing computer for child exploitation material
In this scenario, you are trying to answer whether child exploitation images exist in a knock-and-talk situation where you will have a limited amount of time with the target system.
<b>Preparation at the office:</b>
<ul>
<li> Create a \ref live_triage_page "live triage drive" on your USB drive
<li> Launch Autopsy from that USB drive and create an \ref ingest_profiles "ingest profile" that:
<ul>
<li> Uses a \ref file_filters "file filter" that runs on only picture and ZIP extensions
<li> Runs only the \ref hash_db_page "Hash Lookup Module", \ref EXIF_parser_page, \ref file_type_identification_page, and \ref embedded_file_extractor_page
<li> Uses known child exploitation hash sets, following the instructions in \ref live_triage_hash_db to copy them to the USB drive
</ul>
</ul>
<b>At the house:</b>
<ul>
<li>Start the analysis:
<ul>
<li>Plug the live triage drive you made at the office into their laptop
<li>Launch Autopsy from the .bat file
<li>\ref cases_page "Create a case" (saving to your USB drive)
<li>Add a \ref ds_local "local drive data source"
<ul>
<li>"C:"
<li>Choose to make VHD and keep default location
</ul>
</ul>
<li>As the automated analysis continues:
<ul>
<li>Choose View->File Types->Images in the \ref tree_viewer_page "tree viewer" and review the thumbnails
<li>Wait for hash set hits
<li>Review EXIF files
<li>\ref tagging_page "Tag" any notable files found
</ul>
<li>You can stop the analysis at any time. All data read so far will be in the VHD file.
</ul>
*/