mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-06 21:00:22 +00:00
Code Issues Packages Projects Releases Wiki Activity
autopsy-flatpak/docs/QuickStartGuide/index.html
adam-m 129acbef95 fix quick guide typo
2013-06-04 20:46:52 -04:00

219 lines
13 KiB
HTML
Raw Blame History

<html>
<head>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<style>
h1 { font-size: 145%; color: #666666; }
h2 { font-size: 120%; color: #666666; }
</style>
<title>Autopsy 3 Quick Start Guide</title>
</head>
<body>
<p align="center" style="font-size: 145%;"><strong>Autopsy 3 Quick Start Guide</strong></p>
<p align="center" style="font-size: 120%;">June 2012</p>
<p align="center"><a href="http://www.sleuthkit.org/autopsy/">www.sleuthkit.org/autopsy/</a></p>
<h1>Installation</h1>
<p>
The current version of Autopsy 3 runs only on Microsoft Windows.
We have gotten it to run on other platforms, such as Linux and OS X, but we do not have it in a state that makes it easy to distribute and find the needed libraries.
</p>
<p>
The Windows installer will make a directory for Autopsy and place all of the needed files inside of it.
The installer includes all dependencies, including Sleuth Kit and Java.
</p>
<p>Note that Autopsy 3 is a complete rewrite from Autopsy 2 and none of this document is relevant to Autopsy 2.</p>
<h1>Adding a Data Source (image, local disk, logical files)</h1>
<p>
Data sources are added to a <strong>case</strong>. A case can have a single data source or it can have multiple data source if they are related.
Currently, a single report is generated for an entire case, so if you need to report on individual data sources, then you should use one data source per case.
</p>
<h2>Creating a Case</h2>
<p>
To create a case, use either the &quot;Create New Case&quot; option on the Welcome screen or from the &quot;File&quot; menu.
This will start the <strong>New Case Wizard</strong>. You will need to supply it with the name of the case and a directory to store the case results into.
You can optionally provide case numbers and other details.
</p>
<h2>Adding a Data Source</h2>
<p>
The next step is to add input data source to the case.
The <strong>Add Data Source Wizard</strong> will start automatically after the case is created or you can manually start it from the &quot;File&quot; menu or toolbar.
You will need to choose the type of input data source to add (image, local disk or logical files and folders).
Next, supply it with the location of the source to add.
</p>
<ul>
<li>For image, point to location of disk image on your system. Autopsy currently supports E01 and raw (dd) files.
For multi-part/split images, you will need to specify only the first file in an image set (i.e. the E01 file) and Autopsy will find the rest of the files.
</li>
<li>
For local disk, select one of the detected disks.
Autopsy will add the current view of the disk to the case (i.e. snapshot of the meta-data).
However, the individual file content (not meta-data) does get updated with the changes made to the disk.
Note, you may need run Autopsy as an Administrator to detect all disks.
</li>
<li>For logical files, add one or more local files or folders on your system.</li>
</ul>
<p>
It may take a few minutes to add the data source to the case.
During this time, an internal database is being created of the file system contents.
</p>
<p>
There are a couple of options in the wizard that will allow you to make the ingest process faster.
These typically deal with deleted files.
It will take longer if unallocated space is analyzed and the entire drive is searched for deleted files.
In some scenarios, these recovery steps must be performed and in other scenarios these steps are not needed and instead fast results on the allocated files are needed.
Use these options to control how long the analysis will take.
</p>
<h2>Ingest Modules</h2>
<p>
You will next be prompted to configure the Ingest Modules.
Ingest modules will run in the background and perform specific tasks.
The Ingest Modules analyze files in a prioritized order so that files in a user's directory are analyzed before files in other folders.
Ingest modules can be developed by third-parties and here are some of the standard ingest modules that come with Autopsy:
</p>
<ul>
<li><strong>Recent Activity</strong>
extracts user activity as saved by web browsers and the OS.
</li>
<li><strong>Hash Lookup</strong>
uses hash databases to ignore known files from the NIST NSRL and flag known bad files.
Use the "Advanced" button to configure the hash databases to use during this process.
You will get updates on known bad file hits as the ingest occurs.
</li>
<li><strong>Keyword Search</strong>
uses keyword lists to identify files with specific words in them.
You can select the keyword lists to search for automatically and you can create new lists using the "Advanced" button.
Note that with keyword search, you can always conduct searches after ingest has finished.
The keyword lists that you select during ingest will be searched for at periodic intervals and you will get the results in real-time.
You do not need to wait for all files to be indexed.
</li>
</ul>
<p>
When you select a module, you will have the option to change its settings.
For example, you can configure which keyword search lists to use during ingest and which hash databases to use.
Refer to the help system inside of Autopsy for details on configuring each module.
</p>
<p>
When selecting the ingest modules, you will also need to choose the update frequency.
This setting configures how often you will get updates from the ingest modules when they are running in the background.
The more frequent the updates, the longer the overall process will take.
</p>
<p>
While ingest modules are running in the background, you will see a progress bar in the lower right.
You can use the GUI to review incoming results and perform other tasks while ingest at that time.
</p>
<h1>Analysis Basics</h1>
<img src="screenshot.png" alt="Autopsy Screenshot" />
<p>You will start all of your analysis techniques from the tree on the left.</p>
<ul>
<li>The Data Sources root node shows all data in the case.</li>
<li>The individual image nodes show the file system structure of the disk images or local disks in the case.</li>
<li>The LogicalFileSet nodes show the logical files in the case.</li>
<li>The Views node shows the same data from a file type or timeline perspective.</li>
<li>The Results node shows the output from the ingest modules.</li>
</ul>
<p>
When you select a node from the tree on the left, a list of files will be shown in the upper right.
You can use the Thumbnail view in the upper right to view the pictures.
When you select a file from the upper right, its contents will be shown in the lower right.
You can use the tabs in the lower right to view the text of the file, an image, or the hex data.
</p>
<p>
If you are viewing files from the Views and Results nodes, you can right-click on a file to go to its file system location.
This feature is useful to see what else the user stored in the same folder as the file that you are currently looking at.
You can also right click on a file to extract it to the local system.
</p>
<p>
If you want to search for single keywords, then you can use the search box in the upper right of the program.
The results will be shown in a table in the upper right.
</p>
<h2>Ingest Inbox</h2>
<p>
As you are going through the results in the tree, the ingest modules are running in the background.
The results are shown in the tree as soon as the ingest modules find them and report them.
</p>
<p>
The Ingest Inbox receives messages from the ingest modules as they find results.
You can open the inbox to see what has been recently found.
It keeps track of what messages you have read.
</p>
<p>
The intended use of this inbox is that you can focus on some data for a while and then check back on the inbox at a time that is convenient for them.
You can then see what else was found while you were focused on the previous task.
You may learn that a known bad file was found or that a file was found with a relevant keyword and then decide to focus on that for a while.
</p>
<p> When you select a message, you can then jump to the Results tree where more details can be found or jump to the file's location in the filesystem.</p>
<h1>Example Use Cases</h1>
<p>In this section, we will provide examples of how to do common analysis tasks.</p>
<h2>Web Artifacts</h2>
<p>
If you want to view the user's recent web activity, make sure that the Recent Activity ingest module was enabled.
You can then go to the &quot;Results &quot; node in the tree on the left and then into the &quot;Extracted Data&quot; node.
There, you can find bookmarks, cookies, downloads, and history.
</p>
<h2>Known Bad Hash Files</h2>
<p>
If you want to see if the data source had known bad files, make sure that the Hash Lookup ingest module was enabled.
You can then view the &quot;Hashset Hits&quot; section in the &quot;Results&quot; area of the tree on the left.
Note that hash lookup can take a long time, so this section will be updated as long as the ingest process is occurring.
Use the Ingest Inbox to keep track of what known bad files were recently found.
</p>
<p>
When you find a known bad file in this interface, you may want to right click on the file to also view the file's original location.
You may find additional files that are relevant and stored in the same folder as this file.
</p>
<h2>Media: Images and Videos</h2>
<p>
If you want to see all images and video on the disk image, then go to the &quot;Views&quot; section in the tree on the left and then &quot;File Types&quot;.
Select either &quot;Images&quot; or &quot;Videos&quot;.
You can use the thumbnail option in the upper right to view thumbnails of all images.
</p>
<ul class="note">
<li><strong>Note</strong>:
We are working on making this more efficient when there are lots of images and we are working on the feature to display video thumbnails.
</li>
</ul>
<p>You can select an image or video from the upper right and view the video or image in the lower right. Video will be played with sound.</p>
<h1>Reporting</h1>
<p>
A final report can be generated that will include all analysis results.
Use the &quot;Generate Report&quot; button to create this.
It will create an HTML or XLS report in the Reports folder of the case folder.
If you forgot the location of your case folder, you can determine it using the &quot;Case Properties&quot; option in the &quot;File&quot; menu.
There is also an option to export report files to a separate folder outside of the case folder.
</p>
<hr>
<p><i>Copyright &#169; 2012 Basis Technology.</i></p>
<p><i>
This work is licensed under a
<a rel="license" href="http://creativecommons.org/licenses/by-sa/3.0/us/">Creative Commons Attribution-Share Alike 3.0 United States License</a>.
</i></p>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink