mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-17 10:17:41 +00:00
Code Issues Packages Projects Releases Wiki Activity
autopsy-flatpak/docs/doxygen-user/reporting.dox
Ann Priestman 234048c8e5 Finished STIX, KML, and body file sections
2018-12-14 15:28:49 -05:00

118 lines
4.5 KiB
Plaintext
Raw Blame History

/*! \page reporting_page Reporting
\section reporting_overview Overview
The report modules primarily allow the user to output some or all of the data from a case into a different format. This includes
making an HTML or Excel report containing all the extracted content, keyword hits, etc. from a case, or creating a KML file out
of any coordinates found to load into software like Google Earth.
\image html reports_select.png
The different types of reports will be described below. The majority of the report modules will generate a report file which
will be displayed in the case under the "Reports" node of the tree.
\image html reports_result_viewer.png
If the report type has an associated viewer (such as a web browser for an HTML report), you can double-click the report to open it
in an external application. Alternately you can browse to the "Reports" folder in the case folder and open the report from there.
\image html reports_folder.png
\section report_types Report Types
\subsection report_html HTML Report
\subsection report_excel Excel Report
Generating an Excel report is very similar to HTML reports - you select which tags and data types to export and Autopsy will create a .xlsx file.
\image html reports_excel.png
\subsection report_tagged_hashes Add Tagged Hashes
This is one of the report modules that doesn't generate an actual report. The purpose of this module is to easily add the hashes
of some/all tagged files to an Autopsy hash set that can be used by the \ref hash_db_page. You can use the "Configure Hash Sets" button to create a new
hash set to write to, or use an existing hash set.
\image html reports_hashes_config.png
After running this module, if you use the same hash set on future cases then everything that was tagged with one of the selected tags in this case will
show up as Hashset Hits.
\subsection report_case_uco CASE-UCO
\subsection report_files Files - Text
This report module allows you create a tab delimited text file from all files in the current case. You can select which fields should be exported.
\image html reports_files_config.png
<br>
\image html reports_files_results.png
\subsection report_kml Google Earth KML
This report module generates a KML file from any GPS data in the case. This file can then be used with Google Earth.
\image html reports_kml.png
\subsection report_stix STIX
The STIX module allows you to generate a report and Interesting File artifacts by running a STIX file (or files) against the data sources in the case.
For more information see the \ref stix_page page.
\subsection report_body_file TSK Body File
This module generates a <a href="https://wiki.sleuthkit.org/index.php?title=Body_file">TSK Body File</a> from the files in your case, which looks similar to the following:
<pre>7ff498a44e45e77374cc7c962b1b92f2|/img_image1.vhd/vol_vol2/$UpCase|10|rr-xr-xr-x|0|0|131072|1498757218|1498757218|1498757218|1498757218
d41d8cd98f00b204e9800998ecf8427e|/img_image1.vhd/vol_vol2/$Volume|3|rr-xr-xr-x|48|0|0|1498757218|1498757218|1498757218|1498757218
43fffda5c5edd8e9c647f1df476717de|/img_image1.vhd/vol_vol2/0000/0000_a.txt|63|rrwxrwxrwx|0|0|11|1498757454|1498176989|1498757454|1498757454
411c8024a7c38ee3843ba8a07d048ec2|/img_image1.vhd/vol_vol2/0000/0000_b.txt|64|rrwxrwxrwx|0|0|11|1498757454|1498176990|1498757454|1498757454
fcc958c5096889a222785ddb8c4bff80|/img_image1.vhd/vol_vol2/0000/0000_c.txt|65|rrwxrwxrwx|0|0|11|1498757454|1498176990|1498757454|1498757454
b7cde263cc1b5df5a13aeec742637a89|/img_image1.vhd/vol_vol2/0000/0000_d.txt|66|rrwxrwxrwx|0|0|11|1498757454|1498176990|1498757454|1498757454</pre>
Reporting
To create a report, go to "Tools", "Generate Report". You can choose several different types of reports. We will go through the HTML report here.
\image html generate-report-1.PNG
<br>
When you have selected a report type, choose between
- All Results
- Tagged Results
<br>
\image html generate-report-2.PNG
<br>
If you select All Results, you can choose the Data Types (Artifact Types) you would like included.
<br>
\image html generate-report-3.PNG
<br>
If you select Tagged Results, you can choose the tags you would like included.
<br>
\image html generate-report-4.PNG
<br>
<br>
In our case, an HTML report is generated.
<br>
<br>
<b>All Results HTML Report:</b>
<br>
\image html generate-report-5.PNG
<br>
<br>
<b>Tagged Results HTML Report:</b>
<br>
\image html generate-report-6.PNG
<br>
There are other types of reports to choose, but they operate on the same principle. Select either All Results or Tagged results to include.
<br>
*/
Reference in New Issue View Git Blame Copy Permalink