mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-06 21:00:22 +00:00
Code Issues Packages Projects Releases Wiki Activity
autopsy-flatpak/docs/doxygen-user/live_triage.dox

49 lines
2.3 KiB
Plaintext
Raw Blame History

/*! \page live_triage_page Creating a Live Triage Drive
[TOC]
\section live_triage_overview Overview
The Live Triage feature allows you to load Autopsy onto a removable drive to run on target systems while making minimal changes to that target system. This will currently only work on Windows systems.
\section live_triage_create_drive Creating a live triage drive
To create a live triage drive, go to Tools->Make Live Triage Drive to bring up the main dialog.
\image html live_triage_dialog.png
Select the drive you want to use - any type of USB storage device will work. For best results use the fastest drive available. Once the process is complete the root folder will contain an Autopsy folder and a RunFromUSB.bat file.
\section live_triage_usage Running Autopsy from the live triage drive
Insert the drive into the target machine and browse to it in Windows Explorer. Right click on RunFromUSB.bat and select "Run as administrator". This is necessary to analyze the local drives.
\image html live_triage_script.png
Running the script will generate a few more directories on the USB drive. The configData directory stores all the data used by Autopsy - primarily configuration files and temporary files. You can make changes to the Autopsy settings and they will persist between runs. The cases directory is created as a recommended place to save your case data. You will need to browse to it when creating a case in Autopsy.
Once Autopsy is running, proceed to create a case as normal, making sure to save it on the USB drive.
\image html live_triage_case.png
Then choose the Local Disk data source and select the desired drive.
\image html live_triage_ds.png
See the \ref ds_local page for more information on local disk data sources.
\section live_triage_hash_db Using hash sets
Follow these steps to import a hash set to use with the \ref hash_db_page :
<ol>
<li> Run Autopsy from the live triage drive, as described earlier
<li> Go to Tools->Options and then the "Hash Set" tab
<li> Import the hash set as normal (using a "Local" destination) but check the "Copy hash set into user configuration folder" option at the bottom
\image html live_triage_import_hash.png
</ol>
This will allow the hash set to be used regardless of the drive letter assigned to the live triage drive.
*/
Reference in New Issue View Git Blame Copy Permalink