mirror of
https://github.com/overcuriousity/autopsy-flatpak.git
synced 2025-07-06 21:00:22 +00:00
22 lines
1.8 KiB
Plaintext
22 lines
1.8 KiB
Plaintext
/*! \page data_source Data Source
|
|
\section about_data_source About Data Sources
|
|
Autopsy supports 3 types of data sources that can be added to the Case:
|
|
\li Disk Image (raw, Encase, etc). "Image" refers to a byte-for-byte copy of a hard drive or other storage media.
|
|
\li Disk Device (physical or logical disk partition, plugged in the user machine and detected by Autopsy). Note: to correctly detect all devices, Autopsy needs to run as Administrator.
|
|
\li Logical Files (files and folders on the user machine file system)
|
|
User needs to select the data source type from the pull down menu in the Add Data Source wizard.
|
|
To analyze a Data Source, user should use the Add Data Source Wizard to add it to a case.
|
|
Autopsy populates an embedded database for each data source (image, disk device, logical files) that it imports. This database is a SQLite database and it contains all of the file system metadata from the input data source. The database is stored in the case directory, but the data source will stay in its original location. The data source must remain accessible for the duration of the analysis because the database contains only basic file system information (meta-data, not the actual content). The image / files are needed to retrieve file content.
|
|
\section supported_image_formats Supported Image Formats
|
|
Currently, Autopsy supports these image formats:
|
|
\li Raw Single (For example: *.img, *.dd, *.raw, etc)
|
|
\li Raw Split (For example: *.001, *.002, *.aa, *.ab, etc)
|
|
\li EnCase (For example: *.e01, *e02, etc)
|
|
\section adding_a_data_source_subsection Adding a Data Source
|
|
\subpage adding_a_data_source There are two ways to add an data source to the currently opened case.
|
|
\section removing_a_data_source Removing a Data Source
|
|
You cannot currently remove an data source from a case.
|
|
|
|
|
|
|
|
*/ |