mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-06 21:00:22 +00:00
Code Issues Packages Projects Releases Wiki Activity
autopsy-flatpak/docs/doxygen/design.dox
adam-m d4989dde08 doc updates
2012-07-05 13:08:02 -04:00

103 lines
5.7 KiB
Plaintext
Raw Blame History

/*! \page design_page General Design
\section design_overview Overview
This section outlines Autopsy design from the typical analysis work flow perspective.
A typical Autopsy work flow consists of the following steps:
- Wizards are used to create a case and add images (org.sleuthkit.autopsy.casemodule),
- TSK database is created,
- Ingest modules are executed (org.sleuthkit.autopsy.ingest),
- Ingest modules post results to the blackboard and ingest inbox,
- Directory tree displays blackboard contents,
- Data is encapsulated into nodes and passed to table and content viewers,
- Reports can be generated.
\subsection design_overview_sub1 Creating a case
The first step in Autopsy work flow is creating a case.
User is guided with the case creation wizard to enter the case name, base directory and optional case information.
Autopsy creates the case directory (named after the case name), where all the case data is stored.
An empty TSK database is created and initialized.
For more information on the case module refer to the org.sleuthkit.autopsy.casemodule documentation.
\subsection design_overview_sub2 Adding an image
After case is created, one or more disk images can be added to the case, using the Add Image Wizard.
The process invokes internally the native sleuthkit library.
The library reads the image and populates the TSK database with the image meta-data.
For more information on the add image internals, refer to org.sleuthkit.autopsy.casemodule documentation.
\subsection design_overview_sub4 Running ingest modules
After image has been added to the case, user can select one or more ingest modules to be executed on the image.
Most ingest modules can be configured before the run using simple or advanced configuration panels (or both).
The work of ingest services is performed in the background and ingest progress is indicated by progress bars.
Autopsy provides ingest module framework in the ingest package and custom modules can be developed and added to Autopsy.
For more information refer to the org.sleuthkit.autopsy.ingest package documentation and ingest.dox
\subsection design_overview_sub5 Ingest modules posting results
Ingest services, when running, produce data and write the data to the blackboard
in form of blackboard artifacts and associated blackboard attributes.
The services notify listeners of the availability of the data.
The default listener is the Autopsy directory tree UI component.
The component displays data currently saved in the blackboard and it also
refreshes the data view in real-time in response to service events.
Ingest services post interesting messages about the incoming data to Ingest Inbox.
\subsection design_overview_sub6 Result viewers (directory tree, table viewers, content viewers)
The directory tree (in the left-hand panel of the Autopsy viewer)
is the results viewer for the results saved in the database during ingest process.
The component is by default registered with the ingest manager as an ingest event listener.
The viewer first loads all the viewer-supported data currently in the blackboard when Autopsy starts.
During the ingest process the viewer receives events from ingest services
(relayed by ingest manager) and it selectively refreshes parts of the tree providing real-time updates to the user.
When ingest is completed, the viewer responds to the final ingest data event generated by the ingest manager,
and performs a final refresh of all viewer-supported data in the blackboard.
Data presented is encapsulated in node objects (org.openide.nodes.Node) before it is displayed in the UI.
Nodes use property sheets to encapsulate data (blackboard attributes) and are modeled in a parent-child hierarchy with other nodes.
The hierarchy is used to visually represent the data and to trigger child node updates when the parent node is selected.
Node child factories are invoked by the Netbeans framework at the time of parent node selection to populate and refresh the child node view.
User normally initiates result navigation in the directory tree.
When a node is selected, it is passed in to the table result viewer (top-right).
When a node is selected in the table result viewer, it is passed in to the content viewers (bottom-right).
Node content support capabilities are registered in the node's Lookup.
Multiple content viewers (such as strings, hex, extracted text, media) can support the node content.
If multiple content viewers are supported, a preferred (default) content viewer is chosen.
For more information refer to org.sleuthkit.autopsy.corecomponents, org.sleuthkit.autopsy.corecomponentsinterfaces
and org.sleuthkit.autopsy.directorytree
\subsection design_overview_sub7 Report generation
When ingest is complete, user can generate reports (user can generate reports also during ingest - such report might not contain all results).
There are several types of reports implemented as submodules that are shipped with Autopsy core: generic html, xml and Excel reports.
Each reporting submodule implements org.sleuthkit.autopsy.report.ReportModule interface and registers itself in layer.xml
Reporting submodule typically interacts with 3 components:
- org.sleuthkit.autopsy.report.ReportConfiguration - to read current reporting configuration set by the user,
- Blackboard API in org.sleuthkit.datamodel.SleuthkitCase class - to traverse and read blackboard artifacts and attributes,
- an API (possibly external/thirdparty API) to convert blackboard artifacts data structures to the desired reporting format.
Autopsy reporting module is present in org.sleuthkit.autopsy.report package.
Please refer to report.dox and org.sleuthkit.autopsy.report package API documentation for more details on how to implement a custom reporting submodule.
*/
Reference in New Issue View Git Blame Copy Permalink