mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-08 14:19:32 +00:00
Code Issues Packages Projects Releases Wiki Activity
autopsy-flatpak/docs/doxygen-user/portable_case.dox
Ann Priestman 0cbdf35957 Fixes from review.
2019-03-11 11:40:24 -04:00

48 lines
3.3 KiB
Plaintext
Raw Blame History

/*! \page portable_case_page Portable Cases
\section portable_case_overview Overview
A portable case is a partial copy of a normal Autopsy case that can be opened from anywhere. The general use case is as follows:
<ol>
<li>Alice is analyzing one or more data sources using Autopsy. She tags files and results that are of particular interest.
<li>Alice wants to share her findings with Bob but is unable to send him the original data sources.
<li>Alice creates a portable case which will contain only her tagged files and results, plus any files associated with those results, and sends it to Bob.
<li>Bob can open the portable case in Autopsy and view all files and results Alice tagged, and run any of the normal Autopsy features.
</ol>
For example, Alice's original case could look like this:
\image html portable_case_original_version.png
The portable version could like this:
\image html portable_case_portable_version.png
Alice only tagged eight files and results, so most of the original content is no longer in the case. Some of the data sources had no tagged items so they're not included at all. The file structure of any tagged files is preserved - you can see that the tagged image in the screenshot is still in the same location, but the non-tagged files are gone. Note that although the original images (such as "image1.vhd") appear in the tree, their contents are not included in the portable case.
\section portable_case_creation Creating a Portable Case
First you'll want to make sure that all the files and results you want included in the portable case are tagged - see the \ref tagging_page page for more details.
You can see what tags you've added in the \ref tree_viewer_page.
\image html portable_case_tags.png
Portable cases are created through the \ref reporting_page feature. The Generate Report dialog will display a list of all tags that are in use in the current case and you can choose which ones you would like to include. At the bottom you can select the output folder for the new case. By default it will be placed in the "Reports" folder in the current case.
\image html portable_case_report_panel.png
Here you can see the new portable case. It will be named with the original case name plus "(Portable)". The portable case is initially missing many of the normal Autopsy folders - these will be created the first time a user opens it. The portable case folder can be zipped and sent to a different user.
\image html portable_case_folder.png
\section portable_case_usage Using a Portable Case
Portable cases generally behave like any other Autopsy case. You can run ingest, do keyword searches, use the timeline viewer, etc. One point to note is that while the original data source names appear in the case, the data sources themselves were not copied into the portable case.
\image html portable_case_empty_image.png
This may cause warning or error messages when using ingest modules that run on the full image, such as the \ref data_source_integrity_page. You will also not be able to view the data sources in the content viewer.
You can also add additonal data sources to the portable case if you wish. The case will no longer be portable, but if desired you could generate a new portable case that will include tagged files and results from the new data sources as well as the original case.
*/
Reference in New Issue View Git Blame Copy Permalink