autopsy-flatpak/docs/doxygen-user/uilayout.dox

/*! \page uilayout_page UI Layout


<br>
\section ui_overview Overview

The major areas in the Autopsy User Interface (UI) are:
- \ref ui_tree, shown outlined in green below
- \ref ui_results, shown outlined in blue below
- \ref ui_content, shown outlined in red below
- \ref ui_keyword, shown outlined in yellow below
- \ref ui_status, shown in solid purple below

\image html ui-layout-1.PNG

<br>
<br>
<br>
\section ui_tree Tree Viewer
\subpage tree_viewer_page "More..."
<br>


The tree on the left-hand side is where you can browse the files in the image and find saved results from automated procedures (ingest). The tree has five main areas:
- <b>Data Sources:</b> This shows the directory tree hierarchy of the file systems in the images. You can navigate to a specific file or directory here. Each data source added is represented as a drive. If you add a data source multiple times, it shows up multiple times.
- <b>Views:</b> Specific types of files from the data sources are shown here, aggregated by type or other properties. Files here can come from more than one data source. Look here for files of a specific type or property.
- <b>Results:</b> Where you can see the results from the background ingest tasks and you can see your previous search results. Go here to see what was found by the ingest modules and to find your previous search results.
- <b>Tags:</b> Where files and results that have been \ref tagging_page "tagged" are shown
- <b>Reports:</b> References to reports that you have generated or that ingest modules have created show up here

You can also use the "Group by Data Source" option at the upper left of the tree display to move the views, results, and tags subtrees under their corresponding data sources. This can be helpful on very large cases to reduce the size of each node.

\image html ui_layout_group_tree.PNG

\subsection ui_tree_ds Data Sources

The Data Sources section shows each data source that has been added to the case, in order added (top one is first).
Right clicking on the various nodes in the Data Sources section of the tree will allow you to get more options for each data source and its contents. 

Unallocated space is chunks of the file system that is currently not being used for anything. Unallocated space can store deleted files and other interesting artifacts. On the actual image, Unallocated space is stored in blocks with distinct locations on the system. However, because of the way various carving tools work, it is more ideal to feed them a single, large unallocated file. Autopsy provides access to both methods of looking at unallocated space.
\li <b>Individual blocks in a volume</b>  There is a folder named "Unalloc". This folder contains all the individual unallocated blocks as the image is storing them. You can right click and extract them the same way you can extract any other type of file in the Directory Tree.
\li <b>Single files</b>  Right click on a volume and select "Extract Unallocated Space as Single File" to concatenate all the unallocated files in the volume into a single, continuous file. (If desired, you can right click on an image, and select "Extract Unallocated Space to Single Files" which will do the same thing, but once for each volume in the image).

An example of the single file extraction option is shown below.
\image html extracting-unallocated-space.PNG

\subsection ui_tree_views Views

Views filter all the files in the case by some external property of the file, not by any internal analysis of the file. 
- <b>File Type</b>  Sorts files by file extension or MIME type, and shows them in the appropriate group. For example, .mp3 and .wav both end up in the "Audio" group. 
- <b>Recent Files</b>  Displays files that are accessed within the last seven days the user had the device.
- <b>Deleted Files</b>  Displays files that have been deleted but the names have been recovered.
- <b>File Size</b>  Sorts files based upon size. This can give you an idea where to look for files you are interested in.


\subsection ui_tree_results Results
- <b>Extracted Content:</b> Many ingest modules will place results here; EXIF data, GPS locations, or Web History for example
- <b>Keyword Hits:</b> Keyword search hits show up here
- <b>Hashset Hits:</b> Hashset hits show up here 
- <b>E-Mail Messages:</b> Email messages show up here
- <b>Interesting Items:</b> Things deemed interesting show up here
- <b>Accounts:</b> Credit card accounts show up here
- <b>Tags:</b> Any item you tag shows up here so you can find it again easily

\subsection ui_tree_reports Reports

Reports can be added by \subpage ingest_page or created using the \subpage reporting_page tool.

<br>
<br>
<br>
\section ui_results Result Viewer
\subpage result_viewer_page "More..."
<br>

The Result Viewer windows are in the upper right area of the interface and display the results from selecting something in the tree. You will have the option to display the results in a variety of formats.

\subsection right_click_functions Right Click Functions
Viewers in Result Viewers have certain right-click functions built-in into them that can be accessed when a node a certain type is selected (a file, directory or a result).
Here are some examples that you may see:
\li Open File in External Viewer: Opens the selected file in an "external" application as defined by the local OS or through the External Viewer tab on the Options menu. For example, HTML files may be opened by IE or Firefox, depending on what the local system is configured to use.
\li View in New Window: Opens the content in a new internal Content Viewer (instead of in the default location in the lower right).
\li Extract: Make a local copy of the file or directory for further analysis.
\li Search for files with the same MD5 Hash: Searches the entire file-system for any files with the same MD5 Hash as the one selected.

\subsection thumbnail_result_viewer Thumbnail Result Viewers
Thumbnail Results Viewer displays the data catalog as a table of thumbnail images in adjustable sizes. This viewer only supports picture files (Currently, only supports JPG, GIF, and PNG formats). Click the Thumbnail tab to select this view. Note that for a large number of images in a directory selected in the Data Explorer, or for a View selected that contains a large number of images, it might take a while to populate this view for the first time before the images are cached.

<b>Example</b>\n
Below is an example of "Thumbnail Results Viewer" window:
\image html thumbnail-result-viewer-tab.PNG

\subsection table_result_viewer Table Result Viewers
Table Results Viewer (Directory Listing) displays the data catalog as a table with some details (properties) of each file. The properties that it shows are: name, time (modified, changed, accessed, and created), size, flags (directory and meta), mode, user ID, group ID, metadata address, attribute address, and type (directory and meta). Click the Table Viewer tab to select this view.

The Results Viewer can be also activated for saved results and it can show a high level results grouped, or a results at a file level, depending on which node on the Directory Tree is selected to populate the Table Results Viewer.

<b>Example</b>\n
Below is an example of a "Table Results Viewer" window:
\image html table-result-viewer-tab.PNG 

<br>
<br>
<br>
\section ui_content Content Viewer
\subpage content_viewer_page "More..."
<br>

The Content Viewer area is in the lower right area of the interface. This area is used to view a specific file in a variety of formats. There are different tabs for different viewers. Not all tabs support all file types, so only some of them will be enabled. To display data in this area, a file must be selected from the Result Viewer window.

The Content Viewer area is part of a plug-in framework. You can install modules that will add more viewer types. This section describes the viewers that come by default with Autopsy.

\subsection result_content_viewers Result Content Viewer
Content Viewer shows the artifacts (saved results) associated with the item selected in the Result Viewer.

<b>Example</b>
Below is an example of "Result Content Viewer" window:
\image html result-viewer-example-1.PNG

\subsection hex_content_viewer Hex Content Viewer
Hex Content Viewer shows you the raw and exact contents of a file. In this Hex Content Viewer, the data of the file is represented as hexadecimal values grouped in 2 groups of 8 bytes, followed by one group of 16 ASCII characters which are derived from each pair of hex values (each byte). Non-printable ASCII characters and characters that would take more than one character space are typically represented by a dot (".") in the following ASCII field.

<b>Example</b> \n
Below is an example of "Hex Content Viewer" window:
\image html hex-content-viewer-tab.PNG

\subsection media_content_viewer Media Content Viewer

The Media Content Viewer will show a picture or video file. Video files can be played and paused. The size of the picture or video will be reduced to fit into the screen. If you want more complex analysis of the media, then you must export the file.

If you select an non-picture file or an unsupported picture format on the "Result Viewers", this tab will be disabled.

<b>Example</b> \n
Here's one of the example of the "Media Content Viewer":
\image html picture-content-viewer-tab.PNG

\subsection string_content_viewer String Content Viewer
    
The String Content Viewer scans (potentially binary) data of the file / folder and searches it for data that could be text. When appropriate data is found, the String Content Viewer shows data strings extracted from binary, decoded, and interpreted as UTF8/16 for the selected script/language.

Note that this is different from the Text Content Viewer, which displays the text for a file that is stored in the keyword search index. The results may be the same or they could be different, depending how the data is interpreted by the indexer.

<b>Example</b> \n
Below is an example of "String Content Viewer" window:
\image html string-content-viewer-tab.PNG

\subsection text_content_viewer Text Content Viewer

Text Content Viewer uses the keyword search index that may have been populated during Image Ingest. If a file has text stored in the index, then this tab will be enabled and it will be displayed to the user if a file or a result associated with a file is selected.

This tab may have more text on it than the "String View", which relies on searching the file for text-looking data. Some files, like PDF, will not have text-looking data at the byte-level, but the keyword indexing process knows how to interpret a PDF file and produce text. For the files the indexer knows about, there may be the METADATA section at the end of the displayed extracted text. If an indexed document contains any metadata (such as creation date, author, etc), it will be displayed there. Note that, unlike the "String View", the Text View does not have its built-in settings for the script/language to use for extracted strings. This is because the script/language is used at indexing time, and that setting is associated with the Keyword Search indexer, not the viewer.

If this tab is not enabled, then either the file has no text or you did not enable Keyword Search as an ingest module. Note that this viewer is also used to display highlighted keyword hits when operated in the "Search Matches" mode, selected on the right-hand side of the viewer's toolbar.
 
\image html text-view.PNG


<br>
<br>
<br>
\section ui_keyword Keyword Search
Keyword Search allows the user to search for keywords in the data source. It is covered in more detail here: \subpage keyword_search_page
<br>
<br>
<br>
\section ui_status Status Area
The Status area will show progress bars while ingest is occuring. This visually indicates to the user what portion of the processing is already complete. The user can click on the progress bars to see further detail or to cancel ingest jobs.
<br>

*/