2012-09-28 22:07:43 -04:00


<html>
<head>
<style>
h1 { font-size: 145%; color: #666666; text-align: left; }
h2 { font-size: 120%; color: #666666; text-align: left; }
body {
line-height: 1.25;
font-family: Helvetica, Tahoma, Arial, sans-serif;
}
</style>
<title>Autopsy 3 Quick Start Guide</title>
</head>
<body>
<div align=center style="font-size: 145%; font-weight: bold">Autopsy 3 Quick Start Guide</div><br />
<div align=center style="font-size: 110%">June 2012</div> <br />
<div align=center><a href="http://www.sleuthkit.org/autopsy/">www.sleuthkit.org/autopsy/</a></div>
<h1>Installation</h1>
<p >The current version of Autopsy 3 runs only on Microsoft Windows.
We have gotten it to run on other platforms, such as Linux and OS X, but we do not have it in a state that makes it easy to distribute and find the needed libraries. </p>
<p>The Windows installer will make a directory for Autopsy and place all of the needed files inside of it.
The installer includes all dependencies, including Sleuth Kit and Java.</p>
<p>Note that Autopsy 3 is a complete rewrite from Autopsy 2 and none of this document is relevant to Autopsy 2.</p>
<h1>Adding a Disk Image</h1>
<p>Disk images are added to a <b>case</b>. A case can have a single
image or it can have multiple images if they are related. Currently,
a single report is generated for an entire case, so if you need to
report on individual images, then you should use one image per case.
</p>
<h2>Creating a Case</h2>
<p>To create a case, use the &quot;Create New Case&quot; option on
the Welcome screen or in the &quot;File&quot; menu. This will start the <b>New Case
Wizard</b>. You will need to supply it with the name of the case and a
directory in which to store the case results. You can optionally provide case
numbers and other details. </p>
<h2>Adding an Image</h2>
<p>The next step is to add a disk image to the case. The <b>Add
Image Wizard</b> will start automatically after the case is created
or you can manually start it from the &quot;File&quot; menu or
toolbar. You will need to supply it with the location of the disk
image to add. Autopsy currently supports E01 and raw (dd) files.
You need to specify only the first file in an image set (i.e. the
E01 file) and Autopsy will find the rest of the files.</p>
<p>It may take a few minutes to add the disk image. During this
time, an internal database is being created of the file system
contents. </p>
<p>There are a couple of options in the wizard that allow you
to make the ingest process faster. These typically deal with deleted
files: ingest takes longer if unallocated space is analyzed and
the entire drive is searched for deleted files. In some scenarios
these recovery steps must be performed; in others they are not
needed and fast results on the allocated files are what matters.
Use these options to control how long the analysis
will take.</p>
<h2>Ingest Modules</h2>
<p>You will next be prompted to configure the Ingest Modules. Ingest
modules will run in the background and perform specific tasks. The
Ingest Modules analyze files in a prioritized order so that files
in a user's directory are analyzed before files in other folders.
Ingest modules can be developed by third-parties and here are some
of the standard ingest modules that come with Autopsy:</p>
<ul>
<li><b>Recent Activity</b> extracts user activity as saved by web browsers and the OS.</li>
<li><b>Hash Lookup</b> uses hash databases to ignore known files from the NIST NSRL and flag known bad files. Use the "Advanced" button to configure the hash databases to use during this process. You will get updates on known bad file hits as the ingest occurs.</li>
<li><b>Keyword Search</b> uses keyword lists to identify files with specific words in them. You can select the keyword lists to search for automatically and you can create new lists using the "Advanced" button. Note that with keyword search, you can always conduct searches after ingest has finished. The keyword lists that you select during ingest will be searched for at periodic intervals and you will get the results in real-time. You do not need to wait for all files to be indexed. </li>
</ul>
<p>When you select a module, you will have the option to change its settings.
For example, you can configure which keyword search lists to use during ingest
and which hash databases to use. Refer to the help system inside of Autopsy
for details on configuring each module.</p>
<p>When selecting the ingest modules, you will also need to choose
the update frequency. This setting configures how often you will
get updates from the ingest modules when they are running in the
background. The more frequent the updates, the longer the overall
process will take. </p>
<p>While ingest modules are running in the background, you will see a progress
bar in the lower right. You can use the GUI to review incoming results
and perform other tasks while ingest is still running. </p>
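<p>The following is an added illustration (not Autopsy's own code) of what the Hash Lookup module and the prioritized ingest ordering described above do: files under a user directory are processed first, each file's MD5 is checked against a known-file set (standing in for the NSRL) and a known-bad set, and every known-bad hit produces an inbox-style message. The file contents and both hash sets are constructed for the example.</p>

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample "file system" (path -> contents); not a real disk image.
FILES: Dict[str, bytes] = {
    "Windows/System32/kernel32.dll": b"known OS binary",
    "Users/alice/Documents/notes.txt": b"meeting notes",
    "Users/alice/Downloads/tool.exe": b"flagged sample",
    "Program Files/App/readme.txt": b"vendor readme",
}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Constructed hash sets: KNOWN_GOOD plays the role of an NSRL-style
# known-file database, KNOWN_BAD the role of a known-bad hash set.
KNOWN_GOOD = {md5_hex(b"known OS binary"), md5_hex(b"vendor readme")}
KNOWN_BAD = {md5_hex(b"flagged sample")}


def prioritized(paths) -> List[str]:
    """Order paths so user-directory files are analyzed before all others."""
    return sorted(paths, key=lambda p: (0 if p.startswith("Users/") else 1, p))


def classify(digest: str) -> str:
    """Known-bad takes precedence; NSRL-style known files are marked to be ignored."""
    if digest in KNOWN_BAD:
        return "KNOWN_BAD"
    if digest in KNOWN_GOOD:
        return "KNOWN"
    return "UNKNOWN"


def hash_lookup(files: Dict[str, bytes]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (path, verdict) in processing order plus inbox messages for bad hits."""
    results: List[Tuple[str, str]] = []
    inbox: List[str] = []
    for path in prioritized(files):
        digest = md5_hex(files[path])
        verdict = classify(digest)
        results.append((path, verdict))
        if verdict == "KNOWN_BAD":
            inbox.append(f"Hashset hit: {path} (md5 {digest})")
    return results, inbox
```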
<h1>Analysis Basics</h1>
<p>
<a href="screenshot.png"><img src="screenshot.png" alt="SCREEN SHOT HERE" width="30%" height="30%" /></a>
<br />(Click on the image for a full-size version)
</p>
<p>You will start all of your analysis techniques from the tree
on the left. </p>
<ul>
<li>The Images node shows the file system structure of the disk
images.</li>
<li>The Views node shows the same data from a file type or timeline
perspective.</li>
<li>The Results node shows the output from the ingest modules.</li>
</ul>
<p>When you select a node from the tree on the left, a list of
files will be shown in the upper right. You can use the Thumbnail view in
the upper right to view the pictures. When you select a file from the
upper right, its contents will be shown in the lower right. You can use
the tabs in the lower right to view the text of the file, an image, or the hex
data.</p>
<p>If you are viewing files from the Views and Results nodes,
you can right-click on a file to go to its file system location. This
feature is useful to see what else the user stored in the same folder as the
file that you are currently looking at. You can also right-click on a
file to extract it to the local system.</p>
<p>If you want to search for single keywords, then you can use
the search box in the upper right of the program. The results will be
shown in a table in the upper right. </p>
<h2>Ingest Inbox</h2>
<p>As you are going through the results in the tree, the ingest
modules are running in the background. The results are shown in the tree
as soon as the ingest modules find them and report them. </p>
<p>The Ingest Inbox receives messages from the ingest modules
as they find results. You can open the inbox to see what has been recently
found. It keeps track of what messages you have read. </p>
<p>The intended use of this inbox is that you can focus on some
data for a while and then check back on the inbox at a time that is convenient
for you. You can then see what else was found while you were focused on
the previous task. You may learn that a known bad file was found or that a file
was found with a relevant keyword and then decide to focus on that for a while.
</p>
<p>When you select a message, you can then jump to the Results
tree where more details can be found or jump to the file's location in the file
system.</p>
<h1>Example Use Cases</h1>
<p>In this section, we will provide examples of how to do
common analysis tasks. </p>
<h2>Web Artifacts</h2>
<p>If you want to view the user's recent web activity, make
sure that the Recent Activity ingest module was enabled. You can then go
to the &quot;Results&quot; node in the tree on the left and then into the &quot;Extracted
Data&quot; node. There, you can find bookmarks, cookies, downloads, and
history. </p>
<h2>Known Bad Hash Files</h2>
<p>If you want to see if the image had known bad files, make sure
that the Hash Lookup ingest module was enabled. You can then view
the &quot;Hashset Hits&quot; section in the &quot;Results&quot;
area of the tree on the left. Note that hash lookup can take a long
time, so this section will be updated as long as the ingest process
is occurring. Use the Ingest Inbox to keep track of what known bad
files were recently found. </p>
<p>When you find a known bad file in this interface, you may want
to right-click on the file to also view the file's original location. You
may find additional files that are relevant and stored in the same folder as
this file. </p>
<h2>Images and Videos</h2>
<p>If you want to see all images and video on the disk image,
then go to the &quot;Views&quot; section in the tree on the left and then &quot;File
Types&quot;. Select either &quot;Images&quot; or &quot;Videos&quot;. You can use the
thumbnail option in the upper right to view thumbnails of all images.</p>
<p>NOTE: We are working on making this more efficient when there
are lots of images and we are working on the feature to display video
thumbnails.</p>
<p>You can select an image or video from the upper right and
view the video or image in the lower right. Video will be played with sound. </p>
<h1>Reporting</h1>
<p>A final report can be generated that will include all
analysis results. Use the &quot;Generate Report&quot; button to create this. It will
create an HTML or XLS report in the Reports folder of the case folder. If you
forgot the location of your case folder, you can determine it using the &quot;Case
Properties&quot; option in the &quot;File&quot; menu. There is also an option
to export report files to a separate folder outside of the case folder. </p>
<hr>
<p><i>Copyright &#169; 2012 Basis Technology.<br />
This work is licensed under a
<a rel="license" href="http://creativecommons.org/licenses/by-sa/3.0/us/">Creative Commons Attribution-Share Alike 3.0 United States License</a>.
</i></p>
</body>
</html>