autopsy-flatpak/docs/doxygen/design.dox

/*! \page design_page General Design 

\section design_overview Overview
This section outlines Autopsy design from the typical analysis work flow perspective.
A typical Autopsy work flow consists of the following steps:

- Wizards are used to create case and images (org.sleuthkit.autopsy.casemodule),
- TSK database is created,
- Ingest modules are run (org.sleuthkit.autopsy.ingest),
- Ingest modules post results to the blackboard and ingest inbox,
- Directory tree displays blackboard contents,
- Data is encapsulated into nodes and passed to table and content viewers,
- Reports can be generated.

\subsection design_overview_sub1 Creating a case

The first step in Autopsy work flow is creating a case.
User is guided with the case creation wizard to enter the case name, base directory and optional case information.
Autopsy creates the case directory (named after the case name), where all the case data is stored.
An empty TSK database is created and initialized.

For more information on the case module refer to the org.sleuthkit.autopsy.casemodule documentation.

\subsection design_overview_sub2 Adding an image

After case is created, one or more disk images can be added to the case, using the Add Image Wizard.
The process invokes internally the native sleuthkit library.  
The library reads the image and populates the TSK database with the image meta-data.

For more information on the add image internals, refer to org.sleuthkit.autopsy.casemodule documentation.

\subsection design_overview_sub4 Running ingest modules

After image has been added to the case, user can select one or more ingest modules to be executed on the image.
Most ingest modules can be configured before the run using basic or advanced configuration panels (or both).

The work of ingest services is performed in the background and ingest progress is indicated by progress bars.   

Autopsy provides ingest module framework in the ingest package.
For more information refer to the org.sleuthkit.autopsy.ingest package documentation and ingest.dox 


\subsection design_overview_sub5 Ingest modules posting results

Ingest services, when running, produce data and write the data to the blackboard
in form of blackboard artifacts and their associated blackboard attributes.

The services then notify listeners of the availability of the data.
The default listener is the Autopsy directory tree UI component.
The component displays data currently saved in the blackboard and it also
refreshes the data view in real-time in response to service events.

Ingest service also post interesting messages about the incoming data to Ingest Inbox.  

For more details on how to ingest modules post results, refer to ingest.dox

\subsection design_overview_sub6 Result viewers (directory tree, table viewers, content viewers) 

The directory tree result viewer (in the left-hand panel of the Autopsy viewer) is the core results viewer for the results saved during the ingest process.

The component is by default registered as an ingest message listener with the ingest manager.

When Autopsy starts, the viewer queries the blackboard data and populates the UI.
During ingest, the viewer responds to data events by refreshing the data nodes corresponding to the artifact type in the data event.
When ingest is completed, the viewer responds to the final ingest data event generated by the ingest manager, 
and performs a final refresh of all data nodes.

For more information refer to org.sleuthkit.autopsy.corecomponents, org.sleuthkit.autopsy.corecomponentsinterfaces
and org.sleuthkit.autopsy.directorytree 

Data is encapsulated in nodes org.openide.nodes.Node before it is displayed in the UI.
A node is an abstraction for a displayable data unit.
The nodes contain property sheets to store data and are organized in a parent-child hierarchy.
The hierarchy is used to visually represent the data and to trigger child view update whenever the parent node is selected by the user.
Node child factories are invoked by the Netbeans framework at the time of parent node selection to create or refresh the child node view.

Once a node is selected, its property sheet is rendered in the default table result viewer in the top-right part of the Autopsy UI.

Nodes containing content can be registered with content viewer (bottom-right part of the Autopsy UI).
Nodes use the node lookup infrastructure org.openide.util.Lookup to register their content viewer capabilities.

When a new node is selected, org.sleuthkit.autopsy.corecomponents.DataContentTopComponent queries registered data content viewers to determine support for the given node content.
The specific content viewers query the node lookup to determine the content capability match and return a number ranking the degree of the viewer support for the node type.
Based on return values of isSupported() and isPreferred() methods, the org.sleuthkit.autopsy.corecomponents.DataContentTopComponent enables or disables content viewers and selects a default active viewer for the node type.


\subsection design_overview_sub7 Report generation

After ingest is run, user can generate reports.
There are several types of reports implemented as submodules that are shipped with Autopsy core: generic html, xml and Excel reports.
Each reporting submodule implements org.sleuthkit.autopsy.report.ReportModule interface and registers itself in layer.xml

Reporting submodule typically interacts with 3 components:
- org.sleuthkit.autopsy.report.ReportConfiguration - to read current reporting configuration set by the user,
- Blackboard API in org.sleuthkit.datamodel.SleuthkitCase class - to traverse and read blackboard artifacts and attributes,
- an API (possibly external/thirdparty API) to convert blackboard artifacts data structures to the desired reporting format.

Autopsy reporting module is present in org.sleuthkit.autopsy.report package.
Please refer to report.dox and org.sleuthkit.autopsy.report package API documentation for more details on how to implement a custom reporting submodule.






*/