mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-09 14:49:32 +00:00
Code Issues Packages Projects Releases Wiki Activity
autopsy-flatpak/docs/doxygen-user/content_viewer.dox

91 lines
5.1 KiB
Plaintext
Raw Blame History

/*! \page content_viewer_page Content Viewer
The Content Viewer lives in the lower right-hand side of the Autopsy main screen and shows pictures, video, hex, text, extracted strings, metadata, etc. The Content Viewer is enabled when you select an entry in the \ref ui_results.
The Content Viewer is context-aware, meaning different tabs will be enabled depending on the type of content selected and which ingest modules have been run. It will default to what it considers the "most specific" tab. For example, selecting a JPG will cause the Content Viewer to automatically select the "Application" tab and will display the image there. If you instead would like the Content Viewer to stay on the previously selected tab when you change to a different content object, go to the \ref view_options_page panel through Tools->Options->Application Tab and select the "Stay on the same file viewer" option.
\image html content_viewer_options_panel.png
When a Result type is selected in the Result Viewer (as opposed to a file), most of the tabs will correspond to the file associated with the result and not the result itself. For example, when selecting a Keyword Hit, the "Hex", "Strings", and "File Metadata" tabs will show data from the file where the keyword was found. The descriptions below will generally assume a file has been selected, but most also apply when we have a file associated with a selected result.
\section cv_hex Hex
The Hex Content Viewer is nearly always available and shows you the raw and exact contents of a file. In this content viewer, the data of the file is represented as hexadecimal values grouped in 2 groups of 8 bytes, followed by one group of 16 ASCII characters which are derived from each pair of hex values (each byte). Non-printable ASCII characters and characters that would take more than one character space are typically represented by a dot (".") in the following ASCII field.
\image html content_viewer_hex.png
If desired, you can open the file in an external hex editor. This is configured through the "External Viewer" tab on the options panel. HxD has been tested to work, but alternate hex editors may also be compatible.
\image html content_viewer_hex_editor_setup.png
Note that this process saves the file to disk before launching the hex editor. A progress indicator will be displayed in the lower right corner of the application. If you wish to cancel the file export, click the 'X' to the right of the progress bar.
\image html content_viewer_hxd_progress.png
\section cv_strings Strings
The Strings tab shows all text strings found in the file. Different scripts can be chosen from the drop-down menu to display results for non-Latin alphabets.
\image html content_viewer_strings_cyrillic.png
\section cv_app Application
For certain file types, the Application tab can display the contents in a user friendly format. The following screenshots show some examples of what the Application tab will display.
It will display most image types, which can be scaled and rotated:
\image html content_viewer_app_image.png
It also allows you to browse SQLite tables and export their contents as CSV:
\image html content_viewer_app_sqlite.png
And plist file data will be shown and can be exported:
\image html content_viewer_app_plist.png
HTML files can be displayed closer to their original form:
\image html content_viewer_html.png
\section cv_indexed_text Indexed Text
The Indexed Text tab shows the text that has been indexed by the Keyword Search module. You can switch the "Text Source" Field to "Result Text" to see which text has been indexed for associated results.
\image html content_viewer_indexed_text.png
\section cv_message Message
The Message tab shows details of emails and SMS messages.
\image html content_viewer_message.png
\section cv_metadata File Metadata
The File Metadata tab displays basic information about the file, such as type, size, and hash. It also displays the output of the Sleuth Kit istat tool.
\image html content_viewer_metadata.png
\section cv_results Results
The Results tab is active when selecting entries that are part of the Results tree, such as keyword hits, call logs, and messages. It is also active when looking at a file that has results associated with it. The exact fields displayed depend on the type of entry. The two images below show the Results tab for a call log and a web bookmark.
\image html content_viewer_results_call.png
<br>
\image html content_viewer_results_bookmark.png
\section cv_annotations Annotations
The Annotations tab shows information added by an analyst about a file or result. It displays any tags and comments associated with the file or result, and if the \ref central_repo_page is enabled it will also display any comments saved to the Central Repository.
\image html content_viewer_annotations.png
\section cv_other_occurrences Other Occurrences
The Other Occurrences tab shows other instances of this file or result. Enabling the \ref central_repo_page adds additional functionality to this tab. See the \ref cr_content_viewer section for more information.
\image html content_viewer_other_occurrences.png
*/
Reference in New Issue View Git Blame Copy Permalink