mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-06 21:00:22 +00:00
Code Issues Packages Projects Releases Wiki Activity
autopsy-flatpak/docs/doxygen-user/reporting.dox

117 lines
5.3 KiB
Plaintext
Raw Blame History

/*! \page reporting_page Reporting
[TOC]
\section reporting_overview Overview
The report modules allow the user to extract key information from a case in a variety of formats. This includes
making an HTML or Excel report containing all the extracted content, keyword hits, etc. from a case, or creating a KML file out
of any coordinates found to load into software like Google Earth.
\image html reports_select.png
Most report types will allow you to select which data sources to include in the report. Note that the names of excluded data sources may still be present in the report. For example, the \ref report_html will list all data sources in the case on the main page but will not contain results, tagged files, etc. from the excluded data source(s).
\image html reports_datasource_select.png
The different types of reports will be described below. The majority of the report modules will generate a report file which
will be displayed in the case under the "Reports" node of the \ref tree_viewer_page.
\image html reports_result_viewer.png
If the report type has an associated viewer (such as a web browser for an HTML report), you can double-click the report to open it
in an external application. Alternately you can browse to the "Reports" folder in the case folder and open the report from there.
\image html reports_folder.png
\section report_types Report Types
\subsection report_html HTML Report
For HTML reports, you can first choose to enter a header and footer that will be displayed in your results. For example, you might want to add a classification banner.
\image html reports_html_header.png
There are two options when generating a report - include all results or only include tagged results.
\image html reports_html_all_results.png
If you choose "All Results", you can then optionally use the "Data Types" button to choose which types of data to include in the report.
\image html reports_html_art_select.png
If you choose "Tagged Results", you can restrict the files and results that appear in the report to only those tagged with the tags you select.
Note that you can't filter on data type when using this option.
\image html reports_html_tagged.png
The completed report will look similar to this:
\image html reports_html_display.png
You can use the links on the left side to see the results for each data type.
\subsection report_excel Excel Report
Generating an Excel report is very similar to an \ref report_html. You select which tags or data types to export and Autopsy will create a .xlsx file.
\image html reports_excel.png
\subsection report_tagged_hashes Add Tagged Hashes
This is one of the report modules that doesn't generate an actual report. The purpose of this module is to easily add the hashes
of some/all tagged files to an Autopsy hash set that can be used by the \ref hash_db_page. You can use the "Configure Hash Sets" button to create a new
hash set to write to, or use an existing hash set.
\image html reports_hashes_config.png
After running this module, if you use the same hash set on future cases then everything that was tagged with one of the selected tags in this case will
show up as Hashset Hits.
\subsection report_case_uco CASE-UCO
This module creates a JSON output file in <a href="https://github.com/ucoProject/CASE/wiki">CASE-UCO</a> format for a single data source.
\image html reports_case.png
\subsection report_files Files - Text
This report module allows you create a tab or comma delimited text file report of all of the files in the current case. Start by selecting which delimiter you would like to use.
\image html reports_files_delimiter.png
You can then select which fields should be reported.
\image html reports_files_config.png
<br>
\image html reports_files_results.png
\subsection report_kml Google Earth KML
This report module generates a KML file from any GPS data in the case. This file can then be used with Google Earth.
\image html reports_kml.png
\subsection report_portable_case Portable Case
This report module generates a new Autopsy case that includes tagged and/or interesting items. See the \ref portable_case_page page for additional information.
\subsection report_stix STIX
The STIX module allows you to generate a report and Interesting File artifacts by running a STIX file (or files) against the data sources in the case.
For more information see the \ref stix_page page.
\subsection report_body_file TSK Body File
This module generates a <a href="https://wiki.sleuthkit.org/index.php?title=Body_file">TSK Body File</a> from the files in your case, which looks similar to the following:
<pre>7ff498a44e45e77374cc7c962b1b92f2|/img_image1.vhd/vol_vol2/$UpCase|10|rr-xr-xr-x|0|0|131072|1498757218|1498757218|1498757218|1498757218
d41d8cd98f00b204e9800998ecf8427e|/img_image1.vhd/vol_vol2/$Volume|3|rr-xr-xr-x|48|0|0|1498757218|1498757218|1498757218|1498757218
43fffda5c5edd8e9c647f1df476717de|/img_image1.vhd/vol_vol2/0000/0000_a.txt|63|rrwxrwxrwx|0|0|11|1498757454|1498176989|1498757454|1498757454
411c8024a7c38ee3843ba8a07d048ec2|/img_image1.vhd/vol_vol2/0000/0000_b.txt|64|rrwxrwxrwx|0|0|11|1498757454|1498176990|1498757454|1498757454
fcc958c5096889a222785ddb8c4bff80|/img_image1.vhd/vol_vol2/0000/0000_c.txt|65|rrwxrwxrwx|0|0|11|1498757454|1498176990|1498757454|1498757454
b7cde263cc1b5df5a13aeec742637a89|/img_image1.vhd/vol_vol2/0000/0000_d.txt|66|rrwxrwxrwx|0|0|11|1498757454|1498176990|1498757454|1498757454</pre>
*/
Reference in New Issue View Git Blame Copy Permalink