mirror of
https://github.com/overcuriousity/autopsy-flatpak.git
synced 2025-07-06 21:00:22 +00:00
164 lines
4.1 KiB
Groff
Executable File
.TH AUTOPSY 1 "MAR 2005" "User Manuals"
.SH NAME
autopsy \- Autopsy Forensic Browser
.SH SYNOPSIS
.B autopsy [-c] [-C] [-d
.I evid_locker
.B ] [-i
.I device filesystem mnt
.B ] [-p
.I port
.B ]
.I [addr]
.SH DESCRIPTION
By default,
.B autopsy
starts the Autopsy Forensic Browser server on port 9999 and accepts
connections from the localhost. If
.I -p port
is given, then the server opens on that port and if
.I addr
is given, then connections are only accepted from that host.
When the
.I -i
argument is given, then autopsy goes into live analysis mode.

The arguments are as follows:
.IP "-c"
Force the program to use cookies even for localhost.
.IP "-C"
Force the program to not use cookies even for remote hosts.
.IP "-d evid_locker"
Directory where cases and hosts are stored.
This overrides the
.B LOCKDIR
value in
.IR conf.pl .
The path must be a full path (i.e. start with /).
.IP "-i device filesystem mnt"
Specify the information for the live analysis mode. This can be specified
as many times as needed. The
.I device
field is for the raw file system device, the
.I filesystem
field is for the file system type, and the
.I mnt
field is for the mounting point of the file system.
.IP "-p port"
TCP port for server to listen on.
.IP addr
IP address or host name of the host where the investigator is located.
If localhost is used, then 'localhost' must be used in the URL.
If you use the actual hostname or IP, it will be rejected.
.PP
When started, the program will display a URL to paste into an
HTML browser. The browser must support frames and forms. The
Autopsy Forensic Browser will allow an investigator to analyze
images generated by
.BR dd (1)
for evidence. The program allows the images to be analyzed by
browsing files, blocks, inodes, or by searching the blocks.
The program also generates Autopsy reports that include collection
time, the investigator's name, and MD5 hash values.
.SH VARIABLES
The following variables can be set in
.IR conf.pl .

.I USE_STIMEOUT
.RS
When set to 1 (default is 0), the server will exit after
.B STIMEOUT
seconds of inactivity (default is 3600). This setting is recommended if
cookies are not used.
.RE
.I BASEDIR
.RS
Directory where cases and forensic images are located.
The images must have simple
names with only letters, numbers, '_', '-', and '.'. (See FILES).
.RE
.I TSKDIR
.RS
Directory where The Sleuth Kit binaries are located.
.RE
.I NSRLDB
.RS
Location of the NIST National Software Reference Library (NSRL).
.RE
.I INSTALLDIR
.RS
Directory where Autopsy was installed.
.RE
.I GREP_EXE
.RS
Location of
.BR grep (1)
binary.
.RE
.I STRINGS_EXE
.RS
Location of
.BR strings (1)
binary.
.RE
.SH FILES
.I Evidence Locker
.RS
The Evidence Locker is where all cases and hosts are saved. It
is a directory that has a directory for each case. Each case
directory has a directory for each host.

.RE
.I <CASE_DIR>/case.aut
.RS
This file is the case configuration file for the case. It contains the
description of the case and default subdirectories for the hosts.

.RE
.I <CASE_DIR>/investigators.txt
.RS
This file contains the list of investigators that will use this case. These
are used for logging only, not authentication.

.RE
.I <HOST_DIR>/host.aut
.RS
This file is where the host configuration details are saved. It
is similar to the 'fsmorgue' file from previous versions of Autopsy.
It has an entry for each file in the host and contains the host
description.

.RE
.I md5.txt
.RS
Some directories contain this file. It holds MD5 values for
important files in the directory. This makes it easy to validate the
integrity of images.
.RE
.SH EXAMPLE
# ./autopsy -p 8888 10.1.34.19
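The two naming rules stated on this page (the -d path must be a full path, and image names may contain only letters, numbers, '_', '-' and '.') can be checked before the server is started. The script below is an added example, not part of Autopsy or of the original manual page; the function names and the sample file names are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks for the documented -d and BASEDIR rules.
LC_ALL=C; export LC_ALL   # keep the A-Z / a-z ranges ASCII-only

# -d evid_locker must be a full path, i.e. start with "/".
valid_locker_path() {
    case "$1" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Image names may contain only letters, numbers, '_', '-' and '.'.
valid_image_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print every entry of directory $1 whose name breaks the rule.
# Returns 0 when all names are acceptable, 1 otherwise.
bad_image_names() {
    bad=0
    for path in "$1"/*; do
        [ -e "$path" ] || continue      # empty directory: glob stays literal
        name=${path##*/}
        if ! valid_image_name "$name"; then
            printf '%s\n' "$name"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample: a scratch directory standing in for an image directory.
demo_dir=$(mktemp -d)
touch "$demo_dir/disk1.dd" "$demo_dir/host-a_part2.img" \
      "$demo_dir/my image.dd" "$demo_dir/evidence(1).dd"

if valid_locker_path "$demo_dir"; then echo "locker path ok: $demo_dir"; fi
if valid_locker_path "cases/locker"; then :; else echo "rejected: cases/locker is not a full path"; fi
if bad_names=$(bad_image_names "$demo_dir"); then
    echo "all image names ok"
else
    echo "rename before adding to a case:"; echo "$bad_names"
fi
rm -rf "$demo_dir"
```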
.SH "SEE ALSO"
.BR dd (1),
.BR fls (1),
.BR ffind (1),
.BR ifind (1),
.BR grep (1),
.BR icat (1),
.BR md5 (1),
.BR strings (1)
.SH REQUIREMENTS
The Autopsy Forensic Browser requires
.B The Sleuth Kit
<www.sleuthkit.org/sleuthkit>
.SH HISTORY
.BR "autopsy" " first appeared in " "Autopsy" " v1.0."
.SH LICENSE
This software is distributed under the GNU Public License.
.SH AUTHOR
Brian Carrier <carrier at sleuthkit dot org>

Send documentation updates to <doc-updates at sleuthkit dot org>