mirror of
https://github.com/overcuriousity/autopsy-flatpak.git
synced 2025-07-06 21:00:22 +00:00
118 lines
6.2 KiB
Plaintext
118 lines
6.2 KiB
Plaintext
/*! \page content_viewer_page Content Viewer
|
|
|
|
[TOC]
|
|
|
|
|
|
The Content Viewer lives in the lower right-hand side of the Autopsy main screen and shows pictures, video, hex, text, extracted strings, metadata, etc. The Content Viewer is populated when you select an entry in the \ref ui_results.
|
|
|
|
The Content Viewer is context-aware, meaning different tabs will be enabled depending on the type of content selected and which ingest modules have been run. It will default to what it considers the "most specific" tab. For example, selecting a JPG will cause the Content Viewer to automatically select the "Application" tab and will display the image there. If you instead would like the Content Viewer to stay on the previously selected tab when you change to a different content object, go to the \ref view_options_page panel through Tools->Options->Application Tab and select the "Stay on the same file viewer" option.
|
|
|
|
\image html content_viewer_options_panel.png
|
|
|
|
When a result item is selected in the Result Viewer (as opposed to a file), most of the tabs will correspond to the file associated with the result and not the result itself. For example, when selecting a keyword hit, the "Hex", "Strings", and "File Metadata" tabs will show data from the file where the keyword was found. The descriptions below will generally assume a file has been selected, but most also apply when we have a file associated with a selected result.
|
|
|
|
\section cv_hex Hex
|
|
|
|
The Hex tab is nearly always available and shows you the raw and exact contents of a file. In this tab, the data of the file is represented as hexadecimal values grouped in 2 groups of 8 bytes, followed by one group of 16 ASCII characters which are derived from each pair of hex values (each byte). Non-printable ASCII characters and characters that would take more than one character space are typically represented by a dot (".") in the following ASCII field.
|
|
|
|
\image html content_viewer_hex.png
|
|
|
|
If desired, you can open the file in an external hex editor. This is configured through the \ref config_ext_viewer tab on the options panel. HxD has been verified to work with Autopsy, but alternate hex editors may also be compatible.
|
|
|
|
Note that this process saves the file to disk before launching the hex editor. A progress indicator will be displayed in the lower right corner of the application. If you wish to cancel the file export, click the 'X' to the right of the progress bar.
|
|
|
|
\image html content_viewer_hxd_progress.png
|
|
|
|
\section cv_text Text
|
|
|
|
The Text tab has three sub tabs for displaying the text contained in the selected item.
|
|
|
|
\subsection cv_strings Strings
|
|
|
|
The Strings tab shows all text strings found in the file for the given script selected in the upper right. By default Latin text is used.
|
|
|
|
\image html content_viewer_strings_latin.png
|
|
|
|
Different scripts can be chosen from the drop-down menu to display results for non-Latin alphabets.
|
|
|
|
\image html content_viewer_strings_cyrillic.png
|
|
|
|
\subsection cv_indexed_text Indexed Text
|
|
|
|
The Indexed Text tab shows the text that has been indexed by the \ref keyword_search_page. You can switch the "Text Source" field to "Result Text" to see the text that has been indexed for the results associated with a file.
|
|
|
|
\image html content_viewer_indexed_text.png
|
|
|
|
\subsection cv_translation Translation
|
|
|
|
If you have a translation service enabled, the Translation tab allows you to translate the text. See the \ref machine_translation_page page for more information.
|
|
|
|
\section cv_app Application
|
|
|
|
For certain file types, the Application tab can display the contents in a user friendly format. The following screenshots show some examples of what the Application tab will display.
|
|
|
|
It will display most image types, which can be scaled and rotated:
|
|
|
|
\image html content_viewer_app_image.png
|
|
|
|
It displays video files, allowing you to move play/pause, move forward or backward 30 seconds, adjust the volume, and change the playback speed.
|
|
|
|
\image html content_viewer_video.png
|
|
|
|
It also allows you to browse SQLite tables and export their contents as CSV:
|
|
|
|
\image html content_viewer_app_sqlite.png
|
|
|
|
And plist file data will be shown and can be exported:
|
|
|
|
\image html content_viewer_app_plist.png
|
|
|
|
HTML files can be displayed closer to their original form:
|
|
|
|
\image html content_viewer_html.png
|
|
|
|
Registry hive files can be viewed in a format similar to a registry editor.
|
|
|
|
\image html content_viewer_registry.png
|
|
|
|
\section cv_metadata File Metadata
|
|
|
|
The File Metadata tab displays basic information about the file, such as type, size, and hash. It also displays the output of the Sleuth Kit istat tool.
|
|
|
|
\image html content_viewer_metadata.png
|
|
|
|
\section cv_os_account OS Accounts
|
|
|
|
The OS Accounts tab displays information on the OS account associated with a given result, if present. It is also used to give details on accounts listed under the OS Accounts node in the tree.
|
|
|
|
\image html content_viewer_os_account.png
|
|
|
|
\section cv_results Results
|
|
|
|
The Results tab is active when selecting items with associated results such as keyword hits, call logs, and messages. The exact fields displayed depend on the type of result. The two images below show the Results tab for a call log and a web bookmark.
|
|
|
|
\image html content_viewer_results_call.png
|
|
<br>
|
|
\image html content_viewer_results_bookmark.png
|
|
|
|
\section cv_context Context
|
|
|
|
The Context tab shows information on where a file came from and allows you to navigate to the original result. For example, it can show the the URL for downloaded files and the email message a file was attached to. In the image below you can see the context for an image that was sent as an email attachment.
|
|
|
|
\image html content_viewer_context.png
|
|
|
|
\section cv_annotations Annotations
|
|
|
|
The Annotations tab shows information added by an analyst about a file or result. It displays any tags and comments associated with the file or result, and if the \ref central_repo_page is enabled it will also display any comments saved to the Central Repository.
|
|
|
|
\image html content_viewer_annotations.png
|
|
|
|
\section cv_other_occurrences Other Occurrences
|
|
|
|
The Other Occurrences tab shows other instances of this file or result. Enabling the \ref central_repo_page adds additional functionality to this tab. See the \ref cr_content_viewer section for more information.
|
|
|
|
\image html content_viewer_other_occurrences.png
|
|
|
|
|
|
*/
|