Autopsy User Documentation  4.19.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
Tree Viewer


The tree on the left-hand side of the main window is where you can browse the files in the data sources in the case and find saved results from automated analysis (ingest). The tree has seven main areas:

  • Persons / Hosts / Data Sources: This shows the directory tree hierarchy of the data sources. You can navigate to a specific file or directory here. Each data source added to the case is represented as a distinct sub tree. If you add a data source multiple times, it shows up multiple times.
  • File Views: Specific types of files from the data sources are shown here, aggregated by type or other properties. Files here can come from more than one data source.
  • Data Artifacts: This is one of the main places where results from running Ingest Modules appear.
  • Analysis Results: This is the other main place where results from running Ingest Modules appear.
  • OS Accounts: This is where you can see the results from both the automated analysis (ingest) running in the background and your search results.
  • Tags: This is where files and results that have been tagged are shown.
  • Reports: Reports that you have generated, or that ingest modules have created, show up here.

You can also use the "Group by Person/Host" option available through the View Options to move the Views, Results, and Tags tree nodes under their corresponding person and host. This can be helpful on very large cases to reduce the size of each sub tree.

Persons / Hosts / Data Sources

By default, the top node of the tree viewer will contain all data sources in the case. The Data Sources node is organized by host and then the data source itself. Right clicking on the various nodes in the Data Sources area of the tree will allow you to get more options for each data source and its contents.

[Image: ui_tree_top_ds.png]

If the "Group by Person/Host" option has been selected in the View Options, the hosts and data sources will be organized under any persons that have been associated with the hosts. Additionally, the rest of the nodes (Views, Results, etc.) will be found under each data source.

[Image: ui_tree_top_persons.png]

Persons

If the "Group by Person/Host" option in the View Options has been set, the top level nodes will display persons. Persons are manually created and can be associated with one or more hosts. To add or remove a person from a host, right-click on the host and select the appropriate option.

[Image: ui_person_select.png]

You can edit and delete persons by right-clicking on the node.

Hosts

All data sources are organized under host nodes. See the hosts page for more information on using hosts.

Data Sources

Under the hosts are the nodes for each data source.

Unallocated space consists of the chunks of a file system that are not currently being used for anything. Unallocated space can hold deleted files and other interesting artifacts. In an image data source, unallocated space is stored in blocks with distinct locations in the file system. However, because of the way carving tools work, it is better to feed these tools a single, large unallocated space file. Autopsy provides access to both methods of looking at unallocated space.

  • Individual blocks in a volume: For each volume, there is a "virtual" folder named "$Unalloc". This folder contains all the individual unallocated blocks in contiguous runs (unallocated space files) as the image is storing them. You can right click and extract any unallocated space file the same way you can extract any other type of file in the Data Sources area.
  • Single files: Right click on a volume and select "Extract Unallocated Space as Single File" to concatenate all of the unallocated space files in the volume into a single, continuous file. (If desired, you can right click on an image and select "Extract Unallocated Space to Single Files", which will do the same thing, but once for each volume in the image.)

An example of the single file extraction option is shown below.

[Image: extracting-unallocated-space.PNG]
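When a carving tool reports a hit inside a concatenated unallocated space file, the offset has to be translated back to a location in the image, and a hit that straddles two runs may join data that was never adjacent on disk. The following is an added example, not Autopsy's code: it concatenates runs while keeping an offset index. The function names, the byte-offset run format and the 64-byte sample image are assumptions made for illustration.

```python
import bisect
import io

def concat_runs(image, runs, out):
    """Write each (image_offset, length) run to `out` back to back.

    Returns an index of (out_offset, image_offset, length) tuples."""
    index, pos = [], 0
    for image_offset, length in sorted(runs):
        image.seek(image_offset)
        data = image.read(length)
        if len(data) != length:
            raise ValueError(f"run at {image_offset} extends past end of image")
        out.write(data)
        index.append((pos, image_offset, length))
        pos += length
    return index

def _entry(index, out_offset):
    # Find the run whose slice of the single file contains out_offset.
    i = bisect.bisect_right([e[0] for e in index], out_offset) - 1
    if i < 0 or out_offset >= index[i][0] + index[i][2]:
        raise ValueError(f"offset {out_offset} is outside the extracted file")
    return i

def to_image_offset(index, out_offset):
    """Translate an offset in the single file to an offset in the image."""
    start, image_offset, _ = index[_entry(index, out_offset)]
    return image_offset + (out_offset - start)

def crosses_gap(index, out_offset, size):
    """True if [out_offset, out_offset + size) joins runs not adjacent on disk."""
    first, last = _entry(index, out_offset), _entry(index, out_offset + size - 1)
    return any(index[i][1] + index[i][2] != index[i + 1][1]
               for i in range(first, last))

def demo():
    # Constructed 64-byte "image" with two unallocated runs (hypothetical data).
    image = bytearray(64)
    image[34:37] = b"\xff\xd8\xff"      # JPEG signature inside the second run
    runs = [(8, 8), (32, 16)]           # (image_offset, length) in bytes
    single = io.BytesIO()
    index = concat_runs(io.BytesIO(bytes(image)), runs, single)
    hit = single.getvalue().find(b"\xff\xd8\xff")
    return hit, to_image_offset(index, hit), crosses_gap(index, 6, 4)

if __name__ == "__main__":
    print(demo())
```
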

File Views

Views filter all the files in the case by some property of the file.

  • File Types: Sorts files by file extension or by MIME type, and shows them in the appropriate group. For example, files with .mp3 and .wav extensions end up in the "Audio" group.
  • Deleted Files: Displays files that have been deleted but whose names have been recovered.
  • File Size: Sorts files based on size.

Data Artifacts

This section shows the data artifacts created by running ingest. In general, data artifacts contain concrete information extracted from the data source. Examples include call logs and messages from communication logs, or web bookmarks extracted from a browser database.

Analysis Results

This section shows the analysis results created by running ingest. In general, analysis results contain information that the user has indicated they are interested in. For example, if the user sets up a list of notable hashes, any hash set hits will appear here.

OS Accounts

This section shows the OS accounts found in the case. See OS Accounts for an example.

Tags

Any item you tag shows up here so you can find it again easily. See Tagging and Commenting for more information.

Reports

Reports can be added by Ingest Modules or created using the Reporting tool.


Copyright © 2012-2021 Basis Technology. Generated on Fri Aug 6 2021
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.
