Autopsy 3

Autopsy 3

2015/7/29 Autopsy User Documentation: Autopsy User's Guide

Autopsy User's Guide

Overview

This is the User's Guide for the open source Autopsy platform. Autopsy allows you to examine a hard
drive or mobile device and recover evidence from it. This guide should help you with using Autopsy.
The developer's guide will help you develop your own Autopsy modules.

Autopsy 3 is a complete rewrite from Autopsy 2, and none of this document is relevant to Autopsy 2.

Help Topics

The following topics are available here: 1/2

• Installation
• Quick Start Guide
• Autopsy Workflow
• Cases and Adding Data Sources

o Cases
o Data Sources
o UI Layout
• Automated Analysis (Modules)
o Ingest Modules
o Recent Activity Module
o Hash Database Lookup Module
o File Type Identification Module
o Embedded File Extraction Module
o EXIF Parser Module
o Keyword Search Module
o Email Parser Module
o Extension Mismatch Detector Module
o E01 Verifier Module
o Android Analyzer Module
o Interesting Files Identifier Module
o PhotoRec Carver Module
• Manual Analysis
o Tree Viewer
o Result Viewer
o Content Viewer
o File Search
o Timeline
o STIX
• Reporting
o Tagging

http://www.sleuthkitorg/autopsy/docs/user-docs/3.1/

2015/7/29 Autopsy User Documentation: Autopsy User's Guide

0 Reporting
• Installing 3rd-Party Modules

If the topic you need is not listed, refer to the Autopsy Wiki or join the SleuthKit User List at
SourceForge.

Copyright © 2012-2015 Basis Technology. Generated on Wed Jul 29 2015
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.

hap://www.steuthkit.org/autopsy/docs/user-docs/3.1/ 2/2

2015f7/29 Autopsy User Documentation: Quick Start Guide

M easel - Autopsy 3.1.2 Gene ate Report t.*. . 0 • Keyword Lists Ck• Keywor

File view Tools Window Help
Close Case + Add Data Source

+ Directory Listng Path Date/Tole Data S
kecent Docunents
0 Data Sources 2014-02 10 12:14:52 EN Dane F
Table ;1rxnlbrW 1.
Views
E: Results Source Fie
.2: • Extracted Content a howdy.bd.hk

Call Logs (159 a 100_6259.W( 2,14-02-14 1E:50:44 EDT Gera F
'11 Contacts (90) C'tETC_,
CI Devices Attached (17) a 1978871_10152107173663113_206070859k '..Autc:p2c1,::•2242.22pI1-17:12071 _1015 u 204-012 1.2 14:20236 EDT
Ib EXIF Metadata (63)
. • Extension frismatch Detected (103) a 890951_1.Ink 2:I1JsersIA0p2psy1042,21to01.6404511:1P0 2014-03, 19 17:23:06 EDT

• ActweSYnclok E:\Mobile Device Forensic 11211engekSECE63-Capstone-VOndowsNobil... 2019-03-1016:31:50 EDT

"sd Instated Programs (38) Alooette El \ PlCble Depice Fu'erPic Challenge 1 SELIF02-Paccpcne-Noha-06101,11 '01 4 0:: IP 15:31:50 EDT C:err:cfr
Calendar.ht upers Appcpcp1DesItopIDCodecul 020-tu Id 4 02 09+05 :1p 2614 03-10 15:32122 EDT C:errpi-
Messages Dm DCode-v9.02a-buld-9.02.0.9306.Wc 2.014415 10 16:35:00 EDT Demo _4
a 02.14 2014-03P IL 12:11:06 EDI
Operating System Information (2) E3.Ink 2014.03-N 1211:21 EDT

"r..- Operating System User Account (9)
- a Recent Documents (18)

* Web Bookmarks (20)

(id Web Cookies (210) a My Videos.Ink ElMobIe eFceml. Challenge15E2563-CepsIprie rido;w1,10101 2014 00-10 16:11:16 EDT Derae±
a. Web Downloads (1) Nokia 6610 KRY Reportink 2014-0S 1012:11:01 EDT
Cce Dec-p±
E Web History (21) s ()pen-earth* Demo r
a Removable Disk (E),Ink
. • Web Search (4)

• Keyword Hits

• Single Literal Keyword Sear& (395) 2' SEC563-Capstone44oloa-6610Ank E:III2b1e De e r ecsic Challen3eIPEC562-Capp0.cie-Nolua-651u 2014.031101632:10 EDT Demo Y
▪ • Single Regular boxession Search (0)
▪ • Phone arnbers (S) a What is Second life Second Ufeink
• • IP Addresses (3700)
▪ • Email Addresses (549) a )(ACT Log.,* E.Wobile De, 0,2 Fez uPst2 21:01120g41,3E_ppcpuerstpci- No1Pa 601001 2014 CP 1016:02:10 EDT Eemcpt
▪ • Superheros (43)
" --
Hashset Hits
Hex Strings I Metadata {Res•its I Text I

Page: 1 of 1 Page Go to Page:

•.‘ E-Mail Messages 0200000000. 4C 00 00 00 01 14 02 00 00 00 00 00 CO 00 00 00 L
* interesting Items 0x00000010: 00 00 00 46 83 00 20 00 40 01 SO 05
N Tags 0x00000020: 39 98 CD 01 00 58 69 57 10 00 00 00 00 9D DD OC 9 .1112 .. 11
L. Reports 0200000030; 39 9e CD 01 00 00 00 00 C6 97 CD 01 01 00 00 00 9
0200000040: 00 00 00 00 00 00 00 00 95 01. 14 00
0200000050: 19 50 20 4F 00 00 00 00 00 00 25 30 _P.O......+0
0200000060: 30 91) 19 00 DO 20 EA 3A 00 00 00 00 00 00 00 00 0. /E:
0x00000070: 00 00 00 00 2F 45 3A SC 69 10 A2 De 00 31 00 00
0200000080: 00 00 00 35 00 00 00 00 00 00 00 00 49 4C 45 /2 1
0200000090: 31 00 GO 72 41 58 3.4 10 00 00 00 8A 41 58 A4 35
0290000020, 41 00 38 22 00 09 00 04 00 4D 4F 42 00 00 00 00 1r SA..5
02000000b0: 00 00 00 00 00 00 00 60 00 EF 82 35 00 00 00 00 A.0
0200000020: 00 4D 00 67 00 00 00 00 DC 03 00 00 00 20 00 44
0200000090: 00 65 00 76 00 62 00 69 00 00 00 00 00 46 00 6F 1 56.
0209000040: 00 72 00 65 00 69 00 63 00 6C 00 65 00 20 00 43 SA 5A e.
0200000010: 00 68 00 61 00 62 00 73 00 65 00 20 00 67 00 65
0200000199: 00 00 00 le 00 6C 00 6C 00 69 00 63 00 35 41 58
0200000110: 2.4 10 00 53 00 84 00 31 00 65 00 6E 00 6C 00 09
0209000120: 00 04 00 EF 45 43 35 36 00 00 00 00 38 22 00 00
0x00000130: 00 SO 10 04 82 35 41 50 33 72 31 00 00 00 00 00
00 00 00 00 A4 35 41 00
00 00 00 00

You will start all of your analysis techniques from the tree on the left.

The Data Sources root node shows all data in the case.
a The individual image nodes show the file system structure of the disk images or local disks in the case.
a The LogicalFileSel nodes show the logical files in the case.

• The Mews node shows the same data from a file type or timeline perspective.
• The Results node shows the output from the ingest modules.

When you select a node from the tree on the left, a list of files will be shown in the upper right. You can use the Thumbnail view in the upper right to view the pictures.
When you select a file from the upper right, its contents will be shown in the lower right. You can use the tabs in the lower right to view the text of the file, an image, or
the hex data.

If you are viewing files from the Mews and Results nodes, you can right-click on a file to go to its file system location. This feature is useful to see what else the user
stored in the same folder as the file that you are currently looking at. You can also right click on a file to extract it to the local system.

If you want to search for single keywords, then you can use the search box in the upper right of the program. The results will be shown in a table in the upper right.

You can tag (bookmark) arbitrary files so that you can more quickly find them later or so that you can include them specifically in a report.

Ingest Inbox

As you are going through the results in the tree, the ingest modules are running in the background. The results are shown in the tree as soon as the ingest modules
find them and report them,

The Ingest Inbox receives messages from the ingest modules as they find results. You can open the inhox to see what has been recently found. It keeps track of what
messages you have read.

The intended use of this inbox is that you can focus on some data for a while and then check back on the inbox at a time that is convenient for them. You can then see
what else was found while you were focused on the previous task. You may learn that a known bad file was found or that a file was found with a relevant keyword and
then decide to focus on that for a while.

http:/Mrww.sleuthkitorg/autopsykinos/user-docs/3.1/quick_start_guidahtml 2/3

2015/7/29 Autopsy User Documentation: Quick Start Guide

Quick Start Guide

Adding a Data Source (image, local disk, logical files)

Data sources are added to a case. A case can have a single data source or it can have multiple data sources. Currently, a single report is generated for an entire
case, so if you need to report on individual data sources, then you should use one data source per case. If there are many drives/phones/other data sources for one
investigation, then your case should have multiple data sources.

Creating a Case

To create a case, use either the "Create New Case" option on the Welcome screen or from the "File" menu. This will start the New Case Wizard. You will need to
supply it with the name of the case and a directory to store the case results into. You can optionally provide case numbers and reviewer names.

Adding a Data Source

The next step is to add an input data source to the case The Add Data Source Wizard will start automatically after the case is created or you can manually start it
from the "File" menu or toolbar. You will need to choose the type of input data source to add (image, local disk, or logical files and folders). Next, supply it with the
location of the source to add.

• For a disk image, browse to the first file in the set (Autopsy will find the rest of the files). Autopsy currently supports E01 and raw (dd) files.
• For local disk, select one of the detected disks. Autopsy will add the current view of the disk to the case (i.e. snapshot of the meta-data). However, the individual

file content (not meta-data) does get updated with the changes made to the disk. Note, you may need run Autopsy as an Administrator to detect all disks.
• For logical files (a single file or folder of files), use the "Add" button to add one or more files or folders on your system to the case Folders will be recursively

added to the case.

There are a couple of options in the wizard that will allow you to make the ingest process faster. These typically deal with deleted files. It will take longer if unallocated
space is analyzed and the entire drive is searched for deleted files. In some scenarios, these recovery steps must be performed and in other scenarios these steps are
not needed and instead fast results on the allocated files are needed. Use these options to control how long the analysis will take.

Autopsy will start to analyze these data sources and add them to the case and the internal database. While it is doing that, it will prompt you to configure the Ingest
Modules.

Ingest Modules

You will next be prompted to configure the Ingest Modules. Ingest modules will run in the background and perform specific tasks. The Ingest Modules analyze files in a
prioritized order so that files in a user's directory are analyzed before files in other folders. Ingest modules can be developed by third-parties. The standard ingest
modules included with Autopsy are:

• Recent Activity Module extracts user activity as saved by web browsers and the OS. Also runs Regripper on the registry hive.
• Hash Database Lookup Module uses hash databases to ignore known files from the NIST NSRL and flag known bad files. Use the "Advanced" button to add

and configure the hash databases to use during this process. You will get updates on known bad file hits as the ingest occurs. You can later add hash databases
via the Tools -> Options menu in the main Ul. You can download an index of the NIST NSRL from http://sourceforgemet/projects/autopsy/files/NSRL/
• File Type Identification Module determines file types based on signatures and reports them based on MIME type. It stores the results in the Blackhoard and
many modules depend on this. It uses the Tika open source library. You can define your own custom file types in Tools, Options, File Types.
• Embedded File Extraction Module opens ZIP, RAR, other archive formats, Doc, Docx, PPT, PPTX, XLS, and XLSX and sends the derived files from those files
back through the ingest pipeline for analysis.
• EXIF Parser Module extracts EXIF information from JPEG files and posts the results into the tree in the main UI.
• Keyword Search Module uses keyword lists to identify files with specific words in them. You can select the keyword lists to search for automatically and you can
create new lists using the "Advanced" button. Note that with keyword search, you can always conduct searches after ingest has finished. The keyword lists that
you select during ingest will be searched for at periodic intervals and you will get the results in real-time. You do not need to wait for all files to be indexed before
performing a keyword search, however you will only get results from files that have already been indexed when you perform your search.
• Email Parser Module identifies Thunderbird MBOX files and PST format files based on file signatures, extracting the e-mails from them, adding the results to
the Blackboard.
• Extension Mismatch Detector Module uses the results from the File Type Identification and flags files that have an extension not traditionally associated with
the file's detected type. Ignores 'known' (NSRL) files. You can customize the MIME types and file extensions per MIME type in Tools, Options, File Extension
Mismatch.
• E01 Verifier Module computes a checksum on E01 files and compares with the E01 file's internal checksum to ensure they match.
• Android Analyzer Module allows you to parse common items from Android devices. Places artifacts into the BlackBoard.
• Interesting Files Identifier Module searches for files and directories based on user-specified rules in Tools, Options, Interesting Files. It works as a "File
Alerting Module". It generates messages in the inbox when specified files are found.
• PhotoRec Carver Module carves files from unallocated space and sends them through the file processing chain.

When you select a module, you will have the option to change its settings. For example, you can configure which keyword search lists to use during ingest and which
hash databases to use. Refer to the individual module help for details on configuring each module.

\Mile ingest modules are running in the background, you will see a progress bar in the lower right. You can use the GUI to review ncoming results and perform other
tasks while ingesting at the same time.

Analysis Basics

http://www.sleuthkitorg/autopsy/docs/user-docs13.1/quick_start_guide.html 1/3

2015/7/29 Autopsy User Documentation: Quick Start Guide

When you select a message, you can then jump to the Results tree where more details can be found or jump to the file's location in the filesystem.

Timeline

There is a basic timeline view that you can access via the "Tools", "Make Timeline" feature. This will take a few minutes to create the timeline for analysis. Its features
are still in development.

Example Use Cases

In this section, we will provide examples of how to do common analysis tasks.

Web Artifacts

If you want to view the user's recent web activity, make sure that the Recent Activity ingest module was enabled. You can then go to the "Results " node in the tree on
the left and then into the "Extracted Data" node. There, you can find bookmarks, cookies, downloads, and history.

Known Bad Hash Files

If you want to see if the data source had known bad files, make sure that the Hash Lookup ingest module was enabled. You can then view the "Hashset Hits" section in
the "Results" area of the tree on the left. Note that hash lookup can take a long time, so this section will be updated as long as the ingest process is ongoing. Use the
Ingest Inbox to keep track of what known bad files were recently found.

When you find a known bad file in this interface, you may want to right click on the file to also view the file's original location. You may find additional files that are
relevant and stored in the same folder as this file.

Media: Images and Videos

If you want to see all images and video on the disk image, then go to the 'Views" section in the tree on the left and then "File Types". Select either "Images" or
"Videos". You can use the thumbnail option in the upper right to view thumbnails of all images.

Note: We are working on making this more efficient when there are lots of images. We are also working on the feature to display video thumbnails.

You can select an image or video from the upper right and view the video or image in the lower right. Video will be played with sound.

Reporting

A final report can be generated that will include all analysis results. Use the "Generate Report" button to create this. It will create an HTML or XLS report in the Reports
folder of the case folder. If you forgot the location of your case folder, you can determine it using the "Case Properties" option in the "File" menu. There is also an
option to export report files to a separate folder outside of the case folder.

Copyright ©2012-2015 Basis Technology. Generated on Wed Jul 29 2015
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.

http://m/ww.sleuthkitorg/autopsy/docs/user-docs/3.1/quick_start_guide.html 3/3

2015/7/29 Autopsy User Documentation: Autopsy Workflow

Autopsy Workflow

Analyzing data in Autopsy uses the following workflow:

1. Create a Case: A case is a container for one or more data sources. One must be created before
data is analyzed. See Cases for more details.

2. Adding a Data Source: One or more data sources are added to the case. Data sources include
disk images and local files. See Data Sources for more details.

3. Analyze with Ingest Modules: After the data source is added, ingest modules operate in the
background to analyze the data. Results are posted to the interface in real time and provide
alerts as necessary. Example ingest modules include hash calculation and lookup, keyword
searching, and web artifact extraction. 3rd-party modules can be developed and added to the
pipelines. See Ingest Modules.

4. Manual Analysis: The user navigates the interface, file contents, and ingest module results to
identify the evidence. Interesting items can be tagged for later reporting and analysis.

5. Report Generation: The user initiates a final report based on selected tags or results.

Copyright © 2012-2015 Basis Technology. Generated on Wed Jul 29 2015
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.

http://www.sleuthkit.org/autopsy/docs/user-docs/3.1/workflow_page.htm I 1/1

2015/7/29 Autopsy User Documentation: Cases

Cases

You need to create a case before you can analyze data in Autopsy. A case can contain one or more data
sources (disk images, disk devices, logical files). The data sources can be from multiple drives in a single
computer or from multiple computers. It's up to you.

Each case has its own directory that is named based on the case name. The directory will contain configuration
files, a database, reports, and other files that modules generates. The main Autopsy case configuration file has
an ".aut" extension.

Creating a Case

Welcome golE3fte

Create New Case

Open Recent Case
41

Autopsy® Open Existing Case

OPEN I EXTENSIBLE FAST Iti

Close

4

There are several ways to create a new case:

• The opening splash screen has a button to create a new case.
• The "File", "Create New Case" menu item

The New Case wizard dialog will open and you will need to enter the case name and base directory. A directory
for the case will be created inside of the "base directory". If the directory already exists, you will need to either
delete the existing directory or choose a different combination of names.

http://www.sleuthkitorg/autopsy/docs/user-docs/3.1/cases_page.html 1/2

2015/7/29 Autopsy User Documentation' Cases

at New Case Information Case Info maw

Steps Browse
1. Case Info
2. Additional Information

Enter New Case Information:

Case Name: myCaseName

Base Directory: C: \data

Case data will be stored in the following directory:
C: \datanyCaseName

I

Next > I Cancel _z.

1. 4

You will also be prompted for optional information, such as investigator name and case number.

After you create the case, you will be prompted to add a data source, as described in Adding a Data Source.

Opening a Case

To open a case, either:

• Choose "Open Existing Case" or "Open Recent Case" from the opening splash screen.
• Choose the "File", "Open Case" menu item or "File", "Open Recent Case"

Navigate to the case directory and select the ".aut" file.

Copyright © 2012-2015 Basis Technology. Generated on Wed Jul 29 2015
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.

http://www.sleuthkitorg/autopsy/does/user-docs/3.1/cases_page.html 2/2

2015/7/29 Autopsy User Documentation: Data Sources

Data Sources

A data source the thing you want to analyze. It can be a disk image, some logical files, a local drive, etc. You must open a case
prior to adding a data source to Autopsy.

Autopsy supports three types of data sources:

• Disk Image: A file (or set of files) that is a byte-for-byte copy of a hard drive or media card. (see Adding a Disk Image)
• Local Drive: Local storage device (local drive, USB-attached drive, etc.). (see Adding a Local Drive)

Logical Files: Local files or folders. (see Adding a Logical File)

Adding a Data Source

You can add a data source in several ways:

• After you create a case, it automatically prompts you to add a data source.
• There is a toolbar item to add a Data Source when a case is open.
• The "File, "Add Data Source" menu item when a case is open.

The data source must remain accessible for the duration of the analysis because the case contains a reference to the data
source. It does not copy the data source into the case folder.

Regardless of the type of data source, there are some common steps in the process:

1) You will be prompted to specify the data source to add (details are provided below)

at Add Data Source ter,

Steps Enter Data Source Information wizard (Step 1 of 3) Browse

1. Enter Data Source
Information

2. Configure Ingest Modules
3. Add Data Source

Select source type to add: Image File

Browse for an image file: ocal Disk

C: \data \ Logical Files

Please select the input bmezone: (GMT-5:00) America/New York

Ignore orphan files in FAT file systems
(faster results, although some data will not be searched)

Press 'Next to analyze the input data, extract volume and file system data, and populate a local database.

Cancel elp •

2) Autopsy will perform a basic examination of the data source and populate an embedded database with an entry for each file in
the data source. No content is analyzed in the process, only the files are enumerated.

3) While it is examining the data source, you will be prompted with a list of ingest modules to enable.

http://www.sleuthkitiorg/autopsy/docskiser-docs/ands_page.html 1/3

2015(//29 Autopsy User Documentation: Data Sources saw

jit. Add Data Source Configure Ingest Modules wizard (Step 2 of 3)

Steps Configure the ingest modules you would like to run on this data source.

1. Enter Data Source Information • Recent Activity
2. Configure Ingest Modules I Hash Lookup
3. Add Data Source • File Type Identification
J Archive Extractor
J Exif Parser

Keyword Search
J. Email Parser
Ci Extension Mismatch Detector
IJ E01 Verifier
J Android Analyzer
J Interesting Ales Identifier
▪ PhotoRec Carver

7/ Process Unallocated Space

Next >

4) After you configure the ingest modules, you may need to wait for Autopsy to finish its basic examination of the data source.

e ailler
cit. Add Data Source

Steps Add Data Source wizard (Step 3 of 3)
Processing data source and adding it to a local database. File analysis will start when this finishes.
I. Enter Data Source Information
2. Configure Ingest Modules
3. Add Data Source

NI

Status
Adding: Windows/System32/DriverStore/FileRepository/

*Ills process may take some time for large data sources.

r: ....Cancel

5) After the ingest modules have been configured and the basic examination of the data source is complete, the ingest modules
will begin to analyze the file contents.

You cannot remove a data source from a case.

Adding a Disk Image

Autopsy supports disk images in the following formats:

http://www.sleuthkitorg/autopsy/dacs/user-docs/3.1/ds_page.html 2/3

2015/1/29 Autopsy User Documentation: Data Sources

• Raw Single (For example: *.img, *.dd, *saw, etc)
• Raw Split (For example: *.001, ".002, *.aa, ".ab, etc)
• EnCase (For example: ".e01, *e02, etc)

To add a disk image:

1. Choose "Image File from the pull down.

2. Browse to the first file in the disk image. You need to specify only the first file and Autopsy will find the rest.
3. Choose the timezone that the disk image came from. This is most important for when adding FAT file systems because it

does not store timezone information and Autopsy will not know how to normalize to UTC.
4. Choose to perform orphan file finding on FAT file systems. This can be a time intensive process because it will require that

Autopsy look at each sector in the device.

Adding a Local Drive

Autopsy can analyze a local drive without needing to first make an image copy of it. This is most useful when analyzing a USB-
attached device through a write blocker.

Note that if you are analyzing a local drive that is being updated, then Autopsy will not see files that are added after you add it as
a data source.

You will need to be running Autopsy as an Administrator to view all devices.

To add a local drive:

1. Choose "Local Drive" from the pull down.
2. Choose the device from the pull down list.
3. Choose to perform orphan file finding. See comment in Adding a Disk Image about this setting.

Adding a Logical File

You can add files or folders that are on your local computer (or on a shared drive) without putting them into a disk image. This is
useful if you have only a collection of files that you want to analyze.

Some things to note when doing this:

Autopsy ignores the time stamps on files that it adds this way because they could be the timestamps when they were
copied onto your examination device.
If you have a USB-attached device that you are analyzing and you choose to add the device's contents using this method,
then note that it will not look at unallocated space or deleted files. Autopsy will only be able to see the allocated files. You
should add the device as a "Logical Drive" to analyze the unallocated space.

To add logical files:

1. Choose "Logical Files' from the pull down.
2. Press the "Add" button and navigate to a folder or file to add. Choosing a folder will cause all of its contents (including sub-

folders) to be added.
3. Continue to press "Add" until all files and folders have been selected.

All of the files that you added in the panel will be grouped together into a single data source, called "LogicalFileSet" in the main
UI.

Copyright © 2012-2015 Basis Technology. Generated on Wed Jul 29 2015
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.

http://www.sleuthkitorg/autopsy/docs/user-docs/3.1/ds_page.html 3/3

2015/7/29 Autopsy User Documentation: UI Layout

UI Layout

Overview

The major areas in the Autopsy User Interface (UI) are:

• Tree Viewer, shown outlined in green below
• Result Viewer, shown outlined in blue below
• Content Viewer, shown outlined in red below
• Keyword Search, shown outlined in yellow below
• Status Area, shown in solid purple below

Tree Viewer

More...
The tree on the left-hand side is find saved results from automated procedures (ingest). The tree has four main areas:

Data Sources: This shows the directory tree hierarchy of the file systems in the images. You can navigate to a specific file or directory here. Each data source
added is represented as a drive. If you add a data source multiple times, it shows up multiple times.
Views: Specific types of files from the data sources are shown here, aggregated by type or other properties. Files here can come from more than one data
source. Look here for files of a specific type or properly.
Results: Where you can see the results from the background ingest tasks and you can see your previous search results. Go here to see what was found by the
ingest modules and to find your previous search results.
Reports: References to reports that you have generated or that ingest modules have created show up here

Data Sources

The Data Sources section shows each data source that has been added to the case, in order added (top one is first). Right clicking on the various nodes in the Data
Sources section of the tree will allow you to get more options for each data source and its contents.

Unallocated space is chunks of the file system that is currently not being used for anything. Unallocated space can store deleted files and other interesting artifacts. On
the actual image, Unallocated space is stored in blocks with distinct locations on the system. However, because of the way various carving tools work, it is more ideal to
feed them a single, large unallocated file. Autopsy provides access to both methods of looking at unallocated space.

Individual blocks in a volume There is a folder named "Unalloc". This folder contains all the individual unallocated blocks as the image is storing them. You
can right click and extract them the same way you can extract any other type of file in the Directory Tree.
Single files Right click on a volume and select "Extract Unallocated Space as Single File" to concatenate all the unallocated files in the volume into a single,
continuous file. (If desired, you can right click on an image, and select "Extract Unallocated Space to Single Files" which will do the same thing, but once for each
volume in the image).

An example of the single file extraction option is shown below. Image Details
Extract Unallocated Spaceto Single Files
- 8 Images Open File Search by Attributes
Restart Ingest Modules
xP-sialv4. Collapse All
volt (Ur
volt Oct
vol3 fir

• Mews
- r Results

Extracted C

Views

Views filter all the files in the case by some external property of the file, not by any internal analysis of the file.

• File Type Sorts files by file extension, and shows them in the appropriate group. For example, .mp3 andway both end up in the "Audio" group.
• Recent Files Displays files that are accessed within the last seven days the user had the device.
• Deleted Files Displays files that have been deleted but the names have been recovered.
• File Size Sorts files based upon size. This can give you an idea where to look for files you are interested in.

Results

• Extracted Content: Many ingest modules will place results here; EXIF data, GPS locations, or Web History for example
• Keyword Hits: Keyword search hits show up here
• Hashset Hits: Hashset hits show up here
• E-Mail Messages: Email messages show up here
• Interesting Items: Things deemed interesting show up here

http://www.sleuthkiturg/autopsy/docs/user-docs/3.1/uilayout_page.htm140 tree 1/6

2015/7/29 Autopsy User Documentation: UI Layout

• Tags: My item you tag shows up here so you can find it again easily

Reports

Reports can be added by Ingest Modules or created using the Reporting tool.

Result Viewer

More...

The Result Viewer windows are in the upper right area of the interface and display the results from selecting something in the tree. You will have the option to display
the results in a variety of formats.

Right Click Functions

Viewers in Result Viewers have certain right-click functions built-in into them that can be accessed when a node a certain type is selected (a file, directory or a result).
Here are some examples that you may see:

• Open File in External Viewer: Opens the selected file in an "external" application as defined by the local OS. For example, HTML files may be opened by IE or
Firefox, depending on what the local system is configured to use.

• View in New Wndow Opens the content in a new internal Content Viewer (instead of in the default location in the lower right).
• Extract: Make a local copy of the file or directory for further analysis.
• Search for files with the same MD5 Hash: Searches the entire file-system for any files with the same MD5 Hash as the one selected.

Thumbnail Result Viewers

Thumbnail Results Viewer displays the data catalog as a table of thumbnail images in adjustable sizes. This viewer only supports picture files (Currently, only supports
JPG, GIF, and PNG formats). Click the Thumbnail tab to select this view. Note that for a large number of images in a directory selected in the Data Explorer, or for a
Mew selected that contains a large number of images, it might take a while to populate this view for the first time before the images are cached.

Example
Below is an example of "Thumbnail Results Viewer" window:

Rrectory Listing

‘pictores.001kvol0
Table View Thumbnai View

o es por tcOVO r• Prig welcome.orig device.prie aisies.pro Lighthouse.pg ZA-wpS.jpc Iiier- doxygen_bgo.gif Wrinkled_

default_thumbilloo 3560p-0 Mod

Table Result Viewers

Table Results Viewer (Directory Listing) displays the data catalog as a table with some details (properties) of each file. The properties that it shows are: name, time
(modified, changed, accessed, and created), size, flags (directory and meta). mode, user ID, group ID, metadata address, attribute address. and type (directory and
meta). Click the Table Viewer tab to select this view.

The Results Viewer can be also activated for saved results and it can show a high level results grouped, or a results at a file level, depending on which node on the
Directory Tree is selected to populate the Table Results Viewer.

http://www.sleuthkitorg/autopsy/docs/user-docs/3.1/uilayout_page.htmlkii tree 2/6

2015/7/29 Autopsy User Documentation: UI Layout

Example
Below is an example of a 'Table Results Viewer" window

Directory Listing Modified Time Changed Time Access Time Created Time Size Flags (Director Y)

octuries.ciot \voia
Table View Th,umbriad view

Name r
SFAT I
SPAT2
$MBR
SOrphanFiles

2.prig
8560p-014.gif
Clip_4130_5secfirnbps 11764.mp4

Lightbouse.7p9
WelcomeFax.Of
WrinHed_PaPer.glf
ZAN,P5.3Pg
daisies.png
default thumb.jpg
devicerpng
doxygenjOgo.gif
passportcover.Png
usechle21.bmp
userblen.bnip
userble23.bmp
weicome.png

Content Viewer

More...

The Content Viewer area is in the lower right area of the interface. This area is used to view a specific file in a variety of formats. There are different tabs for different
viewers. Not all tabs support all file types, so only some of them will be enabled. To display data in this area, a file must be selected from the Result Viewer window.
The Content Viewer area is pad of a plug-in framework. You can install modules that will add more viewer types. This section describes the viewers that come by
default with Autopsy.

Result Content Viewer

Content Viewer shows the artifacts (saved results) associated with the item selected in the Result Viewer.
Example Below is an example of "Result Content Viewer" window:

http://www.s I euthkitorg/autopsy/docs/user-docs/3.1 /ui I ayout_page.htm 1#ui _tree 3/6

2015/7/29 Autopsy User Documentation: UI Layout

arecbry LsOng Modified Time Changed Time AccezThe Created lime Size Hags(Drectcry) Flags(Meta) Mode User ID C
.
testing \vol3
Table View Thumbnail View
Name A

SFAT1
SFAT2
SKR
sOrphanFiles

FAT Recover (Volume Labd Envy)
allocated
deleted
frag-hold.txt
over, bit

Hex Content Viewer

Hex Content Viewer shows you the raw and exact contents of a file. In this Hex Content Viewer, the data of the file is represented as hexadecimal values grouped in 2
groups of 8 bytes, followed by one group of 16 ASCII characters which are derived from each pair of hex values (each byte). Non-printable ASCII characters and
characters that would take more than one character space are typically represented by a dot (".") in the following ASCII field.

Example
Below is an example of "Hex Content Viewer" window:

sestammvoistanocateatresident.txt

Hex View I Sling View

Page: 1 of 1 Page I Example of Hex Content Viewer Tab

0x000000: 42 72 41 64 79 23 51 73 69 61 65 20 53 65 EC ES Brady Quinn Sale
0x000010: 63 74 66 64 20 61 73 20
0x000020: 20 41 6C 6C 2D 41 ED 65 43 69 61 67 75 EC 61 72 cted as Singular
0x000030: 79 ES 72 20 6F 66 20 74
72 69 63 El 20 50 6C 61 All-America Pit
x000040, OA OD OA 51 75 69 6E El
0x000050: 64 20 4F 68 69 EF 20 53 65 65 20 59 ES 61 72 OD yer of the Year_
0x000060: 72 74 65 72 62 61 63 69
0x000070: 69 74 68 2C 20 52 75 74 20 64 65 66 65 El 74 6S ..Chinn defeate

Ox000060, 6E 0 63 67 20 62 61 63 74 61 74 ES 20 71 75 61 d Ohio State qua
0x000090: 63 65 20 61 61 64 20 49
Ox0000a0: 61 72 74 65 72 62 61 63 20 54 72 EF 79 20 53 6D rterback Troy Sm
Ox0000b0: 72 65 6F GE 61 E2E OD
Ox0000c0: 39 2C 20 32 30 30 37 OD 67 65 72 73 20 72 75 51 ith, Rutgers run
Ox0000d0: 54 41 20 2D 20 41 20 72
Ox0000e0: 74 74 69 6E 67 20 4! 75 63 20 S2 61 79 20 52 69 uing back Ray Ri

x0000E0: 63 68 6C 6C CS 67 65 20 El 77 61 69 69 20 71 75 re and Hawaii cu
0x000100: 20 66 61 6E 73 20 68 61
0x000110: 74 62 65 69 72 20 62 61 EH 20 43 EF EC 74 20 42 arterback Colt 2
0x000120: EE 64 20 GE EF 72 20 74
0x000130: 20 73 74 72 61 69 67 62 OA OD OA 4P_ 61 EE 2E 20 rennan Jan.
0x000140: 62 65 69 72 20 76 61 69
0x000193: 72 73 20 66 72 ET 6D 20 OA OD OA 41 54 40 41 41
9X090.160:_51.. 29 65 7,a, 29 _cs 12 74
65 63 6F 72 64 20 73 ES TA - A record se

6D 62 65 72 20 6F 66 20 fling nurber of

66 6F EF 74 52 61 EC EC college football

76 65 20 63 El 73 74 20 fans have cast

EC EC 6F 74 73 2C 20 61 their ballots, a

6E 65 20 74 68 69 72 64 nd for the third

74 20 79 65 61 72 20 74 straight year t

63 ES 20 64 69 66 66 ES heir voice diffe

74 66 45 20 ED 65 64 69 rs from the medi

73 _ZE OD QAOalCIA 1.1?exotrze.- N

Media Content Viewer

The Media Content Viewer will show a picture or video file. Video files can be played and paused. The size of the picture or video will be reduced to fit into the screen.
If you want more complex analysis of the media, then you must export the file.

If you select an non-picture file or an unsupported picture format on the "Result Viewers", this tab will be disabled.

Example
Here's one of the example of the "Media Content Viewer":

http://www.sleuthkitorg/autopsy/docs/user-docs/3.1/uilayout_page.html&i_tree 4/6

2015/7/29 Autopsy User Documentation: U I Layout

1131c-tures 001Wo101doxygen jogo.gif
Hex view Picture View String view]

String Content Viewer

The String Content Viewer scans (potentially binary) data of the file / folder and searches it for data that could be text. When appropriate data is found, the String
Content Viewer shows data strings extracted from binary, decoded, and interpreted as UTF 8/16 for the selected script/language.

Note that this is different from the Text Content Viewer, which displays the text for a file that is stored in the keyword search index. The results may be the same or
they could be different, depending how the data is interpreted by the indexer.

Example
Below is an example of "String Content Viewer" window:

HeflIew String View [ Page GOWPage: script: Late - Basc
Page: 1 of 4

bjbs

STEEM

IA) KEY PSPFORMANCE INDICATOR (MT,

KEY FERFORMANCS INDICATOR BASED ON KEY OBJECTIVES/TASKS )SMART)-TEMMICAL SHILLS

FOR THE FY-2009-10 101.07.09 to 09.03.10) )601 Aggregate Weightage)

Name: Muhammad Bashi": Job Title: Dy. chief Engineer:DI, Lahore Area Grade

Vt-HO Department, Management

Specific task 'What is task or objective? Attach details if appropriate)

Measures )Standards if parameters) KPI

Agreed :is

Realistic ;islit?)

Tidings (Start/ finish dates'

Neightage

Corm

GIG related activities

To supervise job of above ground leakage recification of 234 SMSs 1972 T3Ss for reduction in CMG

To supervise job of above ground leakage rectification of SEM industrial CMS' for reduction in OFF
To study monthly' gamconsusvcion pattern of industrial consumers including CMGs whose meters were

replaced by regions on observation of Transmission Teak Force.

Miscellaneous

To coordinate with HOD, / Aegional Heads for preparation of outstanding completion reports.

To record minutes of meeting, of Distribution Development, 010 Control, Projects Capitalisation and

GIG Review Committee.

To prepare annual budget and ensure that DJO / TA to DIM budget is not overrun_

Text Content Viewer

Text Content Viewer uses the keyword search index that may have been populated during Image Ingest. If a file has text stored in the index, then this tab will be
enabled and it will be displayed to the user if a file or a result associated with a file is selected.

This tab may have more text on it than the "String View", which relies on searching the file for text-looking data. Some files, like PDF, will not have text-looking data at
the byte-level, but the keyword indexing process knows how to interpret a PDF file and produce text. For the files the indexer knows about, there may be the
METADATA section at the end of the displayed extracted text. If an indexed document contains any metadata (such as creation date, author, etc), it will be displayed
there. Note that, unlike the "String View", the Text View does not have its built-in settings for the script/language to use for extracted strings. This is because the
script/language is used at indexing time, and that setting is associated with the Keyword Search indexer, not the viewer.

If this tab is not enabled, then either the file has no text or you did not enable Keyword Search as an ingest module. Note that this viewer is also used to display
highlighted keyword hits when operated in the "Search Matches" mode, selected on the right-hand side of the viewer's toolbar.

http://www.sleuthkitorgrautopsy/docs/user-docs/3.1/uilayout_page.htmliMiiree 5/6

2015/7/29 Autopsy User Documentation: UI Layout

Result View I Hex Inewi String View Text View 3, Page: 39 of 68 Page Search Matches m
Matches on page; 1 of 49 Matth

Morphball Bomb double jump

When in Morph Ball mode, lc is possible to do a double jump with •
little innovation. Deploy a bomb, wait about asecond, then deploy
a second bomb. The first bomb you deployed should mend you into
the air. While in the air, immediately before the peak of your
jump, deploy your third and final boob. As you descend again, the
second boob you deployed should once again send you airborne,
while the third bomb that is in the air should send you up even
higher. With some practice, this should come naturally. Remember
that timing is key.
Get Baby Metroids to do your dirty work

Keyword Search

Keyword Search allows the user to search for keywords in the data source. It is covered in more detail here: Keyword Search Module

Status Area

The Status area will show progress bars while ingest is occuring. This visually indicates to the user what portion of the processing is already complete. The user can
click on the progress bars to see further detail or to cancel ingest jobs.

Copyright © 2012-2015 Basis Technology. Generated on Wed Jul 29 2015
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.

http://www.sleuthkitorg/autopsy/docs/user-docs/3.1/uilayout_page.html#ui_tree 6/6

2015/7/29 Autopsy User Documentation: Ingest Modules

Ingest Modules

Ingest modules analyze the data in a data source. They perform all of the analysis of the files and
parse their contents. Examples include hash calculation and lookup, keyword searching, and web
artifact extraction.

Immediately after you add a data source to a case (see Data Sources), you will be presented with a
dialog to configure the ingest modules to run on it. Once configured, they will run in the background
and provide you real-time results when they find relevant information.

This page covers the use of ingest modules. Specific pages will cover the configuration of specific
modules. See Installing 3rd-Party Modules for details on installing 3rd-party ingest modules.

Multi-threaded and Priority

Ingest modules are configured to find user content quickly. The ingest modules are grouped into
pipelines and each file goes down the pipeline, module by module. A pipeline may have modules in the
following order:

MDWSHAt Hash File Type Open ZIP EXIF Add Text to •••
Hash Lookup ID Files Extraction Keyword
Index
Calculation

Multiple pipelines may be running at the same time. By default, two pipelines are running, but you can
add more depending on how many cores you have on your system. You can configure the number of
pipelines to make in the "Tools", "Options", "General" area.

Autopsy prioritizes user content over other types of files and will send data from the "Documents and
Settings" folder or "Users" folder into the pipelines before the "Windows" folder. It prioritizes each folder
in the system to ensure that user content is analyzed before other content.

Running Ingest Modules

There are two ways to start ingest modules:

1. Immediately after you add a data source
2. By right-clicking on a data source from the tree in the main interface and choosing "Run Ingest

Modules"

Once ingest is started, you can review the currently running ingest tasks in the task bar on the bottom-
right corner of the main window. The ingest tasks can be canceled by the user if so desired.

Note: sometimes the cancellation process may take several seconds or more to complete
cleanly, depending on what the ingest module was currently doing.

Configuring Ingest Modules

http://www.sleuthkit.org/autopsy/docs/user-docs/3.1/ingest_page.html 1/3

2015/7/29 Autopsy User Documentation: Ingest Modules

You will be presented with an interface to configure the ingest modules. From here, you can choose to

enable or disable each module and some modules will have further configuration settings.

[.:select-ingest-modules.png

There are two places to configure ingest modules. When you select the module name, you may have
some "run time" options to configure in the panel to the right. These are generally settings that you
may want to change from image to image.

There may also be an "Advanced" button that is enabled in the lower corner. Pressing this button
allows you to change global settings that are not specific to a single image. This advanced
configuration panel can often be found in the "Tools", "Options" menu too.

As an example, the hash lookup module will allow you to enable or disable hash databases in the "run
time" options panel, but requires you to go to the "Advanced" dialog to add or remove hash databases
from the Autopsy configuration.

Viewing Ingest Module Results

Ingest modules run in the background. An ingest module can provide you results in a variety of ways,
but we recommend specific methods:

1. If they post results to the Blackboard, then you will find them in the "Results" area of the tree in
the main interface.

2. They can send a message to the Ingest Inbox so that you get a message each time something
really important is found.

O - Keyword Lists Q.

g
1 Results

Module Num New, Subject Timestamp

ra=,1 itelf , -,_ 13:48:03

Recent Activity Started Demo liD.E01

Recent Activity 1 • Hnished Demo H1)211 - Ho emirs rep... 13:49:43

Recent Activity 1 • Demo HD-E01- Browser Results 13:49A3

: Vii ' I I.:Lai _ CL;---4,`..4.11 f t.. 1,,,,,tra) _

Recent Activity Started Demo ilD.E01 14:0320

Recent Activity 1 • tithed Demo 1111)..H11 - No cirors rep... 14:05:31

Recent Activity I Desna 1M.E01 - Browser Results 14:0531

Sort by: Time Total: 8 Unique: S

http://www.sleuthkitorg/autopsy/docs/user-doos/3.1/ingest_page.html A

2/3

2015/7/29 Autopsy User Documentation: Ingest Modules

3. If the module is a wrapper around another forensics tool, they may simply provide a link to the

output of that tool, in which case you will see a new entry in the "Reports" area of the tree.

All of the official Autopsy modules send results to the blackboard, but if you install third-party apps, then
they may choose any approach — including a pop-up window each time they find something.

Copyright © 2012-2015 Basis Technology. Generated on Wed Jul 29 2015
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.

http://www.sleuthkitorg/autopsy/docs/user-docs/3.1ringest_page.html 3/3

2015f7/29 Autopsy User Documentation: Recent Activity Module

Recent Activity Module

What Does It Do

The Recent Activity module extracts user activity as saved by web browsers (including web searches),
installed programs, and the operating system. It also runs Regripper on the Registry hive.
This allows you to see what activity has occured in the last seven days of usage, what web sites were
vistied, what the machine did, and what it connected to.

Configuration

There is nothing to configure for this module.

Using the Module

Ingest Settings

There are no run-time settings for this module.

Seeing Results

Results show up in the tree under "Extracted Content".

is.extracted_content.png

Copyright © 2012-2015 Basis Technology. Generated on Wed Jul 29 2015
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.

http://www.sleuthkitorg/autopsy/docs/user-docs/3.1/recent_activity_pageihtml 1/1

2015f7/29 Autopsy User Documentation: Hash Database Lookup Module

Hash Database Lookup Module

What Does It Do

The Hash Database Lookup Module calculates MD5 hash values for files and looks up hash values in a
database to determine if the file is known bad, known (in general), or unknown.

Configuration

The Hash Database Management window is where you can set and update your hash database
information. Hash databases are used to identify files that are 'known'.

• Known good files are those that can be safely ignored. This set of files frequently includes
standard OS and application files. Ignoring such uninteresting-to-the-investigator files, can
greatly reduce image analysis time.

• Known bad (also called notable) files are those that should raise awareness. This set will vary
depending on the type of investigation, but common examples include contraband images and
malware.

Notable / Known Bad Hashsets

Autopsy allows for multiple known bad hash databases to be set. Autopsy supports the following
formats:

• EnCase: An EnCase hashset file.
• MD5sum: Output from running the md5, md5sum, or md5deep program on a set of files.
• NSRL: The format of the NSRL database.
• HashKeeper: Hashset file conforming to the HashKeeper standard.

Adding Hashsets

Autopsy needs an index of the hashset to actualy use a hash database. It can create the index if you
import only the hashset. When you select the database from within this window, it will tell you if the
index needs to be created. Autopsy uses the hash database management system from The Sleuth Kit.
You can manually create an index using the 'hfind' command line tool or you can use Autopsy. If you
attempt proceed without indexing a database, Autopsy will offer to automatically produce an index for
you. You can also specify only the index file and not use the full hashset - the index file is sufficient to
identify known files. This can save space. To do this, specify the .idx file from the Hash Database
Management window.

Using Hashsets

There is an ingest module that will hash the files and look them up in the hashsets. It will flag files that

http://www.sleuthkitorg/autopsy/docs/user-docs/3.1/hash_db_page.html 1/3

2015/7/29 Autopsy User Documentation: Hash Database Lookup Module

were in the notable hashset and those results will be shown in the Results tree of the Tree Viewer.

Other ingest modules are able to use the known status of a file to decide if they should ignore the file or

process it. You can also see the results in the File Search window. There is an option to choose the

'known status'. From here, you can do a search to see all 'known bad' files. From here, you can also

choose to ignore all 'known' files that were found in the NSRL. You can also see the status of the file in
a column when the file is listed.

NIST NSRL

Autopsy can use the NIST NSRL to detect 'known files'. The NSRL contains hashes of 'known files' that
may be good or bad depending on your perspective and investigation type. For example, the existence
of a piece of financial software may be interesting to your investigation and that software could be in
the NSRL. Therefore, Autopsy treats files that are found in the NSRL as simply 'known' and does not
specify good or bad. Ingest modules have the option of ignoring files that were found in the NSRL.

To use the NSRL, you may download a pre-made index from
http://sourceforge.net/projects/autopsy/files/NSRL. Download the NSRL-XYZm-autopsy.zip (where
'XYZ' is the version number. As of this writing, it is 247) and unzip the file. Use the "Tools", "Options"
menu and select the "Hash Database" tab. Click "Import Database" and browse to the location of the
unzipped NSRL file. You can change the Hash Set Name if desired. Select the type of database
desired, choosing "Send ingest inbox message for each hit" if desired, and then click "OK".

Lr.insrl_import_process.PNG

The screenshot below shows an imported NSRL.
imported.PNG

Using the Module

Ingest Settings

When hashsets are configured, the user can select the hashsets to use during the ingest process.
[eiiash-lookup.png

Seeing Results

Results show up in the tree as "Hashset Hits", grouped by the name of the hash set.

http://www.sleuthkitorg/autopsy/docs/user-docs/3.1/hash_db_page.htm I 2/3

2015/7/29 Autopsy User Documentation: Hash Database Lookup Module

1.11hashset-hits.png

Copyright © 2012-2015 Basis Technology. Generated on Wed Jul 29 2015
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.

http://www.sleuthkitorg/autopsy/docs/user-docs/3.1/hash_db_page.html 3/3

2015/7/29 Autopsy User Documentation: File Type Identification Module

File Type Identification Module

What Does It Do

The File Type ID module identifies files based on their internal signatures and does not rely on file
extensions. Autopsy uses the Tika library to do its primary file ID detection and that can be customized
with user-defined rules.

You should enable this module because many other modules depend on its results to determine if they
should analyze a file. Some examples include:

• Extension Mismatch Detector Module
• Keyword Search Module

Configuration

You do not need to configure anything with this module unless you want to define your own types. To
define your own types, go to "Tools", "Options", "File Type Id" panel.

From there, you can define rules based on the offset of the signature and if the signature is a byte
sequence of an ASCII string.

Lirifiletype.png

Using the Module

Ingest Settings

There are no run-time settings for this module when you run it on a data source. All user-defined and
Tika rules are always applied.

Seeing Results

This module does not have obvious impacts in the user interface, though it is used by many other
modules.

To see the file type of an individual file, view the "Results" tab in the lower right when you navigate to
the file. You should see a page in there that mentions the file type.

The Views area of the tree does not take the results of this module into account. That part of the tree
relies on extension. We will be upating it in the future to rely on extension when there is no output from
this module for the file.

Copyright © 2012-2015 Basis Technology. Generated on Wed Jul 29 2015 1/1
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.

http://wwwsleuthkit.org/autopsy/docs/user-docs/3.1/file_type jdentificationpage.html

2015/7/29 Autopsy User Documentation: Extension Mismatch Detector Module

Extension Mismatch Detector Module

What Does It Do

Extension Mismatch Detector module uses the results from the File Type Identification and flags files that have an extension not traditionally associated
with the files detected type. It ignores 'known' (NSRL) files. You can customize the MIME types and file extensions per MIME type in "Tools". "Options",
"File Extension Mismatch".

This detects files that someone may be trying to hide.

Configuration

One can add and remove MIME types in the "Tools", "Options", "File Extension Mismatch" dialog box, as well as add and remove extensions to particular

MIME types. 142.1.1
c$ Options

(Cfr'+F)

Autopsy Keyword Search Hash Database Hie Extension Msmatch FileTypeld Interesting Pies eti
General

Fie Types: Allowed Extensions fontideo/mPe9:
Extension
MIME Type mlv
image/tiff 2v
imagehnd.adobe.photoshap Pe
tinage/x4con mpeg
image/mils-Imp mpg
image/xi-ow -nikon mPV
text/html
textiplam Add Extension
video/39PP Remove Selected Extension
mdeolmo4
videctiblPeg
video/pidctime
Indeo/x-flv
video/x-m4v
video/x-ms 9sf

Add Type

Remove Selected Type

difinurd,

Cancel 1

Using the Module

Note that you can get a lot of false positives with this module. You can add your own rules to Autopsy to reduce unwanted hits.

Ingest Settings

In the ingest settings, the user can choose if the module should skip files without extensions and skip text files. Both of these options are enabled by
default.

http://www.sleuthkitorg/autopsy/docs/usendocs/3.1/extension_mismatch_detector_page.html 1/2

2015/7/29 Autopsy User Documentation: Extension Mismatch Detector Module

Ingest Modules

D Recent Activity V Skip files without extensions
Hash Lookup
E Fie Type Identification 7 Skip text files
Ardive Extractor
D CAE Parser
Keyword Search
7ti1t Email Parser
Li Extension Mismatch Detector
EOltierrfier
E Android Andyzer
Intewsting Files Identifier
r2 PhotoRec Carver
Li
L•—_Li
D

E

7 Process Unallocated Space Flags rtes that have a non-standard ex... Advanced

Start Close

Seeing Results

Results are shown in the Results tree under 'Extension Mismatch Detected".

easel - Autopsy 3.12

File View Tools Window Help

4 Close Case slos Add Data Source Is, Generate Report 8

F„ Data Sources Directory Listing
Extension Msmatch Detected
:3 Demo HD.E01 ' I Table I Thumbnail

• [1] LograrideSet1 (1) Source Fie
IX- a smaI2.rmg -- login.js
iitt smatl2rmg
• ,S11 small2img skype.mki[1].js
x a thunderbwd small mage.dd rs=AI1RSTPVeculs7OulGLthrh6EQdVlvfbQ
ti ouiook.dd dapmsn[1].js
▪ co Veils 01110s
,tt Ci Results 0(2).js
1:- Exracted Content SignUpDone(1).htm
SetSID[1].htm
Devices Attached (17) - IcluerY 81111.1S
EGF Metadata (63) - trtspecilet[I].js
Extenson Sksmatth Detected (103) - FinishSign1n(1].htrn
Installed Programs (38) went-1[118s
Operating System Information (2) I - skypenin[1].$
dt Operabrg System User Account (4) rs=AltFt5TOTby2v600YSuGyjFIQL-OTGPSUc
Recent Documents (13) - NenSerOceAccount[1].htrn
* Web Bookmarks (20) • modernin[1].js
4 Web Cookies (240) js_nWM043nndAx0.XRZNIeuPOTO7RN11ren
4 Web Downloads (1)
I Web History (21)
ia Web Search (4)
h. Kentordlits

Copyright 02012-2015 Basis Technology. Generated on Wed Jul 29 2015
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.

http://www.sleuthkit.org/autopsy/docs/user-docs/3.1/extension_mismatch detector_page.html 2/2

2015/7/29 Autopsy User Documentation: Keyword Search Module

Keyword Search Module

What Does It Do

The Keyword Search module facilitates both the ingest portion of searching and also supports manual text searching after ingest has completed_ It extracts text from
the files being ingested and adds them to a Solr index that can then be searched.

Autopsy tries its best to extract the maximum amount of text from the files being indexed. First, the indexing will try to extract text from supported file formats, such as
pure text file format, MS Office Documents, PDF files, Email, and many others. If the file is not supported by the standard text extractor, Autopsy will fall back to a string
extraction algorithm. String extraction on unknown file formats or arbitrary binary files can often extract a sizeable amount of text from a file, often enough to provide
additional clues to reviewers. String extraction will not extract text strings from encrypted files.

Configuration

Autopsy ships with some built-in lists that define regular expressions and enable the user to search for Phone Numbers, IP addresses, URLs and E-mail addresses.
However, enabling some of these very general lists can produce a very large number of hits, and many of them can be false-positives. Regular expressions involving
backtracking can potentially take a long time to complete.

Once files are placed in the Solr index, they can be searched quickly for specific keywords, regular expressions, or keyword search lists that can contain a mixture of
keywords and regular expressions. Search queries can be executed automatically during the ingest run or at the end of the ingest, depending on the current settings
and the time it takes to ingest the image.

Keyword Search Configuration Dialog

The keyword search configuration dialog has three tabs, each with it's own purpose:

• The Lists tab is used to add, remove, and modify keyword search lists.
• The String Extraction tab is used to enable language scripts and extraction type.
• The General tab is used to configure the ingest timings and display information.

To create a list, select the 'New List' button and choose a name for the new Keyword List. Once the list has been created, keywords can be added to it. Regular
expressions are supported using Java Regex Syntax. Lists can be added to the keyword search ingest process; searches will happen at regular intervals as content is
added to the index.

List Import and Export
Autopsy supports importing Encase tab-delimited lists as well as lists created previously With Autopsy. For Encase lists, folder structure and hierarchy is currently
ignored. This will be fixed in a future version. There is currently no way to export lists for use with Encase. This will also be added in future releases.

Lists tab

cit Options

Q Eller ;.Chl+F)

Autopsy Keyword Search Hash Database File Extension Mismatch FileTypetd Interesting Flee General
RegEx
Lists String Extraction Weneral Keywords:

Keyword List: Keyword
Superheros
gangs
violence
terronsts

Keyword Options

r Add

I.!Regular Expression

r Remove Selected

List Options -
./. Send ingest inbox messages for each hit

* Export List LEI Copy use x Delete List

New List * Import List

String extraction setting Cancel
http://www.sleuthkit.org/autopsy/docs/user-docs/3.1/keyword_search_page.html 1/5

2015/7/29 Autopsy User Documentation: Keyword Search Module

The string extraction setting defines how strings are extracted from files from which text cannot be extracted because their file formats are not supported. This is the
case with arbitrary binary files (such as the page file) and chunks of unallocated space that represent deleted files. 1A/hen we extract strings from binary files we need
to interpet sequences of bytes as text differently, depending on the possible text encoding and scripVlanguage used. In many cases we don't know in advance what the
specific encoding/language the text is encoded in. However, it helps if the investigator is looking for a specific language, because by selecting less languages the
indexing performance will be improved and the number of false positives will be reduced.

The default setting is to search for English strings only, encoded as either UTFB or UTF16. This setting has the best performance (shortest ingest time). The user can
also use the String Viewer first and try different script/language settings, and see which settings give satisfactory results for the type of text relevant to the investigation.
Then the same setting that works for the investication can be applied to the keyword search ingest.
String Extraction tab

4 Options • Hash Database File Extension Mismatch FileTypeld Interesting Res d)it)
Keyword Search bareL
5 General

Autopsy

Lists1 string Extraction General

Ingest settings for shing extraction Com taiknown file types (changes effective on next irgese:
yt_ Enable UTE 161E and UTF 168E string extracton
', Enable uTF8 text extraction

Enabled scripts Bancuages):

Lath - Basc (Engish)
Lath Ext.pdal (European)
Arabic (Arabic)

— Cyrillic (Russian, &Agahan, Serbian, Mddovar)
Han (Chinese, Japanese, Korean)
Hragana (Japanese)
!Catalonia (Japanese)
Hangul (Korean)
Armenian (Armenian)

E Bengal (Bengal)
▪ Khmer (Cambodan)
▪ Ethiopic (Etboopx)

Georgian (Georgian)
— Hebrew (Hebrew)
7_ Lacher, (Laotian)

Mongdian (Mongoian)

1 — Thai (Thai)

Cancel

General Settings

NIST NSRL Support
The hash database ingest service can be configured to use the NIST NSRL hash database of known files. The keyword search advanced configuration dialog
"General tab contains an option to skip keyword indexing and search on files that have previously marked as "known" and uninteresting files. Selecting this option can
greatly reduce size of the index and improve ingest performance. In most cases, user does not need to keyword search for "known" files.

Result update frequency during Ingest
To control how frequently searches are executed during ingest, the user can adjust the timing setting available in the keyword search advanced configuration dialog
"General" fah. Setting the number of minutes lower will result in more frequent index updates and searches being executed and the user will be able to see results
more in real-time. However, more frequent updates can affect the overall performance, especially on lower-end systems, and can potentially lengthen the overall time
needed for the ingest to complete.

One can also choose to have no periodic searches. This will speed up the ingest. Users choosing this option can run their keyword searches once the entire keyword
search index is complete.

General tab

http://www.sleuthkitiorg/autopsy/docs/user-docs/3.1/keyword_search_page.html 2/5

2015/7/29 Autopsy User Documentation: Keyword Search Module
. Options

Autopsy Keyword Starch Flash Database File Extension Msmatch FileTypeld Interesting Files 192,i 7-)
r.a4,0

General

lists I String Exracboj General',

Settings

J. Do not add files n NSRL ((mown files) to keyword index during ingest
Show Keyword Preview in Keyword Search Results (wil result in longer search

Results update frequency during ingest:
20 minutes (slowest feedback, fastest Nest)
10 minutes (dower feecbadc, faster ingest)
minutes (detail°

j 1 innute (faster feecback, longest hoes°
No periodic searches

Information

Files in keyword index: 60110

Chunks in keyword index: 44235

L (:41 CancelJ

Using the Module

Search queries can be executed manually by the user at any time, as long as there are some files already indexed and ready to be searched. Searching before
indexing is complete will naturally only search indexes that are already compiled.
See Ingest for mare information on ingest in general.
Once there are files in the index, the Keyword Search Bar will be available for use to manually search at any time.

Ingest Settings

The Ingest Settings for the Keyword Search module allow the user to enable or disable the specific built-in search expressions, Phone Numbers, IP Addresses, Email
Addresses, and URLs. Using the Advanced button (covered below), one can add custom keyword groups.

Ingest Modules Select keyword lists to enable during nest:
J Phone Numbers
I Recent Activity P Addresses
[ Hash Looki_p Email Addresses
Uas
File Type Identification . • OS
[ j Archive Extractor
Scripts enabled for sting extraction from unknown file types:
! Eat Parser
yword Search Latin -Basic

[I_ Emai Parser Encodngs: UTFB, UTF16
[ Extension Mismatch Detector

E01 Yeller
Android Analyzer
r Interesting files Identifier
I I PhotoRec Carver

K jProcess Unallocated Space LPerforms file indexn and pew& sear... Advanced

r Close

Keyword Search Bar

The keyword search bar is used to search for keywords in the manual mode (outside of ingest). The existing index will be searched for matching words, phrases, lists,
or regular expressions.

Individual Keyword Search
Individual keyword or regular expressions can quickly be searched using the search text box widget. You can select "Exact Match", "Substring Match" and "Regular

http://www.sleuthkit.org/autopsy/docs/user-doc.s/3.1/keyword search_page.html 3/5

201517/29 Autopsy User Documentation: Keyword Search Module
Expression" match.

0 • Keyword Lists ck. Keyword Search

television Substreg Match Search
a Exact Matth Reglar BspressTon

Results will be opened in a separate Results Viewer for every search executed and they will also be saved in the Directory Tree as shown in the screenshot below.

cti casel - Autopsy 3.1.2 • O- Keyword List Oc. Keyword

File View Tools Window Help Dvecbary Labia ch I - Car a Keyword search z -Television se Keyword sear dI 3 - u
Keyword
410 Close Case + Add Data Scarce k Generate Report - Telewaon
• ' Table Thumbnali :
Extension Mismatch Detected (103)
1d Installed Programs (38) I Source He Keyword Preview
cu, Operating System Information (2) ,
at Operating System User Account (9)
-1/2 Recent Dcoirnents (18) medeinfo.d1
if Web Bookmarks (20)
• vleb Cookies (210) 3rd Intematr.nal ICSTConf on rY' are) Cyber. from the ctelewsion. shovers 'The Moppets' and 'Illuccet Babes'
4 Web Downloads (1)
S' Web Hstory (21) , OE EnKientDb.edb That Jr.
• Web Search (4)
Keyword Hit DDORes.dll.mui

&role Literal Keyword Search (395) Hex I Stores Mebdata 1 Remits T Sear[
Car (97) Matches on page: 1 of 3 Match 9 Page: 1 of 1 Page
Movie (234)
Television (12) Figg.. 3: Identify Adult versus Child- Major League and Little League Baseball logos.
now (46) Ill The television, movie, and advertising industries have a savvy awareness of market demograj
victor (4)
and of viewer psychology and perception_ Though the puppet and cartoon characters are obv
4 Single Regular Expression Search (0) not human, their facial characteristics and proportions, body proportions, and other viana.
tee Hashset Hits allow viewers to distinguish the characters es either adults or juveniles based upon visua.
4. be,E-Mal Messages
T * Interesting Items and with television upon additional audible cues

Tags This is an image depicting a child sitting on an adult's lap. How accurate do yo
Reports k the depictions of the adult as an adult and the child as a child is, and why?

Keyword List Search
Lists created using the Keyword Search Configuration Dialog can be manually searched by the user by pressing on the 'Keyword Lists' button, selecting the check
boxes corresponding to the lists to be searched, and pressing the 'Search' button.

Name O - Keyword Lists
superman RegEx
renown
batman

8202
thor
told
veer
colons Prim

Files Indexed: 60,110 Manage Lists
Search

The results of the keyword list search are shown in the tree, as shown below.

http://www.sleuthkitorg/autopsy/doosiuser-docs/alikeyword_search_page.html 4/5

2015/7/29 Autopsy User Documentation: Keyword Search Module

easel - Autopsy 11.2
file Mice :fools Window Help

Close Case + Add Data Source L Generate Report '4

' Directory Listing ad search 5 -SuPerraan Farm...
Reswith Hits
Web Search-(4) ISuperheros
et . Keyword Flits I
ttt I

I Table

. Single Literal Keyword Sear& (395) List Name
. So* Regular Expression Search (0) . R2)2(t)
. batman (8)
s (5) . hulk (8)
. IP Addresses (3700)
. Ernai Addresses (549)

&aro; (43) ironman (1)

. R202 (I) . lob (7)
. batman (8) . superman (1)
. hulk (8) . thor (4)
. Forman (1) . viper (13)
. lob (7)

. superman (1)

. thor (4)
. viper (13)

Searching during ingest
Manual search for individual keywords or regular expressions can be executed while ingest is ongoing, using the current index. Note however, that you may miss some
results if the entire index has not yet been populated. Autopsy enables you to perform the search on an incomplete index in order to retrieve some preliminary results
in real-lime.

During the ingest, the manual search by keyword list is deactivated. A newly selected list can instead be added, and it will be searched in the background instead.

Keywords and lists can be managed during ingest.

Seeing Results

The Keyword Search module will save the search results regardless whether the search is performed by the ingest process, or manually by the user. The saved results
are available in the Directory Tree in the left hand side panel.

To see keyword search results in real-time while ingest is running, add keyword lists using the Keyword Search Configuration Dialog and select the "Use during
ingest" check box. You can select "Send messages to inbox during ingest" per list, if the hits on that list should be reported in the Inbox, which is recommended for very
specific searches.

Copyright t2012-2015 Basis Technology. Generated on Wed Jul 29 2015
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.

ht1p://www.sleuthkitiorg/autopsy/docs/user-docs/3.1/keyword_search_page.html 5/5

2015/7/29 Autopsy User Documentation: Embedded File Extraction Module

Embedded File Extraction Module

What Does It Do

The Embedded File Extractor module opens ZIP, RAR, other archive formats, Doc, Docx, PPT, PPTX, XLS, and XLSX and sends the
derived files from those files back through the ingest pipeline for analysis.
This module expands archive files to enable Autopsy to analyze all files on the system. It enables keyword search and hash lookup to
analyze files inside of archives
NOTE: Certain media content embedded inside Doc, Docx, PPT, PPTX, XLS, and XLSX might not be extracted.

Configuration

There is no configuration required.

Using the Module

Select the checkbox in the Ingest Modules settings screen to enable the Archive Extractor.

Ingest Settings

There are no runtime ingest settings required.

Seeing Results

Each file extracted shows up in the data source tree view as a child of the archive containing it,

http://www.sleuthkit.org/autopsy/docs/user-docs/3.1/embedded_file extractor_page.html 1/3

2015/7/29 Autopsy User Documentation- Embedded File Extraction Module

Mozilla Maintenance Service (5) Directory Listing
1! Real (4) Log Demo_HD.E01/vol_vol2/Program Files (x86)/Rea

▪ ,1 RealPlayer (83) Table Thumbnail

CDBurning (10) Name Location
• Codecs (25)
_MACOSX Senn HD.
42, Common (18)
btn_up.png !Imo emo _HO
_t, DataCache (28)
Degices (30) bth_upgraY.Png jimg_Cienlo_HO
devices.vs (13) ,0 footer_cdburn.png
t cdburning (29)
crt• 1 images (18) gr icitcancelburn.png limg_Lierno_HD
• IL sidebar (58)
icn_newdevice.png
rE• stdebar.zip (27)
im_pd_editoptions.png frng_Cierno_HD.
MACOSX (18)
icitremovedevice.png ing_Lieri10±D,
.4„ status (21)
icon addremove.png )img_Derno_HO.
Filters (4) hmg_Derno
1 Flash (4) fir icon_addtocd.png

library (3) g icon addtodevice • png frrEgfiemcpHD.
mpaplugins (22) s icon_addtodvd.png ThIg_DemoHD.
Netscape6 (5)
LI j Plugins (80) icon_burnanother.png rdn~_Demo HD.
Producer (3)
▪ rcaplugins (17) 0: icon_burnanothercopy.png DerrioHO.

rOPlugins (36) icon_canceltransfer.png pmg_De 100_HO.
c )2. Setup (7)
0 icon cdburner.bmp 'trig De mo_HO,
templates (3)
$ 1, Update (17) icon cdburner.png

11. Visualizations (8) icon_cdeditopions.png frrigDemo_HD.
converter.vs (184)
0 icon cdtasks.png
RI normal.vs (770)
sharemecha.vs (33) icon_devicetasks.png
ssmages.vs (21)
0 icon_ejectdevice.png
▪ RealUograde (6)
If RealNetworks (4) icon_howto.png ItngSerno_HL

Skype (8) -_0icon newplayrist.png
Windows Defender (8)
b Windows Mail (10) icon_printjewelcase.png
Windows Media Player (18)
11 Windows Multimedia Platform (3) icon_syncdevice.png iimg_Deroo_HD
Windows MT (4)
taskbody_dev.png gDe rao_HD,

• taskheader dev.png

and as an archive under 'Mews", "File Types", "Archives".

http://www.sleuthkit.org/autopsy/docs/user-docs/3.1/embedded_file_extractor_page.html 2/3

2015/7/29 Autopsy User Documentation: Embedded File Extraction Module

-t• 12 Data Sources id Directory Listing
at. Views Archives
- File Types
le Images (7233) Table Thumbnail
111 Videos (117)
Name Location
h Audio (152)
h Archives (20) Login.cab

Documents stubinst_pkg_en-us(1).cab
Executable
4. a Recent Files Qa DCode-v4.02a-build-4.02.0.9306, an
% Deleted Files
MB File Size ntpont.inf_x86_64a5c2d136933c8f.cab
Results
:• El Extracted Content a pmms003.inf_x86_44d40e16732ceBee.cab
a ntprint.inf amd64_64a5c2d136933c8f.cab
ri Devices Attached (17)
oemprint.inf_amd64_1c6lbabacbbile90.cab r 32. II
EXIF Metadata (63)
- Extension Mismatch Detected (103) oemprint.inf_amd64_eb 780 5 57355f0 7b 5.cab - _f rni
'aj Installed Programs (38)
as prnms00lanf amd64_4fal863520b2418e.cat
Operating System Information (2) a pmms002.tnf amd64_77839a7cc2b8a037.cat
Of Operating System User Account (4) a prnms003.mf amd64_02291d7288731918.cal -

Recent Documents (18) sls.cab
* Web Bookmarks (20)
• Web Cookies (240) sls.cab

a Wall rIewinInAAc (11 Windows6.2-HyperVIntegrationServices-x64.,

a Windows6A-HyperVIntegrationServices-x64.1

igt Windows6.2-HyperVIntegrabonServices-x86.. [Fit ,

a Windows6A-HyperVIntegrationServices-x86.1

Copyright © 2012-2015 Basis Technology. Generated on Wed Jul 29 2015
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.

http://www.sleuthkitorg/autopsy/docs/user-docs/3.1/embedded_file_extractor_page.html 3/3

2015/7/29 Autopsy User Documentation: EXIF Parser Module

EXIF Parser Module

What Does It Do

The EXIF Parser module extracts EXIF (Exchangeable Image File Format) information from ingested pictures. This information can contain geolocation data for the
picture. time. date, camera model and settings (exposure values. resolution. etc) and other information. The discovered attributes are added to the BlackBoard.

This can tell you where and when a picture was taken, and give clues to the camera that took

Configuration

There is no configicabon required.

Using the Module

Select the cheohbox in the Ingest Modules settings screen to enable the EXIF Parser.

Ingest Settings

There are no runtime ingest settings required.

Seeing Results

Results are shown in the Results tree.

['rectal, Let., I
COT Metadata
f p Emu sane:
t s Vie. Thwteal

- UExtracted ccotent Sarce Fie
la Dentin Attedied (17)
can Replan. test Nu lea 6290.1.4
pension mivratdi retested pea) Si 100_6159.PG
q, Instated Proems (M)
ev OPerebn System Inforennon (o) 100_6228.)PG
it cocaina spree user Acco-nt tat S. 100_62233PG
Recent Docrents ti 1.00_6192.)PG
Web Bodanris (20) I% 12-191241 LG. ‘55350 San
4, Web !Conlon (240) 24 12-193241 LC ‘X.9350 Lip;
• weeD0ark•CIS (I) Pa IMG0057.PG

Copyright S 2012-2015 Basis Technology. Generated on Wed Jul 29 2015
This work is licensed under a Creative Commons Attribution-Share Alike 2 0 United States License.

http://www.sleuthkit.org/autopsy/docs/user-docs/3.1/_e_x_i_f_parser_page.html 1/1

2015/7/29 Autopsy User Documentation: Keyword Search Module

Keyword Search Module

What Does It Do

The Keyword Search module facilitates both the ingest portion of searching and also supports manual text searching after ingest has completed. It extracts text from
the files being ingested and adds them to a SoIr index that can then be searched.

Autopsy tries its best to extract the maximum amount of text from the files being indexed. First, the indexing will try to extract text from supported file formats, such as
pure text file format, MS Office Documents, PDF files, Email, and many others. If the file is not supported by the standard text extractor, Autopsy will fall back to a string
extraction algorithm. String extraction on unknown file formats or arbitrary binary files can often extract a sizeable amount of text from a file, often enough to provide
additional clues to reviewers. String extraction will not extract text strings from encrypted files.

Configuration

Autopsy ships with some built-in lists that define regular expressions and enable the user to search for Phone Numbers, IP addresses, URLs and E-mail addresses.
However, enabling some of these very general lists can produce a very large number of hits, and many of them can be false-positives. Regular expressions involving
backtracking can potentially take a long time to complete.

Once files are placed in the SoIr index, they can be searched quickly for specific keywords, regular expressions, or keyword search lists that can contain a mixture of
keywords and regular expressions. Search queries can be executed automatically during the ingest run or at the end of the ingest, depending on the current settings
and the time it takes to ingest the image.

Keyword Search Configuration Dialog

The keyword search configuration dialog has three tabs, each with it's own purpose:

• The Lists tab is used to add, remove, and modify keyword search lists.
• The String Extraction tab is used to enable language scripts and extraction type.
• The General tab is used to configure the ingest timings and display information.

To create a list, select the 'New List' button and choose a name for the new Keyword List. Once the list has been created, keywords can be added to it. Regular
expressions are supported using Java Regex Syntax. Lists can be added to the keyword search ingest process; searches will happen at regular intervals as content is
added to the index.

List Import and Export
Autopsy supports importing Encase tab-delimited lists as well as lists created previously with Autopsy. For Encase lists, folder structure and hierarchy is currently
ignored. This will be fixed in a future version. There is currently no way to export lists for use with Encase. This will also be added in future releases.

Lists tab

del op

F.Ver (CVI

Autopsy Keyword Search Hash Database Fie Extension Mismatch FileTypeld Interesting Files 41
General

Lists String Extraction I General Keywords: RegEx

Keyword Lists: Keyword
,Superherps
Bad things hugs
gangs
violence •
terrorists

Keyword Options

Add 1

Regular Expression

Remove Selected j

List opbons

J. Send ingest itox messages for each hit

L egaort List ki Copy List j t x Delete List

New List • !Mort List

String extraction setting Cancel
htlp://www.sleuthkit.org/autopsy/does/user-docs/3.1/keyword_search_page.html 1/5

2015/7/29 Autopsy User Documentation: Keyword Search Module

The string extraction setting defines how strings are extracted from files from which text cannot be extracted because their file formats are not supported. This is the
case with arbitrary binary files (such as the page file) and chunks of unallocated space that represent deleted files. Mien we extract strings from binary files we need
to interpet sequences of bytes as text differently, depending on the possible text encoding and script/language used. In many cases we don't know in advance what the
specific encoding/language the text is encoded in. However, it helps if the investigator is looking for a specific language, because by selecting less languages the
indexing performance will be improved and the number of false positives will be reduced.

The default setting is to search for English strings only, encoded as either UTF8 or UTF16. This setting has the best performance (shortest ingest time). The user can
also use the String Viewer first and try different script/language settings, and see which settings give satisfactory results for the type of text relevant to the investigation.
Then the same setting that works for the investigation can be applied to the keyword search ingest.
String Extraction tab

W. Options 101

‘99 4I
hzi:D
151 Keyword Search Hash Database Ale Extension Mismatch EkTyperd Interesting Fies General
Autopsy

Lists i String Extraction Genera)

Ingest settings for sting extraction from unknownfie types (changes effective on next ngest);
Enable 111716LE and tnF I68E string extradnon

7 Enable WEB text extracbon

Enabled scripts (languages):

Latin - Basic (English)
Latin - Extended (European)
Arabic (Arabic)
Cynic (Russian, Bt avian, Serbian, Moldova))
- Han (Chinese, Japanese, Korean)
Kragana (Japanese)
_! Katakana (Japanese)
Hangul (Korean)
Armenian (Armenian)
— Bengali (Bengal)
lthmer (Cambocian)
▪ Ethiopic (Ethoopc)
Georgian (Georgian)
— Hebrew (Hebrew)
Laotian (Laotian)
n Mongo)ian (Mongolian)
.T Thai (Thai)

General Settings

NISI NSRL Support
The hash database ingest service can be configured to use the NIST NSRL hash database of known files. The keyword search advanced configuration dialog
"General" tab contains an option to skip keyword indexing and search on files that have previously marked as "known" and uninteresting files. Selecting this option can
greatly reduce size of the index and improve ingest performance. In most cases, user does not need to keyword search for "known" files.

Result update frequency during ingest
To control how frequently searches are executed during ingest, the user can adjust the timing setting available in the keyword search advanced configuration dialog
"General" tab. Setting the number of minutes lower will result in more frequent index updates and searches being executed and the user will be able to see results
more in real-time. However, more frequent updates can affect the overall performance, especially on lower-end systems, and can potentially lengthen the overall time
needed for the ingest to complete.

One can also choose to have no periodic searches. This will speed up the ingest. Users choosing this option can run their keyword searches once the entire keyword
search index is complete.

General tab

http://mvwsleuthkitorg/autopsy/docs/user-docs/3.11}ceyword_search_page.html 2/5

2015/7/29 Autopsy User Documentation: Keyword Search Module

M Options

Autopsy Keyword Search Flash Database File Extension Mismatth FileTypeld Interesting Hes General

Lists! etn—n:i—g Exbacboneneral

tbngs

[-/: Do not add files in I‘LSRI. (known files) to keyword index during ingest
Show Keyword Preview in Keyword Search Results (ml result in longer search times)

Results update frequency during ingest:
20 minutes (dowest feedbadc, fastest noes()

10 mnutes (dower feedback, faster ingest)
minutes (defiede

- 1 minute (faster feedback, longest ingest)

o No periodc searches

Information -

Files in keyword index: 60110

Chunks in keyword index: 94235

OK Cancel

Using the Module

Search queries can he executed manually by the user at any time, as long as there are some files already indexed and ready to be searched. Searching before
indexing is complete will naturally only search indexes that are already compiled.

See Ingest for more information on ingest in general.

Once there are files in the index, the Keyword Search Bar will be available for use to manually search at any time.

Ingest Settings

The Ingest Settings for the Keyword Search module allow the user to enable or disable the specific built-in search expressions, Phone Numbers, IP Addresses, Email
Addresses, and URLs. Using the Advanced button (covered below), one can add custom keyword groups.

Ingest Modules Select keyword lists to enable during ingest:
4' Phone Numbers
Recent Adhity J. W Addresses
,-/j Email Addresses
l i Hash Lookup
1-27:i urns
File Type Identification
verlieros
r Archive Extractor
I edf Parser Saipts enabled for string extraction from unknown file types:

et Keyword Search Latin - Basic

Email Parser Encockngs: UTES, U1FI6
Extension Mismatch Detector
E01 Verifier

L Android Analyzer
f 1 Interesting Files Identifier

I PhotoRec Carver

it Process Unalocated Space Performs file indenno and periodic Advanced

Start Close

Keyword Search Bar

The keyword search bar is used to search for keywords in the manual mode (outside of ingest). The existing index will be searched for matching words, phrases, lists,
or regular expressions.

Individual Keyword Search
Individual keyword or regular expressions can quickly be searched using the search text box widget. You can select "Exact Match", "Substring Match" and "Regular

http://www.sleuthkit.org/autopsy/docs/user-docs/3.1/keyword_search_page.html 3/5

2015/7/29 Autopsy User Documentation: Keyword Search Module
Expression" match.

Ce - KeWmrd Lists C1.- Keyword Search

television Subsbig Match Cl. Search
e Exact Matdn Regiar Egression

Results will be opened in a separate Results Viewer for every search executed and they will also be saved in the Directory Tree as shown in the screenshot below.

ad. case Autopsy 2 - Keyword Lets C. Keyword

File View 'look Window Help Drectory Listng dseardh 1 - Car is Keyword search 2-Televisionel Keywced search 3 - f
= Television
• Close Case gig Add Data Sauce ill, Generate Report 3
Table Thumb,/
4.
Source File Keyword Preview Keyword
- Extension Mgmatch Detected (103) x
1.1 Installed Programs (38) medainfosTh VCIArglog • te!e...;sicr.-Lgte.1
T. Operating System Information (2) Searc
te. Operating System User Account (4) 3rd International ICSTOrif on OF and Cyber from the television shows *The Mtrpets" and 'Moppet Babes"

Recent Documents (18) EntaientDb.edb
* Web Bookmarks (20)
4. Web Cooties (290) DOCResAlimU
e Web Downloads (1)
4I ' '
Web History (21) Page
. a Web Search (9) Hex I Sams f MetadatafResIts Text T

Keyword lits Matches on page: 1 of 3 Match j Page: t of
Single Liberal Keyword Search (395)
Car (97) Fig. 3: Identify Adult versus Child- Major League and Little League Baseball logos.
▪ Movie (234) The television, movie, and advertising industries have a savvy awareness of market demogral
• Television (12) li and of viewer psychology and perception. Though the puppet and cartoon characters are obv:
• cow (48) not huomn, their facial characteristics and proportions, body proportions, and other visa.:
• victor (4) allow viewers co distinguish she characters as either adult] or juveniles based upon vizua:
Single Regular Expression Search (0)
and with television upon additional audible cues.
▪ Hashset Hits
T. re` E-Mail Messages This is an image depicting a child Bitting on an adult's lap. How accurate do yo
k the depictions of the adult as an adult and the child as a child is, and why?
* Interesting Items
-E Ca Tags
L Reports

Keyword List Search
Lists created using the Keyword Search Configuration Dialog can be manually searched by the user by pressing on the 'Keyword Lists' button, selecting the check
boxes corresponding to the lists to be searched, and pressing the 'Search' button.

Phone Numbers Name C. • Keyword Lists
IP Addresses RegEx

Email Addresses Oman

trEs
batman

6=:1 2M111.

hut

R202

Cptinus Prime

Res Indexed: 60,110 Manage Lists
Search

The results of the keyword list search are shown in the tree, as shown below.

http://www.sleuthkit.org/autopsy/docs/user-docs/3.1/keyword_search_page.html 4/5

2015/7/29 Autopsy User Documentation: Keyword Search Module

M easel - Autopsy 3.1.2

Ale View Tools '.Vmdcw Help

4.Close Case Add Data Source L Generate Report r,

ti Web Search (4) Directory Ldtn9 Keyword search 5- stcennan row,
-e[ . Keyword tits 4p•rheros Fles with Hits

• Single literal Keyword Search (395) Table rhumbni
• . Smolt Regular Expression Seardi (0)
4 . Phone Numbers (5) ust Name
4i, IP Addresses (3700) 0.202(1)

♦Errol Adtresses (549) • babnan (8)
• Suparheros (43) . hulk (8)

• R2D2 (1) tronman (1)
• batman (8) fold (7)
. superman (1)
kit (a) • lhor (4)
• viper (13)
. woriman (1)
. lole (7)
. superman (1)
. Mar (4)

. weer (13)

Searching during ingest
Manual search for individual keywords or regular expressions can be executed while ingest is ongoing, using the current index. Note however, that you may miss some
results if the entire index has not yet been populated. Autopsy enables you to perform the search on an incomplete index in order to retrieve some preliminary results
in real-lime.

During the ingest, the manual search by keyword list is deactivated. A newly selected list can instead be added, and it will be searched in the background instead.

Keywords and lists can he managed during ingest.

Seeing Results

The Keyword Search module will save the search results regardless whether the search is performed by the ingest process, or manually by the user. The saved results
are available in the Directory Tree in the left hand side panel.

To see keyword search results in real-time while ingest is running, add keyword lists using the Keyword Search Configuration Dialog and select the "Use during
ingest" check box. You can select "Send messages to inbox during ingest" per list, if the hits on that list should be reported in the Inbox, which is recommended for very
specific searches.

Copyright @ 2012-2015 Basis Technology. Generated on Wed Ju129 2015
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.

htlp://vwwtsleuthkit.org/autopsy/docs/user-docs/3.1/keyword_search_page.h1m1 5/5

2015/7/29 Autopsy User Documentation: Email Parser Module

Email Parser Module

What Does It Do

The Email Parser module identifies Thunderbird MBOX files and PST format files based on file
signatures, extracting the e-mails from them, adding the results to the Blackboard. This module skips
known files and creates a Blackboard artifact for each message. It adds email attachments as derived
files.
This allows the user to identify email-based communications from the system being analyzed.

Configuration

There is no configuration required.

Using the Module

Explore the "Results", "E-Mail Messages" portion of the tree to review the results of this module.

Ingest Settings

There are no runtime ingest settings required.

Seeing Results

The results of this show up in the "Results", "E-Mail Messages" portion of the tree.

http://www.sleuthkit.org/autopsy/docs/user-docs/3.1/email_parser_page.html 1/2

2015/7/29 Autopsy User Documentation: Email Parser Module

easel : Autopsy 3.1,2 -111111a

File Vieo: Toole Window Help

LClose Case + Add Data Source Generate Report

la Data Sources Directory Listing E-ME
Default 4 2 siA
e Views 42sixt
LE Results Table Thumbnail 42sb,j.
it a Extracted Content Source File 42scit
ativer
Keyword Hits Inbox ariver
Hashset Hits U Inbox debdi.
"L' :4" E-Mail Messages anver
V. Inbox louth
fl Default aDefault])
4*, Inbox ;earl@
t GO Sent iearas
* Interesting Items WI: Sent
! Sent
Tags V. Sent
a Reports e Sent

U outlookipst

outiooklpst
outlook2.ost

Copyright © 2012-2015 Basis Technology. Generated on Wed Jul 29 2015
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.

http:/Awndvsleuthkitorg/autopsy/docs/user-docs/3.1/email_parser_page.html 2/2

2015/7/29 Autopsy User Documentation: E01 Verifier Module

E01 Verifier Module

What Does It Do

The E01 Verifier module computes a checksum on E01 files and compares with the E01 file's internal
checksum to ensure they match. This can detect if the E01 module is corrupted.

Configuration

There is no configuration required.

Using the Module

Select the checkbox in the Ingest Modules list to use this module.

Ingest Settings

There are no runtime ingest settings required.

Seeing Results

You only see results from this module if the E01 is corrupted. A failure to load is shown below.

Lr-e01-verifier.png

Copyright © 2012-2015 Basis Technology. Generated on Wed Jul 29 2015
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.

http://www.sleuthkitorg/autopsy/docs/user-does/3.1/e01_verifier_page.html 1/1

2015/7/29 Autopsy User Documentation: Android Analyzer Module

Android Analyzer Module

What Does It Do

The Android Analyzer module allows you to analyze SQLite and other files from an Android device. It
works on Physical dumps from most Android devices (note that we do not provide an acquisition
method). Autopsy will not support older Android devices that do not have a volume system. These
devices will often have a single physical image file for them and there is no information in the image
that describes the layout of the file systems. Autopsy will therefore not be able to detect what it is.

The module should be able to extract the following:

• Text messages / SMS / MMS
• Call Logs
• Contacts
• Tango Messages
• Words with Friends Messages
• GPS from the browser and Google Maps
• GPS from cache.wifi and cache.cell files

NOTE: These database formats vary by version of OS and different vendors can place the databases
in different places. Autopsy may not support all versions and vendors.

NOTE: This module is not exhaustive with its support for Android. It was created as a starting point for
others to contribute plug-ins for 3rd party apps. See the Developer docs for information on writing
modules.

Configuration

There is no configuration required.

Using the Module

Simply add your physical images or file system dumps as data sources and enable the Android
Analyzer module.

Ingest Settings

There are no runtime ingest settings required.

Seeing Results

The results show up in the tree under "Results", "Extracted Content".

http://www.sleuthkiturg/autopsy/docs/user-does/3.1/android_analyzer_page.h1m1 1/2

2015029 Autopsy User Documentation: Android Analyzer Module

r-1.-11.--1 Results P mmssms,db Incomind +1585:

Extracted Content mmssms,db Outgoing
9" mmssms.db
Call Logs (93) outgOing
mmssms.db
IContacts (24) Incoming +1585.
P mmssms.db
fl Devices Atlached (17) Outgoing

EXIF Metadata (63)

Extension Mismatch Detected (103) 9" mmssms,db Outgoing
*9 Installed Programs (38)
P mmssms.db Outgoing
Messages (126)
Operating System Information (2) e mmssms.db Incoming +1847
of. Operating System User Account (4)
mmssms.db Outgoing

Recent Documents (18) P mmssms.db Outgoing

* Web Bookmarks (20) mmssms.db Outgoing 411
l Web Cookies (240) mmssms.db Incoming
s Web Downloads (1) mmssms.db
014 mmssms.db Outgoing
Web History (21)
Web Search (4) Outgoing

Copyright © 2012-2015 Basis Technology. Generated on Wed Jul 29 2015
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.

htlp://www.sleuthkit.org/autopsy/docs/user-docs/3.1/android_analyzer_page.html 2/2

2015/7/29 Autopsy User Documentation: Interesting Files Identifier Module

Interesting Files Identifier Module

What Does It Do

The Interesting Files module allows you to search for files or directories in a data source and generate alerts when they are found. You configure rules
for the files that you want to find.

Use this to be notified when certain things are found. There are examples below that generate alerts when VMWare images are found or when iPhone
backup files are found. This module is useful for file types that will frequently have a consistent name and that may not be part of the standard checklist
that you look for, or if you simply want to automate your checklist.

Configuration

Add rules using "Tools', "Options", "Interesting Files".
All rules need to be part of a set. Sets need to have the following defined:

• Set Name (required)
• Set Description (optional)

Rules specify what to look for in a data source. Each rule specifies:

• Type: If the rule should be applied to only files, only directories, or both files and directories.
• Name Pattern: String to match the file name against.
• Name Pattern Type: Should the pattern be matched against the full file type or just the extension.
• Path Pattern: A substdng of the parent path that must be matched. This allows you to restrict generic names to a specific structure (such as an

application name). A substring match is performed.
• Rule Name: Additional details that are displayed in the UI when that rule is matched. This allows you to determine which rule in the set matched.

M. Options fiz) 4'I
Autopsy
Keyword Search Hash Database File Extension Mismatch FileTypeld Interesting Pies ;0
General

This module allows you to find flee that match spedfied criteria. Set Details
Each set has a list of rules, which will match on file name and Description:
parent path patterns. These files end with 'mg".

Rule Sets

r _ Ignore Kilo,. Files
Rules:

flying (flying)
surfing (surfing)

Fi. + New Rule TTEdit Rule x Delete Rule
Files and Oirectones
New Set Edt Set at Delete Set Rule Detads
File Type
. Fires D:rectones

Name Pattern .ing$ Extenror On:y Rage,.
F, e Name

Path Pattern:

Regex

r Ga[ 0)±_i aH

VMWare Example 1/2

This set of rules is to detect VMWare Player or vmdk files. This would help to make sure you look into the virtual machines for additional evidence.
NOTE: This is not extensive and is simply a minimal example:

• Set Name: VMWare
http://www.sleuthkit.org/autopsy/docs/user-docs/3.1n nteresting_files identitier_page.html

2015/7/29 Autopsy User Documentation: Interesting Files Identifier Module

Rule 1:
o Type: Files
o Full Name: vmplayer.exe
o Name: Program EXE

Rule 2:
o Type: Files
o Extension: vmdk
o Name: VMDK File

iPhone Backups Example

This set of rules is to detect a folder for iPhone Backups. These are typically in a folder such as "%AppData%\ Roaming \Apple
ComputerWobileSync\ Backup" on Windows. Here is a rule that you could use for that.

• Set Name: iPhone Backups
• Rule 1:

o Type: Directory
o Name: Backup
o Path: Apple Computer/MobileSync

Using the Module

When you enable the Interesting Files module, you can choose what rule sets to enable. To add rules, use the "Advanced" button from the ingest module
panel.

When files are found, they will be in the Interesting Files area of the tree. You should see the set and rule names with the match.

Ingest Settings

When running the ingest modules, the user can choose which interesting file rules to enable .

Ingest Modules 11110/11

E Rent Activity Select interesting files sets to enable during ingest:
!L-i- Ham lookup Ri ends_wittung
File Type Identification
0 Archive Extractor rz1 starts with _z
Emf Parser
D[Ti 'Keyword Search
Email Parser
E Extension Mismatch Detector
E01 Verifier
0 Android Analyzer
Interesting Wes Identifier
J PhotoRec Carver
DE

1511

ri

.4 Process Unalloalted Space Identifies interesting items as defined b... Advanced

Start Close

4

Seeing Results Pti zoomOut_hover.contrast-white
zoomOut hover.png
The results show up in the tree under "Results", "Interesting Items". zoornOut normal.contrast-bladc
zoornOut nonnal.contrast-whitt
7-1 r I Results zoomOut_normal.png
Extracted Content zoomOut_press.png

N Keyword Hits 2 zoom bar.png
T.- Hashset lit k zoom bar.png
k zoom minus.png
E-Mat Messages
* Interesting Items zoom_minus.png
zoom_plus.png
* ends with aug (1351)
* starts with _z (545)
130 Tags
Reports

Copyright @ 2012-2015 Basis Technology. Generated on Wed Jul 29 2015
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.

http://www.sleuthkit.orgrautopsy/docs/user-docs/3.1/interesting_files jdentifier_page.html 2/2

2015/7/29 Autopsy User Documentation: PhotoRec Carver Module

PhotoRec Carver Module

What Does It Do

The PhotoRec Carver module carves files from unallocated space in the data source and sends the files found through the ingest
processing chain.

This can help a reviewer discover more information about files that used to be on the device and were subsequently deleted.
These are simply extra files that were found in "empty' portions of the device storage.

Configuration

There is nothing to configure for this module.

Using the Module

Select the checkbox in the Ingest Modules settings screen to enable the PhotoRec Carver. Ensure that "Process Unallocated
Space" is selected.

Ingest Settings

There are no run-time settings for this module, but the global setting to "Process Unallocated Space" needs to be selected to
make this work.

Seeing Results

The results of carving show up on the tree under the appropriate data source with the heading "$CarvedFiles".

jcasel - Autopsy 3.1

File View Tools Window Help

LaClose Case + Add Data Source Generate Report

.D... irectory Listing L

a al Data Sources img Demo_HD.E01/vol_vo121$CarvedFile - —

Demo HD.E01 Table I Thumbnail!
vol 1 (Unallocated: 0-1048575)
volt (NTFS / exFAT (0x07): 2048-64422414335) Name Location
*Extend (8) M000016.tixt Pmg_Demo HD.E01/vol_vol2/$CarvedFilesif0000016.txt
$OrphanFiles (0) f0000264.png lirog_Derno_HD, ED I tiolipp121$CarvedFiles,10000264 .png
$Recyde.Bin (3) f0000272.png frfg_Derno_HD. EDI ivol_vol2trarvedFilesif 0000272.ring
$Unalloc (2) f0000280 png ing_Dercio_HD.Eutf v ol_vol2j$ CdrvedFil esit u000280 prig
10000288.png limg_Demo jiD.E01,i'vol_vol2aCervedFilesif 0000238. prFig
ji,j, Boot (46) frig_Demo_HD,E01tio120123Cervedrilesi10000992.doi:
)A, Documents and Settings (2) 'I f0000992.doc fing_Deroo_HD ED I f,,:ol_vol2i$CarvedFiles00001046.ttf
f0001048.ttf Ping _Derno_HEJ. ED ivolso121$Car vedFilesi10001648 ?:t
Pertogs (2) f0001648.txt liropiiemo_HD.E01/volzol2iffEwvedFilesiF0001992.jpg
4,.1 Program Files (18) f0001992.jpg iirog_Derno_HD. ED I Nolso123CarvedFile,500002544 .java
;1„, Program Fies (x86) (21) f0002544.)ava lirrog_Derno_HD. ED ivol_yo123Car vedFilesf t 0002606 ,t
f0002608.bct iirrig_Derno_HD.E0 1 ivol_vol2f$CarvedFilesif 00026 I 6 rxr
. ProgramData (14) f0002616.txt iinig_Derio_HD.E01,(vol20121$CarvedFilesit0002624.txt
f0002624.txt
-A, Recovery (3)
f0002632.htitil limg_DerrioilD.E011vol_voi2f CarvedFilesif 0002632. html
it} Ail System Volume Information (9)
Users (8)

Bt. A__ Windows (96)

$CarvedFies (1188)

vol3 (Unallocated: 125827072-126875647)

Applicable types also show up in the "Views", "File Types" portion of the the tree, depending upon the file type.

Custom File Signatures

To add custom file signatures, create a file (if it does not exist) photorec.sig in the user home directory (for example - 1 /2
/home/john/photorec.sig, or CAUsers\john photorec.sig). The photorec.sig file should contain one expression per line. For

http://www.sleuthkitorg/autopsy/docs/user-docs/3.1/photoreO Carver_page.html