Published by , 2016-04-06 10:19:25

Autopsy 3

2015/7/29 Autopsy User Documentation: PhotoRec Carver Module

example, to detect a file foo.bar which has the header signature 0x4141414141414141, add the expression

bar 0 0x4141414141414141

in photorec.sig, where bar is the file extension, 0 is the signature offset, and 0x4141414141414141 is the signature. Add another expression on a new line to detect another custom file based on its signature.
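To make the offset semantics concrete, here is an added example (not from the Autopsy or PhotoRec documentation or code) that parses lines in the photorec.sig layout just shown and scans a byte buffer for each signature at its offset. The signature file and the "disk image" it is run against are constructed for the example: the jpg entry uses the JFIF header bytes, and the baz entry with its 0xDEADBEEF magic is made up to show a non-zero offset. Support for "#" comments and for decimal or 0x-hex offsets is this example's own assumption, not something the page documents.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    extension: str   # file extension given to the carved file
    offset: int      # where in the file the signature bytes sit
    magic: bytes     # the signature bytes themselves


def parse_photorec_sig(text: str) -> list[Signature]:
    """Parse lines in the photorec.sig layout shown above: '<ext> <offset> <0xSIGNATURE>'.

    Assumptions of this example: the offset is decimal or 0x-prefixed hex, blank lines are
    skipped, and anything after '#' is a comment (the page does not document comments).
    """
    sigs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed signature line: {raw!r}")
        ext, offset, magic = parts
        if not magic.lower().startswith("0x") or len(magic) % 2 or len(magic) < 4:
            raise ValueError(f"signature must be 0x-prefixed hex with whole bytes: {raw!r}")
        sigs.append(Signature(ext, int(offset, 0), bytes.fromhex(magic[2:])))
    return sigs


def find_candidates(data: bytes, sigs: list[Signature]) -> list[tuple[str, int]]:
    """Return (extension, file_start) for every place a signature occurs at its offset.

    A signature at offset N means the file begins N bytes *before* the match, so a match
    whose start would fall before the beginning of the buffer is discarded.
    """
    hits = []
    for sig in sigs:
        pos = data.find(sig.magic)
        while pos != -1:
            start = pos - sig.offset
            if start >= 0:
                hits.append((sig.extension, start))
            pos = data.find(sig.magic, pos + 1)   # keep scanning; overlapping matches are reported too
    return sorted(hits, key=lambda hit: hit[1])


# Constructed signature file: the page's foo.bar example, a JFIF JPEG header, and a made-up
# format ('baz') whose 4-byte magic sits 4 bytes into the file, to exercise a non-zero offset.
SIG_TEXT = """\
bar 0 0x4141414141414141
jpg 0 0xFFD8FFE000104A464946   # constructed entry: FF D8 FF E0 00 10 'JFIF'
baz 4 0xDEADBEEF
"""

# Constructed 'disk image': padding, a .bar header, junk, a JFIF header, then the baz file.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"AAAAAAAA"                              # .bar signature at byte 16
    + b"junk"
    + b"\xff\xd8\xff\xe0\x00\x10JFIF"          # .jpg signature at byte 28
    + b"XXXX\xde\xad\xbe\xef"                  # baz file starts at 38, its magic at 42
)


def demo() -> list[tuple[str, int]]:
    return find_candidates(SAMPLE_IMAGE, parse_photorec_sig(SIG_TEXT))


if __name__ == "__main__":
    for ext, start in demo():
        print(f"{ext:>4} candidate at byte offset {start}")
```

The baz hit is reported at byte 38, not 42, because the signature offset is subtracted from the match position; that is the behaviour the second column of a photorec.sig line encodes.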

Copyright ©2012-2015 Basis Technology. Generated on Wed Jul 29 2015
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.

http://www.sleuthkit.org/autopsy/docs/user-docs/3.1/photorec_carver_page.html

2015/7/29 Autopsy User Documentation: Tree Viewer

Tree Viewer

The Tree Viewer shows the discovered folders by the data sources they come from, as well as a list of
files in the folders. It is located on the left side of the Autopsy screen.

Each folder in the tree on the left shows how many items are contained within it in parentheses after the
directory name. See the picture below.

[Screenshot: the Tree Viewer with the Data Sources node expanded for Demo_HD.E01, showing vol1 (Unallocated: 0-1043575) and vol2 (NTFS / exFAT (0x07): 2048-64422414335) and, under vol2, folders such as $Extend (8), $OrphanFiles (0), $Recycle.Bin (3), $Unalloc (2), Boot (46), Documents and Settings (2), PerfLogs (2), Program Files (18), Program Files (x86) (21), ProgramData (14), Recovery (3), System Volume Information (9), Users (8), Windows (96) and $CarvedFiles (1188). The Directory Listing on the right shows the contents of /img_Demo_HD.E01/vol_vol2/.]

http://www.sleuthkit.org/autopsy/docs/user-docs/3.1/tree_viewer_page.html

2015/7/29 Autopsy User Documentation: Result Viewer

Result Viewer

The Result Viewer is located on the top right of the Autopsy screen. It shows lists of files and their corresponding attributes such as time, path, size, checksum, etc.

[Screenshot: the Directory Listing in Table view, with columns Name, Modified Time, Changed Time, Access Time, Created Time, Size, Flags (Directory), Flags (Meta), Mode and User ID, listing entries such as $FAT1, $FAT2, $MBR, $OrphanFiles, a FAT Recover (Volume Label Entry) and several text files with their allocated or deleted status.]

You can also switch it to Thumbnail view to see thumbnails of the content in the selected folder.

[Screenshot: the same Directory Listing in Thumbnail view (Page 1 of 1, Images 1-150, small thumbnails), showing image thumbnails in place of the table rows.]

The Result Viewer is context-aware, meaning it will show applicable columns for the data type selected.

[Screenshot: the Result Viewer showing EXIF Metadata results, where the context-aware columns are Source File, Date Created, Device Model, Device Make and Data Source, listing JPEGs such as 100_6418.JPG and 100_6192.JPG from Demo_HD.E01 with device makes including Motorola and Apple.]

http://www.sleuthkit.org/autopsy/docs/user-docs/3.1/result_viewer_page.html

2015/7/29 Autopsy User Documentation: Content Viewer

Content Viewer

The Content Viewer lives in the lower right-hand side of the Autopsy main screen and shows pictures, video, hex, text, extracted strings, metadata, etc. These views are
enabled when you select a file in the file list above it.

The Content Viewer is context-aware, meaning it will present different views of the content based on the type of file selected. For example, a .JPG would show up as a
picture, a text file would show up as text, and a .bin file would show up as hex output.

The screenshots below show some examples of content viewers in action.

[Screenshot: the Autopsy 3.1.2 main window. The tree on the left lists Data Sources, Views and Results, with Extracted Content entries such as Call Logs (155), Contacts (40), Devices Attached (51), EXIF Metadata (150), Extension Mismatch Detected, Installed Programs (114), Messages (210), Operating System Information, Operating System User Accounts, Recent Documents (54), Web Bookmarks (60), Web Cookies (720), Web Downloads (3), Web History (63) and Web Search (24), followed by Keyword Hits, Hashset Hits, E-Mail Messages, Interesting Items, Tags and Reports. The Result Viewer shows the EXIF Metadata list, and the Content Viewer below it offers Hex, Strings, Metadata, Results, Text and Media tabs.]
[Screenshot: the Metadata tab for /img_Demo_HD.E01/vol_vol2/Users/Autopsy/Music/100_6594.jpg, showing Type (File System), Size (1085579), File Name Allocation and Metadata Allocation (Allocated), the Modified, Accessed, Created and Changed times, the MD5 hash and the Hash Lookup Result (UNKNOWN).]

[Screenshot: the Hex tab for the same file (page 1 of 67), with the first row beginning FF D8 FF E0 00 10 4A 46 49 46, the JFIF header, followed by the file's embedded ICC profile.]

[Screenshot: the Strings tab for the same file, showing strings from the embedded ICC profile such as "IEC http://www.iec.ch", "IEC 61966-2.1 Default RGB colour space - sRGB" and "Reference Viewing Condition in IEC61966-2.1".]

[Screenshot: the Media tab's Video Triage view, showing frames sampled roughly every five seconds from 00:00:00 to 00:00:52.]

http://www.sleuthkit.org/autopsy/docs/user-docs/3.1/content_viewer_page.html

2015/7/29 Autopsy User Documentation: File Search

File Search

About File Search

The File Search tool can be accessed either from the Tools menu or by right-clicking on a data source
node in the Data Explorer / Directory Tree. By using File Search, you can specify, filter, and show the
directories and files that you want to see from the images in the currently opened case. The File
Search results will be populated in a new Table Result viewer on the right-hand side. Currently,
Autopsy only supports 4 categories in File Search: Name, Size, Date, and Known Status based search.

Note: Currently File Search doesn't support regular expressions. The Keyword Search feature of
Autopsy does support regular expressions and can be used to search for files and/or directories by
name.

How To Open File Search

To open the File Search, you can do one of the following things: right-click a data source and choose
"Open File Search by Attributes".

[Screenshot: right-clicking a data source (img_Demo_HD.E01) in the tree shows a context menu with Image Details, Extract Unallocated Space to Single Files, Open File Search by Attributes, Run Ingest Modules and Collapse All.]

or select "File Search by Attributes" from the "Tools" menu.

[Screenshot: the Tools menu, listing Generate Report, Timeline, File Search by Attributes, Plugins, Python Plugins and Options.]

http://www.sleuthkit.org/autopsy/docs/user-docs/3.1/file_search_page.html

How To Use File Search

Currently, there are 4 categories that you can use to filter and show the directories and files within the
images in the currently opened case. The categories are:

• Name: Search for all files and directories whose name contains the pattern given. Note: it doesn't
support regular expressions or keyword matching.

• Size: Search for all files and directories whose size matches the pattern given. The pattern can be
"equal to", "greater than", or "less than". The unit for the size can be "Byte(s)", "KB", "MB",
"GB", or "TB".

• Date: Search for all files and directories whose "date property" is within the date range given. The
"date properties" are "Modified Date", "Accessed Date", "Changed Date", and "Created Date".
You must also specify the timezone for the date given.

• Known Status: Search for all files and directories whose known status is recognized as either
Unknown, Known, or Known Bad. For more on Known Status, see Hash Database Management.

To use any of these filters, check the box next to the category and click the "Search" button to start
the search process. The results will show up in the "Result Viewer".

Here's an example where we try to get all the directories and files whose name contains "hello", have a
size greater than 1000 Bytes, were created between 06/15/2010 and 06/16/2010 (in the GMT-5 timezone),
and are unknown files:


[Screenshot: the File Search by Attributes dialog with Name checked and set to "hello" (note: the name match is case insensitive, matches any part of the file name, and regular expressions are not currently supported), Size set to greater than 1,000 Byte(s), Date set to 06/15/2010 to 06/16/2010 in timezone (GMT-5:00) America/New_York with only Created checked, and Known Status limited to Unknown. Empty fields mean "No Limit"; the date format is mm/dd/yyyy.]
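As an added example (not Autopsy's own code) of how the four filter categories compose, the following Python builds the dialog's example search and runs it against a constructed file listing. The FileRecord type, the filter functions, and the assumptions that timestamps are UTC epoch seconds, that KB/MB/GB/TB are binary multiples and that the end date is inclusive are all this example's own. It also shows the time zone caveat the page's "you must also specify the timezone" sentence implies: a file created at 03:00 UTC on 06/15/2010 is still 06/14 in GMT-5 and therefore falls outside the range.

```python
import operator
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class KnownStatus(Enum):
    UNKNOWN = "Unknown"
    KNOWN = "Known"
    KNOWN_BAD = "Known Bad"


@dataclass(frozen=True)
class FileRecord:
    """One file as this example models it: timestamps are epoch seconds in UTC (an assumption)."""
    name: str
    size: int
    mtime: int
    atime: int
    ctime: int
    crtime: int
    known: KnownStatus


# Size units as listed in the dialog; this example assumes binary multiples.
UNITS = {"Byte(s)": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "TB": 1024 ** 4}
SIZE_OPS = {"equal to": operator.eq, "greater than": operator.gt, "less than": operator.lt}
DATE_PROPERTIES = {"Modified": "mtime", "Accessed": "atime", "Changed": "ctime", "Created": "crtime"}


def name_filter(pattern: str):
    """Case-insensitive substring match on the file name; no regular expressions."""
    needle = pattern.lower()
    return lambda f: needle in f.name.lower()


def size_filter(relation: str, value: int, unit: str):
    threshold = value * UNITS[unit]
    return lambda f: SIZE_OPS[relation](f.size, threshold)


def date_filter(start_mmddyyyy: str, end_mmddyyyy: str, utc_offset_hours: int, properties: tuple):
    """Match if any chosen date property falls within the range in the given time zone.

    Both dates are taken at midnight in that zone; the end date is treated as inclusive
    (an assumption), so the window closes at midnight the day after it.
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    start = datetime.strptime(start_mmddyyyy, "%m/%d/%Y").replace(tzinfo=tz).timestamp()
    end = (datetime.strptime(end_mmddyyyy, "%m/%d/%Y").replace(tzinfo=tz) + timedelta(days=1)).timestamp()
    fields = [DATE_PROPERTIES[p] for p in properties]
    return lambda f: any(start <= getattr(f, field) < end for field in fields)


def known_filter(statuses):
    wanted = set(statuses)
    return lambda f: f.known in wanted


def search(files, filters):
    """Only checked categories are passed in; a file must satisfy every active filter."""
    return [f for f in files if all(flt(f) for flt in filters)]


def _utc(y, m, d, hh=0, mm=0) -> int:
    return int(datetime(y, m, d, hh, mm, tzinfo=timezone.utc).timestamp())


# Constructed sample listing (unused timestamps are left at 0).
SAMPLE_FILES = [
    FileRecord("hello_world.txt", 2048, _utc(2010, 6, 15, 12), 0, 0, _utc(2010, 6, 15, 12), KnownStatus.UNKNOWN),
    FileRecord("HELLO.doc", 500, 0, 0, 0, _utc(2010, 6, 15, 12), KnownStatus.UNKNOWN),        # too small
    # Created 03:00 UTC on 06/15 is still 22:00 on 06/14 in GMT-5, so it is outside the range.
    FileRecord("hello2.bin", 4096, 0, 0, 0, _utc(2010, 6, 15, 3), KnownStatus.UNKNOWN),
    FileRecord("goodbye.txt", 9000, 0, 0, 0, _utc(2010, 6, 16, 12), KnownStatus.UNKNOWN),    # name mismatch
    FileRecord("hello.exe", 9000, 0, 0, 0, _utc(2010, 6, 16, 12), KnownStatus.KNOWN),        # known (NSRL)
]


def example_search() -> list:
    """The page's example: name contains 'hello', > 1000 bytes, created 06/15-06/16/2010 (GMT-5), unknown."""
    filters = [
        name_filter("hello"),
        size_filter("greater than", 1000, "Byte(s)"),
        date_filter("06/15/2010", "06/16/2010", -5, ("Created",)),
        known_filter({KnownStatus.UNKNOWN}),
    ]
    return [f.name for f in search(SAMPLE_FILES, filters)]


if __name__ == "__main__":
    print(example_search())
```

Running the same date filter with a UTC offset of 0 instead of -5 would admit hello2.bin, which is exactly why the dialog insists on a time zone.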


2015/7/29 Autopsy User Documentation: Timeline

Timeline

Overview

This document outlines the use of the Timeline feature of Autopsy. This feature was funded by DHS
S&T to help provide free and open source digital forensics tools to law enforcement. This document
assumes basic familiarity with Autopsy.

Quick Start

1. Create a case as normal and add a disk image (or folder of files) as a data source. To get the
most out of the timeline, ensure that you have the hash lookup module enabled with NSRL (to
ignore known files) and have the EXIF and recent activity modules enabled to collect additional
temporal data.

2. After the image has been added, click "Tools", "Timeline" in the menu. This will open the
Timeline tool in a new window. You can do this while ingest is running, but you will not have
access to the temporal data that will be found after you create the timeline, unless you re-open
the timeline tool.

Use Case Details

In addition to the basic ideas presented in the previous section, here are some hints on use
cases that were designed into the tool.

• When did major web activity occur on a system?
• When were external devices plugged into the system?
• When were pictures with EXIF information added?
• What websites were accessed that resulted in file system modifications immediately after?

Basic Concepts

This section covers some basic concepts of the interface.

Events

The timeline tool is organized around events. An Event has a timestamp, a type, and a description.
Note: all Events are discrete, but might be grouped together to form clusters with a duration in the
Details View depending on the level of Description that is enabled in the UI.

The timeline collects data from multiple sources and organizes the events into the following taxonomy:

• File System
o Modified
o Access
o Created
o Changed
• Web Activity
o Web Downloads
o Web Cookies
o Web Bookmarks (creation)
o Web History
o Web Searches
• Miscellaneous
o Messages
o GPS Routes
o Location History
o Calls
o Email
o Recent Documents
o Installed Programs
o Exif metadata
o Devices Attached

http://www.sleuthkit.org/autopsy/docs/user-docs/3.1/timeline_page.html

Visualization Types

There are two different graph types that the Autopsy viewer provides. Each is better suited for a
different type of question that the investigator is trying to answer. You can change between the two
types in the top part of the interface (see the previous section for a screenshot).

The Counts View shows a stacked bar chart. Use this type of graph to show how much activity
occurred in a given time frame. It won't show you specific events though. It can be helpful to determine
when the computer was last used or how often it was used. When you open a timeline, it will open in
this style of graph.

The Details View shows individual or groups of related events. Date/time is represented horizontally
along the x-axis, but the vertical axis does not represent any specific units. You would use this interface
to answer questions about what specific events happened in a given time frame or what events
occurred before or after a given event. You would generally use this type of interface after using the
Counts View to identify a period of time that you wanted details on. There can be a lot of details in this
view and we have introduced zooming concepts, as described in the next section, to help with this.

Visualization settings

The toolbar above the visualization area shows settings specific to the active visualization. These
settings affect the way events are displayed and/or the layout of the visualization.

Zooming

A common challenge with timeline analysis is information overload. To help with this, the Autopsy
interface has three ways of zooming that will help you identify the correct data. These can be controlled
from a single area in the upper left of the interface.


• Time Units: This level of zooming controls the temporal detail shown on the X-axis. It dictates if
there will be markers at the scale of years or seconds. As you want more details about what
happened in a given time range, you will zoom in more with this control.

• Event Type: This level of zooming controls what level of event type you see. As an example,
there is a top-level type of "File System" event with sub-types for modified times, accessed times,
and created times. If you want more details about a given type, then you will zoom in more with
this control.

• Description Detail: This level of zooming is most unique to Autopsy and groups similar events
together based on their description. As an example, it will group file system events together if
they are in the same root folder when you are zoomed all of the way out. This allows you to
generally see where there is activity without seeing each individual file.

For the quick start approach to things, you should keep this in mind: Double clicking on something will
change only one of these levels of zooming. We have tried to choose what would be most intuitive for
most use cases. If you want to choose a different zooming approach, use the sliders in the upper left or
right click on the chart.

History

If at any time you want to back out to something you saw before, use the back and forward history
buttons in the upper left, or the keyboard shortcut Alt + Left/Right.

Timeline Interaction and Configuration Details

Filters / Events

This area allows the user to apply filters to limit what events are shown in the visualization. When the
Details View is active, a tab in this area also enables navigating the visualization by event descriptions
(see the Details View section for more on this).

When the Hide Known Files filter is active, files with known hashes will not be included in any way in
the rest of the timeline tool (except for the Histogram which shows all events). In order for this filter to
work, the Hash Lookup ingest module must have been run with a Known hash database enabled.

When the Text Filter is active, only events with descriptions containing the supplied string as a
substring will be shown. Note: this filter uses the full description in its search even if it is not displayed.

The Event Types filter allows the user to select which event types should be shown. Right clicking an
event type brings up a context menu with options to select different sets of types.

The Event Type hierarchy displayed in the filter tab also functions as the legend for the visualizations.
Events are color-coded to match their type, and have the corresponding icon displayed in several
places.

Time Range Selection

The time range selection area provides several means of adjusting the displayed time range.


Date/Time fields show the exact date and time of the start (left) and end (right) of the displayed range.
The user can type directly into these fields or use a graphical date/time chooser to modify the start or
end time. The minus and plus hour glass buttons zoom the visible time range out and in by a set
percentage. The drop down menu to the right allows selecting a preset time range. These methods will
adjust the visible time range around its center. The last method to adjust the visible time range is via
the range slider. The user can position each end independently to adjust the start and end time
respectively or drag the highlighted blue section to move the visible range without changing its length.

In both visualizations, the user can also right-drag (starting in empty space) a time span, represented
by a pale blue box, and then double click it to zoom the visible time range. Right clicking the blue time
span box clears it.

Histogram

Behind the time range slider is a histogram of all events in the case. The histogram can help to put the
main visualization in perspective by showing a high level summary of all events in the case, with a
representation of the visible time range superimposed via the time range slider. The histogram divides
the entire time span of all events in the case into equal intervals and shows the number of events in
each interval via the height of the corresponding bar. The histogram should only be used for relative
comparison and context and not for determining exact numbers or times of events. Note: This
histogram is not affected by filters or zooming.

Time Zone

The user can choose between viewing events in their local time zone or in Universal Coordinated Time.

Visualization Area: Counts View

The Counts View shows a stacked bar chart with time periods along the x-axis and event counts along
the y-axis. The height of each bar represents the number of events that occurred in that time period.
The different colored segments represent different event types. Right clicking the bars brings up a
context menu with selection and zooming actions.

The only setting specific to the Counts View is what kind of vertical scale to use. The default linear
scale is good for many use cases. When this scale is selected, the height of the bars represents the
counts in a linear, one-to-one fashion, and the y-axis is labeled with values. When the range of count
values is very large, date ranges with relatively low counts have a bar that may be too small to see. To
help avoid the misperception of this as no events, the labels for time periods with events are bold
relative to the labels for time periods with no events. To see the events when the bar for a period is too
small, there are three options: adjust the window size so that the visualization area has more vertical
space, adjust the time range shown so that time periods with relatively much larger bars are excluded,
or adjust the scale setting to square root or logarithmic. The square root and logarithmic scales
represent the number of events in a non linear way that compresses the difference between very large
and very small numbers. Note that even with the logarithmic scale, an extremely large difference in
counts may still produce bars too small to see. In this case the only option may be to exclude events to
reduce the difference in counts. Because the square root and logarithmic scales are applied to each
event type separately, the height of the combined bar is not very meaningful, and to emphasize this, no
labels are shown on the y-axis. The non-linear scales should be used to quickly compare the counts
relative across time within a type, or across types for one time period, but not both. The exact numbers
(available in tooltips or the result viewer) should be used for absolute comparisons. Use the non-linear
scales with care.

Visualization Area: Details View

The Details View shows events clustered by their description. Date/time is represented horizontally
along the x-axis, but the vertical axis does not represent anything and is only used as a space to layout
overlapping events. Events with the same type and description that occur close together in time may be
clustered together. The Time Unit, Event Type and Description Detail sliders control how events are
clustered. When the Description Detail level is at full, it is likely that very few events will be clustered,
resulting in an enormous amount of detail being displayed. This can cause significant UI lag, and so it
is not recommended to use the full description unless the time range has been narrowed
and/or filters applied to reduce the number of events shown. Projections of the selected clusters
are displayed on the x-axis to help visualize the temporal relationships between them.
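The three zoom levels, the clustering they drive, and the per-type scaling of the Counts View can all be shown in code. The following is an added example, not Autopsy's timeline implementation: it clusters a constructed event list by time unit, event-type level and description detail as the Details View does, produces per-bucket type counts as the Counts View does, and applies the linear, square-root and logarithmic scales to each type separately so the "combined bar is not very meaningful" point is visible in the numbers. The Event type, the TIME_UNITS table, the choice of log10(n)+1 for the logarithmic scale, and the sample events are all this example's own.

```python
import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Event:
    timestamp: int            # epoch seconds, UTC (assumption of this example)
    event_type: tuple         # (base type, sub-type), e.g. ("File System", "Modified")
    description: str          # full description, e.g. a path inside the image


# Time Units zoom: the finer the unit, the more buckets along the x-axis.
TIME_UNITS = {"year": "%Y", "month": "%Y-%m", "day": "%Y-%m-%d", "hour": "%Y-%m-%d %H"}


def time_bucket(ts: int, unit: str) -> str:
    return datetime.fromtimestamp(ts, timezone.utc).strftime(TIME_UNITS[unit])


def type_at_level(event_type: tuple, level: int) -> tuple:
    """Event Type zoom: level 0 keeps only the base type, level 1 keeps the sub-type too."""
    return event_type[: level + 1]


def description_at_level(description: str, level) -> str:
    """Description Detail zoom for path-like descriptions: 0 = root folder, 1 = one folder
    deeper, and so on; None means the full description. Non-path descriptions are left whole."""
    if level is None or not description.startswith("/"):
        return description
    parts = description.strip("/").split("/")
    return "/" + "/".join(parts[: level + 1])


def cluster_events(events, time_unit: str, type_level: int, desc_level) -> dict:
    """Details View: events sharing a time bucket, (zoomed) type and (zoomed) description form
    one cluster. Returns cluster key -> number of events in it."""
    clusters = defaultdict(int)
    for ev in events:
        key = (
            time_bucket(ev.timestamp, time_unit),
            type_at_level(ev.event_type, type_level),
            description_at_level(ev.description, desc_level),
        )
        clusters[key] += 1
    return dict(clusters)


def counts_view(events, time_unit: str, type_level: int) -> dict:
    """Counts View: per time bucket, how many events of each (zoomed) type occurred."""
    counts = defaultdict(Counter)
    for ev in events:
        counts[time_bucket(ev.timestamp, time_unit)][type_at_level(ev.event_type, type_level)] += 1
    return {bucket: dict(c) for bucket, c in counts.items()}


# Vertical scale options; log10(n) + 1 is this example's choice so that a count of 1 is still visible.
SCALES = {
    "linear": lambda n: float(n),
    "square root": math.sqrt,
    "logarithmic": lambda n: math.log10(n) + 1 if n > 0 else 0.0,
}


def bar_segments(type_counts: dict, scale: str) -> dict:
    """Height of each coloured segment of one stacked bar. Non-linear scales are applied to each
    type separately, so the stacked total is not the scaled total count."""
    f = SCALES[scale]
    return {t: f(n) for t, n in type_counts.items()}


def _ts(y, m, d, hh, mm) -> int:
    return int(datetime(y, m, d, hh, mm, tzinfo=timezone.utc).timestamp())


# Constructed events: three file-system events on one picture, one web visit, two DLL changes.
SAMPLE_EVENTS = [
    Event(_ts(2014, 3, 14, 16, 47), ("File System", "Created"), "/Users/alice/Pictures/IMG_0001.jpg"),
    Event(_ts(2014, 3, 14, 16, 47), ("File System", "Accessed"), "/Users/alice/Pictures/IMG_0001.jpg"),
    Event(_ts(2014, 3, 14, 16, 50), ("File System", "Changed"), "/Users/alice/Pictures/IMG_0001.jpg"),
    Event(_ts(2014, 3, 14, 9, 5), ("Web Activity", "Web History"), "www.example.com"),
    Event(_ts(2014, 3, 15, 10, 0), ("File System", "Modified"), "/Windows/System32/a.dll"),
    Event(_ts(2014, 3, 15, 10, 1), ("File System", "Modified"), "/Windows/System32/b.dll"),
]


if __name__ == "__main__":
    print("zoomed out:", cluster_events(SAMPLE_EVENTS, "day", 0, 0))
    print("full detail:", cluster_events(SAMPLE_EVENTS, "hour", 1, None))
    day = counts_view(SAMPLE_EVENTS, "day", 0)["2014-03-14"]
    print("sqrt segments:", bar_segments(day, "square root"))
```

Zoomed all the way out (day, base type, root folder) the six events collapse to three clusters; at full detail they are six separate clusters, which is the growth in displayed detail the page warns about. For 2014-03-14 the square-root segments sum to sqrt(3) + sqrt(1), not sqrt(4), which is why the y-axis is left unlabelled on non-linear scales.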

The Details View has four settings that affect the visible information and the layout of the event
clusters. The four settings are independent and can be combined to achieve a variety of effects with
different densities of information and layout patterns.

Band by Type: If Band by type is not selected, all the event clusters of different types will be
intermixed, in a compact layout. If Band by Type is selected, each event type will have a horizontal
band reserved for it and events of different types will not be intermixed. Band by Type is useful when
the user wants to compare events of the same type primarily.

One event per Row: If one event per row is selected no event clusters will ever overlap vertically, this
will make the visualization more like a Gantt chart but uses much more vertical space.

Truncate Descriptions: The user can select 'truncate descriptions' and choose a length (in pixels) to
truncate the text label shown with each cluster. This is useful if the descriptions are long and preventing
a compact layout.

Description Visibility: The user may choose a description visibility level of 'show', 'counts only', or
'hide'. Show is the default. If Counts only is selected, only the count in parenthesis is shown, if hide is
selected the entire text label is hidden. Counts only and hide are useful if the user wants to get a less
cluttered view, focussed more on when event clusters occurred and their type, and is not interested in
the descriptions.

Clicking the small green [+] button in a cluster will expand it with the next level of detail. The events in
the cluster will be displayed clustered at a time scale appropriate for their extent and the detail level
chosen. This can be repeated for the subclusters, to create a nested hierarchy of clusters. Clicking the
red [-] button collapses a cluster to a lower level of detail. As with the global description level, care
should be used when fully expanding large clusters, as this may cause an enormous amount of detail
to be shown, slowing the tool down.

When the Details View is active, the Events tab next to the Filters tab is enabled. This tab shows a list of
all the descriptions presented in the visualization. Selecting a description in the list highlights all the
event clusters with that description.

2015/7/29 Autopsy User Documentation: STIX

STIX

Overview

This document outlines the use of the STIX feature of Autopsy. This feature allows one or more
Structured Threat Information Exchange (STIX) files to be run against a data source, reporting which
indicators were found in the data source. More information about STIX can be found at
https://stix.mitre.org/. This document assumes basic familiarity with Autopsy.

Quick Start

1. Create a case as normal and add a disk image (or folder of files) as a data source. To get the
most out of the STIX module, ensure that the following ingest modules are selected:
o Recent Activity
o Hash Lookup (Check box to calculate MD5 hashes even with no database selected)
o File Type Identification
o Keyword Search (URL, IP, and Email addresses)
o Email Parser
o Extension Mismatch Detector

2. After the image has been added and ingest is complete, click the Report button then select STIX.
Next choose either a single STIX file or a directory of STIX files to run against the image. It is
possible to do this while ingest is running but the results will be incomplete.

3. Once the STIX report module is complete, there will be two sets of results:
o Entries will be created under Interesting Items in the Autopsy tree, under a subheading for
each indicator.
o A log of which indicators/observables were found is generated by the report module
(Follow the link on the Report Generation Progress window)

Supported CybOX Objects

• Address Object
o Address Value
• Domain Name Object
o Value
• Email Message Object
o To
o CC
o From
o Subject
• File Object
o Size_In_Bytes
o File Name
o File Path
o File Extension
o Modified Time
o Accessed Time
o Created Time
o Hashes (MD5 only)
o File Format
o is_masqueraded
• URI Object
o Value
• URL History Object
o Browser_Information (Name)
o URL
o Hostname
o Referrer URL
o Page_Title
o User_Profile_Name
• User Account Object
o Home_Directory
o Username
• Win Executable File Object
o Time_Date_Stamp
• Windows Network Share Object
o Local Path
o Netname
• Win Registry Key Object
o Key (Required)
o Hive
o Values
• System Object
o Hostname
o Processor Architecture
• Win System Object
o Product ID
o Product Name
o Registered_Owner
o Registered_Organization
o Windows_System_Directory
o Windows_Temp_Directory
• Win User Account Object
o SID

http://www.sleuthkit.org/autopsy/docs/user-docs/3.1/stix_page.html

See http://cybox.mitre.org for more information on CybOX Objects.

Limitations

• As shown in the list above, not all CybOX objects/fields are currently supported. When an
unsupported object/field is found in an observable, its status is set to "indeterminate" instead of
true or false. These indeterminate fields will not change the result of the observable composition
(i.e., if the rest is true, the overall result will stay as true).

• Not all ConditionTypeEnum values are supported. It varies by field, but generally on String fields
the following work: EQUALS, DOES_NOT_EQUAL, CONTAINS, DOES_NOT_CONTAIN,
STARTS_WITH, ENDS_WITH. If a condition type is not supported there will be a warning in the
log file.

• Related objects are not processed.
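The first two limitations amount to three-valued logic, which is easiest to see in code. The following added example (not the Autopsy STIX module's code) evaluates file observables against a constructed artifact using the string condition types listed above, returns "indeterminate" for an unsupported field or condition type while logging a warning, and composes results with AND/OR so that indeterminate members do not change the outcome. The field names come from the supported-objects list; Byte_Runs is used only as a stand-in for a field that is not on that list, FITS_PATTERN as a condition type outside the supported set, and the artifact values are made up.

```python
from enum import Enum


class Tri(Enum):
    TRUE = "true"
    FALSE = "false"
    INDETERMINATE = "indeterminate"


# Condition types the page says generally work on String fields; anything else is unsupported.
STRING_CONDITIONS = {
    "EQUALS": lambda actual, expected: actual == expected,
    "DOES_NOT_EQUAL": lambda actual, expected: actual != expected,
    "CONTAINS": lambda actual, expected: expected in actual,
    "DOES_NOT_CONTAIN": lambda actual, expected: expected not in actual,
    "STARTS_WITH": lambda actual, expected: actual.startswith(expected),
    "ENDS_WITH": lambda actual, expected: actual.endswith(expected),
}

# String fields of the File Object from the supported list above (example's selection).
SUPPORTED_FILE_FIELDS = {"File_Name", "File_Path", "File_Extension", "File_Format"}


def evaluate_field(field: str, condition: str, expected: str, artifact: dict, log: list) -> Tri:
    """Evaluate one CybOX field test against an artifact (a dict of field -> value)."""
    if field not in SUPPORTED_FILE_FIELDS:
        log.append(f"warning: field {field} not supported, result indeterminate")
        return Tri.INDETERMINATE
    test = STRING_CONDITIONS.get(condition)
    if test is None:
        log.append(f"warning: condition type {condition} not supported on {field}, result indeterminate")
        return Tri.INDETERMINATE
    return Tri.TRUE if test(artifact.get(field, ""), expected) else Tri.FALSE


def combine(op: str, results: list) -> Tri:
    """Observable composition with AND/OR over three-valued results. Indeterminate members are
    ignored; if nothing at all is determined, the composition itself is indeterminate."""
    determined = [r for r in results if r is not Tri.INDETERMINATE]
    if not determined:
        return Tri.INDETERMINATE
    if op == "AND":
        return Tri.TRUE if all(r is Tri.TRUE for r in determined) else Tri.FALSE
    if op == "OR":
        return Tri.TRUE if any(r is Tri.TRUE for r in determined) else Tri.FALSE
    raise ValueError(f"unknown composition operator {op!r}")


def evaluate_observable(fields: list, artifact: dict, log: list) -> Tri:
    """An observable's field tests are ANDed; indeterminate fields do not change the outcome."""
    return combine("AND", [evaluate_field(f, c, v, artifact, log) for f, c, v in fields])


# Constructed artifact standing in for a file found in the image.
ARTIFACT = {
    "File_Name": "update.exe",
    "File_Path": "C:/Users/alice/AppData/Local/Temp/update.exe",
    "File_Extension": "exe",
}


def demo() -> dict:
    log = []
    # Observable A: two supported tests plus an unsupported field -> stays TRUE.
    a = evaluate_observable([("File_Name", "EQUALS", "update.exe"),
                             ("File_Path", "CONTAINS", "Temp"),
                             ("Byte_Runs", "EQUALS", "00 01 02")], ARTIFACT, log)
    # Observable B: a condition type outside the supported set -> INDETERMINATE, with a warning.
    b = evaluate_observable([("File_Name", "FITS_PATTERN", "upd.*")], ARTIFACT, log)
    # Observable C: a determined FALSE.
    c = evaluate_observable([("File_Extension", "EQUALS", "dll")], ARTIFACT, log)
    return {"A": a, "B": b, "C": c,
            "A and B": combine("AND", [a, b]),
            "A and C": combine("AND", [a, c]),
            "B or C": combine("OR", [b, c]),
            "warnings": log}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Observable A comes out TRUE despite the unsupported Byte_Runs field, which is the "if the rest is true, the overall result will stay as true" behaviour; the two warnings in the returned log correspond to the log-file warnings the page mentions.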


2015/7/29 Autopsy User Documentation: Tagging

Tagging

Tagging (or Bookmarking) allows you to create a reference to a file or object and easily find it later.

When an interesting item is discovered, the user can tag it by right-clicking the item and selecting one
of the tag options.

When you tag a Blackboard artifact result, you have the choice to either:

• Tag File - use this when the file itself is of interest
• Tag Result - use this when the result is of interest

Which to choose depends upon the context and what you desire in the final report.

[Screenshot: right-clicking a keyword hit result (from places.sqlite) in the Result Viewer shows a context menu with View File in Directory, View in New Window, Open in External Viewer, Extract File(s), Search for files with the same MD5 hash, Tag File (with a Quick Tag submenu), Tag Result, Tag and Comment... and Add file to hash database.]

Once you have chosen to tag the file or the result, there are two more options:
• Quick Tag - use this if you just want the tag
• Tag and Comment - use this if you need to add a comment about this tag

[Screenshot: the Create Tag dialog, with a Tag drop-down (showing "rabbit"), a Comment field ("Some comment about this item...") and New Tag, OK and Cancel buttons.]

http://www.sleuthkit.org/autopsy/docs/user-docs/3.1/tagging_page.html