Autopsy User Documentation  4.10.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
Portable Cases

Overview

A portable case is a partial copy of a normal Autopsy case that can be opened from anywhere. The general use case is as follows:

  1. Alice is analyzing one or more data sources using Autopsy. She tags files and results that are of particular interest.
  2. Alice wants to share her findings with Bob but is unable to send him the original data sources.
  3. Alice creates a portable case which will contain only her tagged files and results, plus any files associated with those results, and sends it to Bob.
  4. Bob can open the portable case in Autopsy and view all files and results Alice tagged, and run any of the normal Autopsy features.

For example, Alice's original case could look like this:

portable_case_original_version.png

The portable version could like this:

portable_case_portable_version.png

Alice only tagged eight files and results, so most of the original content is no longer in the case. Some of the data sources had no tagged items so they're not included at all. The file structure of any tagged files is preserved - you can see that the tagged image in the screenshot is still in the same location, but the non-tagged files are gone. Note that although the original images (such as "image1.vhd") appear in the tree, their contents are not included in the portable case.

Creating a Portable Case

First you'll want to make sure that all the files and results you want included in the portable case are tagged - see the Tagging page for more details. You can see what tags you've added in the Tree Viewer.

portable_case_tags.png

Portable cases are created through the Reporting feature. The Generate Report dialog will display a list of all tags that are in use in the current case and you can choose which ones you would like to include. At the bottom you can select the output folder for the new case. By default it will be placed in the "Reports" folder in the current case.

portable_case_report_panel.png

Here you can see the new portable case. It will be named with the original case name plus "(Portable)". The portable case is initially missing many of the normal Autopsy folders - these will be created the first time a user opens it. The portable case folder can be zipped and sent to a different user.

portable_case_folder.png

Using a Portable Case

Portable cases generally behave like any other Autopsy case. You can run ingest, do keyword searches, use the timeline viewer, etc. One point to note is that while the original data source names appear in the case, the data sources themselves were not copied into the portable case.

portable_case_empty_image.png

This may cause warning or error messages when using ingest modules that run on the full image, such as the Data Source Integrity Module. You will also not be able to view the data sources in the content viewer.

You can also add additonal data sources to the portable case if you wish. The case will no longer be portable, but if desired you could generate a new portable case that will include tagged files and results from the new data sources as well as the original case.


Copyright © 2012-2019 Basis Technology. Generated on Fri Mar 22 2019
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.