Autopsy User Documentation  4.11.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
Central Repository

Overview

The central repository allows a user to find matching artifacts both across cases and across data sources in the same case. It is a combination of an ingest module that extracts, stores, and compares properties against lists of notable properties, a database that stores these properties, and an additional panel in Autopsy to display other instances of each property. The central repository database can either be SQLite or PostgreSQL.

The following are some use cases for the central repository:

Terms and Concepts

Setup

To start, open the main options panel and select the "Central Repository" icon.

central_repo_options.png

Setting up the Database

On the central repository options panel, check the 'Use a Central Repository' option and then click the Configure button to set up a database. There are two options here:

Once a database has been configured, the lower two buttons on the main panel will be enabled, which will be described below.

Setting up PostgreSQL Deployment

If needed, see the Install and Configure PostgreSQL for help setting up your PostgreSQL server.

For PostgreSQL all values are required, but some defaults are provided for convenience.

central_repo_postgres.png

If the database does not exist, you wll be prompted to create it.

Setting Up SQLite Deployment

Select SQLite in the Database Type to set up a SQLite database. SQLite databases should not be used if more than one client will be accessing the central repository.

central_repo_sqlite.png

Enter or browse to a folder for the database. If the database file does not exist in that folder, you will be prompted to create it.

Manage Correlation Properties

The Correlation Engine ingest module can save different types of properties to the database. By default all properties are recorded, but this setting can be changed on the options panel through the Manage Correlation Properties button. Note that these settings are saved to the database, so in a multi-user setting any changes will affect all users.

central_repo_types.png

Descriptions of the property types:

Manage Organizations

Organizations are stored in the central repository and contain contact information for the given organization. Organizations are used for Hash Sets saved in the central repository, and can also be associated with Autopsy cases.

central_repo_orgs.png

One default org, "Not Specified" will always be present in the list. New organizations can be created, edited, and deleted through the appropriate buttons. Note that any organization that is currently in use by a case or hash set can not be deleted. All fields apart from the organization name are optional.

central_repo_new_org.png

Manage Cases

Displays a list of all cases that are in the central repository database and details about each case.

central_repo_details.png

Using the Central Repository

Correlation Engine Module

The Correlation Engine ingest module is responsible for adding properties to the database and comparing each property against the list of notable properties. It is best to run all ingest modules to get the most out of the Correlation Engine. For example, if Hash Lookup is not run then the Correlation Engine module will not put any files into the database. If the Correlation Engine module is not run on a particular case but a central repository is enabled, there will still be some limited functionality. The Content Viewer will still display matching properties from other cases/data sources where the Correlation Engine was run.

central_repo_ingest_settings.png

There are three settings for the Correlation Engine ingest module:

Tagging Files and Artifacts

Tagging a file or artifact with a "notable" tag will change its associated property in the central repository to notable as well. By default, there will be a tag named "Notable Item" that can be used for this purpose. See the Tagging page for more information on creating additional tags with notable status. Any future data source ingest (where this module is enabled) will use those notable properties in a similar manner as a Known Bad hash set, causing matching files and artifacts from that ingest to be added to the Interesting Items list in that currently open case.

central_repo_tag_file.png

If a tag is accidentally added to a file or artifact, it can be removed though the context menu. This will remove its property's notable status in the central repository.

If you would like to prevent the Interesting Items from being created in a particular case, you can disable the flagging through the run time ingest properties. Note that this only disables the Interesting Item results - all properties are still added to the central repository.

central_repo_ingest_settings.png

Viewing Results

Results from enabling a central repository and running the Correlation Engine Ingest Module can be seen in two places:

Content Viewer

The Content Viewer panel is where previous instances of properties are displayed. Without a central repository enabled, this "Other Occurrences" panel will show files with hashes matching the selected file within the current case. Enabling a central repository allows this panel to also display matching properties stored in the database, and adds some functionality to the row. Note that the Correlation Engine Ingest Module does not have to have been run on the current data source to see correlated properties from the central repository. If the selected file or artifact is associated by one of the supported Correlation Types, to one or more properties in the database, the associated properties will be displayed. Note: the Content Viewer will display ALL associated properties available in the database. It ignores the user's enabled/disabled Correlation Properties.

The other occurrences are grouped by case and then data source. The rows in the content viewer have background colors to indicate if they are known to be of interest. Properties that are notable will have a Red background, all others will have a White background. The notable status will also be displayed in the "Known" column.

central_repo_content_viewer.png

The user can click on any column heading to sort by the values in that column.

If the user selects a row and then right-clicks, a menu will be displayed. This menu has several options.

  1. Select All
  2. Export Selected Rows to CSV
  3. Show Case Details
  4. Show Frequency

Select All

This option will select all rows in the Content Viewer table.

Export Selected Rows to CSV

This option will save ALL SELECTED rows in the Content Viewer table to a CSV file. By default, the CSV file is saved into the Export directory inside the currently open Autopsy case, but the user is free to select a different location.

Note: if you want to copy/paste rows, it is usually possible to use CTRL+C to copy the selected rows and then CTRL+V to paste them into a file, but it will not be CSV formatted.

Show Case Details

This option will open a dialog that displays all of the relevant details for the selected case. The details will include:

These details would have been entered by the examiner of the selected case, when creating the case or later by visiting the Case -> Case Properties menu.

Show Frequency

This shows how common the selected file is. The value is the percentage of case/data source tuples that have the selected property.

Add/Edit Comment

If you want instead to edit the comment of a node, it can be done by right clicking on the original item in the result viewer and selecting "Add/Edit Central Repository Comment".

central_repo_comment_menu.png

Interesting Items

In the Results tree of an open case is an entry called Interesting Items. When this module is enabled, all of the enabled Correlatable Properties will cause matching files and artifacts to be added to this Interesting Items tree during ingest.

central_repo_interesting_items.png

As an example, suppose the Files Correlatable Property is enabled and the ingest is currently processing a file "badfile.exe", and the MD5 hash for that file already exists in the database as a notable file property. In this case an entry in the Interesting Items tree will be added for the current instance of "badfile.exe" in the data source currently being ingested.

The same type of thing will happen for each enabled Correlatable Property.

In the case of the phone number correlatable type, the Interesting Items tree will start a sub-tree for each phone number. The sub-tree will then contain each instance of that notable phone number.


Copyright © 2012-2019 Basis Technology. Generated on Fri Jun 21 2019
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.