Autopsy User Documentation  4.13.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
Common Properties Search

Overview

The Common Properties Search feature allows you to search for multiple copies of a property within the current case or within the Central Repository.

To start a search, go to Tools->Find Common Properties to bring up the main dialog. Searching requires at least one of the following to be true:

If both conditions are false, then the menu item will be disabled. If only one is false then part of the search dialog will be disabled.

Common Properties Search Scope

Different parameters are needed for setting up the two types of searches. These will be described below.

Scope - between data sources in the current case

This type of search looks for files that are in multiple data sources within the current case. It does not require the Central Repository to be enabled, and currently only searches for common files. You must run the Hash Lookup Module to compute MD5 hashes on each data source prior to performing the search. The search results will not include any files that have been marked as "known" by the hash module (ex: files that are in the NSRL).

common_properties_intra_case.png

By default, the search will find matching files in any data sources. If desired, you can change the search to only show matches where one of the files is in a certain data source by selecting it from the list:

common_properties_select_ds.png

You can also choose to show any type of matching files or restrict the search to pictures and videos and/or documents.

Finally, if you have the Central Repository enabled you can choose to hide matches that appear with a high frequency in the Central Repository.

Scope - between current case and cases in the Central Repository

This type of search looks for files that contain common properties between the current case and other cases in the Central Repository. You must run the Correlation Engine ingest module on each case with the property you want to search for enabled, along with the ingest modules that produce that property type (see Manage Correlation Properties).

common_properties_cr.png

You can restrict the search to only include results where at least one of the matches was in a specific case.

common_properties_cr_case_select.png

In the example above, any matching properties would have to exist in the current case and in Case 2. Note that matches in other cases will also be included in the results, as long as the property exists in the current case and selected case.

You can select the type of property to search for in the menu below:

common_properties_cr_property.png

Restricting a file search to only return images or documents is currently disabled.

You can choose to hide matches that appear with a high frequency in the Central Repository. Finally you can choose how to display the results, which will be described below.

Search Results

Each search displays its results in a new tab. The title of the tab will include the search parameters.

Sort by number of data sources

common_properties_result.png

This is how all results from searches within the current case are displayed, and an option for displaying the results of a search between the current case and the Central Repository. The top tree level of the results shows the number of matching properties. The results are grouped by how many matching properties were found and then grouped by the property itself.

Sort by case

This option is only available when searching between the current case and the Central Repository. The top level shows each case with matching properties, then you can select which data source to view. Every matching property will be displayed under the data source.

common_properties_result_case_sort.png

Copyright © 2012-2019 Basis Technology. Generated on Thu Nov 21 2019
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.