Autopsy User Documentation  4.16.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
Interesting Files Identifier Module

Overview

The Interesting Files module allows you to automatically flag files and directories that match a set of rules. This can be useful if you always need to check whether files with a given name or path are in the data source, or if you are always interested in files with a certain type.

This module allows you to make sets of rules that will be run against each file as it is processed. If a file matches any of the rules, you will see an entry for it in the Tree Viewer. You can share your rules with other users, and import sets made by others into your copy of Autopsy.

Terminology

Configuration

To create and edit your rule sets, go to "Tools", "Options" and then select the "Interesting Files" tab. The area on the left side will show you a list of all the rule sets that are currently available. This will include the official rule sets that are included with Autopsy and any rule sets that you create. Selecting a rule set will display its description and information about each of its rules on the right side of the panel.

[Image: main.png]

The buttons on the bottom of the left side of the panel control the rule sets.

Note that the predefined rule sets cannot be deleted or edited. If you believe you have additions that would be useful to the community, see the Updating the Official Interesting File Sets page for instructions on submitting updates.

Selecting a rule set will display its description, whether it ignores known files, and the rules contained in the set. Selecting a rule will display the conditions for that rule in the "Rule Details" section.

The buttons under the list of rules allow you to create new rules and edit or delete existing rules. Selecting "New Rule" will bring up a new window to create the rule.

[Image: new_rule.png]

The top line allows you to choose whether you want to match only files, only directories, or both. If you select directories or both, some of the condition types will be unavailable since they only apply to files.

Each rule must have at least one condition. To create conditions, check the box to the left of the condition you want to enable. The following is a description of each condition, with some full examples after.

Finally, you can optionally enter a name for the rule. This name will be displayed in the UI for each match.

Examples

Here are a few examples of rules being created.

This is a rule that matches any file with "bomb" in the name that also has an "image/png" MIME type.

[Image: bomb_png.png]

This is a rule that matches folders named "Private".

[Image: private_folder.png]

This rule looks for archives in a user's Downloads directory. It requires both "Users" and "Downloads" in the file's path, and an extension of .zip, .rar, or .7z.

[Image: download_archive.png]

This is a rule that matches files of at least 50MB in size that were modified in the last week.

[Image: new_large_files.png]
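To make the semantics of the four example rules concrete, here is a small rule evaluator written for this page. It is an added illustration, not Autopsy's own implementation: the FileRecord fields, the condition helpers, the "all conditions must hold" matching, the case-insensitive substring matching for names and paths, the sample file listing and the reference date are all assumptions made for the example. Each rule's name plays the role of the "Category" value shown for a match.

```python
"""Minimal evaluator for rules like the Interesting Files examples on this page.

Added example, not Autopsy's code: the record fields, condition helpers and
matching semantics (case-insensitive substring checks, all conditions ANDed)
are assumptions for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class FileRecord:
    """Constructed stand-in for the per-file metadata an ingest module sees."""
    path: str                  # full path inside the data source, "/" separated
    is_dir: bool = False
    size: int = 0              # bytes
    mime_type: str = ""
    mtime: Optional[datetime] = None

    @property
    def name(self) -> str:
        return self.path.rstrip("/").rsplit("/", 1)[-1]

    @property
    def parent(self) -> str:
        return self.path.rstrip("/").rsplit("/", 1)[0]

    @property
    def extension(self) -> str:
        return self.name.rsplit(".", 1)[-1].lower() if "." in self.name else ""


Condition = Callable[[FileRecord], bool]


@dataclass
class Rule:
    name: str                  # shown in the "Category" column on a match
    applies_to: str = "files"  # "files", "dirs" or "both"
    conditions: List[Condition] = field(default_factory=list)

    def matches(self, f: FileRecord) -> bool:
        if self.applies_to == "files" and f.is_dir:
            return False
        if self.applies_to == "dirs" and not f.is_dir:
            return False
        # A rule needs at least one condition, and every enabled one must hold.
        return bool(self.conditions) and all(c(f) for c in self.conditions)


# Condition builders; each returns a predicate over a FileRecord.
def name_contains(s: str) -> Condition:
    return lambda f: s.lower() in f.name.lower()

def name_equals(s: str) -> Condition:
    return lambda f: f.name.lower() == s.lower()

def mime_is(m: str) -> Condition:
    return lambda f: f.mime_type == m

def path_contains(*fragments: str) -> Condition:
    # every fragment must appear somewhere in the parent path
    return lambda f: all(x.lower() in f.parent.lower() for x in fragments)

def extension_in(*exts: str) -> Condition:
    wanted = {e.lower().lstrip(".") for e in exts}
    return lambda f: f.extension in wanted

def size_at_least(n: int) -> Condition:
    return lambda f: f.size >= n

def modified_within(days: int, now: datetime) -> Condition:
    cutoff = now - timedelta(days=days)
    return lambda f: f.mtime is not None and f.mtime >= cutoff


def evaluate(files: List[FileRecord], rule_sets: Dict[str, List[Rule]]) -> List[Tuple[str, str, str]]:
    """Return (rule set, rule name, path) for every match, as the tree would list them."""
    hits = []
    for set_name, rules in rule_sets.items():
        for rule in rules:
            for f in files:
                if rule.matches(f):
                    hits.append((set_name, rule.name, f.path))
    return hits


# Constructed reference time and sample listing (not taken from a real image).
NOW = datetime(2020, 9, 22)
MB = 1024 * 1024

EXAMPLE_SET = {
    "Page examples": [
        Rule("bomb_png", "files", [name_contains("bomb"), mime_is("image/png")]),
        Rule("private_folder", "dirs", [name_equals("Private")]),
        Rule("download_archive", "files",
             [path_contains("Users", "Downloads"), extension_in("zip", "rar", "7z")]),
        Rule("new_large_files", "files",
             [size_at_least(50 * MB), modified_within(7, NOW)]),
    ]
}

SAMPLE_FILES = [
    FileRecord("/Users/alice/Pictures/bomb.png", mime_type="image/png", size=40_000),
    FileRecord("/Users/alice/Pictures/bomb.txt", mime_type="text/plain"),
    FileRecord("/Users/alice/Private", is_dir=True),
    FileRecord("/Users/alice/private.zip", size=10),
    FileRecord("/Users/alice/Downloads/tools.7z", size=5 * MB, mtime=NOW - timedelta(days=30)),
    FileRecord("/Users/alice/Downloads/notes.txt"),
    FileRecord("/Users/alice/Videos/big.mkv", size=700 * MB, mtime=NOW - timedelta(days=2)),
    FileRecord("/Users/alice/Videos/old.mkv", size=700 * MB, mtime=NOW - timedelta(days=20)),
]


def run_example() -> List[Tuple[str, str, str]]:
    return evaluate(SAMPLE_FILES, EXAMPLE_SET)


if __name__ == "__main__":
    for set_name, rule_name, path in run_example():
        print(f"{set_name} / {rule_name}: {path}")
```

Running it lists exactly one match per rule: bomb.png (bomb.txt has the right name but the wrong MIME type), the Private directory (private.zip is a file, so the directories-only rule skips it), tools.7z (notes.txt has the right path but the wrong extension) and big.mkv (old.mkv is large enough but too old). The same "every enabled condition must hold" logic is what makes the size-plus-age rule narrower than either condition alone.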

Running the Module

At runtime, you can select which rule sets you would like to run on your data source.

[Image: ingest.png]

Viewing Results

Files that match any of the rules in the enabled rule sets will be shown in the Results section of the Tree Viewer under "Interesting Items" and then the name of the rule set that matched. Note that other modules besides Interesting Files put results in this section of the tree, so there may be more than just what matched your rule sets. Selecting the "Interesting Files" node under one of your rule sets will display all matching files in the Result Viewer.

[Image: results.png]

You can see which rule matched in the "Category" column. You can export some or all of the files for further analysis. To do this, first use the standard Windows file selection methods to highlight the files you want to export in the Result Viewer.

Once you have your desired files selected, right click and select "Extract Files" to save copies of them.


Copyright © 2012-2020 Basis Technology. Generated on Tue Sep 22 2020
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.