Autopsy User Documentation
4.16.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
|
Autopsy can store and organize account information based on personas, which represent an online identity. A person may have several online identities and therefore several personas. As an example, a single person may have a set of accounts that post online about loving cats and another set of accounts that appear unrelated that post about hating cats.
Here are some basic concepts about persona:
Personas are stored in the Central Repository based on accounts that were found in results. These results are generated by various ingest modules such as the Recent Activity Module and Android Analyzer Module.
Autopsy provides a dedicated tool, Personas Editor, to create, view, edit, and delete personas.
The Personas Editor is loaded through the Tools -> Personas menu item.
The left panel in the Personas Editor is a table that lists personas, based on the selected criteria. The right panel displays the details of selected persona.
By default, when the Personas Editor is launched, all the personas in the Central Repository are listed in the table. You may filter this list by checking the "Filter personas by Keyword" checkbox. Type in either a persona name or an account identifier in the textbox and select the "Name" or "Account" radio button appropriately. Then click the "Show" button to show only the personas that match the filtering criteria.
To create a new persona, click the "New Persona" button. A "Create Persona" dialog box will pop up. The following is a description of each field:
Each persona needs at least one account associated with it. These accounts must have been previously saved to the central repository. Clicking "Add" under "Accounts" will bring up another dialog with four fields, all required:
When finished adding at least one account and filling in the required fields, click on OK to create the persona. A persona with the specified name will be created and associated with the specified account(s).
To edit a persona, click the "Edit Persona" button. You'll be able to edit all the data about the persona.
To delete a persona, select the persona in the table and click on the "Delete Persona" button. Click "Yes" on confirmation dialog to delete the selected persona.
All personas must be associated with at least one account. Normally these account will be added to the central repository by various ingest modules, but you can also create them manually with the "Create Account" button.
Autopsy shows persona associated with accounts, where applicable. When viewing contact, call log and message results, Autopsy shows the personas associated with accounts in these panels. If no persona exists for an account, Autopsy provides a button for the user to create one.
As shown below, when viewing a contact result you may see persona data. When one or more personas are found associated with the accounts in the result then the Persona name is shown in the contact content viewer. There will be a "View" button to see the details of the persona.
If no matching persona is found, a "Create" button is shown to create a persona for the account(s). This will bring you to the Create Personas panel with the account(s) already added.
Personas are integrated similarly in the content viewers for call logs and messages/e-mail.
Personas are integrated with the Communications Visualization Tool. When viewing accounts in the Accounts browsers in the Communications Visualization Tool, associated persona information is shown in the tooltip if you hover over the account.
As in the Autopsy main window, you may also create or view personas when examining contacts, call logs, and messages in the Communications Visualization Tool.
Copyright © 2012-2020 Basis Technology. Generated on Tue Sep 22 2020
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.