Autopsy User Documentation  4.19.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
Auto Ingest Administration

Table of Contents

Overview

Examiner nodes in an Automated Ingest environment can be given a type of administrator access. This allows an admin to:

Setup

The admin panel is enabled by creating the file "admin" in the user config directory. Note that the name must be exactly that with no extension. It also works to make a folder named "admin" instead of a file which can be easier on machines where the file extension is hidden. No restart is needed; simply reopen the Auto Ingest Dashboard after creating the file.

For an installed copy of Autopsy, the file will go under "C:\Users\<user name>\AppData\Roaming\Autopsy\config".

admin_file.png

Auto Ingest Jobs Panel

With the admin file in place, the user can right-click on jobs in each of the tables of the jobs panel to perform different actions. In the Pending Jobs table, the context menu allows cases and individual jobs to be prioritized.

admin_jobs_panel.png

You can also selectively enable optical character recognition (OCR) on a case-by-case basis. This will override the normal Keyword Search settings for every job in the case. Jobs in progress will not be affected. To enable OCR for a case, right-click on a job from that case in the Pending Jobs table and select "Enable OCR For This Case".

admin_jobs_ocr1.png

Once enabled, a green checkmark will appear in the OCR column next to every pending job for that case.

admin_jobs_ocr2.png

In the Running Jobs tables, the ingest progress can be viewed and the current job can be cancelled. Note that cancellation can take some time. You can also generate a thread dump if you suspect ingest may be stuck.

admin_jobs_cancel.png

In the Completed Jobs table, the user can reprocess a job (generally useful when a job had errors), delete a case (if no other machines are using it) and view the case log.

admin_jobs_completed.png

Auto Ingest Nodes Panel

The Nodes panel displays the status of every online auto ingest node. Additionally, an admin can pause or resume a node, generate a thread dump, or shut down a node entirely (i.e., exit the Autopsy app).

admin_nodes_panel.png

Cases Panel

The Cases panel shows information about each auto ingest case - the name, creation and last accessed times, the case directory, and flags for which parts of the case have been deleted.

cases_panel.png

If you right-click on a case, you can open it, see the log, delete the case, or view properties of the case.

cases_context_menu.png

Note that you can select multiple cases at once to delete. If you choose to delete a case (or cases), you'll see the following confirmation dialog:

case_delete_confirm.png

Health Monitor

The health monitor shows timing stats and the general state of the system. The Health Monitor is accessed from the Auto Ingest Nodes panel. To enable health monitoring, click on the Health Monitor button to get the following screen and then press the "Enable monitor" button.

health_monitor_disabled.png

This will enable the health monitor metrics on every node (both auto ingest nodes and examiner nodes) that is using this PostgreSQL server. Once enabled, the monitor will display the collected metrics.

health_monitor.png

By default, the graphs will show all metrics collected in the last day.

The Timing Metrics area shows how long various tasks took to perform. There are several options in the Timing Metrics section:

The User Metrics section shows open cases and logged on nodes. For the open cases section, the count is the number of distinct cases open. If ten nodes have the same case open, the count will be one. The logged in users section shows the total number of active nodes, with auto ingest nodes on the bottom in green and examiner nodes on top in blue. The User Metrics section only has one option:

Auto Ingest Metrics

The Auto Ingest Metrics can be accessed the Auto Ingest Nodes panel and shows data about the jobs completed in a selected time frame.

metrics.png

Copyright © 2012-2021 Basis Technology. Generated on Fri Aug 6 2021
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.