Autopsy User Documentation
4.19.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
|
The report modules allow the user to extract key information from a case in a variety of formats. This includes making an HTML or Excel report containing all the extracted content, keyword hits, etc. from a case, or creating a KML file out of any coordinates found to load into software like Google Earth.
Most report types will allow you to select which data sources to include in the report. Note that the names of excluded data sources may still be present in the report. For example, the HTML Report will list all data sources in the case on the main page but will not contain results, tagged files, etc. from the excluded data source(s).
The different types of reports will be described below. The majority of the report modules will generate a report file which will be displayed in the case under the "Reports" node of the Tree Viewer.
If the report type has an associated viewer (such as a web browser for an HTML report), you can double-click the report to open it in an external application. Alternately you can browse to the "Reports" folder in the case folder and open the report from there.
For HTML reports, you can first choose to enter a header and footer that will be displayed in your results. For example, you might want to add a classification banner.
There are two options when generating a report - include all results or only include tagged results.
If you choose "All Results", you can then optionally use the "Data Types" button to choose which types of data to include in the report.
If you choose "Tagged Results", you can restrict the files and results that appear in the report to only those tagged with the tags you select. Note that you can't filter on data type when using this option.
The completed report will look similar to this:
You can use the links on the left side to see the results for each data type.
Generating an Excel report is very similar to an HTML Report. You select which tags or data types to export and Autopsy will create a .xlsx file.
This is one of the report modules that doesn't generate an actual report. The purpose of this module is to easily add the hashes of some/all tagged files to an Autopsy hash set that can be used by the Hash Lookup Module. You can use the "Configure Hash Sets" button to create a new hash set to write to, or use an existing hash set.
After running this module, if you use the same hash set on future cases then everything that was tagged with one of the selected tags in this case will show up as Hashset Hits.
This report module allows you to export all unique "words" found in a case. These words come from the Solr index that was created by the Keyword Search Module.
This module creates a JSON output file in CASE-UCO format for a single data source.
This report module allows you create a tab or comma delimited text file report of all of the files in the current case. Start by selecting which delimiter you would like to use.
You can then select which fields should be reported.
This report module generates a KML file from any GPS data in the case. This file can then be used with Google Earth.
This report module generates a new Autopsy case that includes tagged and/or interesting items. See the Portable Cases page for additional information.
The STIX module allows you to generate a report and Interesting File artifacts by running a STIX file (or files) against the data sources in the case. For more information see the STIX page.
This module generates a TSK Body File from the files in your case, which looks similar to the following:
7ff498a44e45e77374cc7c962b1b92f2|/img_image1.vhd/vol_vol2/$UpCase|10|rr-xr-xr-x|0|0|131072|1498757218|1498757218|1498757218|1498757218 d41d8cd98f00b204e9800998ecf8427e|/img_image1.vhd/vol_vol2/$Volume|3|rr-xr-xr-x|48|0|0|1498757218|1498757218|1498757218|1498757218 43fffda5c5edd8e9c647f1df476717de|/img_image1.vhd/vol_vol2/0000/0000_a.txt|63|rrwxrwxrwx|0|0|11|1498757454|1498176989|1498757454|1498757454 411c8024a7c38ee3843ba8a07d048ec2|/img_image1.vhd/vol_vol2/0000/0000_b.txt|64|rrwxrwxrwx|0|0|11|1498757454|1498176990|1498757454|1498757454 fcc958c5096889a222785ddb8c4bff80|/img_image1.vhd/vol_vol2/0000/0000_c.txt|65|rrwxrwxrwx|0|0|11|1498757454|1498176990|1498757454|1498757454 b7cde263cc1b5df5a13aeec742637a89|/img_image1.vhd/vol_vol2/0000/0000_d.txt|66|rrwxrwxrwx|0|0|11|1498757454|1498176990|1498757454|1498757454
Copyright © 2012-2021 Basis Technology. Generated on Fri Aug 6 2021
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.