Autopsy User Documentation  4.19.2
Graphical digital forensics platform for The Sleuth Kit and other tools.
Tree Viewer

Table of Contents

The tree on the left-hand side of the main window is where you can browse the files in the data sources in the case and find saved results from automated analyis (ingest). The tree has seven main areas:

You can also use the "Group by Person/Host" option available through the View Options to move the Views, Results, and Tags tree nodes under their corresponding person and host. This can be helpful on very large cases to reduce the size of each sub tree.

Persons / Hosts / Data Sources

By default, the top node of the tree viewer will contain all data sources in the case. The Data Sources node is organized by host and then the data source itself. Right clicking on the various nodes in the Data Sources area of the tree will allow you to get more options for each data source and its contents.

ui_tree_top_ds.png

If the "Group by Person/Host" option has been selected in the View Options, the hosts and data sources will be organized under any persons that have been associated with the hosts. Additionally, the rest of the nodes (Views, Results, etc) will be found under each data source.

ui_tree_top_persons.png

Persons

If the "Group by Person/Host" option in the View Options has been set, the top level nodes will display persons. Persons are manually created and can be associated with one or more hosts. To add or remove a person from a host, right-click on the host and select the appropriate option.

ui_person_select.png

You can edit and delete persons by right-clicking on the node.

Hosts

All data sources are organized under host nodes. See the hosts page for more information on using hosts.

Data Sources

Under the hosts are the nodes for each data source.

Unallocated space is the chunks of a file system that are currently not being used for anything. Unallocated space can hold deleted files and other interesting artifacts. In an image data source, unallocated space is stored in blocks with distinct locations in the file system. However, because of the way carving tools work, it is better to feed these tools a single, large unallocated space file. Autopsy provides access to both methods of looking at unallocated space.

An example of the single file extraction option is shown below.

extracting-unallocated-space.PNG

File Views

Views filter all the files in the case by some property of the file.

Data Artifacts

This section shows the data artifacts created by running ingest. In general, data artifacts contain concrete information extracted from the data source. For example, call logs and messages from communication logs or web bookmarks extracted from a browser database.

Analysis Results

This section shows the analysis results created by running ingest. In general, analysis results contain information that the user has indicated they are interested in. For example, if the user sets up a list of notable hashes, any hash set hits will appear here.

OS Accounts

This section shows the OS accounts found in the case. See OS Accounts for an example.

Tags

Any item you tag shows up here so you can find it again easily. See Tagging and Commenting for more information.

Reports

Reports can be added by Ingest Modules or created using the Reporting tool.


Copyright © 2012-2021 Basis Technology. Generated on Thu Oct 21 2021
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.