Autopsy User Documentation
4.4.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
The File Type ID module identifies files based on their internal signatures and does not rely on file extensions. Autopsy uses the Tika library to do its primary file ID detection and that can be customized with user-defined rules.
You should enable this module because many other modules depend on its results to determine if they should analyze a file. Some examples include:
You do not need to configure anything with this module unless you want to define your own types. To define your own types, go to "Tools", "Options", "File Type Id" panel.
From there, you can define rules based on the offset of the signature and whether the signature is a byte sequence or an ASCII string.
There are no run-time settings for this module when you run it on a data source. All user-defined and Tika rules are always applied.
The results can be seen in the views area of the tree, under Views->File Types->By MIME Type.
Note that only user-defined MIME types of the form (media type)/(media subtype) will be displayed in the tree.
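The sketch below is an added example, not Autopsy's own code, showing how a rule made of an offset plus a byte-sequence or ASCII signature classifies a file by content alone, and how a MIME type that lacks the (media type)/(media subtype) form can be flagged. The `SignatureRule` class, the regular expression used for the MIME form check, and all rule and file values are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed approximation of the (media type)/(media subtype) form the tree requires.
MIME_FORM = re.compile(r"^[A-Za-z0-9][\w.+-]*/[A-Za-z0-9][\w.+-]*$")

@dataclass(frozen=True)
class SignatureRule:  # hypothetical model of one user-defined rule
    mime_type: str
    offset: int       # bytes from the start of the file
    kind: str         # "bytes" (hex digits) or "ascii" (literal text)
    signature: str

    def pattern(self) -> bytes:
        if self.kind == "bytes":
            pat = bytes.fromhex(self.signature)
        elif self.kind == "ascii":
            pat = self.signature.encode("ascii")
        else:
            raise ValueError(f"unknown signature kind: {self.kind!r}")
        if not pat or self.offset < 0:
            raise ValueError("rule needs a non-empty signature and offset >= 0")
        return pat

    def matches(self, data: bytes) -> bool:
        pat = self.pattern()
        # Slicing past the end yields a short slice, so truncated files never match.
        return data[self.offset:self.offset + len(pat)] == pat

def shown_in_tree(rule: SignatureRule) -> bool:
    return MIME_FORM.match(rule.mime_type) is not None

def identify(data: bytes, rules) -> Optional[str]:
    """Return the MIME type of the first matching rule; the file name is never consulted."""
    return next((r.mime_type for r in rules if r.matches(data)), None)

# Constructed rules and file contents (not real formats).
RULES = [
    SignatureRule("application/x-acme-log", 0, "ascii", "ACMELOG"),
    SignatureRule("application/x-acme-db", 4, "bytes", "AC DB 00 01"),
    SignatureRule("acmeblob", 0, "bytes", "B10B"),  # matches files, but not tree-displayable
]
SAMPLES = {
    "holiday.jpg": b"ACMELOG v2\n2017-09-29 start\n",       # misleading extension
    "notes.txt": b"\x00\x00\x00\x10\xac\xdb\x00\x01payload",  # signature at offset 4
    "short.bin": b"\x00\x00\x00\x10\xac\xdb",                 # truncated before signature ends
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {identify(data, RULES)}")
    print([r.mime_type for r in RULES if not shown_in_tree(r)])
```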
To see the file type of an individual file, view the "Results" tab in the lower right when you navigate to the file. You should see a page in there that mentions the file type.
Copyright © 2012-2016 Basis Technology. Generated on Fri Sep 29 2017
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.