Autopsy User Documentation  4.5.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
Interesting Files Identifier Module

What Does It Do

The Interesting Files module allows you to search for files or directories in a data source and generate alerts when they are found. You configure rules for the files that you want to find.

Use this to be notified when certain things are found. There are examples below that generate alerts when VMWare images are found or when iPhone backup files are found. This module is useful for file types that will frequently have a consistent name and that may not be part of the standard checklist that you look for, or if you simply want to automate your checklist.

Configuration

Add rules using "Tools", "Options", "Interesting Files".

All rules need to be part of a set. Select "New set" on the left side panel to create a new set. Sets need to have the following defined:

Sets can be renamed, edited, copied, and imported and exported from the left side panel.

Rules specify what to look for in a data source. Each rule specifies:

interesting_files_configuration.PNG

VMWare Example

This set of rules is to detect VMWare Player or vmdk files. This would help to make sure you look into the virtual machines for additional evidence.

NOTE: This is not extensive and is simply a minimal example:

iPhone Backups Example

This set of rules is to detect a folder for iPhone Backups. These are typically in a folder such as "%AppData%\Roaming\Apple Computer\MobileSync\Backup" on Windows. Here is a rule that you could use for that.

Using the Module

When you enable the Interesting Files module, you can choose what rule sets to enable. To add rules, use the "Advanced" button from the ingest module panel.

When files are found, they will be in the Interesting Files area of the tree. You should see the set and rule names with the match.

Ingest Settings

When running the ingest modules, the user can choose which interesting file rules to enable .

interesting_files_ingest_settings.PNG

Seeing Results

The results show up in the tree under "Results", "Interesting Items".

interesting_files_results.PNG

Copyright © 2012-2016 Basis Technology. Generated on Mon Dec 11 2017
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.