Autopsy User Documentation
4.9.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
|
The Common Properties Search feature allows you to search for multiple copies of a property within the current case or within the Central Repository.
To start a search, go to Tools->Find Common Properties to bring up the main dialog. Searching requires at least one of the following to be true:
If both conditions are false, then the menu item will be disabled. If only one is false then part of the search dialog will be disabled.
Different parameters are needed for setting up the two types of searches. These will be described below.
This type of search looks for files that are in multiple data sources within the current case. It does not require the Central Repository to be enabled, and currently only searches for common files. You must run the Hash Lookup Module to compute MD5 hashes on each data source prior to performing the search. The search results will not include any files that have been marked as "known" by the hash module (ex: files that are in the NSRL).
By default, the search will find matching files in any data sources. If desired, you can change the search to only show matches where one of the files is in a certain data source by selecting it from the list:
You can also choose to show any type of matching files or restrict the search to pictures and videos and/or documents.
Finally, if you have the Central Repository enabled you can choose to hide matches that appear with a high frequency in the Central Repository.
This type of search looks for files that contain common properties between the current case and other cases in the Central Repository. You must run the Correlation Engine ingest module on each case with the property you want to search for enabled, along with the ingest modules that produce that property type (see Manage Correlation Properties).
You can restrict the search to only include results where at least one of the matches was in a specific case.
In the example above, any matching properties would have to exist in the current case and in Case 2. Note that matches in other cases will also be included in the results, as long as the property exists in the current case and selected case.
You can select the type of property to search for in the menu below:
Restricting a file search to only return images or documents is currently disabled.
You can choose to hide matches that appear with a high frequency in the Central Repository. Finally you can choose how to display the results, which will be described below.
Each search displays its results in a new tab. The title of the tab will include the search parameters.
This is how all results from searches within the current case are displayed, and an option for displaying the results of a search between the current case and the Central Repository. The top tree level of the results shows the number of matching properties. The results are grouped by how many matching properties were found and then grouped by the property itself.
This option is only available when searching between the current case and the Central Repository. The top level shows each case with matching properties, then you can select which data source to view. Every matching property will be displayed under the data source.
Copyright © 2012-2018 Basis Technology. Generated on Tue Dec 18 2018
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.