Autopsy User Documentation 4.9.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
File Type Identification Module

What Does It Do

The File Type ID module identifies files by their internal signatures rather than by their file extensions. Autopsy uses the Tika library for its primary file type detection, and that detection can be customized with user-defined rules.

You should enable this module because many other modules depend on its results to determine if they should analyze a file. Some examples include:

Configuration

You do not need to configure anything with this module unless you want to define your own types. To define your own types, go to "Tools", "Options", and open the "File Type Id" panel.

From there, you can define rules based on the offset of the signature and whether the signature is a byte sequence or an ASCII string.
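
The following is an added example, not Autopsy's or Tika's own code. It sketches how a rule made of an offset plus a signature (hex byte sequence or ASCII string) decides a file's type regardless of its extension, and checks the (media type)/(media subtype) form that the results tree requires. The SignatureRule class, the MIME types and the sample file contents are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Hypothetical rule model: the fields the page names (offset, signature given
# as a byte sequence or an ASCII string) plus the MIME type to assign.
@dataclass(frozen=True)
class SignatureRule:
    mime_type: str
    offset: int
    signature: str
    is_ascii: bool = False  # False: signature is a hex byte sequence

    def pattern(self) -> bytes:
        if self.is_ascii:
            return self.signature.encode("ascii")
        return bytes.fromhex(self.signature)

    def matches(self, data: bytes) -> bool:
        sig = self.pattern()
        end = self.offset + len(sig)
        # A file shorter than offset + signature length can never match.
        return len(data) >= end and data[self.offset:end] == sig

MIME_FORM = re.compile(r"^[\w.+-]+/[\w.+-]+$")

def is_tree_displayable(mime_type: str) -> bool:
    """True if the type has the (media type)/(media subtype) form."""
    return MIME_FORM.match(mime_type) is not None

def identify(data: bytes, rules, default="application/octet-stream") -> str:
    """Return the MIME type of the first matching rule; the file name is never consulted."""
    for rule in rules:
        if rule.matches(data):
            return rule.mime_type
    return default

# Constructed sample rules and file contents (not taken from Autopsy).
RULES = [
    SignatureRule("application/x-example-container", 0, "4558434f4e5401"),
    SignatureRule("text/x-example-log", 4, "LOGv2", is_ascii=True),
]
SAMPLES = {
    "holiday.jpg": bytes.fromhex("4558434f4e5401") + b"\x00" * 16,  # misleading extension
    "notes.txt": b"\x00\x01\x02\x03LOGv2 2018-12-18 start",
    "short.bin": b"\x00\x01\x02\x03LOG",  # truncated before the signature ends
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        print(f"{name}: {identify(content, RULES)}")
```

The "holiday.jpg" sample is typed by its content, not its extension, and the truncated "short.bin" falls through to the default type instead of raising an error.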


Using the Module

Ingest Settings

There are no run-time settings for this module when you run it on a data source. All user-defined and Tika rules are always applied.

Seeing Results

The results can be seen in the views area of the tree, under Views->File Types->By MIME Type.


Note that only user-defined MIME types of the form (media type)/(media subtype) will be displayed in the tree.

To see the file type of an individual file, view the "Results" tab in the lower right when you navigate to the file. You should see a page in there that mentions the file type.


Copyright © 2012-2018 Basis Technology. Generated on Tue Dec 18 2018
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.