Autopsy User Documentation 4.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
File Type Identification Module

What Does It Do

The File Type ID module identifies files based on their internal signatures and does not rely on file extensions. Autopsy uses the Tika library for its primary file type detection, and that detection can be customized with user-defined rules.

You should enable this module because many other modules depend on its results to determine if they should analyze a file. Some examples include:

Configuration

You do not need to configure anything with this module unless you want to define your own types. To define your own types, go to "Tools", "Options", "File Type Id" panel.

From there, you can define rules based on the offset of the signature and whether the signature is a byte sequence or an ASCII string.
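The following added example (not Autopsy or Tika code) shows how a rule made of an offset plus a byte-sequence or ASCII signature classifies content regardless of file name. The class and function names, the first-match ordering, the `application/x.example-log` type, and all sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SignatureRule:
    mime_type: str    # type reported when the rule matches
    offset: int       # signature position, in bytes from the start of the file
    signature: bytes  # bytes expected at that position

    @classmethod
    def from_hex(cls, mime_type, offset, hex_bytes):
        """Signature entered as a byte sequence, e.g. '25 50 44 46'."""
        return cls(mime_type, offset, bytes.fromhex(hex_bytes))

    @classmethod
    def from_ascii(cls, mime_type, offset, text):
        """Signature entered as an ASCII string, e.g. 'ustar'."""
        return cls(mime_type, offset, text.encode("ascii"))

    def matches(self, data):
        end = self.offset + len(self.signature)
        # A file too short to hold the signature at this offset cannot match.
        return len(data) >= end and data[self.offset:end] == self.signature

def identify(data, rules, default="application/octet-stream"):
    """Type of the first matching rule; the file name is never consulted."""
    for rule in rules:
        if rule.matches(data):
            return rule.mime_type
    return default

RULES = [  # constructed rule set; the last type name is hypothetical
    SignatureRule.from_hex("application/pdf", 0, "25 50 44 46"),       # "%PDF"
    SignatureRule.from_ascii("application/x-tar", 257, "ustar"),       # tar magic
    SignatureRule.from_ascii("application/x.example-log", 4, "EXLG"),
]

SAMPLES = {  # constructed file contents, keyed by file name
    "holiday.jpg": b"%PDF-1.4\n",                  # PDF content, misleading extension
    "backup.dat": b"\x00" * 257 + b"ustar\x00",    # signature at a non-zero offset
    "notes.bin": b"\x01\x02\x03\x04EXLG payload",  # custom type, signature at offset 4
    "short.pdf": b"%PD",                           # truncated: too short to match
}

def classify_samples():
    return {name: identify(data, RULES) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, mime in classify_samples().items():
        print(f"{name:12} -> {mime}")
```

A mismatch between the detected type and the extension, as with `holiday.jpg` here, is often worth a closer look during an examination.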

Using the Module

Ingest Settings

There are no run-time settings for this module when you run it on a data source. All user-defined and Tika rules are always applied.

Seeing Results

This module does not have obvious impacts in the user interface, though it is used by many other modules.

To see the file type of an individual file, view the "Results" tab in the lower right when you navigate to the file. You should see a page in there that mentions the file type.

The Views area of the tree does not take the results of this module into account. That part of the tree relies on extension. We will be updating it in the future to rely on extension when there is no output from this module for the file.


Copyright © 2012-2016 Basis Technology. Generated on Tue Oct 25 2016
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.