Autopsy User Documentation  4.19.2
Graphical digital forensics platform for The Sleuth Kit and other tools.
Updating the Official Interesting File Sets

The Interesting Files Identifier Module contains several official rule sets. You can select a rule set to display the rules it contains in the middle of the right side of the panel.

[Screenshot: if_official_rule_details.png]

If you have one or more rules that you think should be included in an official rule set, you can submit your new rules using the process below. Consult the Configuration section for general instructions on creating and editing interesting file sets.

  1. Create a new interesting file set. Give it a name similar to the set you wish to update to make it clear which set your new rules belong to. Do not copy the existing rule set.

    [Screenshot: if_create_set.png]

  2. Create your rule(s). Make sure each rule has a "Rule Name" that identifies the application it is detecting. Click the "Apply" button on the main panel when done.

    [Screenshot: if_new_rule.png]

  3. Export the set as XML.

    [Screenshot: if_export.png]

  4. Create an Autopsy GitHub issue that identifies the set to update and lists the applications that were added, and attach the exported XML. Go to: https://github.com/sleuthkit/autopsy/issues
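
Before attaching the export in step 4, it is worth checking that the file is well-formed and that every rule carries the "Rule Name" required in step 2. The script below is an added example written for this page, not part of Autopsy or its documentation. The element and attribute names it looks for (INTERESTING_FILE_SETS, INTERESTING_FILE_SET, NAME_RULE, EXTENSION_RULE, name, typeFilter, regex) are assumed from the shape of Autopsy exports and should be compared against an export from your own installation; the embedded XML is a constructed sample, not a real rule set.

```python
"""Sanity-check an exported Autopsy interesting file set before submitting it."""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample resembling an Autopsy export. Element/attribute names are
# assumed (see lead-in); verify them against a real export before relying on them.
SAMPLE_EXPORT = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<INTERESTING_FILE_SETS>
  <INTERESTING_FILE_SET description="Constructed example" ignoreKnown="false" name="Cloud Storage (additions)">
    <EXTENSION_RULE name="Example Sync Client" typeFilter="file">esync</EXTENSION_RULE>
    <NAME_RULE name="Example Sync Client" typeFilter="file">examplesync.exe</NAME_RULE>
    <NAME_RULE name="" typeFilter="file" regex="true">examplesync_[0-9]+\\.log</NAME_RULE>
    <NAME_RULE name="Broken Regex" typeFilter="file" regex="true">[unclosed</NAME_RULE>
  </INTERESTING_FILE_SET>
</INTERESTING_FILE_SETS>
"""

# Rule element names assumed for the export format.
RULE_TAGS = {"NAME_RULE", "EXTENSION_RULE"}


def check_file_set_xml(xml_text):
    """Return a list of problems found; an empty list means the export looks submittable."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Nothing else can be checked if the document does not parse.
        return [f"not well-formed XML: {exc}"]

    if root.tag != "INTERESTING_FILE_SETS":
        problems.append(f"unexpected root element <{root.tag}>")

    sets = root.findall("INTERESTING_FILE_SET")
    if not sets:
        problems.append("no INTERESTING_FILE_SET elements found")

    for file_set in sets:
        set_name = (file_set.get("name") or "").strip()
        if not set_name:
            problems.append("a file set has no name")

        rules = [r for r in file_set if r.tag in RULE_TAGS]
        if not rules:
            problems.append(f"set '{set_name}': contains no rules")

        for idx, rule in enumerate(rules, 1):
            label = f"set '{set_name}' rule #{idx} ({rule.tag})"
            # Step 2 of the procedure: every rule needs a name identifying the application.
            if not (rule.get("name") or "").strip():
                problems.append(f"{label}: missing Rule Name (should identify the application)")
            pattern = (rule.text or "").strip()
            if not pattern:
                problems.append(f"{label}: empty match pattern")
            elif rule.get("regex", "false").lower() == "true":
                # Python's re is only an approximation of Java's regex dialect, but it
                # still catches obviously broken patterns such as an unclosed bracket.
                try:
                    re.compile(pattern)
                except re.error as exc:
                    problems.append(f"{label}: invalid regular expression ({exc})")
    return problems


def check_file_set_file(path):
    """Read an exported XML file from disk and return the problems found in it."""
    with open(path, encoding="utf-8") as handle:
        return check_file_set_xml(handle.read())


if __name__ == "__main__":
    # Usage: python check_export.py [exported_set.xml]; without a path, the sample is checked.
    found = check_file_set_file(sys.argv[1]) if len(sys.argv) > 1 else check_file_set_xml(SAMPLE_EXPORT)
    for problem in found:
        print("PROBLEM:", problem)
    print("OK" if not found else f"{len(found)} problem(s) found")
```

Run it against the XML exported in step 3; it exits quietly with "OK" when every set is named, every rule has a Rule Name and a pattern, and every regex rule compiles. On the constructed sample it reports two problems: the unnamed rule and the unterminated character class.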

Copyright © 2012-2021 Basis Technology. Generated on Tue Feb 22 2022
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.