Autopsy User Documentation  4.8.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
Common Properties Search

Overview

The Common Properties Search feature allows you to search for multiple copies of a property within the current case or within the Central Repository.

To start a search, go to Tools->Common Properties Search to bring up the main dialog. Searching requires at least one of the following to be true:

A message will be displayed if both of these conditions are false.

Common Properties Search Scope

Different parameters are needed for setting up the two types of searches. These will be described below.

Scope - between data sources in the current case

This type of search looks for files that are in multiple data sources within the current case. It does not require the Central Repository to be enabled, and currently only searches for common files. You must run the Hash Lookup Module to compute MD5 hashes on each data source prior to performing the search. The search results will not include any files that have been marked as "known" by the hash module (e.g., files that are in the NSRL).

common_properties_intra_case.png

By default, the search will find matching files in any data source. If desired, you can change the search to only show matches where one of the files is in a certain data source by selecting it from the list:

common_properties_select_ds.png

You can also choose to show any type of matching files or restrict the search to pictures and videos and/or documents.

Finally, if you have the Central Repository enabled, you can choose to hide matches that appear with a high frequency in the Central Repository.

Scope - between current case and cases in the Central Repository

This type of search looks for files that contain common properties between the current case and other cases in the Central Repository. You must run the Correlation Engine ingest module on each case with the property you want to search for enabled, along with the ingest modules that produce that property type (see Manage Correlation Properties).

common_properties_cr.png

You can restrict the search to only include results where at least one of the matches was in a specific case.

common_properties_cr_case_select.png

In the example above, any matching properties would have to exist in the current case and in Case 2. Note that matches in other cases will also be included in the results, as long as the property exists in the current case and the selected case.

You can select the type of property to search for in the menu below:

common_properties_cr_property.png

Restricting a file search to only return images or documents is currently disabled.

Finally, you can choose to hide matches that appear with a high frequency in the Central Repository.

Search Results

Each search displays its results in a new tab. The title of the tab will include the search parameters.

common_properties_result.png

The top tree level of the results shows the number of matching files. The results are grouped by how many matching files were found and then grouped by the property itself.
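The between-data-sources search and the result grouping described above can be sketched as follows. This is an added example, not Autopsy's own code: the record layout, the function name `common_files`, and the sample hashes and paths are constructed for illustration, and counting every matching file instance for the top-level grouping is an assumption.

```python
from collections import defaultdict

# Constructed sample records: (data_source, path, md5, known).
# known=True stands for a file the Hash Lookup Module marked as "known" (e.g. NSRL).
FILES = [
    ("laptop.E01", "/Users/a/report.docx", "md5-aaaa", False),
    ("usb.E01", "/report_copy.docx", "md5-aaaa", False),
    ("phone.img", "/sdcard/report.docx", "md5-aaaa", False),
    ("laptop.E01", "/Users/a/cat.jpg", "md5-bbbb", False),
    ("usb.E01", "/DCIM/cat.jpg", "md5-bbbb", False),
    ("laptop.E01", "/Windows/notepad.exe", "md5-cccc", True),   # known: excluded
    ("usb.E01", "/tools/notepad.exe", "md5-cccc", True),        # known: excluded
    ("laptop.E01", "/Users/a/a.txt", "md5-dddd", False),        # duplicates within
    ("laptop.E01", "/Users/a/b.txt", "md5-dddd", False),        # one data source only
    ("phone.img", "/sdcard/unhashed.bin", None, False),         # no MD5 computed
]

def common_files(files, must_include=None):
    """Return {match_count: {md5: [(data_source, path), ...]}}."""
    by_hash = defaultdict(list)
    for ds, path, md5, known in files:
        if md5 is None or known:      # unhashed files cannot match; known files are hidden
            continue
        by_hash[md5].append((ds, path))
    results = defaultdict(dict)
    for md5, instances in by_hash.items():
        sources = {ds for ds, _ in instances}
        if len(sources) < 2:          # must appear in multiple data sources
            continue
        if must_include and must_include not in sources:
            continue                  # optional "one of the files is in this data source"
        results[len(instances)][md5] = sorted(instances)
    return dict(results)

if __name__ == "__main__":
    for count, group in sorted(common_files(FILES).items(), reverse=True):
        print(count, "matching files:", group)
```

The unhashed record shows why the Hash Lookup Module must be run on every data source first: a file without an MD5 can never appear as a match.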


Copyright © 2012-2018 Basis Technology. Generated on Thu Oct 4 2018
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.