Autopsy User Documentation
4.8.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
|
The Content Viewer lives in the lower right-hand side of the Autopsy main screen and shows pictures, video, hex, text, extracted strings, metadata, etc. The Content Viewer is enabled when you select an entry in the Result Viewer.
The Content Viewer is context-aware, meaning different tabs will be enabled depending on the type of content selected and which ingest modules have been run. It will default to what it considers the "most specific" tab. For example, selecting a JPG will cause the Content Viewer to automatically select the "Application" tab and will display the image there. If you instead would like the Content Viewer to stay on the previously selected tab when you change to a different content object, go to the View Options panel through Tools->Options->Application Tab and select the "Stay on the same file viewer" option.
When a Result type is selected in the Result Viewer (as opposed to a file), most of the tabs will correspond to the file associated with the result and not the result itself. For example, when selecting a Keyword Hit, the "Hex", "Strings", and "File Metadata" tabs will show data from the file where the keyword was found. The descriptions below will generally assume a file has been selected, but most also apply when we have a file associated with a selected result.
The Hex tab is nearly always available and shows the contents of the file.
The Strings tab shows all text strings found in the file. Different scripts can be chosen from the drop-down menu to display results for non-Latin alphabets.
For certain file types, the Application tab can display the contents in a user friendly format. The following screenshots show some examples of what the Application tab will display.
It will display most image types:
It also allows you to browse SQLite tables and export their contents as CSV:
And plist file data will be shown and can be exported:
The Indexed Text tab shows the text that has been indexed by the Keyword Search module. You can switch the "Text Source" Field to "Result Text" to see which text has been indexed for associated results.
The Message tab shows details of emails and SMS messages.
The File Metadata tab displays basic information about the file, such as type, size, and hash. It also displays the output of the Sleuth Kit istat tool.
The Results tab is active when selecting entries that are part of the Results tree, such as keyword hits, call logs, and messages. It is also active when looking at a file that has results associated with it. The exact fields displayed depend on the type of entry. The two images below show the Results tab for a call log and a web bookmark.
The Annotations tab shows information added by an analyst about a file or result. It displays any tags and comments associated with the file or result, and if the Central Repository is enabled it will also display any comments saved to the Central Repository.
The Other Occurrences tab shows other instances of this file or result. Enabling the Central Repository adds additional functionality to this tab. See the Content Viewer section for more information.
Copyright © 2012-2018 Basis Technology. Generated on Thu Oct 4 2018
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.