docs/doxygen-user/auto_ingest.dox (6 additions & 6 deletions)
@@ -22,11 +22,11 @@ The general workflow is as follows:
22
22
23
23
An Automated Processing Deployment could have an architecture, such as this:
24
24
25
-
\image html AutoIngest\overview_pic1.png
25
+
\image html AutoIngest/overview_pic1.png
26
26
27
27
Another illustration, including the network infrastructure, is shown below:
28
28
29
-
\image html AutoIngest\overview_pic2.png
29
+
\image html AutoIngest/overview_pic2.png
30
30
31
31
\section auto_ingest_setup_section Configuration
32
32
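Review bot: The separator change is the right fix for this hunk: doxygen takes the `\image html` argument as a file name resolved against IMAGE_PATH, and a backslash path only works when the documentation is built on a Windows host, so `AutoIngest/overview_pic1.png` and `AutoIngest/overview_pic2.png` should now resolve on every platform. Worth confirming in the same change that the Doxyfile's IMAGE_PATH still points at the directory that contains `AutoIngest/`, since the reference is relative.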
@@ -38,15 +38,15 @@ An examiner node in an auto ingest environment is generally the same as any norm
38
38
39
39
The examiner can open the auto ingest dashboard through the Tools menu. This allows the user to see what cases and data sources are scheduled, in progress, or done.
40
40
41
-
\image html AutoIngest\examiner_dashboard.png
41
+
\image html AutoIngest/examiner_dashboard.png
42
42
43
43
\section auto_ingest_ain_usage Auto Ingest Node Usage
44
44
45
45
\subsection auto_ingest_manifest_creation Preparing Data for Auto Ingest
46
46
47
47
Users will manually copy images to the source images folder (using subfolders if desired) and schedule them to be ingested by creating one file in the folder alongside the image to be ingested. This file is a manifest file describing the image. This file's name must end in "_Manifest.xml."
48
48
49
-
\image html AutoIngest\manifest_file_in_file_explorer.png
49
+
\image html AutoIngest/manifest_file_in_file_explorer.png
50
50
51
51
The following is an example of an Autopsy manifest file. Line breaks/spaces are not required, but are shown here for better human readability.
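Review bot: Unchanged context, but the sentence `This file's name must end in "_Manifest.xml."` puts the sentence period inside the quotes, which reads as though the required suffix ends in a dot; suggest `must end in "_Manifest.xml".` so the exact suffix is unambiguous.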
@@ -69,7 +69,7 @@ Manifest files can be automatically generated by using the \ref manifest_tool_pa
69
69
70
70
When auto ingest mode is enabled, Autopsy will open with a different UI than normal, allowing the user to see what cases are being processed, which are done, and which are next in the queue. You can also change the priority of cases and reprocess cases that may have had an error.
71
71
72
-
\image html AutoIngest\auto_ingest_in_progress.png
72
+
\image html AutoIngest/auto_ingest_in_progress.png
73
73
74
74
The user must press the "Start" button to being the auto ingest process. Note that if the computer running Autopsy in auto ingest mode is restarted, someone must log into it to restart Autopsy. It does not start by itself. When "Start" is pressed, the node will scan through the Shared Images folder looking for manifest files. This scan happens periodically when ingest is running. It can also be started manually using the "Refresh" button.
75
75
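Review bot: Typo in the unchanged context of this hunk: `press the "Start" button to being the auto ingest process` should read `to begin`; since the file is already being touched for the path separator, it is cheap to fix here as well.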
@@ -83,7 +83,7 @@ If an error occurs while processing a job, or if a job was set up incorrectly, t
83
83
84
84
The "Auto Ingest Metrics" button displays processing data for all of the auto ingest nodes in the system from a user-entered starting date.
85
85
86
-
\image html AutoIngest\metrics.png
86
+
\image html AutoIngest/metrics.png
87
87
88
88
\section auto_ingest_administration_section Auto Ingest Node Administration
docs/doxygen-user/auto_ingest_administration.dox (10 additions & 10 deletions)
@@ -23,37 +23,37 @@ The admin panel is enabled by creating the file "admin" in the user config direc
23
23
24
24
For an installed copy of Autopsy, the file will go under \c "C:\Users\<user name>\AppData\Roaming\Autopsy\config".
25
25
26
-
\image html AutoIngest\admin_file.png
26
+
\image html AutoIngest/admin_file.png
27
27
28
28
\section auto_ingest_admin_jobs_panel Auto Ingest Jobs Panel
29
29
30
30
With the admin file in place, the user can right-click on jobs in each of the tables of the jobs panel to perform different actions. In the Pending Jobs table, the context menu allows cases and individual jobs to be prioritized.
31
31
32
-
\image html AutoIngest\admin_jobs_panel.png
32
+
\image html AutoIngest/admin_jobs_panel.png
33
33
34
34
In the Running Jobs tables, the ingest progress can be viewed and the current job can be cancelled. Note that cancellation can take some time.
35
35
36
-
\image html AutoIngest\admin_jobs_cancel.png
36
+
\image html AutoIngest/admin_jobs_cancel.png
37
37
38
38
In the Completed Jobs table, the user can reprocess a job (generally useful when a job had errors), delete a case (if no other machines are using it) and view the case log.
39
39
40
-
\image html AutoIngest\admin_jobs_completed.png
40
+
\image html AutoIngest/admin_jobs_completed.png
41
41
42
42
\section auto_ingest_admin_nodes_panel Auto Ingest Nodes Panel
43
43
44
44
The Nodes panel displays the status of every online auto ingest node. Additionally, an admin can pause or resume a node, or shut down a node entirely (i.e., exit the Autopsy app).
The Cases panel shows information about each auto ingest case - the name, creation and last accessed times, the case directory, and flags for which parts of the case have been deleted.
51
51
52
-
\image html AutoIngest\cases_panel.png
52
+
\image html AutoIngest/cases_panel.png
53
53
54
54
If you right-click on a case, you can open it, see the log, delete the case, or view properties of the case.
55
55
56
-
\image html AutoIngest\cases_context_menu.png
56
+
\image html AutoIngest/cases_context_menu.png
57
57
58
58
Note that you can select multiple cases at once to delete. If you choose to delete a case (or cases), you'll see the following confirmation dialog:
59
59
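Review bot: The separator fix is correct for the `\image` lines in this hunk, and the backslashes that remain belong to the literal Windows path in `\c "C:\Users\<user name>\AppData\Roaming\Autopsy\config"`, so they should stay. In that same line, though, `<user name>` is likely to be consumed by doxygen as an HTML tag rather than rendered as a placeholder; consider escaping it as `\<user name\>` or `&lt;user name&gt;`. Note also that the rendered view collapses the context between the Nodes panel and Cases panel paragraphs, so the middle of this 37-line hunk should be expanded before approving.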
@@ -63,11 +63,11 @@ Note that you can select multiple cases at once to delete. If you choose to dele
63
63
64
64
The health monitor shows timing stats and the general state of the system. The Health Monitor is accessed from the Auto Ingest Nodes panel. To enable health monitoring, click on the Health Monitor button to get the following screen and then press the "Enable monitor" button.
65
65
66
-
\image html AutoIngest\health_monitor_disabled.png
66
+
\image html AutoIngest/health_monitor_disabled.png
67
67
68
68
This will enable the health monitor metrics on every node (both auto ingest nodes and examiner nodes) that is using this PostgreSQL server. Once enabled, the monitor will display the collected metrics.
69
69
70
-
\image html AutoIngest\health_monitor.png
70
+
\image html AutoIngest/health_monitor.png
71
71
72
72
By default, the graphs will show all metrics collected in the last day.
73
73
@@ -86,6 +86,6 @@ The User Metrics section shows open cases and logged on nodes. For the open case
86
86
87
87
The Auto Ingest Metrics can be accessed the Auto Ingest Nodes panel and shows data about the jobs completed in a selected time frame.
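Review bot: Grammar in the context line of this hunk: `can be accessed the Auto Ingest Nodes panel` is missing a preposition (`accessed from the Auto Ingest Nodes panel`). The changed lines of this hunk are collapsed in the rendered view, so expand it to confirm the `\image` edit it carries matches the others.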
docs/doxygen-user/auto_ingest_setup.dox (5 additions & 5 deletions)
@@ -24,7 +24,7 @@ Follow the instructions on the \ref install_multiuser_page page to set up the ne
24
24
25
25
While Examiner nodes only require multi-user cases to be set up, the auto ingest nodes need additional configuration. To start, go to the "Auto Ingest" tab on the Options menu and select the "Auto Ingest mode" radio button. If you haven't saved your multi-user settings there will be a warning message displayed here - if you see it, go back to the "Multi-User" tab and make sure you've entered all the required fields and then hit the "Apply" button.
The "Ingest Module Settings" button is used to configure the \ref ingest_page you want to run during auto-ingest. One note is that on auto-ingest nodes, we recommend that you configure the Keyword Search module to not perform periodic keyword searches. When a user is in front of the computer, this feature exists to provide frequent updates, but it is not needed on this node. To configure this, choose the Keyword Search item in the Options window. Select the "General" tab and choose the option for no periodic search.
The "Advanced Settings" button will bring up the automated ingest job settings. As expressed in the warning statement, care must be used when making changes on this panel.
41
41
42
-
\image html AutoIngest\advanced_settings.png
42
+
\image html AutoIngest/advanced_settings.png
43
43
44
44
The Automated Ingest Job Settings section contains the following options:
45
45
<dl>
@@ -70,7 +70,7 @@ When using multiple auto ingest nodes, configuration can be centralized and shar
70
70
On the computer that is going to be the configuration master automated ingest node, follow the configuration steps described in above to configure the node.
71
71
If you would like every automated ingest node to share the configuration settings, check the first checkbox in the Shared Configuration section of the Auto Ingest settings panel. Next select a folder to store the shared configuration in. This folder must be a path to a network share that the other machines in the system will have access to. Use a UNC path if possible. Next, check the "Use this node as a master node that can upload settings" checkbox which should enable the "Save & Upload Config" button. If this does not happen, look for a red error message explaining what settings are missing.
72
72
73
-
\image html AutoIngest\master_node.png
73
+
\image html AutoIngest/master_node.png
74
74
75
75
After saving and uploading the configuration, hit the "Save" button to exit the Options panel.
76
76
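Review bot: The context line `follow the configuration steps described in above to configure the node` has a stray `in` (`described above`), and the following paragraph opens two consecutive steps with `Next`, so the second could read `Then check the "Use this node as a master node ..." checkbox`. Both are one-word fixes in unchanged context that are worth folding into this change.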
@@ -98,7 +98,7 @@ On an auto ingest node, we also strongly recommend that you configure the system
98
98
Disabling the error messages is done by setting the following registry key to "1", as shown in the screenshot below.
docs/doxygen-user/file_export.dox (8 additions & 8 deletions)
@@ -8,7 +8,7 @@ If enabled, the File Exporter will run after each \ref auto_ingest_page job and
8
8
9
9
After enabling the file exporter, the first thing to do is set two output folders. The "Files Folder" is the base directory for all exported files, and the "Reports Folder" is the base directory for reports (lists of every file exported for each data source). If possible, it is best to use UNC paths.
10
10
11
-
\image html AutoIngest\file_exporter_main.png
11
+
\image html AutoIngest/file_exporter_main.png
12
12
13
13
Next you'll make rules for the files you want to export. Each rule must have a name and at least one condition set. If more than one condition is set, then all conditions must be true to export the file. When you're done setting up your rule, press the "Save" button to save it. You'll see the new rule in the list on the left side.
14
14
@@ -20,39 +20,39 @@ You'll need to run at the \ref hash_db_page and \ref file_type_identification_pa
20
20
21
21
The first condition is based on MIME type. To enable it, check the box before "MIME Type", then select a MIME type from the list and choose whether you want to match it or not match it. Multiple MIME types can not be selected at this time. The following shows a rule that will match all PNG images.
22
22
23
-
\image html AutoIngest\file_export_png.png
23
+
\image html AutoIngest/file_export_png.png
24
24
25
25
\subsection file_exporter_size File Size
26
26
27
27
The second condition is based on file size. You can choose a file size (using the list on the right to change the units) and then select whether files should be larger, smaller, equal to, or not equal to that size. The following shows a rule that will match plain text files that are over 1kB.
28
28
29
-
\image html AutoIngest\file_export_size.png
29
+
\image html AutoIngest/file_export_size.png
30
30
31
31
\subsection file_exporter_attributes Attributes
32
32
33
33
The third condition is based on blackboard artifacts and attributes, which is how Autopsy stores most of its analysis results. A file will be exported if it is linked to a matching attribute. Using this type of condition will require some familiarity with exactly how these attributes are being created and what data we expect to see in them. There's some information to get started in the <a href="http://sleuthkit.org/sleuthkit/docs/jni-docs/4.6.0/mod_bbpage.html">Sleuthkit documentation</a>. You will most likely also have to open an Autopsy database file to verify the exact attribute types being used to hold the data you're interested in.
34
34
35
35
To make an attribute condition, select the artifact type and then the attribute type that you are interested in. On the next line you can enter a value and set what relation you want the attribute to have to it (equals, not equals, greater/less than). Not all options will make sense with all data types. Then use the "Add Attribute" button to add it to the attribute list. If you make a mistake, use the "Delete Attribute" button to erase it. The following shows a rule that will export any files that had a keyword hit for the word "bomb" in them.
36
36
37
-
\image html AutoIngest\file_export_keyword.png
37
+
\image html AutoIngest/file_export_keyword.png
38
38
39
39
It's possible to do more general matching on the artifacts. Suppose you wanted to export all files that the \ref encryption_page flagged as "Encryption Suspected". These files will have a TSK_ENCRYPTION_SUSPECTED artifact with a single "TSK_COMMENT" attribute that contains the entropy calculated for the file. In this case we can use the "not equals" operator on a string that we wouldn't expect to see in the TSK_COMMENT field to effectively change the condition to "has an associated TSK_ENCRYPTION_SUSPECTED artifact."
40
40
41
-
\image html AutoIngest\file_export_encrypton.png
41
+
\image html AutoIngest/file_export_encrypton.png
42
42
43
43
\section file_export_output Output
44
44
45
45
The exported files are found under the files folder that was specified in the \ref file_export_setup step and then organized at the top layer by the device ID of the data source.
46
46
47
-
\image html AutoIngest\file_export_dir_structure.png
47
+
\image html AutoIngest/file_export_dir_structure.png
48
48
49
49
Exported files are named with their hash and stored in subfolders based on parts of that hash, to prevent any single folder from becoming very large.
50
50
51
-
\image html AutoIngest\file_export_file_loc.png
51
+
\image html AutoIngest/file_export_file_loc.png
52
52
53
53
The report files are also found in subfolders under the device ID and then the rule name.
54
54
55
-
\image html AutoIngest\file_export_json_loc.png
55
+
\image html AutoIngest/file_export_json_loc.png
56
56
57
57
This json file will contain information about the file, and any associated artifact that was part of the rule's conditions.
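Review bot: The `\image html AutoIngest/file_export_encrypton.png` line keeps the misspelling `encrypton` from the removed line. That is only correct if the image on disk really carries that name; if the file is `file_export_encryption.png` the reference stays broken after this change, so please verify the actual file name in the repository's image folder or rename the image and the reference together. Minor: `This json file` in the last context line would normally be written `JSON`.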