Skip to content
Permalink
Browse files

Merge pull request #4737 from APriestman/switchSlashes

Switch to forward slashes for images
  • Loading branch information...
bcarrier committed Apr 18, 2019
2 parents 90ffdb4 + dbf13e6 commit e61d51953881c8c447e780c9a35589d7a86a6479
@@ -22,11 +22,11 @@ The general workflow is as follows:

An Automated Processing Deployment could have an architecture, such as this:

\image html AutoIngest\overview_pic1.png
\image html AutoIngest/overview_pic1.png

Another illustration, including the network infrastructure, is shown below:

\image html AutoIngest\overview_pic2.png
\image html AutoIngest/overview_pic2.png

\section auto_ingest_setup_section Configuration

@@ -38,15 +38,15 @@ An examiner node in an auto ingest environment is generally the same as any norm

The examiner can open the auto ingest dashboard through the Tools menu. This allows the user to see what cases and data sources are scheduled, in progress, or done.

\image html AutoIngest\examiner_dashboard.png
\image html AutoIngest/examiner_dashboard.png

\section auto_ingest_ain_usage Auto Ingest Node Usage

\subsection auto_ingest_manifest_creation Preparing Data for Auto Ingest

Users will manually copy images to the source images folder (using subfolders if desired) and schedule them to be ingested by creating one file in the folder alongside the image to be ingested. This file is a manifest file describing the image. This file's name must end in "_Manifest.xml."

\image html AutoIngest\manifest_file_in_file_explorer.png
\image html AutoIngest/manifest_file_in_file_explorer.png

The following is an example of an Autopsy manifest file. Line breaks/spaces are not required, but are shown here for better human readability.
\verbatim<?xml version="1.0" encoding="UTF-8" standalone="no"?>
@@ -69,7 +69,7 @@ Manifest files can be automatically generated by using the \ref manifest_tool_pa

When auto ingest mode is enabled, Autopsy will open with a different UI than normal, allowing the user to see what cases are being processed, which are done, and which are next in the queue. You can also change the priority of cases and reprocess cases that may have had an error.

\image html AutoIngest\auto_ingest_in_progress.png
\image html AutoIngest/auto_ingest_in_progress.png

The user must press the "Start" button to being the auto ingest process. Note that if the computer running Autopsy in auto ingest mode is restarted, someone must log into it to restart Autopsy. It does not start by itself. When "Start" is pressed, the node will scan through the Shared Images folder looking for manifest files. This scan happens periodically when ingest is running. It can also be started manually using the "Refresh" button.

@@ -83,7 +83,7 @@ If an error occurs while processing a job, or if a job was set up incorrectly, t

The "Auto Ingest Metrics" button displays processing data for all of the auto ingest nodes in the system from a user-entered starting date.

\image html AutoIngest\metrics.png
\image html AutoIngest/metrics.png

\section auto_ingest_administration_section Auto Ingest Node Administration

@@ -23,37 +23,37 @@ The admin panel is enabled by creating the file "admin" in the user config direc

For an installed copy of Autopsy, the file will go under \c "C:\Users\<user name>\AppData\Roaming\Autopsy\config".

\image html AutoIngest\admin_file.png
\image html AutoIngest/admin_file.png

\section auto_ingest_admin_jobs_panel Auto Ingest Jobs Panel

With the admin file in place, the user can right-click on jobs in each of the tables of the jobs panel to perform different actions. In the Pending Jobs table, the context menu allows cases and individual jobs to be prioritized.

\image html AutoIngest\admin_jobs_panel.png
\image html AutoIngest/admin_jobs_panel.png

In the Running Jobs tables, the ingest progress can be viewed and the current job can be cancelled. Note that cancellation can take some time.

\image html AutoIngest\admin_jobs_cancel.png
\image html AutoIngest/admin_jobs_cancel.png

In the Completed Jobs table, the user can reprocess a job (generally useful when a job had errors), delete a case (if no other machines are using it) and view the case log.

\image html AutoIngest\admin_jobs_completed.png
\image html AutoIngest/admin_jobs_completed.png

\section auto_ingest_admin_nodes_panel Auto Ingest Nodes Panel

The Nodes panel displays the status of every online auto ingest node. Additionally, an admin can pause or resume a node, or shut down a node entirely (i.e., exit the Autopsy app).

\image html AutoIngest\admin_nodes_panel.png
\image html AutoIngest/admin_nodes_panel.png

\section auto_ingest_admin_cases_panel Cases Panel

The Cases panel shows information about each auto ingest case - the name, creation and last accessed times, the case directory, and flags for which parts of the case have been deleted.

\image html AutoIngest\cases_panel.png
\image html AutoIngest/cases_panel.png

If you right-click on a case, you can open it, see the log, delete the case, or view properties of the case.

\image html AutoIngest\cases_context_menu.png
\image html AutoIngest/cases_context_menu.png

Note that you can select multiple cases at once to delete. If you choose to delete a case (or cases), you'll see the following confirmation dialog:

@@ -63,11 +63,11 @@ Note that you can select multiple cases at once to delete. If you choose to dele

The health monitor shows timing stats and the general state of the system. The Health Monitor is accessed from the Auto Ingest Nodes panel. To enable health monitoring, click on the Health Monitor button to get the following screen and then press the "Enable monitor" button.

\image html AutoIngest\health_monitor_disabled.png
\image html AutoIngest/health_monitor_disabled.png

This will enable the health monitor metrics on every node (both auto ingest nodes and examiner nodes) that is using this PostgreSQL server. Once enabled, the monitor will display the collected metrics.

\image html AutoIngest\health_monitor.png
\image html AutoIngest/health_monitor.png

By default, the graphs will show all metrics collected in the last day.

@@ -86,6 +86,6 @@ The User Metrics section shows open cases and logged on nodes. For the open case

The Auto Ingest Metrics can be accessed the Auto Ingest Nodes panel and shows data about the jobs completed in a selected time frame.

\image html AutoIngest\metrics.png
\image html AutoIngest/metrics.png

*/
@@ -24,7 +24,7 @@ Follow the instructions on the \ref install_multiuser_page page to set up the ne

While Examiner nodes only require multi-user cases to be set up, the auto ingest nodes need additional configuration. To start, go to the "Auto Ingest" tab on the Options menu and select the "Auto Ingest mode" radio button. If you haven't saved your multi-user settings there will be a warning message displayed here - if you see it, go back to the "Multi-User" tab and make sure you've entered all the required fields and then hit the "Apply" button.

\image html AutoIngest\auto_ingest_mode_setup.png
\image html AutoIngest/auto_ingest_mode_setup.png

\subsection auto_ingest_config_folders Folder Configuration

@@ -33,13 +33,13 @@ The first thing to do is to set two folder locations. The shared images folder i
\subsection auto_ingest_config_ingest_settings Ingest Module Settings
The "Ingest Module Settings" button is used to configure the \ref ingest_page you want to run during auto-ingest. One note is that on auto-ingest nodes, we recommend that you configure the Keyword Search module to not perform periodic keyword searches. When a user is in front of the computer, this feature exists to provide frequent updates, but it is not needed on this node. To configure this, choose the Keyword Search item in the Options window. Select the "General" tab and choose the option for no periodic search.

\image html AutoIngest\no_periodic_searches.png
\image html AutoIngest/no_periodic_searches.png

\subsection auto_ingest_advanced_settings Advanced Settings

The "Advanced Settings" button will bring up the automated ingest job settings. As expressed in the warning statement, care must be used when making changes on this panel.

\image html AutoIngest\advanced_settings.png
\image html AutoIngest/advanced_settings.png

The Automated Ingest Job Settings section contains the following options:
<dl>
@@ -70,7 +70,7 @@ When using multiple auto ingest nodes, configuration can be centralized and shar
On the computer that is going to be the configuration master automated ingest node, follow the configuration steps described in above to configure the node.
If you would like every automated ingest node to share the configuration settings, check the first checkbox in the Shared Configuration section of the Auto Ingest settings panel. Next select a folder to store the shared configuration in. This folder must be a path to a network share that the other machines in the system will have access to. Use a UNC path if possible. Next, check the "Use this node as a master node that can upload settings" checkbox which should enable the "Save & Upload Config" button. If this does not happen, look for a red error message explaining what settings are missing.

\image html AutoIngest\master_node.png
\image html AutoIngest/master_node.png

After saving and uploading the configuration, hit the "Save" button to exit the Options panel.

@@ -98,7 +98,7 @@ On an auto ingest node, we also strongly recommend that you configure the system
Disabling the error messages is done by setting the following registry key to "1", as shown in the screenshot below.
\verbatim HKCU\Software\Microsoft\Windows\Windows Error Reporting\DontShowUI\endverbatim

\image html AutoIngest\error_suppression.png
\image html AutoIngest/error_suppression.png


*/
@@ -8,7 +8,7 @@ If enabled, the File Exporter will run after each \ref auto_ingest_page job and

After enabling the file exporter, the first thing to do is set two output folders. The "Files Folder" is the base directory for all exported files, and the "Reports Folder" is the base directory for reports (lists of every file exported for each data source). If possible, it is best to use UNC paths.

\image html AutoIngest\file_exporter_main.png
\image html AutoIngest/file_exporter_main.png

Next you'll make rules for the files you want to export. Each rule must have a name and at least one condition set. If more than one condition is set, then all conditions must be true to export the file. When you're done setting up your rule, press the "Save" button to save it. You'll see the new rule in the list on the left side.

@@ -20,39 +20,39 @@ You'll need to run at the \ref hash_db_page and \ref file_type_identification_pa

The first condition is based on MIME type. To enable it, check the box before "MIME Type", then select a MIME type from the list and choose whether you want to match it or not match it. Multiple MIME types can not be selected at this time. The following shows a rule that will match all PNG images.

\image html AutoIngest\file_export_png.png
\image html AutoIngest/file_export_png.png

\subsection file_exporter_size File Size

The second condition is based on file size. You can choose a file size (using the list on the right to change the units) and then select whether files should be larger, smaller, equal to, or not equal to that size. The following shows a rule that will match plain text files that are over 1kB.

\image html AutoIngest\file_export_size.png
\image html AutoIngest/file_export_size.png

\subsection file_exporter_attributes Attributes

The third condition is based on blackboard artifacts and attributes, which is how Autopsy stores most of its analysis results. A file will be exported if it is linked to a matching attribute. Using this type of condition will require some familiarity with exactly how these attributes are being created and what data we expect to see in them. There's some information to get started in the <a href="http://sleuthkit.org/sleuthkit/docs/jni-docs/4.6.0/mod_bbpage.html">Sleuthkit documentation</a>. You will most likely also have to open an Autopsy database file to verify the exact attribute types being used to hold the data you're interested in.

To make an attribute condition, select the artifact type and then the attribute type that you are interested in. On the next line you can enter a value and set what relation you want the attribute to have to it (equals, not equals, greater/less than). Not all options will make sense with all data types. Then use the "Add Attribute" button to add it to the attribute list. If you make a mistake, use the "Delete Attribute" button to erase it. The following shows a rule that will export any files that had a keyword hit for the word "bomb" in them.

\image html AutoIngest\file_export_keyword.png
\image html AutoIngest/file_export_keyword.png

It's possible to do more general matching on the artifacts. Suppose you wanted to export all files that the \ref encryption_page flagged as "Encryption Suspected". These files will have a TSK_ENCRYPTION_SUSPECTED artifact with a single "TSK_COMMENT" attribute that contains the entropy calculated for the file. In this case we can use the "not equals" operator on a string that we wouldn't expect to see in the TSK_COMMENT field to effectively change the condition to "has an associated TSK_ENCRYPTION_SUSPECTED artifact."

\image html AutoIngest\file_export_encrypton.png
\image html AutoIngest/file_export_encrypton.png

\section file_export_output Output

The exported files are found under the files folder that was specified in the \ref file_export_setup step and then organized at the top layer by the device ID of the data source.

\image html AutoIngest\file_export_dir_structure.png
\image html AutoIngest/file_export_dir_structure.png

Exported files are named with their hash and stored in subfolders based on parts of that hash, to prevent any single folder from becoming very large.

\image html AutoIngest\file_export_file_loc.png
\image html AutoIngest/file_export_file_loc.png

The report files are also found in subfolders under the device ID and then the rule name.

\image html AutoIngest\file_export_json_loc.png
\image html AutoIngest/file_export_json_loc.png

This json file will contain information about the file, and any associated artifact that was part of the rule's conditions.
\verbatim

0 comments on commit e61d519

Please sign in to comment.
You can’t perform that action at this time.