From d7e98c5295eeebe91b0278489e5c60ee825a1014 Mon Sep 17 00:00:00 2001 From: Ann Priestman Date: Thu, 18 Apr 2019 14:01:31 -0400 Subject: [PATCH 1/2] Switch to forward slashes for images --- docs/doxygen-user/auto_ingest.dox | 12 +++++------ .../auto_ingest_administration.dox | 20 +++++++++---------- docs/doxygen-user/auto_ingest_setup.dox | 10 +++++----- 3 files changed, 21 insertions(+), 21 deletions(-) diff --git a/docs/doxygen-user/auto_ingest.dox b/docs/doxygen-user/auto_ingest.dox index 246d1efe22b..9674249f6fd 100644 --- a/docs/doxygen-user/auto_ingest.dox +++ b/docs/doxygen-user/auto_ingest.dox @@ -22,11 +22,11 @@ The general workflow is as follows: An Automated Processing Deployment could have an architecture, such as this: -\image html AutoIngest\overview_pic1.png +\image html AutoIngest/overview_pic1.png Another illustration, including the network infrastructure, is shown below: -\image html AutoIngest\overview_pic2.png +\image html AutoIngest/overview_pic2.png \section auto_ingest_setup_section Configuration @@ -38,7 +38,7 @@ An examiner node in an auto ingest environment is generally the same as any norm The examiner can open the auto ingest dashboard through the Tools menu. This allows the user to see what cases and data sources are scheduled, in progress, or done. -\image html AutoIngest\examiner_dashboard.png +\image html AutoIngest/examiner_dashboard.png \section auto_ingest_ain_usage Auto Ingest Node Usage 
@@ -46,7 +46,7 @@ The examiner can open the auto ingest dashboard through the Tools menu. This all Users will manually copy images to the source images folder (using subfolders if desired) and schedule them to be ingested by creating one file in the folder alongside the image to be ingested. This file is a manifest file describing the image. This file's name must end in "_Manifest.xml." -\image html AutoIngest\manifest_file_in_file_explorer.png +\image html AutoIngest/manifest_file_in_file_explorer.png The following is an example of an Autopsy manifest file. Line breaks/spaces are not required, but are shown here for better human readability. \verbatim @@ -69,7 +69,7 @@ Manifest files can be automatically generated by using the \ref manifest_tool_pa When auto ingest mode is enabled, Autopsy will open with a different UI than normal, allowing the user to see what cases are being processed, which are done, and which are next in the queue. You can also change the priority of cases and reprocess cases that may have had an error. -\image html AutoIngest\auto_ingest_in_progress.png +\image html AutoIngest/auto_ingest_in_progress.png The user must press the "Start" button to being the auto ingest process. Note that if the computer running Autopsy in auto ingest mode is restarted, someone must log into it to restart Autopsy. It does not start by itself. When "Start" is pressed, the node will scan through the Shared Images folder looking for manifest files. This scan happens periodically when ingest is running. It can also be started manually using the "Refresh" button. @@ -83,7 +83,7 @@ If an error occurs while processing a job, or if a job was set up incorrectly, t The "Auto Ingest Metrics" button displays processing data for all of the auto ingest nodes in the system from a user-entered starting date. -\image html AutoIngest\metrics.png +\image html AutoIngest/metrics.png \section auto_ingest_administration_section Auto Ingest Node Administration 
diff --git a/docs/doxygen-user/auto_ingest_administration.dox b/docs/doxygen-user/auto_ingest_administration.dox index 972ef510bdd..158b2fb4e36 100644 --- a/docs/doxygen-user/auto_ingest_administration.dox +++ b/docs/doxygen-user/auto_ingest_administration.dox 
@@ -23,37 +23,37 @@ The admin panel is enabled by creating the file "admin" in the user config direc For an installed copy of Autopsy, the file will go under \c "C:\Users\\AppData\Roaming\Autopsy\config". -\image html AutoIngest\admin_file.png +\image html AutoIngest/admin_file.png \section auto_ingest_admin_jobs_panel Auto Ingest Jobs Panel With the admin file in place, the user can right-click on jobs in each of the tables of the jobs panel to perform different actions. In the Pending Jobs table, the context menu allows cases and individual jobs to be prioritized. -\image html AutoIngest\admin_jobs_panel.png +\image html AutoIngest/admin_jobs_panel.png In the Running Jobs tables, the ingest progress can be viewed and the current job can be cancelled. Note that cancellation can take some time. -\image html AutoIngest\admin_jobs_cancel.png +\image html AutoIngest/admin_jobs_cancel.png In the Completed Jobs table, the user can reprocess a job (generally useful when a job had errors), delete a case (if no other machines are using it) and view the case log. -\image html AutoIngest\admin_jobs_completed.png +\image html AutoIngest/admin_jobs_completed.png \section auto_ingest_admin_nodes_panel Auto Ingest Nodes Panel The Nodes panel displays the status of every online auto ingest node. Additionally, an admin can pause or resume a node, or shut down a node entirely (i.e., exit the Autopsy app). -\image html AutoIngest\admin_nodes_panel.png +\image html AutoIngest/admin_nodes_panel.png \section auto_ingest_admin_cases_panel Cases Panel The Cases panel shows information about each auto ingest case - the name, creation and last accessed times, the case directory, and flags for which parts of the case have been deleted. -\image html AutoIngest\cases_panel.png +\image html AutoIngest/cases_panel.png If you right-click on a case, you can open it, see the log, delete the case, or view properties of the case. 
-\image html AutoIngest\cases_context_menu.png +\image html AutoIngest/cases_context_menu.png Note that you can select multiple cases at once to delete. If you choose to delete a case (or cases), you'll see the following confirmation dialog: @@ -63,11 +63,11 @@ Note that you can select multiple cases at once to delete. If you choose to dele The health monitor shows timing stats and the general state of the system. The Health Monitor is accessed from the Auto Ingest Nodes panel. To enable health monitoring, click on the Health Monitor button to get the following screen and then press the "Enable monitor" button. -\image html AutoIngest\health_monitor_disabled.png +\image html AutoIngest/health_monitor_disabled.png This will enable the health monitor metrics on every node (both auto ingest nodes and examiner nodes) that is using this PostgreSQL server. Once enabled, the monitor will display the collected metrics. -\image html AutoIngest\health_monitor.png +\image html AutoIngest/health_monitor.png By default, the graphs will show all metrics collected in the last day. @@ -86,6 +86,6 @@ The User Metrics section shows open cases and logged on nodes. For the open case The Auto Ingest Metrics can be accessed the Auto Ingest Nodes panel and shows data about the jobs completed in a selected time frame. -\image html AutoIngest\metrics.png +\image html AutoIngest/metrics.png */ \ No newline at end of file diff --git a/docs/doxygen-user/auto_ingest_setup.dox b/docs/doxygen-user/auto_ingest_setup.dox index 48d33d67fe3..35000028c68 100644 --- a/docs/doxygen-user/auto_ingest_setup.dox +++ b/docs/doxygen-user/auto_ingest_setup.dox 
@@ -24,7 +24,7 @@ Follow the instructions on the \ref install_multiuser_page page to set up the ne While Examiner nodes only require multi-user cases to be set up, the auto ingest nodes need additional configuration. To start, go to the "Auto Ingest" tab on the Options menu and select the "Auto Ingest mode" radio button. If you haven't saved your multi-user settings there will be a warning message displayed here - if you see it, go back to the "Multi-User" tab and make sure you've entered all the required fields and then hit the "Apply" button. -\image html AutoIngest\auto_ingest_mode_setup.png +\image html AutoIngest/auto_ingest_mode_setup.png \subsection auto_ingest_config_folders Folder Configuration @@ -33,13 +33,13 @@ The first thing to do is to set two folder locations. The shared images folder i \subsection auto_ingest_config_ingest_settings Ingest Module Settings The "Ingest Module Settings" button is used to configure the \ref ingest_page you want to run during auto-ingest. One note is that on auto-ingest nodes, we recommend that you configure the Keyword Search module to not perform periodic keyword searches. When a user is in front of the computer, this feature exists to provide frequent updates, but it is not needed on this node. To configure this, choose the Keyword Search item in the Options window. Select the "General" tab and choose the option for no periodic search. -\image html AutoIngest\no_periodic_searches.png +\image html AutoIngest/no_periodic_searches.png \subsection auto_ingest_advanced_settings Advanced Settings The "Advanced Settings" button will bring up the automated ingest job settings. As expressed in the warning statement, care must be used when making changes on this panel. -\image html AutoIngest\advanced_settings.png +\image html AutoIngest/advanced_settings.png The Automated Ingest Job Settings section contains the following options:
@@ -70,7 +70,7 @@ When using multiple auto ingest nodes, configuration can be centralized and shar On the computer that is going to be the configuration master automated ingest node, follow the configuration steps described in above to configure the node. If you would like every automated ingest node to share the configuration settings, check the first checkbox in the Shared Configuration section of the Auto Ingest settings panel. Next select a folder to store the shared configuration in. This folder must be a path to a network share that the other machines in the system will have access to. Use a UNC path if possible. Next, check the "Use this node as a master node that can upload settings" checkbox which should enable the "Save & Upload Config" button. If this does not happen, look for a red error message explaining what settings are missing. -\image html AutoIngest\master_node.png +\image html AutoIngest/master_node.png After saving and uploading the configuration, hit the "Save" button to exit the Options panel. @@ -98,7 +98,7 @@ On an auto ingest node, we also strongly recommend that you configure the system Disabling the error messages is done by setting the following registry key to "1", as shown in the screenshot below. \verbatim HKCU\Software\Microsoft\Windows\Windows Error Reporting\DontShowUI\endverbatim -\image html AutoIngest\error_suppression.png +\image html AutoIngest/error_suppression.png */ \ No newline at end of file From dbf13e6d05eda230f691dd9a9b6a2742ff5f1c84 Mon Sep 17 00:00:00 2001 From: Ann Priestman Date: Thu, 18 Apr 2019 14:14:54 -0400 Subject: [PATCH 2/2] Changed more slashes --- docs/doxygen-user/file_export.dox | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/doxygen-user/file_export.dox b/docs/doxygen-user/file_export.dox index 84502c00cc1..3541b0c08d9 100644 --- a/docs/doxygen-user/file_export.dox +++ b/docs/doxygen-user/file_export.dox 
@@ -8,7 +8,7 @@ If enabled, the File Exporter will run after each \ref auto_ingest_page job and After enabling the file exporter, the first thing to do is set two output folders. The "Files Folder" is the base directory for all exported files, and the "Reports Folder" is the base directory for reports (lists of every file exported for each data source). If possible, it is best to use UNC paths. -\image html AutoIngest\file_exporter_main.png +\image html AutoIngest/file_exporter_main.png Next you'll make rules for the files you want to export. Each rule must have a name and at least one condition set. If more than one condition is set, then all conditions must be true to export the file. When you're done setting up your rule, press the "Save" button to save it. You'll see the new rule in the list on the left side. @@ -20,13 +20,13 @@ You'll need to run at the \ref hash_db_page and \ref file_type_identification_pa The first condition is based on MIME type. To enable it, check the box before "MIME Type", then select a MIME type from the list and choose whether you want to match it or not match it. Multiple MIME types can not be selected at this time. The following shows a rule that will match all PNG images. -\image html AutoIngest\file_export_png.png +\image html AutoIngest/file_export_png.png \subsection file_exporter_size File Size The second condition is based on file size. You can choose a file size (using the list on the right to change the units) and then select whether files should be larger, smaller, equal to, or not equal to that size. The following shows a rule that will match plain text files that are over 1kB. -\image html AutoIngest\file_export_size.png +\image html AutoIngest/file_export_size.png \subsection file_exporter_attributes Attributes 
@@ -34,25 +34,25 @@ The third condition is based on blackboard artifacts and attributes, which is ho To make an attribute condition, select the artifact type and then the attribute type that you are interested in. On the next line you can enter a value and set what relation you want the attribute to have to it (equals, not equals, greater/less than). Not all options will make sense with all data types. Then use the "Add Attribute" button to add it to the attribute list. If you make a mistake, use the "Delete Attribute" button to erase it. The following shows a rule that will export any files that had a keyword hit for the word "bomb" in them. -\image html AutoIngest\file_export_keyword.png +\image html AutoIngest/file_export_keyword.png It's possible to do more general matching on the artifacts. Suppose you wanted to export all files that the \ref encryption_page flagged as "Encryption Suspected". These files will have a TSK_ENCRYPTION_SUSPECTED artifact with a single "TSK_COMMENT" attribute that contains the entropy calculated for the file. In this case we can use the "not equals" operator on a string that we wouldn't expect to see in the TSK_COMMENT field to effectively change the condition to "has an associated TSK_ENCRYPTION_SUSPECTED artifact." -\image html AutoIngest\file_export_encrypton.png +\image html AutoIngest/file_export_encrypton.png \section file_export_output Output The exported files are found under the files folder that was specified in the \ref file_export_setup step and then organized at the top layer by the device ID of the data source. -\image html AutoIngest\file_export_dir_structure.png +\image html AutoIngest/file_export_dir_structure.png Exported files are named with their hash and stored in subfolders based on parts of that hash, to prevent any single folder from becoming very large. 
-\image html AutoIngest\file_export_file_loc.png +\image html AutoIngest/file_export_file_loc.png The report files are also found in subfolders under the device ID and then the rule name. -\image html AutoIngest\file_export_json_loc.png +\image html AutoIngest/file_export_json_loc.png This json file will contain information about the file, and any associated artifact that was part of the rule's conditions. \verbatim
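Review bot: in docs/doxygen-user/auto_ingest_administration.dox there is a gap between the hunk at -23,37 and the hunk at -63,11, and the image that belongs to "you'll see the following confirmation dialog:" sits in that gap (old lines 60 to 62), so neither patch touches it. Please confirm that \image line already uses AutoIngest/ with a forward slash; if it still has a backslash it should be converted in this series with the others.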
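Review bot: the final hunks of auto_ingest_administration.dox (-86,6) and auto_ingest_setup.dox (-98,7) both leave the closing "*/" marked "\ No newline at end of file". Since these files are already being edited, end each with a newline after "*/" so later patches to the last lines do not produce spurious diffs.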
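Review bot: several context lines right next to the changed \image lines carry wording errors that could be fixed in the same docs-only series: "press the "Start" button to being the auto ingest process" in auto_ingest.dox (-69,7) should read "begin", "can be accessed the Auto Ingest Nodes panel" in auto_ingest_administration.dox (-86,6) is missing "from", and "the configuration steps described in above" in auto_ingest_setup.dox (-70,7) has a stray "in". The reference AutoIngest/file_export_encrypton.png in file_export.dox (-34,25) is misspelled too, but it has to keep matching the image file's actual name, so change it only together with a rename of the file.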
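Review bot: both commit messages are a subject line only, and "Changed more slashes" on patch 2/2 names neither the file (docs/doxygen-user/file_export.dox) nor the reason for the change. Please state why the \image paths need forward slashes, and consider squashing 2/2 into 1/2 since it is the same mechanical edit. Patch 2/2 exists because one file was missed the first time, so it is worth searching the rest of docs/doxygen-user for any remaining \image line with a backslash in its path before merging.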