Autopsy User Documentation  4.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
Extension Mismatch Detector Module

What Does It Do

The Extension Mismatch Detector module uses the results from the File Type Identification module and flags files whose extension is not traditionally associated with the file's detected type. It ignores 'known' (NSRL) files. You can customize the MIME types and the file extensions associated with each MIME type in "Tools", "Options", "File Extension Mismatch".

This detects files that someone may be trying to hide.

Configuration

One can add and remove MIME types in the "Tools", "Options", "File Extension Mismatch" dialog box, as well as add and remove extensions for particular MIME types.


Using the Module

Note that you can get a lot of false positives with this module. You can add your own rules to Autopsy to reduce unwanted hits.

Ingest Settings

In the ingest settings, the user can choose whether the module should skip files without extensions and whether it should skip text files. Both of these options are enabled by default.
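
The check described above, including the two ingest settings and the handling of 'known' files, can be sketched as follows. This is an added example, not Autopsy's own code: the signature table, the MIME-to-extension map, and the names detect_mime and is_mismatch are assumptions made for illustration.

```python
import os

# Constructed sample tables for illustration; not Autopsy's shipped defaults.
SIGNATURES = [  # magic bytes -> MIME type (stand-in for File Type Identification)
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"%PDF-", "application/pdf"),
    (b"MZ", "application/x-msdownload"),
    (b"PK\x03\x04", "application/zip"),
]
EXTENSIONS = {  # MIME type -> extensions accepted for that type
    "image/jpeg": {"jpg", "jpeg"},
    "application/pdf": {"pdf"},
    "application/x-msdownload": {"exe", "dll", "sys"},
    "application/zip": {"zip", "docx", "xlsx", "jar"},
    "text/plain": {"txt", "log", "csv"},
}

def detect_mime(header: bytes) -> str:
    """Very small content-based type detector (assumption, not Autopsy's)."""
    for magic, mime in SIGNATURES:
        if header.startswith(magic):
            return mime
    try:
        header.decode("utf-8")
    except UnicodeDecodeError:
        return "application/octet-stream"
    return "text/plain" if b"\x00" not in header else "application/octet-stream"

def is_mismatch(name, header, known=False, skip_no_ext=True, skip_text=True):
    """Return True when the extension is not listed for the detected type."""
    if known:                      # 'known' (NSRL) files are ignored
        return False
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    if skip_no_ext and not ext:    # ingest setting: skip files without extensions
        return False
    mime = detect_mime(header)
    if skip_text and mime == "text/plain":   # ingest setting: skip text files
        return False
    allowed = EXTENSIONS.get(mime)
    if allowed is None:            # no rule configured for this type: nothing to compare
        return False
    return ext not in allowed

if __name__ == "__main__":
    samples = [("holiday.jpg", b"\xff\xd8\xff\xe0"), ("notes.txt", b"MZ\x90\x00"),
               ("report.docx", b"PK\x03\x04"), ("payload", b"MZ\x90\x00")]
    for name, header in samples:   # constructed inputs
        print(name, detect_mime(header), is_mismatch(name, header))
```

In this sketch, listing "docx" under application/zip is the kind of added rule that removes a false positive, and an executable named without an extension is only flagged once the skip-no-extension setting is turned off.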

Seeing Results

Results are shown in the Results tree under "Extension Mismatch Detected".

Copyright © 2012-2016 Basis Technology. Generated on Tue Oct 25 2016
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.