Autopsy User Documentation  4.11.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
Reporting

Overview

The report modules allow the user to extract key information from a case in a variety of formats. This includes making an HTML or Excel report containing all the extracted content, keyword hits, etc. from a case, or creating a KML file out of any coordinates found to load into software like Google Earth.

The different types of reports will be described below. The majority of the report modules will generate a report file which will be displayed in the case under the "Reports" node of the Tree Viewer.

If the report type has an associated viewer (such as a web browser for an HTML report), you can double-click the report to open it in an external application. Alternatively, you can browse to the "Reports" folder in the case folder and open the report from there.

Report Types

HTML Report

For HTML reports, you can first choose to enter a header and footer that will be displayed in your results. For example, you might want to add a classification banner.

There are two options when generating a report - include all results or only include tagged results.

If you choose "All Results", you can then optionally use the "Data Types" button to choose which types of data to include in the report.

If you choose "Tagged Results", you can restrict the files and results that appear in the report to only those tagged with the tags you select. Note that you can't filter on data type when using this option.

The completed report will look similar to this:

reports_html_display.png

You can use the links on the left side to see the results for each data type.

Excel Report

Generating an Excel report is very similar to an HTML Report. You select which tags or data types to export and Autopsy will create a .xlsx file.

Add Tagged Hashes

This is one of the report modules that doesn't generate an actual report. The purpose of this module is to easily add the hashes of some/all tagged files to an Autopsy hash set that can be used by the Hash Lookup Module. You can use the "Configure Hash Sets" button to create a new hash set to write to, or use an existing hash set.

After running this module, if you use the same hash set on future cases then everything that was tagged with one of the selected tags in this case will show up as Hashset Hits.

CASE-UCO

This module creates a JSON output file in CASE-UCO format from a single data source.

Files - Text

This report module allows you to create a tab-delimited text file from all files in the current case. You can select which fields should be exported.

Google Earth KML

This report module generates a KML file from any GPS data in the case. This file can then be used with Google Earth.

Portable Case

This report module generates a new Autopsy case from any tagged files and results. See the Portable Cases page for additional information.

STIX

The STIX module allows you to generate a report and Interesting File artifacts by running a STIX file (or files) against the data sources in the case. For more information see the STIX page.

TSK Body File

This module generates a TSK Body File from the files in your case, which looks similar to the following:

7ff498a44e45e77374cc7c962b1b92f2|/img_image1.vhd/vol_vol2/$UpCase|10|rr-xr-xr-x|0|0|131072|1498757218|1498757218|1498757218|1498757218
d41d8cd98f00b204e9800998ecf8427e|/img_image1.vhd/vol_vol2/$Volume|3|rr-xr-xr-x|48|0|0|1498757218|1498757218|1498757218|1498757218
43fffda5c5edd8e9c647f1df476717de|/img_image1.vhd/vol_vol2/0000/0000_a.txt|63|rrwxrwxrwx|0|0|11|1498757454|1498176989|1498757454|1498757454
411c8024a7c38ee3843ba8a07d048ec2|/img_image1.vhd/vol_vol2/0000/0000_b.txt|64|rrwxrwxrwx|0|0|11|1498757454|1498176990|1498757454|1498757454
fcc958c5096889a222785ddb8c4bff80|/img_image1.vhd/vol_vol2/0000/0000_c.txt|65|rrwxrwxrwx|0|0|11|1498757454|1498176990|1498757454|1498757454
b7cde263cc1b5df5a13aeec742637a89|/img_image1.vhd/vol_vol2/0000/0000_d.txt|66|rrwxrwxrwx|0|0|11|1498757454|1498176990|1498757454|1498757454
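
A small parser for body file lines like those shown above, added here as an example; it is not part of the Autopsy documentation or code. It assumes the Sleuth Kit 3.x column order (MD5, name, inode, mode, UID, GID, size, atime, mtime, ctime, crtime), which this page does not spell out, and the function names are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Two lines copied from the sample body file shown above.
SAMPLE = r"""7ff498a44e45e77374cc7c962b1b92f2|/img_image1.vhd/vol_vol2/$UpCase|10|rr-xr-xr-x|0|0|131072|1498757218|1498757218|1498757218|1498757218
43fffda5c5edd8e9c647f1df476717de|/img_image1.vhd/vol_vol2/0000/0000_a.txt|63|rrwxrwxrwx|0|0|11|1498757454|1498176989|1498757454|1498757454
"""

# Assumed column order (TSK 3.x body file); the page does not name the columns.
NUMERIC = ("uid", "gid", "size", "atime", "mtime", "ctime", "crtime")

def parse_line(line):
    """Split one body file line into a dict; tolerate '|' inside the file name."""
    md5, rest = line.rstrip("\r\n").split("|", 1)
    parts = rest.rsplit("|", 9)  # the 9 trailing fields are fixed; the name keeps the rest
    if len(parts) != 10:
        raise ValueError(f"expected 11 fields: {line!r}")
    entry = {"md5": md5, "name": parts[0], "inode": parts[1], "mode": parts[2]}
    entry.update((key, int(val)) for key, val in zip(NUMERIC, parts[3:]))
    return entry

def parse(text):
    """Parse every non-empty, non-comment line of a body file."""
    return [parse_line(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]

def timeline(entries):
    """Return (epoch, 'macb' flags, name) tuples sorted by time, in the style of mactime."""
    events = defaultdict(lambda: ["."] * 4)
    for e in entries:
        for i, (flag, key) in enumerate(zip("macb", ("mtime", "atime", "ctime", "crtime"))):
            if e[key] > 0:  # 0 means the timestamp is not available
                events[(e[key], e["name"])][i] = flag
    return sorted((t, "".join(flags), name) for (t, name), flags in events.items())

def modified_before_created(entries):
    """Names whose mtime predates crtime, often a sign the file was copied onto the volume."""
    return [e["name"] for e in entries if 0 < e["mtime"] < e["crtime"]]

if __name__ == "__main__":
    rows = parse(SAMPLE)
    for t, flags, name in timeline(rows):
        print(datetime.fromtimestamp(t, timezone.utc).isoformat(), flags, name)
    print("mtime < crtime:", modified_before_created(rows))
```

The mtime-before-crtime check is a triage heuristic, not proof of copying; confirm against other artifacts before drawing conclusions.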

Copyright © 2012-2019 Basis Technology. Generated on Fri Jun 21 2019
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.