Re: [sleuthkit-users] Autopsy Case Management Gripes
From: John E. <es...@ya...> - 2005-01-18 11:53:43
Even as a completely new user to Autopsy I found the case management side simple enough to understand and use. What I found a little tricky was the actual imaging process itself. What would have been useful would have been a utility that provided a 'suggested' dd command line for imaging a disk. In other words, take the simple but very common situation of an investigator just hanging a copy of the drive to be investigated onto his system: in Autopsy you could browse or pick the physical drive or partition and Autopsy would suggest a suitable command line for making an image of it and provide a suitable mount command line for it. I know there are quite a few imaging tools out there, but for someone completely new to this area this facility would help to get things moving. This stage of course is really one step before case management as defined in Autopsy at the moment, but data gleaned at this stage (e.g. paths to image files, image filenames, mount commands etc.) could obviously be automatically incorporated into the case management side of Autopsy.

On the issue of whether to have a database at the backend of the case management, I think it would depend on what database you had in mind. Ideally you would want a db that was transparent to the user, i.e. no maintenance or setup. Something like mysql might add quite a hit to the installation / maintenance overhead for the user, and of course it is something else that could potentially go wrong.

One other suggestion (not to do with case management) that would have saved me loads of time recently is having an extra button on the keyword search results screen in Autopsy. The extra button would begin a batch process that would look up the filename (and extension) of every hit and put the filename next to each hit. This would save loads of time because if you are most interested in, say, Word Docs you could in the first instance only look at those hits that are Word documents. Taking it a stage further, the results could be displayed in a navigable tree form with each branch representing a different file type. At the moment you have to visit every hit and manually 'click' the MFT link to get the filename and type. I know there would be a time overhead in a batch process like this, but at least it would all be done non-interactively (i.e. you can go for some lunch while it's all happening).

One other thing: a facility whereby you could do a second (and perhaps a third, fourth ..) keyword search on just the results of an initial keyword search would be useful. It would get round those situations where you want to find files that have word1 AND word2 and possibly word3 in them (which I don't know whether it is possible to set up as a regular expression).

PS, I am not griping :), I think it is a great programme.

Cheers,
Paul.

--- Brian Carrier <ca...@sl...> wrote:
> I'm looking for input and suggestions. TSK v2 now supports disk
> images, split images, and will soon support other formats. It also
> autodetects the file system and partition types (I really should have
> done that a long time ago). Now I need to redo the case management
> part of autopsy to work these features in. While I am at it, I want to
> know what people hate about the case management or any suggestions that
> people have to make it better.
>
> The new basic design will be that you give the path to the
> disk/partition image and Autopsy will identify the image type and what
> file systems are in a disk image. You can change the settings and add
> a known MD5 and then the image will be imported. You will also be
> able to manually define the locations of partitions.
>
> I am planning on having a "recent" list on the front page that allows
> you to bypass the Case and Host opening.
>
> Any ideas, suggestions, or opinions?
>
> brian
>
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
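The two keyword-search ideas in the post above (grouping hits by file type, and a second search restricted to the hits of a first one, with "word1 AND word2 AND word3" expressed as one regular expression) can be sketched as an added Python example; this is not code from the post or from Autopsy, and it assumes the hit-to-filename lookup has already been done, so each constructed hit carries its file name and matched text.

```python
import re
from collections import defaultdict

# Constructed sample: keyword hits with the containing file already resolved.
# In a real case the name would come from the metadata (e.g. MFT) lookup.
HITS = [
    {"offset": 4096,  "name": "report.doc", "text": "quarterly report budget"},
    {"offset": 8192,  "name": "notes.txt",  "text": "budget meeting notes"},
    {"offset": 12288, "name": "plan.doc",   "text": "project plan and budget figures"},
    {"offset": 16384, "name": "image.jpg",  "text": "budget"},
]

def group_by_type(hits):
    """Put each hit under its file extension so one type can be reviewed first."""
    tree = defaultdict(list)
    for h in hits:
        name = h["name"]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else "(none)"
        tree[ext].append(name)
    return dict(tree)

def all_terms_regex(terms):
    """One pattern matching text that contains every term, in any order.
    Each (?=.*term) lookahead asserts presence without consuming input, which
    is how 'word1 AND word2 AND word3' fits into a single regular expression."""
    body = "".join(f"(?=.*{re.escape(t)})" for t in terms)
    return re.compile(body, re.S | re.I)

def refine(hits, *terms):
    """Second-pass search that only looks at the hits of the first search."""
    pat = all_terms_regex(terms)
    return [h["name"] for h in hits if pat.search(h["text"])]

if __name__ == "__main__":
    print(group_by_type(HITS))
    print(refine(HITS, "budget", "plan"))
```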