Re: [sleuthkit-users] Reporting, Autopsy Customization
From: John T. H. <joh...@gm...> - 2005-03-18 22:00:43
On Fri, 18 Mar 2005 16:35:11 -0500, Brian Carrier <ca...@sl...> wrote:
> I'm not quite sure if I understand what you are looking for. Are you
> looking to make a timeline of only image files and have the thumbnail
> in each timeline entry? If so, that is actually a lot of work given
> the current design. The timeline tool and file type sorting tool are
> completely separate.
>
> It is fairly trivial to make the sorting output contain the MAC times
> next to the picture though. The pictures would not be sorted by time.
> Is that what you are looking for?
>
> brian

Sort of, yes. Bear with me... I'll explain what *I'm* trying to do, then what I was talking about below.

What I have done is this: I've gone through extracted images/thumbnails, copied & pasted references to each image (i.e. /mnt/evidence/case/host/output/sort-graphics../images/dd-filename.dat2-58389-128-4.jpg) and will (when done) strip up to /dd-filename... (or use a regex) to get just the filename. I'll then run this file through a script a coworker and I have been working on which will extract entries from images.html (the file containing Linux, Windows paths, image data, etc.) for only the images I specify and output these to a new file.

We then ran the autopsy-generated timeline file through a script that put the date/time next to each individual MAC time in the file so each line indicates the date/time of each activity. We'll then run these two files through another script that is nearly working to make a new HTML table that will copy the info block for each image in chronological order (so there will be multiple copies of each image's entry). In addition, we're going to parse through some proxy logs to see if we can find this activity in them.

Ultimately, I want a document that allows me to show that the browsing/image-viewing habits of an individual known to look at material of this individual's computer.

This guy spent a lot of time looking at mundane stuff of one specific type (we'll say puppies here...) and we found some adult materials as well. I want to link the adult stuff to him in arbitration by denying him the chance to say it was someone else looking at the adult stuff, he just looked at puppies. This document should be able to do that. So, it might show the following (with a screenshot of each):

Jan 01 14:30 puppy3.jpg
Jan 01 14:30 cute-puppy4.jpg
Jan 01 14:31 puppy5.jpg
Jan 01 14:32 naked-lady21.jpg
Jan 01 14:33 puppy6.jpg
Jan 01 14:34 puppy7.jpg
Jan 01 14:34 naked-lady17.jpg
Jan 01 14:35 puppy8.jpg

And then, to make this more usable for me, I'd include file location info off to the right of this. So each entry might be:

[thumbnail] [date/time] [filename] [path to file] [proxy log entry]

----

So what I'm trying to ask: Has anyone done something similar? Is there a way, in autopsy, to add an "interesting" checkbox which flags it for filtering somewhere? That way I don't have to copy/paste each individual image reference for my scripts. It's time-intensive enough that I have to look through 600 pages of images to do this...

If this was done, I could just run that output list of image-names and find each relevant entry in the timeline. That, or include that information in the generated images.html file that you already generate. That way, I can at least see what/why this guy did something to generate six entries of the same image in a relatively short amount of time.

Does that make sense? Perhaps I need to wait til Monday morning to explain this stuff...
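The workflow described in this message (carry the date/time onto every timeline line, then keep only the entries for a hand-picked list of images, in chronological order) can be sketched as follows. This is an added example, not the poster's scripts or Autopsy code. It assumes a mactime-style timeline layout and that the sorter file name ends in the file's inode; the function names, sample timeline and directory part of the paths are constructed.

```python
import re
from datetime import datetime

# Constructed sample. Assumed mactime-style layout: the date/time appears only on
# the first line of a group; columns are size, MAC flags, mode, uid, gid, inode, path.
SAMPLE_TIMELINE = """\
Sat Jan 01 2005 14:30:05    20480 .a. -rwxrwxrwx 0 0 58389-128-4 C:/cache/puppy3.jpg
                            18211 .a. -rwxrwxrwx 0 0 58390-128-4 C:/cache/cute-puppy4.jpg
Sat Jan 01 2005 14:32:10    40112 m.c -rwxrwxrwx 0 0 58400-128-3 C:/cache/other21.jpg
                             9120 .a. -rwxrwxrwx 0 0 58391-128-4 C:/cache/index.dat
Sat Jan 01 2005 14:34:47    20480 m.. -rwxrwxrwx 0 0 58389-128-4 C:/cache/puppy3.jpg
"""
# Constructed list of flagged sorter output files (directory part is a placeholder).
FLAGGED = ["/case/output/images/dd-filename.dat2-58389-128-4.jpg",
           "/case/output/images/dd-filename.dat2-58400-128-3.jpg"]

DATE_RE = re.compile(r"^(\w{3} \w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+(.*)$")
INODE_RE = re.compile(r"-(\d+(?:-\d+){2})\.[^./]+$")

def inode_from_sorter_name(path):
    """Pull the trailing inode (e.g. 58389-128-4) out of a sorter file name."""
    m = INODE_RE.search(path)
    if not m:
        raise ValueError(f"no inode in {path!r}")
    return m.group(1)

def expand_timeline(text):
    """Yield (datetime, flags, inode, path) with the timestamp carried onto every line."""
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = DATE_RE.match(line)
        if m:
            current = datetime.strptime(m.group(1), "%a %b %d %Y %H:%M:%S")
        rest = m.group(2) if m else line.strip()
        if current is None:
            raise ValueError("entry before first timestamp")
        _size, flags, _mode, _uid, _gid, inode, path = rest.split(None, 6)
        yield current, flags, inode, path

def flagged_rows(timeline_text, sorter_paths):
    """Chronological rows for flagged images; one row per MAC event, so repeats are kept."""
    wanted = {inode_from_sorter_name(p) for p in sorter_paths}
    rows = sorted((r for r in expand_timeline(timeline_text) if r[2] in wanted),
                  key=lambda r: r[0])
    return [(t.strftime("%b %d %H:%M"), f, i, p) for t, f, i, p in rows]

if __name__ == "__main__":
    for row in flagged_rows(SAMPLE_TIMELINE, FLAGGED):
        print(*row, sep="  ")
```

Matching on the inode rather than the file name keeps the join stable when the same name appears in several directories; the thumbnail and proxy-log columns would be joined onto these rows by the same key.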