Re: [sleuthkit-users] Reporting, Autopsy Customization
From: Brian C. <ca...@sl...> - 2005-03-19 20:52:38
I don't know of any other scripts to do what you are looking for. As I mentioned in the previous e-mail, it is fairly easy to change the thumbnail page so that it includes more metadata, but it would still be sorted by file name and not by MAC time.

It is possible to add flagging capabilities to Autopsy, but I don't have it scheduled for a while...

brian

On Mar 18, 2005, at 5:00 PM, John T. Hoffoss wrote:

> On Fri, 18 Mar 2005 16:35:11 -0500, Brian Carrier
> <ca...@sl...> wrote:
>> I'm not quite sure if I understand what you are looking for. Are you
>> looking to make a timeline of only image files and have the thumbnail
>> in each timeline entry? If so, that is actually a lot of work given
>> the current design. The timeline tool and file type sorting tool are
>> completely separate.
>>
>> It is fairly trivial to make the sorting output contain the MAC times
>> next to the picture though. The pictures would not be sorted by time.
>> Is that what you are looking for?
>>
>> brian
>
> Sort of, yes. Bear with me...I'll explain what *I'm* trying to do,
> then what I was talking about below.
>
> What I have done is this:
>
> I've gone through extracted images/thumbnails, copied & pasted
> references to each image (i.e.
> /mnt/evidence/case/host/output/sort-graphics../images/dd-
> filename.dat2-58389-128-4.jpg)
> and will (when done) strip up to /dd-filename... (or use a regex) to
> get just the filename.
>
> I'll then run this file through a script a coworker and I have been
> working on which will extract entries from images.html (the file
> containing Linux, Windows paths, image data, etc.) for only the images
> I specify and output these to a new file.
>
> We then ran the autopsy-generated timeline file through a script that
> put the date/time next to each individual MAC time in the file so each
> line indicates the date/time of each activity.
>
> We'll then run these two files through another script that is nearly
> working to make a new HTML table that will copy the info block for
> each image in chronological order (so there will be multiple copies of
> each image's entry). In addition, we're going to parse through some
> proxy logs to see if we can find this activity in them.
>
> Ultimately, I want a document that allows me to show that the
> browsing/image-viewing habits of an individual known to look at
> material of this individual's computer. This guy spent a lot of time
> looking at mundane stuff of one specific type (we'll say puppies
> here...) and we found some adult materials as well. I want to link the
> adult stuff to him in arbitration by denying him the chance to say it
> was someone else looking at the adult stuff, he just looked at
> puppies. This document should be able to do that.
>
> So, it might show the following (with a screenshot of each):
> Jan 01 14:30 puppy3.jpg
> Jan 01 14:30 cute-puppy4.jpg
> Jan 01 14:31 puppy5.jpg
> Jan 01 14:32 naked-lady21.jpg
> Jan 01 14:33 puppy6.jpg
> Jan 01 14:34 puppy7.jpg
> Jan 01 14:34 naked-lady17.jpg
> Jan 01 14:35 puppy8.jpg
>
> And then, to make this more usable for me, I'd include file location
> info off to the right of this. So each entry might be:
>
> [thumbnail] [date/time] [filename] [path to file] [proxy log entry]
>
> ----
> So what I'm trying to ask:
>
> Has anyone done something similar?
>
> Is there a way, in autopsy, to add an "interesting" checkbox which
> flags it for filtering somewhere? That way I don't have to copy/paste
> each individual image reference for my scripts. It's time-intensive
> enough that I have to look through 600 pages of images to do this...
>
> This if this was done, I could just run that output list of
> image-names and find each relevant entry in the timeline. That, or
> include that information in the generated images.html file that you
> already generate. That way, I can at least see what/why this guy did
> something to generate six entries of the same image in a relatively
> short amount of time.
>
> Does that make sense? Perhaps I need to wait til Monday morning to
> explain this stuff...
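The correlation John describes in the quoted message (fill in the blank date column of the timeline, pick out only the flagged images, and emit one chronological table row per MAC entry) as an added Python example; it is not code from the thread or from Autopsy/The Sleuth Kit. The timeline layout, the `r/rrwxrwxrwx` column and the rule that a sorter output name ends in the file's meta address are assumptions based on the sample path in the post, the proxy-log column is left out, and all input is constructed.

```python
import html
import re
from datetime import datetime

# Constructed sample in a mactime-style layout (an assumption about the Autopsy timeline
# file): the date/time is printed only on the first line of each group, later lines are blank.
TIMELINE = """\
Sat Jan 01 2005 14:30:00     8192 .a.. r/rrwxrwxrwx 0 0 58389-128-4 /Docs/puppy3.jpg
                             4096 .a.. r/rrwxrwxrwx 0 0 58390-128-1 /Docs/cute-puppy4.jpg
Sat Jan 01 2005 14:32:00    16384 .a.. r/rrwxrwxrwx 0 0 58401-128-3 /Docs/pic21.jpg
Sat Jan 01 2005 14:34:00    16384 m... r/rrwxrwxrwx 0 0 58401-128-3 /Docs/pic21.jpg
"""
# Constructed "interesting" list: sorter output names of the form quoted in the post,
# whose trailing number is assumed to be the file's meta address (inode) on the image.
FLAGGED = ["dd-filename.dat2-58389-128-4.jpg", "dd-filename.dat2-58401-128-3.jpg"]
LINE_RE = re.compile(r"^(\w{3} \w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})?\s*(\S.*)$")

def parse_timeline(text):
    """Yield (timestamp, macb, inode, path), filling in the blank date columns."""
    stamp = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m.group(1):
            stamp = datetime.strptime(m.group(1), "%a %b %d %Y %H:%M:%S")
        _size, macb, _perm, _uid, _gid, inode, path = m.group(2).split(None, 6)
        yield stamp, macb, inode, path

def flagged_inodes(names):
    """Map the inode embedded in each sorter output name back to that name."""
    hits = (re.search(r"-([\d-]+)\.[^.]+$", n) for n in names)
    return {m.group(1): m.string for m in hits if m}

def correlate(timeline_text, flagged_names):
    """Flagged images' timeline hits, oldest first; one row per MAC entry of a file."""
    wanted = flagged_inodes(flagged_names)
    rows = [{"when": t, "time": t.strftime("%b %d %H:%M"), "macb": macb,
             "thumb": wanted[inode], "name": path.rsplit("/", 1)[-1], "path": path}
            for t, macb, inode, path in parse_timeline(timeline_text) if inode in wanted]
    return sorted(rows, key=lambda r: r["when"])

def render_html(rows):
    """One table row per hit: [thumbnail] [date/time] [MACB] [filename] [path]."""
    def row(r):
        cells = (f'<img src="images/{html.escape(r["thumb"])}">', r["time"], r["macb"],
                 html.escape(r["name"]), html.escape(r["path"]))
        return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"
    return "<table>\n" + "\n".join(map(row, rows)) + "\n</table>"
```

Matching on the meta address rather than the base name avoids mixing up files that share a name in different directories, and the MACB column shows which of the repeated entries for one image is an access and which a modification.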