[sleuthkit-users] [Autopsy] Extracted Content - Web Searches: Full Path in table view?
From: <in...@ba...> - 2015-03-09 11:22:13
Dear all,

I am currently working on a case and gave Autopsy a try because of its advanced content extractor for recent activities. Using this feature I have found a large number of relevant web searches, which are listed under "Results -> Extracted Content -> Web Searches".

The case includes several different computers that were used by various different Windows users. The relevance of a search depends on the user who ran the search. Therefore, I need to know not only the search query, browser and evidence file but also the "Full Path" to the file that contained the web search.

As far as I have searched, Autopsy only provides this information in the metadata or result pane but not in the table view. But I need to have this information in the table view so that I can easily filter the result set.

Therefore, I have taken a look at the database layout. I have figured out that joining the tables blackboard_artifacts and tsk_files and filtering on artifact_type_id 15 will give me the file path inside the volume for each search query. But I am still missing the partition ID and the evidence file.

Can somebody help me work out how I can query all the necessary information?

And an additional request: Is there a reason why this information is not displayed by default in the table view?

Best regards
Dennis
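The join described in the message, as an added example that is not part of the original post or of Autopsy: it runs against a constructed in-memory SQLite database, and the column names `obj_id`, `parent_path` and `name`, the sample rows, and the helper that derives the Windows profile name from the path are assumptions made for illustration. It covers only the in-volume path, not the partition or evidence file.

```python
import re
import sqlite3

# Assumed, reduced subset of the case database: only the columns this join needs.
SCHEMA = """
CREATE TABLE tsk_files (obj_id INTEGER PRIMARY KEY, parent_path TEXT, name TEXT);
CREATE TABLE blackboard_artifacts (artifact_id INTEGER PRIMARY KEY,
                                   obj_id INTEGER, artifact_type_id INTEGER);
"""
WEB_SEARCH_TYPE_ID = 15  # artifact type id given in the post

# Constructed sample rows, not taken from any real case.
FILES = [
    (101, "/Users/alice/AppData/Roaming/Mozilla/Firefox/Profiles/x.default/", "places.sqlite"),
    (102, "/Documents and Settings/bob/Local Settings/History/History.IE5/", "index.dat"),
    (103, "/Windows/System32/config/", "SOFTWARE"),
]
ARTIFACTS = [(1, 101, 15), (2, 102, 15), (3, 101, 4), (4, 103, 15)]

# Hypothetical helper: profile folder name for Vista+ and XP style user directories.
PROFILE_RE = re.compile(r"^/(?:Users|Documents and Settings)/([^/]+)/", re.IGNORECASE)

def profile_from_path(path):
    """Return the Windows profile name embedded in the path, or None."""
    match = PROFILE_RE.match(path)
    return match.group(1) if match else None

def web_search_sources(conn):
    """One row per web-search artifact: (artifact_id, full in-volume path, profile)."""
    rows = conn.execute(
        """SELECT a.artifact_id, f.parent_path || f.name
           FROM blackboard_artifacts AS a
           JOIN tsk_files AS f ON f.obj_id = a.obj_id
           WHERE a.artifact_type_id = ?
           ORDER BY a.artifact_id""",
        (WEB_SEARCH_TYPE_ID,),
    ).fetchall()
    return [(aid, path, profile_from_path(path)) for aid, path in rows]

def build_sample_db():
    """Create the constructed in-memory database used by this example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO tsk_files VALUES (?, ?, ?)", FILES)
    conn.executemany("INSERT INTO blackboard_artifacts VALUES (?, ?, ?)", ARTIFACTS)
    return conn

if __name__ == "__main__":
    for row in web_search_sources(build_sample_db()):
        print(row)
```

A source file outside any user profile yields `None` for the profile, so those rows can be filtered or reviewed separately.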