[sleuthkit-users] Views area of Autopsy Question
From: Brian C. <ca...@sl...> - 2016-11-03 14:11:59
Another effort we have underway is to incorporate file type signatures into the Views area of Autopsy and not rely only on extension. This is a frequent request. But like many things, it gets complicated and potentially confusing to the user.

Based on Autopsy's philosophy of providing data as quickly as possible, the basic idea is to use a file's extension if its MIME type is not yet known. When its MIME type becomes known, then ignore the extension and rely on the file type.

A couple of things we'd like feedback on:

- When the image is being ingested, we are constantly learning about file types. If we update the set of files under each type (JPEGs, for example), then it would be frequently changing, and this could get confusing and resource intensive. Would you prefer that it is only updated after ingest is completed or at some periodic interval (say 5 minutes)?

- We currently break down executables in the tree into .exe, .dll, .com, etc. nodes. However, their MIME type is usually the same. Do people use the detailed breakdown of executables, or would it be good enough to have a single executable node in the tree? How are people using these nodes?

- We currently have a node in the tree for ".txt" files. If we put all files of type "text/plain" in this node, it would have TONS of files. It would almost seem to make this node useless and impossible to find stuff in. Do people ever use this node and, if so, would you like it to stay as just extension-based?

Put another way, the current tree was easy to implement and understand when it was only extension-based. It's not as easy when it is signature-based, and we want to know how much of the current tree to keep. What types of files do you want to be able to find from the tree?

brian
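The policy described in the post (bucket by extension until the signature pass has run, then let the signature win) as an added illustration; this is example code written for this page, not Autopsy's own implementation. The magic-byte table, the extension table, the `detect_mime`/`classify`/`build_view` names and the sample files are all constructed for the example, and the choice to fall back to the extension when no signature matches is an assumption about how "MIME type not yet known" should be handled:

```python
"""Signature-first file typing with extension fallback (illustration only).

Mirrors the idea in the post: while a file's MIME type is unknown, bucket it
by extension; once the signature check has run, the extension is ignored.
"""
import os
from typing import Dict, List, Optional, Tuple

# Constructed subset of real magic-byte signatures (longest first is not
# required here because none of these prefixes overlap).
SIGNATURES = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"MZ", "application/x-dosexec"),  # PE .exe and .dll share this header
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
]

# Constructed extension table, used only while the signature is unknown.
EXT_TO_TYPE = {
    ".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".png": "image/png",
    ".exe": "application/x-dosexec", ".dll": "application/x-dosexec",
    ".com": "application/x-dosexec", ".txt": "text/plain",
    ".pdf": "application/pdf", ".zip": "application/zip",
}

UNKNOWN = "application/octet-stream"


def detect_mime(header: bytes) -> Optional[str]:
    """Return a MIME type from the leading bytes, or None if nothing matches."""
    for magic, mime in SIGNATURES:
        if header.startswith(magic):
            return mime
    # Crude text/plain heuristic: every byte is printable ASCII or whitespace.
    if header and all(32 <= b < 127 or b in b"\r\n\t" for b in header):
        return "text/plain"
    return None


def classify(name: str, header: bytes, signature_checked: bool) -> Tuple[str, str]:
    """Return (mime_type, basis) where basis is 'signature' or 'extension'.

    Assumption: if the signature pass ran but matched nothing, the type is
    still "not known", so we keep using the extension.
    """
    if signature_checked:
        mime = detect_mime(header)
        if mime is not None:
            return (mime, "signature")
    ext = os.path.splitext(name)[1].lower()
    return (EXT_TO_TYPE.get(ext, UNKNOWN), "extension")


# Constructed sample "image": file name -> first bytes.
FILES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "notes.txt": b"\xff\xd8\xff\xe0\x00\x10JFIF",  # a JPEG renamed to .txt
    "app.exe": b"MZ\x90\x00\x03\x00",
    "lib.dll": b"MZ\x90\x00\x03\x00",
    "readme.txt": b"hello\r\nworld\r\n",
    "blob.bin": b"\x00\x01\x02\x03",
}


def build_view(files: Dict[str, bytes], signature_checked: bool) -> Dict[str, List[str]]:
    """Group files into tree nodes keyed by MIME type, like a Views node."""
    buckets: Dict[str, List[str]] = {}
    for name, head in files.items():
        mime, _ = classify(name, head, signature_checked)
        buckets.setdefault(mime, []).append(name)
    return {k: sorted(v) for k, v in buckets.items()}


if __name__ == "__main__":
    for stage in (False, True):
        print("after signature check:" if stage else "extension only:")
        for mime, names in sorted(build_view(FILES, stage).items()):
            print(f"  {mime}: {', '.join(names)}")
```

Running it shows the two effects the post asks about: the renamed JPEG moves from the `.txt` node to `image/jpeg` once signatures are known, and `.exe` and `.dll` collapse into one `application/x-dosexec` node because their signature is the same.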