Thread: [sleuthkit-users] Reporting, Autopsy Customization
From: John T. H. <joh...@gm...> - 2005-03-18 17:50:53
So my foray into Autopsy/Sleuthkit has thus far been fairly successful. This engagement I've been involved in ultimately boils down to working with images found on a few systems. The image extraction was a huge help in this, but part of my work is to turn around and create a report for a client showing browsing activity. I'm modifying the output from image extraction, combined with the timeline output and the image data file to create files that will look something like:

    image1 thumb - timestamp1 - image1 data
    image2 thumb - timestamp1 - image2 data
    image3 thumb - timestamp1 - image3 data
    image2 thumb - timestamp2 - image2 data
    image4 thumb - timestamp1 - image4 data
    etc.

Thus far, I've been manually copying names of images that I'll want to have included in this report for input into another script. Has anyone done something similar?

How complex would it be to modify autopsy to include a check-box of some sort to generate trimmed thumbnail/data pages for interesting images to manipulate later, rather than my "copy url, paste into file, clean up file, script/filter data" sort of process?

In extracting the images, would it be possible to include a reference to each timeline entry that prompted the inclusion of an image? Or in many cases, the repeating of an image?

-John
From: Brian C. <ca...@sl...> - 2005-03-18 21:35:25
I'm not quite sure if I understand what you are looking for. Are you looking to make a timeline of only image files and have the thumbnail in each timeline entry? If so, that is actually a lot of work given the current design. The timeline tool and file type sorting tool are completely separate.

It is fairly trivial to make the sorting output contain the MAC times next to the picture though. The pictures would not be sorted by time. Is that what you are looking for?

brian

On Mar 18, 2005, at 12:50 PM, John T. Hoffoss wrote:

> So my foray into Autopsy/Sleuthkit has thus far been fairly successful. This engagement I've been involved in ultimately boils down to working with images found on a few systems. The image extraction was a huge help in this, but part of my work is to turn around and create a report for a client showing browsing activity. I'm modifying the output from image extraction, combined with the timeline output and the image data file to create files that will look something like:
>
> image1 thumb - timestamp1 - image1 data
> image2 thumb - timestamp1 - image2 data
> image3 thumb - timestamp1 - image3 data
> image2 thumb - timestamp2 - image2 data
> image4 thumb - timestamp1 - image4 data
> etc.
>
> Thus far, I've been manually copying names of images that I'll want to have included in this report for input into another script. Has anyone done something similar?
>
> How complex would it be to modify autopsy to include a check-box of some sort to generate trimmed thumbnail/data pages for interesting images to manipulate later, rather than my "copy url, paste into file, clean up file, script/filter data" sort of process?
>
> In extracting the images, would it be possible to include a reference to each timeline entry that prompted the inclusion of an image? Or in many cases, the repeating of an image?
>
> -John
From: John T. H. <joh...@gm...> - 2005-03-18 22:00:43
On Fri, 18 Mar 2005 16:35:11 -0500, Brian Carrier <ca...@sl...> wrote:

> I'm not quite sure if I understand what you are looking for. Are you looking to make a timeline of only image files and have the thumbnail in each timeline entry? If so, that is actually a lot of work given the current design. The timeline tool and file type sorting tool are completely separate.
>
> It is fairly trivial to make the sorting output contain the MAC times next to the picture though. The pictures would not be sorted by time. Is that what you are looking for?
>
> brian

Sort of, yes. Bear with me...I'll explain what *I'm* trying to do, then what I was talking about below.

What I have done is this:

I've gone through extracted images/thumbnails, copied & pasted references to each image (i.e. /mnt/evidence/case/host/output/sort-graphics../images/dd-filename.dat2-58389-128-4.jpg) and will (when done) strip up to /dd-filename... (or use a regex) to get just the filename.

I'll then run this file through a script a coworker and I have been working on which will extract entries from images.html (the file containing Linux, Windows paths, image data, etc.) for only the images I specify and output these to a new file.

We then ran the autopsy-generated timeline file through a script that put the date/time next to each individual MAC time in the file so each line indicates the date/time of each activity.

We'll then run these two files through another script that is nearly working to make a new HTML table that will copy the info block for each image in chronological order (so there will be multiple copies of each image's entry). In addition, we're going to parse through some proxy logs to see if we can find this activity in them.

Ultimately, I want a document that allows me to show that the browsing/image-viewing habits of an individual known to look at material of this individual's computer. This guy spent a lot of time looking at mundane stuff of one specific type (we'll say puppies here...) and we found some adult materials as well. I want to link the adult stuff to him in arbitration by denying him the chance to say it was someone else looking at the adult stuff, he just looked at puppies. This document should be able to do that.

So, it might show the following (with a screenshot of each):

    Jan 01 14:30 puppy3.jpg
    Jan 01 14:30 cute-puppy4.jpg
    Jan 01 14:31 puppy5.jpg
    Jan 01 14:32 naked-lady21.jpg
    Jan 01 14:33 puppy6.jpg
    Jan 01 14:34 puppy7.jpg
    Jan 01 14:34 naked-lady17.jpg
    Jan 01 14:35 puppy8.jpg

And then, to make this more usable for me, I'd include file location info off to the right of this. So each entry might be:

    [thumbnail] [date/time] [filename] [path to file] [proxy log entry]

----

So what I'm trying to ask:

Has anyone done something similar?

Is there a way, in autopsy, to add an "interesting" checkbox which flags it for filtering somewhere? That way I don't have to copy/paste each individual image reference for my scripts. It's time-intensive enough that I have to look through 600 pages of images to do this...

Thus, if this was done, I could just run that output list of image-names and find each relevant entry in the timeline. That, or include that information in the generated images.html file that you already generate. That way, I can at least see what/why this guy did something to generate six entries of the same image in a relatively short amount of time.

Does that make sense? Perhaps I need to wait 'til Monday morning to explain this stuff...
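The join John describes above (flagged thumbnail names, stripped to basenames, looked up in the images.html mapping, then matched against the timeline and emitted in time order with one row per hit), written here as an added example that is not code from the thread or from Autopsy; it assumes a mactime-style text timeline, a constructed stand-in for the images.html name-to-path mapping, and that the original path is the join key.

```python
import re
from datetime import datetime
from html import escape

# Constructed sample in mactime's text layout (not real evidence):
# date/time, size, MACB flags, mode, UID, GID, meta address, path.
TIMELINE = """\
Sat Jan 01 2005 14:30:00 4096 m.c. r/rrwxrwxrwx 0 0 58389 /cache/puppy3.jpg
Sat Jan 01 2005 14:30:00 2048 ..b. r/rrwxrwxrwx 0 0 58390 /cache/cute-puppy4.jpg
Sat Jan 01 2005 14:32:00 8192 macb r/rrwxrwxrwx 0 0 58401 /cache/naked-lady21.jpg
Sat Jan 01 2005 14:33:00 4096 .a.. r/rrwxrwxrwx 0 0 58389 /cache/puppy3.jpg
Sat Jan 01 2005 14:34:00 1024 m... r/rrwxrwxrwx 0 0 58402 /cache/notes.txt
"""

# Constructed stand-in for what images.html records: sorter output name -> original path.
IMAGE_MAP = {
    "dd-filename.dat2-58389-128-4.jpg": "/cache/puppy3.jpg",
    "dd-filename.dat2-58390-128-4.jpg": "/cache/cute-puppy4.jpg",
    "dd-filename.dat2-58401-128-4.jpg": "/cache/naked-lady21.jpg",
}

# The analyst's pasted list of "interesting" thumbnails; only the basename is needed.
INTERESTING = [
    "/mnt/evidence/case/host/output/sort-graphics/images/dd-filename.dat2-58389-128-4.jpg",
    "/mnt/evidence/case/host/output/sort-graphics/images/dd-filename.dat2-58401-128-4.jpg",
]

LINE = re.compile(r"^(\w{3} \w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+\d+\s+(\S{4})\s+\S+\s+\d+\s+\d+\s+\S+\s+(.+)$")

def parse_timeline(text):
    """Return (datetime, MACB flags, path) for each well-formed timeline line."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:  # skip blank or malformed lines rather than guessing
            continue
        rows.append((datetime.strptime(m.group(1), "%a %b %d %Y %H:%M:%S"), m.group(2), m.group(3)))
    return rows

def chronological_rows(timeline_text, image_map, interesting):
    """Keep only timeline hits for flagged images, one row per hit, sorted by time."""
    wanted = {}
    for ref in interesting:
        name = ref.rsplit("/", 1)[-1]  # strip the sort-graphics prefix
        if name in image_map:
            wanted[image_map[name]] = name
    hits = [(when, flags, path, wanted[path])
            for when, flags, path in parse_timeline(timeline_text) if path in wanted]
    return sorted(hits, key=lambda r: r[0])  # stable: ties keep timeline order

def render_html(rows):
    """Emit the [thumbnail] [date/time] [MACB] [path] table John sketches."""
    out = ["<table>", "<tr><th>thumb</th><th>time</th><th>MACB</th><th>path</th></tr>"]
    for when, flags, path, thumb in rows:
        out.append('<tr><td><img src="%s"></td><td>%s</td><td>%s</td><td>%s</td></tr>'
                   % (escape(thumb), when.strftime("%b %d %H:%M:%S"), flags, escape(path)))
    out.append("</table>")
    return "\n".join(out)
```

The repeated puppy3.jpg entry shows up twice because each timeline hit becomes its own row, which is the "why did this image generate six entries" view John asks for; the proxy-log column would join on the same timestamp.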
From: Brian C. <ca...@sl...> - 2005-03-19 20:52:38
I don't know of any other scripts to do what you are looking for. As I mentioned in the previous e-mail, it is fairly easy to change the thumbnail page so that it includes more metadata, but it would still be sorted by file name and not by MAC time.

It is possible to add flagging capabilities to Autopsy, but I don't have it scheduled for a while...

brian

On Mar 18, 2005, at 5:00 PM, John T. Hoffoss wrote:

> On Fri, 18 Mar 2005 16:35:11 -0500, Brian Carrier <ca...@sl...> wrote:
>> I'm not quite sure if I understand what you are looking for. Are you looking to make a timeline of only image files and have the thumbnail in each timeline entry? If so, that is actually a lot of work given the current design. The timeline tool and file type sorting tool are completely separate.
>>
>> It is fairly trivial to make the sorting output contain the MAC times next to the picture though. The pictures would not be sorted by time. Is that what you are looking for?
>>
>> brian
>
> Sort of, yes. Bear with me...I'll explain what *I'm* trying to do, then what I was talking about below.
>
> What I have done is this:
>
> I've gone through extracted images/thumbnails, copied & pasted references to each image (i.e. /mnt/evidence/case/host/output/sort-graphics../images/dd-filename.dat2-58389-128-4.jpg) and will (when done) strip up to /dd-filename... (or use a regex) to get just the filename.
>
> I'll then run this file through a script a coworker and I have been working on which will extract entries from images.html (the file containing Linux, Windows paths, image data, etc.) for only the images I specify and output these to a new file.
>
> We then ran the autopsy-generated timeline file through a script that put the date/time next to each individual MAC time in the file so each line indicates the date/time of each activity.
>
> We'll then run these two files through another script that is nearly working to make a new HTML table that will copy the info block for each image in chronological order (so there will be multiple copies of each image's entry). In addition, we're going to parse through some proxy logs to see if we can find this activity in them.
>
> Ultimately, I want a document that allows me to show that the browsing/image-viewing habits of an individual known to look at material of this individual's computer. This guy spent a lot of time looking at mundane stuff of one specific type (we'll say puppies here...) and we found some adult materials as well. I want to link the adult stuff to him in arbitration by denying him the chance to say it was someone else looking at the adult stuff, he just looked at puppies. This document should be able to do that.
>
> So, it might show the following (with a screenshot of each):
> Jan 01 14:30 puppy3.jpg
> Jan 01 14:30 cute-puppy4.jpg
> Jan 01 14:31 puppy5.jpg
> Jan 01 14:32 naked-lady21.jpg
> Jan 01 14:33 puppy6.jpg
> Jan 01 14:34 puppy7.jpg
> Jan 01 14:34 naked-lady17.jpg
> Jan 01 14:35 puppy8.jpg
>
> And then, to make this more usable for me, I'd include file location info off to the right of this. So each entry might be:
>
> [thumbnail] [date/time] [filename] [path to file] [proxy log entry]
>
> ----
> So what I'm trying to ask:
>
> Has anyone done something similar?
>
> Is there a way, in autopsy, to add an "interesting" checkbox which flags it for filtering somewhere? That way I don't have to copy/paste each individual image reference for my scripts. It's time-intensive enough that I have to look through 600 pages of images to do this...
>
> Thus, if this was done, I could just run that output list of image-names and find each relevant entry in the timeline. That, or include that information in the generated images.html file that you already generate. That way, I can at least see what/why this guy did something to generate six entries of the same image in a relatively short amount of time.
>
> Does that make sense? Perhaps I need to wait 'til Monday morning to explain this stuff...