Dear all,
I am currently working on a case and gave Autopsy a try due to the advanced
content extractor regarding recent activities. Using this feature I have
found a high amount of relevant web searches which are listed under
"Results -> Extracted Content -> Web Searches".
The case includes several different computers that were used by various
different Windows users. The relevance of a search depends on the user
that queried the search. Therefore, I do not only need to know the
search query, browser and evidence file but also the "Full Path" to the
file that contained the web search. As far as I have searched, Autopsy
only provides this information in the metadata or result pane but not in
the table view. But I need to have this information in the table view so
that I can easily filter the result set.
Therefore, I have taken a look at the database layout. I have figured
out that joining the tables blackboard_artifacts and tsk_files and
filtering on artifact_type_id 15 will give me the file path inside the
volume for each search query. But I am still missing the partition ID
and the evidence file.
Can somebody help me how I can query all necessary information?
And an additional request: Is there a reason why this information is not
displayed by default in the table view?
Best regards
Dennis
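One way to get all three pieces of information (file path, partition and evidence file) out of the case database in a single result set, as an added example that is not part of the post above and is not Autopsy's or The Sleuth Kit's own code: the query below starts from the `blackboard_artifacts`/`tsk_files` join already described, then walks the `tsk_objects` parent chain upwards with a recursive CTE until it reaches the volume (for the partition) and the image (for the evidence file). It assumes the SQLite case database (recursive CTEs need SQLite 3.8.3 or later), the object type codes IMG=0, VOL=2 in `tsk_objects.type`, and that the search text and browser are stored as the `TSK_TEXT` and `TSK_PROG_NAME` attributes; the in-memory schema and rows are a constructed minimal subset of the real tables so the query can run offline, so check the column names against your own `autopsy.db` before relying on them.

```python
import sqlite3

# tsk_objects.type codes (assumption, from TskData.ObjectType): IMG=0, VS=1, VOL=2, FS=3, ABSTRACTFILE=4
OBJ_IMG, OBJ_VS, OBJ_VOL, OBJ_FS, OBJ_FILE = 0, 1, 2, 3, 4
ART_WEB_SEARCH_QUERY = 15  # artifact_type_id named in the post (TSK_WEB_SEARCH_QUERY)

# Constructed minimal subset of the Sleuth Kit case-database schema (only the columns used here).
SCHEMA = """
CREATE TABLE tsk_objects (obj_id INTEGER PRIMARY KEY, par_obj_id INTEGER, type INTEGER NOT NULL);
CREATE TABLE tsk_image_names (obj_id INTEGER NOT NULL, name TEXT NOT NULL, sequence INTEGER NOT NULL);
CREATE TABLE tsk_vs_parts (obj_id INTEGER PRIMARY KEY, addr INTEGER NOT NULL, start INTEGER NOT NULL, length INTEGER NOT NULL);
CREATE TABLE tsk_files (obj_id INTEGER PRIMARY KEY, fs_obj_id INTEGER, name TEXT NOT NULL, parent_path TEXT);
CREATE TABLE blackboard_artifacts (artifact_id INTEGER PRIMARY KEY, obj_id INTEGER NOT NULL, artifact_type_id INTEGER NOT NULL);
CREATE TABLE blackboard_attribute_types (attribute_type_id INTEGER PRIMARY KEY, type_name TEXT NOT NULL, display_name TEXT);
CREATE TABLE blackboard_attributes (artifact_id INTEGER NOT NULL, attribute_type_id INTEGER NOT NULL, value_text TEXT);
"""

QUERY = """
WITH RECURSIVE ancestry(file_obj_id, obj_id, par_obj_id, type) AS (
    -- start at every file, then climb tsk_objects until the parent chain ends at the image
    SELECT f.obj_id, o.obj_id, o.par_obj_id, o.type
      FROM tsk_files f JOIN tsk_objects o ON o.obj_id = f.obj_id
    UNION ALL
    SELECT a.file_obj_id, o.obj_id, o.par_obj_id, o.type
      FROM ancestry a JOIN tsk_objects o ON o.obj_id = a.par_obj_id
)
SELECT
    q.value_text            AS search_query,
    p.value_text            AS program,
    f.parent_path || f.name AS full_path,
    vp.addr                 AS partition_addr,
    vp.start                AS partition_start_sector,
    (SELECT name FROM tsk_image_names WHERE obj_id = ai.obj_id ORDER BY sequence LIMIT 1) AS evidence_file
FROM blackboard_artifacts art
JOIN tsk_files f          ON f.obj_id = art.obj_id
JOIN ancestry ai          ON ai.file_obj_id = f.obj_id AND ai.type = :img   -- image ancestor
LEFT JOIN ancestry av     ON av.file_obj_id = f.obj_id AND av.type = :vol   -- volume ancestor, if any
LEFT JOIN tsk_vs_parts vp ON vp.obj_id = av.obj_id
LEFT JOIN blackboard_attributes q ON q.artifact_id = art.artifact_id
     AND q.attribute_type_id = (SELECT attribute_type_id FROM blackboard_attribute_types WHERE type_name = 'TSK_TEXT')
LEFT JOIN blackboard_attributes p ON p.artifact_id = art.artifact_id
     AND p.attribute_type_id = (SELECT attribute_type_id FROM blackboard_attribute_types WHERE type_name = 'TSK_PROG_NAME')
WHERE art.artifact_type_id = :art
ORDER BY evidence_file, partition_addr, full_path;
"""


def build_demo_db() -> sqlite3.Connection:
    """Create an in-memory case database filled with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO tsk_objects VALUES (?, ?, ?)", [
        # evidence A: image -> volume system -> partition -> file system -> directory -> History file
        (1, None, OBJ_IMG), (2, 1, OBJ_VS), (3, 2, OBJ_VOL), (4, 3, OBJ_FS), (5, 4, OBJ_FILE), (6, 5, OBJ_FILE),
        # evidence B: a file system sitting directly on the image, no partition table
        (10, None, OBJ_IMG), (11, 10, OBJ_FS), (12, 11, OBJ_FILE),
    ])
    conn.executemany("INSERT INTO tsk_image_names VALUES (?, ?, ?)", [
        (1, "/cases/constructed/laptop-A.E01", 0),
        (10, "/cases/constructed/workstation-B.dd", 0),
    ])
    conn.execute("INSERT INTO tsk_vs_parts VALUES (3, 2, 2048, 204800)")
    conn.executemany("INSERT INTO tsk_files VALUES (?, ?, ?, ?)", [
        (5, 4, "Default", "/Users/alice/AppData/Local/Google/Chrome/User Data/"),
        (6, 4, "History", "/Users/alice/AppData/Local/Google/Chrome/User Data/Default/"),
        (12, 11, "places.sqlite", "/Users/bob/AppData/Roaming/Mozilla/Firefox/Profiles/x.default/"),
    ])
    # attribute type ids are constructed; the query resolves them by type_name, not by number
    conn.executemany("INSERT INTO blackboard_attribute_types VALUES (?, ?, ?)", [
        (4, "TSK_PROG_NAME", "Program Name"), (25, "TSK_TEXT", "Text"),
    ])
    conn.executemany("INSERT INTO blackboard_artifacts VALUES (?, ?, ?)", [
        (100, 6, ART_WEB_SEARCH_QUERY),
        (101, 12, ART_WEB_SEARCH_QUERY),
        (102, 6, 4),  # a different artifact type on the same file; must be filtered out
    ])
    conn.executemany("INSERT INTO blackboard_attributes VALUES (?, ?, ?)", [
        (100, 25, "autopsy export web searches"), (100, 4, "Chrome"),
        (101, 25, "sleuthkit database schema"), (101, 4, "Firefox"),
        (102, 4, "Chrome"),
    ])
    conn.commit()
    return conn


def web_searches(conn: sqlite3.Connection) -> list:
    """Return one dict per web-search artifact with its path, partition and evidence file."""
    params = {"img": OBJ_IMG, "vol": OBJ_VOL, "art": ART_WEB_SEARCH_QUERY}
    return [dict(r) for r in conn.execute(QUERY, params)]


if __name__ == "__main__":
    for row in web_searches(build_demo_db()):
        print(row)
```

Against a real case, replace `build_demo_db()` with `sqlite3.connect("/path/to/case/autopsy.db")` and keep `row_factory = sqlite3.Row`; `partition_addr` comes back as NULL for files on a file system that has no volume system above it, which is why the volume join is a LEFT JOIN rather than an inner one.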