The Export option exports the entire file to an external file on the Linux system. The Add Note option brings up a window that lets you add a note about this particular file. The Written (i.e., modification), Accessed, and Created times, which appear in the upper right pane, are added to that note. Correlating these times can help trace the path of an intrusion.
Besides File Analysis, the toolbar at the top of Figure 5 contains several other items: Keyword Search, File Type, Image Details, Meta Data, and Data Unit. The Keyword Search function is fairly self-explanatory. You can specify whether to search the original image or the unallocated space by selecting the Load Original option or the Load Unallocated option, respectively. You can use grep regular expressions in your searches. For the experienced investigator, these expressions provide an excellent method for quickly obtaining pertinent results. Clicking grep cheat sheet gives you a quick rundown of possible regular expressions. You can also obtain information about grep regular expressions by running the command
man grep
The File Type function lets you sort all the files in the image by their file type. You simply click Sort Files by Type to bring up a series of check boxes outlining your options. I recommend that you keep the Extension and File Type Validation check box selected because Autopsy will then verify that the file signatures match their file types. When picture files (e.g., .jpg files) have been renamed to .doc files, the reason tends to be illicit. For searches against pictures, you can use the Thumbnail option, which can save a lot of time. Autopsy 1.75 displays the results of such a search in an alternative HTML file. Thus, to see the results, you need to copy the provided URL into your browser. . . .
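The kind of check that Extension and File Type Validation performs can be sketched outside Autopsy. The following Python is an added example, not Autopsy's own code: the signature table is a small assumed subset, the function names are hypothetical, and the sample files are constructed stand-ins for a mounted image.

```python
import os
import tempfile

# Leading-byte signatures and the extensions that legitimately carry them (assumed subset).
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {".png"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2", {".doc", ".xls", ".ppt"}),
    (b"PK\x03\x04", "zip", {".zip", ".docx", ".xlsx", ".pptx"}),
]

def identify(header):
    """Return (type_name, allowed_extensions) for a known signature, else None."""
    for magic, name, exts in SIGNATURES:
        if header.startswith(magic):
            return name, exts
    return None

def find_mismatches(root):
    """Return sorted (relative_path, detected_type) where extension and content disagree."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                match = identify(fh.read(16))
            ext = os.path.splitext(fname)[1].lower()
            if match and ext not in match[1]:
                hits.append((os.path.relpath(path, root), match[0]))
    return sorted(hits)

def demo():
    """Build constructed sample files (stand-ins for a mounted image) and scan them."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
    samples = {
        "holiday.jpg": jpeg,                                  # extension matches
        "report.doc": jpeg,                                   # JPEG renamed to .doc
        "budget.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,  # genuine OLE2
        "notes.txt": b"plain text, no known signature\n",     # unknown, not flagged
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return find_mismatches(root)

if __name__ == "__main__":
    for path, kind in demo():
        print(f"{path}: content looks like {kind}, extension disagrees")
```

Files with no recognized signature are left unflagged, so a hit means only that a known signature sits under an extension that does not belong to it.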