How does Autopsy know to use Sleuth Kit?

A place for general discussion of sleuthkit.org projects or other open source forensics software.

Moderator: carrier

Postby apchampa » Wed Apr 01, 2015 9:16 pm

I have installed Autopsy and downloaded the Sleuth Kit. How do I tell Autopsy to use the Sleuth Kit functions? Your assistance is greatly appreciated.
apchampa
 
Posts: 2
Joined: Wed Apr 01, 2015 9:14 pm

Re: How does Autopsy know to use Sleuth Kit?

Postby Hoyt » Fri Apr 17, 2015 4:11 am

Think of Autopsy as the front end to The Sleuth Kit, as well as other tools (such as Photorec), modules, etc. You didn't say which version of Autopsy you've installed or on which OS, but it's the same regardless, even if installation and usage differ. Assuming you're talking about Autopsy 3 installed on Windows, the installer pulls in all dependencies, including The Sleuth Kit, and is written to use those tools as you progress through the case. You get to use graphical options while Java does the back-end heavy lifting, calling the individual tools for you.
Hoyt Harness, CFCE
Hoyt
 
Posts: 74
Joined: Thu Dec 11, 2014 4:02 am
Location: Little Rock, AR

Re: How does Autopsy know to use Sleuth Kit?

Postby apchampa » Thu Apr 23, 2015 9:12 pm

Yes, I have Autopsy 3.1.2 running on Windows 7 Pro 64-bit.

I see my setup has 6 plugins installed and I don't get any others to pull up so I'm assuming I have everything then.

I guess I just need to learn how to use the tool.

I don't see how to create a timeline for example or use some of the other items that appear to be part of the Sleuth Kit from within the Autopsy GUI.
apchampa
 
Posts: 2
Joined: Wed Apr 01, 2015 9:14 pm

Re: How does Autopsy know to use Sleuth Kit?

Postby Hoyt » Wed May 13, 2015 4:27 am

Timelining is done from the menu bar under "Tools > Timeline". The other modules can be run by right-clicking items listed under "Data Sources" located on the left tree and selecting "Run Ingest Modules". Try not to duplicate any modules you've already run as these can add to your results by duplicating them. De-select any you've previously run and only select new ones.

Here's a link to the Online Documentation, which is also available through the "Help" menu if your machine is Internet connected (shouldn't be, but that's a different thread).
Hoyt Harness, CFCE
Hoyt
 
Posts: 74
Joined: Thu Dec 11, 2014 4:02 am
Location: Little Rock, AR

Re: How does Autopsy know to use Sleuth Kit?

Postby robmac » Thu Oct 22, 2015 6:07 pm

I have the same question. The plugins made available on Autopsy all seem to be Java/Python plugins.
If I may add to the OP's question:

How can we select a Sleuthkit framework module for execution?

If we build our own module, where do we copy it to? (Sleuthkit modules folder? or Autopsy? path?)

Autopsy being a shell for Sleuthkit, I would imagine we should also have access to some form of pipeline or framework configuration files? This would allow us to set paths to our modules, right?

The BUILDING.txt file mentions a TSK_HOME environment, how could we set it up for use within Autopsy?
I tried setting it up as an environment variable, but no luck.

I'm running Windows 10, JDK 1.8, Autopsy 3.1.3 & Sleuthkit 4.1.3.
robmac
 
Posts: 1
Joined: Thu Oct 22, 2015 3:42 pm

