AUTOPSY(1)		    General Commands Manual		    AUTOPSY(1)

NAME
       autopsy - Autopsy Forensic Browser

SYNOPSIS
       autopsy [-c] [-C] [-d evid_locker] [-i device filesystem mnt]
       [-p port] [addr]

DESCRIPTION
       By default, autopsy starts the Autopsy Forensic Browser server on port
       9999 and accepts connections from the localhost.  If -p port is given,
       then the server opens on that port, and if addr is given, then
       connections are only accepted from that host.  When the -i argument is
       given, autopsy goes into live analysis mode.

       The arguments are as follows:

       -c     Force the program to use cookies even for localhost.

       -C     Force the program to not use cookies even for remote hosts.

       -d evid_locker
              Directory where cases and hosts are stored.  This overrides the
              LOCKDIR value in conf.pl.  The path must be a full path (i.e.
              start with /).

       -i device filesystem mnt
              Specify the information for the live analysis mode.  This can be
              specified as many times as needed.  The device field is for the
              raw file system device, the filesystem field is for the file
              system type, and the mnt field is for the mounting point of the
              file system.

       -p port
              TCP port for server to listen on.

       addr   IP address or host name where the investigator is located.  If
              localhost is used, then 'localhost' must be used in the URL.  If
              you use the actual hostname or IP, it will be rejected.

       When started, the program will display a URL to paste into an HTML
       browser.  The browser must support frames and forms.  The Autopsy
       Forensic Browser allows an investigator to analyze images generated
       by dd(1) for evidence.  The program allows the images to be analyzed by
       browsing files, blocks, inodes, or by searching the blocks.  The
       program also generates Autopsy reports that include collection time,
       investigator's name, and MD5 hash values.

VARIABLES
       The following variables can be set in conf.pl.

       USE_STIMEOUT
              When set to 1 (default is 0), the server will exit after
              STIMEOUT seconds of inactivity (default is 3600).  This setting
              is recommended if cookies are not used.
       BASEDIR
              Directory where cases and forensic images are located.  The
              images must have simple names with only letters, numbers, '_',
              '-', and '.'.  (See FILES).
       TSKDIR
              Directory where The Sleuth Kit binaries are located.
       NSRLDB
              Location of the NIST National Software Reference Library (NSRL).
       INSTALLDIR
              Directory where Autopsy was installed.
       GREP_EXE
              Location of grep(1) binary.
       STRINGS_EXE
              Location of strings(1) binary.
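
       The -d and BASEDIR rules above (a full path for the evidence locker;
       image names limited to letters, numbers, '_', '-' and '.') can be
       checked before the server is started.  The script below is an added
       example, not part of Autopsy or of this manual page; the function
       names and the script name preflight.sh are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks for the path and naming rules stated in
# this manual page. All function names are hypothetical, not Autopsy's own.
LC_ALL=C; export LC_ALL   # make the A-Z / a-z / 0-9 ranges plain ASCII

# Succeeds only for a full path (starts with /) to an existing directory,
# as required for the -d evid_locker argument.
valid_locker() {
    case "$1" in
        /*) [ -d "$1" ] ;;
        *)  return 1 ;;
    esac
}

# Succeeds only if the name is non-empty and made up solely of letters,
# numbers, '_', '-' and '.'.
valid_image_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Prints the name of every regular file in directory $1 that breaks the
# naming rule; returns non-zero if at least one was found.
bad_image_names() {
    dir=$1
    bad=0
    for path in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$path" ] || continue      # skips unmatched globs and subdirs
        name=${path##*/}
        if ! valid_image_name "$name"; then
            printf '%s\n' "$name"
            bad=1
        fi
    done
    return "$bad"
}

# Script use: preflight.sh <evid_locker> <image_directory>
if [ "$#" -eq 2 ]; then
    valid_locker "$1" || { echo "locker must be an existing full path" >&2; exit 2; }
    bad_image_names "$2" >&2 || { echo "rename the files listed above" >&2; exit 3; }
fi
```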

FILES
       Evidence Locker
              The Evidence Locker is where all cases and hosts will be saved.
              It is a directory that will have a directory for each case.
              Each case directory will have a directory for each host.

       _CASE_DIR_/case.aut
              This file is the case configuration file for the case.  It
              contains the description of the case and default subdirectories
              for the hosts.

       _CASE_DIR_/investigators.txt
              This file contains the list of investigators that will use this
              case.  These are used for logging only, not authentication.

       _HOST_DIR_/host.aut
              This file is where the host configuration details are saved.  It
              is similar to the 'fsmorgue' file from previous versions of
              Autopsy.  It has an entry for each file in the host and contains
              the host description.

       md5.txt
              Some directories will have this file in them.  It contains MD5
              values for important files in the directory.  This makes it easy
              to validate the integrity of images.

EXAMPLE
       # ./autopsy -p 8888 10.1.34.19

SEE ALSO
       dd(1), fls(1), ffind(1), ifind(1), grep(1), icat(1), md5(1), strings(1)

REQUIREMENTS
       The Autopsy Forensic Browser requires The Sleuth Kit
       <www.sleuthkit.org/sleuthkit>

HISTORY
       autopsy first appeared in Autopsy v1.0.

LICENSE
       This software is distributed under the GNU Public License.

AUTHOR
       Brian Carrier <carrier at sleuthkit dot org>

       Send documentation updates to <doc-updates at sleuthkit dot org>

User Manuals			   MAR 2005			    AUTOPSY(1)
