Sorting files

Inspecting the metadata of each file individually may not be practical with large evidence files. In such cases, the FILE TYPE feature can be used. This feature allows for the examination of existing (allocated), deleted (unallocated), and hidden files. Click on the FILE TYPE tab to continue:

Click Sort files into categories by type (leave the default-checked options as they are) and then click OK to begin the sorting process:

Once sorting is complete, a results summary is displayed. In the following snippet, we can see that there are five Extension Mismatches:

To view the sorted files, we must manually browse to the location of the output folder, as Autopsy 2.4 does not support viewing of sorted files. To reveal this location, click on View Sorted Files in the left pane:

The output folder location will vary depending on the information specified by the user when first creating the case, but can usually be found at /var/lib/autopsy/<case name>/<host name>/output/sorter-vol#/index.html.

Once the index.html file has been opened, click on the Extension Mismatch link:

The five listed files with mismatched extensions should be further examined by viewing metadata content, with notes added by the investigator.
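The following Python example is added here for illustration and is not Autopsy's own code. It shows the kind of comparison behind an extension-mismatch result: a file's leading bytes are matched against a signature table and the result is compared with the extension in the file name. The signature table, the function names check and scan_tree, and the sample files are all constructed assumptions.

```python
import os

# Constructed, deliberately small signature table (an assumption for this
# example, not Autopsy's own): (magic bytes, type label, accepted extensions)
SIGNATURES = [
    (b"\xff\xd8\xff", "JPEG image", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "PNG image", {".png"}),
    (b"%PDF-", "PDF document", {".pdf"}),
    (b"PK\x03\x04", "ZIP container", {".zip", ".docx", ".xlsx", ".jar"}),
    (b"MZ", "DOS/Windows executable", {".exe", ".dll", ".sys"}),
]
KNOWN_EXTS = set().union(*(exts for _, _, exts in SIGNATURES))

def check(name, header):
    """Return a mismatch description, or None when name and content agree."""
    ext = os.path.splitext(name)[1].lower()
    if not header:
        return None  # empty file: nothing to compare
    for magic, label, exts in SIGNATURES:
        if header.startswith(magic):
            # Content identified: the extension must be one accepted for it.
            if ext in exts:
                return None
            return f"content is {label}, extension is {ext or '(none)'}"
    # Content unidentified: flag only if the extension promises a known type.
    if ext in KNOWN_EXTS:
        return f"extension {ext} claims a known type, header matches none"
    return None

def scan_tree(root):
    """Yield (path, reason) for each mismatched file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    reason = check(fn, fh.read(16))
            except OSError:
                continue  # unreadable entry: skip rather than abort the sweep
            if reason:
                yield path, reason

# Constructed samples: (file name, first bytes of content)
SAMPLES = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0"), ("notes.txt", b"\xff\xd8\xff\xe1"),
    ("invoice.pdf", b"MZ\x90\x00"), ("logo.png", b"hello world"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(name, "->", check(name, head) or "ok")
```

To sweep files that have been exported from an image, call scan_tree on the export directory and record each returned reason in the case notes.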
