Autopsy 3 Design

From SleuthKitWiki
Revision as of 13:48, 25 October 2011 by Carrier (Talk | contribs)

Jump to: navigation, search

Nodes

Autopsy 3 uses NetBeans Nodes to pass data around. The Sleuth Kit comes with Java datamodel classes in org.sleuthkit.datamodel and it contains classes for files, directories, file systems, volumes, and other data types that can be found in a disk image. These classes are not NetBeans specific.

The org.sleuthkit.autopsy.datamodel package contains classes that are NetBeans-specific and map to classes in the Sleuth Kit datamodel. For example org.sleuthkit.autopsy.datamodel.DirectoryNode is the Node class for the org.sleuthkit.datamodel.Directory class.

See the JavaDocs for the org.sleuthkit.autopsy.datamodel for more details (ADD LINK WHEN IT IS POSTED)

Autopsy Zones

There are three major zones in the Autopsy UI. The left hand side has the Data Explorer area. This area is where you can search for data. It has all of the analysis smarts. An example of a data explorer is the Directory tree that shows the hierarchy of directories (and hides the files from view).

The Data Explorer area identifies a subset of the data to show the user and passes the data to the Data Results area in the upper right. In the previous example, the contents of a specific folder would be passed to this area and displayed in a table or thumbnail form.

When a file or object is selected in the Data Results area, it is passed to the Data Content zone in the lower right. This is where file content can be viewed in hex form, strings, etc.

Data Flow

Creating Nodes in DataExplorer

The data explorer modules create the NetBeans nodes. They query the SQLite database or do whatever they want to identify the set of files that are of interest. They create the NetBeans nodes based on Sleuthkit data model objects.

Getting Nodes to DataResult

Each Data Explorer TopComponent is responsible for creating its own Data Result TopComponent to display its results. It can choose to re-use the same TopComponent for multiple searches (as DirectoryTree does) or it can choose to make a new one each time (as FileSearch does). The setNode() method on the DataResult object is used to set the root node to display. A dummy root node must be created as the parent if a parent does not already exist.

NEED TO ADD INFO ABOUT SETTING ACTIONS

Getting Nodes to DataContent