Autopsy File Extension Mismatch Module

From SleuthKitWiki

The file extension mismatch module was released with Autopsy 3.1 and detects files that may have had their extension changed to make them less obvious. Autopsy has a configuration file that maps file types to the extensions that are OK for them.
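The check described above, sketched as an added example that is not Autopsy's own code. The XML layout, the magic-number table, the function names and the sample files are all constructed for illustration; the real mismatch_config.xml and Autopsy's file-type detection may differ.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePath

# Constructed config in an assumed, simplified layout (not Autopsy's shipped file).
SAMPLE_CONFIG = """
<mismatch_config>
  <signature mimetype="image/jpeg"><ext>jpg</ext><ext>jpeg</ext></signature>
  <signature mimetype="image/png"><ext>png</ext></signature>
  <signature mimetype="application/pdf"><ext>pdf</ext></signature>
  <signature mimetype="application/zip"><ext>zip</ext><ext>docx</ext></signature>
</mismatch_config>
"""

# Small magic-number table standing in for a real file-type detector.
MAGIC = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
]

def load_allowed(xml_text):
    """Return {file type: set of lowercase extensions that are OK for it}."""
    root = ET.fromstring(xml_text)
    return {
        sig.get("mimetype"): {e.text.strip().lower() for e in sig.findall("ext") if e.text}
        for sig in root.findall("signature")
    }

def sniff(header):
    """Identify the file type from its leading bytes, or None if unrecognised."""
    return next((mime for magic, mime in MAGIC if header.startswith(magic)), None)

def check(name, header, allowed):
    """Return 'ok', 'mismatch' or 'unknown' for one file name and its first bytes."""
    mime = sniff(header)
    if mime is None or mime not in allowed:
        return "unknown"  # no signature or no rule: nothing to compare against
    ext = PurePath(name).suffix.lstrip(".").lower()
    return "ok" if ext in allowed[mime] else "mismatch"  # a missing extension also mismatches

if __name__ == "__main__":
    allowed = load_allowed(SAMPLE_CONFIG)
    samples = [  # constructed (name, header) pairs
        ("holiday.JPG", b"\xff\xd8\xff\xe0"),
        ("notes.txt", b"\xff\xd8\xff\xe0"),
        ("report.docx", b"PK\x03\x04"),
    ]
    for name, header in samples:
        print(name, check(name, header, allowed))
```
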

Adding Extensions

The UI has a panel (in Tools -> Options) to update the list of extensions. This will update a copy of the configuration file in your home directory. You can find this location by going to the Help -> About window.

To add a new extension into the official distribution, use the UI to update your copy of the file. It will be stored in a location such as "C:\Users\jdoe\AppData\Roaming\.autopsy\dev\config\mismatch_config.xml". To get it updated in the official distribution, you can do one of the following:

  • Make a fork of the GitHub repository, copy the new file into the src\org\sleuthkit\autopsy\fileextmismatch folder and submit a pull request.
  • Attach the entire mismatch_config.xml file to a GitHub issue.