sleuthkit / autopsy

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.
http://www.sleuthkit.org/autopsy/

Change display name of datasource #4793

Open arruw opened 5 years ago

arruw commented 5 years ago

Is it possible to change the display name of a data source?

I would like to have a more descriptive name. I could probably just rename the file and re-create the case, but I don't want to do that, since ingestion takes really long.

arruw commented 5 years ago

I tried to rename disk_0.vmdk to something like somename_0.vmdk, but after that I couldn't add the disk as a data source?

I calculated the sha512 and the hash was still the same.


bcarrier commented 5 years ago

The backend concept exists to change the display name for your exact use case. We just didn't yet add the ability for a user to do it from the UI (we have some modules that do it when a data source is added). We'll try to add a right click option for the next release.

arruw commented 5 years ago

@bcarrier Do you maybe have some idea about what happened in my second comment?

bcarrier commented 5 years ago

Not sure. If you rename it back, does it work?

arruw commented 5 years ago

@bcarrier If I remember correctly it doesn't; however, sha256 was still the same, hm?

rcordovano commented 5 years ago

@matjazmav, I may be misunderstanding, but the hash of a file is independent of the file name.

Autopsy uses libvmdk to open and process VMware data sources - perhaps there is something in the file format that references the file name? I do not know anything about vmdk format files, but I am with @bcarrier, wondering if you can ingest the file successfully if you restore its name.

arruw commented 5 years ago

@rcordovano I just tried again; after renaming it back to the original name, the image can be added as a data source. logs.zip

APriestman commented 5 years ago

I ran a test on a single-file vmdk and it seemed to work fine after renaming. I did notice that the file name is stored inside the vmdk (it's in a block starting at byte 0x200) but it doesn't seem to be causing problems.

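The file name stored at byte 0x200 that the last comment mentions can be read out and compared with what is on disk. The following is an added example, not code from this thread, Autopsy or libvmdk: it assumes the VMDK sparse extent header layout (magic `KDMV`, descriptor offset and size in sectors at byte 28) and the usual extent line syntax in the descriptor; `build_sample` produces a constructed image, and `MAX_DESC_SECTORS` is an arbitrary sanity bound.

```python
import os
import re
import struct

SECTOR = 512
MAX_DESC_SECTORS = 2048  # sanity bound for untrusted header values (assumption)
# Extent lines look like: RW 2048 SPARSE "disk_0.vmdk"
EXTENT_RE = re.compile(r'^(?:RW|RDONLY|NOACCESS)\s+\d+\s+\w+\s+"([^"]+)"', re.M)

def read_descriptor(fh) -> str:
    """Return descriptor text from a sparse extent or a text descriptor file."""
    head = fh.read(SECTOR)
    if len(head) >= 44 and head[:4] == b"KDMV":
        # descriptorOffset and descriptorSize (in sectors) sit at byte 28,
        # after magic, version, flags, capacity and grainSize (little-endian).
        desc_off, desc_size = struct.unpack_from("<QQ", head, 28)
        if desc_off == 0 or not 0 < desc_size <= MAX_DESC_SECTORS:
            raise ValueError("no usable embedded descriptor")
        fh.seek(desc_off * SECTOR)
        raw = fh.read(desc_size * SECTOR)
    elif head.lstrip().startswith(b"# Disk DescriptorFile"):
        raw = head + fh.read(MAX_DESC_SECTORS * SECTOR)
    else:
        raise ValueError("not a VMDK sparse extent or descriptor file")
    # The descriptor region is NUL-padded; keep only the text part.
    return raw.split(b"\x00", 1)[0].decode("utf-8", "replace")

def extent_names(fh) -> list:
    """File names listed on the descriptor's extent lines, in order."""
    return EXTENT_RE.findall(read_descriptor(fh))

def missing_extents(path: str) -> list:
    """Referenced extent names that do not exist next to `path`."""
    folder = os.path.dirname(os.path.abspath(path))
    with open(path, "rb") as fh:
        names = extent_names(fh)
    return [n for n in names if not os.path.exists(os.path.join(folder, n))]

def build_sample(name: str) -> bytes:
    """Constructed sample: sparse header with the descriptor at sector 1 (0x200)."""
    desc = ('# Disk DescriptorFile\nversion=1\ncreateType="monolithicSparse"\n'
            f'RW 2048 SPARSE "{name}"\n').encode()
    header = struct.pack("<4sIIQQQQ", b"KDMV", 1, 3, 2048, 128, 1, 20)
    return header.ljust(SECTOR, b"\x00") + desc.ljust(20 * SECTOR, b"\x00")
```

A non-empty result from `missing_extents` only shows that the descriptor names a file that is not present beside the image; whether a given reader refuses the image because of that depends on the reader. The check reads the image without modifying it, so hashes are unaffected.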