sleuthkit / autopsy

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.
http://www.sleuthkit.org/autopsy/

Adding Multiple Images at Command Line #6224

Open MrChris001 opened 4 years ago

MrChris001 commented 4 years ago

Is there a way to add multiple images to Autopsy through the command line? I have tried variations of the below but with no success, whilst the documentation (http://sleuthkit.org/autopsy/docs/user-docs/4.15.0/command_line_ingest_page.html) does not, as far as I can see, provide any examples of doing this.

autopsy64.exe --createCase --caseName="MyCaseName" --caseBaseDir='C:\TMP\' --addDataSource --dataSourcePath='C:\Tools\TestEvidence\SDCard.e01' --addDataSource --dataSourcePath='C:\Tools\TestEvidence\Laptop.e01' --runIngest

Or

autopsy64.exe --createCase --caseName="MyCaseName" --caseBaseDir='C:\TMP\' --addDataSource --dataSourcePath='C:\Tools\TestEvidence\SDCard.e01' --dataSourcePath='C:\Tools\TestEvidence\Laptop.e01' --runIngest

Or

autopsy64.exe --createCase --caseName="MyCaseName" --caseBaseDir='C:\TMP\' --addDataSource --dataSourcePath='C:\Tools\TestEvidence\SDCard.e01' --runIngest --dataSourcePath='C:\Tools\TestEvidence\Laptop.e01' --runIngest

Or

autopsy64.exe --createCase --caseName="MyCaseName" --caseBaseDir='C:\TMP\' --addDataSource --dataSourcePath='C:\Tools\TestEvidence\SDCard.e01' --runIngest --addDataSource --dataSourcePath='C:\Tools\TestEvidence\Laptop.e01' --runIngest

The only time I have had success is when I have created a case and then added to the case with another command. This does not make things too easy when it comes to automation, as the newly created case has a date and time appended, so I would have to read this from the file system (it isn't output in the CLI output either) with another line or two of code rather than being able to provide the one line to ingest everything.

eugene7646 commented 4 years ago

@cvaughan79 @rcordovano Hello. Unfortunately there is no way to add several images via a single command line run. In order to add multiple images to the case you will have to do what you eventually ended up doing - create a case, and then add the images individually. For example, this is the sequence of command line calls that I have used to add 3 images to a single case:

autopsy64.exe --createCase --addDataSource --runIngest --caseName="TestSU" --caseType=single --caseBaseDir="C:\TEST\DELETE" --dataSourcePath="C:\TEST\Inputs\Small\small2.img"

autopsy64.exe --addDataSource --runIngest --caseDir="C:\TEST\DELETE\TestSU_2020_09_01_14_23_30" --dataSourcePath="C:\TEST\Inputs\fe_test_4.img"

autopsy64.exe --addDataSource --runIngest --caseDir="C:\TEST\DELETE\TestSU_2020_09_01_14_23_30" --dataSourcePath="C:\TEST\Inputs\blue_images.img"

As you pointed out, it does require navigating to the top level case directory and identifying the case output directory, which consists of the case name and a time stamp in "yyyy_MM_dd_HH_mm_ss" format. If you are using Java, you can use the following String pattern matcher to identify our time stamps:

import java.util.regex.Pattern;

// Matches the "yyyy_MM_dd_HH_mm_ss" suffix Autopsy appends to the case directory name
Pattern TIME_STAMP_PATTERN = Pattern.compile("\\d{4}_\\d{2}_\\d{2}_\\d{2}_\\d{2}_\\d{2}$");
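One way to script the sequence above end to end, as an added example that is not part of this thread or of the Autopsy project: create the case with the first image, recover the timestamped case directory from the file system using the same time stamp pattern, then add the remaining images one run at a time. It assumes autopsy64.exe is on PATH and that the case base directory is writable; the `run` parameter exists so the command sequence can be exercised without launching Autopsy.

```python
import re
import subprocess
from datetime import datetime
from pathlib import Path

# Autopsy appends a "yyyy_MM_dd_HH_mm_ss" stamp to the case name when it creates the case dir
TIME_STAMP_RE = re.compile(r"_(\d{4}_\d{2}_\d{2}_\d{2}_\d{2}_\d{2})$")
AUTOPSY_EXE = "autopsy64.exe"  # assumption: resolvable via PATH


def create_case_cmd(case_name, case_base_dir, first_image):
    """First run: create the case and ingest the first image in one invocation."""
    return [AUTOPSY_EXE, "--createCase", "--addDataSource", "--runIngest",
            f"--caseName={case_name}", "--caseType=single",
            f"--caseBaseDir={case_base_dir}", f"--dataSourcePath={first_image}"]


def add_source_cmd(case_dir, image):
    """Later runs: add one more image to the already created case directory."""
    return [AUTOPSY_EXE, "--addDataSource", "--runIngest",
            f"--caseDir={case_dir}", f"--dataSourcePath={image}"]


def find_case_dir(case_base_dir, case_name):
    """Return the newest '<case_name>_<timestamp>' directory under case_base_dir.
    The CLI does not print the directory it created, so it is recovered from disk;
    if the same case name was used before, the latest time stamp wins."""
    newest = None
    for entry in Path(case_base_dir).iterdir():
        if not entry.is_dir() or not entry.name.startswith(case_name + "_"):
            continue
        m = TIME_STAMP_RE.search(entry.name)
        if m is None:
            continue  # some other directory that merely shares the prefix
        stamp = datetime.strptime(m.group(1), "%Y_%m_%d_%H_%M_%S")
        if newest is None or stamp > newest[0]:
            newest = (stamp, entry)
    if newest is None:
        raise FileNotFoundError(f"no case directory for {case_name!r} in {case_base_dir}")
    return newest[1]


def ingest_images(case_name, case_base_dir, images, run=subprocess.run):
    """Create the case with images[0], then add every other image in its own run."""
    run(create_case_cmd(case_name, case_base_dir, images[0]), check=True)
    case_dir = find_case_dir(case_base_dir, case_name)
    for image in images[1:]:
        run(add_source_cmd(str(case_dir), image), check=True)
    return case_dir
```

Each `run` call blocks until that Autopsy invocation exits, so the images are ingested sequentially into the single case directory that the first run created.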