Generating an Annotated Features Report

From BitCurator
Jump to: navigation, search

The Annotated Features tab in the BitCurator Reporting Tool matches the "features"[1] found by bulk_extractor with their corresponding file on the disk image. This step is necessary because bulk_extractor locates features by scanning the bit stream, not the file system. The annotated features report acts as a bridge between the bulk_extractor output and the fiwalk DFXML report to create a report that not only locates a feature, but also identifies the specific file in which it can be found.

If you'd prefer following video instructions, check out the screencast version of this tutorial in our video gallery.

Generating an Annotated Features Report

Step 1

Open the BitCurator Reporting Tool by double clicking on the "Forensics Tools" folder on the BitCurator desktop and then double clicking on the "BitCurator Reporting Tool" icon.

Step 2

Once the BitCurator Reporting Tool finishes opening, choose the "Annotated Features" tab in the options along the top (see Figure 1).

Step 3

Type or navigate to the location of the following files or directories (see Figure 1):

  • Image File: The location of the forensics disk image being analyzed.
  • Bulk Extractor Feature Directory: The directory containing the bulk_extractor results corresponding to the disk image above.
  • Annotated Feature Files Directory (new): A new directory the BitCurator Reporting Tool will create to contain the annotated features report you are currently generating. Note: if you use the navigation button to choose this directory, type the name of the new directory in the "Name:" field on the top left of the window. Do not use the "Create Folder" button on the right to create this new directory (see Figure 2).
  • Bulk Extractor Python Directory (optional): location of any additional python scripts--generally left blank
Figure 1: The Annotate Features tab in the BitCurator Reporting Tool.
Figure 2: Type the name of the new directory in the "Name" field.

Step 4

Once each of the file and directory fields above are properly filled out, click the "Run" button. The activity bar on the bottom left will indicated the annotation process is still ongoing. Once complete, a success or error message will appear in the "Command Line Output" window (see Figure 3).

Figure 3: The annotated features report has been successfully created.

Notes

  1. Bulk_extractor uses the term "feature" to describe any items it finds while scanning a disk image. A social security number or email address would be examples of a bulk_extractor feature. See this page for more information on what features bulk_extractor can locate.