Personas Assistance

Hi guys, I am trying to understand the personas function within Autopsy.

I can see when you add an account it has a type field where you stipulate if it is credit card, username, email etc. If I understand it correctly, the WhatsApp or app-based details will only appear if you have processed a mobile device, not through detecting a local ADB backup on the image or iPhone backup on the image.

But how does website work? I have checked in the data and I can see access to bad-site.com in the keyword search result for URLs and it displays in the recent activity results for web history. But if I try to add this as a persona selecting website, I get no hits.

I think I might have this function wrong, hoping someone can set it straight.

Hi! A persona needs to have at least one account associated. The easiest way to see a list of accounts is to either look in the Autopsy tree Data Artifacts->Communication Accounts or to open the Communications window.

Do you see the website or an account associated with the website in the list of accounts?

Thanks for the quick reply. I think I may have misinterpreted what this feature was for. I can see you can add an account of type website into Autopsy and you can add an identity of type website, but it is not reviewing the internet history logs. It has to be an account, so I am guessing that is pulled from Chrome login data etc.?

Honestly, I don’t use it that much. But, for example, if you import emails (or if emails are parsed from your data source) you can assign persona to this data. You can also associate personas to data sources.

I’ve never known it to pull persona data from Chrome data, only from WhatsApp, phone data (messages, calls, contacts) or emails.

I suppose you have already read the documentation.

Not sure if the above helps at all.

Hi Nika,

Thanks for that, yep I had gone through the docs. Just hadn't found what I was looking for. I can see once I have run the correct modules Autopsy has pulled account information out of login data from Chrome. So that's fine.

What I am curious about is some of the data retrieved is labeled web account (for obvious reasons); expanding this we have the username, the domain and URL for the account hit.

My assumption is that this would be stored as an account within the central repository, but if I try and add a new person using type website with either the URL or the domain, Autopsy reports no hit. If I try the name listed in the username field (i.e. username or email), Autopsy reports no hit.

Checking the database itself, it looks like no data for the discovered web accounts has been pushed to the database.

I am really confused how that feature is meant to work.