Who puts what where?

I ran Autopsy against a USB stick I had… it had a few files, a few images, and one jpg image I renamed renamedjpg.dat

In the output, it listed under “Extracted Content”, a “User Content Suspected” branch. I searched everywhere both in the docs, and generally online, for this, but could not find an explanation of what this means… what is “Suspected”. I then figured there ought to be a way to see what Ingest module was responsible for what “Extracted Content” but could not find that either.

  1. What is “User Content Suspected”?
  2. Which Ingest Module put it there?
  3. A pointer to the documentation for #1?

Thanks,

Mitch

You can see what module created any result by selecting it and then going to the “Results” tab (this should have been automatically selected for User Content Suspected results). If you have a slightly older version of Autopsy it’ll say “EXIF Parser” instead - the module was recently renamed.

For User Content Suspected results, the “comment” field gives a short description of why it may be user created. In this case it is because the image contains EXIF metadata. There isn’t any further documentation on this.
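To illustrate the reply above, here is an added example (not part of the thread and not Autopsy's own code) of how a tool can recognise a JPEG by its signature rather than its file name and test whether it carries an EXIF segment. The function names and sample bytes are constructed for illustration; only the file name renamedjpg.dat comes from the question.

```python
import struct

def segment(marker: int, payload: bytes) -> bytes:
    """Build one JPEG marker segment (used only for the constructed samples)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

def jpeg_has_exif(data: bytes) -> bool:
    """True if data is a JPEG by signature and has an APP1 segment holding EXIF."""
    if data[:2] != b"\xff\xd8":              # SOI marker; the extension is ignored
        return False
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:                # lost marker sync: malformed file
            return False
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill byte before a marker
            pos += 1
            continue
        if marker in (0xD9, 0xDA):           # EOI or start of scan: headers are over
            return False
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # markers without a length
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:                       # length field counts its own two bytes
            return False
        payload = data[pos + 4:pos + 2 + length]
        # APP1 is shared by EXIF and XMP; the identifier tells them apart.
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return True
        pos += 2 + length
    return False

# Constructed sample inputs (minimal headers, no image data).
JFIF = segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
EXIF = segment(0xE1, b"Exif\x00\x00" + b"II*\x00\x08\x00\x00\x00\x00\x00")
XMP = segment(0xE1, b"http://ns.adobe.com/xap/1.0/\x00<x/>")
SAMPLES = {
    "renamedjpg.dat": b"\xff\xd8" + JFIF + EXIF + b"\xff\xd9",  # JPEG with EXIF
    "plain.jpg": b"\xff\xd8" + JFIF + XMP + b"\xff\xd9",        # JPEG, XMP only
    "notes.jpg": b"PK\x03\x04 not a jpeg",                      # wrong signature
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: EXIF present = {jpeg_has_exif(blob)}")
```
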

Thanks for replying. I guess I was more confused by the fact that it refers to EXIF data as “User Content”, although I know that programs such as exiftool do allow you to modify the EXIF data.

I am such a noob that I just have some USB sticks to look at, but soon I hope to get an old PC disk that I have, and also go to the NIST website where it says there are test images for learning DFIR.

Thanks,

Mitch