Autostart image analysis when imaging is completed

With TaskForce 2, you can track the status of the started imaging sessions using /check-task API request. It reports the imaging progress enabling you (or your code) to notice when the task gets completed. Once this notification is received, it makes perfect sense to automatically start the forensic analysis of the target image.

Powershell script below shows how one can create this kind of automation flow:

Start imaging a source drive on TaskForce SATA port 4 to the target folder \\Vitaliy\Share.
Wait for imaging completion using /check-task.
Launch Autopsy Ingest via command-line when the target image is ready.

Important: Instead of Autopsy, you are free to use any Magnet Forensics products, X-Ways Forensics, or any other forensic analysis toolkit that supports console launch with arguments.


try {
    $r = Invoke-WebRequest "http://10.0.0.65/api/start-image?source=SATA4&targetFolder=\\Vitaliy\Share"
}
catch {
    Write-Output "$($_.Exception.Message)"
    exit $_.Exception.Response.StatusCode
}

$taskKey = $r.Content
do {
    $check = (Invoke-WebRequest "http://10.0.0.65/api/check-task?taskKey=$taskKey").Content | ConvertFrom-Json
    Start-Sleep -s 1
} while ($check.state -eq "progress")

$windowsPath = "C:\Share\" + ($check.target -replace '[\/]', '\' | Split-Path -leaf)
$caseName = "Case123"
$autopsyArguments = '" --createCase --caseName="' + $caseName + ' --caseBaseDir="C:\Work\Cases"' 
                  + ' --addDataSource --dataSourcePath="' + $windowsPath + '" --runIngest --generateReports' 

Start-Process -FilePath "C:\Program Files\Autopsy\bin\autopsy64.exe" -ArgumentList $autopsyArguments

The script works in Windows with Powershell. To run it, please perform the following actions:

Install Autopsy.
Create C:\Share folder.
Save the script into image.ps1 file.
Replace 10.0.0.65 with IP address of your TaskForce 2.
Replace \\Vitaliy\Share with your shared network folder path.
Execute the script in the console: powershell -ExecutionPolicy ByPass -File image.ps1.

Autopsy Ingest v4.11 does not work with network file paths from the command line. That’s why this example shows a shared folder located at PC where PowerShell script is executed. Therefore \\Vitaliy\Share points to C:\Share folder.

For more information about these and other commands, see API specification that we made available to public.