Autostart image analysis when imaging is completed

With TaskForce, you can track the status of the started imaging sessions using /check-task API request. It reports the imaging progress enabling you (or your code) to notice when the task gets completed. Once this notification is received, it makes perfect sense to automatically start the forensic analysis of the target image.

Powershell script below shows how one can create this kind of automation flow:

  1. Start imaging a source drive on TaskForce SATA port 4 to the target folder \\Vitaliy\Share.
  2. Wait for imaging completion using /check-task.
  3. Launch Autopsy Ingest via command-line when the target image is ready.

try {
    $r = Invoke-WebRequest "\\Vitaliy\Share"
catch {
    Write-Output "$($_.Exception.Message)"
    exit $_.Exception.Response.StatusCode

$taskKey = $r.Content
do {
    $check = (Invoke-WebRequest "$taskKey").Content | ConvertFrom-Json
    Start-Sleep -s 1
} while ($check.state -eq "progress")

$windowsPath = "C:\Share\" + ($ -replace '[\/]', '\' | Split-Path -leaf)
$caseName = "Case123"
$autopsyArguments = '" --createCase --caseName="' + $caseName + ' --caseBaseDir="C:\Work\Cases"' 
                  + ' --addDataSource --dataSourcePath="' + $windowsPath + '" --runIngest --generateReports' 

Start-Process -FilePath "C:\Program Files\Autopsy\bin\autopsy64.exe" -ArgumentList $autopsyArguments

The script works in Windows with Powershell. To run it, please perform the following actions:

  1. Install Autopsy.
  2. Create C:\Share folder.
  3. Save the script into image.ps1 file.
  4. Replace with IP address of your TaskForce.
  5. Replace \\Vitaliy\Share with your shared network folder path.
  6. Execute the script in the console: powershell -ExecutionPolicy ByPass -File image.ps1.

For more information about these and other commands, see API specification that we made available to public.

Back to Manual start page