Output Specs

From EMK Wiki
Revision as of 08:59, 13 November 2012 by Sisep (talk | contribs)
Jump to navigation Jump to search
Example OutputSpec Window

An Output specification (OS) Resource allows you to define custom Reports in a tabular form using Run Output data. Reports generated using OS Resources are in text based, comma separated (csv) form.


The Output Specs window has the following components:

  • The 'OS Details Box:' Used to identify (Name) and describe (Description) the OS Resource.
  • Two 'Formatting Check Boxes:' Repeat Column headings and Repeat Row headings - which determine whether the parent column and row headings appear once per column or row (Boxes unchecked), or for every column and row of the columns they apply to (Boxes checked) respectively.
  • The 'OS Partition Box:' Specifies how the results data will be summarised and presented.

Note: OS Reports can be produced from previously generated data from the 'Results window' or 'Results Menu'.

The Output Specs Details Box

OS Details Box Fields

Name OS Resource name - used to reference the OS in other Resources.
Description Free text field for supplementary information.'
Prefilters specifies a date range that the OS will only process data for - this allows the OS to be used on multiple Results sets covering disparate date ranges and only extract results for a common period.

Formatting Check Boxes

The Formatting Check Boxes are used to control the output of headers in columns and rows in the output. If the OS Resource is used when both boxes are left unchecked, then a heading only appears once in the output. For example a parent row heading will only appear with the first child row heading as in the table below:

Parent Row Heading 1 Child Row Heading 1
Child Row Heading 2
Child Row Heading 3
Parent Row Heading 2 Child Row Heading 1
Child Row Heading 2
Child Row Heading 3

Running the same OS with the 'Repeat Row Headings' box checked would produce a heading configuration as below:

Parent Row Heading 1 Child Row Heading 1
Parent Row Heading 1 Child Row Heading 2
Parent Row Heading 1 Child Row Heading 3
Parent Row Heading 2 Child Row Heading 1
Parent Row Heading 2 Child Row Heading 2
Parent Row Heading 2 Child Row Heading 3

Note: Repeating the headers is useful for automatic post-processing and when viewing large output files with multiple row partitions.


Output Specification Partitions

An Output Specification Partition is a concept used in structuring the contents of a Report. Partitions are user-defined and must be one of the following types:

Partitions Type Purpose
Entity Describes type of data in the results set that is to be processed with the OS.
Function Describes the processing to be carried out on the data defined by an Entity partition.
Version Allows Output to be broken down by versions in the Volatility Matrix.
Date/Time Allows data to be aggregated by specified time periods.

Partitions can be applied to both columns and rows as they appear in the Output. Column Partitions determine which data that will appear in the Output summary. The contents of a column are described by two characteristics:

  1. The data element (Entity.Trait)
  2. The function to be applied to the data element

All Entity.Traits can be processed in an OS Report, provided they were output by the Run to the Results Database.

Warning: Only Results data that has been associated with a defined Entity Partition can appear in the Output. Partitions can be nested inside each other to provide lower levels of detail.



Back to Outputs