sleuthkit-developers — A list to discuss development of new features of The Sleuth Kit and Autopsy

[sleuthkit-developers] Best method of Contact?

[Tom <cam...@pr...>]

Hi,

I'm wondering what the best method of contact is for Autopsy/Sleuthkit Development?

This is because issues aren't answered on GitHub, the forum etc..

Tom

Sent with [Proton Mail](https://proton.me/) secure email.

[sleuthkit-developers] Questions about module development in Jython

[Labis A. <lab...@pr...>]

Hello,

recently I've started working on making a module for Autopsy in Jython. Currently I am trying to setup a development environment, but without any success.
Following the instructions from the official docs suggesting netbeans and intellij setup, I found them rather outdated.(ex. broken link for netbean's python plugin)
At some point I managed to setup an environment in Eclipse and to successfully add the java libraries from "autopsy/modules" directory but I still had issues importing some libraries from org.sleuthkit.datamodel (importerror: no module datamodel found). Looking into the jar files found in modules directory I didn't find any org.sleuthkit.datamodel package.

Thus, I'd like to ask a few questions:

1. Are there any more up-to-date instructions about how to setup such an environment ?
2. Would it be better to develop in Java ? (Jython seems quite obscure, unless I could set it up right ?)

Any help would be much appreciated. Thank you.

Labis Anargyrou

[sleuthkit-developers] Is Sleuthkit unmaintained?

[Joachim M. <joa...@gm...>]

Who is maintaining the Sleuthkit projects? From the changes in the github
repo changes are being made but it does not look like anyone is addressing
the list of growing issue on the issue tracker.

Should I consider Sleuthkit to be unmaintained?

Re: [sleuthkit-developers] [Sleuth Kit - APFS Filesystem] How to dump from APFS file system to POOL image?

[Hin-Tak L. <ht...@us...>]

 

    On Thursday, 16 July 2020, 09:51:06 GMT+1, 김형찬 <hj1...@aj...> wrote:  
 
 > Very special thanks for your detailed reply.

> As advised, I tried using the dd command.

> There are cases where diskNsM cannot be dumped due to permission issues.

> Also, when the diskNsM dump image is tested on the TSK, it outputs that the file system cannot be determined.

> When I check the raw values, both /dev/diskN image and /dev/diskNsM image start with the apfs_nx_superblock structure implemented in TSK.

> However, on TSK, both images error message that the file system type error cannot be determined.

> I want to know how to create a pool type image to test TSK-APFS

> I look forward to answer.

The permission issue is just standard FAQ - you need admin privilege to do any low-level operations.
You should try fsstat. Also, are you not running the option wrongly? It is "-f apfs" (and "-f list" to get a list). And what version of sleuthkit are you using?

  

Re: [sleuthkit-developers] [Sleuth Kit - APFS Filesystem] How to dump from APFS file system to POOL image?

[김형찬 <hj1...@aj...>]

Very special thanks for your detailed reply.

As advised, I tried using the dd command.

There are cases where diskNsM cannot be dumped due to permission issues.

Also, when the diskNsM dump image is tested on the TSK, it outputs that the
file system cannot be determined.

When I check the raw values, both /dev/diskN image and /dev/diskNsM image
start with the apfs_nx_superblock structure implemented in TSK.

However, on TSK, both images error message that the file system type error
cannot be determined.

I want to know how to create a pool type image to test TSK-APFS

I look forward to answer.

2020년 7월 16일 (목) 오전 6:02, Hin-Tak Leung <hin...@ya...>님이 작성:

>
>
> On Wednesday, 15 July 2020, 09:05:16 BST, 김형찬 via sleuthkit-developers <
> sle...@li...> wrote:
>
> > The first method is to create a partition using macOS's basic disk
> utility, add a volume to the partition, and then use the dd command.
>
> > The second method used the dd command after creating the volume using
> macOS' basic disk utility.
>
> > However, these methods output an error message that the file system type
> error cannot be determined.
>
> > I want to see how to create a pool type image to test TSK-APFS.
>
> > I am waiting for answer.
>
> I am quite sure that you are running dd wrongly - you are dd'ing the whole
> disk (which includes the partition table at the beginning) instead of the
> apfs formatted partition; also historically, apple's formatting utlity puts
> a "driver" partition in front too. So you need to make sure that you are
> dd'ing the correct device. You need to add "sM" to the end of your device,
> to get at the patitions e.g. "/dev/diskNsM" , where N is the disk number
> and M is the partition number.
>

Re: [sleuthkit-developers] [Sleuth Kit - APFS Filesystem] How to dump from APFS file system to POOL image?

[Hin-Tak L. <ht...@us...>]

 On Wednesday, 15 July 2020, 09:05:16 BST, 김형찬 via sleuthkit-developers <sle...@li...> wrote:

> The first method is to create a partition using macOS's basic disk utility, add a volume to the partition, and then use the dd command.

> The second method used the dd command after creating the volume using macOS' basic disk utility.

> However, these methods output an error message that the file system type error cannot be determined.

> I want to see how to create a pool type image to test TSK-APFS.

> I am waiting for answer.


I am quite sure that you are running dd wrongly - you are dd'ing the whole disk (which includes the partition table at the beginning) instead of the apfs formatted partition; also historically, apple's formatting utlity puts a "driver" partition in front too. So you need to make sure that you are dd'ing the correct device. You need to add "sM" to the end of your device, to get at the patitions e.g. "/dev/diskNsM" , where N is the disk number and M is the partition number.  

Re: [sleuthkit-developers] [Sleuth Kit - APFS Filesystem] How to dump from APFS file system to POOL image?

[Hin-Tak L. <hin...@ya...>]

 

On Wednesday, 15 July 2020, 09:05:16 BST, 김형찬 via sleuthkit-developers <sle...@li...> wrote:

> The first method is to create a partition using macOS's basic disk utility, add a volume to the partition, and then use the dd command.

> The second method used the dd command after creating the volume using macOS' basic disk utility.

> However, these methods output an error message that the file system type error cannot be determined.

> I want to see how to create a pool type image to test TSK-APFS.

> I am waiting for answer.

I am quite sure that you are running dd wrongly - you are dd'ing the whole disk (which includes the partition table at the beginning) instead of the apfs formatted partition; also historically, apple's formatting utlity puts a "driver" partition in front too. So you need to make sure that you are dd'ing the correct device. You need to add "sM" to the end of your device, to get at the patitions e.g. "/dev/diskNsM" , where N is the disk number and M is the partition number.  

[sleuthkit-developers] [Sleuth Kit - APFS Filesystem] How to dump from APFS file system to POOL image?

[김형찬 <hj1...@aj...>]

I am a researcher at ICS Lab, Ajou University in South Korea.

I'm publishing papers with dfrws for forensic research for 2019 and 2020
and I'm interested in using tsk.

I am currently testing APFS, and I have a question on how to create a pool
type image.

I tried to create an APFS file system using two methods and then create an
image using the dd command.

The first method is to create a partition using macOS's basic disk utility,
add a volume to the partition, and then use the dd command.

The second method used the dd command after creating the volume using
macOS' basic disk utility.

However, these methods output an error message that the file system type
error cannot be determined.

I want to see how to create a pool type image to test TSK-APFS.

I am waiting for answer.

Re: [sleuthkit-developers] Documentation relating to AbstractFile

[Derrick K. <dk...@gm...>]

Hello.

Can you provide the page and the link that was failing? Was it the
link off of this tutorial page?

  https://www.autopsy.com/python-autopsy-module-tutorial-2-the-data-source-ingest-module/

If so, is this the documentation you are looking for?

  http://sleuthkit.org/sleuthkit/docs/jni-docs/4.3/classorg_1_1sleuthkit_1_1datamodel_1_1_abstract_file.html

Derrick

On Thu, Jun 4, 2020 at 3:28 AM Chris Sabine
<sab...@gm...> wrote:
>
> Hello,
>
> I'm getting started writing a python module for autopsy, and I'm looking for documentation relating to org.sleuthkit.datamodel.AbstractFile - there is a link in the example code but it just returns a 404 error. Anyone able to advise?
>
> Kind regards,
> Chris
> _______________________________________________
> sleuthkit-developers mailing list
> sle...@li...
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers

[sleuthkit-developers] Documentation relating to AbstractFile

[Chris S. <sab...@gm...>]

Hello,

I'm getting started writing a python module for autopsy, and I'm looking
for documentation relating to org.sleuthkit.datamodel.AbstractFile - there
is a link in the example code but it just returns a 404 error. Anyone able
to advise?

Kind regards,
Chris

[sleuthkit-developers] Framework

[Brian C. <ca...@sl...>]

Is anyone out there using the C/C++ TSK framework?  We've been saying for a
while that we should kill it since all of our efforts are now going into
the Autopsy-based frameworks.

It is about to be deleted from the effort since no code changes have been
made in 7 years!

If you are using it, let me know.

[sleuthkit-developers] Adding Timeline Events for custom ARTIFACT_TYPE

[Dennis K. <inf2060@HS-Worms.DE>]

Hello together,

I am currently trying to modify some plugins to post to the timeline. 
One example is the windows internals plugin by Marc McKinnon 
(https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Windows_Internals). 
For example you could add an event to the timeline for every execution 
of a .exe found in a prefetch file. The way I managed to add an event to 
the timeline is by creating a second artifact of type TSK_TL_EVENT and 
posting it separately, since it seems that only certain artifact types 
get automatically converted into an event (due to their capability of 
generating the description and determining the TimeLineEventType). How 
could you create an event for a custom artifact type so that you can 
right click the event in the normal browser, hit "Show Results in 
Timeline..." and see them from there. Best would be without modification 
of TSK or Autopsy themselves, just by using the plugin.

Best Regards,

Dennis

[sleuthkit-developers] Forensic Image acquisition for Solaris

[Rock M. <am...@gm...>]

Hi Team,
I have a challenge in performing forensic image acquisition of a system
that is configured as; Solaris with Oracle operating system. it's a
supercluster box(M8-8) database server.
I am unable to execute any Linux command such as dd or dcfldd on it as it
has "cellcli" command line integrated.

Can you please suggest any of the tools or methodologies to acquire using
sleuthkit as this supports ZFS Pooled file system image?

Thanks.

[sleuthkit-developers] Refs support

[Cuk t. R. <ana...@gm...>]

Hello

since this
<https://www.sciencedirect.com/science/article/pii/S1742287619301252> paper
was released, we can add support to refs filesystems

I am willing to work on adding support for another filesystem.
I searched through the documentation but i didn't find any resource on
extending sleuthkit.

Can anyone point me to the right direction?

Kind Regards
Mageirias Anastasios

-- 
Mageirias Anastasios
mageirias.com <http://www.mageirias.com>

Re: [sleuthkit-developers] Question about the Module Development Contest

[Richard C. <rco...@ba...>]

One way that you could handle this would be to add the following to all of
your files

/*
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

Then your answer to the question about the license of your source code is
"Apache License, Version 2.0."

On Tue, Aug 13, 2019 at 5:20 AM Chen Yuming <mot...@ou...> wrote:

> Dear Sir or Madam,
>
>
>
> I’m a student in George Mason University. I want to submit my module for
> the 2019 Module Development Contest.
>
> In *Guidelines*, it mentions that “The module must be released as open
> source software by the submission deadline under one of the licenses
> approved by the Open Source Initiative.”, and in *How To Submit*, it also
> says that I need to answer the question about the * license of source
> code*. Here is my question: What exactly do I need to do? Should I write
> an authentication or something else?
>
> I have little experience about this kind of stuff. Please give me some
> help.
>
>
>
> Yours,
>
> Yuming
>
>
> _______________________________________________
> sleuthkit-developers mailing list
> sle...@li...
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers
>

[sleuthkit-developers] Question about the Module Development Contest

[Chen Y. <mot...@ou...>]

Dear Sir or Madam,

I’m a student in George Mason University. I want to submit my module for the 2019 Module Development Contest.
In Guidelines, it mentions that “The module must be released as open source software by the submission deadline under one of the licenses approved by the Open Source Initiative.”, and in How To Submit, it also says that I need to answer the question about the license of source code. Here is my question: What exactly do I need to do? Should I write an authentication or something else?
I have little experience about this kind of stuff. Please give me some help.

Yours,
Yuming

Re: [sleuthkit-developers] Error compliling for the first time.

[Goldberg, J. <JGo...@cy...>]

​Ignore request, I thought I had to run it from Framework directory, it is the root.

Jon Goldberg
Cyopsis


Confidentiality Notice: This e-mail communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. If you have received this communication in error, please notify me immediately by replying to this message and deleting it from your computer. Thank you
________________________________
From: Goldberg, Jon <JGo...@cy...>
Sent: Monday, November 5, 2018 11:29 AM
To: sle...@li...
Subject: [sleuthkit-developers] Error compliling for the first time.


Compiling tsk/framework for the first time on Linux Ubuntu.  I have run bootst​rap and configure, I have installed libtool and Poco-dev.  When I am doing the first make I am getting the following error, it looks like it shouldn't be looking for this with the comment about this being MSC only.  There are no errors with aclocal, autoconf, Thoughts?


(Auto Make warnings):


~/sleuthkit/framework$ automake
Makefile.am:69: warning: deprecated feature: target 'copy_configs' overrides 'copy_configs$(EXEEXT)'
Makefile.am:69: change your target to read 'copy_configs$(EXEEXT)'
/usr/share/automake-1.15/am/program.am: target 'copy_configs$(EXEEXT)' was defined here
Makefile.am:57:   while processing program 'copy_configs'
Makefile.am:63: warning: deprecated feature: target 'copy_libs' overrides 'copy_libs$(EXEEXT)'
Makefile.am:63: change your target to read 'copy_libs$(EXEEXT)'
/usr/share/automake-1.15/am/program.am: target 'copy_libs$(EXEEXT)' was defined here
Makefile.am:57:   while processing program 'copy_libs'
modules/c_InterestingFilesModule/Makefile.am:20: warning: deprecated feature: target 'maybe_copy_configs' overrides 'maybe_copy_configs$(EXEEXT)'
modules/c_InterestingFilesModule/Makefile.am:20: change your target to read 'maybe_copy_configs$(EXEEXT)'
/usr/share/automake-1.15/am/program.am: target 'maybe_copy_configs$(EXEEXT)' was defined here
modules/c_InterestingFilesModule/Makefile.am:10:   while processing program 'maybe_copy_configs'
modules/c_InterestingFilesModule/Makefile.am:13: warning: deprecated feature: target 'setup_data' overrides 'setup_data$(EXEEXT)'
modules/c_InterestingFilesModule/Makefile.am:13: change your target to read 'setup_data$(EXEEXT)'
/usr/share/automake-1.15/am/program.am: target 'setup_data$(EXEEXT)' was defined here
modules/c_InterestingFilesModule/Makefile.am:10:   while processing program 'setup_data'





cyopsis@cyopsis-splunk:~/sleuthkit/framework$ make
make  all-recursive
make[1]: Entering directory '/home/cyopsis/sleuthkit/framework'
Making all in tsk/framework
make[2]: Entering directory '/home/cyopsis/sleuthkit/framework/tsk/framework'
Making all in extraction
make[3]: Entering directory '/home/cyopsis/sleuthkit/framework/tsk/framework/extraction'
/bin/bash ../../../libtool  --tag=CXX   --mode=compile g++ -DHAVE_CONFIG_H -I. -I../../..  -I.. -I../.. -I../../../..   -g -O2 -MT TskAutoImpl.lo -MD -MP -MF .deps/TskAutoImpl.Tpo -c -o TskAutoImpl.lo TskAutoImpl.cpp
libtool: compile:  g++ -DHAVE_CONFIG_H -I. -I../../.. -I.. -I../.. -I../../../.. -g -O2 -MT TskAutoImpl.lo -MD -MP -MF .deps/TskAutoImpl.Tpo -c TskAutoImpl.cpp  -fPIC -DPIC -o .libs/TskAutoImpl.o
In file included from ../../../../tsk/libtsk.h:4:0,
                 from ../../../tsk/framework/framework_i.h:16,
                 from TskAutoImpl.h:11,
                 from TskAutoImpl.cpp:15:
../../../../tsk/base/tsk_base.h:53:26: fatal error: tsk/tsk_incs.h: No such file or directory
compilation terminated.
Makefile:411: recipe for target 'TskAutoImpl.lo' failed
make[3]: *** [TskAutoImpl.lo] Error 1
make[3]: Leaving directory '/home/cyopsis/sleuthkit/framework/tsk/framework/extraction'
Makefile:481: recipe for target 'all-recursive' failed
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory '/home/cyopsis/sleuthkit/framework/tsk/framework'
Makefile:629: recipe for target 'all-recursive' failed
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory '/home/cyopsis/sleuthkit/framework'
Makefile:461: recipe for target 'all' failed
make: *** [all] Error 2



Jon Goldberg
Cyopsis
jgo...@cy...<mailto:CBernard@Cyopsis.com>
www.Cyopsis.com​<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.cyopsis.com_&d=DwMGaQ&c=y6L7g950KfMp92YmLM0QlMdXcRn6b-Cq4AApnSJOenE&r=IhHMgpGcihcPgakuTOzCOYQHtgNjLVMZFETPpmKCw2o&m=VotOOPFOiYr9IV-4noJqiM86p3QIeCNQDCpkdqwDbfc&s=AlK1RSUhW7CjdBgih-1M1qucSJYsZjzuAJ4y7E3_gEU&e=>
Confidentiality Notice: This e-mail communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. If you have received this communication in error, please notify me immediately by replying to this message and deleting it from your computer. Thank you

[sleuthkit-developers] Error compliling for the first time.

[Goldberg, J. <JGo...@cy...>]

Compiling tsk/framework for the first time on Linux Ubuntu.  I have run bootst​rap and configure, I have installed libtool and Poco-dev.  When I am doing the first make I am getting the following error, it looks like it shouldn't be looking for this with the comment about this being MSC only.  There are no errors with aclocal, autoconf, Thoughts?


(Auto Make warnings):


~/sleuthkit/framework$ automake
Makefile.am:69: warning: deprecated feature: target 'copy_configs' overrides 'copy_configs$(EXEEXT)'
Makefile.am:69: change your target to read 'copy_configs$(EXEEXT)'
/usr/share/automake-1.15/am/program.am: target 'copy_configs$(EXEEXT)' was defined here
Makefile.am:57:   while processing program 'copy_configs'
Makefile.am:63: warning: deprecated feature: target 'copy_libs' overrides 'copy_libs$(EXEEXT)'
Makefile.am:63: change your target to read 'copy_libs$(EXEEXT)'
/usr/share/automake-1.15/am/program.am: target 'copy_libs$(EXEEXT)' was defined here
Makefile.am:57:   while processing program 'copy_libs'
modules/c_InterestingFilesModule/Makefile.am:20: warning: deprecated feature: target 'maybe_copy_configs' overrides 'maybe_copy_configs$(EXEEXT)'
modules/c_InterestingFilesModule/Makefile.am:20: change your target to read 'maybe_copy_configs$(EXEEXT)'
/usr/share/automake-1.15/am/program.am: target 'maybe_copy_configs$(EXEEXT)' was defined here
modules/c_InterestingFilesModule/Makefile.am:10:   while processing program 'maybe_copy_configs'
modules/c_InterestingFilesModule/Makefile.am:13: warning: deprecated feature: target 'setup_data' overrides 'setup_data$(EXEEXT)'
modules/c_InterestingFilesModule/Makefile.am:13: change your target to read 'setup_data$(EXEEXT)'
/usr/share/automake-1.15/am/program.am: target 'setup_data$(EXEEXT)' was defined here
modules/c_InterestingFilesModule/Makefile.am:10:   while processing program 'setup_data'





cyopsis@cyopsis-splunk:~/sleuthkit/framework$ make
make  all-recursive
make[1]: Entering directory '/home/cyopsis/sleuthkit/framework'
Making all in tsk/framework
make[2]: Entering directory '/home/cyopsis/sleuthkit/framework/tsk/framework'
Making all in extraction
make[3]: Entering directory '/home/cyopsis/sleuthkit/framework/tsk/framework/extraction'
/bin/bash ../../../libtool  --tag=CXX   --mode=compile g++ -DHAVE_CONFIG_H -I. -I../../..  -I.. -I../.. -I../../../..   -g -O2 -MT TskAutoImpl.lo -MD -MP -MF .deps/TskAutoImpl.Tpo -c -o TskAutoImpl.lo TskAutoImpl.cpp
libtool: compile:  g++ -DHAVE_CONFIG_H -I. -I../../.. -I.. -I../.. -I../../../.. -g -O2 -MT TskAutoImpl.lo -MD -MP -MF .deps/TskAutoImpl.Tpo -c TskAutoImpl.cpp  -fPIC -DPIC -o .libs/TskAutoImpl.o
In file included from ../../../../tsk/libtsk.h:4:0,
                 from ../../../tsk/framework/framework_i.h:16,
                 from TskAutoImpl.h:11,
                 from TskAutoImpl.cpp:15:
../../../../tsk/base/tsk_base.h:53:26: fatal error: tsk/tsk_incs.h: No such file or directory
compilation terminated.
Makefile:411: recipe for target 'TskAutoImpl.lo' failed
make[3]: *** [TskAutoImpl.lo] Error 1
make[3]: Leaving directory '/home/cyopsis/sleuthkit/framework/tsk/framework/extraction'
Makefile:481: recipe for target 'all-recursive' failed
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory '/home/cyopsis/sleuthkit/framework/tsk/framework'
Makefile:629: recipe for target 'all-recursive' failed
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory '/home/cyopsis/sleuthkit/framework'
Makefile:461: recipe for target 'all' failed
make: *** [all] Error 2



Jon Goldberg
Cyopsis
jgo...@cy...<mailto:CBernard@Cyopsis.com>
www.Cyopsis.com​<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.cyopsis.com_&d=DwMGaQ&c=y6L7g950KfMp92YmLM0QlMdXcRn6b-Cq4AApnSJOenE&r=IhHMgpGcihcPgakuTOzCOYQHtgNjLVMZFETPpmKCw2o&m=VotOOPFOiYr9IV-4noJqiM86p3QIeCNQDCpkdqwDbfc&s=AlK1RSUhW7CjdBgih-1M1qucSJYsZjzuAJ4y7E3_gEU&e=>
Confidentiality Notice: This e-mail communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. If you have received this communication in error, please notify me immediately by replying to this message and deleting it from your computer. Thank you

[sleuthkit-developers] Autopsy Module Competition Ends

[Brian C. <ca...@sl...>]

Friendly reminder that monday is the deadline for the OSDFCon Autopsy
module competition.

    https://www.osdfcon.org/2018-event/2018-module-development-contest/

Modules can be Python or Java.

thanks,
brian

[sleuthkit-developers] Generate files reports with more data attributes for each file

[Hoel S. <hoe...@gm...>]

 Hello,

It is my first message on the sleuthkit-developers mailing list, I am also
new to Autopsy / sleuthkit environment in general (I don't even know if I
should post here for what I want). Also I intend to use Autopsy only for
personal purpose on my own data so not really for forensics reasons.

Also, english is not my native language (I am french), so pardon my
mistakes if you find some ;)

I am using Autopsy 4.8.0 on Windows (7 and 10).

So I would like to know if it is possible to generate files reports (in CSV
or text format) for entire NTFS volumes with all the 4 NTFS timestamps
(created,
modified, MFT modified and accessed), for the core files but also for the
corresponding filenames (hardlink). Because each different file name
(hardlink) of an NTFS file has its own set of 4 timestamps and they do not
reflect exactly the core 4 timestamps of the file. Also I would like to
have the possibility to report for each file his MFT entry (ref), parent's
folder ref, record sizes, number of hardlinks, etc. Actually these are the
informations that are displayed in the "File Metadata" of the result tab
for each file.

I didn't find a way to do that in the regular Autopsy interface, for
exemple there are only 3 timestamps reportable (Last Accessed, File
Created, Last Modified). If not possible in regular report I think it might
be possible by doing some custom report module, but I don't know how to do
that also.

I ask this because in my NTFS volumes I classify many files with multiple
hardlinks (per file), and I need to create reports of the folders/files
structures with the maximum of informations about the files themselves and
their individual hardlinks (file names) and the relations between them.

So do you think what I ask is possible and how ? If we must create a report
module for that, can someone help me to do one ?

Thanks in advance,

Regards

Re: [sleuthkit-developers] Help Writing a Module - isMimeType() - SortedSet

[Brian C. <ca...@sl...>]

Are you writing a Jython module?

If so, I'm not sure how to create a SortedSet in Jython.  Looks like we
made an API mistake by forcing it to be a SortedSet instead of a generic
Set.

If your list of MIME types are different from the ones that Richard
mentioned, I'd recommend you call AbstractFile.getMIMEType() and use that
value to see if it is in your list of mime types that you care about.


On Fri, Jun 15, 2018 at 1:59 PM, Richard Cordovano <rco...@ba...
> wrote:

> You could call the following ImageUtils to get a SortedSet of image MIME
> types:
>
> public static SortedSet<String> getSupportedImageMimeTypes()
>
> You could also call this FIleTypeDetector method to see all the values
> that can be stored in the field returned by AbstractFile.getMIMEType:
>
>     /**
>      * Gets a sorted set of the file types that can be detected: the MIME
> types
>      * detected by Tika (without optional parameters), the custom MIME
> types
>      * defined by Autopsy, and any custom MIME types defined by the user.
>      *
>      * @return A list of all detectable file types.
>      *
>      * @throws FileTypeDetectorInitException If an error occurs while
> assembling
>      *                                       the list of types
>      */
>     public static synchronized SortedSet<String> getDetectedTypes() throws
> FileTypeDetectorInitException
>
>
>
> On Wed, Jun 13, 2018 at 8:47 PM Edes4ud Kheheb2enud <bee...@gm...>
> wrote:
>
>> Hello,
>>
>> I'm trying to write a module and I am running in to some problems and was
>> wondering if anyone could help.
>>
>> My module is an ingest module. I would like it to run against any file
>> with an image mimetype. I'm using the sample ingest module from the 1st
>> tutorial as a model and I'm attempting to use:
>>
>> if file.isMimeType()
>>
>> I'm having difficulty with the parameter for isMimeType. It is supposed
>> to be a sorted set. I guess I am confused on what a sorted set is and what
>> format it should be in. I tried passing strings that were a mimetype but
>> everything I tried fails. Has anyone had any success filtering files based
>> on mimetype?
>>
>> Rod
>> ------------------------------------------------------------
>> ------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot______
>> _________________________________________
>> sleuthkit-developers mailing list
>> sle...@li...
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers
>>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> sleuthkit-developers mailing list
> sle...@li...
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers
>
>

Re: [sleuthkit-developers] Help Writing a Module - isMimeType() - SortedSet

[Richard C. <rco...@ba...>]

You could call the following ImageUtils to get a SortedSet of image MIME
types:

public static SortedSet<String> getSupportedImageMimeTypes()

You could also call this FIleTypeDetector method to see all the values that
can be stored in the field returned by AbstractFile.getMIMEType:

    /**
     * Gets a sorted set of the file types that can be detected: the MIME
types
     * detected by Tika (without optional parameters), the custom MIME types
     * defined by Autopsy, and any custom MIME types defined by the user.
     *
     * @return A list of all detectable file types.
     *
     * @throws FileTypeDetectorInitException If an error occurs while
assembling
     *                                       the list of types
     */
    public static synchronized SortedSet<String> getDetectedTypes() throws
FileTypeDetectorInitException



On Wed, Jun 13, 2018 at 8:47 PM Edes4ud Kheheb2enud <bee...@gm...>
wrote:

> Hello,
>
> I'm trying to write a module and I am running in to some problems and was
> wondering if anyone could help.
>
> My module is an ingest module. I would like it to run against any file
> with an image mimetype. I'm using the sample ingest module from the 1st
> tutorial as a model and I'm attempting to use:
>
> if file.isMimeType()
>
> I'm having difficulty with the parameter for isMimeType. It is supposed to
> be a sorted set. I guess I am confused on what a sorted set is and what
> format it should be in. I tried passing strings that were a mimetype but
> everything I tried fails. Has anyone had any success filtering files based
> on mimetype?
>
> Rod
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> sleuthkit-developers mailing list
> sle...@li...
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers
>

[sleuthkit-developers] Help Writing a Module - isMimeType() - SortedSet

[Edes4ud K. <bee...@gm...>]

Hello,

I'm trying to write a module and I am running in to some problems and was
wondering if anyone could help.

My module is an ingest module. I would like it to run against any file with
an image mimetype. I'm using the sample ingest module from the 1st tutorial
as a model and I'm attempting to use:

if file.isMimeType()

I'm having difficulty with the parameter for isMimeType. It is supposed to
be a sorted set. I guess I am confused on what a sorted set is and what
format it should be in. I tried passing strings that were a mimetype but
everything I tried fails. Has anyone had any success filtering files based
on mimetype?

Rod

[sleuthkit-developers] TSK Framework

[Brian C. <ca...@sl...>]

Is anyone using the TSK framework
<http://sleuthkit.org/sleuthkit/framework.php>?  We no longer use it at
Basis because we now have the framework in Autopsy. The TSK framework
hasn't been maintained and I'd like to stop shipping it with each TSK tar
ball.

Would anyone miss it?

[sleuthkit-developers] Minimum Java Version for The Sleuth Kit JAR

[Brian C. <ca...@sl...>]

We have tried to maintain the lowest possible Java level to enable the most
widespread usage.  Currently, it is set to 1.6, but we would like to move
to the more modern 1.8.

If we change to 1.8 is this going to break anyone's Java projects that use
the JAR?

brian