Re: [sleuthkit-developers] How to query file mimetype in Autopsy 3.1-beta
From: Luís F. N. <lfc...@gm...> - 2014-07-16 14:35:51
Thank you very much, Brian, worked fine. The idea is to render files based on signature. I tried the code posted before because, with minor changes to the correct artifact and attribute type ids, it worked to get keyword hits.

2014-07-16 10:33 GMT-03:00 Brian Carrier <ca...@sl...>:

> I don't know if the BlackboardArtifacts will be in the node for lookup.
> Typically, we get them from the file object itself (Node -> Content ->
> Artifacts).
>
> This is the code that we use in several modules (this one is from the 7zip
> module):
>
> ArrayList<BlackboardAttribute> attributes =
>     file.getGenInfoAttributes(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_FILE_TYPE_SIG);
> for (BlackboardAttribute attribute : attributes) {
>     attributeFound = true;
>     String fileType = attribute.getValueString();
>     if (!fileType.isEmpty() && fileType.equals("application/zip")) { //NON-NLS
>         return true;
>     }
> }
>
> On Jul 15, 2014, at 11:11 PM, Luís Filipe Nassif <lfc...@gm...> wrote:
>
> > After running File Type Id. and File Ext Mismatch modules, I see the
> > generated artifacts and attributes in sqlite. But I am not able to
> > get the mimetype from a file with the code below:
> >
> > Collection<? extends BlackboardArtifact> artifacts =
> >     node.getLookup().lookupAll(BlackboardArtifact.class);
> > for(BlackboardArtifact artifact : artifacts)
> >     if(artifact.getArtifactTypeID() ==
> >             BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getTypeID())
> >         try {
> >             for(BlackboardAttribute attr : artifact.getAttributes()){
> >                 if(attr.getAttributeTypeID() ==
> >                         BlackboardAttribute.ATTRIBUTE_TYPE.TSK_FILE_TYPE_SIG.getTypeID()){
> >                     String mimeType = attr.getValueString();
> >                     //System.out.println(artifact.getArtifactTypeName() + "-" + attr.getAttributeTypeName() + ": " + mimeType);
> >                     return mimeType;
> >                 }
> >             }
> >         } catch (TskCoreException ex) {
> >             Exceptions.printStackTrace(ex);
> >         }
> >
> > Is there something wrong with the code?
> >
> > Regards,
> > Luis
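
Added example (not part of the original thread and not Autopsy project code): a helper that follows the Node -> Content -> attribute path described in the reply to return a file's signature-based MIME type, or null when no TSK_FILE_TYPE_SIG attribute exists yet (for instance, the File Type Id. module has not run). The class and method names are hypothetical, and the code assumes the node's lookup exposes the underlying AbstractFile.

```java
import java.util.ArrayList;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.openide.nodes.Node;
import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
import org.sleuthkit.datamodel.TskCoreException;

/** Hypothetical helper: resolves the signature-detected MIME type of a node's file. */
public final class SignatureMimeType {

    private static final Logger LOGGER = Logger.getLogger(SignatureMimeType.class.getName());

    private SignatureMimeType() {
    }

    /** Returns the TSK_FILE_TYPE_SIG value for the node's file, or null if unavailable. */
    public static String forNode(Node node) {
        if (node == null) {
            return null;
        }
        // Assumption: the file is in the node's lookup; the artifacts are not.
        AbstractFile file = node.getLookup().lookup(AbstractFile.class);
        if (file == null) {
            return null; // not a file-backed node (e.g. a directory tree category)
        }
        try {
            ArrayList<BlackboardAttribute> attributes =
                    file.getGenInfoAttributes(ATTRIBUTE_TYPE.TSK_FILE_TYPE_SIG);
            for (BlackboardAttribute attribute : attributes) {
                String fileType = attribute.getValueString();
                if (fileType != null && !fileType.isEmpty()) {
                    return fileType;
                }
            }
        } catch (TskCoreException ex) {
            LOGGER.log(Level.WARNING, "Could not read file type attributes", ex);
        }
        return null; // no signature result recorded for this file
    }

    /** True only when a signature result exists and a renderer supports it. */
    public static boolean isRenderable(Node node, Set<String> supportedMimeTypes) {
        String mimeType = forNode(node);
        return mimeType != null && supportedMimeTypes.contains(mimeType);
    }
}
```

Returning null instead of falling back to the file extension keeps the rendering decision tied to the detected signature, so a renamed file is not handed to a viewer chosen by its name.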