Re: [sleuthkit-developers] Few clarifications
From: Brian C. <ca...@sl...> - 2014-11-03 22:41:57
Hi Wiktor,

What you have below is basically the easiest way to get started. There is another way, but it is not well documented. You can create a "Data Source Processor" (http://sleuthkit.org/autopsy/docs/api-docs/3.1/interfaceorg_1_1sleuthkit_1_1autopsy_1_1corecomponentinterfaces_1_1_data_source_processor.html) to add the memory image in as a memory image and run Volatility at that point instead of as an ingest module, but it isn't documented as well as the other modules.

Generally looks good. The big question for me has always been what to do with the output of Volatility. You can either:

- parse the output and make Blackboard artifacts for the processes, ports, etc. This will require new artifact types.
- drop the output into a folder and let the user browse it outside of Autopsy. You can call "Case.addReport()" to add a link to the output folder and then it will be shown in the Autopsy tree.

brian

On Nov 2, 2014, at 3:45 PM, Wiktor Sypniewski <wik...@gm...> wrote:

> Hi Guys!
>
> (Short reminder of what I am trying to do: I want to take the Volatility
> Framework - in Python - and implement it in Autopsy.)
>
> I need a few clarifications on what to do and how to do it:
>
> So the way I was going to proceed with this is to:
>
> 1. write a File Ingest Module that will do points 3 to 7
> 2. import a *.lime image of mobile phone memory/RAM
> 3. access this image from within my module
> 4. access the Volatility Framework from within my module (*.py files)
> 5. run the relevant VF plugins on the *.lime image
> 6. pipe the output to the Autopsy DB / a file on disk - maybe *.txt
> 7. display the output in the Autopsy window
>
> Any suggestions?
>
> Regards
> Vic
>
> -----------------------------------------------
> www.bluegreenblack.com
> www.thisfeelsgreat.blogspot.com
> http://www.vajrayanaireland.org/
>
> For sensitive information please use encryption.
> Public key available at: http://pgp.mit.edu/
> Fingerprint: 3D8C 48ED 42BD 4004 D23C C455 8D80 7FB4 2C4D 7801
>
> ------------------------------------------------------------------------------
> _______________________________________________
> sleuthkit-developers mailing list
> sle...@li...
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers
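Both of Brian's options start from the text Volatility prints, so here is an added example (not code from Autopsy, The Sleuth Kit or Volatility) of the two pieces an ingest module needs before it can choose: a parser that turns a Volatility text table into per-process records a module could map onto Blackboard artifacts, and a helper that stages the raw output under the case so it can be registered with Case.addReport(). It is written in plain CPython so it runs offline; in the real module the same code would run under Jython and the Autopsy calls named in the comments would be made there. The linux_pslist sample, its column set, the profile string and the module/report names are constructed assumptions, not captured from a real run.

```python
"""Parse Volatility text output into records and stage it as an Autopsy report.

Added example (not Autopsy, Sleuth Kit or Volatility code). Kept to syntax that
works on both CPython 3 and Jython 2.7 so it can be moved into an ingest module.
"""
import os
import re
import tempfile

# Constructed sample in the layout Volatility 2.x text renderers use: a header
# line, a separator of dash groups, then one fixed-width row per entry. The
# column set is assumed, not copied from a real linux_pslist run.
SAMPLE_PSLIST = """\
Volatility Foundation Volatility Framework 2.4
Offset             Name                 Pid             PPid            Uid             Gid    DTB                Start Time
------------------ -------------------- --------------- --------------- --------------- ------ ------------------ ----------
0xffff88003c9ea000 init                 1               0               0               0      0x000000003c8e4000 2014-11-02 20:15:01 UTC+0000
0xffff88003c9eb800 kthreadd             2               0               0               0      ------------------ 2014-11-02 20:15:01 UTC+0000
0xffff88003a1f0000 zygote               312             1               0               0      0x0000000039e10000 2014-11-02 20:15:09 UTC+0000
0xffff880039f22000 com.android.phone    744             312             1001            1001   0x000000003944c000 2014-11-02 20:15:12 UTC+0000
"""


def volatility_argv(vol_py, image_path, profile, plugin):
    """argv for a Volatility 2 run: python vol.py -f <image> --profile=<p> <plugin>.

    The ingest module hands this to subprocess; the profile must be one built
    for the kernel the LiME dump came from (the value used below is assumed).
    """
    return ["python", vol_py, "-f", image_path, "--profile=" + profile, plugin]


def parse_volatility_table(text):
    """Parse one Volatility text table into a list of dicts keyed by column name.

    Column boundaries come from the dash-group separator line; labels come from
    the header line above it. Each cell is read from the end of the previous
    dash group, so one extra space of padding does not shift values, and the
    last column runs to end of line because Volatility lets timestamps overflow
    their dashes.
    """
    lines = text.splitlines()
    sep_idx = None
    for i, line in enumerate(lines):
        if line.strip() and set(line) <= set("- "):
            sep_idx = i
            break
    if sep_idx is None or sep_idx == 0:
        raise ValueError("no header/separator pair found in Volatility output")
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", lines[sep_idx])]
    names = re.split(r"\s{2,}", lines[sep_idx - 1].strip())
    if len(names) != len(spans):
        raise ValueError("header has %d labels but separator has %d columns"
                         % (len(names), len(spans)))
    records = []
    for line in lines[sep_idx + 1:]:
        if not line.strip():
            continue
        rec = {}
        for i, (start, end) in enumerate(spans):
            lo = spans[i - 1][1] if i else 0
            hi = None if i == len(spans) - 1 else end
            rec[names[i]] = line[lo:hi].strip()
        records.append(rec)
    return records


def children_of(records, ppid):
    """Names of processes whose PPid is ppid: the kind of relation a parsed
    record set makes queryable, whereas raw text only lets the user read."""
    return [r["Name"] for r in records if r["PPid"] == str(ppid)]


def stage_report(raw_output, case_dir=None, module_name="VolatilityIngest",
                 report_name="pslist.txt"):
    """Write raw plugin output under the case and return its path.

    In the Jython module this path is what gets passed to
    Case.getCurrentCase().addReport(path, module_name, "Volatility pslist"),
    the route Brian describes; the report then shows up in the Autopsy tree.
    Keeping the raw text next to any parsed artifacts lets the analyst check
    the parser against what Volatility actually printed. case_dir=None uses a
    temporary directory so the example runs stand-alone.
    """
    if case_dir is None:
        case_dir = tempfile.mkdtemp(prefix="autopsy_case_")
    report_dir = os.path.join(case_dir, "Reports", module_name)
    if not os.path.isdir(report_dir):      # os.makedirs(exist_ok=) is not in Jython 2.7
        os.makedirs(report_dir)
    path = os.path.join(report_dir, report_name)
    with open(path, "w") as fh:
        fh.write(raw_output)
    return path


if __name__ == "__main__":
    print(" ".join(volatility_argv("vol.py", "phone.lime", "LinuxAndroidARM", "linux_pslist")))
    procs = parse_volatility_table(SAMPLE_PSLIST)
    for p in procs:
        print("%-5s %-5s %-5s %s" % (p["Pid"], p["PPid"], p["Uid"], p["Name"]))
    print("children of zygote:", children_of(procs, 312))
    print("staged at", stage_report(SAMPLE_PSLIST))
```

The parser deliberately keys records by the header labels rather than by position, so the same function serves linux_pslist, linux_netstat or any other Volatility table; the artifact-mapping step (which label becomes which Blackboard attribute) is where the new artifact types Brian mentions come in, and it is the only part that has to know about a specific plugin.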