Re: [sleuthkit-developers] Few clarifications
From: Brian C. <ca...@sl...> - 2014-11-10 14:56:22
There have been some offline e-mails from Wiktor, but I wanted to reply to this one to the list for public archival and such.

You can refer to our PhotoRec module code as an example of running a command line tool. It basically extracts the unallocated space files to local disk, runs PhotoRec on them, and parses the PhotoRec output. It does a lot more than you may need for the Volatility module, but it is a starting point.

https://github.com/sleuthkit/autopsy/blob/develop/Core/src/org/sleuthkit/autopsy/modules/photoreccarver/PhotoRecCarverFileIngestModule.java

For Volatility, you can either parse the output or simply refer the user to the output folder that you create.

brian

On Nov 3, 2014, at 5:41 PM, Brian Carrier <ca...@sl...> wrote:

> Hi Wiktor,
>
> What you have below is basically the easiest way to get started. There is another way, but it is not well documented. You can create a "Data Source Processor" (http://sleuthkit.org/autopsy/docs/api-docs/3.1/interfaceorg_1_1sleuthkit_1_1autopsy_1_1corecomponentinterfaces_1_1_data_source_processor.html) to add the memory image in as a memory image and run Volatility at that point instead of as an ingest module, but it isn't documented as well as the other modules.
>
> Generally looks good. The big question for me has always been what to do with the output of volatility. You can either:
>
> - parse the output and make Blackboard artifacts for the processes, ports, etc. This will require new artifact types.
> - Drop the output into a folder and let the user browse it outside of Autopsy. You can call "Case.addReport()" to add a link to the output folder and then it will be shown in the Autopsy tree.
>
> brian
>
>
> On Nov 2, 2014, at 3:45 PM, Wiktor Sypniewski <wik...@gm...> wrote:
>
>> Hi Guys!
>>
>> (short reminder of what I am trying to do: I want to take Volatility Framework - in Python - and implement it in Autopsy)
>>
>> I need a few clarifications on what and how to do it:
>>
>> So the way I was going to proceed with this is to:
>>
>> 1. write File Ingest Module that will do points 3 to 7
>> 2. import *.lime image of mobile phone memory/ram
>> 3. access this image from within my module
>> 4. access Volatility Framework from within my module (*.py files)
>> 5. run relevant plugins in VF on the *.lime image
>> 6. pipe output to Autopsy DB / file on disk - maybe *.txt
>> 7. display output in Autopsy window
>>
>> Any suggestions?
>>
>> Regards
>> Vic
>>
>> -----------------------------------------------
>> www.bluegreenblack.com
>> www.thisfeelsgreat.blogspot.com
>> http://www.vajrayanaireland.org/
>>
>> For sensitive information please use encryption.
>>
>> Public key available at: http://pgp.mit.edu/
>> Fingerprint: 3D8C 48ED 42BD 4004 D23C C455 8D80 7FB4 2C4D 7801
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> sleuthkit-developers mailing list
>> sle...@li...
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers
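As an added example (not code from Autopsy, Volatility or either poster), here is a parser for the fixed-width text tables that Volatility 2.x plugins such as pslist print, which is the first step of the "parse the output and make Blackboard artifacts" option discussed above. The sample output is constructed for this example, laid out the way Volatility 2 renders a table (a dashed separator line under the header, dashes for N/A cells); process_records and orphan_processes are illustrative helper names, not Autopsy or Volatility APIs.

```python
import re

# Constructed sample of Volatility 2.x "pslist" output (made up for this example;
# offsets, PIDs and timestamps are not from a real image).
SAMPLE_PSLIST = """\
Volatility Foundation Volatility Framework 2.4
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c89c8 System                    4      0     58      379 ------      0
0x822f1020 smss.exe                368      4      3       19 ------      0 2010-10-29 17:08:53 UTC+0000
0x8227f5d0 csrss.exe               584    368      9      326      0      0 2010-10-29 17:08:54 UTC+0000
0x81e5dda0 winlogon.exe            608    368     23      519      0      0 2010-10-29 17:08:54 UTC+0000
"""

# A separator line is runs of dashes separated by single spaces.
_SEPARATOR = re.compile(r"^-+( +-+)*\s*$")


def parse_volatility_table(text):
    """Parse a Volatility 2 text table into a list of dicts keyed by column name.

    The dashed separator defines the column boundaries, so cells containing
    spaces (process names, timestamps) are sliced correctly instead of being
    split on whitespace. A cell of only dashes (Volatility's N/A marker)
    becomes None; a missing trailing cell becomes "".
    """
    lines = text.splitlines()
    sep_index = next((i for i, l in enumerate(lines) if _SEPARATOR.match(l)), None)
    if sep_index is None or sep_index == 0:
        raise ValueError("no header/separator pair found in Volatility output")
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", lines[sep_index])]
    header = lines[sep_index - 1]
    names = [header[start:end].strip() for start, end in spans]
    rows = []
    for line in lines[sep_index + 1:]:
        if not line.strip():
            continue
        row = {}
        for k, (start, end) in enumerate(spans):
            # The last column runs to end of line; Volatility does not pad it.
            cell = (line[start:] if k == len(spans) - 1 else line[start:end]).strip()
            row[names[k]] = None if cell and set(cell) == {"-"} else cell
        rows.append(row)
    return rows


def process_records(rows):
    """Typed view of pslist rows: the fields a process artifact would carry."""
    return [{"name": r["Name"], "pid": int(r["PID"]), "ppid": int(r["PPID"]),
             "start": r["Start"] or None} for r in rows]


def orphan_processes(records):
    """Names of processes whose parent PID is absent from the listing (triage aid)."""
    pids = set(r["pid"] for r in records)
    return [r["name"] for r in records if r["ppid"] not in pids]
```

The same separator-driven slicing works for other Volatility 2 table plugins (netscan, linux_pslist for LiME images), because they all print the header/dashes pair the parser keys on.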