Re: [sleuthkit-developers] Few clarifications
From: Brian C. <ca...@sl...> - 2014-11-13 14:13:19
Check out the photorec module for packaging volatility. Basics are:
- Make a 'release' folder in your NetBeans project folder and place the volatility folder in there
- Find that file at runtime using something like this:
File exeFile = InstalledFileLocator.getDefault().locate(executableToFindName, PhotoRecCarverFileIngestModule.class.getPackage().getName(), false);
This searches for "executableToFindName" in your netbeans project / module.
For the first pass at this to get it working, I'd suggest:
- You make it a file-level ingest module
- Add the .lime files in as logical/local files.
- Have the file-level ingest module ignore all files that do not have a .lime extension.
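The packaging and file-level-module steps listed above, put together as an added example (this is not code from the Autopsy project or the PhotoRec module). It assumes the Autopsy 3.1-era Java API as I remember it (FileIngestModule, IngestJobContext.fileIngestIsCancelled(), ExecUtil.execute with a ProcessTerminator, ContentUtils.writeToFile, Case.getModulesOutputDirAbsPath() and Case.addReport()) plus the NetBeans InstalledFileLocator call quoted above; the package name, the `volatility` folder name under `release`, the profile string and the plugin names are constructed placeholders.

```java
package org.sleuthkit.autopsy.modules.volatility; // hypothetical package name for this example

import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.openide.modules.InstalledFileLocator;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.coreutils.ExecUtil;
import org.sleuthkit.autopsy.datamodel.ContentUtils;
import org.sleuthkit.autopsy.ingest.FileIngestModule;
import org.sleuthkit.autopsy.ingest.IngestJobContext;
import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.TskCoreException;

// Example file-level ingest module: runs a packaged Volatility over .lime logical files.
public class VolatilityFileIngestModule implements FileIngestModule {

    private static final Logger logger = Logger.getLogger(VolatilityFileIngestModule.class.getName());
    private static final String MODULE_NAME = "Volatility (example)";
    // Folder name under the NetBeans module's 'release' folder: constructed placeholder.
    private static final String VOLATILITY_DIR = "volatility";
    // Profile and plugin list: constructed placeholders, to be chosen per target image.
    private static final String PROFILE = "EXAMPLE_PROFILE";
    private static final List<String> PLUGINS = Arrays.asList("linux_pslist", "linux_netstat");

    private IngestJobContext context;
    private File volPy;
    private Path outputRoot;

    @Override
    public void startUp(IngestJobContext context) throws IngestModuleException {
        this.context = context;
        // Find the packaged Volatility folder the same way the PhotoRec module finds photorec.
        File volDir = InstalledFileLocator.getDefault().locate(VOLATILITY_DIR,
                VolatilityFileIngestModule.class.getPackage().getName(), false);
        if (volDir == null || !new File(volDir, "vol.py").isFile()) {
            throw new IngestModuleException("Packaged Volatility not found under release/" + VOLATILITY_DIR);
        }
        volPy = new File(volDir, "vol.py");
        // Keep all output inside the case's module output directory.
        outputRoot = Paths.get(Case.getCurrentCase().getModulesOutputDirAbsPath(), "volatility");
    }

    @Override
    public ProcessResult process(AbstractFile file) {
        // Ignore everything that is not a .lime image (cheap name check before any I/O).
        if (!file.getName().toLowerCase().endsWith(".lime")) {
            return ProcessResult.OK;
        }
        try {
            // One output folder per image; the object id keeps same-named images apart.
            Path imageDir = Files.createDirectories(outputRoot.resolve(file.getId() + "_" + safeName(file.getName())));
            File localImage = imageDir.resolve("image.lime").toFile();
            // Copy the image out of the case onto local disk, as PhotoRec does for unallocated space.
            ContentUtils.writeToFile(file, localImage);

            for (String plugin : PLUGINS) {
                if (context.fileIngestIsCancelled()) {
                    return ProcessResult.OK;
                }
                // Arguments go in as a list, never as one shell string, so nothing
                // derived from the evidence is interpreted by a shell.
                ProcessBuilder pb = new ProcessBuilder("python", volPy.getAbsolutePath(),
                        "-f", localImage.getAbsolutePath(), "--profile=" + PROFILE, plugin);
                pb.redirectOutput(imageDir.resolve(plugin + ".txt").toFile());
                pb.redirectError(imageDir.resolve(plugin + ".err.txt").toFile());
                int exit = ExecUtil.execute(pb, new ExecUtil.ProcessTerminator() {
                    @Override
                    public boolean shouldTerminateProcess() {
                        return context.fileIngestIsCancelled();
                    }
                });
                if (exit != 0) {
                    logger.log(Level.WARNING, "Volatility {0} exited with {1} for {2}",
                            new Object[]{plugin, exit, file.getName()});
                }
            }
            // Simplest first pass: link the output folder into the case tree instead of parsing it.
            Case.getCurrentCase().addReport(imageDir.toString(), MODULE_NAME,
                    "Volatility output for " + file.getName());
            return ProcessResult.OK;
        } catch (IOException | TskCoreException ex) {
            logger.log(Level.SEVERE, "Volatility run failed for " + file.getName(), ex);
            return ProcessResult.ERROR;
        }
    }

    @Override
    public void shutDown() {
    }

    // Strip anything but safe characters so an evidence file name cannot shape the output path.
    private static String safeName(String name) {
        return name.replaceAll("[^A-Za-z0-9._-]", "_");
    }
}
```

Two design choices worth keeping even if the rest changes: the evidence file name never reaches the command line (the copied image always gets a fixed local name, and the output folder name is sanitised), and cancellation is checked both between plugins and inside the ProcessTerminator so a long Volatility run does not outlive a cancelled ingest job.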
On Nov 12, 2014, at 5:15 PM, Wiktor Sypniewski <wik...@gm...> wrote:
> Hi Guys,
>
> I have it working somewhat. I want to know where I should keep the
> Volatility *.py files (at the moment hard coded) and how I access
> them?
>
> Also how to import the *.lime image and access it from the ingest module?
>
> Would my module be file ingest module or data source ingest module?
>
> Vic
> -----------------------------------------------
> www.bluegreenblack.com
> www.thisfeelsgreat.blogspot.com
> http://www.vajrayanaireland.org/
>
> For sensitive information please use encryption.
>
> Public key available at: http://pgp.mit.edu/
> Fingerprint: 3D8C 48ED 42BD 4004 D23C C455 8D80 7FB4 2C4D 7801
>
>
> On 10 November 2014 14:58, Brian Carrier <ca...@sl...> wrote:
>> And one other thing. We package the photorec executable up in the 'release' folder of the NetBeans module. It then gets automagically copied into the resulting JAR/NBM:
>>
>> https://github.com/sleuthkit/autopsy/tree/develop/Core/release
>>
>> On Nov 10, 2014, at 9:56 AM, Brian Carrier <ca...@sl...> wrote:
>>
>>> There have been some offline e-mails from Wiktor, but I wanted to reply to this one to the list for public archival and such. You can refer to our PhotoRec module code as an example of running a command line tool. It basically extracts the unallocated space files to local disk, runs PhotoRec on them, and parses the PhotoRec output. It does a lot more than you may need for the Volatility module, but it is a starting point.
>>>
>>> https://github.com/sleuthkit/autopsy/blob/develop/Core/src/org/sleuthkit/autopsy/modules/photoreccarver/PhotoRecCarverFileIngestModule.java
>>>
>>> For Volatility, you can either parse the output or simply refer the user to the output folder that you create.
>>>
>>> brian
>>>
>>>
>>>
>>>
>>>
>>> On Nov 3, 2014, at 5:41 PM, Brian Carrier <ca...@sl...> wrote:
>>>
>>>> Hi Wiktor,
>>>>
>>>> What you have below is basically the easiest way to get started. There is another way, but it is not well documented. You can create a "Data Source Processor" (http://sleuthkit.org/autopsy/docs/api-docs/3.1/interfaceorg_1_1sleuthkit_1_1autopsy_1_1corecomponentinterfaces_1_1_data_source_processor.html) to add the memory image in as a memory image and run Volatility at that point instead of as an ingest module, but it isn't documented as well as the other modules.
>>>>
>>>> Generally looks good. The big question for me has always been what to do with the output of volatility. You can either:
>>>>
>>>> - parse the output and make Blackboard artifacts for the processes, ports, etc. This will require new artifact types.
>>>> - Drop the output into a folder and let the user browse it outside of Autopsy. You can call "Case.addReport()" to add a link to the output folder and then it will be shown in the Autopsy tree.
>>>>
>>>> brian
>>>>
>>>>
>>>>
>>>> On Nov 2, 2014, at 3:45 PM, Wiktor Sypniewski <wik...@gm...> wrote:
>>>>
>>>>> Hi Guys!
>>>>>
>>>>> (short reminder of what I am trying to do: I want to take the Volatility
>>>>> Framework, in Python, and implement it in Autopsy)
>>>>>
>>>>> I need a few clarifications on what to do and how to do it:
>>>>>
>>>>> So the way I was going to proceed with this is to:
>>>>>
>>>>> 1. write File Ingest Module that will do points: 3 to 7
>>>>> 2. import *.lime image of mobile phone memory/ram
>>>>> 3. access this image from within my module
>>>>> 4. access Volatility Framework from within my module (*.py files)
>>>>> 5. run relevant plugins in VF in the *.lime image
>>>>> 6. pipe output to Autopsy DB / file on disk - maybe *.txt
>>>>> 7. display output in Autopsy window
>>>>>
>>>>> Any suggestions?
>>>>>
>>>>> Regards
>>>>> Vic
>>>>>
>>>>> -----------------------------------------------
>>>>> www.bluegreenblack.com
>>>>> www.thisfeelsgreat.blogspot.com
>>>>> http://www.vajrayanaireland.org/
>>>>>
>>>>> For sensitive information please use encryption.
>>>>>
>>>>> Public key available at: http://pgp.mit.edu/
>>>>> Fingerprint: 3D8C 48ED 42BD 4004 D23C C455 8D80 7FB4 2C4D 7801
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> _______________________________________________
>>>>> sleuthkit-developers mailing list
>>>>> sle...@li...
>>>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers
>>>>
>>>
>>
>