Re: [sleuthkit-developers] Few clarifications
From: Wiktor S. <wik...@gm...> - 2014-11-16 21:46:41
Also I want to know how I can add some options in the module configuration window? At the moment the Volatility plugins are hard coded; I want to be able to let the user tick them and choose. How do I add a module progress bar? Some of the VF plugins work for a considerable amount of time.

Thanks
Vic
-----------------------------------------------
www.bluegreenblack.com
www.thisfeelsgreat.blogspot.com

For sensitive information please use encryption.

Public key available at: http://pgp.mit.edu/
Fingerprint: 3D8C 48ED 42BD 4004 D23C C455 8D80 7FB4 2C4D 7801

On 16 November 2014 17:57, Wiktor Sypniewski <wik...@gm...> wrote:
> Ok guys, this is the code, please make comments. A few things are still hard
> coded but it works:
>
> https://github.com/Vic152/VfIngestModule.git
>
> Vic
>
> On 16 November 2014 17:33, Derrick Karpo <dk...@gm...> wrote:
>> Cool! I would say upload it to your github, send out the link here,
>> and perhaps it can get added to the 3rd party modules list on the
>> wiki.
>>
>> http://wiki.sleuthkit.org/index.php?title=Autopsy_3rd_Party_Modules
>>
>> Derrick
>>
>> On Sun, Nov 16, 2014 at 10:08 AM, Wiktor Sypniewski <wik...@gm...> wrote:
>>> Hi Guys,
>>>
>>> I have my basic first set up working. How do I share this with you?
>>> Upload this to GitHub?
>>>
>>> Vic
>>>
>>> On 14 November 2014 12:48, Wiktor Sypniewski <wik...@gm...> wrote:
>>>> Can anybody tell me what these lines of code do?
>>>>
>>>> private static final Logger logger =
>>>>     Logger.getLogger(PhotoRecCarverFileIngestModule.class.getName());
>>>>
>>>> private static final IngestModuleReferenceCounter refCounter = new
>>>>     IngestModuleReferenceCounter();
>>>>
>>>> Vic
>>>>
>>>> On 13 November 2014 14:13, Brian Carrier <ca...@sl...> wrote:
>>>>> Check out the photorec module for packaging volatility. Basics are:
>>>>> - Make a 'release' folder in your NetBeans project folder and place the volatility folder in there
>>>>> - Find that file at runtime using something like this:
>>>>>
>>>>> File exeFile = InstalledFileLocator.getDefault().locate(executableToFindName, PhotoRecCarverFileIngestModule.class.getPackage().getName(), false);
>>>>>
>>>>> This searches for "executableToFindName" in your netbeans project / module.
>>>>>
>>>>> For the first pass at this to get it working, I'd suggest:
>>>>> - You make it a file-level ingest module
>>>>> - Add the .lime files in as logical/local files.
>>>>> - Have the file-level ingest module ignore all files that do not have a .lime extension.
>>>>>
>>>>> On Nov 12, 2014, at 5:15 PM, Wiktor Sypniewski <wik...@gm...> wrote:
>>>>>
>>>>>> Hi Guys,
>>>>>>
>>>>>> I have it working somewhat. I want to know where I should keep the
>>>>>> Volatility *.py files (at the moment hard coded) and how I access
>>>>>> them?
>>>>>>
>>>>>> Also, how do I import the *.lime image and access it from the ingest module?
>>>>>>
>>>>>> Would my module be a file ingest module or a data source ingest module?
>>>>>>
>>>>>> Vic
>>>>>>
>>>>>> On 10 November 2014 14:58, Brian Carrier <ca...@sl...> wrote:
>>>>>>> And one other thing. We package the photorec executable up in the 'release' folder of the NetBeans module. It then gets automagically copied into the resulting JAR/NBM:
>>>>>>>
>>>>>>> https://github.com/sleuthkit/autopsy/tree/develop/Core/release
>>>>>>>
>>>>>>> On Nov 10, 2014, at 9:56 AM, Brian Carrier <ca...@sl...> wrote:
>>>>>>>
>>>>>>>> There have been some offline e-mails from Wiktor, but I wanted to reply to this one to the list for public archival and such. You can refer to our PhotoRec module code as an example of running a command line tool. It basically extracts the unallocated space files to local disk, runs PhotoRec on them, and parses the PhotoRec output. It does a lot more than you may need for the Volatility module, but it is a starting point.
>>>>>>>>
>>>>>>>> https://github.com/sleuthkit/autopsy/blob/develop/Core/src/org/sleuthkit/autopsy/modules/photoreccarver/PhotoRecCarverFileIngestModule.java
>>>>>>>>
>>>>>>>> For Volatility, you can either parse the output or simply refer the user to the output folder that you create.
>>>>>>>>
>>>>>>>> brian
>>>>>>>>
>>>>>>>> On Nov 3, 2014, at 5:41 PM, Brian Carrier <ca...@sl...> wrote:
>>>>>>>>
>>>>>>>>> Hi Wiktor,
>>>>>>>>>
>>>>>>>>> What you have below is basically the easiest way to get started. There is another way, but it is not well documented. You can create a "Data Source Processor" (http://sleuthkit.org/autopsy/docs/api-docs/3.1/interfaceorg_1_1sleuthkit_1_1autopsy_1_1corecomponentinterfaces_1_1_data_source_processor.html) to add the memory image in as a memory image and run Volatility at that point instead of as an ingest module, but it isn't documented as well as the other modules.
>>>>>>>>>
>>>>>>>>> Generally looks good. The big question for me has always been what to do with the output of volatility. You can either:
>>>>>>>>>
>>>>>>>>> - parse the output and make Blackboard artifacts for the processes, ports, etc. This will require new artifact types.
>>>>>>>>> - Drop the output into a folder and let the user browse it outside of Autopsy. You can call "Case.addReport()" to add a link to the output folder and then it will be shown in the Autopsy tree.
>>>>>>>>>
>>>>>>>>> brian
>>>>>>>>>
>>>>>>>>> On Nov 2, 2014, at 3:45 PM, Wiktor Sypniewski <wik...@gm...> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Guys!
>>>>>>>>>>
>>>>>>>>>> (short reminder of what I am trying to do: I want to take the Volatility
>>>>>>>>>> Framework, in Python, and implement it in Autopsy)
>>>>>>>>>>
>>>>>>>>>> I need a few clarifications on what to do and how to do it:
>>>>>>>>>>
>>>>>>>>>> So the way I was going to proceed with this is to:
>>>>>>>>>>
>>>>>>>>>> 1. write a File Ingest Module that will do points 3 to 7
>>>>>>>>>> 2. import a *.lime image of mobile phone memory/RAM
>>>>>>>>>> 3. access this image from within my module
>>>>>>>>>> 4. access the Volatility Framework from within my module (*.py files)
>>>>>>>>>> 5. run the relevant VF plugins on the *.lime image
>>>>>>>>>> 6. pipe the output to the Autopsy DB / a file on disk - maybe *.txt
>>>>>>>>>> 7. display the output in an Autopsy window
>>>>>>>>>>
>>>>>>>>>> Any suggestions?
>>>>>>>>>>
>>>>>>>>>> Regards
>>>>>>>>>> Vic
>>>>>>>>>>
>>>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>>> _______________________________________________
>>>>>>>>>> sleuthkit-developers mailing list
>>>>>>>>>> sle...@li...
>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers
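The following is an added example (written for this page, not code from the thread, from Vic's VfIngestModule repository, or from Autopsy itself) that puts Brian's "first pass" advice together in one file-level ingest module: locate an executable packaged in the NetBeans 'release' folder with InstalledFileLocator, skip every file that is not a local .lime file, run a few Volatility plugins on it, and hand the output folder to Case.addReport() so it appears in the case tree. The package name, the release/volatility/vol.exe layout, the plugin list and the output folder names are assumptions; the Autopsy calls follow the 3.1-era API names (IngestJobContext.fileIngestIsCancelled(), Case.getModulesOutputDirAbsPath(), Case.addReport()) as used by the PhotoRec module the thread points to. Two practical points the thread does not spell out are visible in the code: the reference counter is what lets per-job setup and the final addReport() run exactly once even though Autopsy instantiates the module once per ingest thread, and the command line is built as an argument list rather than a shell string, so an attacker-chosen file name inside the evidence cannot smuggle extra options or commands into the Volatility invocation.

```java
package org.example.volatilityingest; // assumed package name

import java.io.File;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.logging.Level;

import org.openide.modules.InstalledFileLocator;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.coreutils.Logger;
import org.sleuthkit.autopsy.ingest.FileIngestModule;
import org.sleuthkit.autopsy.ingest.IngestJobContext;
import org.sleuthkit.autopsy.ingest.IngestModuleReferenceCounter;
import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.TskCoreException;

/** Runs a packaged Volatility executable on every local .lime file in the ingest job. */
public class VolatilityFileIngestModule implements FileIngestModule {

    private static final Logger logger = Logger.getLogger(VolatilityFileIngestModule.class.getName());

    // Shared by all instances of this module (Autopsy creates one per ingest thread),
    // so that per-job setup and teardown happen exactly once per job id.
    private static final IngestModuleReferenceCounter refCounter = new IngestModuleReferenceCounter();

    // Assumed layout inside the NetBeans 'release' folder: release/volatility/vol.exe
    private static final String VOLATILITY_EXE = "volatility/vol.exe";
    // Hard coded for the first pass, as in the thread.
    private static final List<String> PLUGINS = Arrays.asList("pslist", "netscan");

    private IngestJobContext context;
    private File volatilityExe;
    private File outputRoot;

    @Override
    public void startUp(IngestJobContext context) throws IngestModuleException {
        this.context = context;

        // Find the executable that NetBeans copied from 'release' into the NBM.
        volatilityExe = InstalledFileLocator.getDefault().locate(
                VOLATILITY_EXE, VolatilityFileIngestModule.class.getPackage().getName(), false);
        if (volatilityExe == null || !volatilityExe.canExecute()) {
            throw new IngestModuleException("Volatility executable not found: " + VOLATILITY_EXE);
        }

        // One output folder per ingest job under the case's module output directory.
        outputRoot = new File(Case.getCurrentCase().getModulesOutputDirAbsPath(),
                "Volatility" + File.separator + "job-" + context.getJobId());

        // Only the first instance for this job creates the folder.
        if (refCounter.incrementAndGet(context.getJobId()) == 1
                && !outputRoot.isDirectory() && !outputRoot.mkdirs()) {
            throw new IngestModuleException("Cannot create " + outputRoot);
        }
    }

    @Override
    public ProcessResult process(AbstractFile file) {
        // Ignore everything that is not a .lime file added as a logical/local file.
        if (!file.isFile() || !file.getName().toLowerCase().endsWith(".lime")) {
            return ProcessResult.OK;
        }
        String imagePath = file.getLocalAbsPath();
        if (imagePath == null) {
            logger.log(Level.WARNING, "{0} is not a local file, skipping", file.getName());
            return ProcessResult.OK;
        }

        // Object id keeps two evidence files with the same name apart.
        File outDir = new File(outputRoot, file.getId() + "_" + file.getName());
        outDir.mkdirs();
        for (String plugin : PLUGINS) {
            if (context.fileIngestIsCancelled()) {
                return ProcessResult.OK;
            }
            try {
                runPlugin(imagePath, plugin, new File(outDir, plugin + ".txt"));
            } catch (IOException | InterruptedException ex) {
                logger.log(Level.SEVERE, "Volatility " + plugin + " failed on " + file.getName(), ex);
                return ProcessResult.ERROR;
            }
        }
        return ProcessResult.OK;
    }

    private void runPlugin(String imagePath, String plugin, File outFile)
            throws IOException, InterruptedException {
        // Argument list, not a shell string: a crafted file name cannot inject
        // extra options or commands into the Volatility invocation.
        ProcessBuilder pb = new ProcessBuilder(volatilityExe.getAbsolutePath(), "-f", imagePath, plugin);
        pb.redirectErrorStream(true);
        pb.redirectOutput(outFile);
        int rc = pb.start().waitFor();
        if (rc != 0) {
            throw new IOException("Volatility exited with code " + rc);
        }
    }

    @Override
    public void shutDown() {
        // The last instance to finish for this job links the output folder into the case tree.
        if (refCounter.decrementAndGet(context.getJobId()) == 0) {
            try {
                Case.getCurrentCase().addReport(outputRoot.getAbsolutePath(), "Volatility",
                        "Volatility output (ingest job " + context.getJobId() + ")");
            } catch (TskCoreException ex) {
                logger.log(Level.SEVERE, "Failed to register Volatility output as a report", ex);
            }
        }
    }
}
```

The module still needs an IngestModuleFactory that returns new instances of this class and the NetBeans service registration, exactly as the PhotoRec module has; those parts are unchanged from any other third-party module and are left out here. Parsing the per-plugin text files into Blackboard artifacts, Brian's other option, would replace the addReport() call with artifact creation in process() and needs new artifact types, which this example does not attempt.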