Re: [sleuthkit-developers] Branching BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT?
From: Rajmund <ra...@4e...> - 2014-12-02 09:34:19
Dear Richard,

Thank you for your long response. The solution you described seems more suited to the end-user perspective and not for the output of a File Ingest Module. Since in API 3.1 TSK_TAG_FILE became deprecated and the behaviour for display changed, I was looking for a new Artifact type to use for allowing the user to view a grouping of files using the Thumbnail result viewer. So far TSK_INTERESTING_FILE_HIT seems the most suitable for what I want to do but does not allow for the hierarchical "tagging" I was looking for. Your screenshot does however show nicely where some of the other artifact types will be displayed inside Autopsy. Thank you.

In the end I may have to play around with creating a custom Artifact in combination with the standard ones and look into how easy it is to implement a result viewer module.

Do you know if the Sleuthkit wiki can be opened up for uploads so I can add some screenshots documenting some of the usage for Artifacts, which may benefit other developers looking for the right one?

Thank you
Rajmund

From: Richard Cordovano [mailto:rco...@ba...]
Sent: 01 December 2014 15:19
To: Rajmund
Subject: Re: [sleuthkit-developers] Branching BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT?

Rajmund, there are currently no plans to support hierarchical interesting file set definitions.

Are you aware of Autopsy's tagging capability? Tagging may help you to highlight folders of interest. You can apply named tags to files (including folders) and artifacts. There is one predefined "Bookmark" tag. An individual tag can have a comment associated with it. To apply a tag, select one or more items in the tabular view (results viewer) and right-click to bring up the context (right-click) menu. I have attached a screen shot of the tagging menu items and the way tags appear in the tree. In the screen shot, you will see that I have selected a volume in the tree and have selected two folders at the root of that volume to tag.

In the lower left corner of the screen shot, notice that tagged items are accessed in the tree under Results/Tags and are sorted by tag name, then by tag type (file or artifact). In this screenshot, five items have been tagged with the "Bookmark" tag - two files and three artifacts.

Currently, tagging does not work in the tree itself. The work around is as described above - use the tree to drill down until what you want to tag appears in the tabular view.

Richard Cordovano
Principal Software Engineer
Basis Technology

On Sun, Nov 30, 2014 at 4:34 PM, Rajmund <ra...@4e...> wrote:

Thanks Richard,

Do you know if there are plans to allow grouping of results in this fashion? What are other common artifact types used by developers here to highlight files found/analysed? If I want to highlight certain folders in the navigation tree, what have you found to be a good way to do so?

Thanks
Rajmund

From: Richard Cordovano [mailto:rco...@ba...]
Sent: 28 November 2014 14:38
To: Rajmund
Cc: Autopsy Developers
Subject: Re: [sleuthkit-developers] Branching BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT?

Sorry, Rajmund, there is currently no way to create the sort of hierarchy of interesting file set definitions you are envisioning. The code that shows interesting file hits in the "Interesting Items" tree groups the file hit results (artifacts) by file set name, and every file hit artifact has a single set name attribute. You could add separators to your set names, but that would only define new set names - the set names are not parsed to discover additional structure.

On Fri, Nov 28, 2014 at 2:56 AM, Rajmund <ra...@4e...> wrote:

Hi Team,

I was wondering if there is a way to branch/create child items for the BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT in order to group them together? The goal would be that it would be shown in Autopsy as:

Interesting Items
  SetNameA
    SetNameAB
    SetNameAC
  SetNameB

Is there a separator to be used in TSK_SET_NAME? Or do I somehow have to add the children to the parent artifact? Is there another artefact type which allows the above if this one does not?

Thanks
Rajmund
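An added example, not code from this thread or from the Autopsy project, showing what the discussion above describes in terms of the 3.1-era Autopsy module API: a minimal FileIngestModule that records a TSK_INTERESTING_FILE_HIT artifact with a single TSK_SET_NAME attribute for each file it flags. It illustrates Richard's point that the set name is one flat label: a name containing a separator such as "/" is simply displayed as another set under "Interesting Items", not as a child of the first. The module name, the two set names and the extension-based rule are assumptions made for the illustration; the API calls are the ones available around Autopsy 3.1 and later releases replaced fireModuleDataEvent with posting through the blackboard.

```java
import java.util.Collections;

import org.sleuthkit.autopsy.ingest.FileIngestModule;
import org.sleuthkit.autopsy.ingest.IngestJobContext;
import org.sleuthkit.autopsy.ingest.IngestModule;
import org.sleuthkit.autopsy.ingest.IngestServices;
import org.sleuthkit.autopsy.ingest.ModuleDataEvent;
import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.TskCoreException;

/**
 * Hypothetical file ingest module (added example, not part of Autopsy).
 * For every file that matches a rule it creates one TSK_INTERESTING_FILE_HIT
 * artifact carrying exactly one TSK_SET_NAME attribute.
 */
public class ExampleInterestingHitModule implements FileIngestModule {

    // Assumed module name; it is recorded as the source of each attribute.
    private static final String MODULE_NAME = "ExampleInterestingHitModule";

    @Override
    public void startUp(IngestJobContext context) {
        // Nothing to initialise for this illustration.
    }

    @Override
    public IngestModule.ProcessResult process(AbstractFile file) {
        String setName = classify(file);
        if (setName == null) {
            return IngestModule.ProcessResult.OK; // not interesting, no artifact
        }
        try {
            // One artifact per hit, attached to the file it describes.
            BlackboardArtifact hit = file.newArtifact(
                    BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT);

            // The set name is a single string attribute; the tree groups hits
            // by this exact string and does not parse it for structure.
            hit.addAttribute(new BlackboardAttribute(
                    BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(),
                    MODULE_NAME, setName));

            // Tell the UI that new artifacts of this type exist so the
            // "Interesting Items" node refreshes.
            IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(
                    MODULE_NAME,
                    BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT,
                    Collections.singletonList(hit)));
        } catch (TskCoreException ex) {
            return IngestModule.ProcessResult.ERROR;
        }
        return IngestModule.ProcessResult.OK;
    }

    /**
     * Assumed, deliberately simple rule: choose a set name by extension.
     * Returns null when the file should not be flagged.
     */
    static String classify(AbstractFile file) {
        String name = file.getName().toLowerCase();
        if (name.endsWith(".pst")) {
            return "Mail Stores";
        }
        if (name.endsWith(".ost")) {
            // Appears in the tree as a separate, sibling set named
            // "Mail Stores/Offline", not as a child of "Mail Stores".
            return "Mail Stores/Offline";
        }
        return null;
    }

    @Override
    public void shutDown() {
        // Nothing to release for this illustration.
    }
}
```

Because each hit carries exactly one set-name string, any hierarchy a module wants has to be expressed elsewhere, for example by choosing a different artifact type or, as the thread suggests, with tags applied after ingest.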