Re: [sleuthkit-developers] Branching BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT?
From: Richard C. <rco...@ba...> - 2014-12-03 15:27:41
Rajmund, I mentioned this conversation to Brian Carrier and learned that the idea of adding this sort of hierarchy for interesting file hits and/or tags via a path-based mechanism has been discussed before, so it is "on the radar screen" so to speak. However, it is still true that this feature has not been allocated to any upcoming release at this point.

Uploads to the wiki are outside of my purview, so I am explicitly adding Brian Carrier to this conversation for further comment.

On Tue, Dec 2, 2014 at 4:33 AM, Rajmund <ra...@4e...> wrote:

> Dear Richard,
>
> Thank you for your long response. The solution you described seems more suited to the end-user perspective and not for the output of a File Ingest Module. Since in API 3.1 TSK_TAG_FILE became deprecated and the behaviour for display changed I was looking for a new Artifact type to use for allowing the user to view a grouping of files using the Thumbnail result viewer.
>
> So far TSK_INTERESTING_FILE_HIT seems the most suitable for what I want to do but does not allow for the hierarchical “tagging” I was looking for. Your screenshot does however show nicely where some of the other artifact types will be displayed inside Autopsy. Thank you.
>
> In the end I may have to play around with creating a custom Artifact in combination with the standard ones and look into how easy it is to implement a result viewer module.
>
> Do you know if the Sleuthkit wiki can be opened up for uploads so I can add some screenshots documenting some of the usage for Artifacts which may benefit other developers looking for the right one?
>
> Thank you
>
> Rajmund
>
> *From:* Richard Cordovano [mailto:rco...@ba...]
> *Sent:* 01 December 2014 15:19
> *To:* Rajmund
> *Subject:* Re: [sleuthkit-developers] Branching BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT?
>
> Rajmund, there are currently no plans to support hierarchical interesting file set definitions.
>
> Are you aware of Autopsy's tagging capability? Tagging may help you to highlight folders of interest. You can apply named tags to files (including folders) and artifacts. There is one predefined "Bookmark" tag. An individual tag can have a comment associated with it.
>
> To apply a tag, select one or more items in the tabular view (results viewer) and right-click to bring up the context (right-click) menu.
>
> I have attached a screen shot of the tagging menu items and the way tags appear in the tree. In the screen shot, you will see that I have selected a volume in the tree and have selected two folders at the root of that volume to tag. In the lower left corner of the screen shot, notice that tagged items are accessed in the tree under Results/Tags and are sorted by tag name, then by tag type (file or artifact). In this screenshot, five items have been tagged with the "Bookmark" tag - two files and three artifacts.
>
> Currently, tagging does not work in the tree itself. The workaround is as described above - use the tree to drill down until what you want to tag appears in the tabular view.
>
> Richard Cordovano
> Principal Software Engineer
> Basis Technology
>
> On Sun, Nov 30, 2014 at 4:34 PM, Rajmund <ra...@4e...> wrote:
>
> Thanks Richard,
>
> Do you know if there are plans to allow grouping of results in this fashion?
>
> What are other common artifact types used by developers here to highlight files found/analysed?
>
> If I want to highlight certain folders in the navigation tree what have you found to be a good way to do so?
>
> Thanks
>
> Rajmund
>
> *From:* Richard Cordovano [mailto:rco...@ba...]
> *Sent:* 28 November 2014 14:38
> *To:* Rajmund
> *Cc:* Autopsy Developers
> *Subject:* Re: [sleuthkit-developers] Branching BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT?
>
> Sorry, Rajmund, there is currently no way to create the sort of hierarchy of interesting file set definitions you are envisioning.
>
> The code that shows interesting file hits in the "Interesting Items" tree groups the file hit results (artifacts) by file set name, and every file hit artifact has a single set name attribute. You could add separators to your set names, but that would only define new set names - the set names are not parsed to discover additional structure.
>
> On Fri, Nov 28, 2014 at 2:56 AM, Rajmund <ra...@4e...> wrote:
>
> Hi Team,
>
> I was wondering if there is a way to branch/create child items for the BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT in order to group them together?
>
> The goal would be that it would be shown in Autopsy as:
>
> Interesting Items
>   SetNameA
>     SetNameAB
>     SetNameAC
>   SetNameB
>
> Is there a separator to be used in TSK_SET_NAME? Or do I somehow have to add the children to the parent artifact?
>
> Is there another artefact type which allows the above if this one does not?
>
> Thanks
>
> Rajmund
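
The grouping behaviour Richard describes in the 28 November reply, next to the path-based idea mentioned at the top of the thread, as an added example that is not part of the original messages and is not Autopsy code: it models the Interesting Items tree in plain Java. The class, the `/` separator and the sample file names are assumptions made for illustration.

```java
import java.util.*;
import java.util.regex.Pattern;

public class InterestingItemsGrouping {
    // Constructed sample hits: {file name, TSK_SET_NAME value}. Not real case data.
    static final String[][] HITS = {
        {"a1.jpg", "SetNameA"}, {"ab1.jpg", "SetNameA/SetNameAB"},
        {"ab2.jpg", "SetNameA/SetNameAB"}, {"ac1.jpg", "SetNameA/SetNameAC"},
        {"b1.jpg", "SetNameB"},
    };

    // Flat grouping, as the thread describes: the whole string is the key,
    // so "SetNameA/SetNameAB" is just another top-level set.
    static SortedMap<String, List<String>> groupFlat(String[][] hits) {
        SortedMap<String, List<String>> sets = new TreeMap<>();
        for (String[] h : hits) {
            sets.computeIfAbsent(h[1], k -> new ArrayList<>()).add(h[0]);
        }
        return sets;
    }

    // Hypothetical path-based grouping: each separator-delimited segment
    // becomes a child node. The thread says set names were not parsed this way.
    static final class Node {
        final SortedMap<String, Node> children = new TreeMap<>();
        final List<String> files = new ArrayList<>();
    }

    static Node groupByPath(String[][] hits, String separator) {
        Node root = new Node();
        for (String[] h : hits) {
            Node cur = root;
            for (String seg : h[1].split(Pattern.quote(separator))) {
                if (seg.isEmpty()) continue; // tolerate leading or doubled separators
                cur = cur.children.computeIfAbsent(seg, k -> new Node());
            }
            cur.files.add(h[0]);
        }
        return root;
    }

    static void print(Node n, String indent) {
        for (Map.Entry<String, Node> e : n.children.entrySet()) {
            System.out.println(indent + e.getKey() + " " + e.getValue().files);
            print(e.getValue(), indent + "  ");
        }
    }

    public static void main(String[] args) {
        System.out.println("Flat (one node per set name):");
        groupFlat(HITS).forEach((k, v) -> System.out.println("  " + k + " " + v));
        System.out.println("Path-based (hypothetical):");
        print(groupByPath(HITS, "/"), "  ");
    }
}
```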