Re: [sleuthkit-users] Autopsy Python module - read file header
From: Justin G. <jus...@gm...> - 2015-05-21 19:25:33
Thank you Jim, Sam, and Brian for the info (and code) on how to read the contents from a file through an Autopsy Python module. Saved me a lot of time! It now works after figuring out how to adapt them to my specific situation.

-Justin

On Tue, May 19, 2015 at 8:01 AM, <sle...@li...> wrote:

> Send sleuthkit-users mailing list submissions to
>     sle...@li...
>
> To subscribe or unsubscribe via the World Wide Web, visit
>     https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> or, via email, send a message with subject or body 'help' to
>     sle...@li...
>
> You can reach the person managing the list at
>     sle...@li...
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of sleuthkit-users digest..."
>
>
> Today's Topics:
>
>    1. Re: Autopsy Python module - read file header (Brian Carrier)
>    2. Re: Information about IngestModule (Brian Carrier)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 18 May 2015 22:52:14 -0400
> From: Brian Carrier <ca...@sl...>
> Subject: Re: [sleuthkit-users] Autopsy Python module - read file header
> To: James H Jr Jones <jj...@gm...>
> Cc: "sle...@li..." <sle...@li...>
> Message-ID: <2F3...@sl...>
> Content-Type: text/plain; charset=us-ascii
>
> Yea, the code that Jim included here is the way to go. Our first python
> module hit the same road block. The sample module
> (https://github.com/sleuthkit/autopsy/blob/develop/pythonExamples/simpleingestmodule.py)
> has the code to read content.
>
>
> On May 18, 2015, at 5:51 PM, James H Jr Jones <jj...@gm...> wrote:
>
> > Something like this should work (when modified for your specific needs):
> >
> >     # Read the contents of the file.
> >     inputStream = ReadContentInputStream(file)
> >     buffer = jarray.zeros(1024, "b")   # Java byte[] buffer for Jython
> >     totLen = 0
> >     bytesRead = inputStream.read(buffer)   # returns -1 at end of content
> >     while (bytesRead != -1):
> >         totLen = totLen + bytesRead
> >         bytesRead = inputStream.read(buffer)
> >
> > Also, imports include:
> >
> >     import jarray
> >     from java.lang import System
> >     from org.sleuthkit.datamodel import ReadContentInputStream   # used above
> >
> > --Jim
> >
> >
> > From: Justin Grover [mailto:jus...@gm...]
> > Sent: Monday, May 18, 2015 5:42 PM
> > To: sle...@li...
> > Subject: [sleuthkit-users] Autopsy Python module - read file header
> >
> > Autopsy devs--
> >
> > I've got a python File Ingest Module. Let's say I need to read the
> > first byte from each file to determine its header value. What's the best
> > way to do this in Python/Autopsy?
> >
> > I've got the following function within my module, but it doesn't work.
> > Jython doesn't seem to handle the callback to fill the buffer.
> >
> >     def process(self, abstractFile):
> >         buf = []
> >         tmp = abstractFile.read(buf, 0, 1)
> >
> > -Justin
> >
> > ------------------------------------------------------------------------------
> > One dashboard for servers and applications across Physical-Virtual-Cloud
> > Widest out-of-the-box monitoring support with 50+ applications
> > Performance metrics, stats and reports that give you Actionable Insights
> > Deep dive visibility with transaction tracing using APM Insight.
> > http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
> > _______________________________________________
> > sleuthkit-users mailing list
> > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> > http://www.sleuthkit.org
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 18 May 2015 22:56:57 -0400
> From: Brian Carrier <ca...@sl...>
> Subject: Re: [sleuthkit-users] Information about IngestModule
> To: Geoffrey Wagnier <wag...@gm...>
> Cc: sleuthkit-users <sle...@li...>
> Message-ID: <300...@sl...>
> Content-Type: text/plain; charset=us-ascii
>
> Hi Geoffrey,
>
> Answers inline.
>
> > On May 18, 2015, at 3:51 AM, Geoffrey Wagnier <wag...@gm...> wrote:
> >
> > Hi guys,
> >
> > Some news about my project with autopsy,
> >
> > Now I have my 2 modules installed and it works,
> >
> > However I have 2 questions:
> >
> > First, is it possible to launch 2 IngestModules at the same time with
> > different names?
>
> Sure. You should see both ingest modules listed individually after you add
> a data source and can enable or disable each. Do you see both modules in
> there?
>
> > Secondly, do results from those modules have to be in "Interesting Items"
> > or could we create another folder?
>
> You can use Interesting Items or any of the blackboard artifacts that are
> already defined:
>
> http://sleuthkit.org/sleuthkit/docs/jni-docs/enumorg_1_1sleuthkit_1_1datamodel_1_1_blackboard_artifact_1_1_a_r_t_i_f_a_c_t___t_y_p_e.html
>
> In theory, you can also make your own Artifact types and add them to the
> database, however there is currently a limitation that they are not shown
> in the UI. They need to be part of the official ENUM for them to make their
> way into the UI.
>
> Does that answer your questions?
>
> brian
>
>
> ------------------------------
>
> _______________________________________________
> sleuthkit-users mailing list
> sle...@li...
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>
>
> End of sleuthkit-users Digest, Vol 107, Issue 13
> ************************************************
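The header read Justin asked about, built around the -1-terminated read loop Jim posted, as an added example that is not code from the thread or from Autopsy. It is pure Python so it runs outside Autopsy: FakeContentStream, SIGNATURES and the max_chunk short-read behaviour are constructed for the example; in a Jython ingest module the stream would be ReadContentInputStream(abstractFile) and the buffer jarray.zeros(n, "b").

```python
# Added example, not code from the thread or from Autopsy. The stream and the
# signature table are constructed stand-ins so the logic runs without Jython.

# Constructed table of magic bytes -> file type label.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"%PDF-": "PDF document",
    b"PK\x03\x04": "ZIP container",
    b"MZ": "DOS/Windows executable",
}
HEADER_LEN = max(len(magic) for magic in SIGNATURES)

class FakeContentStream(object):
    """Stand-in for org.sleuthkit.datamodel.ReadContentInputStream, constructed
    for this example: read(buffer) fills the buffer and returns the byte count,
    or -1 at end of content. It deliberately serves short reads (max_chunk)."""

    def __init__(self, data, max_chunk=4):
        self._data = data
        self._pos = 0
        self._max_chunk = max_chunk

    def read(self, buffer):
        if self._pos >= len(self._data):
            return -1
        n = min(len(buffer), self._max_chunk, len(self._data) - self._pos)
        buffer[:n] = self._data[self._pos:self._pos + n]
        self._pos += n
        return n

def read_header(stream, want=HEADER_LEN):
    """Collect up to `want` leading bytes: short reads are accumulated, a file
    shorter than `want` yields fewer bytes, and -1 is the only EOF signal."""
    header = bytearray()
    buffer = bytearray(want)  # jarray.zeros(want, "b") under Jython
    while len(header) < want:
        n = stream.read(buffer)
        if n == -1:
            break
        header += buffer[:n]
    # Under Jython, jarray bytes are signed: mask with & 0xFF before comparing
    # against magic values above 0x7F (e.g. the 0x89 that opens a PNG).
    return bytes(header[:want])

def identify(header):
    """Return the label whose magic bytes prefix the header, or None."""
    for magic, label in SIGNATURES.items():
        if header[:len(magic)] == magic:
            return label
    return None
```

Inside process(self, abstractFile) the same read_header/identify pair runs unchanged once FakeContentStream is swapped for ReadContentInputStream(abstractFile), with the match posted as whichever blackboard artifact the module uses.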