Re: [sleuthkit-users] Autopsy Python module - Retrieving data from a blackboard
From: Brian C. <ca...@sl...> - 2015-06-05 17:28:38
Sidesh and I updated the sample module to:

- have an example reading artifacts using python
- have easier logging
- skip non-files
- added URLs to the java objects that are being passed in so that you have more context about what you can do

https://github.com/sleuthkit/autopsy/blob/develop/pythonExamples/fileIngestModule.py

Hopefully that helps!

> On Jun 3, 2015, at 6:00 PM, Brian Carrier <ca...@sl...> wrote:
>
>> On Jun 3, 2015, at 8:15 AM, Sylvain Petiot <syl...@gm...> wrote:
>>
>> Hello,
>>
>> I am trying to develop a Python module for Autopsy but several questions remain unanswered for now despite my research. I need your expertise to carry out my project.
>> I would like your help with three points that I haven't found an answer to:
>>
>> 1) Find the blackboard of data (generated by other modules) in python
>
> In the sample files you referred to below, the ‘file’ object is passed in to the process() method in a FileIngestModule, or you get a Content object from the ‘findFiles()’ methods in the DataSourceIngestModules. Both of those are Content objects:
>
> http://sleuthkit.org/sleuthkit/docs/jni-docs/interfaceorg_1_1sleuthkit_1_1datamodel_1_1_content.html
>
> They have methods to get blackboard artifacts from them, such as getArtifacts(). The above is documentation for the Java classes, and the Python modules have access to all of the Java classes. We’ll have someone work on sample code for querying the blackboard for artifacts. But it is basically the getArtifacts() method that you can see from the above link, and you give it the artifact type that you want from that file.
>
>> 2) Sample module developed for autopsy in python.
>
> You referred below to the sample modules that we have. We (Basis Technology) do all of our development in Java, so we don’t have any “real” modules that are in Python to point to.
>
>> 3) Find a specific file by its path in python.
>
> The sample data source ingest module (https://github.com/sleuthkit/autopsy/blob/develop/pythonExamples/dataSourceIngestModule.py) uses the FileManager service to query for files. The method used in the sample only gives the file name to search for, but there is another method in FileManager that allows you to specify the parent path:
>
> http://sleuthkit.org/autopsy/docs/api-docs/3.1/classorg_1_1sleuthkit_1_1autopsy_1_1casemodule_1_1services_1_1_file_manager.html#a87f2ab90774caaf385839a242ea1284f
>
> That should do what you need.
>
> NOTE: there is a bug in the current version of Autopsy that prevents that method from working on “logical files”, but it is fixed for the release that we’ll be doing next week.
>
>> 1) I'm interested in the recovery of information from a previous module.
>> I saw the documentation about the blackboard, like this page: The Sleuth Kit Framework - The Blackboard, and we can see that access to the blackboard is possible in C++ and Java.
>> Is it possible to do the same thing with python, and how?
>
> Yup. As mentioned above. The most up-to-date docs on the blackboard are here:
>
> http://sleuthkit.org/sleuthkit/docs/jni-docs/mod_bbpage.html
>
>> 2) I did some research to find python modules developed for autopsy, and I have not found complete projects outside the examples found at: https://github.com/sleuthkit/autopsy/tree/develop/pythonExamples
>> Do you have some links to existing projects developed in python (not Java or netbeans projects)?
>
> See above. That’s all we have.
>
>> 3) I would use in my module files with a defined path to display them in the blackboard "INTERESTING_FILE_HIT". The examples clearly show how to recover files with the find method and after that display these files into the blackboard, no problem about that.
>> But how to specify a path to a specific file, without using a keyword search (still in python)?
>
> See above.
>
> Let us know if you have other questions.
>
>> Thank you to those who respond to this message.
>> Cordially
>>
>> Sylvain
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
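An added example (not code from this thread or from the Autopsy project) of the approach Brian describes: a Jython file ingest module calls getArtifacts() on the Content object handed to process(), walks the attributes of the artifacts another module already posted, and posts its own TSK_INTERESTING_FILE_HIT. The module class and name, the Java method names listed in the comments, the `example.org` domain and the fake Content built by `sample_content()` are all assumptions or constructed data; the two helper functions are duck-typed so they also run outside Autopsy.

```python
def summarize_artifacts(content, artifact_type):
    """[(artifact_id, {attribute_type_name: value}), ...] for each artifact of
    artifact_type on content. Assumed API: Content.getArtifacts(type), BlackboardArtifact
    .getArtifactID()/.getAttributes(), BlackboardAttribute.getAttributeTypeName()/.getValueString()."""
    return [(art.getArtifactID(),
             dict((a.getAttributeTypeName(), a.getValueString())
                  for a in art.getAttributes()))
            for art in content.getArtifacts(artifact_type)]

def urls_matching(content, artifact_type, needle):
    """TSK_URL values of those artifacts that contain needle."""
    return [attrs["TSK_URL"] for _, attrs in summarize_artifacts(content, artifact_type)
            if needle in attrs.get("TSK_URL", "")]

try:  # these Java classes exist only inside Autopsy's Jython interpreter
    from org.sleuthkit.datamodel import BlackboardArtifact, BlackboardAttribute
    from org.sleuthkit.autopsy.ingest import FileIngestModule, IngestModule
    IN_AUTOPSY = True
except ImportError:  # plain CPython: the helpers still run on the fake below
    IN_AUTOPSY = False

if IN_AUTOPSY:
    class WebHistoryFlagModule(FileIngestModule):  # hypothetical; factory,
        MODULE_NAME = "Web history flagger (example)"  # startUp, shutDown omitted

        def process(self, file):
            if not file.isFile():  # skip directories, unallocated space, etc.
                return IngestModule.ProcessResult.OK
            history = BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY
            if urls_matching(file, history, "example.org"):  # placeholder domain
                hit = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
                hit.addAttribute(BlackboardAttribute(
                    BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME,
                    self.MODULE_NAME, "Browser history mentioning example.org"))
            return IngestModule.ProcessResult.OK

def _fake(**results):  # constructed stand-in: each keyword becomes a method returning that value
    obj = type("Fake", (), {})()
    for name, value in results.items():
        setattr(obj, name, (lambda v: lambda *_: v)(value))
    return obj

def sample_content():
    """Constructed Content carrying two TSK_WEB_HISTORY artifacts (not real case data)."""
    def attr(n, v): return _fake(getAttributeTypeName=n, getValueString=v)
    return _fake(getArtifacts=[
        _fake(getArtifactID=7, getAttributes=[attr("TSK_URL", "http://example.org/a"),
                                              attr("TSK_TITLE", "A")]),
        _fake(getArtifactID=8, getAttributes=[attr("TSK_URL", "http://other.test/")])])
```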