Re: [sleuthkit-users] Autopsy Python Tutorial #2: Data Source Ingest Modules

From: Brian C. <ca...@sl...> - 2015-08-19 21:40:49

Hi Justin,

Interestingly, I can get the %jpg to work, but I found that the tutorial stopped working for me (it is not finding contacts.db - or at least not making artifacts for it). Let me debug this to see if I checked in the wrong final code / sample data.

brian

> On Aug 19, 2015, at 12:26 PM, Justin Grover <jus...@gm...> wrote:
>
> Note...I found what I think is a bug while following Tutorial #2. If you run a python Data Source Ingest Module against a LogicalFileSet, the following will not work from the Tutorial:
>
> files = fileManager.findFiles(dataSource, "contacts.db")
>
> I've been trying to point Autopsy against a logical directory of JPGs and using "%jpg" as my search string and it won't find any of them. However, when I switch my Data Source to be an image (instead of a LogicalFileSet), it works just fine.
>
> -Justin
>
> On Mon, Aug 17, 2015 at 6:38 PM, <sle...@li...> wrote:
> Send sleuthkit-users mailing list submissions to
> sle...@li...
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> or, via email, send a message with subject or body 'help' to
> sle...@li...
>
> You can reach the person managing the list at
> sle...@li...
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of sleuthkit-users digest..."
>
>
> Today's Topics:
>
> 1. Autopsy Python Tutorial #2: Data Source Ingest Modules (Brian Carrier)
> 2. Timeline Survey Question (Brian Carrier)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 17 Aug 2015 18:01:05 -0400
> From: Brian Carrier <ca...@sl...>
> Subject: [sleuthkit-users] Autopsy Python Tutorial #2: Data Source Ingest Modules
> To: sleuthkit-users <sle...@li...>
> Message-ID: <889...@sl...>
> Content-Type: text/plain; charset=utf-8
>
> To help you put $1000 in your pocket as part of the OSDFCon Autopsy Module challenge (http://www.osdfcon.org/2015-event/2015-module-development-contest/), Basis Technology released another Python tutorial.
>
> http://www.basistech.com/python-autopsy-module-tutorial-2-the-data-source-ingest-module/
>
> This one is on writing Python-based data source ingest modules and it covers two topics:
> 1) Finding a SQLite database, parsing it, and making blackboard artifacts
> 2) Writing a wrapper around a command line tool that takes a disk image as input
>
> Final source code is included (which can be used as part of a challenge submission with a little copy and pasting….).
>
> We also uploaded final source code for the first tutorial (on finding big and round files) for those who followed that one:
>
> https://github.com/sleuthkit/autopsy/tree/develop/pythonExamples/July2015FileTutorial_BigRound
>
> Enjoy!
>
> brian
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 17 Aug 2015 18:38:13 -0400
> From: Brian Carrier <ca...@sl...>
> Subject: [sleuthkit-users] Timeline Survey Question
> To: sleuthkit-users <sle...@li...>
> Message-ID: <902...@sl...>
> Content-Type: text/plain; charset="utf-8"
>
> We're reviewing some changes to the timeline module and wanted some feedback.
>
> Background: In the "details" view, we currently cluster together events if they happen close to each other. But, once there is a gap in events in a certain folder (or URL), then we break the cluster in the UI. This means that you could have clusters for the same folder (Program Files in the below example) that span multiple clusters. Notice in this image below, there are three "Program Files" clusters (two in the top row and one in the fifth row). The motivation for this was that it would be useful to know that there was a gap in between the clusters of events.
>
> [image attachment scrubbed]
>
> We are looking at an alternative, which is to have a single cluster for the entire view (regardless of if there is a gap). This means that even if there are only events at left of the screen and right then it would be a solid band. It would look something like this:
>
> [image attachment scrubbed]
>
> The benefit of this would be that it would be obvious of all of the events in the given description (folder name, for example) and we would waste less space rewriting the name so often. It comes at the potential downside though that it may take more vertical space because we could have lots of sparse bands.
>
> Opinions?
>
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: events_current.png
> Type: image/png
> Size: 76116 bytes
> Desc: not available
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: events_spans.png
> Type: image/png
> Size: 44972 bytes
> Desc: not available
>
> ------------------------------
>
> _______________________________________________
> sleuthkit-users mailing list
> sle...@li...
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>
>
> End of sleuthkit-users Digest, Vol 110, Issue 2
> ***********************************************
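The tutorial's first topic (locate a SQLite database in the data source, parse it, emit one artifact per row) and Justin's `%jpg` name-pattern search both reduce to the same two steps, shown here as an added example that is neither the tutorial's code nor Autopsy's Jython API. Because the Autopsy classes only exist inside the application, this is a plain-Python stand-in: `find_files` walks a directory tree (the loose-file layout of a logical file set) using the SQL LIKE-style pattern that `findFiles` accepts, and `parse_contacts` turns rows into artifact dictionaries. The `contacts` table schema (name, email, phone) and the sample files are constructed for the demonstration; the `TSK_*` strings are the Sleuth Kit blackboard type names as I recall them and serve only as labels here. The directory walk is a substitute for `fileManager.findFiles`, so it neither reproduces nor explains the LogicalFileSet behaviour Justin reports.

```python
import fnmatch
import os
import sqlite3
import tempfile

# Sleuth Kit's standard artifact/attribute type names, used purely as record labels here.
ARTIFACT_TYPE = "TSK_CONTACT"


def like_to_glob(pattern):
    """Translate a SQL LIKE-style name pattern (the form findFiles takes, e.g. "%jpg")
    into a shell glob so a directory walk can honour the same search string."""
    return pattern.replace("%", "*").replace("_", "?")


def find_files(root, name_pattern):
    """Walk a directory tree standing in for a logical file set and return every file
    whose base name matches the pattern, case-insensitively, in sorted order."""
    glob = like_to_glob(name_pattern).lower()
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fnmatch.fnmatchcase(fn.lower(), glob):
                matches.append(os.path.join(dirpath, fn))
    return sorted(matches)


def parse_contacts(db_path):
    """Read the (constructed) contacts table and return one artifact record per row,
    carrying the name/email/phone attributes a module would post to the blackboard."""
    artifacts = []
    conn = sqlite3.connect(db_path)
    try:
        rows = conn.execute("SELECT name, email, phone FROM contacts ORDER BY rowid")
        for name, email, phone in rows:
            artifacts.append({
                "type": ARTIFACT_TYPE,
                "source": db_path,
                "attributes": {"TSK_NAME": name,
                               "TSK_EMAIL": email,
                               "TSK_PHONE_NUMBER": phone},
            })
    finally:
        conn.close()
    return artifacts


def ingest(root):
    """The module body: locate every contacts.db under the data source and parse each."""
    artifacts = []
    for db_path in find_files(root, "contacts.db"):
        artifacts.extend(parse_contacts(db_path))
    return artifacts


def build_sample_data_source():
    """Construct a throw-away directory playing the role of a logical file set:
    a contacts.db with two rows plus a few JPEG-named files (constructed sample data)."""
    root = tempfile.mkdtemp(prefix="lfs_")
    os.makedirs(os.path.join(root, "DCIM"))
    for rel in ("DCIM/IMG_0001.jpg", "DCIM/IMG_0002.JPG", "notes.txt"):
        with open(os.path.join(root, rel), "wb") as fh:
            # JPEG SOI marker for the image files, plain text otherwise.
            fh.write(b"\xff\xd8\xff" if rel.lower().endswith(".jpg") else b"text")
    db = os.path.join(root, "contacts.db")
    conn = sqlite3.connect(db)
    conn.execute("CREATE TABLE contacts (name TEXT, email TEXT, phone TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?)", [
        ("Alice Example", "alice@example.invalid", "555-0100"),
        ("Bob Example", "bob@example.invalid", "555-0101"),
    ])
    conn.commit()
    conn.close()
    return root


if __name__ == "__main__":
    src = build_sample_data_source()
    print("JPEGs:", find_files(src, "%jpg"))
    for artifact in ingest(src):
        print(artifact)
```

Running it lists both JPEG files (the pattern is matched case-insensitively, so `IMG_0002.JPG` is found too) and prints two `TSK_CONTACT` records; the same `find_files` call with a pattern that matches nothing returns an empty list rather than raising, which is the outcome to check for when a name search silently comes back empty.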