Re: [sleuthkit-users] Autopsy Python Tutorial #2: Data Source Ingest Modules
From: Justin G. <jus...@gm...> - 2015-08-20 13:23:55
Hmmmm. Weird. Thanks for checking. My folder structure is really simple. Single folder contains 5 jpg's: a.jpg, b.jpg, c.jpg, d.jpg, e.jpg. I'll provide a larger code snippet when I get a chance later today.

On Aug 20, 2015 9:19 AM, "Brian Carrier" <ca...@sl...> wrote:
> Never mind. I was using an older version of the sample database. Both the tutorial and %jpg work for me. What does your input data look like (folders, file names, etc.)?
>
> > On Aug 19, 2015, at 5:40 PM, Brian Carrier <ca...@sl...> wrote:
> >
> > Hi Justin,
> >
> > Interestingly, I can get the %jpg to work, but I found that the tutorial stopped working for me (it is not finding contacts.db - or at least not making artifacts for it). Let me debug this to see if I checked in the wrong final code / sample data.
> >
> > brian
> >
> >> On Aug 19, 2015, at 12:26 PM, Justin Grover <jus...@gm...> wrote:
> >>
> >> Note...I found what I think is a bug while following Tutorial #2. If you run a python Data Source Ingest Module against a LogicalFileSet, the following will not work from the Tutorial:
> >>
> >>     files = fileManager.findFiles(dataSource, "contacts.db")
> >>
> >> I've been trying to point Autopsy against a logical directory of JPGs and using "%jpg" as my search string and it won't find any of them. However, when I switch my Data Source to be an image (instead of a LogicalFileSet), it works just fine.
> >>
> >> -Justin
> >>
> >> On Mon, Aug 17, 2015 at 6:38 PM, <sle...@li...> wrote:
> >>
> >> Message: 1
> >> Date: Mon, 17 Aug 2015 18:01:05 -0400
> >> From: Brian Carrier <ca...@sl...>
> >> Subject: [sleuthkit-users] Autopsy Python Tutorial #2: Data Source Ingest Modules
> >>
> >> To help you put $1000 in your pocket as part of the OSDFCon Autopsy Module challenge (http://www.osdfcon.org/2015-event/2015-module-development-contest/), Basis Technology released another Python tutorial.
> >>
> >> http://www.basistech.com/python-autopsy-module-tutorial-2-the-data-source-ingest-module/
> >>
> >> This one is on writing Python-based data source ingest modules and it covers two topics:
> >> 1) Finding a SQLite database, parsing it, and making blackboard artifacts
> >> 2) Writing a wrapper around a command line tool that takes a disk image as input
> >>
> >> Final source code is included (which can be used as part of a challenge submission with a little copy and pasting...).
> >>
> >> We also uploaded final source code for the first tutorial (on finding big and round files) for those who followed that one:
> >>
> >> https://github.com/sleuthkit/autopsy/tree/develop/pythonExamples/July2015FileTutorial_BigRound
> >>
> >> Enjoy!
> >>
> >> brian
> >>
> >> ------------------------------
> >>
> >> Message: 2
> >> Date: Mon, 17 Aug 2015 18:38:13 -0400
> >> From: Brian Carrier <ca...@sl...>
> >> Subject: [sleuthkit-users] Timeline Survey Question
> >>
> >> We're reviewing some changes to the timeline module and wanted some feedback.
> >>
> >> Background: In the "details" view, we currently cluster together events if they happen close to each other. But, once there is a gap in events in a certain folder (or URL), then we break the cluster in the UI. This means that you could have clusters for the same folder (Program Files in the below example) that span multiple clusters. Notice in this image below, there are three "Program Files" clusters (two in the top row and one in the fifth row). The motivation for this was that it would be useful to know that there was a gap in between the clusters of events.
> >>
> >> [attachment scrubbed: events_current.png]
> >>
> >> We are looking at an alternative, which is to have a single cluster for the entire view (regardless of whether there is a gap). This means that even if there are only events at the left of the screen and the right, then it would be a solid band. It would look something like this:
> >>
> >> [attachment scrubbed: events_spans.png]
> >>
> >> The benefit of this would be that all of the events in the given description (folder name, for example) would be obvious, and we would waste less space rewriting the name so often. It comes at the potential downside, though, that it may take more vertical space because we could have lots of sparse bands.
> >>
> >> Opinions?
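As an added diagnostic, not code from the thread or from the Basis Technology tutorial: a minimal Jython data source ingest module that runs the exact-name and `%` wildcard lookups mentioned in the thread and writes the data source's concrete class and the hit count per pattern to the Autopsy log, so the image-versus-LogicalFileSet difference Justin describes shows up directly. It runs only inside Autopsy's Jython environment (the org.sleuthkit imports); the class names, log text and the `%.jpg` pattern are assumptions.

```jython
# Added diagnostic module (not from the tutorial or the thread); class names and log text are hypothetical.
from java.util.logging import Level
from org.sleuthkit.datamodel import TskCoreException
from org.sleuthkit.autopsy.ingest import IngestModule, DataSourceIngestModule, IngestModuleFactoryAdapter
from org.sleuthkit.autopsy.casemodule import Case
from org.sleuthkit.autopsy.coreutils import Logger

class FindFilesCheckModuleFactory(IngestModuleFactoryAdapter):
    moduleName = "findFiles pattern check"  # hypothetical display name

    def getModuleDisplayName(self):
        return self.moduleName

    def getModuleDescription(self):
        return "Logs how many files findFiles() returns for each pattern"

    def getModuleVersionNumber(self):
        return "1.0"

    def isDataSourceIngestModuleFactory(self):
        return True

    def createDataSourceIngestModule(self, ingestOptions):
        return FindFilesCheckModule()

class FindFilesCheckModule(DataSourceIngestModule):
    _logger = Logger.getLogger(FindFilesCheckModuleFactory.moduleName)

    def startUp(self, context):
        pass

    def process(self, dataSource, progressBar):
        progressBar.switchToIndeterminate()
        # Record the concrete data source class so a disk image and a logical
        # file set (the two cases in the thread) can be told apart in the log.
        self._logger.log(Level.INFO, "data source %s is a %s" % (dataSource.getName(), dataSource.getClass().getName()))
        fileManager = Case.getCurrentCase().getServices().getFileManager()
        # findFiles() takes a SQL LIKE pattern: "%" matches any run of characters.
        for pattern in ["contacts.db", "%jpg", "%.jpg"]:
            try:
                files = fileManager.findFiles(dataSource, pattern)
            except TskCoreException as e:
                self._logger.log(Level.SEVERE, "findFiles(%s) failed" % pattern, e)
                return IngestModule.ProcessResult.ERROR
            names = ", ".join([f.getName() for f in files])
            self._logger.log(Level.INFO, "pattern %s matched %d file(s): %s" % (pattern, files.size(), names))
        return IngestModule.ProcessResult.OK
```

Run it once against a disk image and once against a logical file set of the same five JPGs; a zero count for the wildcard patterns on only the logical file set reproduces the behaviour reported in the thread.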