Re: [sleuthkit-users] Autopsy Python Tutorial #2: Data Source Ingest Modules
From: Justin G. <jus...@gm...> - 2015-08-20 21:13:30
Brian,
Here is my current complete process() function. I've stripped out
everything else. My variable numFiles reports "0" when run against my
logical directory of five JPGs (on my desktop). When I run it against an
image, it reports correctly (e.g., on an image I have, it reports 2331 JPGs
found).
from org.sleuthkit.autopsy.casemodule import Case
from java.util.logging import Level

def process(self, dataSource, progressBar):
    progressBar.switchToIndeterminate()
    # Look up the FileManager for the open case and search this data source
    # for file names matching the SQL LIKE pattern "%jpg"
    fileManager = Case.getCurrentCase().getServices().getFileManager()
    files = fileManager.findFiles(dataSource, "%jpg")
    numFiles = len(files)
    self.log(Level.INFO, "NumFiles:" + str(numFiles))
-Justin
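A cross-check for the pattern side of the problem, added here and not part of the thread or of Autopsy's code: it reimplements the SQL LIKE name matching that findFiles applies (case-insensitive, % for any run of characters, _ for one character, which is an assumption about findFiles based on the tutorial's "%jpg" usage) over a constructed stand-in for Justin's five-JPG logical directory, so you can see what count the module should log for a given pattern before suspecting the data source type.

```python
import re

# Constructed sample (not Autopsy data): the five-JPG logical directory
# from the thread, plus a nested folder to exercise depth and case.
# Each entry is (parent_path, name, is_file).
SAMPLE_TREE = [
    ("/", "a.jpg", True), ("/", "b.jpg", True), ("/", "c.jpg", True),
    ("/", "d.jpg", True), ("/", "e.jpg", True),
    ("/", "notes.txt", True), ("/", "sub", False),
    ("/sub", "F.JPG", True), ("/sub", "contacts.db", True),
]


def like_to_regex(pattern):
    """Translate an SQL LIKE pattern into an anchored, case-insensitive regex.

    '%' matches any run of characters, '_' exactly one character, and
    everything else is matched literally (so '.' in 'contacts.db' is a dot).
    """
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def find_files(tree, pattern):
    """Names of files (not directories) whose name matches the LIKE pattern.

    Mirrors the shape of fileManager.findFiles(dataSource, pattern): the
    match is on the file name only, at any depth in the tree.
    """
    rx = like_to_regex(pattern)
    return [name for _parent, name, is_file in tree if is_file and rx.match(name)]


def expected_counts(tree):
    """The two searches from the thread: the '%jpg' wildcard and the exact
    'contacts.db' name used by Tutorial #2."""
    return {
        "%jpg": len(find_files(tree, "%jpg")),
        "contacts.db": len(find_files(tree, "contacts.db")),
    }
```

If Autopsy logs a lower count than this for the same files, the LIKE pattern is not what is filtering them out and the data source ingestion itself is the place to look.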
On Thu, Aug 20, 2015 at 9:23 AM, Justin Grover <jus...@gm...>
wrote:
> Hmmmm. Weird. Thanks for checking. My folder structure is really simple.
> Single folder contains 5 jpg's: a.jpg, b.jpg, c.jpg, d.jpg, e.jpg.
>
> I'll provide a larger code snippet when I get a chance later today.
> On Aug 20, 2015 9:19 AM, "Brian Carrier" <ca...@sl...> wrote:
>
>> Never mind. I was using an older version of the sample database. Both
>> the tutorial and %jpg work for me. What does your input data look like
>> (folders, file names, etc.)?
>>
>>
>>
>> > On Aug 19, 2015, at 5:40 PM, Brian Carrier <ca...@sl...>
>> wrote:
>> >
>> > Hi Justin,
>> >
>> > Interestingly, I can get the %jpg to work, but I found that the
>> tutorial stopped working for me (it is not finding contacts.db - or at
>> least not making artifacts for it). Let me debug this to see if I checked
>> in the wrong final code / sample data.
>> >
>> > brian
>> >
>> >> On Aug 19, 2015, at 12:26 PM, Justin Grover <jus...@gm...>
>> wrote:
>> >>
>> >> Note...I found what I think is a bug while following Tutorial #2. If
>> you run a python Data Source Ingest Module against a LogicalFileSet, the
>> following will not work from the Tutorial:
>> >>
>> >> files = fileManager.findFiles(dataSource, "contacts.db")
>> >>
>> >> I've been trying to point Autopsy against a logical directory of JPGs
>> and using "%jpg" as my search string and it won't find any of them.
>> However, when I switch my Data Source to be an image (instead of a
>> LogicalFileSet), it works just fine.
>> >>
>> >> -Justin
>> >>
>> >> On Mon, Aug 17, 2015 at 6:38 PM, <
>> sle...@li...> wrote:
>> >> Message: 1
>> >> Date: Mon, 17 Aug 2015 18:01:05 -0400
>> >> From: Brian Carrier <ca...@sl...>
>> >> Subject: [sleuthkit-users] Autopsy Python Tutorial #2: Data Source
>> >> Ingest Modules
>> >> To: sleuthkit-users <sle...@li...>
>> >>
>> >> To help you put $1000 in your pocket as part of the OSDFCon Autopsy
>> Module challenge (
>> http://www.osdfcon.org/2015-event/2015-module-development-contest/),
>> Basis Technology released another Python tutorial.
>> >>
>> >>
>> http://www.basistech.com/python-autopsy-module-tutorial-2-the-data-source-ingest-module/
>> >>
>> >> This one is on writing Python-based data source ingest modules and it
>> covers two topics:
>> >> 1) Finding a SQLite database, parsing it, and making blackboard
>> artifacts
>> >> 2) Writing a wrapper around a command line tool that takes a disk
>> image as input
>> >>
>> >> Final source code is included (which can be used as part of a
>> challenge submission with a little copy and pasting...).
>> >>
>> >> We also uploaded final source code for the first tutorial (on finding
>> big and round files) for those who followed that one:
>> >>
>> >>
>> https://github.com/sleuthkit/autopsy/tree/develop/pythonExamples/July2015FileTutorial_BigRound
>> >>
>> >> Enjoy!
>> >>
>> >> brian
>> >>
>> >> ------------------------------
>> >>
>> >> Message: 2
>> >> Date: Mon, 17 Aug 2015 18:38:13 -0400
>> >> From: Brian Carrier <ca...@sl...>
>> >> Subject: [sleuthkit-users] Timeline Survey Question
>> >> To: sleuthkit-users <sle...@li...>
>> >>
>> >> We're reviewing some changes to the timeline module and wanted some
>> feedback.
>> >>
>> >> Background: In the "details" view, we currently cluster together
>> events if they happen close to each other. But, once there is a gap in
>> events in a certain folder (or URL), then we break the cluster in the UI.
>> This means that you could have clusters for the same folder (Program Files
>> in the below example) that span multiple clusters. Notice in this image
>> below, there are three "Program Files" clusters (two in the top row and one
>> in the fifth row). The motivation for this was that it would be useful to
>> know that there was a gap in between the clusters of events.
>> >> [image: events_current.png]
>> >>
>> >> We are looking at an alternative, which is to have a single cluster
>> for the entire view (regardless of whether there is a gap). This means that even
>> if there are only events at left of the screen and right then it would be a
>> solid band. It would look something like this:
>> >> [image: events_spans.png]
>> >>
>> >> The benefit of this would be that it would be obvious of all of the
>> events in the given description (folder name, for example) and we would
>> waste less space rewriting the name so often. It comes at the potential
>> downside though that it may take more vertical space because we could have
>> lots of sparse bands.
>> >>
>> >> Opinions?
>> >>
>> >> [Attachments scrubbed from the archive: events_current.png (image/png, 76116 bytes) and events_spans.png (image/png, 44972 bytes)]