sleuthkit-developers Mailing List for The Sleuth Kit (Page 6)
From: Rajmund <ra...@4e...> - 2014-11-30 21:35:11

Thanks Richard,

Do you know if there are plans to allow grouping of results in this fashion? What are other common artifact types used by developers here to highlight files found/analysed? If I want to highlight certain folders in the navigation tree, what have you found to be a good way to do so?

Thanks
Rajmund
From: Rajmund <ra...@4e...> - 2014-11-30 20:59:16

Hi Team/Wiki Admin,

Can we enable Images/Uploads on the Sleuthkit wiki so we can improve some of the pages by adding screenshots?

Thanks
Rajmund (Wiki User ID: 428201)
From: Richard C. <rco...@ba...> - 2014-11-28 14:38:27

Sorry, Rajmund, there is currently no way to create the sort of hierarchy of interesting file set definitions you are envisioning. The code that shows interesting file hits in the "Interesting Items" tree groups the file hit results (artifacts) by file set name, and every file hit artifact has a single set name attribute. You could add separators to your set names, but that would only define new set names - the set names are not parsed to discover additional structure.
From: Rajmund <ra...@4e...> - 2014-11-28 09:09:07

Hi Team,

I was wondering if there is a way to branch/create child items for the BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT in order to group them together? The goal would be that it would be shown in Autopsy as:

    Interesting Items
        SetNameA
            SetNameAB
            SetNameAC
        SetNameB

Is there a separator to be used in TSK_SET_NAME? Or do I somehow have to add the children to the parent artifact? Is there another artefact type which allows the above if this one does not?

Thanks
Rajmund
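As an added example that is not Autopsy's own code, illustrating Richard's answer: the helper below posts TSK_INTERESTING_FILE_HIT artifacts and shows that a separator inside TSK_SET_NAME only yields another flat set. The module name is assumed, and the BlackboardAttribute(int typeId, String moduleName, String value) constructor and the IngestServices.fireModuleDataEvent call are taken from the 2014-era TSK/Autopsy API.

```java
import java.util.Collections;

import org.sleuthkit.autopsy.ingest.IngestServices;
import org.sleuthkit.autopsy.ingest.ModuleDataEvent;
import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.TskCoreException;

/**
 * Flags a file as an "interesting item" under a named set.
 * Added example, not Autopsy code; the module name is an assumed value.
 */
public final class InterestingHitPoster {

    private static final String MODULE_NAME = "ExampleHitModule"; // assumed

    private InterestingHitPoster() {
    }

    /**
     * Creates one TSK_INTERESTING_FILE_HIT artifact on {@code file} and tags it
     * with a single TSK_SET_NAME attribute. Whatever string is passed as
     * {@code setName} becomes the node label under "Interesting Items": a value
     * such as "SetNameA/SetNameAB" is one set named literally that, not a child
     * node of "SetNameA".
     */
    public static BlackboardArtifact postHit(AbstractFile file, String setName)
            throws TskCoreException {
        BlackboardArtifact hit = file.newArtifact(
                BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT);

        // The set name is the only grouping key the tree uses for this artifact type.
        hit.addAttribute(new BlackboardAttribute(
                BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(),
                MODULE_NAME,
                setName));

        // Notify the UI that a new artifact of this type exists so the tree refreshes.
        IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(
                MODULE_NAME,
                BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT,
                Collections.singletonList(hit)));
        return hit;
    }

    /**
     * Flags the same file under a parent-looking and a child-looking set name.
     * Both calls produce sibling set nodes; the separator carries no structure.
     */
    public static void postParentAndChild(AbstractFile file) throws TskCoreException {
        postHit(file, "SetNameA");
        postHit(file, "SetNameA/SetNameAB"); // shown as its own flat set, not nested
    }
}
```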
From: Wiktor S. <wik...@gm...> - 2014-11-25 19:25:55

When I call JDialog or JFrame from the module settings panel I can't access this panel or frame.... Any ideas?

https://github.com/Vic152/VfIngestModule

Vic
-----------------------------------------------
www.bluegreenblack.com
www.thisfeelsgreat.blogspot.com

For sensitive information please use encryption.

Public key available at: http://pgp.mit.edu/
Fingerprint: 3D8C 48ED 42BD 4004 D23C C455 8D80 7FB4 2C4D 7801
From: Wiktor S. <wik...@gm...> - 2014-11-23 14:54:11

I have a little problem with this code. When I run the module on one file a few times my settings are not cleared for each run. They somehow magically stay set...

Vic

https://github.com/Vic152/VfIngestModule
From: Wiktor S. <wik...@gm...> - 2014-11-22 19:16:57

Hi Guys,

I implemented panels for job and global settings. But nothing seems to be passed to the module class... Any ideas?

Vic
From: Wiktor S. <wik...@gm...> - 2014-11-17 18:38:39

Hey Guys,

Swing back in action! Ignore pls.

Vic
From: Wiktor S. <wik...@gm...> - 2014-11-17 15:55:51

Posting again, it bounced from the server.

Okay, I started producing panels... can someone explain what is going on here?

    assert settings instanceof VfModuleSettings;
    if (!(settings instanceof VfModuleSettings)) {
        throw new IllegalArgumentException(NbBundle.getMessage(this.getClass(),
                "FileTypeIdModuleFactory.getIngestJobSettingsPanel.exception.msg"));
    }

I keep getting these errors while compiling and trying to run the module:

    java.lang.AssertionError
        at org.myproject.vf.VfIngestFatoryAdapter.getIngestJobSettingsPanel(VfIngestFatoryAdapter.java:54)
        at org.sleuthkit.autopsy.ingest.IngestModuleTemplate.getModuleSettingsPanel(IngestModuleTemplate.java:61)
        at org.sleuthkit.autopsy.ingest.IngestJobConfigurationPanel$IngestModuleModel.<init>(IngestJobConfigurationPanel.java:318)
        at org.sleuthkit.autopsy.ingest.IngestJobConfigurationPanel.<init>(IngestJobConfigurationPanel.java:49)

Vic
From: Wiktor S. <wik...@gm...> - 2014-11-16 21:46:41

Also I want to know how I can add some options in the module configuration window? At the moment the Volatility plugins are hard coded; I want to be able to let the user tick them and choose. How do I add a module progress bar? Some of the VF plugins work for a considerable amount of time.

Thanks
Vic

On 16 November 2014 17:57, Wiktor Sypniewski <wik...@gm...> wrote:
> Ok Guys, this is the code, please make comments. A few things are still hard coded but it works:
>
> https://github.com/Vic152/VfIngestModule.git
>
> Vic
>
> On 16 November 2014 17:33, Derrick Karpo <dk...@gm...> wrote:
>> Cool! I would say upload it to your github, send out the link here,
>> and perhaps it can get added to the 3rd party modules list on the
>> wiki.
>>
>> http://wiki.sleuthkit.org/index.php?title=Autopsy_3rd_Party_Modules
>>
>> Derrick
>>
>> On Sun, Nov 16, 2014 at 10:08 AM, Wiktor Sypniewski <wik...@gm...> wrote:
>>> Hi Guys,
>>>
>>> I have my basic first set up working. How do I share this with you?
>>> Upload this to GitHub?
>>>
>>> Vic
>>>
>>> On 14 November 2014 12:48, Wiktor Sypniewski <wik...@gm...> wrote:
>>>> Can anybody tell me what these lines of code do?
>>>>
>>>>     private static final Logger logger =
>>>>             Logger.getLogger(PhotoRecCarverFileIngestModule.class.getName());
>>>>
>>>>     private static final IngestModuleReferenceCounter refCounter =
>>>>             new IngestModuleReferenceCounter();
>>>>
>>>> Vic
>>>>
>>>> On 13 November 2014 14:13, Brian Carrier <ca...@sl...> wrote:
>>>>> Checkout the photorec module for packaging volatility. Basics are:
>>>>> - Make a 'release' folder in your NetBeans project folder and place the volatility folder in there
>>>>> - Find that file at runtime using something like this:
>>>>>
>>>>>     File exeFile = InstalledFileLocator.getDefault().locate(executableToFindName,
>>>>>             PhotoRecCarverFileIngestModule.class.getPackage().getName(), false);
>>>>>
>>>>> This searches for "executableToFindName" in your netbeans project / module.
>>>>>
>>>>> For the first pass at this to get it working, I'd suggest:
>>>>> - You make it a file-level ingest module
>>>>> - Add in the .lime files in as logical/local files.
>>>>> - Have the file-level ingest module ignore all files that do not have a .lime extension.
>>>>>
>>>>> On Nov 12, 2014, at 5:15 PM, Wiktor Sypniewski <wik...@gm...> wrote:
>>>>>> Hi Guys,
>>>>>>
>>>>>> I have it working somewhat. I want to know where I should keep the
>>>>>> Volatility *.py files (at the moment hard coded) and how do I access
>>>>>> them?
>>>>>>
>>>>>> Also, how do I import the *.lime image and access it from the ingest module?
>>>>>>
>>>>>> Would my module be a file ingest module or a data source ingest module?
>>>>>>
>>>>>> Vic
>>>>>>
>>>>>> On 10 November 2014 14:58, Brian Carrier <ca...@sl...> wrote:
>>>>>>> And one other thing. We package the photorec executable up in the 'release' folder of the NetBeans module. It then gets automagically copied into the resulting JAR/NBM:
>>>>>>>
>>>>>>> https://github.com/sleuthkit/autopsy/tree/develop/Core/release
>>>>>>>
>>>>>>> On Nov 10, 2014, at 9:56 AM, Brian Carrier <ca...@sl...> wrote:
>>>>>>>> There have been some offline e-mails from Wiktor, but I wanted to reply to this one to the list for public archival and such. You can refer to our PhotoRec module code as an example of running a command line tool. It basically extracts the unallocated space files to local disk, runs PhotoRec on them, and parses the PhotoRec output. It does a lot more than you may need for the Volatility module, but it is a starting point.
>>>>>>>>
>>>>>>>> https://github.com/sleuthkit/autopsy/blob/develop/Core/src/org/sleuthkit/autopsy/modules/photoreccarver/PhotoRecCarverFileIngestModule.java
>>>>>>>>
>>>>>>>> For Volatility, you can either parse the output or simply refer the user to the output folder that you create.
>>>>>>>>
>>>>>>>> brian
>>>>>>>>
>>>>>>>> On Nov 3, 2014, at 5:41 PM, Brian Carrier <ca...@sl...> wrote:
>>>>>>>>> Hi Wiktor,
>>>>>>>>>
>>>>>>>>> What you have below is basically the easiest way to get started. There is another way, but it is not well documented. You can create a "Data Source Processor" (http://sleuthkit.org/autopsy/docs/api-docs/3.1/interfaceorg_1_1sleuthkit_1_1autopsy_1_1corecomponentinterfaces_1_1_data_source_processor.html) to add the memory image in as a memory image and run Volatility at that point instead of as an ingest module, but it isn't documented as well as the other modules.
>>>>>>>>>
>>>>>>>>> Generally looks good. The big question for me has always been what to do with the output of volatility. You can either:
>>>>>>>>>
>>>>>>>>> - parse the output and make Blackboard artifacts for the processes, ports, etc. This will require new artifact types.
>>>>>>>>> - Drop the output into a folder and let the user browse it outside of Autopsy. You can call "Case.addReport()" to add a link to the output folder and then it will be shown in the Autopsy tree.
>>>>>>>>>
>>>>>>>>> brian
>>>>>>>>>
>>>>>>>>> On Nov 2, 2014, at 3:45 PM, Wiktor Sypniewski <wik...@gm...> wrote:
>>>>>>>>>> Hi Guys!
>>>>>>>>>>
>>>>>>>>>> (short reminder of what I am trying to do: I want to take the Volatility
>>>>>>>>>> Framework - in Python - and implement it in Autopsy)
>>>>>>>>>>
>>>>>>>>>> I need a few clarifications on what to do and how to do it:
>>>>>>>>>>
>>>>>>>>>> So the way I was going to proceed with this is to:
>>>>>>>>>>
>>>>>>>>>> 1. write a File Ingest Module that will do points 3 to 7
>>>>>>>>>> 2. import the *.lime image of the mobile phone memory/RAM
>>>>>>>>>> 3. access this image from within my module
>>>>>>>>>> 4. access the Volatility Framework from within my module (*.py files)
>>>>>>>>>> 5. run the relevant VF plugins on the *.lime image
>>>>>>>>>> 6. pipe output to the Autopsy DB / a file on disk - maybe *.txt
>>>>>>>>>> 7. display output in the Autopsy window
>>>>>>>>>>
>>>>>>>>>> Any suggestions?
>>>>>>>>>>
>>>>>>>>>> Regards
>>>>>>>>>> Vic
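Pulling together Brian's suggestions from the quoted thread (file-level module, skip non-.lime files, locate the tool in the module's 'release' folder, register the output with Case.addReport()), here is an added example that is not the VfIngestModule project's code. The module name, vol.py path, plugin and profile are assumed values, and Case.getModulesOutputDirAbsPath() and addReport(localPath, moduleName, reportName) are the Autopsy 3.1-era signatures as assumed here.

```java
import java.io.File;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.logging.Level;

import org.openide.modules.InstalledFileLocator;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.coreutils.Logger;
import org.sleuthkit.autopsy.datamodel.ContentUtils;
import org.sleuthkit.autopsy.ingest.FileIngestModule;
import org.sleuthkit.autopsy.ingest.IngestJobContext;
import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.TskCoreException;

/**
 * File-level ingest module that runs one Volatility plugin on each .lime
 * capture in the case. Added example, not the VfIngestModule project's code;
 * every constant below is an assumed value.
 */
public final class LimeVolatilityIngestModule implements FileIngestModule {

    private static final Logger LOGGER =
            Logger.getLogger(LimeVolatilityIngestModule.class.getName());
    private static final String MODULE_NAME = "Volatility (.lime)";  // assumed
    private static final String VOL_SCRIPT = "volatility/vol.py";    // assumed, under release/
    private static final String PLUGIN = "linux_pslist";             // assumed first plugin
    private static final String PROFILE = "LinuxPlaceholderARM";     // placeholder; must match the kernel

    private File volScript;
    private File outputRoot;

    @Override
    public void startUp(IngestJobContext context) throws IngestModuleException {
        // Brian's lookup: the path is resolved inside this module's packaged 'release'
        // folder, so the tool ships with the NBM instead of a hard coded absolute path.
        volScript = InstalledFileLocator.getDefault().locate(
                VOL_SCRIPT, LimeVolatilityIngestModule.class.getPackage().getName(), false);
        if (volScript == null || !volScript.canRead()) {
            throw new IngestModuleException("vol.py was not packaged in the module release folder");
        }
        // Assumed 3.1-era accessor for the per-case module output directory.
        outputRoot = new File(Case.getCurrentCase().getModulesOutputDirAbsPath(), "Volatility");
        if (!outputRoot.isDirectory() && !outputRoot.mkdirs()) {
            throw new IngestModuleException("Cannot create " + outputRoot);
        }
    }

    @Override
    public ProcessResult process(AbstractFile file) {
        // File-level module: ignore everything that is not a LiME capture.
        if (!file.getName().toLowerCase().endsWith(".lime")) {
            return ProcessResult.OK;
        }
        // Prefix with the object id so two captures with the same name cannot collide.
        File localImage = new File(outputRoot, file.getId() + "_" + file.getName());
        File report = new File(outputRoot, file.getId() + "_" + PLUGIN + ".txt");
        try {
            // Export the logical file to disk; the external tool cannot read case content.
            ContentUtils.writeToFile(file, localImage);
            int exit = runVolatility(localImage, report);
            if (exit != 0) {
                LOGGER.log(Level.WARNING, "Volatility exit code {0} for {1}",
                        new Object[]{exit, file.getName()});
                return ProcessResult.ERROR;
            }
            // Option two from the thread: register the output so it shows up in the tree.
            Case.getCurrentCase().addReport(report.getAbsolutePath(), MODULE_NAME,
                    PLUGIN + " for " + file.getName());
            return ProcessResult.OK;
        } catch (IOException | InterruptedException | TskCoreException ex) {
            LOGGER.log(Level.SEVERE, "Failed to process " + file.getName(), ex);
            return ProcessResult.ERROR;
        }
    }

    /** Runs vol.py as an argument list, never a shell string, so an evidence file
     *  name containing shell metacharacters is passed verbatim, not interpreted. */
    private int runVolatility(File image, File report) throws IOException, InterruptedException {
        List<String> cmd = Arrays.asList(
                "python",                       // assumes Volatility's interpreter is on PATH
                volScript.getAbsolutePath(),
                "--profile=" + PROFILE,
                "-f", image.getAbsolutePath(),
                PLUGIN);
        ProcessBuilder pb = new ProcessBuilder(cmd)
                .directory(volScript.getParentFile())
                .redirectErrorStream(true)
                .redirectOutput(report);        // stdout and stderr land in the report file
        return pb.start().waitFor();
    }

    @Override
    public void shutDown() {
        // Nothing to release; the report files stay in the case output folder.
    }
}
```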
From: Wiktor S. <wik...@gm...> - 2014-11-16 17:58:04

Ok Guys, this is the code, please make comments. A few things are still hard coded but it works:

https://github.com/Vic152/VfIngestModule.git

Vic
From: Derrick K. <dk...@gm...> - 2014-11-16 17:33:37
|
Cool! I would say upload it to your github, send out the link here, and perhaps it can get added to the 3rd party modules list on the wiki.

http://wiki.sleuthkit.org/index.php?title=Autopsy_3rd_Party_Modules

Derrick

On Sun, Nov 16, 2014 at 10:08 AM, Wiktor Sypniewski <wik...@gm...> wrote:
> Hi Guys,
>
> I have my basic first set up working. How do I share this with you?
> upload this to GitHub?
>
> Vic
> -----------------------------------------------
> www.bluegreenblack.com
> www.thisfeelsgreat.blogspot.com
>
> For sensitive information please use encryption.
>
> Public key available at: http://pgp.mit.edu/
> Fingerprint: 3D8C 48ED 42BD 4004 D23C C455 8D80 7FB4 2C4D 7801
|
From: Wiktor S. <wik...@gm...> - 2014-11-16 17:08:52
|
Hi Guys,

I have my basic first set up working. How do I share this with you?
upload this to GitHub?

Vic
-----------------------------------------------
www.bluegreenblack.com
www.thisfeelsgreat.blogspot.com

For sensitive information please use encryption.

Public key available at: http://pgp.mit.edu/
Fingerprint: 3D8C 48ED 42BD 4004 D23C C455 8D80 7FB4 2C4D 7801

On 14 November 2014 12:48, Wiktor Sypniewski <wik...@gm...> wrote:
> Can anybody tell me what these lines of code do?
>
> private static final Logger logger =
> Logger.getLogger(PhotoRecCarverFileIngestModule.class.getName());
>
> private static final IngestModuleReferenceCounter refCounter = new
> IngestModuleReferenceCounter();
>
> Vic
> -----------------------------------------------
> www.bluegreenblack.com
> www.thisfeelsgreat.blogspot.com
> http://www.vajrayanaireland.org/
>
> For sensitive information please use encryption.
>
> Public key available at: http://pgp.mit.edu/
> Fingerprint: 3D8C 48ED 42BD 4004 D23C C455 8D80 7FB4 2C4D 7801
|
From: Wiktor S. <wik...@gm...> - 2014-11-14 12:48:10
|
Can anybody tell me what these lines of code do?

private static final Logger logger =
Logger.getLogger(PhotoRecCarverFileIngestModule.class.getName());

private static final IngestModuleReferenceCounter refCounter = new
IngestModuleReferenceCounter();

Vic
-----------------------------------------------
www.bluegreenblack.com
www.thisfeelsgreat.blogspot.com
http://www.vajrayanaireland.org/

For sensitive information please use encryption.

Public key available at: http://pgp.mit.edu/
Fingerprint: 3D8C 48ED 42BD 4004 D23C C455 8D80 7FB4 2C4D 7801

On 13 November 2014 14:13, Brian Carrier <ca...@sl...> wrote:
> Check out the photorec module for packaging volatility. Basics are:
> - Make a 'release' folder in your NetBeans project folder and place the volatility folder in there
> - Find that file at runtime using something like this:
>
> File exeFile = InstalledFileLocator.getDefault().locate(executableToFindName, PhotoRecCarverFileIngestModule.class.getPackage().getName(), false);
>
> This searches for "executableToFindName" in your netbeans project / module.
>
> For the first pass at this to get it working, I'd suggest:
> - You make it a file-level ingest module
> - Add the .lime files in as logical/local files.
> - Have the file-level ingest module ignore all files that do not have a .lime extension.
|
From: Milindu S. K. <age...@gm...> - 2014-11-14 01:34:44
|
Great!! Thanks to you and Stuart I could solve my problem :D Thanks a lot.

Now I see the "SleuthkitJNI: loaded libtsk_jni" message, but get the following error. I'll try to get it solved :) Any ideas why it could be?

*org.sleuthkit.datamodel.TskCoreException: Database Error (Can't open database: unable to open database file)*

On Thu, Nov 13, 2014 at 7:44 PM, Brian Carrier <ca...@sl...> wrote:
> I think Stuart is on the right path with his comments. Did you do a 'make
> install' with TSK? The JNI code assumes that the other TSK libraries are in
> their installed locations.
|
From: Brian C. <ca...@sl...> - 2014-11-13 14:14:18
|
I think Stuart is on the right path with his comments. Did you do a 'make install' with TSK? The JNI code assumes that the other TSK libraries are in their installed locations.

On Nov 12, 2014, at 3:00 PM, Milindu Sanoj Kumarage <age...@gm...> wrote:
> Hi,
>
> I'm trying to call Sleuth Kit from a JMS MessageListener. But I'm getting this error
>
> java.lang.UnsatisfiedLinkError: /tmp/libtsk_jni.so: libtsk.so.10: cannot open shared object file: No such file or directory
>
> I tried copying the libtsk_jni.so to /tmp but no difference. But I can call Sleuth Kit from a Java console application. What could be the error?
>
> Below is my MessageListener
>
> public void onMessage(Message message) {
>     try {
>         String imagePath = "uploads/Cfreds001A001.dd";
>         try {
>             // Creates the case database next to the image (a relative path, resolved against the JVM's working directory)
>             SleuthkitCase sk = SleuthkitCase.newCase(imagePath + ".db");
>         } catch (TskCoreException ex) {
>             // Log instead of swallowing: an empty catch here hides database creation failures
>             Logger.getLogger(WorkerBean.class.getName()).log(Level.SEVERE, "Could not create case database", ex);
>         }
>     } catch (JMSException ex) {
>         Logger.getLogger(WorkerBean.class.getName()).log(Level.SEVERE, null, ex);
>     } catch (InterruptedException ex) {
>         Logger.getLogger(WorkerBean.class.getName()).log(Level.SEVERE, null, ex);
>     }
> }
|
From: Brian C. <ca...@sl...> - 2014-11-13 14:13:19
|
Check out the photorec module for packaging volatility. Basics are:
- Make a 'release' folder in your NetBeans project folder and place the volatility folder in there
- Find that file at runtime using something like this:

File exeFile = InstalledFileLocator.getDefault().locate(executableToFindName, PhotoRecCarverFileIngestModule.class.getPackage().getName(), false);

This searches for "executableToFindName" in your netbeans project / module.

For the first pass at this to get it working, I'd suggest:
- You make it a file-level ingest module
- Add the .lime files in as logical/local files.
- Have the file-level ingest module ignore all files that do not have a .lime extension.

On Nov 12, 2014, at 5:15 PM, Wiktor Sypniewski <wik...@gm...> wrote:
> Hi Guys,
>
> I have it working somewhat. I want to know where should I keep
> Volatility *.py files (at the moment hard coded) and how do I access
> them?
>
> Also how to import the *.lime image and access it from the ingest module?
>
> Would my module be file ingest module or data source ingest module?
>
> Vic
> -----------------------------------------------
> www.bluegreenblack.com
> www.thisfeelsgreat.blogspot.com
> http://www.vajrayanaireland.org/
>
> For sensitive information please use encryption.
>
> Public key available at: http://pgp.mit.edu/
> Fingerprint: 3D8C 48ED 42BD 4004 D23C C455 8D80 7FB4 2C4D 7801
|
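Putting Brian's suggestions together (tool bundled in the module's 'release' folder and found with InstalledFileLocator, a file-level module that ignores everything but .lime files, output folder registered with Case.addReport()), as an added example that is neither code from the thread nor from the Autopsy project. The package name, the `volatility/vol.py` release path and the `pslist` plugin are assumptions, and the ExecUtil, FileIngestModuleProcessTerminator, ContentUtils and IngestModuleReferenceCounter calls are assumed to match the Autopsy 3.1 API the thread refers to.

```java
package org.example.volatilityingest; // hypothetical package, not part of Autopsy

import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.openide.modules.InstalledFileLocator;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.coreutils.ExecUtil;
import org.sleuthkit.autopsy.datamodel.ContentUtils;
import org.sleuthkit.autopsy.ingest.FileIngestModule;
import org.sleuthkit.autopsy.ingest.FileIngestModuleProcessTerminator;
import org.sleuthkit.autopsy.ingest.IngestJobContext;
import org.sleuthkit.autopsy.ingest.IngestModuleReferenceCounter;
import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.TskCoreException;

/** File-level ingest module: runs bundled Volatility on each .lime file and registers the output as a report. */
public class VolatilityFileIngestModule implements FileIngestModule {

    // One logger per class, keyed by the class name (the first line Wiktor asked about).
    private static final Logger logger = Logger.getLogger(VolatilityFileIngestModule.class.getName());
    // Counts live instances of this module per ingest job, so job-wide setup can run once on the
    // first startUp() and cleanup once on the last shutDown() (the second line Wiktor asked about).
    private static final IngestModuleReferenceCounter refCounter = new IngestModuleReferenceCounter();

    private static final String MODULE_NAME = "Volatility";
    // Path under the NetBeans module's 'release' folder; assumed layout.
    private static final String VOL_RELATIVE_PATH = "volatility/vol.py";
    private static final String LIME_EXT = ".lime";

    private IngestJobContext context;
    private File volExecutable;
    private Path outputRoot;

    @Override
    public void startUp(IngestJobContext context) throws IngestModuleException {
        this.context = context;
        // Resolve the tool that was packaged into the NBM, as Brian describes.
        volExecutable = InstalledFileLocator.getDefault().locate(
                VOL_RELATIVE_PATH, VolatilityFileIngestModule.class.getPackage().getName(), false);
        if (volExecutable == null) {
            throw new IngestModuleException("Bundled " + VOL_RELATIVE_PATH + " not found in module");
        }
        // Keep all output inside the case's ModuleOutput directory.
        outputRoot = Paths.get(Case.getCurrentCase().getModuleDirectory(), MODULE_NAME);
        try {
            Files.createDirectories(outputRoot);
        } catch (IOException ex) {
            logger.log(Level.SEVERE, "Cannot create " + outputRoot, ex);
            throw new IngestModuleException("Cannot create " + outputRoot);
        }
        refCounter.incrementAndGet(context.getJobId());
    }

    @Override
    public ProcessResult process(AbstractFile file) {
        // Ignore everything that is not a memory image.
        if (!file.getName().toLowerCase().endsWith(LIME_EXT)) {
            return ProcessResult.OK;
        }
        try {
            // Volatility wants a path on disk, so copy the file out of the case (as the PhotoRec module does).
            Path image = outputRoot.resolve(file.getId() + "_" + file.getName());
            ContentUtils.writeToFile(file, image.toFile());
            Path report = outputRoot.resolve(file.getId() + "_pslist.txt");
            // Plugin and interpreter are assumptions; a real module would let the user pick plugin and profile.
            ProcessBuilder pb = new ProcessBuilder("python", volExecutable.getAbsolutePath(),
                    "-f", image.toString(), "pslist");
            pb.redirectOutput(report.toFile());
            pb.redirectError(ProcessBuilder.Redirect.INHERIT);
            // The terminator kills the child process if the ingest job is cancelled.
            int exit = ExecUtil.execute(pb, new FileIngestModuleProcessTerminator(context));
            if (context.fileIngestIsCancelled()) {
                return ProcessResult.OK;
            }
            if (exit != 0) {
                logger.log(Level.WARNING, "Volatility exited with {0} for {1}", new Object[]{exit, file.getName()});
                return ProcessResult.ERROR;
            }
            // Brian's second option: link the output into the Autopsy tree rather than parsing it.
            Case.getCurrentCase().addReport(report.toString(), MODULE_NAME, "Volatility pslist for " + file.getName());
            return ProcessResult.OK;
        } catch (IOException | TskCoreException ex) {
            logger.log(Level.SEVERE, "Volatility run failed for " + file.getName(), ex);
            return ProcessResult.ERROR;
        }
    }

    @Override
    public void shutDown() {
        // The last instance for this job to shut down could remove the image copies; omitted here.
        refCounter.decrementAndGet(context.getJobId());
    }
}
```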
From: Stuart M. <st...@ap...> - 2014-11-12 22:42:03
|
The error printed is not that your java code cannot find libtsk_jni.so, but that THAT library is linked against libtsk.so, which your Java VM cannot find.

You need to locate the path to the original libtsk.so, let's say it's in /usr/local/lib. Then you have two options:

1 extend LD_LIBRARY_PATH to include /usr/local/lib
2 Add /usr/local/lib to the VM's own shared library search path, like this

java -Djava.library.path=/usr/local/lib -classpath .....

If you have jni code with external dependencies, like you do in this case, it might be better to build the libtsk_jni.so file such that the tsk calls it makes are linked in STATICALLY, then the issue you are having would disappear. I do this in my own Java/JNI binding to sleuthkit.

Cheers

Stuart
|
From: Stuart M. <st...@ap...> - 2014-11-12 22:40:26
|
One useful trick I forgot to mention in my previous post in debugging Java/JNI issues, and .so dependencies in general, is the use of the ldd command

$ ldd /path/to/libtsk_jni.so

If you see 'unresolved' against any dependencies, it basically says that the runtime link/loader would not be able to load that .so, and your program would not run, which is what you are seeing.

You can see immediately the effects of the LD_LIBRARY_PATH variable in this respect, e.g.

$ LD_LIBRARY_PATH=/usr/local/lib ldd /path/to/libtsk_jni.so

which would likely give a different output to the initial ldd invocation, subject to the libtsk.so file being in /usr/local/lib.

Stuart
|
From: Wiktor S. <wik...@gm...> - 2014-11-12 22:15:45
|
Hi Guys,

I have it working somewhat. I want to know where I should keep the Volatility *.py files (at the moment hard coded) and how do I access them? Also, how do I import the *.lime image and access it from the ingest module? Would my module be a file ingest module or a data source ingest module?

Vic

-----------------------------------------------
www.bluegreenblack.com
www.thisfeelsgreat.blogspot.com
http://www.vajrayanaireland.org/

For sensitive information please use encryption.

Public key available at: http://pgp.mit.edu/
Fingerprint: 3D8C 48ED 42BD 4004 D23C C455 8D80 7FB4 2C4D 7801

On 10 November 2014 14:58, Brian Carrier <ca...@sl...> wrote:
> And one other thing. We package the photorec executable up in the 'release' folder of the NetBeans module. It then gets automagically copied into the resulting JAR/NBM:
>
> https://github.com/sleuthkit/autopsy/tree/develop/Core/release
>
> On Nov 10, 2014, at 9:56 AM, Brian Carrier <ca...@sl...> wrote:
>
>> There have been some offline e-mails from Wiktor, but I wanted to reply to this one to the list for public archival and such. You can refer to our PhotoRec module code as an example of running a command line tool. It basically extracts the unallocated space files to local disk, runs PhotoRec on them, and parses the PhotoRec output. It does a lot more than you may need for the Volatility module, but it is a starting point.
>>
>> https://github.com/sleuthkit/autopsy/blob/develop/Core/src/org/sleuthkit/autopsy/modules/photoreccarver/PhotoRecCarverFileIngestModule.java
>>
>> For Volatility, you can either parse the output or simply refer the user to the output folder that you create.
>>
>> brian
>>
>> On Nov 3, 2014, at 5:41 PM, Brian Carrier <ca...@sl...> wrote:
>>
>>> Hi Wiktor,
>>>
>>> What you have below is basically the easiest way to get started. There is another way, but it is not well documented. You can create a "Data Source Processor" (http://sleuthkit.org/autopsy/docs/api-docs/3.1/interfaceorg_1_1sleuthkit_1_1autopsy_1_1corecomponentinterfaces_1_1_data_source_processor.html) to add the memory image in as a memory image and run Volatility at that point instead of as an ingest module, but it isn't documented as well as the other modules.
>>>
>>> Generally looks good. The big question for me has always been what to do with the output of volatility. You can either:
>>>
>>> - parse the output and make Blackboard artifacts for the processes, ports, etc. This will require new artifact types.
>>> - Drop the output into a folder and let the user browse it outside of Autopsy. You can call "Case.addReport()" to add a link to the output folder and then it will be shown in the Autopsy tree.
>>>
>>> brian
>>>
>>> On Nov 2, 2014, at 3:45 PM, Wiktor Sypniewski <wik...@gm...> wrote:
>>>
>>>> Hi Guys!
>>>>
>>>> (short reminder of what I am trying to do: I want to take Volatility
>>>> Framework - in Python and implement it in Autopsy)
>>>>
>>>> I need a few clarifications on what and how to do it:
>>>>
>>>> So the way I was going to proceed with this is to:
>>>>
>>>> 1. write File Ingest Module that will do points: 3 to 7
>>>> 2. import *.lime image of mobile phone memory/ram
>>>> 3. access this image from within my module
>>>> 4. access Volatility Framework from within my module (*.py files)
>>>> 5. run relevant plugins in VF in the *.lime image
>>>> 6. pipe output to Autopsy DB / file on disk - maybe *.txt
>>>> 7. display output in Autopsy window
>>>>
>>>> Any suggestions?
>>>>
>>>> Regards
>>>> Vic
>>>>
>>>> -----------------------------------------------
>>>> www.bluegreenblack.com
>>>> www.thisfeelsgreat.blogspot.com
>>>> http://www.vajrayanaireland.org/
>>>>
>>>> For sensitive information please use encryption.
>>>>
>>>> Public key available at: http://pgp.mit.edu/
>>>> Fingerprint: 3D8C 48ED 42BD 4004 D23C C455 8D80 7FB4 2C4D 7801
>>>>
>>>> _______________________________________________
>>>> sleuthkit-developers mailing list
>>>> sle...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers
|
From: Milindu S. K. <age...@gm...> - 2014-11-12 20:00:57
|
Hi,

I'm trying to call Sleuth Kit from a JMS MessageListener. But I'm getting this error:

java.lang.UnsatisfiedLinkError: /tmp/libtsk_jni.so: libtsk.so.10: cannot open shared object file: No such file or directory

I tried copying the libtsk_jni.so to /tmp but no difference. But I can call Sleuth Kit from a Java console application. What could be the error?

Below is my MessageListener:

    import java.util.logging.Level;
    import java.util.logging.Logger;
    import javax.jms.Message;
    import org.sleuthkit.datamodel.SleuthkitCase;
    import org.sleuthkit.datamodel.TskCoreException;

    public void onMessage(Message message) {
        String imagePath = "uploads/Cfreds001A001.dd";
        try {
            // The datamodel loads libtsk_jni.so on first use. UnsatisfiedLinkError
            // is an Error, not a TskCoreException, so it is not caught here.
            SleuthkitCase sk = SleuthkitCase.newCase(imagePath + ".db");
        } catch (TskCoreException ex) {
            // Log instead of silently swallowing the failure.
            Logger.getLogger(WorkerBean.class.getName()).log(Level.SEVERE, null, ex);
        }
        // The original catch blocks for JMSException and InterruptedException
        // are dropped: nothing in the try body throws them, and javac rejects
        // a catch for a checked exception the body cannot throw.
    } |
From: Brian C. <ca...@sl...> - 2014-11-10 14:58:38
|
And one other thing. We package the photorec executable up in the 'release' folder of the NetBeans module. It then gets automagically copied into the resulting JAR/NBM:

https://github.com/sleuthkit/autopsy/tree/develop/Core/release

On Nov 10, 2014, at 9:56 AM, Brian Carrier <ca...@sl...> wrote:

> There have been some offline e-mails from Wiktor, but I wanted to reply to this one to the list for public archival and such. You can refer to our PhotoRec module code as an example of running a command line tool. It basically extracts the unallocated space files to local disk, runs PhotoRec on them, and parses the PhotoRec output. It does a lot more than you may need for the Volatility module, but it is a starting point.
>
> https://github.com/sleuthkit/autopsy/blob/develop/Core/src/org/sleuthkit/autopsy/modules/photoreccarver/PhotoRecCarverFileIngestModule.java
>
> For Volatility, you can either parse the output or simply refer the user to the output folder that you create.
>
> brian
>
> On Nov 3, 2014, at 5:41 PM, Brian Carrier <ca...@sl...> wrote:
>
>> Hi Wiktor,
>>
>> What you have below is basically the easiest way to get started. There is another way, but it is not well documented. You can create a "Data Source Processor" (http://sleuthkit.org/autopsy/docs/api-docs/3.1/interfaceorg_1_1sleuthkit_1_1autopsy_1_1corecomponentinterfaces_1_1_data_source_processor.html) to add the memory image in as a memory image and run Volatility at that point instead of as an ingest module, but it isn't documented as well as the other modules.
>>
>> Generally looks good. The big question for me has always been what to do with the output of volatility. You can either:
>>
>> - parse the output and make Blackboard artifacts for the processes, ports, etc. This will require new artifact types.
>> - Drop the output into a folder and let the user browse it outside of Autopsy. You can call "Case.addReport()" to add a link to the output folder and then it will be shown in the Autopsy tree.
>>
>> brian
>>
>> On Nov 2, 2014, at 3:45 PM, Wiktor Sypniewski <wik...@gm...> wrote:
>>
>>> Hi Guys!
>>>
>>> (short reminder of what I am trying to do: I want to take Volatility
>>> Framework - in Python and implement it in Autopsy)
>>>
>>> I need a few clarifications on what and how to do it:
>>>
>>> So the way I was going to proceed with this is to:
>>>
>>> 1. write File Ingest Module that will do points: 3 to 7
>>> 2. import *.lime image of mobile phone memory/ram
>>> 3. access this image from within my module
>>> 4. access Volatility Framework from within my module (*.py files)
>>> 5. run relevant plugins in VF in the *.lime image
>>> 6. pipe output to Autopsy DB / file on disk - maybe *.txt
>>> 7. display output in Autopsy window
>>>
>>> Any suggestions?
>>>
>>> Regards
>>> Vic
>>>
>>> -----------------------------------------------
>>> www.bluegreenblack.com
>>> www.thisfeelsgreat.blogspot.com
>>> http://www.vajrayanaireland.org/
>>>
>>> For sensitive information please use encryption.
>>>
>>> Public key available at: http://pgp.mit.edu/
>>> Fingerprint: 3D8C 48ED 42BD 4004 D23C C455 8D80 7FB4 2C4D 7801
>>>
>>> _______________________________________________
>>> sleuthkit-developers mailing list
>>> sle...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers
|
From: Brian C. <ca...@sl...> - 2014-11-10 14:56:22
|
There have been some offline e-mails from Wiktor, but I wanted to reply to this one to the list for public archival and such. You can refer to our PhotoRec module code as an example of running a command line tool. It basically extracts the unallocated space files to local disk, runs PhotoRec on them, and parses the PhotoRec output. It does a lot more than you may need for the Volatility module, but it is a starting point.

https://github.com/sleuthkit/autopsy/blob/develop/Core/src/org/sleuthkit/autopsy/modules/photoreccarver/PhotoRecCarverFileIngestModule.java

For Volatility, you can either parse the output or simply refer the user to the output folder that you create.

brian

On Nov 3, 2014, at 5:41 PM, Brian Carrier <ca...@sl...> wrote:

> Hi Wiktor,
>
> What you have below is basically the easiest way to get started. There is another way, but it is not well documented. You can create a "Data Source Processor" (http://sleuthkit.org/autopsy/docs/api-docs/3.1/interfaceorg_1_1sleuthkit_1_1autopsy_1_1corecomponentinterfaces_1_1_data_source_processor.html) to add the memory image in as a memory image and run Volatility at that point instead of as an ingest module, but it isn't documented as well as the other modules.
>
> Generally looks good. The big question for me has always been what to do with the output of volatility. You can either:
>
> - parse the output and make Blackboard artifacts for the processes, ports, etc. This will require new artifact types.
> - Drop the output into a folder and let the user browse it outside of Autopsy. You can call "Case.addReport()" to add a link to the output folder and then it will be shown in the Autopsy tree.
>
> brian
>
> On Nov 2, 2014, at 3:45 PM, Wiktor Sypniewski <wik...@gm...> wrote:
>
>> Hi Guys!
>>
>> (short reminder of what I am trying to do: I want to take Volatility
>> Framework - in Python and implement it in Autopsy)
>>
>> I need a few clarifications on what and how to do it:
>>
>> So the way I was going to proceed with this is to:
>>
>> 1. write File Ingest Module that will do points: 3 to 7
>> 2. import *.lime image of mobile phone memory/ram
>> 3. access this image from within my module
>> 4. access Volatility Framework from within my module (*.py files)
>> 5. run relevant plugins in VF in the *.lime image
>> 6. pipe output to Autopsy DB / file on disk - maybe *.txt
>> 7. display output in Autopsy window
>>
>> Any suggestions?
>>
>> Regards
>> Vic
>>
>> -----------------------------------------------
>> www.bluegreenblack.com
>> www.thisfeelsgreat.blogspot.com
>> http://www.vajrayanaireland.org/
>>
>> For sensitive information please use encryption.
>>
>> Public key available at: http://pgp.mit.edu/
>> Fingerprint: 3D8C 48ED 42BD 4004 D23C C455 8D80 7FB4 2C4D 7801
>>
>> _______________________________________________
>> sleuthkit-developers mailing list
>> sle...@li...
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers
|
From: Brian C. <ca...@sl...> - 2014-11-03 22:41:57
|
Hi Wiktor,

What you have below is basically the easiest way to get started. There is another way, but it is not well documented. You can create a "Data Source Processor" (http://sleuthkit.org/autopsy/docs/api-docs/3.1/interfaceorg_1_1sleuthkit_1_1autopsy_1_1corecomponentinterfaces_1_1_data_source_processor.html) to add the memory image in as a memory image and run Volatility at that point instead of as an ingest module, but it isn't documented as well as the other modules.

Generally looks good. The big question for me has always been what to do with the output of volatility. You can either:

- parse the output and make Blackboard artifacts for the processes, ports, etc. This will require new artifact types.
- Drop the output into a folder and let the user browse it outside of Autopsy. You can call "Case.addReport()" to add a link to the output folder and then it will be shown in the Autopsy tree.

brian

On Nov 2, 2014, at 3:45 PM, Wiktor Sypniewski <wik...@gm...> wrote:

> Hi Guys!
>
> (short reminder of what I am trying to do: I want to take Volatility
> Framework - in Python and implement it in Autopsy)
>
> I need a few clarifications on what and how to do it:
>
> So the way I was going to proceed with this is to:
>
> 1. write File Ingest Module that will do points: 3 to 7
> 2. import *.lime image of mobile phone memory/ram
> 3. access this image from within my module
> 4. access Volatility Framework from within my module (*.py files)
> 5. run relevant plugins in VF in the *.lime image
> 6. pipe output to Autopsy DB / file on disk - maybe *.txt
> 7. display output in Autopsy window
>
> Any suggestions?
>
> Regards
> Vic
>
> -----------------------------------------------
> www.bluegreenblack.com
> www.thisfeelsgreat.blogspot.com
> http://www.vajrayanaireland.org/
>
> For sensitive information please use encryption.
>
> Public key available at: http://pgp.mit.edu/
> Fingerprint: 3D8C 48ED 42BD 4004 D23C C455 8D80 7FB4 2C4D 7801
>
> _______________________________________________
> sleuthkit-developers mailing list
> sle...@li...
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers
|
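Brian's reply above leaves the module author with two choices for Volatility output: drop it into a folder that the module registers with Case.addReport(), or parse it into something that can become Blackboard artifacts. The following is an added example written for this page, not code from the thread and not Autopsy or Volatility project code, showing both steps in plain Python so they can be tried outside Autopsy. The `vol.py --profile=... -f <image> <plugin>` command shape is Volatility 2's real syntax; the `python2 vol.py` command, the profile name `LinuxAndroidARM`, the image path, the output folder name and the `linux_pslist` sample (built with the column widths Volatility 2.4 prints for that plugin, with made-up values) are all constructed for the example.

```python
"""Added example (not from the thread, and not Autopsy or Volatility code):
the two ways of handling Volatility output that the reply above lists.

run_plugins() runs Volatility 2 plugins one at a time and saves each plugin's
text as <outdir>/<plugin>.txt, i.e. the folder a module would hand to
Case.addReport(). parse_table() turns Volatility's fixed-width table output
into dict rows by measuring the columns from the dashed separator line; those
rows are what a module would turn into Blackboard artifacts.
"""
import os
import subprocess
from typing import Callable, Dict, List, Sequence

# Column names and widths of Volatility 2.4's linux_pslist table; used only to
# build the constructed sample below with the alignment the tool prints.
_PSLIST_COLUMNS = [("Offset", 18), ("Name", 20), ("Pid", 15), ("Uid", 15),
                   ("Gid", 6), ("DTB", 18), ("Start Time", 10)]


def _pslist_line(cells: Sequence[str]) -> str:
    return " ".join(f"{cell:<{width}}" for cell, (_, width) in zip(cells, _PSLIST_COLUMNS))


# Constructed sample of `vol.py --profile=<profile> -f phone.lime linux_pslist`
# output; offsets, PIDs and times are made up. Kernel threads have no DTB, which
# Volatility prints as a run of dashes.
SAMPLE_PSLIST = "\n".join([
    "Volatility Foundation Volatility Framework 2.4",
    _pslist_line([name for name, _ in _PSLIST_COLUMNS]),
    " ".join("-" * width for _, width in _PSLIST_COLUMNS),
    _pslist_line(["0xffff88003c1c8000", "init", "1", "0", "0",
                  "0x000000003c0d8000", "2014-11-02 20:40:11 UTC+0000"]),
    _pslist_line(["0xffff88003c1c9800", "kthreadd", "2", "0", "0",
                  "------------------", "2014-11-02 20:40:11 UTC+0000"]),
    _pslist_line(["0xffff88003a2e0000", "sh", "1337", "10025", "10025",
                  "0x000000003a1f2000", "2014-11-02 20:45:59 UTC+0000"]),
]) + "\n"


def parse_table(text: str) -> List[Dict[str, str]]:
    """Parse one Volatility text table into a list of {column: value} rows.

    The separator line (dashes and spaces only) defines the column spans, so a
    value containing spaces, such as 'Start Time', survives intact, which a
    naive split() on whitespace would break.
    """
    lines = text.splitlines()
    sep_idx = next(i for i, line in enumerate(lines)
                   if line.strip() and set(line) <= {"-", " "})
    separator, header = lines[sep_idx], lines[sep_idx - 1]
    spans = []
    start = None
    for i, ch in enumerate(separator + " "):   # trailing space closes the last run
        if ch == "-" and start is None:
            start = i
        elif ch != "-" and start is not None:
            spans.append((start, i))
            start = None
    spans[-1] = (spans[-1][0], None)           # last column runs to end of line
    names = [header[a:b].strip() for a, b in spans]
    rows = []
    for line in lines[sep_idx + 1:]:
        if line.strip():
            rows.append({name: line[a:b].strip() for name, (a, b) in zip(names, spans)})
    return rows


def build_command(vol_cmd: Sequence[str], image: str, profile: str, plugin: str) -> List[str]:
    """Volatility 2 invocation for one plugin against one image."""
    return list(vol_cmd) + ["--profile=" + profile, "-f", image, plugin]


def _run_subprocess(cmd: Sequence[str]) -> str:
    return subprocess.run(list(cmd), capture_output=True, text=True, check=True).stdout


def run_plugins(vol_cmd: Sequence[str], image: str, profile: str, plugins: Sequence[str],
                outdir: str, runner: Callable[[Sequence[str]], str] = _run_subprocess) -> Dict[str, str]:
    """Run each plugin and save its output as <outdir>/<plugin>.txt; returns {plugin: path}.

    `runner` is injectable so the function can be exercised without Volatility installed.
    """
    os.makedirs(outdir, exist_ok=True)
    written = {}
    for plugin in plugins:
        output = runner(build_command(vol_cmd, image, profile, plugin))
        path = os.path.join(outdir, plugin + ".txt")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(output)
        written[plugin] = path
    return written


if __name__ == "__main__":
    # Demonstrate both paths offline with a fake runner that returns the sample.
    paths = run_plugins(["python2", "vol.py"], "/cases/phone.lime", "LinuxAndroidARM",
                        ["linux_pslist"], "volatility_out", runner=lambda cmd: SAMPLE_PSLIST)
    with open(paths["linux_pslist"], encoding="utf-8") as fh:
        for row in parse_table(fh.read()):
            print(row["Pid"], row["Uid"], row["Name"], row["Start Time"])
```

With the real runner, `run_plugins(["python2", "vol.py"], image, profile, ["linux_pslist", "linux_netstat"], outdir)` produces the folder to register with Case.addReport(); feeding each saved file to `parse_table()` gives the per-row values an artifact would need. The column-span approach is what makes this reusable across plugins: every Volatility 2 table prints the same header-plus-dashes layout, so nothing here is specific to pslist.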
From: Justin G. <jus...@gm...> - 2014-11-03 21:24:15
|
Quick question for you all -- is fiwalk available on Windows? I recently downloaded the Win32 Sleuthkit-4.1.3, but didn't see it in there. Thanks, Justin |