sleuthkit-developers Mailing List for The Sleuth Kit (Page 7)
From: Wiktor S. <wik...@gm...> - 2014-11-02 20:45:14
Hi Guys!

(Short reminder of what I am trying to do: I want to take the Volatility Framework, written in Python, and implement it in Autopsy.)

I need a few clarifications on what to do and how to do it. The way I was going to proceed with this is to:

1. write a File Ingest Module that will do points 3 to 7
2. import a *.lime image of mobile phone memory/RAM
3. access this image from within my module
4. access the Volatility Framework from within my module (*.py files)
5. run the relevant plugins in VF on the *.lime image
6. pipe the output to the Autopsy DB / a file on disk - maybe *.txt
7. display the output in the Autopsy window

Any suggestions?

Regards
Vic
-----------------------------------------------
www.bluegreenblack.com
www.thisfeelsgreat.blogspot.com
http://www.vajrayanaireland.org/

For sensitive information please use encryption.

Public key available at: http://pgp.mit.edu/
Fingerprint: 3D8C 48ED 42BD 4004 D23C C455 8D80 7FB4 2C4D 7801
From: Luís F. N. <lfc...@gm...> - 2014-10-01 00:00:24
This problem still happens with 4.2.0 branch. If I can help with some more information, please let me know.

Thanks
Luis

2014-07-24 9:21 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:

> Another information: the sum of the millions of file sizes resulted in 1,1
> petabyte, while the image has only 250 GB.
From: Brian C. <ca...@sl...> - 2014-09-15 20:57:01
Hi Wiktor,

The ServiceProvider line should be for IngestModuleFactory.class and not the IngestModuleFactoryAdapter. We search for providers of that class. Though, we probably could search for both.

thanks,
brian

On Sep 13, 2014, at 12:44 PM, Wiktor Sypniewski <wik...@gm...> wrote:

> Hi guys so I did make my first module in the module factory:
>
> At this stage I should be able to see it in the ingest modules list (when I compile/run from NetBeans), right? I think I added look up service okay to my package...
>
> When I run/compile can see the name of my module in the list. And the instruction says: {At this point, when you add a data source to an Autopsy case, you should see the module in the list of ingest modules. If you don't see it, double check that you either implemented org.sleuthkit.autopsy.ingest.IngestModuleFactory or extended or inherited org.sleuthkit.autopsy.ingest.IngestModuleFactoryAdapter. If using Java, make sure that you added the service provider annotation.}
>
> Am I doing sth wrong?
>
> Thanks Vic
>
> <listmod.bmp>
>
> package org.myproject.vf;
>
> import org.openide.util.lookup.ServiceProvider;
> import org.sleuthkit.autopsy.ingest.IngestModuleFactoryAdapter;
>
> @ServiceProvider(service = IngestModuleFactoryAdapter.class)
> public class TestIngest extends org.sleuthkit.autopsy.ingest.IngestModuleFactoryAdapter {
>
>     @Override
>     public String getModuleDisplayName() {
>         // throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
>         String moduleName = "VF";
>         return moduleName;
>     }
>
>     @Override
>     public String getModuleDescription() {
>         // throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
>         String moduleDescription = "This is my module and its mine";
>         return moduleDescription;
>     }
>
>     @Override
>     public String getModuleVersionNumber() {
>         // throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
>         String moduleVersion = "0.0.1";
>         return moduleVersion;
>     }
> }

<bundle.bmp> <API lookup.bmp>
From: Brian C. <ca...@sl...> - 2014-09-10 02:20:16
You can choose whatever you want for that. We use the same naming conventions as suggested for package names:

http://docs.oracle.com/javase/tutorial/java/package/namingpkgs.html

On Sep 9, 2014, at 10:30 AM, Wiktor Sypniewski <wik...@gm...> wrote:

> Hi Guys,
>
> I'm building my first module for autopsy 3.1. Netbeans wants me to
> enter Code Name Base. Does it matter what I enter here? And how?
> org.myproject.vf would do?
>
> Vic
From: Wiktor S. <wik...@gm...> - 2014-09-09 14:30:23
Hi Guys,

I'm building my first module for autopsy 3.1. Netbeans wants me to enter Code Name Base. Does it matter what I enter here? And how? org.myproject.vf would do?

Vic
From: Richard C. <rco...@ba...> - 2014-07-24 15:22:51
The documentation available at http://www.sleuthkit.org/autopsy/docs/api-docs/3.1/mod_ingest_page.html is a bit out of synch with the recent Autopsy 3.1.0 Beta release. Please note the following:

- Step 2 for creating a data source or file ingest module states that your module can optionally extend org.sleuthkit.autopsy.ingest.IngestModuleAdapter. The adapter class was removed before the beta release, so you should simply have your module implement org.sleuthkit.autopsy.ingest.DataSourceIngestModule or org.sleuthkit.autopsy.ingest.FileIngestModule, both of which extend the org.sleuthkit.autopsy.ingest.IngestModule interface.
- The section on "Controlling the Ordering of Ingest Modules in Ingest Pipelines" should be ignored. User configuration of ingest module ordering has been deferred to a later release.
From: Luís F. N. <lfc...@gm...> - 2014-07-24 12:21:25
Another information: the sum of the millions of file sizes resulted in 1,1 petabyte, while the image has only 250 GB.

2014-07-23 22:21 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:

> We tested loaddb of both the released 4.1.3 version and the develop branch
> of sleuthkit on a NTFS image of a hard disk with a lot of bad blocks, many
> of them at the beginning of the disk.
>
> The 4.1.3 version found ~400.000 allocated files more ~100.000 orphan
> files, about the same found by other forensic tools. The develop branch
> found the same ~400.000 allocated files more ~2.500.000 orphan files! Most
> of these millions of orphans have corrupted names or the name
> OrphanFile-xxxxxxx and have lengths ranging from 0 to 4.294.967.296 bytes.
> We think the recent changes to NTFS code are causing this large number of
> corrupted orphans to be added to the case. Maybe it should be investigated
> before the final 4.2 release.
>
> Luis
From: Luís F. N. <lfc...@gm...> - 2014-07-24 01:21:31
We tested loaddb of both the released 4.1.3 version and the develop branch of sleuthkit on a NTFS image of a hard disk with a lot of bad blocks, many of them at the beginning of the disk.

The 4.1.3 version found ~400.000 allocated files more ~100.000 orphan files, about the same found by other forensic tools. The develop branch found the same ~400.000 allocated files more ~2.500.000 orphan files! Most of these millions of orphans have corrupted names or the name OrphanFile-xxxxxxx and have lengths ranging from 0 to 4.294.967.296 bytes. We think the recent changes to NTFS code are causing this large number of corrupted orphans to be added to the case. Maybe it should be investigated before the final 4.2 release.

Luis
From: Justin G. <jus...@gm...> - 2014-07-23 20:51:38
Onto my next basic 3.1 module creation issue...

I'm trying to extend the IngestModuleAdapter class, but Netbeans cannot find *org.sleuthkit.autopsy.ingest.IngestModuleAdapter* (referenced in step 2 under "Creating a Data Source Ingest Module" at http://www.sleuthkit.org/autopsy/docs/api-docs/3.1/mod_ingest_page.html). This particular class does not seem to exist in the Autopsy-core library in 3.1-beta. Should it?

Justin

On Wed, Jul 23, 2014 at 1:07 PM, Justin Grover <jus...@gm...> wrote:

> Ah great, thank you all for the good info.
From: Justin G. <jus...@gm...> - 2014-07-23 17:07:49
Ah great, thank you all for the good info.

On Jul 23, 2014 12:37 PM, "Brian Carrier" <ca...@sl...> wrote:

> Yea, the docs probably need to be updated to state that Java 8 is now
> required. We had to make this jump because of the way that they bundle
> JavaFX in 7 versus 8.
From: Brian C. <ca...@sl...> - 2014-07-23 16:37:07
Yea, the docs probably need to be updated to state that Java 8 is now required. We had to make this jump because of the way that they bundle JavaFX in 7 versus 8.

On Jul 23, 2014, at 12:26 PM, Luís Filipe Nassif <lfc...@gm...> wrote:

> I got this error too. It was solved changing the project JDK to JDK 1.8, that is the autopsy 3.1-beta embedded (and compilation?) java version.
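The `Unsupported major.minor version 52.0` error in this thread is the JVM refusing class files compiled for Java 8 (class-file major version 52) on an older runtime. As an added example that is not part of the thread or of Autopsy's code, this Python script reads the class-file headers inside a jar and reports which Java release it needs; the sample jar it builds is constructed for the demonstration and the `org/example/...` entry names are placeholders.

```python
"""Report the Java class-file versions found inside a jar (added example)."""
import io
import struct
import sys
import zipfile
from collections import Counter

CLASS_MAGIC = 0xCAFEBABE


def class_file_version(header):
    """Return (major, minor) from the first 8 bytes of a .class file.

    Layout per the JVM specification: u4 magic, u2 minor_version,
    u2 major_version, all big-endian. Returns None when the data is too
    short or the magic number does not match.
    """
    if len(header) < 8:
        return None
    magic, minor, major = struct.unpack(">IHH", header[:8])
    if magic != CLASS_MAGIC:
        return None
    return major, minor


def java_release(major):
    """Map a class-file major version to the Java release that introduced it."""
    if major < 45:
        return "unknown"
    if major <= 48:                       # 45..48 -> JDK 1.1 .. 1.4
        return "1.%d" % (major - 44)
    return str(major - 44)                # 49 -> 5, 51 -> 7, 52 -> 8, ...


def scan_jar(jar):
    """Count class-file versions in a jar given as a path or file object.

    Returns (Counter {(major, minor): count}, [entries with a bad header]).
    """
    versions, malformed = Counter(), []
    with zipfile.ZipFile(jar) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".class"):
                continue
            with zf.open(info) as fh:
                parsed = class_file_version(fh.read(8))
            if parsed is None:
                malformed.append(info.filename)
            else:
                versions[parsed] += 1
    return versions, malformed


def required_release(versions):
    """Java release needed to load every class counted in `versions`."""
    if not versions:
        return "unknown"
    return java_release(max(major for major, _minor in versions))


def rejected_by(versions, runtime_major):
    """List the (major, minor) versions a runtime would refuse to load.

    A JVM rejects class files whose major version is higher than the one it
    supports; that is the UnsupportedClassVersionError quoted in the thread.
    """
    return sorted(v for v in versions if v[0] > runtime_major)


def build_sample_jar():
    """Constructed sample: a jar whose 'classes' are only 8-byte headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/example/Old.class", struct.pack(">IHH", CLASS_MAGIC, 0, 51))
        zf.writestr("org/example/New.class", struct.pack(">IHH", CLASS_MAGIC, 0, 52))
        zf.writestr("org/example/Broken.class", b"not a class file")
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Pass a jar path as the first argument, or run on the constructed sample.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_jar()
    found, bad = scan_jar(target)
    for (major, minor), count in sorted(found.items()):
        print("%d.%d (Java %s): %d classes" % (major, minor, java_release(major), count))
    print("needs Java", required_release(found))
    print("rejected by a Java 7 runtime (major 51):", rejected_by(found, 51))
    if bad:
        print("entries without a valid class header:", bad)
```

Run against a module jar, it shows the highest class-file version present before the jar is loaded into a project configured with an older JDK.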
From: Luís F. N. <lfc...@gm...> - 2014-07-23 16:26:55
I got this error too. It was solved changing the project JDK to JDK 1.8, that is the autopsy 3.1-beta embedded (and compilation?) java version.

2014-07-23 11:25 GMT-03:00 Justin Grover <jus...@gm...>:

> Rajmund & SleuthKit Devs,
>
> This may be a bug... I tried creating a basic bare-bones ingest module
> using the 3.1 documentation with Autopsy 3.1-beta installed. When running
> my module from Netbeans, I get the following error:
>
> org.netbean.InvalidException: StandardModule:org.sleuthkit.autopsy.core jarFile: C:\Program Files\Autopsy-3.1.0_Beta\autopsy\modules\org-sleuthkit-autopsy-core.jar: java.lang.UnsupportedClassVersionError: org/sleuthkit/datamodel/TskCoreException : Unsupported major.minor version 52.0
>
> -Justin
From: Justin G. <jus...@gm...> - 2014-07-23 14:25:39
|
Rajmund & SleuthKit Devs,

This may be a bug...

I tried creating a basic bare-bones ingest module using the 3.1 documentation with Autopsy 3.1-beta installed. When running my module from Netbeans, I get the following error:

    org.netbean.InvalidException: StandardModule:org.sleuthkit.autopsy.core jarFile: C:\Program Files\Autopsy-3.1.0_Beta\autopsy\modules\org-sleuthkit-autopsy-core.jar: java.lang.UnsupportedClassVersionError: org/sleuthkit/datamodel/TskCoreException : Unsupported major.minor version 52.0

-Justin

On Mon, Jul 14, 2014 at 5:14 PM, Justin Grover <jus...@gm...> wrote:

> Thank you!
>
> On Mon, Jul 14, 2014 at 4:43 PM, Rajmund <ra...@4e...> wrote:
>
>> Hi Justin,
>>
>> The documentation you are following is for the upcoming release (3.1) and not the one you are using (3.0.10)
>>
>> Either wait until the next one is out or follow:
>>
>> http://www.sleuthkit.org/autopsy/docs/api-docs/3.0/mod_ingest_page.html
>>
>> I have found it very useful to start with a working example such as:
>>
>> https://github.com/sleuthkit/autopsy/blob/master/ExifParser/src/org/sleuthkit/autopsy/exifparser/ExifParserFileIngestModule.java
>>
>> and modify some of the lines to do other things :)
>>
>> Once you get to start looking at artifacts you may find the following useful:
>>
>> http://www.4ensics.co.uk/2014/05/autopsy-3-artifacts-attributes-quick-overview/
>>
>> Regards
>>
>> Rajmund
>>
>> *From:* Justin Grover [mailto:jus...@gm...]
>> *Sent:* 14 July 2014 19:50
>> *To:* sle...@li...
>> *Subject:* [sleuthkit-developers] Creating My First Module
>>
>> Hi sleuthkit-devs,
>>
>> Trying to create my first basic Autopsy module and am failing miserably. Can someone help me out?
>>
>> I've followed the documentation and have Netbeans, Java & Autopsy set up properly on Windows 7. I'm now following the docs to create an ingest module. I created a class, tried to extend it with org.sleuthkit.autopsy.ingest.IngestModuleFactoryAdapter, but this class is not found :(.
>>
>> I peeked in the Autopsy-Core library, and it looks like the class files for IngestModuleFactory & IngestModuleFactoryAdapter are both missing. Many other files that begin with "IngestModule" are there.
>>
>> I've been following these docs: http://www.sleuthkit.org/autopsy/docs/api-docs/3.1/mod_ingest_page.html.
>>
>> Were these files moved? or forgotten about? I'm working with Autopsy 3.0.10.
>>
>> Justin
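Added example, not part of the thread and not Autopsy code: "Unsupported major.minor version 52.0" is the JVM reporting that a class was compiled to class-file version 52 (Java 8) while the running JVM only accepts older versions. The check below reads the class-file header of every entry in a JAR and lists the classes the current runtime cannot load; the class name ClassVersionCheck and the 8-byte sample header are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Hypothetical helper: lists classes in a JAR that need a newer JVM than the one running it. */
public class ClassVersionCheck {

    /** Reads the class-file header: u4 magic, u2 minor_version, u2 major_version. */
    static int majorVersion(InputStream in) throws IOException {
        DataInputStream data = new DataInputStream(in);
        if (data.readInt() != 0xCAFEBABE) {
            throw new IOException("not a class file (bad magic)");
        }
        data.readUnsignedShort();         // minor_version, not needed here
        return data.readUnsignedShort();  // major_version
    }

    /** Highest class-file major version the running JVM accepts, e.g. "51.0" gives 51. */
    static int runtimeMajor() {
        String version = System.getProperty("java.class.version");
        return Integer.parseInt(version.substring(0, version.indexOf('.')));
    }

    /** Java release that introduced a major version: 45 is 1.1, 48 is 1.4, 49 is 5, 52 is 8. */
    static String javaRelease(int major) {
        return major <= 48 ? "1." + (major - 44) : String.valueOf(major - 44);
    }

    static void report(String name, int major, int runtime) {
        System.out.printf("%s: class-file version %d.0 (Java %s), this JVM accepts up to %d.0 (Java %s): %s%n",
                name, major, javaRelease(major), runtime, javaRelease(runtime),
                major > runtime ? "NOT loadable" : "loadable");
    }

    public static void main(String[] args) throws IOException {
        int runtime = runtimeMajor();
        if (args.length == 0) {
            // Constructed sample: only the first 8 bytes of a class file, major version 52.
            byte[] header = {(byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE, 0, 0, 0, 52};
            report("constructed-sample.class", majorVersion(new ByteArrayInputStream(header)), runtime);
            return;
        }
        // Usage: java ClassVersionCheck path/to/module.jar
        try (JarFile jar = new JarFile(args[0])) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (!entry.getName().endsWith(".class")) {
                    continue;
                }
                try (InputStream in = jar.getInputStream(entry)) {
                    int major = majorVersion(in);
                    if (major > runtime) {
                        report(entry.getName(), major, runtime);
                    }
                }
            }
        }
    }
}
```

Run it with the same JVM that launches the application, since the comparison is against that runtime's own `java.class.version`.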
From: Luís F. N. <lfc...@gm...> - 2014-07-22 13:21:33
|
I tried to install a security policy into an autopsy module, to block internet connections from the html viewer of MultiContentViewer module, but it seems that the default netbeans security manager, TopSecurityManager, is too permissive and is ignoring the installed policy. TopSecurityManager also does not allow itself to be uninstalled or changed.

Does any netbeans platform expert know if it is possible to do an early install of a new security manager on autopsy/netbeans platform initialization, before the loading of TopSecurityManager?

Luis
From: Luís F. N. <lfc...@gm...> - 2014-07-16 14:35:51
|
Thank you very much, Brian, worked fine. The idea is to render files based on signature. I tried the code posted before because, with minor changes to the correct artifact and attribute type ids, it worked to get keyword hits.

2014-07-16 10:33 GMT-03:00 Brian Carrier <ca...@sl...>:

> I don't know if the BlackboardArtifacts will be in the node for lookup. Typically, we get them from the file object itself (Node -> Content -> Artifacts).
>
> This is the code that we use in several modules (this one is from the 7zip module):
>
>     ArrayList<BlackboardAttribute> attributes =
>             file.getGenInfoAttributes(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_FILE_TYPE_SIG);
>     for (BlackboardAttribute attribute : attributes) {
>         attributeFound = true;
>         String fileType = attribute.getValueString();
>         if (!fileType.isEmpty() && fileType.equals("application/zip")) { //NON-NLS
>             return true;
>         }
>     }
>
> On Jul 15, 2014, at 11:11 PM, Luís Filipe Nassif <lfc...@gm...> wrote:
>
> > After running File Type Id. and File Ext Mismatch modules, I see the generated artifacts and attributes into sqlite. But I am not being able to get the mimetype from a file with the code below:
> >
> >     Collection<? extends BlackboardArtifact> artifacts = node.getLookup().lookupAll(BlackboardArtifact.class);
> >     for(BlackboardArtifact artifact : artifacts)
> >         if(artifact.getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getTypeID())
> >             try {
> >                 for(BlackboardAttribute attr : artifact.getAttributes()){
> >                     if(attr.getAttributeTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_FILE_TYPE_SIG.getTypeID()){
> >                         String mimeType = attr.getValueString();
> >                         //System.out.println(artifact.getArtifactTypeName() + "-" +attr.getAttributeTypeName() + ": " + mimeType);
> >                         return mimeType;
> >                     }
> >                 }
> >             } catch (TskCoreException ex) {
> >                 Exceptions.printStackTrace(ex);
> >             }
> >
> > Is there something wrong with the code?
> >
> > Regards,
> > Luis
From: Brian C. <ca...@sl...> - 2014-07-16 13:34:04
|
I don't know if the BlackboardArtifacts will be in the node for lookup. Typically, we get them from the file object itself (Node -> Content -> Artifacts).

This is the code that we use in several modules (this one is from the 7zip module):

    ArrayList<BlackboardAttribute> attributes =
            file.getGenInfoAttributes(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_FILE_TYPE_SIG);
    for (BlackboardAttribute attribute : attributes) {
        attributeFound = true;
        String fileType = attribute.getValueString();
        if (!fileType.isEmpty() && fileType.equals("application/zip")) { //NON-NLS
            return true;
        }
    }

On Jul 15, 2014, at 11:11 PM, Luís Filipe Nassif <lfc...@gm...> wrote:

> After running File Type Id. and File Ext Mismatch modules, I see the generated artifacts and attributes into sqlite. But I am not being able to get the mimetype from a file with the code below:
>
>     Collection<? extends BlackboardArtifact> artifacts = node.getLookup().lookupAll(BlackboardArtifact.class);
>     for(BlackboardArtifact artifact : artifacts)
>         if(artifact.getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getTypeID())
>             try {
>                 for(BlackboardAttribute attr : artifact.getAttributes()){
>                     if(attr.getAttributeTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_FILE_TYPE_SIG.getTypeID()){
>                         String mimeType = attr.getValueString();
>                         //System.out.println(artifact.getArtifactTypeName() + "-" +attr.getAttributeTypeName() + ": " + mimeType);
>                         return mimeType;
>                     }
>                 }
>             } catch (TskCoreException ex) {
>                 Exceptions.printStackTrace(ex);
>             }
>
> Is there something wrong with the code?
>
> Regards,
> Luis
From: Luís F. N. <lfc...@gm...> - 2014-07-16 03:11:19
|
After running File Type Id. and File Ext Mismatch modules, I see the generated artifacts and attributes into sqlite. But I am not being able to get the mimetype from a file with the code below:

    Collection<? extends BlackboardArtifact> artifacts = node.getLookup().lookupAll(BlackboardArtifact.class);
    for(BlackboardArtifact artifact : artifacts)
        if(artifact.getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getTypeID())
            try {
                for(BlackboardAttribute attr : artifact.getAttributes()){
                    if(attr.getAttributeTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_FILE_TYPE_SIG.getTypeID()){
                        String mimeType = attr.getValueString();
                        //System.out.println(artifact.getArtifactTypeName() + "-" +attr.getAttributeTypeName() + ": " + mimeType);
                        return mimeType;
                    }
                }
            } catch (TskCoreException ex) {
                Exceptions.printStackTrace(ex);
            }

Is there something wrong with the code?

Regards,
Luis
From: Brian C. <ca...@sl...> - 2014-07-16 02:22:10
|
Yea, LGPL is OK. The Apache license doesn't limit the license of the modules. The code that you bring in may limit your license, but Autopsy won't limit it.

On Jul 15, 2014, at 8:03 PM, Luís Filipe Nassif <lfc...@gm...> wrote:

> Hi Brian,
>
> Thank you for the link. I decided to embed libreoffice for windows, as it is the current OS for which there is an installer, so the module will work transparently. I think that in a few days I will be able to share the module and the source. LGPL is ok to a possible future integration with Autopsy?
>
> Luis
>
> 2014-07-15 17:50 GMT-03:00 Brian Carrier <ca...@sl...>:
> Hi Luis,
>
> In terms of how to embed native libraries, use this page:
>
> http://wiki.netbeans.org/DevFaqNativeLibraries
>
> In terms of dependencies and what you bring along versus what you ask the user to install, that's up to how much effort you want to put into it, who you think the target user is, and how many platforms you want to target. Autopsy won't care.
>
> brian
>
> On Jul 11, 2014, at 9:25 AM, Luís Filipe Nassif <lfc...@gm...> wrote:
>
> > Hi,
> >
> > I am working on a multi data content viewer, that will display several file formats, including html, pdf, eml, tif, psd, visio, cdr, dbf, open office, ms office, etc, as said before. Is there any guideline on how to embed native libs into the module? And would it be better to embed a portable LibreOffice into the module (some hundreds of megabytes, ~100 MB zipped) or to ask the user to download and install LibreOffice to enable all module features?
> >
> > Regards,
> > Luis Nassif
> >
> > 2014-04-25 22:34 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
> > Hi guys,
> >
> > I think Autopsy 3 is a very promising forensic framework, and it will become a lot better. Looking at the developers guidelines, apis and source, I think I could contribute with one or some modules. I have been working for the last three years on a java analysis tool and I think that I could adapt some of its modules to autopsy modules.
> >
> > 1. A PST file parser for extracting emails and attachs, powered by java-libpst, Apache licensed
> >
> > 2. A DBX file parser for extracting emails and attachs, powered by a patched version of java OEReader, GPL
> >
> > 3. HTML viewer, by using javaFx (i read somewhere it is being implemented?)
> >
> > 4. PDF viewer, by IcePDF, Apache License (I have already coded a proof of concept PDFContentViewer autopsy module)
> >
> > 5. EML viewer, using Apache Mime4J and JavaFx
> >
> > 6. TIF viewer, using java imageio
> >
> > 7. Office and many other formats viewer, integrating LibreOffice4
> >
> > Which one of these is not being developed and could better improve Autopsy functionalities?
> >
> > PS: I did not see a file signature ingest module. Does it already exist?
> >
> > Nassif
> >
> > Brazilian Federal Police Examiner
From: Luís F. N. <lfc...@gm...> - 2014-07-16 00:04:02
|
Hi Brian,

Thank you for the link. I decided to embed libreoffice for windows, as it is the current OS for which there is an installer, so the module will work transparently. I think that in a few days I will be able to share the module and the source. LGPL is ok to a possible future integration with Autopsy?

Luis

2014-07-15 17:50 GMT-03:00 Brian Carrier <ca...@sl...>:

> Hi Luis,
>
> In terms of how to embed native libraries, use this page:
>
> http://wiki.netbeans.org/DevFaqNativeLibraries
>
> In terms of dependencies and what you bring along versus what you ask the user to install, that's up to how much effort you want to put into it, who you think the target user is, and how many platforms you want to target. Autopsy won't care.
>
> brian
>
> On Jul 11, 2014, at 9:25 AM, Luís Filipe Nassif <lfc...@gm...> wrote:
>
> > Hi,
> >
> > I am working on a multi data content viewer, that will display several file formats, including html, pdf, eml, tif, psd, visio, cdr, dbf, open office, ms office, etc, as said before. Is there any guideline on how to embed native libs into the module? And would it be better to embed a portable LibreOffice into the module (some hundreds of megabytes, ~100 MB zipped) or to ask the user to download and install LibreOffice to enable all module features?
> >
> > Regards,
> > Luis Nassif
> >
> > 2014-04-25 22:34 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
> > Hi guys,
> >
> > I think Autopsy 3 is a very promising forensic framework, and it will become a lot better. Looking at the developers guidelines, apis and source, I think I could contribute with one or some modules. I have been working for the last three years on a java analysis tool and I think that I could adapt some of its modules to autopsy modules.
> >
> > 1. A PST file parser for extracting emails and attachs, powered by java-libpst, Apache licensed
> >
> > 2. A DBX file parser for extracting emails and attachs, powered by a patched version of java OEReader, GPL
> >
> > 3. HTML viewer, by using javaFx (i read somewhere it is being implemented?)
> >
> > 4. PDF viewer, by IcePDF, Apache License (I have already coded a proof of concept PDFContentViewer autopsy module)
> >
> > 5. EML viewer, using Apache Mime4J and JavaFx
> >
> > 6. TIF viewer, using java imageio
> >
> > 7. Office and many other formats viewer, integrating LibreOffice4
> >
> > Which one of these is not being developed and could better improve Autopsy functionalities?
> >
> > PS: I did not see a file signature ingest module. Does it already exist?
> >
> > Nassif
> >
> > Brazilian Federal Police Examiner
From: Brian C. <ca...@sl...> - 2014-07-15 20:51:04
|
Hi Luis,

In terms of how to embed native libraries, use this page:

http://wiki.netbeans.org/DevFaqNativeLibraries

In terms of dependencies and what you bring along versus what you ask the user to install, that's up to how much effort you want to put into it, who you think the target user is, and how many platforms you want to target. Autopsy won't care.

brian

On Jul 11, 2014, at 9:25 AM, Luís Filipe Nassif <lfc...@gm...> wrote:

> Hi,
>
> I am working on a multi data content viewer, that will display several file formats, including html, pdf, eml, tif, psd, visio, cdr, dbf, open office, ms office, etc, as said before. Is there any guideline on how to embed native libs into the module? And would it be better to embed a portable LibreOffice into the module (some hundreds of megabytes, ~100 MB zipped) or to ask the user to download and install LibreOffice to enable all module features?
>
> Regards,
> Luis Nassif
>
> 2014-04-25 22:34 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
> Hi guys,
>
> I think Autopsy 3 is a very promising forensic framework, and it will become a lot better. Looking at the developers guidelines, apis and source, I think I could contribute with one or some modules. I have been working for the last three years on a java analysis tool and I think that I could adapt some of its modules to autopsy modules.
>
> 1. A PST file parser for extracting emails and attachs, powered by java-libpst, Apache licensed
>
> 2. A DBX file parser for extracting emails and attachs, powered by a patched version of java OEReader, GPL
>
> 3. HTML viewer, by using javaFx (i read somewhere it is being implemented?)
>
> 4. PDF viewer, by IcePDF, Apache License (I have already coded a proof of concept PDFContentViewer autopsy module)
>
> 5. EML viewer, using Apache Mime4J and JavaFx
>
> 6. TIF viewer, using java imageio
>
> 7. Office and many other formats viewer, integrating LibreOffice4
>
> Which one of these is not being developed and could better improve Autopsy functionalities?
>
> PS: I did not see a file signature ingest module. Does it already exist?
>
> Nassif
>
> Brazilian Federal Police Examiner
From: Rajmund <ra...@4e...> - 2014-07-14 21:06:33
|
Hi Justin,

The documentation you are following is for the upcoming release (3.1) and not the one you are using (3.0.10)

Either wait until the next one is out or follow:

http://www.sleuthkit.org/autopsy/docs/api-docs/3.0/mod_ingest_page.html

I have found it very useful to start with a working example such as:

https://github.com/sleuthkit/autopsy/blob/master/ExifParser/src/org/sleuthkit/autopsy/exifparser/ExifParserFileIngestModule.java

and modify some of the lines to do other things :)

Once you get to start looking at artifacts you may find the following useful:

http://www.4ensics.co.uk/2014/05/autopsy-3-artifacts-attributes-quick-overview/

Regards

Rajmund

From: Justin Grover [mailto:jus...@gm...]
Sent: 14 July 2014 19:50
To: sle...@li...
Subject: [sleuthkit-developers] Creating My First Module

Hi sleuthkit-devs,

Trying to create my first basic Autopsy module and am failing miserably. Can someone help me out?

I've followed the documentation and have Netbeans, Java & Autopsy set up properly on Windows 7. I'm now following the docs to create an ingest module. I created a class, tried to extend it with org.sleuthkit.autopsy.ingest.IngestModuleFactoryAdapter, but this class is not found :(.

I peeked in the Autopsy-Core library, and it looks like the class files for IngestModuleFactory & IngestModuleFactoryAdapter are both missing. Many other files that begin with "IngestModule" are there.

I've been following these docs: http://www.sleuthkit.org/autopsy/docs/api-docs/3.1/mod_ingest_page.html.

Were these files moved? or forgotten about? I'm working with Autopsy 3.0.10.

Justin
From: Justin G. <jus...@gm...> - 2014-07-14 18:49:45
|
Hi sleuthkit-devs,

Trying to create my first basic Autopsy module and am failing miserably. Can someone help me out?

I've followed the documentation and have Netbeans, Java & Autopsy set up properly on Windows 7. I'm now following the docs to create an ingest module. I created a class, tried to extend it with org.sleuthkit.autopsy.ingest.IngestModuleFactoryAdapter, but this class is not found :(.

I peeked in the Autopsy-Core library, and it looks like the class files for IngestModuleFactory & IngestModuleFactoryAdapter are both missing. Many other files that begin with "IngestModule" are there.

I've been following these docs: http://www.sleuthkit.org/autopsy/docs/api-docs/3.1/mod_ingest_page.html.

Were these files moved? or forgotten about? I'm working with Autopsy 3.0.10.

Justin
From: Luís F. N. <lfc...@gm...> - 2014-07-11 13:25:54
|
Hi,

I am working on a multi data content viewer, that will display several file formats, including html, pdf, eml, tif, psd, visio, cdr, dbf, open office, ms office, etc, as said before. Is there any guideline on how to embed native libs into the module? And would it be better to embed a portable LibreOffice into the module (some hundreds of megabytes, ~100 MB zipped) or to ask the user to download and install LibreOffice to enable all module features?

Regards,
Luis Nassif

2014-04-25 22:34 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:

> Hi guys,
>
> I think Autopsy 3 is a very promising forensic framework, and it will become a lot better. Looking at the developers guidelines, apis and source, I think I could contribute with one or some modules. I have been working for the last three years on a java analysis tool and I think that I could adapt some of its modules to autopsy modules.
>
> 1. A PST file parser for extracting emails and attachs, powered by java-libpst, Apache licensed
>
> 2. A DBX file parser for extracting emails and attachs, powered by a patched version of java OEReader, GPL
>
> 3. HTML viewer, by using javaFx (i read somewhere it is being implemented?)
>
> 4. PDF viewer, by IcePDF, Apache License (I have already coded a proof of concept PDFContentViewer autopsy module)
>
> 5. EML viewer, using Apache Mime4J and JavaFx
>
> 6. TIF viewer, using java imageio
>
> 7. Office and many other formats viewer, integrating LibreOffice4
>
> Which one of these is not being developed and could better improve Autopsy functionalities?
>
> PS: I did not see a file signature ingest module. Does it already exist?
>
> Nassif
>
> Brazilian Federal Police Examiner
From: Wiktor S. <wik...@gm...> - 2014-06-10 12:27:05
|
Hi Guys,

I am doing a project on mobile forensics and want to use Volatility Framework with Autopsy. I understand that the first step I have to do is to import image into SQLite DB. I am using image acquired with https://code.google.com/p/lime-forensics/ file.lime

What class should I change to be able to import this file?

Vic

-----------------------------------------------
www.bluegreenblack.com
www.thisfeelsgreat.blogspot.com
For sensitive information please use encryption.
Public key available at: http://pgp.mit.edu/
Fingerprint: E52E 7520 1196 410B 13A0 0F7B B809 1A84 3617 C7D8
From: Luís F. N. <lfc...@gm...> - 2014-05-14 00:00:57
|
Did someone take a look at this? I think using Tika.detect(stream, filename) would improve autopsy file type detection.

Nassif

2014-04-28 20:38 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:

> Updating, I did not build nor test the develop branch, but the configuration file mismatch_config.xml from the FileExtMismatch module seems like Autopsy is not being able to differentiate between the MS Office formats. If this is correct, I think using Tika detection from an inputStream would solve the issue.
>
> 2014-04-28 20:18 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
>
>> Great news, Brian, thank you.
>>
>> I took a look at TikaFileTypeDetector and it is using only the file first 100 bytes for detection. From Tika.detect(byte[]) doc:
>>
>> "For best results at least a few kilobytes of the document data are needed. See also the other detect() methods for better alternatives when you have more than just the document prefix available for type detection."
>>
>> And Tika's default, when reading from a stream, currently is 64KB, so it can correctly detect things like "XML root elements after initial comment and DTDs" (MimeTypes doc) and, IMHO, zip based types (ooxml, odf...), ole2 and the text detection heuristics would work better.
>>
>> From my Tika experience, I think it would do better detection using Tika.detect(inputStream, fileName), so Tika will read file bytes as needed and will use the file name for detection refinement. In some cases Tika will spool the entire stream to a temporary file for correct detection, but in the general case will read 64KB. I think reading only 100B, instead of 64KB, does not have a significant time difference when reading from a spinning magnetic drive, with high latency times, commonly used for disk images storage.
>>
>> 2014-04-28 11:01 GMT-03:00 Brian Carrier <ca...@sl...>:
>>
>>> Yea, the 3.1 release (which is the develop branch on github) is using Tika's file type detection.
>>>
>>> On Apr 26, 2014, at 7:57 AM, Luís Filipe Nassif <lfc...@gm...> wrote:
>>>
>>> > Hi all,
>>> >
>>> > As I previously mentioned, I did not see a module like this in Autopsy 3, but read somewhere it will be in Autopsy 3.1, right? Solr, under the hoods, uses Tika for this purpose (and the results are great) before extracting text from files to index. I think explicitly using Tika for detection would be good, so Autopsy could inform Solr about the detected file mime type instead of Solr re-detecting all file signatures again. What do you think about it?
>>> >
>>> > Nassif
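Added example, not part of the thread and not Autopsy's TikaFileTypeDetector code: a side-by-side run of the two detection styles discussed above, `Tika.detect(byte[])` on a 100-byte prefix versus `Tika.detect(InputStream)` and `Tika.detect(InputStream, String)` on the full content. It assumes Apache Tika is on the classpath; the class name, the constructed XML sample (whose root element starts after a comment longer than 100 bytes) and the file name are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

import org.apache.tika.Tika;

/** Hypothetical comparison harness for prefix-based and stream-based Tika detection. */
public class TikaPrefixVsStream {

    /** Constructed sample: the svg root element lies beyond the first 100 bytes. */
    static byte[] sampleSvg() {
        StringBuilder sb = new StringBuilder("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!-- ");
        for (int i = 0; i < 20; i++) {
            sb.append("constructed padding ");
        }
        sb.append("-->\n<svg xmlns=\"http://www.w3.org/2000/svg\" width=\"1\" height=\"1\"/>\n");
        return sb.toString().getBytes(StandardCharsets.UTF_8);
    }

    /** Detection from a fixed-size prefix only, the approach the message above objects to. */
    static String detectFromPrefix(Tika tika, byte[] content, int prefixLength) {
        byte[] prefix = Arrays.copyOf(content, Math.min(prefixLength, content.length));
        return tika.detect(prefix);
    }

    /** Detection from a stream: Tika decides how much to read. */
    static String detectFromStream(Tika tika, byte[] content) throws IOException {
        try (InputStream in = new ByteArrayInputStream(content)) {
            return tika.detect(in);
        }
    }

    /** Detection from a stream plus the file name as an additional hint. */
    static String detectFromStreamAndName(Tika tika, byte[] content, String fileName) throws IOException {
        try (InputStream in = new ByteArrayInputStream(content)) {
            return tika.detect(in, fileName);
        }
    }

    public static void main(String[] args) throws IOException {
        Tika tika = new Tika();
        byte[] content = sampleSvg();
        System.out.println("content length:        " + content.length + " bytes");
        System.out.println("100-byte prefix:       " + detectFromPrefix(tika, content, 100));
        System.out.println("stream:                " + detectFromStream(tika, content));
        System.out.println("stream + file name:    " + detectFromStreamAndName(tika, content, "constructed-sample.svg"));
    }
}
```

Because the 100-byte prefix ends inside the comment, only the stream-based calls have the root element available to them, which is the "XML root elements after initial comment" case quoted from the MimeTypes documentation.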