sleuthkit-users Mailing List for The Sleuth Kit (Page 26)
From: Brian C. <ca...@sl...> - 2015-06-05 13:29:59

Every time I do Autopsy training, I always tell people that the “Recent Files” view in Autopsy should go away because it doesn’t really serve the purpose I intended it to (in my opinion). This is the area that shows you all files that had any activity on the “Final Day” of the system (which is the most recent day before the current day that there was file system activity), the day before the final day, 2 days before the final day, etc. (with a view for each day for the last week).

My problem with the view is that it shows way too much stuff. You usually have hundreds of files in there. It needs additional filtering to make it useful. We don’t have filtering on the queue, so my vote is to remove it to simplify things. I think the timeline feature is much better at this now.

Is anybody using it who will be very sad if we disable it until we add filtering?

brian
From: Brian C. <ca...@sl...> - 2015-06-03 22:01:03

> On Jun 3, 2015, at 8:15 AM, Sylvain Petiot <syl...@gm...> wrote:
>
> Hello,
>
> I am trying to develop a Python module for Autopsy, but several questions remain unanswered for now despite my research. I need your expertise to carry out my project.
> I would like your help with three points that I haven't found an answer to:
>
> 1) Find the blackboard data (generated by other modules) in Python

In the sample files you referred to below, the ‘file’ object is passed in to the process() method in a FileIngestModule, or you get a Content object from the ‘findFiles()’ methods in the DataSourceIngestModules. Both of those are Content objects:

http://sleuthkit.org/sleuthkit/docs/jni-docs/interfaceorg_1_1sleuthkit_1_1datamodel_1_1_content.html

They have methods to get blackboard artifacts from them, such as getArtifacts(). The above is documentation for the Java classes, and the Python modules have access to all of the Java classes. We’ll have someone work on sample code for querying the blackboard for artifacts. But it is basically the getArtifacts() method that you can see from the above link; give it the artifact type that you want from that file.

> 2) Sample module developed for Autopsy in Python.

You referred below to the sample modules that we have. We (Basis Technology) do all of our development in Java, so we don’t have any “real” modules that are in Python to point to.

> 3) Find a specific file by its path in Python.

The sample data source ingest module (https://github.com/sleuthkit/autopsy/blob/develop/pythonExamples/dataSourceIngestModule.py) uses the FileManager service to query for files. The method used in the sample only gives the file name to search for, but there is another method in FileManager that allows you to specify the parent path:

http://sleuthkit.org/autopsy/docs/api-docs/3.1/classorg_1_1sleuthkit_1_1autopsy_1_1casemodule_1_1services_1_1_file_manager.html#a87f2ab90774caaf385839a242ea1284f

That should do what you need.

NOTE: there is a bug in the current version of Autopsy that prevents that method from working on “logical files”, but it is fixed for the release that we’ll be doing next week.

> 1) I'm interested in the recovery of information from a previous module.
> I saw the documentation about the blackboard, like this page: The Sleuth Kit Framework - The Blackboard, and we can see that access to the blackboard is possible in C++ and Java.
> Is it possible to do the same thing with Python, and how?

Yup. As mentioned above. The most up-to-date docs on the blackboard are here:

http://sleuthkit.org/sleuthkit/docs/jni-docs/mod_bbpage.html

> 2) I did some research to find Python modules developed for Autopsy, and I have not found complete projects outside the examples found at: https://github.com/sleuthkit/autopsy/tree/develop/pythonExamples
> Do you have some links to existing projects developed in Python (not Java or NetBeans projects)?

See above. That’s all we have.

> 3) I would use in my module files with a defined path to display them in the blackboard "INTERESTING_FILE_HIT". The examples clearly show how to recover files with the find method and after that display these files in the blackboard, no problem about that.
> But how do I specify a path to a specific file, without using a keyword search (still in Python)?

See above.

Let us know if you have other questions.

> Thank you to those who respond to this message.
> Cordially
>
> Sylvain
From: Sylvain P. <syl...@gm...> - 2015-06-03 12:15:54

Hello,

I am trying to develop a Python module for Autopsy, but several questions remain unanswered for now despite my research. I need your expertise to carry out my project. I would like your help with three points that I haven't found an answer to:

1) Find the blackboard data (generated by other modules) in Python
2) Sample module developed for Autopsy in Python.
3) Find a specific file by its path in Python.

1) I'm interested in the recovery of information from a previous module. I saw the documentation about the blackboard, like this page: The Sleuth Kit Framework - The Blackboard <http://www.sleuthkit.org/sleuthkit/docs/framework-docs/mod_bbpage.html>, and we can see that access to the blackboard is possible in C++ and Java. Is it possible to do the same thing with Python, and how?

2) I did some research to find Python modules developed for Autopsy, and I have not found complete projects outside the examples found at: https://github.com/sleuthkit/autopsy/tree/develop/pythonExamples Do you have some links to existing projects developed in Python (not Java or NetBeans projects)?

3) I would use in my module files with a defined path to display them in the blackboard "INTERESTING_FILE_HIT". The examples clearly show how to recover files with the find method and after that display these files in the blackboard, no problem about that. But how do I specify a path to a specific file, without using a keyword search (still in Python)?

Thank you to those who respond to this message.

Cordially
Sylvain
From: Jon S. <JSt...@St...> - 2015-05-27 21:04:54

A few years ago, I know I successfully cross-compiled Sleuthkit for Windows. Sadly, that is where my memory ends. The current README_win32.txt says to pass "--host=i586-mingw32msvc" to cross-compile 32-bit Windows binaries. Has anyone successfully cross-compiled TSK for 64-bit Windows and, if so, how?

Thanks,
Jon
From: Brian C. <ca...@sl...> - 2015-05-26 20:44:42

There is less than 1 week left to submit a talk for OSDFCon 2015. It’s time for the final rush to submit. Only abstracts are needed. Use the form at http://www.osdfcon.org by EOD June 1 to submit.

The 6th Annual Open Source Digital Forensics Conference (OSDFCon) will be held on October 28, 2015 in Herndon, VA. All users and developers are invited to submit a presentation or workshop topic by June 1, 2015. This is a unique opportunity to present your work and experiences to over 400 people. The conference will be attended by both digital forensic investigators and developers. This event is a great opportunity to make investigators aware of your tools, get feedback from users, meet fellow developers and users, and help direct the future of open source digital forensics software.

To receive updates about the conference, sign up for e-mail updates (http://www.osdfcon.org) or watch #osdfcon on twitter.

TOPICS

We are looking for 35-minute talks on a variety of topics about using open source tools, including:

* New tools and analysis techniques
* New features to mature tools
* Open, plug-in analysis framework designs and experiences
* Automated analysis
* Hard drive analysis and triage
* Memory and network forensics
* Mobile device forensics
* Analyzing application-level artifacts
* Cyber incident response
* User experiences
* Case studies

We also have openings for half-day workshops on the day before the conference (October 27, 2015). The workshops should teach people how to use or develop open source tools by providing hands-on guidance.

SUBMISSION INSTRUCTIONS

Topics can be submitted using an online form: http://www.osdfcon.org

Submissions are due June 1, 2015. Our plan this year is to do an initial pass of the submissions and then use crowd sourcing to choose the final set of topics.

E-mail submissions2015 [at] osdfcon [dot] org with any questions.
From: Brian C. <ca...@sl...> - 2015-05-26 13:39:59

Based on some questions on and off list, I updated the sample Python modules this past weekend. If any of you are playing with them, you might want to refer to them.

https://github.com/sleuthkit/autopsy/tree/develop/pythonExamples

Changes include:

- There are now separate modules for file versus data source ingest modules. It is more common to have a module that is only one or the other, so this should be easier to start from.
- Both have the sample code to read file content.
- All now have logging code in there to help with debugging.
- All have “TODO” entries to figure out what needs to change.
- The documentation no longer points you to the (more complex) ingest module with a configuration GUI.

The next release of Autopsy (we expect it to be around June 8) will also make run-time errors in Python easier for you to detect because you’ll have pop-up windows with the errors. It will also have Python 2.7 (which Jython has now released).

Let us know if you have any other questions.
From: Justin G. <jus...@gm...> - 2015-05-21 19:25:33

Thank you Jim, Sam, and Brian for the info (and code) on how to read the contents from a file through an Autopsy Python module. Saved me a lot of time! It now works after figuring out how to adapt them to my specific situation.

-Justin
From: Brian C. <ca...@sl...> - 2015-05-19 02:57:05

Hi Geoffrey,

Answers inline.

> On May 18, 2015, at 3:51 AM, Geoffrey Wagnier <wag...@gm...> wrote:
>
> Hi guys,
>
> Some news about my project with Autopsy,
>
> Now I have my 2 modules installed and it works,
>
> However I have 2 questions:
>
> First, is it possible to launch 2 IngestModules at the same time with different names?

Sure. You should see both ingest modules listed individually after you add a data source and can enable or disable each. Do you see both modules in there?

> Secondly, do results from those modules have to be in "Interesting Items" or could we create another folder?

You can use Interesting Items or any of the blackboard artifacts that are already defined:

http://sleuthkit.org/sleuthkit/docs/jni-docs/enumorg_1_1sleuthkit_1_1datamodel_1_1_blackboard_artifact_1_1_a_r_t_i_f_a_c_t___t_y_p_e.html

In theory, you can also make your own Artifact types and add them to the database; however, there is currently a limitation that they are not shown in the UI. They need to be part of the official ENUM for them to make their way into the UI.

Does that answer your questions?

brian
From: Brian C. <ca...@sl...> - 2015-05-19 02:52:21

Yea, the code that Jim included here is the way to go. Our first Python module hit the same road block. The sample module (https://github.com/sleuthkit/autopsy/blob/develop/pythonExamples/simpleingestmodule.py) has the code to read content.

> On May 18, 2015, at 5:51 PM, James H Jr Jones <jj...@gm...> wrote:
>
> Something like this should work (when modified for your specific needs):
>
>     # Read the contents of the file.
>     inputStream = ReadContentInputStream(file)
>     buffer = jarray.zeros(1024, "b")
>     totLen = 0
>     len = inputStream.read(buffer)
>     while (len != -1):
>         totLen = totLen + len
>         len = inputStream.read(buffer)
>
> Also, imports include:
>
>     import jarray
>     from java.lang import System
>
> --Jim
>
> From: Justin Grover [mailto:jus...@gm...]
> Sent: Monday, May 18, 2015 5:42 PM
> To: sle...@li...
> Subject: [sleuthkit-users] Autopsy Python module - read file header
>
> Autopsy devs--
>
> I've got a Python File Ingest Module. Let's say I need to read the first byte from each file to determine its header value. What's the best way to do this in Python/Autopsy?
>
> I've got the following function within my module, but it doesn't work. Jython doesn't seem to handle the callback to fill the buffer.
>
>     def process(self, abstractFile):
>         buf = []
>         tmp = abstractFile.read(buf, 0, 1)
>
> -Justin
From: James H Jr J. <jj...@gm...> - 2015-05-18 22:06:17

Something like this should work (when modified for your specific needs):

    # Read the contents of the file.
    # ReadContentInputStream wraps the Content/AbstractFile as a Java InputStream;
    # read(buffer) fills the jarray and returns the byte count, or -1 at end of stream.
    inputStream = ReadContentInputStream(file)
    buffer = jarray.zeros(1024, "b")   # Java byte[] buffer; Jython has no cPython buffer type
    totLen = 0
    bytesRead = inputStream.read(buffer)   # named bytesRead so the builtin len() is not shadowed
    while (bytesRead != -1):
        totLen = totLen + bytesRead
        bytesRead = inputStream.read(buffer)
    inputStream.close()

Also, imports include:

    import jarray
    from java.lang import System
    from org.sleuthkit.datamodel import ReadContentInputStream

--Jim

From: Justin Grover [mailto:jus...@gm...]
Sent: Monday, May 18, 2015 5:42 PM
To: sle...@li...
Subject: [sleuthkit-users] Autopsy Python module - read file header

Autopsy devs--

I've got a Python File Ingest Module. Let's say I need to read the first byte from each file to determine its header value. What's the best way to do this in Python/Autopsy?

I've got the following function within my module, but it doesn't work. Jython doesn't seem to handle the callback to fill the buffer.

    def process(self, abstractFile):
        buf = []
        tmp = abstractFile.read(buf, 0, 1)

-Justin
From: Sam K <sku...@gm...> - 2015-05-18 22:01:49

Justin,

I ran into a similar problem using the .read method. The problem seems to be that Jython does not have the buffer object like cPython. I worked around it using a Java zeros object (since Jython wraps Java, you have access to resources from both languages). I have a suspicion that this might be problematic if you try to write a very large file through the Jython API (see the comments in the code below), although I haven't actually run into that problem. It seems to work perfectly fine in all of my tests.

    from jarray import zeros

    def writeFile(self, filename, fileAbstract, filesize):
        ## filename is a string for the filename of the target file
        ## fileAbstract is an AbstractFile object from sleuthkitCase.getAbstractFileById()
        ## filesize is a string containing the filesize from str(file.getContent().getSize())

        ### This currently loads the entire file into a single buffer.
        ### This will probably crash if the file is too big. It would be
        ### preferable to read continuously from a smaller buffer.
        outfile = open(filename, 'wb')
        filesize = int(filesize)
        # Jython doesn't have standard cPython buffer type. Using Java zeros instead.
        outbuffer = zeros(filesize, 'b')
        fileAbstract.read(outbuffer, 0, filesize)
        outfile.write(outbuffer)
        outfile.close()

Hope it helps-

Sam

On Mon, May 18, 2015 at 5:41 PM, Justin Grover <jus...@gm...> wrote:

> Autopsy devs--
>
> I've got a python File Ingest Module. Let's say I need to read the first byte from each file to determine its header value. What's the best way to do this in Python/Autopsy?
>
> I've got the following function within my module, but it doesn't work. Jython doesn't seem to handle the callback to fill the buffer.
>
>     def process(self, abstractFile):
>         buf = []
>         tmp = abstractFile.read(buf, 0, 1)
>
> -Justin
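As an added example (my code, not Jim's, Sam's or the Autopsy project's), here is the ReadContentInputStream/jarray.zeros pattern from the replies above packaged as a header sniffer: the read loop copes with short reads and the -1 end-of-stream sentinel, and the byte-handling part can be checked under plain CPython against a constructed stand-in stream before it goes into a Jython module. The signature table, FakeInputStream and sniff_autopsy_file are assumptions of mine.

```python
# Added example: not code from this thread or from the Autopsy project.
# It packages the ReadContentInputStream + jarray.zeros pattern from Jim's
# and Sam's replies into a small header-sniffing helper.  Only the Jython
# wiring (sniff_autopsy_file) needs Autopsy; the byte-handling logic is a
# plain function that is exercised here against a constructed stand-in
# stream so it can be checked with CPython before dropping it into a module.

# Constructed illustration table of file signatures ("magic bytes"); the
# OLE2 entry is the container used by legacy .doc/.xls/.ppt files.
SIGNATURES = [
    ("pdf", b"%PDF-"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("zip", b"PK\x03\x04"),
    ("ole2", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
]


def read_prefix(stream, make_buffer, want, chunk=1024):
    """Return the first `want` bytes of a Java-style InputStream as bytes.

    `stream.read(buf)` fills `buf` and returns the number of bytes placed in
    it, or -1 at end of stream (the sentinel Jim's loop tests).  A read may
    legally return fewer bytes than the buffer holds before EOF, so the loop
    keeps going until it has enough or sees -1.  `make_buffer(n)` builds the
    buffer: jarray.zeros(n, "b") under Jython, bytearray under CPython.
    """
    out = bytearray()
    buf = make_buffer(min(chunk, want))
    while len(out) < want:
        n = stream.read(buf)
        if n == -1:          # end of stream: a short file simply yields fewer bytes
            break
        # Java byte[] elements are signed (-128..127); mask to 0..255 and take
        # only the part of the buffer that this read actually filled.
        out.extend(b & 0xFF for b in buf[:n])
    return bytes(out[:want])


def identify(prefix):
    """Match the leading bytes against SIGNATURES; None if nothing matches."""
    for name, magic in SIGNATURES:
        if prefix.startswith(magic):
            return name
    return None


def sniff_autopsy_file(abstract_file, want=16):
    """Inside an Autopsy Jython ingest module: sniff one AbstractFile.

    The imports are deferred so this module also loads under plain CPython;
    they only resolve inside Autopsy's Jython interpreter.
    """
    import jarray                                                 # Jython only
    from org.sleuthkit.datamodel import ReadContentInputStream    # Jython only
    stream = ReadContentInputStream(abstract_file)
    try:
        return identify(read_prefix(stream, lambda n: jarray.zeros(n, "b"), want))
    finally:
        stream.close()


class FakeInputStream(object):
    """Constructed stand-in for java.io.InputStream.read(byte[]) semantics:
    returns deliberately short reads (at most max_read bytes), then -1."""

    def __init__(self, data, max_read=3):
        self.data = bytearray(data)
        self.pos = 0
        self.max_read = max_read

    def read(self, buf):
        if self.pos >= len(self.data):
            return -1
        n = min(len(buf), self.max_read, len(self.data) - self.pos)
        buf[:n] = self.data[self.pos:self.pos + n]
        self.pos += n
        return n


# Constructed sample input: an OLE2 compound-document header followed by
# padding, i.e. the start of a legacy Word file; not taken from any real file.
SAMPLE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 40


def demo():
    """Sniff the constructed sample through short reads; returns (kind, bytes read)."""
    prefix = read_prefix(FakeInputStream(SAMPLE_DOC, max_read=3), bytearray, 16)
    return identify(prefix), len(prefix)


if __name__ == "__main__":
    print(demo())   # ('ole2', 16)
```

Reading only a bounded prefix keeps the per-file cost small even for very large files, which is the concern Sam's comments raise about loading a whole file into one buffer.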
From: Justin G. <jus...@gm...> - 2015-05-18 21:41:41

Autopsy devs--

I've got a python File Ingest Module. Let's say I need to read the first byte from each file to determine its header value. What's the best way to do this in Python/Autopsy?

I've got the following function within my module, but it doesn't work. Jython doesn't seem to handle the callback to fill the buffer.

    def process(self, abstractFile):
        buf = []
        tmp = abstractFile.read(buf, 0, 1)

-Justin
From: Geoffrey W. <wag...@gm...> - 2015-05-18 07:51:09

Hi guys,

Some news about my project with Autopsy:

Now I have my 2 modules installed and they work. However, I have 2 questions:

First, is it possible to launch 2 IngestModules at the same time with different names?

Secondly, do results from those modules have to be in "Interesting Items" or could we create another folder?

Thx in advance!

Geoffrey
From: Justin G. <jus...@gm...> - 2015-05-13 17:48:51

Hi all,

I'm having trouble getting the following function to work properly in the Sample DataSource Ingest Module.

    List<AbstractFile> docFiles = fileManager.findFiles(dataSource, "%.doc");

docFiles is always reported with 0 elements in it, even though my data source is a logical file set containing 2000+ doc files with a ".doc" file extension. Can someone confirm this problem or look into it? I've tried both the Python and Java sample modules. Same results.

Here are the links to the sample modules:

* SampleDataSourceIngestModule.java (https://github.com/sleuthkit/autopsy/blob/develop/Core/src/org/sleuthkit/autopsy/examples/SampleDataSourceIngestModule.java)
* ingestmodule.py (https://github.com/sleuthkit/autopsy/blob/develop/pythonExamples/ingestmodule.py)

-Justin
From: Brian C. <ca...@sl...> - 2015-05-13 03:12:48

So the consensus seems to be to merge the ability to extract images from doc/xls/ppt into an existing module. The two ideas were:

- Add to EXIF to make a more general image module
- Add to the Archive module to make a more general “embedded data” module

Any strong opinions besides those already given?

> On Apr 16, 2015, at 9:57 AM, Brian Carrier <ca...@sl...> wrote:
>
> Question for the Autopsy users on the list. We’re about to add a feature to extract pictures from inside of Word/PowerPoint/Excel docs and add them in as derived files that will be hashed, searched, etc.
>
> The question is where we put the module.
>
> Technically, it is using the same library that we use in Keyword Search to extract text from these file types, so it would be fastest and least code for us to add it as a by-product of that module. Though, it is not very intuitive that the Keyword Search module would be doing that (from a user experience perspective).
>
> A second option is to make a module just for that. In addition to a slight performance hit, my other concern with this is that the list of ingest modules is starting to get long. I don’t want Autopsy to have a list of 20 items to select from each time (when most of them will always be enabled). There are of course longer-term ways to group modules by category, but that doesn’t solve the problem of where we check this in next week.
>
> A third option is to make a module that is graphic image focused and merge the EXIF module into it. So, this new module would extract images from Word and do the EXIF extraction, and have a name that is graphics-based.
>
> Any strong thoughts? Should performance trump a little confusion about who is actually going to be extracting the images?
From: Richard C. <rco...@ba...> - 2015-05-11 20:05:51

Justin is on the right track. We have not implemented Python bindings for SleuthKit at this time. What we have done is to make it possible to write Autopsy ingest modules in Python instead of Java. The glue consists of a combination of Jython and Java code in Autopsy that supports discovering, loading, and running instances of Python classes that implement the same ingest module plugin interfaces as do Java ingest module plugins.

Richard Cordovano
Autopsy Team Lead
Basis Technology

On Mon, May 11, 2015 at 3:08 PM, Justin Grover <jus...@gm...> wrote:

> Geoffrey,
>
> I'm just getting around to playing around with Autopsy Python plugins myself as well. The only way around the "no module named sleuthkit" error that I've found is to actually run the module in Autopsy. If you try to run it outside of Autopsy, you'll get the error.
>
> Developing a module outside of Autopsy will be a challenge since there is no documentation for it. The Autopsy 3.1 Python documentation says "You don't really need anything to develop a python Autopsy module except for the standard Autopsy and your favorite text editor."
>
> -Justin
>
> On Mon, May 11, 2015 at 9:59 AM, <sle...@li...> wrote:
>
>> Date: Mon, 11 May 2015 15:47:52 +0200
>> From: Geoffrey Wagnier <wag...@gm...>
>> Subject: Re: [sleuthkit-users] Information about how to develop a autopsy plugin in python/jython
>> To: "Richer, Mark (CIV)" <mhr...@np...>
>> Cc: sleuthkit-users <sle...@li...>
>>
>> Hi again,
>>
>> First, thx for all of your help, it was really nice for us, but we still have some problems with the library of Autopsy. The import doesn't work!
>>
>> On this kind of line from the examples (IngestModule):
>>
>>     File "C:\Users\Geo\Documents\NetBeansProjects\IngesModule\src\ingestmodule.py", line 5, in <module>
>>         from org.sleuthkit.autopsy.casemodule import Case
>>     ImportError: No module named sleuthkit
>>
>> As a result, we would like to develop a plugin which studies the web history for Autopsy in Python, but we have been blocked for 2 months.
>>
>> Best regards,
>>
>> Geoffrey
>>
>> 2015-05-06 17:10 GMT+02:00 Richer, Mark (CIV) <mhr...@np...>:
>>
>> > Geoffrey,
>> >
>> > It seems you will be best off using NetBeans as your IDE, but in general if you want to use Eclipse with Python, Jython or IronPython, then you should install PyDev in Eclipse.
>> >
>> > http://pydev.org
>> >
>> > Mark
>> >
>> > MARK H RICHER, MS CS
>> > Faculty Research Associate
>> > Computer Science Department
>> > Naval Postgraduate School - National Capital Region (NCR)
>> > 703-275-8533 (o) 571.303.9498 (m) mhr...@np...
>> >
>> > On May 6, 2015, at 11:00 AM, Brian Carrier <ca...@sl...> wrote:
>> >
>> > Hi Geoffrey,
>> >
>> > The development docs contain this information.
>> >
>> > All of the docs are here:
>> > http://sleuthkit.org/autopsy/docs/api-docs/3.1/index.html
>> > The Python-specific page is here:
>> > http://sleuthkit.org/autopsy/docs/api-docs/3.1/mod_dev_py_page.html
>> >
>> > The Python page assumes you’ve read the other pages though (except for the Java-specific page). It references sample modules, which can be found here:
>> >
>> > https://github.com/sleuthkit/autopsy/tree/develop/pythonExamples
>> >
>> > Autopsy is built on top of the NetBeans platform, so we always use NetBeans as an IDE. I’ve never tried Eclipse with Autopsy.
>> >
>> > thanks,
>> > brian
>> >
>> > On May 6, 2015, at 10:10 AM, Geoffrey Wagnier <wag...@gm...> wrote:
>> >
>> > Hi everyone,
>> >
>> > I'm Geoffrey, a student in IT security in France, and in order to finish a school project about Autopsy and Python plugins, I would like to know if someone can help on this project.
>> >
>> > First, I wonder if a skeleton in Python exists and how to use it and install it.
>> >
>> > Secondly, how does the Autopsy library work on Eclipse?
>> >
>> > And finally, any information will be great for my crew!
>> >
>> > Thx guys for reading,
>> >
>> > Best regards,
>> >
>> > Geoffrey
>> >> ------------------------------ >> >> Message: 2 >> Date: Mon, 11 May 2015 09:59:16 -0400 >> From: Sam K <sku...@gm...> >> Subject: Re: [sleuthkit-users] Information about how to develop a >> autopsy plugin in python/jython >> To: Geoffrey Wagnier <wag...@gm...> >> Cc: sleuthkit-users <sle...@li...> >> Message-ID: >> <CA+2b7+N9=OqY4__aB9p= >> Yz0...@ma...> >> Content-Type: text/plain; charset="utf-8" >> >> >> Geoffrey: >> >> Are you running the code from inside Autopsy, or are you trying to run >> from >> inside another IDE? Keep in mind that Python modules are running from a >> Jython interpreter that is called by Autopsy, so imports of Autopsy case >> information won't work unless you're actually running the module inside >> Autopsy. >> >> The line: >> >> from org.sleuthkit.autopsy.casemodule import Case >> >> works fine for me (Autopsy 3.1.2, Windows 7 x64). If you want to post >> more >> of your code somewhere, it would be helpful for troubleshooting it. >> >> One more thing to bear in mind when writing Python/Jython modules is that >> in Autopsy 3.1.2, the Jython interpreter is missing some standard Python >> libraries, see https://github.com/sleuthkit/autopsy/issues/988. Some >> imports will fail unless you make some modifications to the built in >> Jython.jar; although the error you mentioned is not one of them. >> >> -Sam >> >> On Mon, May 11, 2015 at 9:47 AM, Geoffrey Wagnier < >> wag...@gm...> wrote: >> >> > Hi again, >> > >> > First thx for all of your helps, it was really nice for us, but we still >> > have some problems with the library of autopsy. The import doesn't work! 
>> > >> > on this kind of line from the examples (IngestModule): >> > >> > File >> > >> "C:\Users\Geo\Documents\NetBeansProjects\IngesModule\src\ingestmodule.py", >> > line 5, in <module> >> > from org.sleuthkit.autopsy.casemodule import Case >> > ImportError: No module named sleuthkit >> > >> > >> > As a result, we would like to develop a plugin which studies the web >> > hystory for autopsy in python, but we are blocked since 2 month. >> > >> > Best regards, >> > >> > Geoffrey >> > >> > 2015-05-06 17:10 GMT+02:00 Richer, Mark (CIV) <mhr...@np...>: >> > >> >> Geoffrey, >> >> >> >> It seems you will be best off using NetBeans as your IDE, but in >> >> general if you want to use Eclipse with Python, Jython or IronPython, >> then >> >> you should install PyDev in Eclipse. >> >> >> >> http://pydev.org >> >> >> >> Mark >> >> >> >> *MARK H RICHER, MS CS* >> >> Faculty Research Associate >> >> Computer Science Department >> >> Naval Postgraduate School - National Capital Region (NCR) >> >> 703-275-8533 (o) 571.303.9498 (m) mhr...@np... >> >> >> >> >> >> On May 6, 2015, at 11:00 AM, Brian Carrier <ca...@sl...> >> >> wrote: >> >> >> >> Hi Geoffrey, >> >> >> >> The development docs contain this information. >> >> >> >> All of the docs are here: >> >> http://sleuthkit.org/autopsy/docs/api-docs/3.1/index.html >> >> The Python-specific page is here: >> >> http://sleuthkit.org/autopsy/docs/api-docs/3.1/mod_dev_py_page.html >> >> >> >> The python page assumes you?ve read the other pages though (except for >> >> the Java-specific page). It references sample modules, which can be >> found >> >> here: >> >> >> >> https://github.com/sleuthkit/autopsy/tree/develop/pythonExamples >> >> >> >> Autopsy is built on top of the NetBeans platform, so we always use >> >> NetBeans as an IDE. I?ve never tried Eclipse with Autopsy. 
>> >> >> >> >> thanks, >> >> brian >> >> >> >> >> >> >> >> >> >> On May 6, 2015, at 10:10 AM, Geoffrey Wagnier < >> wag...@gm...> >> >> wrote: >> >> >> >> Hi everyone, >> >> >> >> I'm Geoffrey a student in IT security in France, and in order to end a >> >> school project about autopsy and pyhton's plugins, I would like to >> know if >> >> someone can help on this project. >> >> >> >> First, I wonder if skeleton in python exists and how use it and install >> >> it. >> >> >> >> Secondly, how works the autopsy library on Eclipse ? >> >> >> >> and Finally, every informations will be great for my crew ! >> >> >> >> >> >> Thx guys for reading, >> >> >> >> Best regards, >> >> >> >> >> >> Geoffrey >> >> >> >> >> ------------------------------------------------------------------------------ >> >> One dashboard for servers and applications across >> Physical-Virtual-Cloud >> >> Widest out-of-the-box monitoring support with 50+ applications >> >> Performance metrics, stats and reports that give you Actionable >> Insights >> >> Deep dive visibility with transaction tracing using APM Insight. >> >> >> >> >> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y_______________________________________________ >> >> sleuthkit-users mailing list >> >> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users >> >> http://www.sleuthkit.org >> >> >> >> >> >> >> >> >> >> >> ------------------------------------------------------------------------------ >> >> One dashboard for servers and applications across >> Physical-Virtual-Cloud >> >> Widest out-of-the-box monitoring support with 50+ applications >> >> Performance metrics, stats and reports that give you Actionable >> Insights >> >> Deep dive visibility with transaction tracing using APM Insight. 
>> >> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y >> >> _______________________________________________ >> >> sleuthkit-users mailing list >> >> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users >> >> http://www.sleuthkit.org >> >> >> >> >> >> >> >> >> >> >> ------------------------------------------------------------------------------ >> >> One dashboard for servers and applications across >> Physical-Virtual-Cloud >> >> Widest out-of-the-box monitoring support with 50+ applications >> >> Performance metrics, stats and reports that give you Actionable >> Insights >> >> Deep dive visibility with transaction tracing using APM Insight. >> >> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y >> >> _______________________________________________ >> >> sleuthkit-users mailing list >> >> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users >> >> http://www.sleuthkit.org >> >> >> >> >> > >> > >> > >> ------------------------------------------------------------------------------ >> > One dashboard for servers and applications across Physical-Virtual-Cloud >> > Widest out-of-the-box monitoring support with 50+ applications >> > Performance metrics, stats and reports that give you Actionable Insights >> > Deep dive visibility with transaction tracing using APM Insight. >> > http://ad.doubleclick.net/ddm/clk/290420510;117567292;y >> > _______________________________________________ >> > sleuthkit-users mailing list >> > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users >> > http://www.sleuthkit.org >> > >> > >> -------------- next part -------------- >> An HTML attachment was scrubbed... 
>> >> ------------------------------ >> >> >> ------------------------------------------------------------------------------ >> One dashboard for servers and applications across Physical-Virtual-Cloud >> Widest out-of-the-box monitoring support with 50+ applications >> Performance metrics, stats and reports that give you Actionable Insights >> Deep dive visibility with transaction tracing using APM Insight. >> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y >> >> ------------------------------ >> >> _______________________________________________ >> sleuthkit-users mailing list >> sle...@li... >> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users >> >> >> End of sleuthkit-users Digest, Vol 107, Issue 6 >> *********************************************** >> > > > > ------------------------------------------------------------------------------ > One dashboard for servers and applications across Physical-Virtual-Cloud > Widest out-of-the-box monitoring support with 50+ applications > Performance metrics, stats and reports that give you Actionable Insights > Deep dive visibility with transaction tracing using APM Insight. > http://ad.doubleclick.net/ddm/clk/290420510;117567292;y > _______________________________________________ > sleuthkit-users mailing list > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > http://www.sleuthkit.org > > |
From: Justin G. <jus...@gm...> - 2015-05-11 19:08:29
Geoffrey,

I'm just getting around to playing around with Autopsy python plugins myself as well. The only way around the "no module named sleuthkit" error that I've found is to actually run the module in Autopsy. If you try to run it outside of Autopsy, you'll get the error.

Developing a module outside of autopsy will be a challenge since there is no documentation for it. The Autopsy 3.1 python documentation says "You don't really need anything to develop a python Autopsy module except for the standard Autopsy and your favorite text editor."

-Justin

On Mon, May 11, 2015 at 9:59 AM, <sle...@li...> wrote:
> Today's Topics:
>
> 1. Re: Information about how to develop a autopsy plugin in python/jython (Geoffrey Wagnier)
> 2. Re: Information about how to develop a autopsy plugin in python/jython (Sam K)
>
> Message: 1
> Date: Mon, 11 May 2015 15:47:52 +0200
> From: Geoffrey Wagnier <wag...@gm...>
> Subject: Re: [sleuthkit-users] Information about how to develop a autopsy plugin in python/jython
>
> Hi again,
>
> First thx for all of your help, it was really nice for us, but we still have some problems with the library of autopsy. The import doesn't work!
>
> on this kind of line from the examples (IngestModule):
>
> File "C:\Users\Geo\Documents\NetBeansProjects\IngesModule\src\ingestmodule.py", line 5, in <module>
> from org.sleuthkit.autopsy.casemodule import Case
> ImportError: No module named sleuthkit
>
> As a result, we would like to develop a plugin which studies the web history for autopsy in python, but we have been blocked for 2 months.
>
> Best regards,
>
> Geoffrey
>
> Message: 2
> Date: Mon, 11 May 2015 09:59:16 -0400
> From: Sam K <sku...@gm...>
> Subject: Re: [sleuthkit-users] Information about how to develop a autopsy plugin in python/jython
>
> Geoffrey:
>
> Are you running the code from inside Autopsy, or are you trying to run from inside another IDE? Keep in mind that Python modules are running from a Jython interpreter that is called by Autopsy, so imports of Autopsy case information won't work unless you're actually running the module inside Autopsy.
>
> The line:
>
> from org.sleuthkit.autopsy.casemodule import Case
>
> works fine for me (Autopsy 3.1.2, Windows 7 x64). If you want to post more of your code somewhere, it would be helpful for troubleshooting it.
>
> One more thing to bear in mind when writing Python/Jython modules is that in Autopsy 3.1.2, the Jython interpreter is missing some standard Python libraries, see https://github.com/sleuthkit/autopsy/issues/988. Some imports will fail unless you make some modifications to the built in Jython.jar; although the error you mentioned is not one of them.
>
> -Sam
>
> End of sleuthkit-users Digest, Vol 107, Issue 6
From: W. W. S. <wal...@ic...> - 2015-05-11 16:18:31
Thanks Brian and Terry for the info!

Terry, that paper doesn’t mention directory entries changing over time, but this is my recollection too, and I believe Microsoft support articles indicate as much as well. I don’t think DOS did anything but update last revised/modified times, while variants of Windows updated last accessed and created under differing policies.

Thanks again,

Walker

> On May 6, 2015, at 7:51 PM, Terry Olson <twj...@ho...> wrote:
>
> I won't promise I am correct, but I seem to recall that the directory entries in FAT have changed over time. The only support I can find is http://www.oldlinux.org/Linux.old/distributions/cnix/FAT.pdf, which says that the only time tracked is last changed. Later, they added created and modified.
>
> So, maybe this is what is going on?
>
> Terry Olson
> Digital Forensic Analyst
> Nebraska State Patrol Technical Crimes/ICAC
>
> > From: wal...@ic...
> > Date: Tue, 5 May 2015 20:27:52 -0600
> > To: sle...@li...
> > Subject: [sleuthkit-users] mactime - meaning of 0000-00-00T00:00:00Z
> >
> > Hi everyone,
> >
> > I’ve been working with mactime timelines across several floppy disk images (in FAT12) and have come upon events with a timestamp of 0000-00-00T00:00:00Z. Some of these events have a single notation (such as ‘c’, ’m’, etc.), others have all four entries marked (‘macb’).
> >
> > What does a timestamp of 0000-00-00T00:00:00Z mean? Is this a false positive (not an event at all), or simply an event logged without a time by an OS (and if so, have others seen this)? I understand that blank time entries mean that the event shares the time with the previous event - is a zeroed out timestamp the equivalent of that?
> >
> > - fls command to get body file: fls -m -i raw [image]
> > - mactime command for timeline: mactime -b [timeline.txt] -d -y
> >
> > Many thanks,
> >
> > Walker
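The zero-dated rows Walker asks about, worked through on constructed FAT directory entries. This is an added illustration for the thread, not code from The Sleuth Kit or from any poster: it decodes the DOS date/time words of a 32-byte short directory entry (field offsets and bit layouts assumed from the FAT specification), writes TSK-style body-file lines (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, with the ctime column left 0 because FAT stores no change time), and groups each line into timeline rows the way mactime does, rendering an unset time of 0 as the 0000-00-00T00:00:00Z string quoted above.

```python
import struct
from datetime import datetime, timezone

# Added illustration for this thread, not code from The Sleuth Kit or from any
# poster. Assumed: the FAT short directory entry layout (creation time/date at
# offsets 14-17, last-access date at 18-19, last-write time/date at 22-25), the
# TSK body-file layout MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime,
# and that an unset epoch of 0 is shown as 0000-00-00T00:00:00Z, as in the
# mactime -y output quoted above. Both directory entries below are constructed.


def decode_dos_date(d):
    """DOS date word: bits 15-9 = years since 1980, 8-5 = month, 4-0 = day.
    An all-zero word means month 0 / day 0, which is no date at all, so it is
    reported as None (unset) rather than as 1980-00-00."""
    if d == 0:
        return None
    return 1980 + (d >> 9), (d >> 5) & 0x0F, d & 0x1F


def decode_dos_time(t):
    """DOS time word: bits 15-11 = hour, 10-5 = minute, 4-0 = seconds / 2."""
    return t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2


def fat_to_epoch(date_field, time_field=0):
    """Epoch seconds (FAT times carry no zone; UTC is assumed here), or 0 when
    the date word is unset or does not form a calendar date."""
    ymd = decode_dos_date(date_field)
    if ymd is None:
        return 0
    try:
        return int(datetime(*ymd, *decode_dos_time(time_field),
                            tzinfo=timezone.utc).timestamp())
    except ValueError:  # e.g. month 13 or day 0 in a damaged entry
        return 0


def dir_entry_times(entry):
    """(atime, mtime, crtime) epochs from one 32-byte FAT short directory entry."""
    if len(entry) != 32:
        raise ValueError("a FAT short directory entry is 32 bytes")
    crt_time, crt_date, acc_date = struct.unpack_from("<HHH", entry, 14)
    wrt_time, wrt_date = struct.unpack_from("<HH", entry, 22)
    return (fat_to_epoch(acc_date),
            fat_to_epoch(wrt_date, wrt_time),
            fat_to_epoch(crt_date, crt_time))


def body_line(entry, name, inode):
    """One body-file line for the entry. FAT keeps no metadata-change time, so
    the ctime column is left 0 in this illustration."""
    atime, mtime, crtime = dir_entry_times(entry)
    size = struct.unpack_from("<I", entry, 28)[0]
    return "0|%s|%d|r/rrwxrwxrwx|0|0|%d|%d|%d|0|%d" % (
        name, inode, size, atime, mtime, crtime)


def iso8601(epoch):
    """Timestamp as mactime -y prints it; 0 becomes the all-zero date."""
    if epoch == 0:
        return "0000-00-00T00:00:00Z"
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def mactime_rows(line):
    """Group one body-file line into timeline rows the way mactime does: one row
    per distinct time, flagged with the fields (m, a, c, b) that share it."""
    f = line.split("|")
    if len(f) != 11:
        raise ValueError("expected 11 body-file fields")
    times = dict(zip("amcb", (int(x) for x in f[7:11])))
    return [(iso8601(t), "".join(k if times[k] == t else "." for k in "macb"), f[1])
            for t in sorted(set(times.values()))]


def timeline(entries):
    """Body lines for (entry, name) pairs, then every row in mactime's order."""
    lines = [body_line(e, n, i) for i, (e, n) in enumerate(entries, start=3)]
    return sorted(r for l in lines for r in mactime_rows(l))


# Constructed entry 1: only the last-write fields are set (1995-03-15 10:30:00);
# creation and last-access are zero, as a DOS-era writer would leave them.
ENTRY_DOS = (b"README  TXT" + bytes([0x20, 0, 0])      # name, attr, NTRes, CrtTimeTenth
             + struct.pack("<HHH", 0, 0, 0)            # CrtTime, CrtDate, LstAccDate
             + struct.pack("<H", 0)                    # FstClusHI
             + struct.pack("<HH", 0x53C0, 0x1E6F)      # WrtTime 10:30:00, WrtDate 1995-03-15
             + struct.pack("<H", 2)                    # FstClusLO
             + struct.pack("<I", 1234))                # FileSize
# Constructed entry 2: every timestamp field zero; it yields one "macb" row.
ENTRY_BLANK = b"NOTIME  DAT" + bytes([0x20, 0, 0]) + bytes(12) + struct.pack("<HI", 3, 64)

if __name__ == "__main__":
    for when, flags, name in timeline([(ENTRY_DOS, "README.TXT"), (ENTRY_BLANK, "NOTIME.DAT")]):
        print(when, flags, name)
```

The first entry produces a ".acb" row at the zero date and an "m..." row at the real write time; the second collapses to a single "macb" row at the zero date, which is the pattern described in the question.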
From: Sam K <sku...@gm...> - 2015-05-11 13:59:23
Geoffrey:

Are you running the code from inside Autopsy, or are you trying to run from inside another IDE? Keep in mind that Python modules are running from a Jython interpreter that is called by Autopsy, so imports of Autopsy case information won't work unless you're actually running the module inside Autopsy.

The line:

from org.sleuthkit.autopsy.casemodule import Case

works fine for me (Autopsy 3.1.2, Windows 7 x64). If you want to post more of your code somewhere, it would be helpful for troubleshooting it.

One more thing to bear in mind when writing Python/Jython modules is that in Autopsy 3.1.2, the Jython interpreter is missing some standard Python libraries, see https://github.com/sleuthkit/autopsy/issues/988. Some imports will fail unless you make some modifications to the built in Jython.jar; although the error you mentioned is not one of them.

-Sam

On Mon, May 11, 2015 at 9:47 AM, Geoffrey Wagnier <wag...@gm...> wrote:
> Hi again,
>
> First thx for all of your help, it was really nice for us, but we still have some problems with the library of autopsy. The import doesn't work!
>
> on this kind of line from the examples (IngestModule):
>
> File "C:\Users\Geo\Documents\NetBeansProjects\IngesModule\src\ingestmodule.py", line 5, in <module>
> from org.sleuthkit.autopsy.casemodule import Case
> ImportError: No module named sleuthkit
>
> As a result, we would like to develop a plugin which studies the web history for autopsy in python, but we have been blocked for 2 months.
>
> Best regards,
>
> Geoffrey
From: Geoffrey W. <wag...@gm...> - 2015-05-11 13:48:05
|
Hi again,

First thx for all of your help, it was really nice for us, but we still have some problems with the library of autopsy. The import doesn't work!

on this kind of line from the examples (IngestModule):

File "C:\Users\Geo\Documents\NetBeansProjects\IngesModule\src\ingestmodule.py", line 5, in <module>
    from org.sleuthkit.autopsy.casemodule import Case
ImportError: No module named sleuthkit

As a result, we would like to develop a plugin which studies the web history for autopsy in python, but we have been blocked for 2 months.

Best regards,

Geoffrey

2015-05-06 17:10 GMT+02:00 Richer, Mark (CIV) <mhr...@np...>:

> Geoffrey,
>
> It seems you will be best off using NetBeans as your IDE, but in general
> if you want to use Eclipse with Python, Jython or IronPython, then you
> should install PyDev in Eclipse.
>
> http://pydev.org
>
> Mark
>
> *MARK H RICHER, MS CS*
> Faculty Research Associate
> Computer Science Department
> Naval Postgraduate School - National Capital Region (NCR)
> 703-275-8533 (o) 571.303.9498 (m) mhr...@np...
>
> On May 6, 2015, at 11:00 AM, Brian Carrier <ca...@sl...> wrote:
>
> Hi Geoffrey,
>
> The development docs contain this information.
>
> All of the docs are here:
> http://sleuthkit.org/autopsy/docs/api-docs/3.1/index.html
> The Python-specific page is here:
> http://sleuthkit.org/autopsy/docs/api-docs/3.1/mod_dev_py_page.html
>
> The python page assumes you’ve read the other pages though (except for the
> Java-specific page). It references sample modules, which can be found here:
>
> https://github.com/sleuthkit/autopsy/tree/develop/pythonExamples
>
> Autopsy is built on top of the NetBeans platform, so we always use
> NetBeans as an IDE. I’ve never tried Eclipse with Autopsy.
>
> thanks,
> brian
>
> On May 6, 2015, at 10:10 AM, Geoffrey Wagnier <wag...@gm...> wrote:
>
> Hi everyone,
>
> I'm Geoffrey, a student in IT security in France, and in order to end a
> school project about autopsy and python plugins, I would like to know if
> someone can help on this project.
>
> First, I wonder if a skeleton in python exists and how to use it and install it.
>
> Secondly, how does the autopsy library work on Eclipse?
>
> And finally, any information will be great for my crew!
>
> Thx guys for reading,
>
> Best regards,
>
> Geoffrey
|
From: <mir...@zg...> - 2015-05-07 14:46:14
|
I would have liked to have been able to post my work and issues on the Sleuthkit Forum, but as I explained in:

Which blocks my very partly zeroed out, recoverable luks volume file occupies?
http://sourceforge.net/p/sleuthkit/mailman/message/34090581/

(or if you are subscribed, look by that title for my recent message) I was prevented (by third parties) from registering. As I ask there, pls help me in this matter!

But I have another issue, and I'll try and put it forward. I explained these other issues here, on Gentoo Forums:

A Basic Data Recovery with SleuthKit
https://forums.gentoo.org/viewtopic-t-1016618.html

I'll present just a few lines from there, and if, by your help, I somehow get subscribed to the Sleuthkit Forum, I'll revert the state of affairs and post a complete topic on the Sleuthkit Forum, keeping just links and basic info about it in the Gentoo Forums, because it is a specific Sleuthkit issue and suits better there.

So for short: my "links -g <the-autopsy-given-address>" shows:

[...]
Receive timeout
[...]

and then starts, as I suspect, the same job over, duplicating it, as it already happened for a different case. I also ask a few more questions in that topic, such as whether to kill those duplicate jobs (if they are really duplicates). They are new instances of:

'/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d -e l | '/bin/grep' 'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'

and I also ask whether (rephrasing), in the output directory of the evidence locker, the file vgn-Cmn-0-0-0.srch that reads:

0||Z1_F0331_Zoom_Lovrić_Škaričić.avi|ascii

means one ascii job is done, and maybe that `0' means that nothing is found? And I ask other things.

Thank you in advance!

--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
|
From: Terry O. <twj...@ho...> - 2015-05-07 01:52:00
|
I won't promise I am correct, but I seem to recall that the directory entries in FAT have changed over time. The only support I can find is http://www.oldlinux.org/Linux.old/distributions/cnix/FAT.pdf, which says that the only time tracked is last changed. Later, they added created and modified. So, maybe this is what is going on?

Terry Olson
Digital Forensic Analyst
Nebraska State Patrol
Technical Crimes/ICAC

> From: wal...@ic...
> Date: Tue, 5 May 2015 20:27:52 -0600
> To: sle...@li...
> Subject: [sleuthkit-users] mactime - meaning of 0000-00-00T00:00:00Z
>
> Hi everyone,
>
> I’ve been working with mactime timelines across several floppy disk images (in FAT12) and have come upon events with a timestamp of 0000-00-00T00:00:00Z. Some of these events have a single notation (such as ‘c’, ’m’, etc.), others have all four entries marked (‘macb’).
>
> What does a timestamp of 0000-00-00T00:00:00Z mean? Is this a false positive (not an event at all), or simply an event logged without a time by an OS (and if so, have others seen this)? I understand that blank time entries mean that the event shares the time with the previous event - is a zeroed out timestamp the equivalent of that?
>
> - fls command to get body file: fls -m -i raw [image]
> - mactime command for timeline: mactime -b [timeline.txt] -d -y
>
> Many thanks,
>
> Walker
|
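The zero timestamps Walker asks about, as an added example that is not part of the thread: a small parser for the body file that `fls -m` produces, which groups an entry's four timestamps into MACB rows the way a mactime timeline does, renders a zero epoch as the 0000-00-00T00:00:00Z stamp seen in Walker's output, and reports which of an entry's timestamps are unset. The body-file column order (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime) is the TSK 3.x format; the sample lines are constructed, and that a FAT date field the tool could not read shows up as 0 in the body file is an assumption here, not something the thread confirms.

```python
"""Group body-file entries into MACB timeline rows, flagging zero times."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample body-file lines in the fls -m format:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
# Assumption: a FAT12 entry with no access/creation date yields 0 here.
SAMPLE_BODY = """\
0|/README.TXT|3|r/rrwxrwxrwx|0|0|512|0|809164800|0|0
0|/NOTES.DOC|5|r/rrwxrwxrwx|0|0|2048|809164800|809164800|809164800|809164800
0|/OLD.BAK|7|r/rrwxrwxrwx|0|0|100|0|0|0|0
"""

ZERO_STAMP = "0000-00-00T00:00:00Z"
# Body-file column index for each of the m, a, c, b letters of mactime.
TIME_COLUMNS = (("m", 8), ("a", 7), ("c", 9), ("b", 10))


def parse_body(text):
    """Yield (name, inode, size, {letter: epoch}) for each body line."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError("expected 11 fields, got %d: %r" % (len(fields), line))
        times = {letter: int(fields[idx]) for letter, idx in TIME_COLUMNS}
        yield fields[1], fields[2], int(fields[6]), times


def fmt_time(epoch):
    """Render an epoch as ISO-8601 UTC; a zero epoch becomes the all-zero stamp."""
    if epoch == 0:
        return ZERO_STAMP
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_timeline(text):
    """Return rows (timestamp, macb, size, name) sorted by time.

    Timestamp fields of one entry that share an epoch collapse into a single
    row; the macb string marks the matching fields and '.' the others."""
    buckets = defaultdict(list)
    for name, _inode, size, times in parse_body(text):
        by_epoch = defaultdict(set)
        for letter, epoch in times.items():
            by_epoch[epoch].add(letter)
        for epoch, letters in by_epoch.items():
            macb = "".join(l if l in letters else "." for l in "macb")
            buckets[epoch].append((macb, size, name))
    rows = []
    for epoch in sorted(buckets):
        for macb, size, name in sorted(buckets[epoch], key=lambda r: r[2]):
            rows.append((fmt_time(epoch), macb, size, name))
    return rows


def unset_times(text):
    """Map each file name to the MACB letters whose timestamp is zero."""
    return {name: "".join(l for l in "macb" if times[l] == 0)
            for name, _inode, _size, times in parse_body(text)}


if __name__ == "__main__":
    for row in build_timeline(SAMPLE_BODY):
        print("%s %s %8d %s" % row)
    for name, letters in unset_times(SAMPLE_BODY).items():
        print("%s: unset %s" % (name, letters or "none"))
```

An entry whose only real timestamp is mtime therefore produces one dated `m...` row and one `.acb` row at the zero stamp, which is the pattern of single letters and `macb` at 0000-00-00T00:00:00Z that Walker describes.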
From: <mir...@zg...> - 2015-05-07 00:58:34
|
I had not received, and surely it is because of my provider being likely intentionally lousy, Atila's reply that I see in the list archives at:
( of this same subject as this message you are reading )
http://sourceforge.net/p/sleuthkit/mailman/message/33695222/

> Please don't use mke2fs!!! That's for creating a new fs!
>
> Since you can mount the luks vol, I guess you are at a point where you
> have an unencrypted ext4 fs with the first 5% (or other number)
> overwritten.

I think it is even more complicated than that; try and skim through:

i) the beginning of the topic, to see how exactly the trouble started:
https://forums.gentoo.org/viewtopic-t-1004014.html

ii) the very good explanation from frostschutz that I only recently grasped:
https://forums.gentoo.org/viewtopic-t-1004014.html#7724060

iii) more of a good explanation by another Gentooer:
https://forums.gentoo.org/viewtopic-t-1004014-start-25.html#7724620

> Is this correct? If so, a 'hexdump -C' of the middle of your
> unencrypted disk may have readable text.
>
> Did you try that suggestion of using mount with sb=...?

Yes, but as in iii), it did not help, at this stage:
https://forums.gentoo.org/viewtopic-t-1004014-start-25.html#7742740

> I didn't understand the MD5 part. You have the MD5 of the luks header?
> How is this helpful?

It's not. Forget it, that was wrong on my part.

So to Atila's kind message I reconstructed a reply by pasting it from the web archives, as I already have done about a month ago, and that one from a month ago still got in the right place in the thread of the archives. Whether this mail will arrive at the Sleuthkit ML remains to be seen...

If this mail doesn't pass through my provider's censorship/sloppiness/other to arrive at the Sleuthkit ML, I'll post it at:

Recover partly overwritten luks volume?
https://forums.gentoo.org/viewtopic-t-1004014.html

(where it will be publicly visible around the current date and time plus a few more hours), and there I will kindly ask readers of that topic to paste it in their mail and send it to the Sleuthkit ML for me.

I have tried a few times to register at the Sleuthkit Forum, and you can see two of my documented failed attempts, in screencasts and packet dumps:

i) linked from:
https://forums.gentoo.org/viewtopic-t-1004014.html#7724054
registration completely successful at forum.sleuthkit.org, mail never arrived

ii) linked from:
https://forums.gentoo.org/viewtopic-t-1004014-start-25.html#7734200
my correct captcha response at the Schmoogle wouldn't be reacted to at all, Schmoog was playing mute. It's a miniature, easily checked if I am saying the truth.

As I kindly ask in i) above, help me, some of you dear people at Sleuthkit.org! E.g. encrypt a random password for me to my 0x4FBAF0AE key, e.g. for user miroR that I tried to register as, and send it to me via email, but check for my reaction within a couple of days to see if I got it. And if no reaction from me, a stubborn wannabe SleuthKit Forum user, then it is very likely that it didn't get through to my mailbox. In which case, as I suggest in i), it's quick and easy (for you uncensored free people, and most of your readers) to log into Gentoo Forums; people like, e.g. PaX Team, or the MirBSD creator Thorsten mirabilos Glaser did it for just a message or two... Log into Gentoo Forums, some of you, and send me a private message with the necessary password, encrypted or even unencrypted, to my 0x4FBAF0AE key.

Once I can log into forum.SleuthKit.org, I'm likely free to finally post my issues there. With the email correspondence, my provider are real jerks.

Thank you in advance!

--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
|
From: Eamonn S. <ea...@ya...> - 2015-05-06 17:21:35
|
Hi Ricky,

This looks like it was an oversight on our part in the framework. It looks like the files get added to the database but are not getting scheduled for analysis. If you are comfortable editing the C++ code, the quickest fix would be to add something along the following lines to TskCarveExtractScalpel.cpp at line 375:

TskServices::Instance().getScheduler().schedule(Scheduler::FileAnalysis, fileId, fileId);

Of course you probably want a little extra error handling. For other examples of how this works, take a look at TskL01Extract.cpp and ZipExtractionModule.cpp.

Out of curiosity, what are you looking to accomplish that led you to the Sleuthkit framework rather than Autopsy?

Thanks.

On Wednesday, April 29, 2015 1:08 PM, "Sanchez, Ricardo" <rr...@ra...> wrote:

I have a question about scalpel and integration with the sleuthkit framework. I was able to get scalpel and sleuthkit built and I used the sample framework and pipeline XML files to carve and do some file analysis on a test image. However, I notice that carved files aren’t being processed in the file analysis phase. E.g., the carved files don’t get hashed. At least they don’t appear in the file_hashes table in the output database. So my question is: do I need to do something special to make sure the carved files get added to the scheduler for processing? I’m just getting started with sleuthkit, so I apologize if this is a simple question.

Thank you,
-ricky

Ricardo Sanchez, RAND Corporation
Research Software Engineer, Information Services
n1428b
(504) 299-3448
rr...@ra...

__________________________________________________________________________
This email message is for the sole use of the intended recipient(s) and may contain confidential information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
|
From: Richer, M. (CIV) <mhr...@np...> - 2015-05-06 15:41:07
|
Geoffrey,

It seems you will be best off using NetBeans as your IDE, but in general if you want to use Eclipse with Python, Jython or IronPython, then you should install PyDev in Eclipse.

http://pydev.org

Mark

MARK H RICHER, MS CS
Faculty Research Associate
Computer Science Department
Naval Postgraduate School - National Capital Region (NCR)
703-275-8533 (o) 571.303.9498 (m) mhr...@np...

On May 6, 2015, at 11:00 AM, Brian Carrier <ca...@sl...> wrote:

Hi Geoffrey,

The development docs contain this information.

All of the docs are here:
http://sleuthkit.org/autopsy/docs/api-docs/3.1/index.html
The Python-specific page is here:
http://sleuthkit.org/autopsy/docs/api-docs/3.1/mod_dev_py_page.html

The python page assumes you’ve read the other pages though (except for the Java-specific page). It references sample modules, which can be found here:

https://github.com/sleuthkit/autopsy/tree/develop/pythonExamples

Autopsy is built on top of the NetBeans platform, so we always use NetBeans as an IDE. I’ve never tried Eclipse with Autopsy.

thanks,
brian

On May 6, 2015, at 10:10 AM, Geoffrey Wagnier <wag...@gm...> wrote:

Hi everyone,

I'm Geoffrey, a student in IT security in France, and in order to end a school project about autopsy and python plugins, I would like to know if someone can help on this project.

First, I wonder if a skeleton in python exists and how to use it and install it.

Secondly, how does the autopsy library work on Eclipse?

And finally, any information will be great for my crew!

Thx guys for reading,

Best regards,

Geoffrey
|