From 755f1ade4905b8a7314aa4f7bf4b71560bfc3e5b Mon Sep 17 00:00:00 2001
From: Ann Priestman
Date: Wed, 25 Sep 2019 08:57:59 -0400
Subject: [PATCH] Added section on mobile parsing helper classes

---
 docs/doxygen/modMobile.dox | 50 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

diff --git a/docs/doxygen/modMobile.dox b/docs/doxygen/modMobile.dox
index ac24ad8fff..255638aa48 100644
--- a/docs/doxygen/modMobile.dox
+++ b/docs/doxygen/modMobile.dox
@@ -13,6 +13,56 @@ The ingest module has a basic flow of The BlackBoard has standard artifacts for the standard cell phone forensics data types, such as BlackboardArtifact.TSK_CALLLOG. +There are a couple of classes that can help streamline processing mobile databases. The org.sleuthkit.autopsy.coreutils.AppSQLiteDB class has methods for opening and querying SQLite databases. For example, to find and open a database named "transfer20.db" in the "com.dewmobile.kuaiya.play" package, you can simply use the following method (examples in Python): +\verbatim +transferDbs = AppSQLiteDB.findAppDatabases(dataSource, "transfer20.db", True, "com.dewmobile.kuaiya.play") +\endverbatim + +Once you have your databases, you can run easily run queries on them: +\code +queryString = "SELECT device, name, direction, createtime, path, title FROM transfer" +transfersResultSet = transferDb.runQuery(queryString) +\endcode + +You can make Blackboard Artifacts using the org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper class. This gives you methods to make contacts, messages, and call log entries. The following is sample code in Python to set up the CommunicationArtifactsHelper and then use it to make artifacts. + +\code +transferDbHelper = CommunicationArtifactsHelper(current_case.getSleuthkitCase(), + "Zapya Analyzer", transferDb.getDBFile(), + Account.Type.ZAPYA) +\endcode + +\code +direction = CommunicationDirection.UNKNOWN +fromAddress = None +toAddress = None + +if (transfersResultSet.getInt("direction") == 1): + direction = CommunicationDirection.OUTGOING + toAddress = Account.Address(transfersResultSet.getString("device"), transfersResultSet.getString("name") ) +else: + direction = CommunicationDirection.INCOMING + fromAddress = Account.Address(transfersResultSet.getString("device"), transfersResultSet.getString("name") ) + +msgBody = "" # there is no body. 
+attachments = [transfersResultSet.getString("path")] +msgBody = general.appendAttachmentList(msgBody, attachments) + +timeStamp = transfersResultSet.getLong("createtime") / 1000 +messageArtifact = transferDbHelper.addMessage( + self._MESSAGE_TYPE, + direction, + fromAddress, + toAddress, + timeStamp, + MessageReadStatus.UNKNOWN, + None, # subject + msgBody, + None ) # thread id +\endcode + +Look in the autopsy\\InternalPythonModules\\android\\ folder for additional examples. + \section mod_mobile_std Android Module Autopsy comes with an Android module, as defined in various classes in the org.sleuthkit.autopsy.modules.android package. You can use those classes as a reference example.
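Review bot: the message-building snippet reads columns from `transfersResultSet` (`transfersResultSet.getInt("direction")`, `getString("device")`, `getLong("createtime")`) without ever advancing the cursor; a JDBC ResultSet starts positioned before the first row, so those calls throw until `next()` is called. Wrap that block in a `while transfersResultSet.next():` loop, and while there, show the iteration over the collection returned by `findAppDatabases`, because the first example assigns to the plural `transferDbs` while every later line uses a singular `transferDb` that is never defined. The snippet also leans on `self._MESSAGE_TYPE`, `general.appendAttachmentList` and `current_case`, none of which is defined or explained in the section; either define them inline or point the reader to where they come from. Nothing in the examples releases the database or result set when processing is done, so a reader copying them will leak handles. Two smaller points: "you can run easily run queries" has a duplicated "run", and the first example uses `\verbatim` while the rest use `\code`; pick one for consistency.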