From 6893e1c35b2b3f50cd820d7837e51ca462a7fe0c Mon Sep 17 00:00:00 2001
From: Richard Cordovano
Date: Wed, 27 Jan 2016 17:29:29 -0500
Subject: [PATCH 1/4] Make tskdbdiff.py handle attr value types correctly
---
test/script/tskdbdiff.py | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/test/script/tskdbdiff.py b/test/script/tskdbdiff.py
index 9db3aeb863..2b0322f102 100755
--- a/test/script/tskdbdiff.py
+++ b/test/script/tskdbdiff.py
@@ -208,7 +208,7 @@ class TskDbDiff(object): try: art_id = "" art_id = str(row["artifact_id"]) - attribute_cursor.execute("SELECT blackboard_attributes.source, blackboard_attribute_types.display_name, blackboard_attributes.value_type, blackboard_attributes.value_text, blackboard_attributes.value_int32, blackboard_attributes.value_int64, blackboard_attributes.value_double FROM blackboard_attributes INNER JOIN blackboard_attribute_types ON blackboard_attributes.attribute_type_id = blackboard_attribute_types.attribute_type_id WHERE artifact_id =? ORDER BY blackboard_attributes.source, blackboard_attribute_types.display_name, blackboard_attributes.value_type, blackboard_attributes.value_text, blackboard_attributes.value_int32, blackboard_attributes.value_int64, blackboard_attributes.value_double", [art_id]) + attribute_cursor.execute("SELECT blackboard_attributes.source, blackboard_attribute_types.display_name, blackboard_attributes.value_type, blackboard_attributes.value_text, blackboard_attributes.value_int32, blackboard_attributes.value_int64, blackboard_attributes.value_double, blackboard_attributes.value_byte FROM blackboard_attributes INNER JOIN blackboard_attribute_types ON blackboard_attributes.attribute_type_id = blackboard_attribute_types.attribute_type_id WHERE artifact_id =? ORDER BY blackboard_attributes.source, blackboard_attribute_types.display_name, blackboard_attributes.value_type, blackboard_attributes.value_text, blackboard_attributes.value_int32, blackboard_attributes.value_int64, blackboard_attributes.value_double", [art_id]) attributes = attribute_cursor.fetchall() # Print attributes @@ -220,7 +220,6 @@ class TskDbDiff(object): src = attributes[0][0] for attr in attributes: - attr_value_index = 3 + attr["value_type"] numvals = 0 for x in range(3, 6): if(attr[x] != None): 
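Review bot: The column `blackboard_attributes.value_byte` added to the SELECT in the first hunk is fetched but never read in the hunks shown here; the third hunk of this patch writes the constant `"bytes"` for value_type 4. Two databases whose byte-valued attributes differ therefore produce identical dump lines, and the comparison cannot report the difference. Either leave the column out of the query, or write something derived from it, for instance `attr_value_as_string = hashlib.sha256(attr["value_byte"]).hexdigest()`, which needs a None guard and `import hashlib` at the top of the file. The enclosing method starts and ends outside these hunks, so a use of the column further down cannot be ruled out.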
@@ -232,11 +231,20 @@ class TskDbDiff(object): msg = "There were inconsistent sources for artifact with id #" + str(row["artifact_id"]) + ".\n" try: - attr_value_as_string = str(attr[attr_value_index]) + if attr["value_type"] == 0: + attr_value_as_string = str(attr["value_text"]) + elif attr["value_type"] == 1: + attr_value_as_string = str(attr["value_int32"]) + elif attr["value_type"] == 2: + attr_value_as_string = str(attr["value_int64"]) + elif attr["value_type"] == 3: + attr_value_as_string = str(attr["value_double"]) + elif attr["value_type"] == 4: + attr_value_as_string = "bytes" + elif attr["value_type"] == 5: + attr_value_as_string = str(attr["value_int64"]) if attr["display_name"] == "Associated Artifact": - attr_value_as_string = getAssociatedArtifactType(db_file, attr_value_as_string) - #if((type(attr_value_as_string) != 'unicode') or (type(attr_value_as_string) != 'str')): - # attr_value_as_string = str(attr_value_as_string) + attr_value_as_string = getAssociatedArtifactType(db_file, attr_value_as_string) patrn = re.compile("[\n\0\a\b\r\f]") attr_value_as_string = re.sub(patrn, ' ', attr_value_as_string) database_log.write('') From 06b499f7afe398287db4aa929d8b3eabdfa9fa2f Mon Sep 17 00:00:00 2001 From: Richard Cordovano Date: Wed, 27 Jan 2016 17:36:25 -0500 Subject: [PATCH 2/4] Revert "Make tskdbdiff.py handle attr value types correctly" This reverts commit 6893e1c35b2b3f50cd820d7837e51ca462a7fe0c. --- test/script/tskdbdiff.py | 20 ++++++-------------- 1 file changed, 6 insertions(+), 14 deletions(-) diff --git a/test/script/tskdbdiff.py b/test/script/tskdbdiff.py index 2b0322f102..9db3aeb863 100755 --- a/test/script/tskdbdiff.py +++ b/test/script/tskdbdiff.py 
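Review bot: The new `if`/`elif` chain on `attr["value_type"]` has no final `else`, so a row whose value_type is not 0 to 5 leaves `attr_value_as_string` unassigned. On the first attribute of the loop that raises an unbound-name error, and on any later attribute the name still holds the previous attribute's string, which would be written to the dump as if it belonged to this row. Close the chain with `else: raise ValueError("unexpected value_type " + str(attr["value_type"]) + " for artifact " + art_id)` so an unexpected type is reported rather than masked. The handler of the surrounding `try` is outside the hunk, so check that it logs this case. The same chain is added again in PATCH 3/4 and needs the same branch.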
@@ -208,7 +208,7 @@ class TskDbDiff(object): try: art_id = "" art_id = str(row["artifact_id"]) - attribute_cursor.execute("SELECT blackboard_attributes.source, blackboard_attribute_types.display_name, blackboard_attributes.value_type, blackboard_attributes.value_text, blackboard_attributes.value_int32, blackboard_attributes.value_int64, blackboard_attributes.value_double, blackboard_attributes.value_byte FROM blackboard_attributes INNER JOIN blackboard_attribute_types ON blackboard_attributes.attribute_type_id = blackboard_attribute_types.attribute_type_id WHERE artifact_id =? ORDER BY blackboard_attributes.source, blackboard_attribute_types.display_name, blackboard_attributes.value_type, blackboard_attributes.value_text, blackboard_attributes.value_int32, blackboard_attributes.value_int64, blackboard_attributes.value_double", [art_id]) + attribute_cursor.execute("SELECT blackboard_attributes.source, blackboard_attribute_types.display_name, blackboard_attributes.value_type, blackboard_attributes.value_text, blackboard_attributes.value_int32, blackboard_attributes.value_int64, blackboard_attributes.value_double FROM blackboard_attributes INNER JOIN blackboard_attribute_types ON blackboard_attributes.attribute_type_id = blackboard_attribute_types.attribute_type_id WHERE artifact_id =? ORDER BY blackboard_attributes.source, blackboard_attribute_types.display_name, blackboard_attributes.value_type, blackboard_attributes.value_text, blackboard_attributes.value_int32, blackboard_attributes.value_int64, blackboard_attributes.value_double", [art_id]) attributes = attribute_cursor.fetchall() # Print attributes @@ -220,6 +220,7 @@ class TskDbDiff(object): src = attributes[0][0] for attr in attributes: + attr_value_index = 3 + attr["value_type"] numvals = 0 for x in range(3, 6): if(attr[x] != None): 
@@ -231,20 +232,11 @@ class TskDbDiff(object): msg = "There were inconsistent sources for artifact with id #" + str(row["artifact_id"]) + ".\n" try: - if attr["value_type"] == 0: - attr_value_as_string = str(attr["value_text"]) - elif attr["value_type"] == 1: - attr_value_as_string = str(attr["value_int32"]) - elif attr["value_type"] == 2: - attr_value_as_string = str(attr["value_int64"]) - elif attr["value_type"] == 3: - attr_value_as_string = str(attr["value_double"]) - elif attr["value_type"] == 4: - attr_value_as_string = "bytes" - elif attr["value_type"] == 5: - attr_value_as_string = str(attr["value_int64"]) + attr_value_as_string = str(attr[attr_value_index]) if attr["display_name"] == "Associated Artifact": - attr_value_as_string = getAssociatedArtifactType(db_file, attr_value_as_string) + attr_value_as_string = getAssociatedArtifactType(db_file, attr_value_as_string) + #if((type(attr_value_as_string) != 'unicode') or (type(attr_value_as_string) != 'str')): + # attr_value_as_string = str(attr_value_as_string) patrn = re.compile("[\n\0\a\b\r\f]") attr_value_as_string = re.sub(patrn, ' ', attr_value_as_string) database_log.write('') From 88a2f37a5ec33adb574311eecc7106cea7cba86f Mon Sep 17 00:00:00 2001 From: Richard Cordovano Date: Wed, 27 Jan 2016 17:37:54 -0500 Subject: [PATCH 3/4] Make tskdbdiff.py handle bb-attr value types correctly --- test/script/tskdbdiff.py | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/test/script/tskdbdiff.py b/test/script/tskdbdiff.py index 9db3aeb863..0cc6907a56 100755 --- a/test/script/tskdbdiff.py +++ b/test/script/tskdbdiff.py @@ -220,7 +220,6 @@ class TskDbDiff(object): src = attributes[0][0] for attr in attributes: - attr_value_index = 3 + attr["value_type"] numvals = 0 for x in range(3, 6): if(attr[x] != None): 
@@ -232,7 +231,20 @@ class TskDbDiff(object): msg = "There were inconsistent sources for artifact with id #" + str(row["artifact_id"]) + ".\n" try: - attr_value_as_string = str(attr[attr_value_index]) + if attr["value_type"] == 0: + attr_value_as_string = str(attr["value_text"]) + elif attr["value_type"] == 1: + attr_value_as_string = str(attr["value_int32"]) + elif attr["value_type"] == 2: + attr_value_as_string = str(attr["value_int64"]) + elif attr["value_type"] == 3: + attr_value_as_string = str(attr["value_double"]) + elif attr["value_type"] == 4: + attr_value_as_string = "bytes" + elif attr["value_type"] == 5: + attr_value_as_string = str(attr["value_int64"]) + if attr["display_name"] == "Associated Artifact": + attr_value_as_string = getAssociatedArtifactType(db_file, attr_value_as_string) if attr["display_name"] == "Associated Artifact": attr_value_as_string = getAssociatedArtifactType(db_file, attr_value_as_string) #if((type(attr_value_as_string) != 'unicode') or (type(attr_value_as_string) != 'str')): From 30676cb0b3030cdadd10d0cce93e89f6396a5fa3 Mon Sep 17 00:00:00 2001 From: Richard Cordovano Date: Wed, 27 Jan 2016 17:40:04 -0500 Subject: [PATCH 4/4] tskdbdiff.py bb-attr value type fix correction --- test/script/tskdbdiff.py | 4 ---- 1 file changed, 4 deletions(-) diff --git a/test/script/tskdbdiff.py b/test/script/tskdbdiff.py index 0cc6907a56..5fcbb8ff2a 100755 --- a/test/script/tskdbdiff.py +++ b/test/script/tskdbdiff.py 
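Review bot: The six-way chain compares `attr["value_type"]` against bare integers, and nothing in the hunk says what each code means or why type 5 reads `value_int64` like type 2. A lookup table with one comment per code would keep the code-to-column mapping in one place and make an unmapped code fail with a KeyError instead of falling through. The `try` block and the enclosing loop begin and end outside this hunk. The table name below is only a suggestion.

```python
# module level: column that carries the value for each value_type code
VALUE_COLUMN_BY_TYPE = {
    0: "value_text",
    1: "value_int32",
    2: "value_int64",
    3: "value_double",
    5: "value_int64",  # same column as type 2; document what code 5 denotes
}

# … unchanged: source-consistency check and msg …
try:
    value_type = attr["value_type"]
    if value_type == 4:
        attr_value_as_string = "bytes"
    else:
        attr_value_as_string = str(attr[VALUE_COLUMN_BY_TYPE[value_type]])
    # … unchanged: "Associated Artifact" lookup …
```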
@@ -245,10 +245,6 @@ class TskDbDiff(object): attr_value_as_string = str(attr["value_int64"]) if attr["display_name"] == "Associated Artifact": attr_value_as_string = getAssociatedArtifactType(db_file, attr_value_as_string) - if attr["display_name"] == "Associated Artifact": - attr_value_as_string = getAssociatedArtifactType(db_file, attr_value_as_string) - #if((type(attr_value_as_string) != 'unicode') or (type(attr_value_as_string) != 'str')): - # attr_value_as_string = str(attr_value_as_string) patrn = re.compile("[\n\0\a\b\r\f]") attr_value_as_string = re.sub(patrn, ' ', attr_value_as_string) database_log.write('')