From d0e632ff0c4a484a0bc2b3e357c0e1d92b8dfd06 Mon Sep 17 00:00:00 2001
From: Eugene Livis
Date: Thu, 12 Nov 2015 11:35:25 -0500
Subject: [PATCH 1/2] Modified python examples to use blackboard artifact intexing
---
 .../Aug2015DataSourceTutorial/FindContactsDb.py | 15 ++++++++++++---
 .../FindBigRoundFiles.py | 13 ++++++++++++-
 pythonExamples/dataSourceIngestModule.py | 9 +++++++++
 pythonExamples/fileIngestModule.py | 14 ++++++++++++--
 4 files changed, 45 insertions(+), 6 deletions(-)
diff --git a/pythonExamples/Aug2015DataSourceTutorial/FindContactsDb.py b/pythonExamples/Aug2015DataSourceTutorial/FindContactsDb.py
index b625f84032..5463d42eb1 100755
--- a/pythonExamples/Aug2015DataSourceTutorial/FindContactsDb.py
+++ b/pythonExamples/Aug2015DataSourceTutorial/FindContactsDb.py
@@ -53,6 +53,7 @@ from org.sleuthkit.autopsy.ingest import IngestModuleFactoryAdapter
 from org.sleuthkit.autopsy.ingest import IngestMessage
 from org.sleuthkit.autopsy.ingest import IngestServices
 from org.sleuthkit.autopsy.ingest import ModuleDataEvent
+from org.sleuthkit.autopsy.casemodule.services import Blackboard
 from org.sleuthkit.autopsy.coreutils import Logger
 from org.sleuthkit.autopsy.casemodule import Case
 from org.sleuthkit.autopsy.casemodule.services import Services
@@ -107,11 +108,13 @@ class ContactsDbIngestModule(DataSourceIngestModule): # 'progressBar' is of type org.sleuthkit.autopsy.ingest.DataSourceIngestModuleProgress # See: http://sleuthkit.org/autopsy/docs/api-docs/3.1/classorg_1_1sleuthkit_1_1autopsy_1_1ingest_1_1_data_source_ingest_module_progress.html def process(self, dataSource, progressBar): - + # we don't know how much work there is yet progressBar.switchToIndeterminate() # Find files named contacts.db, regardless of parent path + # Use blackboard class to index blackboard artifacts for keyword search + blackboard = Case.getCurrentCase().getServices().getBlackboard() fileManager = Case.getCurrentCase().getServices().getFileManager() files = fileManager.findFiles(dataSource, "contacts.db") @@ -168,8 +171,14 @@ class ContactsDbIngestModule(DataSourceIngestModule): art.addAttribute(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER.getTypeID(), ContactsDbIngestModuleFactory.moduleName, phone)) + + try: + # index the artifact for keyword search + blackboard.indexArtifact(art) + except Blackboard.BlackboardException as e: + self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName()) - # Fire an event to notify the UI and others that there are new artifacts + # Fire an event to notify the UI and others that there are new artifacts IngestServices.getInstance().fireModuleDataEvent( ModuleDataEvent(ContactsDbIngestModuleFactory.moduleName, BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT, None)) @@ -184,5 +193,5 @@ class ContactsDbIngestModule(DataSourceIngestModule): message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "ContactsDb Analyzer", "Found %d files" % fileCount) IngestServices.getInstance().postMessage(message) - + return IngestModule.ProcessResult.OK \ No newline at end of file diff --git a/pythonExamples/July2015FileTutorial_BigRound/FindBigRoundFiles.py b/pythonExamples/July2015FileTutorial_BigRound/FindBigRoundFiles.py index 8b93bc977e..95b18423d3 100755 
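Review bot: In the `@@ -168,8 +171,14 @@` hunk the new `except Blackboard.BlackboardException as e:` handler binds `e` but never records it, so the SEVERE log entry names the artifact that failed to index and drops the cause; the same handler is added in FindBigRoundFiles.py, dataSourceIngestModule.py and fileIngestModule.py. Appending the exception text keeps the diagnostic without changing the control flow: `self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName() + ": " + str(e))`. The hunk does not show where `Level` or the module's `log` helper come from; presumably each file already has `from java.util.logging import Level` and a `log` method on the class, but that is worth confirming since a missing name would only surface on the failure path. process() begins before this hunk and continues after it.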
--- a/pythonExamples/July2015FileTutorial_BigRound/FindBigRoundFiles.py +++ b/pythonExamples/July2015FileTutorial_BigRound/FindBigRoundFiles.py @@ -56,6 +56,7 @@ from org.sleuthkit.autopsy.coreutils import Logger from org.sleuthkit.autopsy.casemodule import Case from org.sleuthkit.autopsy.casemodule.services import Services from org.sleuthkit.autopsy.casemodule.services import FileManager +from org.sleuthkit.autopsy.casemodule.services import Blackboard # Factory that defines the name and details of the module and allows Autopsy # to create instances of the modules that will do the anlaysis. @@ -104,6 +105,10 @@ class FindBigRoundFilesIngestModule(FileIngestModule): # The 'file' object being passed in is of type org.sleuthkit.datamodel.AbstractFile. # See: http://www.sleuthkit.org/sleuthkit/docs/jni-docs/4.3/classorg_1_1sleuthkit_1_1datamodel_1_1_abstract_file.html def process(self, file): + + # Use blackboard class to index blackboard artifacts for keyword search + blackboard = Case.getCurrentCase().getServices().getBlackboard() + # Skip non-files if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) or (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) or @@ -119,7 +124,13 @@ class FindBigRoundFilesIngestModule(FileIngestModule): att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), FindBigRoundFilesIngestModuleFactory.moduleName, "Big and Round Files") art.addAttribute(att) - + + try: + # index the artifact for keyword search + blackboard.indexArtifact(art) + except Blackboard.BlackboardException as e: + self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName()) + # Fire an event to notify the UI and others that there is a new artifact IngestServices.getInstance().fireModuleDataEvent( ModuleDataEvent(FindBigRoundFilesIngestModuleFactory.moduleName, diff --git a/pythonExamples/dataSourceIngestModule.py b/pythonExamples/dataSourceIngestModule.py index bd05273f55..b341e05cd7 100755 
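Review bot: In the `@@ -104,6 +105,10 @@` hunk the new `blackboard = Case.getCurrentCase().getServices().getBlackboard()` line sits at the top of process(self, file), ahead of the `# Skip non-files` check, so every file passed to the module — including the unallocated and unused blocks the check rejects — pays for the lookup although the handle is only used when an artifact is created further down. fileIngestModule.py places the same lookup after its early return but still ahead of the `.txt` test, so it too runs for every regular file. Moving the line next to the `try:` that calls `blackboard.indexArtifact(art)`, or fetching the handle once in the module's startUp if it has one, limits the work to the files that actually produce an artifact. process() continues past the end of this hunk.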
--- a/pythonExamples/dataSourceIngestModule.py +++ b/pythonExamples/dataSourceIngestModule.py @@ -51,6 +51,7 @@ from org.sleuthkit.autopsy.coreutils import Logger from org.sleuthkit.autopsy.casemodule import Case from org.sleuthkit.autopsy.casemodule.services import Services from org.sleuthkit.autopsy.casemodule.services import FileManager +from org.sleuthkit.autopsy.casemodule.services import Blackboard # Factory that defines the name and details of the module and allows Autopsy @@ -111,6 +112,9 @@ class SampleJythonDataSourceIngestModule(DataSourceIngestModule): # we don't know how much work there is yet progressBar.switchToIndeterminate() + # Use blackboard class to index blackboard artifacts for keyword search + blackboard = Case.getCurrentCase().getServices().getBlackboard() + # For our example, we will use FileManager to get all # files with the word "test" # in the name and then count and read them @@ -137,6 +141,11 @@ class SampleJythonDataSourceIngestModule(DataSourceIngestModule): att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), SampleJythonDataSourceIngestModuleFactory.moduleName, "Test file") art.addAttribute(att) + try: + # index the artifact for keyword search + blackboard.indexArtifact(art) + except Blackboard.BlackboardException as e: + self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName()) # To further the example, this code will read the contents of the file and count the number of bytes inputStream = ReadContentInputStream(file) diff --git a/pythonExamples/fileIngestModule.py b/pythonExamples/fileIngestModule.py index 086b4c2c55..b677d64d80 100755 --- a/pythonExamples/fileIngestModule.py +++ b/pythonExamples/fileIngestModule.py 
@@ -53,6 +53,7 @@ from org.sleuthkit.autopsy.coreutils import Logger from org.sleuthkit.autopsy.casemodule import Case from org.sleuthkit.autopsy.casemodule.services import Services from org.sleuthkit.autopsy.casemodule.services import FileManager +from org.sleuthkit.autopsy.casemodule.services import Blackboard # Factory that defines the name and details of the module and allows Autopsy # to create instances of the modules that will do the anlaysis. @@ -113,6 +114,9 @@ class SampleJythonFileIngestModule(FileIngestModule): (file.isFile() == False)): return IngestModule.ProcessResult.OK + # Use blackboard class to index blackboard artifacts for keyword search + blackboard = Case.getCurrentCase().getServices().getBlackboard() + # For an example, we will flag files with .txt in the name and make a blackboard artifact. if file.getName().lower().endswith(".txt"): @@ -125,8 +129,14 @@ class SampleJythonFileIngestModule(FileIngestModule): att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), SampleJythonFileIngestModuleFactory.moduleName, "Text Files") art.addAttribute(att) - - # Fire an event to notify the UI and others that there is a new artifact + + try: + # index the artifact for keyword search + blackboard.indexArtifact(art) + except Blackboard.BlackboardException as e: + self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName()) + + # Fire an event to notify the UI and others that there is a new artifact IngestServices.getInstance().fireModuleDataEvent( ModuleDataEvent(SampleJythonFileIngestModuleFactory.moduleName, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, None)); From 7ec3426d022cb7d9b140f3db13cc810f15072abb Mon Sep 17 00:00:00 2001 From: Eugene Livis Date: Thu, 12 Nov 2015 11:37:44 -0500 Subject: [PATCH 2/2] Minor --- pythonExamples/Aug2015DataSourceTutorial/FindContactsDb.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/pythonExamples/Aug2015DataSourceTutorial/FindContactsDb.py b/pythonExamples/Aug2015DataSourceTutorial/FindContactsDb.py index 5463d42eb1..40d2d41ee4 100755 --- a/pythonExamples/Aug2015DataSourceTutorial/FindContactsDb.py +++ b/pythonExamples/Aug2015DataSourceTutorial/FindContactsDb.py @@ -53,11 +53,11 @@ from org.sleuthkit.autopsy.ingest import IngestModuleFactoryAdapter from org.sleuthkit.autopsy.ingest import IngestMessage from org.sleuthkit.autopsy.ingest import IngestServices from org.sleuthkit.autopsy.ingest import ModuleDataEvent -from org.sleuthkit.autopsy.casemodule.services import Blackboard from org.sleuthkit.autopsy.coreutils import Logger from org.sleuthkit.autopsy.casemodule import Case from org.sleuthkit.autopsy.casemodule.services import Services from org.sleuthkit.autopsy.casemodule.services import FileManager +from org.sleuthkit.autopsy.casemodule.services import Blackboard from org.sleuthkit.autopsy.datamodel import ContentUtils