Merge pull request #1715 from eugene7646/index_python

Modified python examples to use blackboard artifact indexing
This commit is contained in:
Richard Cordovano 2015-11-12 13:41:34 -05:00
commit e4743c7195
4 changed files with 45 additions and 6 deletions


@ -57,6 +57,7 @@ from org.sleuthkit.autopsy.coreutils import Logger
from org.sleuthkit.autopsy.casemodule import Case from org.sleuthkit.autopsy.casemodule import Case
from org.sleuthkit.autopsy.casemodule.services import Services from org.sleuthkit.autopsy.casemodule.services import Services
from org.sleuthkit.autopsy.casemodule.services import FileManager from org.sleuthkit.autopsy.casemodule.services import FileManager
from org.sleuthkit.autopsy.casemodule.services import Blackboard
from org.sleuthkit.autopsy.datamodel import ContentUtils from org.sleuthkit.autopsy.datamodel import ContentUtils
@ -112,6 +113,8 @@ class ContactsDbIngestModule(DataSourceIngestModule):
progressBar.switchToIndeterminate() progressBar.switchToIndeterminate()
# Find files named contacts.db, regardless of parent path # Find files named contacts.db, regardless of parent path
# Use blackboard class to index blackboard artifacts for keyword search
blackboard = Case.getCurrentCase().getServices().getBlackboard()
fileManager = Case.getCurrentCase().getServices().getFileManager() fileManager = Case.getCurrentCase().getServices().getFileManager()
files = fileManager.findFiles(dataSource, "contacts.db") files = fileManager.findFiles(dataSource, "contacts.db")
@ -169,6 +172,12 @@ class ContactsDbIngestModule(DataSourceIngestModule):
art.addAttribute(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER.getTypeID(), art.addAttribute(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER.getTypeID(),
ContactsDbIngestModuleFactory.moduleName, phone)) ContactsDbIngestModuleFactory.moduleName, phone))
try:
# index the artifact for keyword search
blackboard.indexArtifact(art)
except Blackboard.BlackboardException as e:
self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName())
# Fire an event to notify the UI and others that there are new artifacts # Fire an event to notify the UI and others that there are new artifacts
IngestServices.getInstance().fireModuleDataEvent( IngestServices.getInstance().fireModuleDataEvent(
ModuleDataEvent(ContactsDbIngestModuleFactory.moduleName, ModuleDataEvent(ContactsDbIngestModuleFactory.moduleName,
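Review bot: The handler `except Blackboard.BlackboardException as e:` binds `e` but the log line never uses it, so a failed index leaves only the artifact name in the log and no cause; `self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName() + ": " + str(e))` would keep the detail (or hand the exception to the module's log helper if it accepts one — that helper is outside the hunk). The same pattern appears in the other three files of this commit (FindBigRoundFilesIngestModule, SampleJythonDataSourceIngestModule, SampleJythonFileIngestModule). The module goes on to fire the data event after a failed index, which looks intentional since the artifact was already added, but a one-line comment such as `# artifact exists even if indexing failed; still notify listeners` would make that explicit. The enclosing process() method starts and ends outside this hunk.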


@ -56,6 +56,7 @@ from org.sleuthkit.autopsy.coreutils import Logger
from org.sleuthkit.autopsy.casemodule import Case from org.sleuthkit.autopsy.casemodule import Case
from org.sleuthkit.autopsy.casemodule.services import Services from org.sleuthkit.autopsy.casemodule.services import Services
from org.sleuthkit.autopsy.casemodule.services import FileManager from org.sleuthkit.autopsy.casemodule.services import FileManager
from org.sleuthkit.autopsy.casemodule.services import Blackboard
# Factory that defines the name and details of the module and allows Autopsy # Factory that defines the name and details of the module and allows Autopsy
# to create instances of the modules that will do the anlaysis. # to create instances of the modules that will do the anlaysis.
@ -104,6 +105,10 @@ class FindBigRoundFilesIngestModule(FileIngestModule):
# The 'file' object being passed in is of type org.sleuthkit.datamodel.AbstractFile. # The 'file' object being passed in is of type org.sleuthkit.datamodel.AbstractFile.
# See: http://www.sleuthkit.org/sleuthkit/docs/jni-docs/4.3/classorg_1_1sleuthkit_1_1datamodel_1_1_abstract_file.html # See: http://www.sleuthkit.org/sleuthkit/docs/jni-docs/4.3/classorg_1_1sleuthkit_1_1datamodel_1_1_abstract_file.html
def process(self, file): def process(self, file):
# Use blackboard class to index blackboard artifacts for keyword search
blackboard = Case.getCurrentCase().getServices().getBlackboard()
# Skip non-files # Skip non-files
if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) or if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) or
(file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) or (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) or
@ -120,6 +125,12 @@ class FindBigRoundFilesIngestModule(FileIngestModule):
FindBigRoundFilesIngestModuleFactory.moduleName, "Big and Round Files") FindBigRoundFilesIngestModuleFactory.moduleName, "Big and Round Files")
art.addAttribute(att) art.addAttribute(att)
try:
# index the artifact for keyword search
blackboard.indexArtifact(art)
except Blackboard.BlackboardException as e:
self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName())
# Fire an event to notify the UI and others that there is a new artifact # Fire an event to notify the UI and others that there is a new artifact
IngestServices.getInstance().fireModuleDataEvent( IngestServices.getInstance().fireModuleDataEvent(
ModuleDataEvent(FindBigRoundFilesIngestModuleFactory.moduleName, ModuleDataEvent(FindBigRoundFilesIngestModuleFactory.moduleName,
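Review bot: `blackboard = Case.getCurrentCase().getServices().getBlackboard()` is placed at the top of `process(self, file)`, ahead of the skip-non-files check, so the lookup chain runs once per file even for files the module discards; resolving it once in startUp (outside this hunk) and keeping it on `self` would avoid the repeated call. SampleJythonFileIngestModule's process() in this commit has the same placement. If per-call fetching is deliberate, a comment such as `# fetched per call rather than cached in startUp — see module docs` would explain the choice to the next reader. The process() method continues past the end of this hunk.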


@ -51,6 +51,7 @@ from org.sleuthkit.autopsy.coreutils import Logger
from org.sleuthkit.autopsy.casemodule import Case from org.sleuthkit.autopsy.casemodule import Case
from org.sleuthkit.autopsy.casemodule.services import Services from org.sleuthkit.autopsy.casemodule.services import Services
from org.sleuthkit.autopsy.casemodule.services import FileManager from org.sleuthkit.autopsy.casemodule.services import FileManager
from org.sleuthkit.autopsy.casemodule.services import Blackboard
# Factory that defines the name and details of the module and allows Autopsy # Factory that defines the name and details of the module and allows Autopsy
@ -111,6 +112,9 @@ class SampleJythonDataSourceIngestModule(DataSourceIngestModule):
# we don't know how much work there is yet # we don't know how much work there is yet
progressBar.switchToIndeterminate() progressBar.switchToIndeterminate()
# Use blackboard class to index blackboard artifacts for keyword search
blackboard = Case.getCurrentCase().getServices().getBlackboard()
# For our example, we will use FileManager to get all # For our example, we will use FileManager to get all
# files with the word "test" # files with the word "test"
# in the name and then count and read them # in the name and then count and read them
@ -137,6 +141,11 @@ class SampleJythonDataSourceIngestModule(DataSourceIngestModule):
att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), SampleJythonDataSourceIngestModuleFactory.moduleName, "Test file") att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), SampleJythonDataSourceIngestModuleFactory.moduleName, "Test file")
art.addAttribute(att) art.addAttribute(att)
try:
# index the artifact for keyword search
blackboard.indexArtifact(art)
except Blackboard.BlackboardException as e:
self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName())
# To further the example, this code will read the contents of the file and count the number of bytes # To further the example, this code will read the contents of the file and count the number of bytes
inputStream = ReadContentInputStream(file) inputStream = ReadContentInputStream(file)


@ -53,6 +53,7 @@ from org.sleuthkit.autopsy.coreutils import Logger
from org.sleuthkit.autopsy.casemodule import Case from org.sleuthkit.autopsy.casemodule import Case
from org.sleuthkit.autopsy.casemodule.services import Services from org.sleuthkit.autopsy.casemodule.services import Services
from org.sleuthkit.autopsy.casemodule.services import FileManager from org.sleuthkit.autopsy.casemodule.services import FileManager
from org.sleuthkit.autopsy.casemodule.services import Blackboard
# Factory that defines the name and details of the module and allows Autopsy # Factory that defines the name and details of the module and allows Autopsy
# to create instances of the modules that will do the anlaysis. # to create instances of the modules that will do the anlaysis.
@ -113,6 +114,9 @@ class SampleJythonFileIngestModule(FileIngestModule):
(file.isFile() == False)): (file.isFile() == False)):
return IngestModule.ProcessResult.OK return IngestModule.ProcessResult.OK
# Use blackboard class to index blackboard artifacts for keyword search
blackboard = Case.getCurrentCase().getServices().getBlackboard()
# For an example, we will flag files with .txt in the name and make a blackboard artifact. # For an example, we will flag files with .txt in the name and make a blackboard artifact.
if file.getName().lower().endswith(".txt"): if file.getName().lower().endswith(".txt"):
@ -126,6 +130,12 @@ class SampleJythonFileIngestModule(FileIngestModule):
SampleJythonFileIngestModuleFactory.moduleName, "Text Files") SampleJythonFileIngestModuleFactory.moduleName, "Text Files")
art.addAttribute(att) art.addAttribute(att)
try:
# index the artifact for keyword search
blackboard.indexArtifact(art)
except Blackboard.BlackboardException as e:
self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName())
# Fire an event to notify the UI and others that there is a new artifact # Fire an event to notify the UI and others that there is a new artifact
IngestServices.getInstance().fireModuleDataEvent( IngestServices.getInstance().fireModuleDataEvent(
ModuleDataEvent(SampleJythonFileIngestModuleFactory.moduleName, ModuleDataEvent(SampleJythonFileIngestModuleFactory.moduleName,