updates to tskdbdiff.py for analysis results and aggregate scores

This commit is contained in:
Greg DiCristofaro 2021-06-02 15:06:52 -04:00
parent b4937e1830
commit f763c16ee3


@ -1004,43 +1004,50 @@ TableNormalization = Union[IGNORE_TABLE, NormalizeRow]
This dictionary maps tables where data should be specially handled to how they should be handled. This dictionary maps tables where data should be specially handled to how they should be handled.
""" """
TABLE_NORMALIZATIONS: Dict[str, TableNormalization] = { TABLE_NORMALIZATIONS: Dict[str, TableNormalization] = {
"image_gallery_groups_seen": IGNORE_TABLE,
"blackboard_artifacts": IGNORE_TABLE, "blackboard_artifacts": IGNORE_TABLE,
"blackboard_attributes": IGNORE_TABLE, "blackboard_attributes": IGNORE_TABLE,
"tsk_files": NormalizeRow(normalize_tsk_files), "data_source_info": NormalizeColumns({
"tsk_vs_parts": NormalizeColumns({ "device_id": "{device id}",
"obj_id": MASKED_OBJ_ID "added_date_time": "{dateTime}"
}), }),
"image_gallery_groups": NormalizeColumns({ "image_gallery_groups": NormalizeColumns({
"group_id": MASKED_ID "group_id": MASKED_ID
}), }),
"tsk_files_path": NormalizeRow(normalize_tsk_files_path), "image_gallery_groups_seen": IGNORE_TABLE,
"tsk_file_layout": NormalizeColumns({ "ingest_jobs": NormalizeRow(normalize_ingest_jobs),
"obj_id": lambda guid_util, col: normalize_unalloc_files(guid_util.get_guid_for_file_objid(col))
}),
"tsk_objects": NormalizeRow(normalize_tsk_objects),
"reports": NormalizeColumns({ "reports": NormalizeColumns({
"obj_id": MASKED_OBJ_ID, "obj_id": MASKED_OBJ_ID,
"path": "AutopsyTestCase", "path": "AutopsyTestCase",
"crtime": 0 "crtime": 0
}), }),
"data_source_info": NormalizeColumns({ "tsk_aggregate_score": NormalizeColumns({
"device_id": "{device id}", "obj_id": lambda guid_util, col: guid_util.get_guid_for_objid(col, omitted_value="Object ID Omitted"),
"added_date_time": "{dateTime}" "data_source_obj_id": lambda guid_util, col: guid_util.get_guid_for_objid(col, omitted_value="Data Source Object ID Omitted"),
}), }),
"ingest_jobs": NormalizeRow(normalize_ingest_jobs), "tsk_analysis_results": NormalizeColumns({
"tsk_examiners": NormalizeColumns({ "artifact_obj_id": lambda guid_util, col: guid_util.get_guid_for_objid(col, omitted_value="Artifact Object ID Omitted"),
"login_name": "{examiner_name}"
}), }),
"tsk_data_artifacts": NormalizeColumns({
"artifact_obj_id":
lambda guid_util, col: guid_util.get_guid_for_file_objid(col, omitted_value="Artifact Object ID Omitted"),
"os_account_obj_id":
lambda guid_util, col: guid_util.get_guid_for_file_objid(col, omitted_value="Account Object ID Omitted"),
}),
"tsk_event_descriptions": NormalizeRow(normalize_tsk_event_descriptions),
"tsk_events": NormalizeColumns({ "tsk_events": NormalizeColumns({
"event_id": "MASKED_EVENT_ID", "event_id": "MASKED_EVENT_ID",
"event_description_id": None, "event_description_id": None,
"time": None, "time": None,
}), }),
"tsk_event_descriptions": NormalizeRow(normalize_tsk_event_descriptions), "tsk_examiners": NormalizeColumns({
"tsk_os_accounts": NormalizeColumns({ "login_name": "{examiner_name}"
"os_account_obj_id": MASKED_OBJ_ID
}), }),
"tsk_files": NormalizeRow(normalize_tsk_files),
"tsk_file_layout": NormalizeColumns({
"obj_id": lambda guid_util, col: normalize_unalloc_files(guid_util.get_guid_for_file_objid(col))
}),
"tsk_files_path": NormalizeRow(normalize_tsk_files_path),
"tsk_objects": NormalizeRow(normalize_tsk_objects),
"tsk_os_account_attributes": NormalizeColumns({ "tsk_os_account_attributes": NormalizeColumns({
"id": MASKED_ID, "id": MASKED_ID,
"os_account_obj_id": lambda guid_util, col: guid_util.get_guid_for_accountid(col), "os_account_obj_id": lambda guid_util, col: guid_util.get_guid_for_accountid(col),
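Review bot: The `artifact_obj_id` column is normalized through two different helpers in this hunk: the new `tsk_analysis_results` entry uses `guid_util.get_guid_for_objid(col, omitted_value="Artifact Object ID Omitted")`, while the `tsk_data_artifacts` entry a few lines below keeps `guid_util.get_guid_for_file_objid(col, omitted_value="Artifact Object ID Omitted")` for the same-named column (and the new `tsk_aggregate_score` entry likewise uses `get_guid_for_objid`). Unless the two helpers are guaranteed to yield the same GUID for a given object id — which cannot be confirmed from this hunk — rows referring to the same artifact will normalize differently across the two tables, and one of them will be the less stable side of the gold-file comparison. If the difference is intended, a one-line comment at the `tsk_analysis_results` entry such as `# analysis results can attach to any object, not only files, so resolve through get_guid_for_objid` would stop the next reader from "fixing" it; otherwise pick one helper for the column. Note also that every unresolvable id collapses to a fixed `omitted_value` string, so a result whose obj_id points at a missing object would look identical to any other missing reference in the diff; if that is acceptable it is worth stating in the dictionary's docstring. The `TABLE_NORMALIZATIONS` literal continues past the end of this hunk.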
@ -1050,11 +1057,11 @@ TABLE_NORMALIZATIONS: Dict[str, TableNormalization] = {
"id": MASKED_ID, "id": MASKED_ID,
"os_account_obj_id": lambda guid_util, col: guid_util.get_guid_for_accountid(col) "os_account_obj_id": lambda guid_util, col: guid_util.get_guid_for_accountid(col)
}), }),
"tsk_data_artifacts": NormalizeColumns({ "tsk_os_accounts": NormalizeColumns({
"artifact_obj_id": "os_account_obj_id": MASKED_OBJ_ID
lambda guid_util, col: guid_util.get_guid_for_file_objid(col, omitted_value="Artifact Object ID Omitted"), }),
"os_account_obj_id": "tsk_vs_parts": NormalizeColumns({
lambda guid_util, col: guid_util.get_guid_for_file_objid(col, omitted_value="Account Object ID Omitted"), "obj_id": MASKED_OBJ_ID
}) })
} }