def __init__(self):
self._logger = Logger.getLogger(self.__class__.__name__)
self._PACKAGE_NAME = "com.opera.browser"
self._MODULE_NAME = "Opera Analyzer"
self._PROGRAM_NAME = "Opera"
self._VERSION = "53.1.2569"
self.current_case = None
class GoldBuildIngestModule(FileIngestModule):
_logger = Logger.getLogger(GoldBuildIngestModuleFactory.moduleName)
def log(self, level, msg):
self._logger.logp(level, self.__class__.__name__,
inspect.stack()[1][3], msg)
def startUp(self, context):
global md5
md5 = []
def process(self, file):
if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS)
or
(file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS)
or (file.isFile() == False)):
return IngestModule.ProcessResult.OK
if (file.getMd5Hash()):
md5.append(file.getMd5Hash())
return IngestModule.ProcessResult.OK
def shutDown(self):
noDupes = list(set(md5))
outPath = os.path.join(Case.getCurrentCase().getCaseDirectory(),
"GoldBuild.txt")
outFile = open(outPath, 'w')
for line in noDupes:
outFile.write(line + '\n')
outFile.close()
class SampleFileIngestModuleWithUI(FileIngestModule):
_logger = Logger.getLogger(SampleFileIngestModuleWithUIFactory.moduleName)
def log(self, level, msg):
self._logger.logp(level, self.__class__.__name__,
inspect.stack()[1][3], msg)
# Autopsy will pass in the settings from the UI panel
def __init__(self, settings):
self.local_settings = settings
# Where any setup and configuration is done
# TODO: Add any setup code that you need here.
def startUp(self, context):
# As an example, determine if user configured a flag in UI
if self.local_settings.getFlag():
self.log(Level.INFO, "flag is set")
else:
self.log(Level.INFO, "flag is not set")
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException("Oh No!")
pass
# Where the analysis is done. Each file will be passed into here.
# TODO: Add your analysis code in here.
def process(self, file):
# See code in pythonExamples/fileIngestModule.py for example code
return IngestModule.ProcessResult.OK
# Where any shutdown code is run and resources are freed.
# TODO: Add any shutdown code that you need here.
def shutDown(self):
pass
def __init__(self):
self._logger = Logger.getLogger(self.__class__.__name__)
self._PACKAGE_NAME = "oruxmaps"
self._MODULE_NAME = "OruxMaps Analyzer"
self._PROGRAM_NAME = "OruxMaps"
self._VERSION = "7.5.7"
self.current_case = None
class GUI_Test_SQLSettingsIngestModule(DataSourceIngestModule):
_logger = Logger.getLogger(
GUI_Test_SQLSettingsIngestModuleFactory.moduleName)
def log(self, level, msg):
self._logger.logp(level, self.__class__.__name__,
inspect.stack()[1][3], msg)
def __init__(self, settings):
self.context = None
self.local_settings = settings
self.List_Of_GUI_Test_SQLSettings = []
# Where any setup and configuration is done
# 'context' is an instance of org.sleuthkit.autopsy.ingest.IngestJobContext.
# See: http://sleuthkit.org/autopsy/docs/api-docs/3.1/classorg_1_1sleuthkit_1_1autopsy_1_1ingest_1_1_ingest_job_context.html
def startUp(self, context):
self.context = context
# Check to see if the file to execute exists, if it does not then raise an exception and log error
# data is taken from the UI
if self.local_settings.getSetting('Exec_Prog_Flag') == 'true':
self.log(Level.INFO, self.local_settings.getSetting('ExecFile'))
self.path_to_exe = os.path.join(
os.path.dirname(os.path.abspath(__file__)),
self.local_settings.getSetting('ExecFile'))
if not os.path.exists(self.path_to_exe):
raise IngestModuleException(
"File to Run/execute does not exist.")
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException(IngestModule(), "Oh No!")
pass
# Where the analysis is done.
# The 'dataSource' object being passed in is of type org.sleuthkit.datamodel.Content.
# See:x http://www.sleuthkit.org/sleuthkit/docs/jni-docs/interfaceorg_1_1sleuthkit_1_1datamodel_1_1_content.html
# 'progressBar' is of type org.sleuthkit.autopsy.ingest.DataSourceIngestModuleProgress
# See: http://sleuthkit.org/autopsy/docs/api-docs/3.1/classorg_1_1sleuthkit_1_1autopsy_1_1ingest_1_1_data_source_ingest_module_progress.html
def process(self, dataSource, progressBar):
self.log(
Level.INFO,
"Starting to process, Just before call to parse_safari_history")
# we don't know how much work there is yet
progressBar.switchToIndeterminate()
self.log(Level.INFO,
"Starting 2 to process, Just before call to ???????")
self.log(Level.INFO, "ending process, Just before call to ??????")
# After all databases, post a message to the ingest messages in box.
message = IngestMessage.createMessage(
IngestMessage.MessageType.DATA, "GUI_Test_SQLSettings",
" GUI_Test_SQLSettings Has Been Analyzed ")
IngestServices.getInstance().postMessage(message)
return IngestModule.ProcessResult.OK
def startUp(self, context):
self.logger = Logger.getLogger(SampleJythonFileIngestModuleFactory.moduleName)
self.filesFound = 0
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException(IngestModule(), "Oh No!")
pass
def __init__(self):
self._logger = Logger.getLogger(self.__class__.__name__)
self._PACKAGE_NAME = "com.sec.android.app.sbrowser"
self._MODULE_NAME = "SBrowser Analyzer"
self._PROGRAM_NAME = "SBrowser"
self._VERSION = "10.1.00.27"
self.current_case = None
def process(self, dataSource, progressBar):
if self.context.isJobCancelled():
return IngestModule.ProcessResult.OK
logger = Logger.getLogger(SampleJythonDataSourceIngestModuleFactory.moduleName)
# we don't know how much work there is yet
progressBar.switchToIndeterminate()
autopsyCase = Case.getCurrentCase()
sleuthkitCase = autopsyCase.getSleuthkitCase()
services = Services(sleuthkitCase)
fileManager = services.getFileManager()
# For our example, we will use FileManager to get all
# files with the word "test"
# in the name and then count and read them
files = fileManager.findFiles(dataSource, "%test%")
numFiles = len(files)
logger.logp(Level.INFO, SampleJythonDataSourceIngestModule.__name__, "process", "found " + str(numFiles) + " files")
progressBar.switchToDeterminate(numFiles)
fileCount = 0;
for file in files:
# Check if the user pressed cancel while we were busy
if self.context.isJobCancelled():
return IngestModule.ProcessResult.OK
logger.logp(Level.INFO, SampleJythonDataSourceIngestModule.__name__, "process", "Processing file: " + file.getName())
fileCount += 1
# Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of
# artfiact. Refer to the developer docs for other examples.
art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), SampleJythonDataSourceIngestModuleFactory.moduleName, "Test file")
art.addAttribute(att)
# To further the example, this code will read the contents of the file and count the number of bytes
inputStream = ReadContentInputStream(file)
buffer = jarray.zeros(1024, "b")
totLen = 0
readLen = inputStream.read(buffer)
while (readLen != -1):
totLen = totLen + readLen
readLen = inputStream.read(buffer)
# Update the progress bar
progressBar.progress(fileCount)
#Post a message to the ingest messages in box.
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
"Sample Jython Data Source Ingest Module", "Found %d files" % fileCount)
IngestServices.getInstance().postMessage(message)
return IngestModule.ProcessResult.OK;
class FindBigRoundFilesIngestModule(FileIngestModule):
_logger = Logger.getLogger(FindBigRoundFilesIngestModuleFactory.moduleName)
def log(self, level, msg):
self._logger.logp(level, self.__class__.__name__, inspect.stack()[1][3], msg)
# Where any setup and configuration is done
# 'context' is an instance of org.sleuthkit.autopsy.ingest.IngestJobContext.
# See: http://sleuthkit.org/autopsy/docs/api-docs/4.6.0/classorg_1_1sleuthkit_1_1autopsy_1_1ingest_1_1_ingest_job_context.html
# TODO: Add any setup code that you need here.
def startUp(self, context):
self.filesFound = 0
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException("Oh No!")
pass
# Where the analysis is done. Each file will be passed into here.
# The 'file' object being passed in is of type org.sleuthkit.datamodel.AbstractFile.
# See: http://www.sleuthkit.org/sleuthkit/docs/jni-docs/4.6.0/classorg_1_1sleuthkit_1_1datamodel_1_1_abstract_file.html
def process(self, file):
# Use blackboard class to index blackboard artifacts for keyword search
blackboard = Case.getCurrentCase().getServices().getBlackboard()
# Skip non-files
if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) or
(file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) or
(file.isFile() == False)):
return IngestModule.ProcessResult.OK
# Look for files bigger than 10MB that are a multiple of 4096
if ((file.getSize() > 10485760) and ((file.getSize() % 4096) == 0)):
# Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of
# artifact. Refer to the developer docs for other examples.
art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(),
FindBigRoundFilesIngestModuleFactory.moduleName, "Big and Round Files")
art.addAttribute(att)
try:
# index the artifact for keyword search
blackboard.indexArtifact(art)
except Blackboard.BlackboardException as e:
self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName())
# Fire an event to notify the UI and others that there is a new artifact
IngestServices.getInstance().fireModuleDataEvent(
ModuleDataEvent(FindBigRoundFilesIngestModuleFactory.moduleName,
BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, None))
return IngestModule.ProcessResult.OK
# Where any shutdown code is run and resources are freed.
# TODO: Add any shutdown code that you need here.
def shutDown(self):
None
def __init__(self, settings):
self.context = None
self.local_settings = settings
self._logger = Logger.getLogger(self.__class__.__name__)
self._logger.log(Level.SEVERE, "Starting of plugin")
self.fbPeopleDict = {}
self.chatMessages = []
self.fbOwnerId = 0
def startUp(self, context):
self.logger = Logger.getLogger(
SampleJythonFileIngestModuleFactory.moduleName)
self.filesFound = 0
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException(IngestModule(), "Oh No!")
pass
def __init__(self, settings):
self.context = None
self.local_settings = settings
self._logger = Logger.getLogger(self.__class__.__name__)
self._logger.log(Level.SEVERE, "Starting of plugin")
self.MD5HashToCheck = ""
self.SHA1HashToCheck = ""
self.FTKLogFile = ""
def __init__(self, settings):
self.context = None
self.local_settings = settings
self._logger = Logger.getLogger(self.__class__.__name__)
self._logger.log(Level.SEVERE, "Starting of plugin")
self.fbPeopleDict = {}
self.chatMessages = []
self.fbOwnerId = 0
def log(self, level, msg):
if self._logger == None:
self._logger = \
Logger.getLogger(
self.moduleName)
self._logger.logp(
level,
self.__class__.__name__,
inspect.stack()[1][3], msg)
def __init__(self, rootDir, attachmentPath):
"""Initializes the database file object."""
super(emlParser, self).__init__()
# Path to directory where attachments will be stored:
self.attachmentPath = attachmentPath
self.rootDir = rootDir
self.mailList = {}
self._logger = Logger.getLogger(self.__class__.__name__)
self._logger.log(Level.SEVERE, "Starting of plugin")
class MatchMetaInfoIngestModule(FileIngestModule):
_logger = Logger.getLogger(MatchMetaInfoIngestModuleFactory.moduleName)
def log(self, level, msg):
self._logger.logp(level, self.__class__.__name__,
inspect.stack()[1][3], msg)
def __init__(self, settings):
self.local_settings = settings
def startUp(self, context):
pass
def process(self, file):
try:
if (filename):
dbConn = DriverManager.getConnection("jdbc:sqlite:%s" %
filename)
stmt = dbConn.createStatement()
path = file.getParentPath() + file.getName()
resultSet = stmt.executeQuery(
"SELECT * FROM META WHERE Path == '%s'" % path)
if (resultSet.next()):
temp = "Future Improvement"
else:
art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.
TSK_INTERESTING_FILE_HIT)
att = BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.
getTypeID(),
MatchMetaInfoIngestModuleFactory.moduleName,
"Unknown Meta")
art.addAttribute(att)
IngestServices.getInstance().fireModuleDataEvent(
ModuleDataEvent(
MatchMetaInfoIngestModuleFactory.moduleName,
BlackboardArtifact.ARTIFACT_TYPE.
TSK_INTERESTING_FILE_HIT, None))
stmt.close()
dbConn.close()
except:
pass
return IngestModule.ProcessResult.OK
def shutDown(self):
None
def __init__(self, settings):
self.context = None
self.local_settings = settings
self._logger = Logger.getLogger(self.__class__.__name__)
self._logger.log(Level.INFO, "Starting of plugin")
self.host = "localhost"
self.port = "23232"
self.qt = "select"
self.q = "q=text:*"
self.fl = "fl=text"
self.wt = "wt=json"
def __init__(self):
self._logger = Logger.getLogger(self.__class__.__name__)
self._FB_MESSENGER_PACKAGE_NAME = "com.facebook.orca"
self._FACEBOOK_PACKAGE_NAME = "com.facebook.katana"
self._MODULE_NAME = "FB Messenger Analyzer"
self._MESSAGE_TYPE = "Facebook Messenger"
self._VERSION = "239.0.0.41" ## FB version number. Did not find independent version number in FB Messenger
self.selfAccountId = None
self.current_case = None
class LowHangingFruit(FileIngestModule):
_logger = Logger.getLogger(LowHangingFruitFactory.moduleName)
def log(self, level, msg):
self._logger.logp(level, self.__class__.__name__,
inspect.stack()[1][3], msg)
def __init__(self, settings):
self.local_settings = settings
def startUp(self, context):
global md5
md5 = []
def process(self, file):
if (file.getMd5Hash()):
if (str(file.getKnown()) != "KNOWN"):
md5.append(file.getMd5Hash())
return IngestModule.ProcessResult.OK
def shutDown(self):
noDupes = list(set(md5))
try:
if (filename):
uniquePath = os.path.join(
Case.getCurrentCase().getCaseDirectory(),
"NewLowHangingFruit.txt")
uniqueFile = open(uniquePath, 'w')
dbConn = DriverManager.getConnection("jdbc:sqlite:%s" %
filename)
stmt = dbConn.createStatement()
for line in noDupes:
resultSet = stmt.executeQuery(
"SELECT * FROM MD5 where md5 == '%s'" % line)
if (resultSet.next()):
temp = "Future Improvement"
else:
uniqueFile.write(line + '\n')
stmt.close()
dbConn.close()
uniqueFile.close()
except:
allPath = os.path.join(Case.getCurrentCase().getCaseDirectory(),
"AllLowHangingFruit.txt")
allFile = open(allPath, 'w')
for line in noDupes:
allFile.write(line + '\n')
allFile.close()
def __init__(self):
self._logger = Logger.getLogger(self.__class__.__name__)
self._TIKTOK_PACKAGE_NAME = "com.zhiliaoapp.musically"
self._PARSER_NAME = "Tiktok Parser"
self._VERSION = "15.0.1"
communication_manager = Case.getCurrentCase().getSleuthkitCase(
).getCommunicationsManager()
self.account = CommunicationsManager.addAccountType(
communication_manager, "Tiktok", "Tiktok")
class netArchae(FileIngestModule):
_logger = Logger.getLogger(NetArchaeologist.moduleName)
def log(self, level, msg):
self._logger.logp(level, self.__class__.__name__, inspect.stack()[1][3], msg)
def startUp(self, context):
self.filesFound = 0
pass
def process(self, file):
if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) or
(file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) or
(file.isFile() == False)):
return IngestModule.ProcessResult.OK
# Flags files with .pcap extensions and makes a blackboard artifact.
if file.getName().lower().endswith(".pcap"):
self.log(Level.INFO, "Found a pcap file: " + file.getName())
self.filesFound+=1
# Makes an artifact on the blackboard.
art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME,
NetArchaeologist.moduleName, "Text Files")
art.addAttribute(att)
try:
# Indexes the artifact for keyword search.
blackboard.indexArtifact(art)
except Blackboard.BlackboardException as e:
self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName())
# Notifies user that there is a new artifact.
IngestServices.getInstance().fireModuleDataEvent(
ModuleDataEvent(NetArchaeologist.moduleName,
BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, None));
artifactList = file.getArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
for artifact in artifactList:
attributeList = artifact.getAttributes();
for attrib in attributeList:
self.log(Level.INFO, attrib.toString())
return IngestModule.ProcessResult.OK
def shutDown(self):
# Sends a message to the ingest inbox with the number of PCAP files found.
message = IngestMessage.createMessage(
IngestMessage.MessageType.DATA, NetArchaeologist.moduleName,
str(self.filesFound) + " PCAP files found")
ingestServices = IngestServices.getInstance().postMessage(message)
def startUp(self, context):
self.logger = Logger.getLogger(SampleFileIngestModuleWithUIFactory.moduleName)
# As an example, determine if user configured a flag in UI
if self.local_settings.getFlag():
self.logger.logp(Level.INFO, SampleFileIngestModuleWithUI.__name__, "startUp", "flag is set")
else:
self.logger.logp(Level.INFO, SampleFileIngestModuleWithUI.__name__, "startUp", "flag is not set")
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException(IngestModule(), "Oh No!")
pass
class Create_DS_HashsetIngestModule(DataSourceIngestModule):
_logger = Logger.getLogger(Create_DS_HashsetIngestModuleFactory.moduleName)
def log(self, level, msg):
self._logger.logp(level, self.__class__.__name__,
inspect.stack()[1][3], msg)
def __init__(self, settings):
self.context = None
self.local_settings = settings
self.list_box_entry = []
self.delete_all_artifacts = False
self.delete_all_attributes = False
# Where any setup and configuration is done
def startUp(self, context):
self.context = context
pass
# Where the analysis is done.
def process(self, dataSource, progressBar):
# we don't know how much work there is yet
progressBar.switchToIndeterminate()
imageFiles = dataSource.getPaths()
imageFile = os.path.basename(imageFiles[0])
exportFile = os.path.join(Case.getCurrentCase().getExportDirectory(),
str(imageFile) + "_hashset.txt")
#self.log(Level.INFO, "create Directory " + moduleDirectory)
sql_statement = 'select name, md5 from tsk_files where md5 <> "";'
skCase = Case.getCurrentCase().getSleuthkitCase()
dbquery = skCase.executeQuery(sql_statement)
resultSet = dbquery.getResultSet()
with open(exportFile, 'w') as f:
while resultSet.next():
f.write(
resultSet.getString("md5") + "\t" +
resultSet.getString("name") + "\n")
dbquery.close()
# After all databases, post a message to the ingest messages in box.
message = IngestMessage.createMessage(
IngestMessage.MessageType.DATA, "Create_DS_Hashset",
" Hashset Create For Datasource " + imageFile)
IngestServices.getInstance().postMessage(message)
return IngestModule.ProcessResult.OK
class FindTextFilesIngestModule(FileIngestModule):
_logger = Logger.getLogger(FindTextFilesModuleFactory.moduleName)
def log(self, level, msg):
self._logger.logp(level, self.__class__.__name__, inspect.stack()[1][3], msg)
def startUp(self, context):
self.filesFound = 0
pass
def process(self, file):
# Skip non-files
if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) or
(file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) or
(file.isFile() == False)):
return IngestModule.ProcessResult.OK
# Look for files with extension docx, ,doc, pdf and txt
extensions = ['docx','doc','pdf','txt','csv', 'ppt','pptx','rtf','html']
if (file.getNameExtension() in extensions):
# Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of
# artifact. Refer to the developer docs for other examples.
art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(),
FindTextFilesModuleFactory.moduleName, "Find text Files")
# Create find text directory in module output directory, if it exists then continue on processing
outpuDir = Case.getCurrentCase().getModulesOutputDirAbsPath() + "\TextFiles"
self.log(Level.INFO, "create Directory " + outpuDir)
try:
os.mkdir(outpuDir)
except:
self.log(Level.INFO, "Find Text Directory already exists " + outpuDir)
configFilesPath = os.path.join(outpuDir, str(file.getName()))
ContentUtils.writeToFile(file, File(configFilesPath))
art.addAttribute(att)
IngestServices.getInstance().fireModuleDataEvent(
ModuleDataEvent(FindTextFilesModuleFactory.moduleName,
BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, None));
return IngestModule.ProcessResult.OK
def shutDown(self):
None
def startUp(self, context):
self.logger = Logger.getLogger(
SampleFileIngestModuleWithUIFactory.moduleName)
# As an example, determine if user configured a flag in UI
if self.local_settings.getFlag():
self.logger.logp(Level.INFO, SampleFileIngestModuleWithUI.__name__,
"startUp", "flag is set")
else:
self.logger.logp(Level.INFO, SampleFileIngestModuleWithUI.__name__,
"startUp", "flag is not set")
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException(IngestModule(), "Oh No!")
pass
def __init__(self, settings):
self.context = None
self.local_settings = settings
self._logger = Logger.getLogger(self.__class__.__name__)
self._logger.log(Level.SEVERE, "Starting of plugin")
self.stringColumns = (('TSK_OPERATION_STATE','Operation State'), ('TSK_FILE_SIZE', 'Size (Bytes)'), \
('TSK_ATTRIBUTES','Attributes'), ('TSK_ISFOLDER','Is Folder'), \
('TSK_SOURCE_CRC','Source CRC'), ('TSK_TARGET_CRC','Target CRC'), \
('TSK_MESSAGE','Message'), ('TSK_OPERATION_TYPE','Operation Type'), \
('TSK_HISTORY_FILE','History File'), ('TSK_SOURCE_LOCATION', 'File Source Location'), \
('TSK_TARGET_LOCATION', 'Target Location'), ('TSK_FILE_PATH', 'File Path'))
self.dateColumns = []
self.dateColumn = ('TSK_DATETIME_START', 'TSK_DATETIME_ACCESSED', 'TSK_DATETIME_CREATED', 'TSK_DATETIME_MODIFIED', \
'TSK_ACTCACHE_CRT_CLOUD', 'TSK_ACTCACHE_LAST_MOD_CLIENT', 'TSK_ACTCACHE_ORIG_LMOC')
def __init__(self, settings):
self.context = None
self.local_settings = settings
self._logger = Logger.getLogger(self.__class__.__name__)
self._logger.log(Level.SEVERE, "Starting of plugin")
self.stringColumns = (('TSK_ACTCACHE_ID','ActivityCache Id'), ('TSK_ACTCACHE_APP_ID', 'Activity Cache App Id'), \
('TSK_ACTCACHE_PAYLOAD','Activity Cache Payload'), ('TSK_ACTCACHE_ACT_TYPE','Activity Type'), \
('TSK_ACTCACHE_LOCAL_ONLY','Is Local Only'), ('TSK_ACTCACHE_ETAG','ETag'), \
('TSK_ACTCACHE_PKGID_HASH','Package Id Hash'), ('TSK_ACTCACHE_PLAT_DEVID','Platform Device Id'), \
('TSK_ACTCACHE_STATUS','Activity Cache Status'))
self.dateColumns = (('TSK_ACTCACHE_ST_TIME','Start Time'), ('TSK_ACTCACHE_ENDTIME','End Time'), \
('TSK_ACTCACHE_LAST_MOD','Last Modified Time'), ('TSK_ACTCACHE_EXP_TIME','Expiration Time'), \
('TSK_ACTCACHE_CRT_CLOUD','Created In Cloud'), ('TSK_ACTCACHE_LAST_MOD_CLIENT','Last Modified On Client'), \
('TSK_ACTCACHE_ORIG_LMOC','Original Last Modified On Client'))
self.dateColumn = ('TSK_ACTCACHE_ST_TIME', 'TSK_ACTCACHE_ENDTIME', 'TSK_ACTCACHE_LAST_MOD', 'TSK_ACTCACHE_EXP_TIME', \
'TSK_ACTCACHE_CRT_CLOUD', 'TSK_ACTCACHE_LAST_MOD_CLIENT', 'TSK_ACTCACHE_ORIG_LMOC')
def __init__(self, settings):
self.context = None
self.local_settings = settings
self._logger = Logger.getLogger(self.__class__.__name__)
self._logger.log(Level.SEVERE, "Starting of plugin")
self.stringColumns = (('TSK_ACTCACHE_ID','ActivityCache Id'), ('TSK_ACTCACHE_APP_ID', 'Activity Cache App Id'), \
('TSK_ACTCACHE_PAYLOAD','Activity Cache Payload'), ('TSK_ACTCACHE_ACT_TYPE','Activity Type'), \
('TSK_ACTCACHE_LOCAL_ONLY','Is Local Only'), ('TSK_ACTCACHE_ETAG','ETag'), \
('TSK_ACTCACHE_PKGID_HASH','Package Id Hash'), ('TSK_ACTCACHE_PLAT_DEVID','Platform Device Id'), \
('TSK_ACTCACHE_STATUS','Activity Cache Status'))
self.dateColumns = (('TSK_ACTCACHE_ST_TIME','Start Time'), ('TSK_ACTCACHE_ENDTIME','End Time'), \
('TSK_ACTCACHE_LAST_MOD','Last Modified Time'), ('TSK_ACTCACHE_EXP_TIME','Expiration Time'), \
('TSK_ACTCACHE_CRT_CLOUD','Created In Cloud'), ('TSK_ACTCACHE_LAST_MOD_CLIENT','Last Modified On Client'), \
('TSK_ACTCACHE_ORIG_LMOC','Original Last Modified On Client'))
self.dateColumn = ('TSK_ACTCACHE_ST_TIME', 'TSK_ACTCACHE_ENDTIME', 'TSK_ACTCACHE_LAST_MOD', 'TSK_ACTCACHE_EXP_TIME', \
'TSK_ACTCACHE_CRT_CLOUD', 'TSK_ACTCACHE_LAST_MOD_CLIENT', 'TSK_ACTCACHE_ORIG_LMOC')
class BuildMetaInfo(FileIngestModule):
_logger = Logger.getLogger(BuildMetaInfoFactory.moduleName)
def log(self, level, msg):
self._logger.logp(level, self.__class__.__name__,
inspect.stack()[1][3], msg)
def __init__(self, settings):
self.local_settings = settings
def startUp(self, context):
try:
if (filename):
global dbConn
global stmt
dbConn = DriverManager.getConnection("jdbc:sqlite:%s" %
filename)
stmt = dbConn.createStatement()
except:
pass
def process(self, file):
try:
path = file.getParentPath() + file.getName()
#count = len(file.getNameExtension()) + 1
#full = file.getName()[:-count]
stmt.executeQuery("INSERT INTO META VALUES('%s')" % path)
except:
pass
return IngestModule.ProcessResult.OK
def shutDown(self):
try:
stmt.close()
dbConn.close()
except:
pass
class DiscordParseIngestModule(DataSourceIngestModule):
_logger = Logger.getLogger(DiscordParseIngestModuleFactory.moduleName)
def log(self, level, msg):
self._logger.logp(level, self.__class__.__name__, inspect.stack()[1][3], msg)
def __init__(self):
self.context = None
# Where any setup and configuration is done
# 'context' is an instance of org.sleuthkit.autopsy.ingest.IngestJobContext.
# See: http://sleuthkit.org/autopsy/docs/api-docs/latest/classorg_1_1sleuthkit_1_1autopsy_1_1ingest_1_1_ingest_job_context.html
def startUp(self, context):
self.context = context
def create_artifact_type(self,case,art_Name,desc):
try:
artId = case.addArtifactType(art_Name, desc)
return case.getArtifactTypeID(art_Name)
except:
return case.getArtifactTypeID(art_Name)
class SampleJythonFileIngestModule(FileIngestModule):
_logger = Logger.getLogger(SampleJythonFileIngestModuleFactory.moduleName)
def log(self, level, msg):
self._logger.logp(level, self.__class__.__name__, inspect.stack()[1][3], msg)
# Where any setup and configuration is done
# 'context' is an instance of org.sleuthkit.autopsy.ingest.IngestJobContext.
# See: http://sleuthkit.org/autopsy/docs/api-docs/4.4/classorg_1_1sleuthkit_1_1autopsy_1_1ingest_1_1_ingest_job_context.html
# TODO: Add any setup code that you need here.
def startUp(self, context):
self.filesFound = 0
# Throw an IngestModule.IngestModuleException exception if there was a problem setting up
# raise IngestModuleException("Oh No!")
pass
# Where the analysis is done. Each file will be passed into here.
# The 'file' object being passed in is of type org.sleuthkit.datamodel.AbstractFile.
# See: http://www.sleuthkit.org/sleuthkit/docs/jni-docs/4.4/classorg_1_1sleuthkit_1_1datamodel_1_1_abstract_file.html
# TODO: Add your analysis code in here.
def process(self, file):
# Skip non-files
if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) or
(file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) or
(file.isFile() == False)):
return IngestModule.ProcessResult.OK
# Use blackboard class to index blackboard artifacts for keyword search
blackboard = Case.getCurrentCase().getServices().getBlackboard()
# For an example, we will flag files with .txt in the name and make a blackboard artifact.
if file.getName().lower().endswith(".txt"):
self.log(Level.INFO, "Found a text file: " + file.getName())
self.filesFound+=1
# Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of
# artifact. Refer to the developer docs for other examples.
art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME,
SampleJythonFileIngestModuleFactory.moduleName, "Text Files")
art.addAttribute(att)
try:
# index the artifact for keyword search
blackboard.indexArtifact(art)
except Blackboard.BlackboardException as e:
self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName())
# Fire an event to notify the UI and others that there is a new artifact
IngestServices.getInstance().fireModuleDataEvent(
ModuleDataEvent(SampleJythonFileIngestModuleFactory.moduleName,
BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, None))
# For the example (this wouldn't be needed normally), we'll query the blackboard for data that was added
# by other modules. We then iterate over its attributes. We'll just print them, but you would probably
# want to do something with them.
artifactList = file.getArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
for artifact in artifactList:
attributeList = artifact.getAttributes()
for attrib in attributeList:
self.log(Level.INFO, attrib.toString())
# To further the example, this code will read the contents of the file and count the number of bytes
inputStream = ReadContentInputStream(file)
buffer = jarray.zeros(1024, "b")
totLen = 0
len = inputStream.read(buffer)
while (len != -1):
totLen = totLen + len
len = inputStream.read(buffer)
return IngestModule.ProcessResult.OK
# Where any shutdown code is run and resources are freed.
# TODO: Add any shutdown code that you need here.
def shutDown(self):
# As a final part of this example, we'll send a message to the ingest inbox with the number of files found (in this thread)
message = IngestMessage.createMessage(
IngestMessage.MessageType.DATA, SampleJythonFileIngestModuleFactory.moduleName,
str(self.filesFound) + " files found")
ingestServices = IngestServices.getInstance().postMessage(message)
class ArtifactGroup(DataSourceIngestModule):
_logger = Logger.getLogger(ArtifactGroupFactory.moduleName)
def log(self, level, msg):
self._logger.logp(level, self.__class__.__name__, inspect.stack()[1][3], msg)
def __init__(self):
self.context = None
# Where any setup and configuration is done
# 'context' is an instance of org.sleuthkit.autopsy.ingest.IngestJobContext.
# See: http://sleuthkit.org/autopsy/docs/api-docs/4.6.0/classorg_1_1sleuthkit_1_1autopsy_1_1ingest_1_1_ingest_job_context.html
# TODO: Add any setup code that you need here.
def startUp(self, context):
self.context = context
pass
# Where the analysis is done. Each file will be passed into here.
# The 'file' object being passed in is of type org.sleuthkit.datamodel.AbstractFile.
# See: http://www.sleuthkit.org/sleuthkit/docs/jni-docs/4.6.0/classorg_1_1sleuthkit_1_1datamodel_1_1_abstract_file.html
# TODO: Add your analysis code in here.
def process(self, dataSource, progressBar):
# we don't know how much work there is yet
progressBar.switchToIndeterminate()
# Get Devices Attached from blackboard ////////////////////////
skCase = Case.getCurrentCase().getSleuthkitCase()
artDevicesID = skCase.getArtifactTypeID("TSK_DEVICE_ATTACHED")
# print it to the log file
self.log(Level.INFO, "Artifact type ID of TSK_DEVICE_ATTACHED: " + str(artDevicesID))
# get all artifacts that have this type ID from the database using the Sleuthkit API - not the database via sql queries
devicesAttArtifacts = skCase.getBlackboardArtifacts(artDevicesID)
# print the number of the artifacts in the log file
self.log(Level.INFO, "Number of TSK_DEVICE_ATTACHED artifacts found: " + str(len(devicesAttArtifacts)))
# create new artifact type
try:
skCase.addArtifactType("TSK_CKC_DEVICE_ATTACHED", "CKC Delivery Device Attached")
except:
# if the artifact type already exists do nothing
self.log(Level.INFO, "TSK_CKC_DEVICE_ATTACHED artifact already exists")
# first we need to get the IDs of the TSK_CKC_DEVICE_ATTACHED and of the attributes of the TSK_CKC_DEVICE_ATTACHED
artID_CKC_DEVICE_ATTACHED = skCase.getArtifactTypeID("TSK_CKC_DEVICE_ATTACHED")
attID_TSK_DATETIME = skCase.getAttributeType("TSK_DATETIME")
attID_TSK_DEVICE_MAKE = skCase.getAttributeType("TSK_DEVICE_MAKE")
attID_TSK_DEVICE_MODEL = skCase.getAttributeType("TSK_DEVICE_MODEL")
attID_TSK_DEVICE_ID = skCase.getAttributeType("TSK_DEVICE_ID")
for attDArt in devicesAttArtifacts:
# get the obj_id -> this is the ID of the Source file
sourceFileID = attDArt.getObjectID()
# get the actual file using its obj_id
sourceFile = skCase.getAbstractFileById(sourceFileID)
# create a TSK_CKC_WEB_DOWNLOAD blackboard artifact based on this TSK_WEB_DOWNLOAD
try:
art = sourceFile.newArtifact(artID_CKC_DEVICE_ATTACHED)
art.addAttributes((
(BlackboardAttribute(attID_TSK_DATETIME, ArtifactGroupFactory.moduleName,
attDArt.getAttribute(attID_TSK_DATETIME).getValueLong())), \
(BlackboardAttribute(attID_TSK_DEVICE_MAKE, ArtifactGroupFactory.moduleName,
attDArt.getAttribute(attID_TSK_DEVICE_MAKE).getValueString())), \
(BlackboardAttribute(attID_TSK_DEVICE_MODEL, ArtifactGroupFactory.moduleName,
attDArt.getAttribute(attID_TSK_DEVICE_MODEL).getValueString())), \
(BlackboardAttribute(attID_TSK_DEVICE_ID, ArtifactGroupFactory.moduleName,
attDArt.getAttribute(attID_TSK_DEVICE_ID).getValueString()))
))
except:
self.log(Level.INFO, "Artifact cannot be created. Moved to next.")
return IngestModule.ProcessResult.OK
def shutDown(self):
# As a final part of this example, we'll send a message to the ingest inbox with the number of files found (in this thread)
message = IngestMessage.createMessage(
IngestMessage.MessageType.DATA, ArtifactGroupFactory.moduleName,
str(self.filesFound) + " files found")
ingestServices = IngestServices.getInstance().postMessage(message)
def log(self, level, msg):
self._logger.logp(level, self.__class__.__name__, inspect.stack()[1][3], msg)
self._logger = Logger.getLogger(self.__class__.__name__)
def log(self, level, msg):
if _logger == None:
_logger = Logger.getLogger(self.moduleName)
self._logger.logp(level, self.__class__.__name__, inspect.stack()[1][3], msg)
def __init__(self):
self._logger = Logger.getLogger(self.__class__.__name__)
def log(self, level, msg):
self._logger.logp(level, self.__class__.__name__,
inspect.stack()[1][3], msg)
self._logger = Logger.getLogger(self.__class__.__name__)
def __init__(self, settings):
self.context = None
self.local_settings = settings
self._logger = Logger.getLogger(self.__class__.__name__)
self._logger.log(Level.SEVERE, "Starting of plugin")
def __init__(self, settings):
self.context = None
self.local_settings = settings
self._logger = Logger.getLogger(self.__class__.__name__)
self._logger.log(Level.SEVERE, "Starting of plugin")