

Python IngestMessage.createMessage方法代码示例

本文整理汇总了Python中org.sleuthkit.autopsy.ingest.IngestMessage.createMessage方法的典型用法代码示例。如果您正苦于以下问题:Python IngestMessage.createMessage方法的具体用法?Python IngestMessage.createMessage怎么用?Python IngestMessage.createMessage使用的例子?那么, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在org.sleuthkit.autopsy.ingest.IngestMessage的用法示例。


在下文中一共展示了IngestMessage.createMessage方法的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。

示例1: process

# 需要导入模块: from org.sleuthkit.autopsy.ingest import IngestMessage [as 别名]
# 或者: from org.sleuthkit.autopsy.ingest.IngestMessage import createMessage [as 别名]
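    def process(self, dataSource, progressBar):
        """Export the MD5 hashes recorded for the case's files to a hashset text file.

        Queries ``tsk_files`` for every row with a non-empty ``md5`` and writes
        one tab-separated ``md5<TAB>name`` line per row to
        ``<case export dir>/<image basename>_hashset.txt``, then posts a DATA
        ingest message.

        Args:
            dataSource: the data source being ingested; only its first path is
                used, to derive the export file name.
            progressBar: ingest progress bar; switched to indeterminate because
                the row count is not known up front.

        Returns:
            ``IngestModule.ProcessResult.OK`` on success, ``ERROR`` when the
            data source reports no paths (nothing to name the export after).
        """
        # we don't know how much work there is yet
        progressBar.switchToIndeterminate()

        imageFiles = dataSource.getPaths()
        if not imageFiles:
            # Report the condition instead of failing with IndexError on imageFiles[0].
            message = IngestMessage.createMessage(IngestMessage.MessageType.ERROR,
                "Create_DS_Hashset", " No paths found for Datasource, hashset not created ")
            IngestServices.getInstance().postMessage(message)
            return IngestModule.ProcessResult.ERROR

        imageFile = os.path.basename(imageFiles[0])
        exportFile = os.path.join(Case.getCurrentCase().getExportDirectory(), str(imageFile) + "_hashset.txt")

        # Fixed statement; no external input is interpolated into it.
        sql_statement = 'select name, md5 from tsk_files where md5 <> "";'
        skCase = Case.getCurrentCase().getSleuthkitCase()
        dbquery = skCase.executeQuery(sql_statement)
        try:
            resultSet = dbquery.getResultSet()
            with open(exportFile, 'w') as f:
                while resultSet.next():
                    # NOTE(review): a file name containing a tab or newline would break the
                    # one-record-per-line layout; the format is kept as the original wrote it.
                    f.write(resultSet.getString("md5") + "\t" + resultSet.getString("name") + "\n")
        finally:
            # Release the query even when the export file cannot be written.
            dbquery.close()

        # After all databases, post a message to the ingest messages in box.
        message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
            "Create_DS_Hashset", " Hashset Create For Datasource " + imageFile )
        IngestServices.getInstance().postMessage(message)

        return IngestModule.ProcessResult.OK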
开发者ID:markmckinnon,项目名称:Autopsy-Plugins,代码行数:30,代码来源:Create_Datasource_Hashset.py

示例2: process

# 需要导入模块: from org.sleuthkit.autopsy.ingest import IngestMessage [as 别名]
# 或者: from org.sleuthkit.autopsy.ingest.IngestMessage import createMessage [as 别名]
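    def process(self, dataSource, progressBar):
        """Flag every file whose name contains "test" as an interesting-file hit.

        Looks the files up through the FileManager, creates a
        TSK_INTERESTING_FILE_HIT artifact (set name = this module's name) for
        each one, indexes it for keyword search, reads the content through to
        demonstrate content access, and finally posts a DATA ingest message
        with the number of files handled.

        Args:
            dataSource: the data source to search.
            progressBar: ingest progress bar, switched to determinate once the
                number of matching files is known.

        Returns:
            ``IngestModule.ProcessResult.OK``, also when the job is cancelled
            part-way through the walk.
        """
        # we don't know how much work there is yet
        progressBar.switchToIndeterminate()

        # Use blackboard class to index blackboard artifacts for keyword search
        blackboard = Case.getCurrentCase().getServices().getBlackboard()

        # For our example, we will use FileManager to get all
        # files with the word "test"
        # in the name and then count and read them
        # FileManager API: http://sleuthkit.org/autopsy/docs/api-docs/4.6.0/classorg_1_1sleuthkit_1_1autopsy_1_1casemodule_1_1services_1_1_file_manager.html
        fileManager = Case.getCurrentCase().getServices().getFileManager()
        files = fileManager.findFiles(dataSource, "%test%")

        numFiles = len(files)
        self.log(Level.INFO, "found " + str(numFiles) + " files")
        progressBar.switchToDeterminate(numFiles)
        fileCount = 0
        # 'abstractFile' rather than 'file': the latter shadows the Python 2 builtin.
        for abstractFile in files:

            # Check if the user pressed cancel while we were busy
            if self.context.isJobCancelled():
                return IngestModule.ProcessResult.OK

            self.log(Level.INFO, "Processing file: " + abstractFile.getName())
            fileCount += 1

            # Make an artifact on the blackboard.  TSK_INTERESTING_FILE_HIT is a generic type of
            # artifact.  Refer to the developer docs for other examples.
            art = abstractFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
            att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, SampleJythonDataSourceIngestModuleFactory.moduleName, "Test file")
            art.addAttribute(att)

            try:
                # index the artifact for keyword search
                blackboard.indexArtifact(art)
            except Blackboard.BlackboardException:
                self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName())

            # To further the example, this code will read the contents of the file and count the number of bytes
            inputStream = ReadContentInputStream(abstractFile)
            try:
                buffer = jarray.zeros(1024, "b")
                totLen = 0
                readLen = inputStream.read(buffer)
                while readLen != -1:
                    totLen = totLen + readLen
                    readLen = inputStream.read(buffer)
            finally:
                # Release the stream on every path, including a read() failure;
                # the original left it open.
                inputStream.close()

            # Update the progress bar
            progressBar.progress(fileCount)

        #Post a message to the ingest messages in box.
        message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
            "Sample Jython Data Source Ingest Module", "Found %d files" % fileCount)
        IngestServices.getInstance().postMessage(message)

        return IngestModule.ProcessResult.OK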
开发者ID:sleuthkit,项目名称:autopsy,代码行数:62,代码来源:dataSourceIngestModule.py

示例3: process

# 需要导入模块: from org.sleuthkit.autopsy.ingest import IngestMessage [as 别名]
# 或者: from org.sleuthkit.autopsy.ingest.IngestMessage import createMessage [as 别名]
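    def process(self, dataSource, progressBar):
        """Flag every file whose name contains "test" as an interesting-file hit.

        Same walk as the FileManager sample: look the files up, add a
        TSK_INTERESTING_FILE_HIT artifact per file, read the content through to
        demonstrate access, report progress, then post a DATA ingest message
        with the count. Logging goes through a java.util.logging logger named
        after the module factory.

        Args:
            dataSource: the data source to search.
            progressBar: ingest progress bar, switched to determinate once the
                match count is known.

        Returns:
            ``IngestModule.ProcessResult.OK``, also when the job is cancelled
            before or during the walk.
        """
        if self.context.isJobCancelled():
            return IngestModule.ProcessResult.OK

        logger = Logger.getLogger(SampleJythonDataSourceIngestModuleFactory.moduleName)

        # we don't know how much work there is yet
        progressBar.switchToIndeterminate()

        autopsyCase = Case.getCurrentCase()
        sleuthkitCase = autopsyCase.getSleuthkitCase()
        services = Services(sleuthkitCase)
        fileManager = services.getFileManager()

        # For our example, we will use FileManager to get all
        # files with the word "test"
        # in the name and then count and read them
        files = fileManager.findFiles(dataSource, "%test%")

        numFiles = len(files)
        logger.logp(Level.INFO, SampleJythonDataSourceIngestModule.__name__, "process", "found " + str(numFiles) + " files")
        progressBar.switchToDeterminate(numFiles)
        fileCount = 0
        # 'abstractFile' rather than 'file': the latter shadows the Python 2 builtin.
        for abstractFile in files:

            # Check if the user pressed cancel while we were busy
            if self.context.isJobCancelled():
                return IngestModule.ProcessResult.OK

            logger.logp(Level.INFO, SampleJythonDataSourceIngestModule.__name__, "process", "Processing file: " + abstractFile.getName())
            fileCount += 1

            # Make an artifact on the blackboard.  TSK_INTERESTING_FILE_HIT is a generic type of
            # artifact.  Refer to the developer docs for other examples.
            art = abstractFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
            att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), SampleJythonDataSourceIngestModuleFactory.moduleName, "Test file")
            art.addAttribute(att)

            # To further the example, this code will read the contents of the file and count the number of bytes
            inputStream = ReadContentInputStream(abstractFile)
            try:
                buffer = jarray.zeros(1024, "b")
                totLen = 0
                readLen = inputStream.read(buffer)
                while readLen != -1:
                    totLen = totLen + readLen
                    readLen = inputStream.read(buffer)
            finally:
                # Release the stream on every path, including a read() failure;
                # the original left it open.
                inputStream.close()

            # Update the progress bar
            progressBar.progress(fileCount)

        #Post a message to the ingest messages in box.
        message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
            "Sample Jython Data Source Ingest Module", "Found %d files" % fileCount)
        IngestServices.getInstance().postMessage(message)

        return IngestModule.ProcessResult.OK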
开发者ID:BruceMty,项目名称:Autopsy-hashdb-Python,代码行数:61,代码来源:dataSourceIngestModule.py

示例4: process

# 需要导入模块: from org.sleuthkit.autopsy.ingest import IngestMessage [as 别名]
# 或者: from org.sleuthkit.autopsy.ingest.IngestMessage import createMessage [as 别名]
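    def process(self, dataSource, progressBar):
        """Run the configured YARA scanner over every non-KNOWN .doc file and record a report.

        Each candidate is exported to the case temp directory as
        ``<file id>.<extension>``, scanned by ``self.path_to_exe`` with
        ``self.path_to_rules`` (argument list, no shell), and the scanner's
        stdout followed by the file's path is appended to ``Reports/YARA.txt``
        in the case directory, which is then registered as a case report.

        Args:
            dataSource: the data source to scan.
            progressBar: ingest progress bar.

        Returns:
            ``IngestModule.ProcessResult.OK``; also on cancellation, in which
            case the partial report is closed but not registered with the case.
        """
        progressBar.switchToIndeterminate()
        fileManager = Case.getCurrentCase().getServices().getFileManager()

        ###---EDIT HERE---###
        files = fileManager.findFiles(dataSource, "%.doc", "%")
        ###---EDIT HERE---###

        numFiles = len(files)
        progressBar.switchToDeterminate(numFiles)
        fileCount = 0

        ###---EDIT HERE---###
        reportPath = os.path.join(Case.getCurrentCase().getCaseDirectory(), "Reports", "YARA.txt")
        ###---EDIT HERE---###

        # 'with' closes the report on every exit path (cancel, exception); the
        # original's explicit close() was skipped on the cancel return.
        with open(reportPath, 'w') as reportHandle:
            for abstractFile in files:

                if self.context.isJobCancelled():
                    return IngestModule.ProcessResult.OK

                if (str(abstractFile.getKnown()) != "KNOWN"):

                    # NOTE(review): the exported copy is left in the temp directory after the scan.
                    exportPath = os.path.join(Case.getCurrentCase().getTempDirectory(), str(abstractFile.getId())+"."+abstractFile.getNameExtension())

                    ###---EDIT HERE---###
                    ContentUtils.writeToFile(abstractFile, File(exportPath))
                    # The child writes to the report's descriptor directly; flush the
                    # Python-side buffer first so earlier write() output is not
                    # reordered after the scanner's output.
                    reportHandle.flush()
                    rc = subprocess.call([self.path_to_exe, self.path_to_rules, exportPath], stdout=reportHandle)
                    if rc != 0:
                        # A failed scan leaves no findings for this file; say so rather than go silent.
                        self.log(Level.SEVERE, "Scanner exited with status " + str(rc) + " for " + abstractFile.getName())
                    ###---EDIT HERE---###

                    reportHandle.write(abstractFile.getParentPath()+abstractFile.getName()+'\n\n')

                self.log(Level.INFO, "Processing file: " + abstractFile.getName())
                fileCount += 1
                progressBar.progress(fileCount)

        message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
            "YARA Scan", "Scanned %d Files" % numFiles)
        IngestServices.getInstance().postMessage(message)

        Case.getCurrentCase().addReport(reportPath, "YARA Scan", "Scanned %d Files" % numFiles)

        return IngestModule.ProcessResult.OK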
开发者ID:CarlosLannister,项目名称:AutopsyModules,代码行数:50,代码来源:YARA.py

示例5: process

# 需要导入模块: from org.sleuthkit.autopsy.ingest import IngestMessage [as 别名]
# 或者: from org.sleuthkit.autopsy.ingest.IngestMessage import createMessage [as 别名]
    def process(self, dataSource, progressBar):
        """Placeholder data-source pass: write three log markers and post a DATA message.

        No analysis is performed on *dataSource*; the method only exercises the
        logging, progress-bar and ingest-inbox plumbing.

        Args:
            dataSource: the data source handed in by the ingest pipeline (unused).
            progressBar: ingest progress bar, switched to indeterminate.

        Returns:
            ``IngestModule.ProcessResult.OK`` always.
        """
        self.log(Level.INFO, "Starting to process, Just before call to parse_safari_history")

        # Amount of work is not known up front
        progressBar.switchToIndeterminate()

        self.log(Level.INFO, "Starting 2 to process, Just before call to ???????")
        self.log(Level.INFO, "ending process, Just before call to ??????")

        # Tell the ingest inbox this data source has been handled
        msgType = IngestMessage.MessageType.DATA
        inbox = IngestServices.getInstance()
        inbox.postMessage(IngestMessage.createMessage(msgType, "GUI_Test", " GUI_Test Has Been Analyzed "))

        return IngestModule.ProcessResult.OK
开发者ID:markmckinnon,项目名称:Autopsy-Plugins,代码行数:18,代码来源:Gui_Test.py

示例6: process

# 需要导入模块: from org.sleuthkit.autopsy.ingest import IngestMessage [as 别名]
# 或者: from org.sleuthkit.autopsy.ingest.IngestMessage import createMessage [as 别名]
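    def process(self, file):
        """Flag files whose name contains "test" and report their size to the ingest inbox.

        For a matching file a TSK_INTERESTING_FILE_HIT artifact with set name
        "Text Files" is added, the content is read in 1 KiB chunks to count its
        bytes, and a DATA message carrying that size is posted. Other files are
        passed through untouched.

        Args:
            file: the AbstractFile handed in by the ingest pipeline (the parameter
                name shadows the Python 2 builtin but is kept for the pipeline).

        Returns:
            ``IngestModule.ProcessResult.OK`` in every case.
        """
        # Matches the substring "test" anywhere in the name, not a .txt extension.
        if file.getName().find("test") != -1:
            art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
            att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), "Sample Jython File Ingest Module", "Text Files")
            art.addAttribute(att)

            # Read the contents of the file.
            inputStream = ReadContentInputStream(file)
            try:
                buffer = jarray.zeros(1024, "b")
                totLen = 0
                # 'readLen' instead of 'len', which shadowed the builtin
                readLen = inputStream.read(buffer)
                while readLen != -1:
                    totLen = totLen + readLen
                    readLen = inputStream.read(buffer)
            finally:
                # Release the stream on every path; the original left it open.
                inputStream.close()

            # Send the size of the file to the ingest messages in box.
            msgText = "Size of %s is %d bytes" % (file.getName(), totLen)
            message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "Sample Jython File IngestModule", msgText)
            # postMessage() has no useful return value, so nothing is kept from it.
            IngestServices.getInstance().postMessage(message)

        return IngestModule.ProcessResult.OK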
开发者ID:ColdSmoke627,项目名称:autopsy,代码行数:24,代码来源:ingestmodule.py

示例7: process

# 需要导入模块: from org.sleuthkit.autopsy.ingest import IngestMessage [as 别名]
# 或者: from org.sleuthkit.autopsy.ingest.IngestMessage import createMessage [as 别名]

#.........这里部分代码省略.........
                        artID_art_evt = skCase.getArtifactType("TSK_VOL_" + resultSet1.getString("tbl_name") + "_" + file_name)
                        try: 
                           self.log(Level.INFO, "Result (" + resultSet1.getString("tbl_name") + ")")
                           table_name = resultSet1.getString("tbl_name")
                           resultSet4  = stmt4.executeQuery("Select count(*) 'NumRows' from " + resultSet1.getString("tbl_name") + " ")
                           row_count = resultSet4.getInt("NumRows")
                           self.log(Level.INFO, " Number of Rows is " + str(row_count) + " ")                           
                           if row_count >= 1:
                                SQL_String_1 = "Select * from " + table_name + ";"
                                SQL_String_2 = "PRAGMA table_info('" + table_name + "')"
                                self.log(Level.INFO, SQL_String_1)
                                self.log(Level.INFO, SQL_String_2)
                                artifact_name = "TSK_VOL_" + table_name.upper() + "_" + file_name

                                artID_sql = skCase.getArtifactTypeID(artifact_name)
                                artID_sql_evt = skCase.getArtifactType(artifact_name)
                                                          
                                Column_Names = []
                                Column_Types = []
                                resultSet2  = stmt2.executeQuery(SQL_String_2)
                                while resultSet2.next(): 
                                   Column_Names.append(resultSet2.getString("name").upper())
                                   Column_Types.append(resultSet2.getString("type").upper())
                                   attribute_name = "TSK_VOL_" + table_name + "_" + resultSet2.getString("name").upper()
                                   if resultSet2.getString("type").upper() == "TEXT":
                                       try:
                                           attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet2.getString("name"))
                                       except:		
                                           self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ")
                                   elif resultSet2.getString("type").upper() == "LONGVARCHAR":
                                       try:
                                           attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet2.getString("name"))
                                       except:		
                                              self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ")
                                   elif resultSet2.getString("type").upper() == "":
                                       try:
                                           attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet2.getString("name"))
                                       except:		
                                           self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ")
                                   elif resultSet2.getString("type").upper() == "BLOB":
                                       try:
                                           attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet2.getString("name"))
                                       except:		
                                           self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ")
                                   elif resultSet2.getString("type").upper() == "REAL":
                                       try:
                                           attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, resultSet2.getString("name"))
                                       except:		
                                           self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ")
                                   else:
                                       try:
                                           attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, resultSet2.getString("name"))
                                       except:		
                                           self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ")

                                                         
                                resultSet3 = stmt3.executeQuery(SQL_String_1)
                                while resultSet3.next():
                                   art = file.newArtifact(artID_sql)
                                   Column_Number = 1
                                   for col_name in Column_Names:
                                      c_name = "TSK_VOL_" + table_name.upper() + "_" + Column_Names[Column_Number - 1]
                                      attID_ex1 = skCase.getAttributeType(c_name)
                                      if Column_Types[Column_Number - 1] == "TEXT":
                                          if resultSet3.getString(Column_Number) == None:
                                             art.addAttribute(BlackboardAttribute(attID_ex1, VolatilityIngestModuleFactory.moduleName, " "))
                                          else:
                                             art.addAttribute(BlackboardAttribute(attID_ex1, VolatilityIngestModuleFactory.moduleName, resultSet3.getString(Column_Number)))
                                      elif Column_Types[Column_Number - 1] == "":
                                          art.addAttribute(BlackboardAttribute(attID_ex1, VolatilityIngestModuleFactory.moduleName, resultSet3.getString(Column_Number)))
                                      elif Column_Types[Column_Number - 1] == "LONGVARCHAR":
                                          art.addAttribute(BlackboardAttribute(attID_ex1, VolatilityIngestModuleFactory.moduleName, "BLOBS Not Supported - Look at actual file"))
                                      elif Column_Types[Column_Number - 1] == "BLOB":
                                          art.addAttribute(BlackboardAttribute(attID_ex1, VolatilityIngestModuleFactory.moduleName, "BLOBS Not Supported - Look at actual file"))
                                      elif Column_Types[Column_Number - 1] == "REAL":
                                          art.addAttribute(BlackboardAttribute(attID_ex1, VolatilityIngestModuleFactory.moduleName, long(resultSet3.getFloat(Column_Number))))
                                      else:
                                          art.addAttribute(BlackboardAttribute(attID_ex1, VolatilityIngestModuleFactory.moduleName, long(resultSet3.getString(Column_Number))))
                                      Column_Number = Column_Number + 1
                                   
                                   IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(VolatilityIngestModuleFactory.moduleName, \
                                        artID_sql_evt, None))
                                    
                        except SQLException as e:
                               self.log(Level.INFO, "Error getting values from table " +  resultSet.getString("tbl_name") + " (" + e.getMessage() + ")")
                        try:
#                            exestmt = createStatement()
                            resultx = exestmt.execute("insert into plugins_loaded_to_Autopsy values ('" + table_name + "');")
                        except SQLException as e:
                            self.log(Level.INFO, "Could not create table plugins_loaded_to_autopsy")

                except SQLException as e:
                       self.log(Level.INFO, "Error querying database " + file.getName() + " (" + e.getMessage() + ")")

        # After all databases, post a message to the ingest messages in box.
        message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
            "VolatilitySettings", " VolatilitySettings Has Been Analyzed " )
        IngestServices.getInstance().postMessage(message)

        return IngestModule.ProcessResult.OK                
开发者ID:markmckinnon,项目名称:Autopsy-Plugins,代码行数:104,代码来源:Volatility.py

示例8: process

# 需要导入模块: from org.sleuthkit.autopsy.ingest import IngestMessage [as 别名]
# 或者: from org.sleuthkit.autopsy.ingest.IngestMessage import createMessage [as 别名]
    def process(self, dataSource, progressBar):

        if len(self.List_Of_tables) < 1:
            message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "ParseAmcache", " No Amcache tables Selected to Parse " )
            IngestServices.getInstance().postMessage(message)
            return IngestModule.ProcessResult.ERROR

        # we don't know how much work there is yet
        progressBar.switchToIndeterminate()
        
       # Set the database to be read to the once created by the prefetch parser program
        skCase = Case.getCurrentCase().getSleuthkitCase();
        fileManager = Case.getCurrentCase().getServices().getFileManager()
        files = fileManager.findFiles(dataSource, "Amcache.hve")
        numFiles = len(files)
        self.log(Level.INFO, "found " + str(numFiles) + " files")
        progressBar.switchToDeterminate(numFiles)
        fileCount = 0;

		# Create Event Log directory in temp directory, if it exists then continue on processing		
        Temp_Dir = Case.getCurrentCase().getTempDirectory()
        temp_dir = os.path.join(Temp_Dir, "amcache")
        self.log(Level.INFO, "create Directory " + temp_dir)
        try:
		    os.mkdir(temp_dir)
        except:
		    self.log(Level.INFO, "Amcache Directory already exists " + temp_dir)
			
        # Write out each Event Log file to the temp directory
        for file in files:
            
            # Check if the user pressed cancel while we were busy
            if self.context.isJobCancelled():
                return IngestModule.ProcessResult.OK

            #self.log(Level.INFO, "Processing file: " + file.getName())
            fileCount += 1

            # Save the DB locally in the temp folder. use file id as name to reduce collisions
            lclDbPath = os.path.join(temp_dir, file.getName())
            ContentUtils.writeToFile(file, File(lclDbPath))
                        

        # Example has only a Windows EXE, so bail if we aren't on Windows
        # Run the EXE, saving output to a sqlite database
        self.log(Level.INFO, "Running program on data source parm 1 ==> " + Temp_Dir + "\Amcache\Amcache.hve  Parm 2 ==> " + Temp_Dir + "\Amcache.db3")
        subprocess.Popen([self.path_to_exe, os.path.join(temp_dir, "Amcache.hve"), os.path.join(temp_dir, "Amcache.db3")]).communicate()[0]   
               
        for file in files:	
           # Open the DB using JDBC
           lclDbPath = os.path.join(temp_dir, "Amcache.db3")
           self.log(Level.INFO, "Path the Amcache database file created ==> " + lclDbPath)
           try: 
               Class.forName("org.sqlite.JDBC").newInstance()
               dbConn = DriverManager.getConnection("jdbc:sqlite:%s"  % lclDbPath)
           except SQLException as e:
               self.log(Level.INFO, "Could not open database file (not SQLite) " + file.getName() + " (" + e.getMessage() + ")")
               return IngestModule.ProcessResult.OK
            
           # Query the contacts table in the database and get all columns.
           for am_table_name in self.List_Of_tables:           
               try:
                   stmt = dbConn.createStatement()
                   resultSet = stmt.executeQuery("Select tbl_name from SQLITE_MASTER where lower(tbl_name) in ('" + am_table_name + "'); ")
                   # resultSet = stmt.executeQuery("Select tbl_name from SQLITE_MASTER where lower(tbl_name) in ('associated_file_entries', " + \
                                                 # "'unassociated_programs', 'program_entries'); ")
                   self.log(Level.INFO, "query SQLite Master table for " + am_table_name)
               except SQLException as e:
                   self.log(Level.INFO, "Error querying database for Prefetch table (" + e.getMessage() + ")")
                   return IngestModule.ProcessResult.OK

               # Cycle through each row and create artifacts
               while resultSet.next():
                   try: 
                       self.log(Level.INFO, "Result (" + resultSet.getString("tbl_name") + ")")
                       table_name = resultSet.getString("tbl_name")
                       #self.log(Level.INFO, "Result get information from table " + resultSet.getString("tbl_name") + " ")
                       SQL_String_1 = "Select * from " + table_name + ";"
                       SQL_String_2 = "PRAGMA table_info('" + table_name + "')"
                       artifact_name = "TSK_" + table_name.upper()
                       artifact_desc = "Amcache " + table_name.upper()
                       #self.log(Level.INFO, SQL_String_1)
                       #self.log(Level.INFO, "Artifact_Name ==> " + artifact_name)
                       #self.log(Level.INFO, "Artifact_desc ==> " + artifact_desc)
                       #self.log(Level.INFO, SQL_String_2)
                       try:
                            self.log(Level.INFO, "Begin Create New Artifacts")
                            artID_amc = skCase.addArtifactType( artifact_name, artifact_desc)
                       except:		
                            self.log(Level.INFO, "Artifacts Creation Error, some artifacts may not exist now. ==> ")

                       artID_amc = skCase.getArtifactTypeID(artifact_name)
                       artID_amc_evt = skCase.getArtifactType(artifact_name)
                       
                       Column_Names = []
                       Column_Types = []
                       resultSet2  = stmt.executeQuery(SQL_String_2)
                       while resultSet2.next(): 
                          Column_Names.append(resultSet2.getString("name").upper())
                          Column_Types.append(resultSet2.getString("type").upper())
#.........这里部分代码省略.........
开发者ID:markmckinnon,项目名称:Autopsy-Plugins,代码行数:103,代码来源:ParseAmcache.py

示例9: process

# 需要导入模块: from org.sleuthkit.autopsy.ingest import IngestMessage [as 别名]
# 或者: from org.sleuthkit.autopsy.ingest.IngestMessage import createMessage [as 别名]

#.........这里部分代码省略.........
                                        artID_plist = skCase.addArtifactType( artifact_name, artifact_desc)
                                   except:		
                                        self.log(Level.INFO, "Artifacts Creation Error, some artifacts may not exist now. ==> ")

                                   artID_plist = skCase.getArtifactTypeID(artifact_name)
                                   artID_plist_evt = skCase.getArtifactType(artifact_name)
                                                          
                                   Column_Names = []
                                   Column_Types = []
                                   resultSet2  = stmt2.executeQuery(SQL_String_2)
                                   while resultSet2.next(): 
                                      Column_Names.append(resultSet2.getString("name").upper())
                                      Column_Types.append(resultSet2.getString("type").upper())
                                      attribute_name = "TSK_PLIST_" + resultSet2.getString("name").upper()
                                      #self.log(Level.INFO, "attribure id for " + attribute_name + " == " + resultSet2.getString("type").upper())
                                      if resultSet2.getString("type").upper() == "TEXT":
                                          try:
                                              attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet2.getString("name"))
                                          except:		
                                              self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ")
                                      elif resultSet2.getString("type").upper() == "LONGVARCHAR":
                                          try:
                                              attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet2.getString("name"))
                                          except:		
                                              self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ")
                                      elif resultSet2.getString("type").upper() == "":
                                          try:
                                              attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet2.getString("name"))
                                          except:		
                                              self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ")
                                      elif resultSet2.getString("type").upper() == "BLOB":
                                          try:
                                              attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet2.getString("name"))
                                          except:		
                                              self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ")
                                      elif resultSet2.getString("type").upper() == "REAL":
                                          try:
                                              attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, resultSet2.getString("name"))
                                          except:		
                                              self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ")
                                      else:
                                          try:
                                              attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, resultSet2.getString("name"))
                                          except:		
                                              self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ")

                                                         
                                   resultSet3 = stmt3.executeQuery(SQL_String_1)
                                   while resultSet3.next():
                                      art = file.newArtifact(artID_plist)
                                      Column_Number = 1
                                      for col_name in Column_Names:
                                         #self.log(Level.INFO, "Result get information for column " + Column_Names[Column_Number - 1] + " ")
                                         #self.log(Level.INFO, "Result get information for column_number " + str(Column_Number) + " ")
                                         #self.log(Level.INFO, "Result get information for column type " + Column_Types[Column_Number - 1] + " <== ")
                                         c_name = "TSK_PLIST_" + Column_Names[Column_Number - 1]
                                         #self.log(Level.INFO, "Attribute Name is " + c_name + " ")
                                         attID_ex1 = skCase.getAttributeType(c_name)
                                         if Column_Types[Column_Number - 1] == "TEXT":
                                             art.addAttribute(BlackboardAttribute(attID_ex1, ParsePlists2DBDelRecIngestModuleFactory.moduleName, resultSet3.getString(Column_Number)))
                                         elif Column_Types[Column_Number - 1] == "":
                                             art.addAttribute(BlackboardAttribute(attID_ex1, ParsePlists2DBDelRecIngestModuleFactory.moduleName, resultSet3.getString(Column_Number)))
                                         elif Column_Types[Column_Number - 1] == "LONGVARCHAR":
                                             art.addAttribute(BlackboardAttribute(attID_ex1, ParsePlists2DBDelRecIngestModuleFactory.moduleName, "BLOBS Not Supported - Look at actual file"))
                                         elif Column_Types[Column_Number - 1] == "BLOB":
                                             art.addAttribute(BlackboardAttribute(attID_ex1, ParsePlists2DBDelRecIngestModuleFactory.moduleName, "BLOBS Not Supported - Look at actual file"))
                                         elif Column_Types[Column_Number - 1] == "REAL":
                                             art.addAttribute(BlackboardAttribute(attID_ex1, ParsePlists2DBDelRecIngestModuleFactory.moduleName, long(resultSet3.getFloat(Column_Number))))
                                         else:
                                             art.addAttribute(BlackboardAttribute(attID_ex1, ParsePlists2DBDelRecIngestModuleFactory.moduleName, long(resultSet3.getInt(Column_Number))))
                                         Column_Number = Column_Number + 1
                                   
                                   IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(ParsePlists2DBDelRecIngestModuleFactory.moduleName, \
                                        artID_plist_evt, None))
                                    
                           except SQLException as e:
                               self.log(Level.INFO, "Error getting values from table " +  resultSet.getString("tbl_name") + " (" + e.getMessage() + ")")
                   except SQLException as e:
                       self.log(Level.INFO, "Error querying database " + file.getName() + " (" + e.getMessage() + ")")
                   #return IngestModule.ProcessResult.OK
               # Clean up
                   stmt.close()
                   dbConn.close()
                   os.remove(os.path.join(Temp_Dir, "Plist_File-" + str(file.getId()) + ".db3"))
               os.remove(os.path.join(Temp_Dir, file.getName() + "-" + str(file.getId())))
               
                
        # After all databases, post a message to the ingest messages in box.
        if len(message_desc) == 0:
            message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                "Plist Parser", " Plist files have been parsed  " )
            IngestServices.getInstance().postMessage(message)
        else:
            message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                "Plist Parser", message_desc + " Plist files have been parsed with the above files failing  " )
            IngestServices.getInstance().postMessage(message)
            

        
        return IngestModule.ProcessResult.OK
开发者ID:markmckinnon,项目名称:Autopsy-Plugins,代码行数:104,代码来源:Parse_Plist.py

示例10: process

# 需要导入模块: from org.sleuthkit.autopsy.ingest import IngestMessage [as 别名]
# 或者: from org.sleuthkit.autopsy.ingest.IngestMessage import createMessage [as 别名]

#.........这里部分代码省略.........
            self.log(Level.INFO, "Data source Directory already exists")        
        
        # Create log file for the number of extensions found
        try:
            mod_log_file = os.path.join(vdisk_dir, "File_Extensions_Written_Log_" + dataSource.getName() + ".csv")
            self.log(Level.INFO, "Output Directory is ==> " + mod_log_file)
            mod_log = open(mod_log_file, "w")
            mod_log.write('Directory_In,File_Extension,Number_Of_Files_Written \n')
            out_log_file = os.path.join(drive_letter + "\\", "File_Extensions_Written_Log_" + dataSource.getName() + ".csv")
            self.log(Level.INFO, "Output Directory is ==> " + out_log_file)
            out_log = open(out_log_file, "w")
            out_log.write('Directory_In,File_Extension,Number_Of_Files_Written \n')
        except:
            self.log(Level.INFO, "Log File creation error")

        # Open the DB using JDBC
        try: 
            Class.forName("org.sqlite.JDBC").newInstance()
            dbConn = DriverManager.getConnection("jdbc:sqlite:%s"  % self.file_extension_db)
        except SQLException as e:
            self.log(Level.INFO, "Could not open File Extension database " + self.file_extension_db + " (" + e.getMessage() + ")")
            return IngestModule.ProcessResult.OK

        # Get all the file extensions that we want to find and export to the Preview Disk            
        try:
            stmt = dbConn.createStatement()
            SQL_Statement = "select Output_Directory, File_Extension from File_Extensions_To_Export"
            self.log(Level.INFO, "SQL Statement --> " + SQL_Statement)
            resultSet = stmt.executeQuery(SQL_Statement)
        except SQLException as e:
            self.log(Level.INFO, "Error querying database for File_Extensions_To_Export table (" + e.getMessage() + ")")
            return IngestModule.ProcessResult.OK
            
        # Cycle through each row and create artifacts
        while resultSet.next():
            try: 
                # Update the progress bar with the type of Document we are extracting
                progressBar.progress("Extracting " + resultSet.getString('Output_Directory') + " Files")
                
                fileManager = Case.getCurrentCase().getServices().getFileManager()
                files = fileManager.findFiles(dataSource, "%." + resultSet.getString("File_Extension"), "")
                numFiles = len(files)
                self.log(Level.INFO, "Number of files found for file extension " + resultSet.getString("File_Extension") + " ==> " + str(numFiles))

                try:
                    mod_log.write(resultSet.getString('Output_Directory') + "," + resultSet.getString("File_Extension") + "," + str(numFiles) + "\n")
                    out_log.write(resultSet.getString('Output_Directory') + "," + resultSet.getString("File_Extension") + "," + str(numFiles) + "\n")
                except:
                    self.log(Level.INFO, " Error Writing Log File ==> " + resultSet.getString('Output_Directory') + "," + resultSet.getString("File_Extension") + "," + str(numFiles) + "\n")
                    
                # Need to create log file here
                
                # Try and create directory to store files in, may already be created so we will ignore if it does
                try:
                    dir_to_write_to = os.path.join(data_source_dir, resultSet.getString('Output_Directory'))
                    if not os.path.exists(dir_to_write_to):
                        os.mkdir(dir_to_write_to)
                except:
                    self.log(Level.INFO, "Directory " + resultSet.getString('Output_Directory') + " already exists.")
                    
                # Write all the files to the vhd
                for file in files:
                    lclfile = os.path.join(dir_to_write_to, str(file.getId()) + "-" + file.getName())
                    #self.log(Level.INFO, "File to write ==> " + lclfile)
                    ContentUtils.writeToFile(file, File(lclfile))
            except:
                self.log(Level.INFO, "Error in processing sql statement")
                   
        # Close the log file
        try:
            mod_log.close()
            out_log.close()
        except:
            self.log(Level.INFO, "Error closing log files, they might not exist")        

        # Set the progress bar to unmounting
        progressBar.progress("Unmounting The Virtual Disk")
        
        # Run Diskpart using the scripts to unmount the VHD   
        self.log(Level.INFO, "Running prog ==> " + "diskpart.exe "  + " -S " + vdisk_unmount_script)
        pipe = Popen(["diskpart.exe", "-S", vdisk_unmount_script], stdout=PIPE, stderr=PIPE)
        out_text = pipe.communicate()[0]
        self.log(Level.INFO, "Output from run is ==> " + out_text)               

        # Clean up
        stmt.close()
        dbConn.close()
      	
		#Clean up prefetch directory and files
        try:
             shutil.rmtree(os.path.join(Case.getCurrentCase().getTempDirectory(), "vdisk_scripts"))		
        except:
		     self.log(Level.INFO, "removal of vdisk script directory failed " + Temp_Dir)
  
        # After all databases, post a message to the ingest messages in box.
        message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
            "VDiskCreate", " VDiskCreate Files Have Been Analyzed " )
        IngestServices.getInstance().postMessage(message)

        return IngestModule.ProcessResult.OK                
开发者ID:markmckinnon,项目名称:Autopsy-Plugins,代码行数:104,代码来源:Create_Preview_Data_Container.py

示例11: throwWarning

# 需要导入模块: from org.sleuthkit.autopsy.ingest import IngestMessage [as 别名]
# 或者: from org.sleuthkit.autopsy.ingest.IngestMessage import createMessage [as 别名]
 def throwWarning(self, msg):
     """Post *msg* to the Autopsy ingest inbox as a DATA message titled "CookieModulez"."""
     inbox = IngestServices.getInstance()
     notice = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "CookieModulez", msg)
     inbox.postMessage(notice)
开发者ID:bcarrier,项目名称:makisu2015,代码行数:5,代码来源:ingestMod.py

示例12: process

# 需要导入模块: from org.sleuthkit.autopsy.ingest import IngestMessage [as 别名]
# 或者: from org.sleuthkit.autopsy.ingest.IngestMessage import createMessage [as 别名]
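    def process(self, dataSource, progressBar):
        """Convert each hiberfil.sys in *dataSource* to a raw memory image and add it as a data source.

        Only runs the conversion when ``self.hiber_flag`` is set.  Every
        ``hiberfil.sys`` found under ``/`` is copied out of the image into the
        case temp directory, converted with the configured Volatility
        ``imagecopy`` plugin into the module output directory, and the resulting
        image is registered as a new local-files data source.  A summary message
        is always posted to the ingest inbox.

        Args:
            dataSource: the Content being ingested.
            progressBar: the DataSourceIngestModuleProgress for this job.

        Returns:
            IngestModule.ProcessResult.OK in every case; failures are logged only.
        """
        self.log(Level.INFO, "Starting to process Hiberfil.sys and Crash Dumps")

        # we don't know how much work there is yet
        progressBar.switchToIndeterminate()

        if self.hiber_flag:
            Mod_Dir = Case.getCurrentCase().getModulesOutputDirAbsPath()
            ModOut_Dir = os.path.join(Mod_Dir, "Volatility", "Memory-Image-hiberfil")
            self.log(Level.INFO, "Module Output Directory ===>  " + ModOut_Dir)

            # Create each level on its own: with both mkdir calls in a single try
            # block, an existing "Volatility" directory (left by an earlier run)
            # raised before ModOut_Dir was ever created, so imagecopy had nowhere
            # to write.
            for out_dir in (os.path.join(Mod_Dir, "Volatility"), ModOut_Dir):
                if not os.path.exists(out_dir):
                    try:
                        os.mkdir(out_dir)
                    except OSError as e:
                        self.log(Level.INFO, "***** Error creating Module Output Directory " + out_dir + " (" + str(e) + ")")

            fileManager = Case.getCurrentCase().getServices().getFileManager()
            files = fileManager.findFiles(dataSource, "hiberfil.sys", "/")
            self.log(Level.INFO, "Number of files to process ==> " + str(len(files)))

            # Loop-invariant paths.  NOTE: every hiberfil is converted to the same
            # output name, so a data source holding more than one overwrites the
            # previous conversion.
            tmp_Dir = Case.getCurrentCase().getTempDirectory()
            dump_file = os.path.join(ModOut_Dir, "Memory-Image-from-hiberfil.img")

            for file in files:
                self.log(Level.INFO, "File to process is ==> " + str(file))
                self.log(Level.INFO, "File name to process is ==> " + file.getName())
                Hiber_File = os.path.join(tmp_Dir, file.getName())
                ContentUtils.writeToFile(file, File(Hiber_File))
                self.log(Level.INFO, "File name to process is ==> " + Hiber_File)

                # Build the argument list once; Popen gets a list (no shell), so the
                # evidence-derived path is never interpreted by a shell.
                if self.Python_Program:
                    interpreter = "Python.exe" if PlatformUtil.isWindowsOS() else "python"
                    cmd = [interpreter, self.Volatility_Executable]
                else:
                    cmd = [self.Volatility_Executable]
                cmd += ["imagecopy", "-f", Hiber_File, "-O" + dump_file]
                self.log(Level.INFO, "Running program ==> " + " ".join(cmd))
                pipe = Popen(cmd, stdout=PIPE, stderr=PIPE)
                out_text = pipe.communicate()[0]
                self.log(Level.INFO, "Output from run is ==> " + out_text)

                # The extracted hiberfil can be several GB and is not needed once
                # converted; the original left it behind in the case temp directory.
                try:
                    os.remove(Hiber_File)
                except OSError:
                    self.log(Level.INFO, "Failed to remove temporary file " + Hiber_File)

                # Add hiberfil memory image to a new local data source
                progress_updater = ProgressUpdater()
                fileManager_2 = Case.getCurrentCase().getServices().getFileManager()
                skcase_data = Case.getCurrentCase()

                # Get a Unique device id using uuid
                device_id = UUID.randomUUID()
                self.log(Level.INFO, "device id: ==> " + str(device_id))
                skcase_data.notifyAddingDataSource(device_id)

                # Add data source with files
                fileManager_2.addLocalFilesDataSource(str(device_id), "Hiberfile Memory Image", "", [dump_file], progress_updater)

                # Notify listeners of every file that was added
                for file_added in progress_updater.getFiles():
                    skcase_data.notifyDataSourceAdded(file_added, device_id)
                    self.log(Level.INFO, "Fire Module1: ==> " + str(file_added))

        # After all databases, post a message to the ingest messages in box.
        message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
            "HiberFil_Crash", " Hiberfil/Crash Dumps have been extracted fro Image. " )
        IngestServices.getInstance().postMessage(message)

        return IngestModule.ProcessResult.OK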
开发者ID:markmckinnon,项目名称:Autopsy-Plugins,代码行数:91,代码来源:Volatility_Convert.py

示例13: process

# 需要导入模块: from org.sleuthkit.autopsy.ingest import IngestMessage [as 别名]
# 或者: from org.sleuthkit.autopsy.ingest.IngestMessage import createMessage [as 别名]

#.........这里部分代码省略.........
			
        # Set the database to be read to the once created by the prefetch parser program
        lclDbPath = os.path.join(Temp_Dir, "Autopsy_PF_DB.db3")
        self.log(Level.INFO, "Path the prefetch database file created ==> " + lclDbPath)
                        
        # Open the DB using JDBC
        try: 
            Class.forName("org.sqlite.JDBC").newInstance()
            dbConn = DriverManager.getConnection("jdbc:sqlite:%s"  % lclDbPath)
        except SQLException as e:
            self.log(Level.INFO, "Could not open database file (not SQLite) " + file.getName() + " (" + e.getMessage() + ")")
            return IngestModule.ProcessResult.OK
            
        # Query the contacts table in the database and get all columns. 
        try:
            stmt = dbConn.createStatement()
            resultSet = stmt.executeQuery("Select prefetch_File_Name, actual_File_Name, Number_time_file_run, " +
                                          " Embeded_date_Time_Unix_1, " +
                                          " Embeded_date_Time_Unix_2, " +
                                          " Embeded_date_Time_Unix_3, " +
                                          " Embeded_date_Time_Unix_4, " +
                                          " Embeded_date_Time_Unix_5, " +
                                          " Embeded_date_Time_Unix_6, " +   
                                          " Embeded_date_Time_Unix_7, " +       
                                          " Embeded_date_Time_Unix_8 " +
                                          " from prefetch_file_info ")
        except SQLException as e:
            self.log(Level.INFO, "Error querying database for Prefetch table (" + e.getMessage() + ")")
            return IngestModule.ProcessResult.OK

        # Cycle through each row and create artifacts
        while resultSet.next():
            try: 
                self.log(Level.INFO, "Result (" + resultSet.getString("Prefetch_File_Name") + ")")
                Prefetch_File_Name  = resultSet.getString("Prefetch_File_Name")
                Actual_File_Name = resultSet.getString("Actual_File_Name")
                Number_Of_Runs = resultSet.getString("Number_Time_File_Run")
                Time_1 = resultSet.getInt("Embeded_date_Time_Unix_1")
                Time_2 = resultSet.getInt("Embeded_date_Time_Unix_2")
                Time_3 = resultSet.getInt("Embeded_date_Time_Unix_3")
                Time_4 = resultSet.getInt("Embeded_date_Time_Unix_4")
                Time_5 = resultSet.getInt("Embeded_date_Time_Unix_5")
                Time_6 = resultSet.getInt("Embeded_date_Time_Unix_6")
                Time_7 = resultSet.getInt("Embeded_date_Time_Unix_7")
                Time_8 = resultSet.getInt("Embeded_date_Time_Unix_8")
            except SQLException as e:
                self.log(Level.INFO, "Error getting values from contacts table (" + e.getMessage() + ")")

            fileManager = Case.getCurrentCase().getServices().getFileManager()
            files = fileManager.findFiles(dataSource, Prefetch_File_Name)                
            
            for file in files:
                # Make artifact for TSK_PREFETCH,  this can happen when custom attributes are fully supported
                #art = file.newArtifact(artID_pf)
                art = file.newArtifact(artID_pf)

                #self.log(Level.INFO, "Attribute Number ==>" + str(attID_pf_fn) + " " + str(attID_pf_an) )
                # Add the attributes to the artifact.
                art.addAttributes(((BlackboardAttribute(attID_pf_fn, ParsePrefetchDbIngestModuleFactory.moduleName, Prefetch_File_Name)), \
                                  (BlackboardAttribute(attID_pf_an, ParsePrefetchDbIngestModuleFactory.moduleName, Actual_File_Name)), \
                                  (BlackboardAttribute(attID_nr, ParsePrefetchDbIngestModuleFactory.moduleName, Number_Of_Runs)), \
                                  (BlackboardAttribute(attID_ex1, ParsePrefetchDbIngestModuleFactory.moduleName, Time_1)), \
                                  (BlackboardAttribute(attID_ex2, ParsePrefetchDbIngestModuleFactory.moduleName, Time_2)), \
                                  (BlackboardAttribute(attID_ex3, ParsePrefetchDbIngestModuleFactory.moduleName, Time_3)), \
                                  (BlackboardAttribute(attID_ex4, ParsePrefetchDbIngestModuleFactory.moduleName, Time_4)), \
                                  (BlackboardAttribute(attID_ex5, ParsePrefetchDbIngestModuleFactory.moduleName, Time_5)), \
                                  (BlackboardAttribute(attID_ex6, ParsePrefetchDbIngestModuleFactory.moduleName, Time_6)), \
                                  (BlackboardAttribute(attID_ex7, ParsePrefetchDbIngestModuleFactory.moduleName, Time_7)), \
                                  (BlackboardAttribute(attID_ex8, ParsePrefetchDbIngestModuleFactory.moduleName, Time_8))))
			
        # Fire an event to notify the UI and others that there are new artifacts  
        IngestServices.getInstance().fireModuleDataEvent(
            ModuleDataEvent(ParsePrefetchDbIngestModuleFactory.moduleName, artID_pf_evt, None))
                
        # Clean up
        stmt.close()
        dbConn.close()
        os.remove(lclDbPath)

		#Clean up prefetch directory and files
        for file in files:
            try:
			    os.remove(os.path.join(Temp_Dir, file.getName()))
            except:
			    self.log(Level.INFO, "removal of prefetch file failed " + Temp_Dir + "\\" + file.getName())
        try:
             os.rmdir(Temp_Dir)		
        except:
		     self.log(Level.INFO, "removal of prefetch directory failed " + Temp_Dir)
            
        # After all databases, post a message to the ingest messages in box.
        message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
            "Prefetch Analyzer", " Prefetch Has Been Analyzed " )
        IngestServices.getInstance().postMessage(message)

        # Fire an event to notify the UI and others that there are new artifacts  
        IngestServices.getInstance().fireModuleDataEvent(
            ModuleDataEvent(ParsePrefetchDbIngestModuleFactory.moduleName, artID_pf_evt, None))
        
        return IngestModule.ProcessResult.OK
开发者ID:markmckinnon,项目名称:Autopsy-Plugins,代码行数:104,代码来源:ParsePrefetch_v41.py

示例14: process

# 需要导入模块: from org.sleuthkit.autopsy.ingest import IngestMessage [as 别名]
# 或者: from org.sleuthkit.autopsy.ingest.IngestMessage import createMessage [as 别名]
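    def process(self, dataSource, progressBar):
        """Extract and parse Atomic Wallet connection logs and history from *dataSource*.

        Finds ``Connection.log*`` and ``history.json`` under any ``.atomic`` path,
        copies each non-slack file into a scratch directory below the case temp
        directory, hands it to ``processConnectionLogs`` / ``processHistory`` and
        deletes the copy again.  Slack-space variants are skipped.  The scratch
        directory is removed at the end (also on cancellation) and a summary
        message is posted to the ingest inbox.

        Args:
            dataSource: the Content being ingested.
            progressBar: the DataSourceIngestModuleProgress for this job; advanced
                once per file handled.

        Returns:
            IngestModule.ProcessResult.OK, also when the job is cancelled.
        """
        # we don't know how much work there is yet
        progressBar.switchToIndeterminate()

        fileManager = Case.getCurrentCase().getServices().getFileManager()
        connectionFiles = fileManager.findFiles(dataSource, "Connection.log%", ".atomic")
        historyFiles = fileManager.findFiles(dataSource, "history.json", ".atomic")
        # Size the bar by all files, not just the connection logs, and advance it
        # below -- the original never called progress() after switching.
        progressBar.switchToDeterminate(len(connectionFiles) + len(historyFiles))

        # Scratch directory for the extracted copies; it may survive from an earlier run.
        temporaryDirectory = os.path.join(Case.getCurrentCase().getTempDirectory(), "Atomic_Wallet")
        if not os.path.exists(temporaryDirectory):
            try:
                os.mkdir(temporaryDirectory)
            except OSError as e:
                self.log(Level.INFO, "Failed to create temporary directory " + temporaryDirectory + " (" + str(e) + ")")

        def _cleanup():
            # Best effort: leave no evidence-derived copies behind in temp.
            try:
                shutil.rmtree(temporaryDirectory)
            except (OSError, IOError):
                self.log(Level.INFO, "removal of temporary directory failed " + temporaryDirectory)

        fileCount = 0
        work = ((connectionFiles, self.processConnectionLogs),
                (historyFiles, self.processHistory))
        for files, handler in work:
            for file in files:
                # Check if the user pressed cancel while we were busy
                if self.context.isJobCancelled():
                    _cleanup()
                    return IngestModule.ProcessResult.OK

                fileCount += 1
                progressBar.progress(fileCount)

                # Slack copies are not parsed; nothing was ever extracted for them,
                # so the old "remove the extracted file" branch only logged noise.
                if "-slack" in file.getName():
                    continue

                # Save the file locally. Use file id as name to reduce collisions
                extractedFile = os.path.join(temporaryDirectory, str(file.getId()) + "-" + file.getName())
                ContentUtils.writeToFile(file, File(extractedFile))
                try:
                    handler(extractedFile, file)
                finally:
                    # Drop the copy even if the parser raised.
                    try:
                        os.remove(extractedFile)
                    except OSError:
                        self.log(Level.INFO, "Failed to remove file " + extractedFile)

        _cleanup()

        # After all databases, post a message to the ingest messages in box.
        # The title previously read "Facebook Chat", a copy-paste leftover from
        # another module; this module analyzes Atomic Wallet artifacts.
        message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
            "Atomic Wallet", " Atomic Wallet Has Been Analyzed " )
        IngestServices.getInstance().postMessage(message)

        return IngestModule.ProcessResult.OK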
开发者ID:markmckinnon,项目名称:Autopsy-Plugins,代码行数:86,代码来源:Atomic_Wallet.py

示例15: process

# 需要导入模块: from org.sleuthkit.autopsy.ingest import IngestMessage [as 别名]
# 或者: from org.sleuthkit.autopsy.ingest.IngestMessage import createMessage [as 别名]

#.........这里部分代码省略.........
                    # self.log(Level.INFO, "Result (" + resultSet.getString("Event_Offset") + ")")
                    # self.log(Level.INFO, "Result (" + resultSet.getString("Identifier") + ")")
                    # self.log(Level.INFO, "Result (" + resultSet.getString("Event_Source_Name") + ")")
                    # self.log(Level.INFO, "Result (" + resultSet.getString("Event_User_Security_Identifier") + ")")
                    # self.log(Level.INFO, "Result (" + resultSet.getString("Event_Time") + ")")
                    # self.log(Level.INFO, "Result (" + resultSet.getString("Event_Time_Epoch") + ")")
                    # self.log(Level.INFO, "Result (" + resultSet.getString("Event_Detail_Text") + ")")
                
                    File_Name = resultSet.getString("File_Name")
                    File_Description = resultSet.getString("File_Description")
                    Item_Name = resultSet.getString("Item_Name")
                    Command_Line_Arguments = resultSet.getString("command_line_arguments")
                    Drive_Type = resultSet.getInt("drive_type")
                    Drive_Serial_Number = resultSet.getInt("drive_serial_number")
                    Description = resultSet.getString("description")
                    Environment_Variables_Location = resultSet.getString("environment_variables_location")
                    File_Access_Time = resultSet.getString("file_access_time")
                    File_Attribute_Flags = resultSet.getInt("file_attribute_flags")
                    File_Creation_Time = resultSet.getString("file_creation_time")
                    File_Modification_Time = resultSet.getString("file_modification_time")
                    File_Size = resultSet.getInt("file_size")
                    Icon_Location = resultSet.getString("icon_location")
                    Link_Target_Identifier_Data = resultSet.getString("link_target_identifier_data")
                    Local_Path = resultSet.getString("local_path")
                    Machine_Identifier = resultSet.getString("machine_identifier")
                    Network_Path = resultSet.getString("network_path")
                    Relative_Path = resultSet.getString("relative_path")
                    Volume_Label = resultSet.getString("volume_label")
                    Working_Directory = resultSet.getString("working_directory")                
                except SQLException as e:
                    self.log(Level.INFO, "Error getting values from contacts table (" + e.getMessage() + ")")
        
                #fileManager = Case.getCurrentCase().getServices().getFileManager()
                #files = fileManager.findFiles(dataSource, Prefetch_File_Name)                
            
                #for file in files:
                    # Make artifact for TSK_PREFETCH,  this can happen when custom attributes are fully supported
                    #art = file.newArtifact(artID_pf)
                    # Make an artifact on the blackboard, TSK_PROG_RUN and give it attributes for each of the fields
			        # Not the proper way to do it but it will work for the time being.
                art = file.newArtifact(artID_jl_ad)

                # This is for when proper atributes can be created.			
                art.addAttributes(((BlackboardAttribute(attID_jl_fn, JumpListADDbIngestModuleFactory.moduleName, File_Name)), \
                                   (BlackboardAttribute(attID_jl_fg, JumpListADDbIngestModuleFactory.moduleName, File_Description)), \
                                   (BlackboardAttribute(attID_jl_in, JumpListADDbIngestModuleFactory.moduleName, Item_Name)), \
                                   (BlackboardAttribute(attID_jl_cl, JumpListADDbIngestModuleFactory.moduleName, Command_Line_Arguments)), \
                                   (BlackboardAttribute(attID_jl_dt, JumpListADDbIngestModuleFactory.moduleName, Drive_Type)), \
                                   (BlackboardAttribute(attID_jl_dsn, JumpListADDbIngestModuleFactory.moduleName, Drive_Serial_Number)), \
                                   (BlackboardAttribute(attID_jl_des, JumpListADDbIngestModuleFactory.moduleName, Description)), \
                                   (BlackboardAttribute(attID_jl_evl, JumpListADDbIngestModuleFactory.moduleName, Environment_Variables_Location)), \
                                   (BlackboardAttribute(attID_jl_fat, JumpListADDbIngestModuleFactory.moduleName, File_Access_Time)), \
                                   (BlackboardAttribute(attID_jl_faf, JumpListADDbIngestModuleFactory.moduleName, File_Attribute_Flags)), \
                                   (BlackboardAttribute(attID_jl_fct, JumpListADDbIngestModuleFactory.moduleName, File_Creation_Time)), \
                                   (BlackboardAttribute(attID_jl_fmt, JumpListADDbIngestModuleFactory.moduleName, File_Modification_Time)), \
                                   (BlackboardAttribute(attID_jl_fs, JumpListADDbIngestModuleFactory.moduleName, File_Size)), \
                                   (BlackboardAttribute(attID_jl_ic, JumpListADDbIngestModuleFactory.moduleName, Icon_Location)), \
                                   (BlackboardAttribute(attID_jl_ltid, JumpListADDbIngestModuleFactory.moduleName, Link_Target_Identifier_Data)), \
                                   (BlackboardAttribute(attID_jl_lp, JumpListADDbIngestModuleFactory.moduleName, Local_Path)), \
                                   (BlackboardAttribute(attID_jl_mi, JumpListADDbIngestModuleFactory.moduleName, Machine_Identifier)), \
                                   (BlackboardAttribute(attID_jl_np, JumpListADDbIngestModuleFactory.moduleName, Network_Path)), \
                                   (BlackboardAttribute(attID_jl_rp, JumpListADDbIngestModuleFactory.moduleName, Relative_Path)), \
                                   (BlackboardAttribute(attID_jl_vl, JumpListADDbIngestModuleFactory.moduleName, Volume_Label)), \
                                   (BlackboardAttribute(attID_jl_wd, JumpListADDbIngestModuleFactory.moduleName, Working_Directory))))
			
        # Fire an event to notify the UI and others that there are new artifacts  
        IngestServices.getInstance().fireModuleDataEvent(
            ModuleDataEvent(JumpListADDbIngestModuleFactory.moduleName, artID_jl_ad_evt, None))
                
        # Clean up
        skCase_Tran.commit()
        stmt.close()
        dbConn.close()
        try:
            os.remove(lclDbPath)
        except:
			self.log(Level.INFO, "Failed to remove the file " + lclDbPath)
        #skCase.close()
			
		#Clean up EventLog directory and files
        for file in files:
            try:
			    os.remove(os.path.join(temp_dir, file.getName()))
            except:
			    self.log(Level.INFO, "removal of JL_AD file failed " + os.path.join(temp_dir, file.getName()))
        try:
             os.rmdir(temp_dir)		
        except:
		     self.log(Level.INFO, "removal of JL_AD directory failed " + temp_dir)
            
        # After all databases, post a message to the ingest messages in box.
        message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
            "JumpList AD", " JumpList AD Has Been Analyzed " )
        IngestServices.getInstance().postMessage(message)

        # Fire an event to notify the UI and others that there are new artifacts  
        IngestServices.getInstance().fireModuleDataEvent(
            ModuleDataEvent(JumpListADDbIngestModuleFactory.moduleName, artID_jl_ad_evt, None))
        
        return IngestModule.ProcessResult.OK
开发者ID:markmckinnon,项目名称:Autopsy-Plugins,代码行数:104,代码来源:JumpList_AD.py

