本文整理匯總了Python中org.sleuthkit.autopsy.casemodule.Case類的典型用法代碼示例。如果您正苦於以下問題:Python Case類的具體用法?Python Case怎麽用?Python Case使用的例子?那麽, 這裏精選的類代碼示例或許可以為您提供幫助。
在下文中一共展示了Case類的15個代碼示例,這些例子默認根據受歡迎程度排序。您可以為喜歡或者感覺有用的代碼點讚,您的評價將有助於係統推薦出更棒的Python代碼示例。
示例1: process
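def process(self, dataSource, progressBar):
    """Run the bundled img_stat EXE on the data source and file its output as a case report.

    Only runs on Windows and only for disk images; any other data source is skipped with
    an INFO log entry. The tool's stdout is written to
    <case dir>/Reports/img_stat-<data source id>.txt, which is then registered on the
    current case so it appears in the tree.

    Returns IngestModule.ProcessResult.OK on every path; this module never reports an error.
    """
    # The amount of work is unknown up front (one external process).
    progressBar.switchToIndeterminate()

    # The example ships only a Windows EXE, so bail out on other platforms.
    if not PlatformUtil.isWindowsOS():
        self.log(Level.INFO, "Ignoring data source. Not running on Windows")
        return IngestModule.ProcessResult.OK

    # A logical-files data source has no image path to hand to the tool.
    if not isinstance(dataSource, Image):
        self.log(Level.INFO, "Ignoring data source. Not an image")
        return IngestModule.ProcessResult.OK

    imagePaths = dataSource.getPaths()
    if len(imagePaths) == 0:
        # Guard the imagePaths[0] access below instead of raising IndexError.
        self.log(Level.INFO, "Ignoring data source. Image has no paths")
        return IngestModule.ProcessResult.OK

    # Output goes to the case's Reports folder, named by tool and data source ID so
    # several data sources in one case do not overwrite each other.
    reportPath = os.path.join(Case.getCurrentCase().getCaseDirectory(), "Reports",
                              "img_stat-" + str(dataSource.getId()) + ".txt")

    # NOTE: the module's cancel flag is not polled while the tool runs; a long-running
    # EXE cannot be interrupted by the user until it exits on its own.
    self.log(Level.INFO, "Running program on data source")
    # 'with' closes the report even if Popen raises (e.g. the EXE is missing). The argv
    # list form (no shell) means the image path is passed as-is, never shell-parsed.
    with open(reportPath, 'w') as reportHandle:
        subprocess.Popen([self.path_to_exe, imagePaths[0]], stdout=reportHandle).communicate()

    # Register the report with the case so it shows up in the tree.
    Case.getCurrentCase().addReport(reportPath, "Run EXE", "img_stat output")
    return IngestModule.ProcessResult.OK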
示例2: process
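def process(self, dataSource, progressBar):
    """Flag every file with "test" in its name as an interesting-file hit and read its bytes.

    Demonstrates the FileManager search API, blackboard artifact creation and indexing,
    and reading file content through ReadContentInputStream. One ingest inbox message
    with the number of files processed is posted at the end.

    Returns IngestModule.ProcessResult.OK, also when the job is cancelled mid-loop.
    """
    # The amount of work is unknown until the file search completes.
    progressBar.switchToIndeterminate()

    services = Case.getCurrentCase().getServices()
    # The blackboard indexes artifacts so keyword search can find them.
    blackboard = services.getBlackboard()
    # FileManager API: http://sleuthkit.org/autopsy/docs/api-docs/4.6.0/classorg_1_1sleuthkit_1_1autopsy_1_1casemodule_1_1services_1_1_file_manager.html
    fileManager = services.getFileManager()
    files = fileManager.findFiles(dataSource, "%test%")
    numFiles = len(files)
    self.log(Level.INFO, "found " + str(numFiles) + " files")
    progressBar.switchToDeterminate(numFiles)

    fileCount = 0
    for abstractFile in files:
        # Honour a cancel request between files.
        if self.context.isJobCancelled():
            return IngestModule.ProcessResult.OK
        self.log(Level.INFO, "Processing file: " + abstractFile.getName())
        fileCount += 1

        # TSK_INTERESTING_FILE_HIT is a generic artifact type; TSK_SET_NAME names the set
        # the hit belongs to. See the developer docs for other artifact types.
        art = abstractFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
        att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME,
                                  SampleJythonDataSourceIngestModuleFactory.moduleName, "Test file")
        art.addAttribute(att)
        try:
            blackboard.indexArtifact(art)
        except Blackboard.BlackboardException:
            # Not fatal: the artifact exists, it is just not keyword-searchable.
            self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName())

        # Read the file to the end in 1 KiB chunks to demonstrate content access.
        inputStream = ReadContentInputStream(abstractFile)
        try:
            buffer = jarray.zeros(1024, "b")
            totLen = 0
            readLen = inputStream.read(buffer)
            while readLen != -1:
                totLen += readLen
                readLen = inputStream.read(buffer)
        finally:
            # Close the Java stream explicitly rather than relying on garbage collection.
            inputStream.close()
        self.log(Level.INFO, "Read " + str(totLen) + " bytes from " + abstractFile.getName())

        progressBar.progress(fileCount)

    # Post a summary to the ingest inbox.
    message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                                          "Sample Jython Data Source Ingest Module", "Found %d files" % fileCount)
    IngestServices.getInstance().postMessage(message)
    return IngestModule.ProcessResult.OK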
示例3: shutDown
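def shutDown(self):
    """Write the MD5s collected during ingest that are not already in the reference database.

    Reads the module-level ``md5`` list and ``filename`` (path of an SQLite database with an
    ``MD5`` table holding an ``md5`` column). Hashes absent from that table go to
    NewLowHangingFruit.txt in the case directory. If no database is configured, or the
    lookup fails for any reason, every collected hash is written to AllLowHangingFruit.txt
    instead so nothing is lost.
    """
    # sorted() makes the output order stable across runs.
    noDupes = sorted(set(md5))
    caseDir = Case.getCurrentCase().getCaseDirectory()
    try:
        if filename:
            uniquePath = os.path.join(caseDir, "NewLowHangingFruit.txt")
            dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % filename)
            try:
                # Bind each hash as a JDBC parameter instead of formatting it into the SQL
                # text: the values come from the evidence, not from the module author.
                stmt = dbConn.prepareStatement("SELECT 1 FROM MD5 WHERE md5 = ?")
                try:
                    with open(uniquePath, 'w') as uniqueFile:
                        for line in noDupes:
                            stmt.setString(1, line)
                            resultSet = stmt.executeQuery()
                            try:
                                known = resultSet.next()
                            finally:
                                resultSet.close()
                            if not known:
                                uniqueFile.write(line + '\n')
                finally:
                    stmt.close()
            finally:
                dbConn.close()
    except:
        # Deliberately broad so JDBC/Java failures are caught as well: the fallback is
        # the same for every failure mode - dump every hash rather than lose the list.
        allPath = os.path.join(caseDir, "AllLowHangingFruit.txt")
        with open(allPath, 'w') as allFile:
            for line in noDupes:
                allFile.write(line + '\n')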
示例4: generateReport
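def generateReport(self, baseReportDir, progressBar):
    """Write a CSV of every non-directory file's unique path and MD5 into the report directory.

    Files whose MD5 is not known (Hash Lookup module not run) get an empty hash column.
    The finished file is registered with the case and the progress bar is marked complete.
    """
    fileName = os.path.join(baseReportDir, self.getRelativeFilePath())

    # Every file system entry except directories.
    sleuthkitCase = Case.getCurrentCase().getSleuthkitCase()
    dirType = TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_DIR.getValue()
    files = sleuthkitCase.findAllFilesWhere("NOT meta_type = " + str(dirType))

    progressBar.setIndeterminate(False)
    progressBar.start()
    progressBar.setMaximumProgress(len(files))

    # 'with' releases the handle even if a lookup or write fails part-way through.
    with open(fileName, 'w') as report:
        for abstractFile in files:
            md5 = abstractFile.getMd5Hash()
            # None when the Hash Lookup module was not run.
            if md5 is None:
                md5 = ""
            # NOTE: fields are not quoted, so a path containing a comma will split the row.
            report.write(abstractFile.getUniquePath() + "," + md5 + "\n")
            progressBar.increment()

    # Register the report with the case so it is shown in the tree.
    Case.getCurrentCase().addReport(fileName, self.moduleName, "Hashes CSV")
    progressBar.complete(ReportStatus.COMPLETE)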
示例5: process
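def process(self, dataSource, progressBar):
    """Export a name/MD5 hashset into the case's Export directory.

    Queries tsk_files for every row with a non-empty md5 and writes "<md5>\\t<name>"
    lines to <export dir>/<image file name>_hashset.txt, then posts an ingest inbox
    message. Note the query has no data-source filter, so the file covers every hashed
    file in the case, not only this data source.

    Returns IngestModule.ProcessResult.OK.
    """
    # The amount of work is unknown up front.
    progressBar.switchToIndeterminate()

    imageFiles = dataSource.getPaths()
    if len(imageFiles) == 0:
        # Guard the imageFiles[0] access below instead of raising IndexError.
        self.log(Level.INFO, "Data source has no image paths; nothing to export")
        return IngestModule.ProcessResult.OK
    imageFile = os.path.basename(imageFiles[0])
    currentCase = Case.getCurrentCase()
    exportFile = os.path.join(currentCase.getExportDirectory(), str(imageFile) + "_hashset.txt")

    # Single quotes are the SQL string literal; SQLite accepts "" only as a legacy quirk.
    sql_statement = "select name, md5 from tsk_files where md5 <> '';"
    skCase = currentCase.getSleuthkitCase()
    dbquery = skCase.executeQuery(sql_statement)
    try:
        resultSet = dbquery.getResultSet()
        with open(exportFile, 'w') as f:
            while resultSet.next():
                f.write(resultSet.getString("md5") + "\t" + resultSet.getString("name") + "\n")
    finally:
        # Release the database cursor even if the write fails.
        dbquery.close()

    # Post a message to the ingest inbox.
    message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                                          "Create_DS_Hashset", " Hashset Create For Datasource " + imageFile)
    IngestServices.getInstance().postMessage(message)
    return IngestModule.ProcessResult.OK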
示例6: generateReport
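def generateReport(self, baseReportDir, progressBar):
    """Report how many files in the case were created in the last two weeks.

    Two progress steps: counting the files, then writing the report. The report is
    registered with the case under the module name "SampleGeneralReportModule".
    """
    import os  # function-scope: used only for the platform-independent path join below

    progressBar.setIndeterminate(False)
    progressBar.start()
    progressBar.setMaximumProgress(2)

    # Files whose crtime falls in the last 14 days. currentTimeMillis() is divided by
    # 1000 so the comparison is in the same unit as crtime (seconds).
    sleuthkitCase = Case.getCurrentCase().getSleuthkitCase()
    currentTime = System.currentTimeMillis() / 1000
    minTime = currentTime - (14 * 24 * 60 * 60)
    fileCount = len(sleuthkitCase.findFilesWhere("crtime > %d" % minTime))
    # One increment per configured step, not one per file.
    progressBar.increment()

    # os.path.join instead of a hard-coded backslash keeps the path valid on every platform.
    reportPath = os.path.join(baseReportDir, self.getRelativeFilePath())
    with open(reportPath, 'w') as report:
        report.write("file count = %d" % fileCount)
    Case.getCurrentCase().addReport(reportPath, "SampleGeneralReportModule", "Sample Python Report")
    progressBar.increment()
    progressBar.complete()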
示例7: customizeComponents
def customizeComponents(self):
    """Populate the settings panel fields from the saved settings and the open case.

    Sketch name and description default to the case number and case name, and are
    written straight back into the settings so they persist even if the user never
    edits them. NOTE(review): the password round-trips through local_settings as plain
    text here - confirm how the settings store persists it.
    """
    settings = self.local_settings

    for widget, key in ((self.IP_Address_TF, 'ipAddress'),
                        (self.Port_Number_TF, 'portNumber'),
                        (self.userName_TF, 'userName'),
                        (self.password_TF, 'password')):
        widget.setText(settings.getSetting(key))

    currentCase = Case.getCurrentCase()
    self.sketchName_TF.setText(currentCase.getNumber())
    self.sketchDescription_TF.setText(currentCase.getName())
    settings.setSetting('sketchName', self.sketchName_TF.getText())
    settings.setSetting('sketchDescription', self.sketchDescription_TF.getText())
示例8: process
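def process(self, dataSource, progressBar):
    """Scan every matching, non-KNOWN file with an external YARA binary and collect its output.

    Files are selected by name pattern (the findFiles call marked EDIT HERE), copied into the
    case temp directory, and passed to ``self.path_to_exe`` together with
    ``self.path_to_rules``. The scanner's stdout goes to Reports/YARA.txt, which is then
    registered with the case.

    Returns IngestModule.ProcessResult.OK, also when the job is cancelled part-way through.
    """
    progressBar.switchToIndeterminate()
    currentCase = Case.getCurrentCase()
    fileManager = currentCase.getServices().getFileManager()
    ###---EDIT HERE---###
    files = fileManager.findFiles(dataSource, "%.doc", "%")
    ###---EDIT HERE---###
    numFiles = len(files)
    progressBar.switchToDeterminate(numFiles)
    fileCount = 0
    ###---EDIT HERE---###
    reportPath = os.path.join(currentCase.getCaseDirectory(), "Reports", "YARA.txt")
    ###---EDIT HERE---###
    tempDir = currentCase.getTempDirectory()

    # 'with' closes the report on every exit, including the cancel return inside the loop.
    with open(reportPath, 'w') as reportHandle:
        for abstractFile in files:
            if self.context.isJobCancelled():
                return IngestModule.ProcessResult.OK
            # Files flagged KNOWN by hash lookup are not worth scanning.
            if str(abstractFile.getKnown()) != "KNOWN":
                exportPath = os.path.join(tempDir, str(abstractFile.getId()) + "." + abstractFile.getNameExtension())
                ###---EDIT HERE---###
                ContentUtils.writeToFile(abstractFile, File(exportPath))
                # Flush Python-buffered writes before the child process writes to the same
                # file descriptor, otherwise its output can land ahead of ours.
                reportHandle.flush()
                # argv list form: the file path is one argument, never shell-parsed.
                subprocess.Popen([self.path_to_exe, self.path_to_rules, exportPath], stdout=reportHandle).communicate()
                ###---EDIT HERE---###
                reportHandle.write(abstractFile.getParentPath() + abstractFile.getName() + '\n\n')
                # NOTE: the extracted copy stays in the temp directory; delete it here if disk use matters.
            self.log(Level.INFO, "Processing file: " + abstractFile.getName())
            fileCount += 1
            progressBar.progress(fileCount)

    message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                                          "YARA Scan", "Scanned %d Files" % numFiles)
    IngestServices.getInstance().postMessage(message)
    currentCase.addReport(reportPath, "YARA Scan", "Scanned %d Files" % numFiles)
    return IngestModule.ProcessResult.OK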
示例9: add_Volatility_Dump_file
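def add_Volatility_Dump_file(self, dataSource, dir_abstract_file_info, dump_dir, local_dir, pid_name):
    """Register each file in a Volatility dump directory as a derived file of *dir_abstract_file_info*.

    Args:
        dataSource: data source the dump belongs to (used for the existence check).
        dir_abstract_file_info: parent AbstractFile the derived files hang off.
        dump_dir: directory on disk holding the files Volatility produced.
        local_dir: path prefix recorded as each derived file's local path.
        pid_name: not used; kept so existing call sites keep working.

    Files already known under the parent path are skipped. Each new derived file fires a
    ModuleContentEvent so the tree refreshes.
    """
    self.log(Level.INFO, "Adding Files from Dump Directory")
    self.log(Level.INFO, "Dump Dir is ==> " + dump_dir)
    self.log(Level.INFO, "Local Directory is ==> " + local_dir)
    self.log(Level.INFO, "Parent Path is ==> " + str(dir_abstract_file_info))

    if not os.path.isdir(dump_dir):
        # next(os.walk(...)) raises StopIteration on a missing directory; log and leave.
        self.log(Level.INFO, "Dump directory does not exist, nothing to add: " + dump_dir)
        return

    fileManager = Case.getCurrentCase().getServices().getFileManager()
    # Only the regular files directly inside dump_dir; subdirectories are not walked.
    for dumpName in next(os.walk(dump_dir))[2]:
        self.log(Level.INFO, " File Name is ==> " + dumpName)
        dev_file = os.path.join(dump_dir, dumpName)
        local_file = os.path.join(local_dir, dumpName)
        self.log(Level.INFO, " Dev File Name is ==> " + dev_file)
        self.log(Level.INFO, " Local File Name is ==> " + local_file)
        if self.check_derived_existance(dataSource, dumpName, dir_abstract_file_info.parentPath):
            continue
        # addDerivedFile(fileName, localPath, size, ctime, crtime, atime, mtime, isFile,
        #                parentFile, rederiveDetails, toolName, toolVersion, otherDetails,
        #                encodingType) - timestamps are unknown for a dump, hence the zeros.
        derived_file = fileManager.addDerivedFile(
            dumpName, local_file, os.path.getsize(dev_file),
            0, 0, 0, 0, True, dir_abstract_file_info,
            "", "Volatility", self.Volatility_Version, "", TskData.EncodingType.NONE)
        IngestServices.getInstance().fireModuleContentEvent(ModuleContentEvent(derived_file))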
示例10: indexArtifact
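def indexArtifact(self, artifact):
    """Index *artifact* on the case blackboard so keyword search can find it.

    Indexing is best effort: on failure the artifact stays on the blackboard but is not
    keyword-searchable, and the caller is not interrupted.
    """
    blackboard = Case.getCurrentCase().getServices().getBlackboard()
    try:
        # Index the artifact that was passed in, not a module-level one.
        blackboard.indexArtifact(artifact)
    except:
        # Deliberately broad so a Java BlackboardException is swallowed too.
        pass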
示例11: createAttribute
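def createAttribute(self, attributeName, attributeType, attributeDescription):
    """Create a custom blackboard attribute type and return it.

    Args:
        attributeName: unique name of the attribute type.
        attributeType: one of "string", "datetime", "integer", "long", "double", "byte";
            anything else is treated as "string".
        attributeDescription: human-readable description stored with the type.

    If addArtifactAttributeType fails - typically because the type already exists - the
    failure is logged and the existing type is looked up and returned instead.
    """
    valueTypes = BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE
    # Dispatch table replaces the if/elif chain; unknown names fall back to STRING.
    byName = {
        "string": valueTypes.STRING,
        "datetime": valueTypes.DATETIME,
        "integer": valueTypes.INTEGER,
        "long": valueTypes.LONG,
        "double": valueTypes.DOUBLE,
        "byte": valueTypes.BYTE,
    }
    valueType = byName.get(attributeType, valueTypes.STRING)

    skCase = Case.getCurrentCase().getSleuthkitCase()
    try:
        skCase.addArtifactAttributeType(attributeName, valueType, attributeDescription)
    except:
        # Broad on purpose: the usual failure is a Java "type already exists" exception,
        # and the recovery below (return the existing type) is the same for every cause.
        self.log(Level.INFO, "Attributes Creation Error ==> " + str(attributeName) + " <<>> " + str(attributeType) + " <<>> " + str(attributeDescription))
    return skCase.getAttributeType(attributeName)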
示例12: shutDown
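def shutDown(self):
    """Write the de-duplicated MD5s collected during ingest to GoldBuild.txt in the case directory.

    Reads the module-level ``md5`` list; one hash per line, sorted so the output is stable.
    """
    noDupes = sorted(set(md5))
    outPath = os.path.join(Case.getCurrentCase().getCaseDirectory(), "GoldBuild.txt")
    # 'with' closes the file even if a write fails.
    with open(outPath, 'w') as outFile:
        for line in noDupes:
            outFile.write(line + '\n')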
示例13: process
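def process(self, dataSource, progressBar):
    """Flag every file with "test" in its name as an interesting-file hit and read its bytes.

    Same walkthrough as the blackboard sample but logging through java.util.logging via
    Logger.logp. One ingest inbox message with the number of files processed is posted
    at the end.

    Returns IngestModule.ProcessResult.OK, also when the job is cancelled.
    """
    if self.context.isJobCancelled():
        return IngestModule.ProcessResult.OK

    logger = Logger.getLogger(SampleJythonDataSourceIngestModuleFactory.moduleName)
    className = SampleJythonDataSourceIngestModule.__name__

    # The amount of work is unknown until the file search completes.
    progressBar.switchToIndeterminate()

    sleuthkitCase = Case.getCurrentCase().getSleuthkitCase()
    fileManager = Services(sleuthkitCase).getFileManager()
    files = fileManager.findFiles(dataSource, "%test%")
    numFiles = len(files)
    logger.logp(Level.INFO, className, "process", "found " + str(numFiles) + " files")
    progressBar.switchToDeterminate(numFiles)

    fileCount = 0
    for abstractFile in files:
        # Honour a cancel request between files.
        if self.context.isJobCancelled():
            return IngestModule.ProcessResult.OK
        logger.logp(Level.INFO, className, "process", "Processing file: " + abstractFile.getName())
        fileCount += 1

        # TSK_INTERESTING_FILE_HIT is a generic artifact type; TSK_SET_NAME names the set
        # the hit belongs to. See the developer docs for other artifact types.
        art = abstractFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
        att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(),
                                  SampleJythonDataSourceIngestModuleFactory.moduleName, "Test file")
        art.addAttribute(att)

        # Read the file to the end in 1 KiB chunks to demonstrate content access.
        inputStream = ReadContentInputStream(abstractFile)
        try:
            buffer = jarray.zeros(1024, "b")
            totLen = 0
            readLen = inputStream.read(buffer)
            while readLen != -1:
                totLen += readLen
                readLen = inputStream.read(buffer)
        finally:
            # Close the Java stream explicitly rather than relying on garbage collection.
            inputStream.close()
        logger.logp(Level.INFO, className, "process", "Read " + str(totLen) + " bytes from " + abstractFile.getName())

        progressBar.progress(fileCount)

    # Post a summary to the ingest inbox.
    message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                                          "Sample Jython Data Source Ingest Module", "Found %d files" % fileCount)
    IngestServices.getInstance().postMessage(message)
    return IngestModule.ProcessResult.OK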
示例14: __findGeoLocationsInDB
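def __findGeoLocationsInDB(self, databasePath, abstractFile):
    """Post one TSK_GPS_TRACKPOINT artifact per CachedPosition row in the SQLite database at *databasePath*.

    Returns silently when the path is empty, the database cannot be opened, or the query
    fails (the table is optional); a missing JDBC driver and unexpected errors are logged.
    The JDBC result set, statement and connection are always closed, in that order.
    """
    if not databasePath:
        return

    connection = None
    statement = None
    resultSet = None
    try:
        try:
            Class.forName("org.sqlite.JDBC")  # load the JDBC driver
            connection = DriverManager.getConnection("jdbc:sqlite:" + databasePath)
            statement = connection.createStatement()
        except ClassNotFoundException as ex:
            self._logger.log(Level.SEVERE, "Error loading JDBC driver", ex)
            self._logger.log(Level.SEVERE, traceback.format_exc())
            return
        except SQLException as ex:
            # Could not connect or create a statement; the finally block below still
            # closes whatever was opened, so a connection without a statement is not leaked.
            return

        try:
            # One blackboard lookup for the whole result set instead of one per row.
            blackboard = Case.getCurrentCase().getServices().getBlackboard()
            # 'accuracy' is selected but not turned into an attribute (TSK_VALUE was dropped).
            resultSet = statement.executeQuery("SELECT timestamp, latitude, longitude, accuracy FROM CachedPosition;")
            while resultSet.next():
                # Stored value appears to be milliseconds; TSK_DATETIME takes seconds.
                timestamp = Long.valueOf(resultSet.getString("timestamp")) / 1000
                latitude = Double.valueOf(resultSet.getString("latitude"))
                longitude = Double.valueOf(resultSet.getString("longitude"))
                attributes = ArrayList()
                artifact = abstractFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_TRACKPOINT)
                attributes.add(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LATITUDE, general.MODULE_NAME, latitude))
                attributes.add(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LONGITUDE, general.MODULE_NAME, longitude))
                attributes.add(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME, general.MODULE_NAME, timestamp))
                attributes.add(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, general.MODULE_NAME, "Browser Location History"))
                artifact.addAttributes(attributes)
                try:
                    # Index the artifact for keyword search.
                    blackboard.indexArtifact(artifact)
                except Blackboard.BlackboardException as ex:
                    self._logger.log(Level.SEVERE, "Unable to index blackboard artifact " + str(artifact.getArtifactTypeName()), ex)
                    self._logger.log(Level.SEVERE, traceback.format_exc())
                    MessageNotifyUtil.Notify.error("Failed to index GPS trackpoint artifact for keyword search.", artifact.getDisplayName())
        except SQLException as ex:
            # The CachedPosition table may simply be absent from this database.
            pass
        except Exception as ex:
            self._logger.log(Level.SEVERE, "Error putting artifacts to blackboard", ex)
            self._logger.log(Level.SEVERE, traceback.format_exc())
    finally:
        # Close in reverse order of acquisition; each may be None if setup failed early.
        try:
            if resultSet is not None:
                resultSet.close()
            if statement is not None:
                statement.close()
            if connection is not None:
                connection.close()
        except Exception as ex:
            # Error closing the database; nothing useful left to do.
            pass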
示例15: analyze
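def analyze(self, dataSource, fileManager, context):
    """Find Words with Friends databases ("WordsFramework") on the data source and parse their messages.

    Registers the WWF account type in the module-level ``wwfAccountType`` (used by the
    message parser), copies each matching file into the case temp directory, and hands the
    copy to __findWWFMessagesInDB. A failing file is logged and the next one is tried; a
    failure to register the account type or search the data source is logged and the
    method returns.
    """
    global wwfAccountType
    try:
        wwfAccountType = Case.getCurrentCase().getSleuthkitCase().getCommunicationsManager().addAccountType("WWF", "Words with Friends")
        absFiles = fileManager.findFiles(dataSource, "WordsFramework")
        tempDir = Case.getCurrentCase().getTempDirectory()
        for abstractFile in absFiles:
            try:
                # Copy the database out of the image; the id prefix keeps same-named files apart.
                # NOTE: the copy is left in the temp directory after parsing.
                jFile = File(tempDir, str(abstractFile.getId()) + abstractFile.getName())
                ContentUtils.writeToFile(abstractFile, jFile, context.dataSourceIngestIsCancelled)
                self.__findWWFMessagesInDB(jFile.toString(), abstractFile, dataSource)
            except Exception as ex:
                self._logger.log(Level.SEVERE, "Error parsing WWF messages", ex)
                self._logger.log(Level.SEVERE, traceback.format_exc())
    except TskCoreException as ex:
        # Previously swallowed silently; a failed search or account-type registration is worth a log line.
        self._logger.log(Level.SEVERE, "Error finding WWF messages", ex)
        self._logger.log(Level.SEVERE, traceback.format_exc())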