示例1: process
# 需要導入模塊: from org.sleuthkit.autopsy.ingest import IngestMessage [as 別名]
# 或者: from org.sleuthkit.autopsy.ingest.IngestMessage import createMessage [as 別名]
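def process(self, dataSource, progressBar):
    """Export every file with a recorded MD5 as a tab-separated hashset.

    One line per row, "md5<TAB>name", is written to the case export
    directory under "<first image file name>_hashset.txt"; an ingest inbox
    message then announces the export.

    Args:
        dataSource: the data source being ingested; only its first path is
            used, to name the output file.
        progressBar: ingest progress bar, switched to indeterminate because
            the row count is not known up front.

    Returns:
        IngestModule.ProcessResult.OK on completion, or
        IngestModule.ProcessResult.ERROR when the data source has no paths
        (the original raised IndexError there).
    """
    # We don't know how much work there is yet.
    progressBar.switchToIndeterminate()

    imagePaths = dataSource.getPaths()
    if not imagePaths:
        self.log(Level.WARNING, "Data source has no image paths; hashset not created")
        return IngestModule.ProcessResult.ERROR
    imageFile = os.path.basename(imagePaths[0])
    exportFile = os.path.join(Case.getCurrentCase().getExportDirectory(),
                              str(imageFile) + "_hashset.txt")

    # Constant query: nothing from the data source is interpolated into it.
    sql_statement = 'select name, md5 from tsk_files where md5 <> "";'
    skCase = Case.getCurrentCase().getSleuthkitCase()
    dbquery = skCase.executeQuery(sql_statement)
    try:
        resultSet = dbquery.getResultSet()
        with open(exportFile, 'w') as f:
            while resultSet.next():
                f.write(resultSet.getString("md5") + "\t" + resultSet.getString("name") + "\n")
    finally:
        # Release the case-database query even if the export fails part way;
        # the original only closed it on the success path.
        dbquery.close()

    # After all databases, post a message to the ingest messages inbox.
    message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                                          "Create_DS_Hashset",
                                          " Hashset Create For Datasource " + imageFile)
    IngestServices.getInstance().postMessage(message)
    return IngestModule.ProcessResult.OK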
示例2: process
# 需要導入模塊: from org.sleuthkit.autopsy.ingest import IngestMessage [as 別名]
# 或者: from org.sleuthkit.autopsy.ingest.IngestMessage import createMessage [as 別名]
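def process(self, dataSource, progressBar):
    """Flag every file whose name contains "test" as an interesting-file hit.

    For each match a TSK_INTERESTING_FILE_HIT artifact is created and indexed
    for keyword search, and the file content is read end to end (the
    example's stand-in for real analysis). A summary is posted to the ingest
    inbox when the loop finishes.

    Args:
        dataSource: the data source being ingested.
        progressBar: ingest progress bar; indeterminate until the file count
            is known, then advanced once per file.

    Returns:
        IngestModule.ProcessResult.OK, also when the job is cancelled part way.
    """
    # We don't know how much work there is yet.
    progressBar.switchToIndeterminate()

    # Use the Blackboard service to index artifacts for keyword search.
    blackboard = Case.getCurrentCase().getServices().getBlackboard()

    # For our example, use FileManager to get all files with the word "test"
    # in the name, then count and read them.
    # FileManager API: http://sleuthkit.org/autopsy/docs/api-docs/4.6.0/classorg_1_1sleuthkit_1_1autopsy_1_1casemodule_1_1services_1_1_file_manager.html
    fileManager = Case.getCurrentCase().getServices().getFileManager()
    files = fileManager.findFiles(dataSource, "%test%")
    numFiles = len(files)
    self.log(Level.INFO, "found " + str(numFiles) + " files")
    progressBar.switchToDeterminate(numFiles)

    fileCount = 0
    for abstractFile in files:
        # Check if the user pressed cancel while we were busy.
        if self.context.isJobCancelled():
            return IngestModule.ProcessResult.OK

        self.log(Level.INFO, "Processing file: " + abstractFile.getName())
        fileCount += 1

        # Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a
        # generic type of artifact. Refer to the developer docs for others.
        art = abstractFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
        att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME,
                                  SampleJythonDataSourceIngestModuleFactory.moduleName,
                                  "Test file")
        art.addAttribute(att)

        try:
            # Index the artifact for keyword search.
            blackboard.indexArtifact(art)
        except Blackboard.BlackboardException:
            self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName())

        # To further the example, read the file contents and count the bytes.
        # The stream is closed explicitly; the original left it to the GC.
        inputStream = ReadContentInputStream(abstractFile)
        try:
            buffer = jarray.zeros(1024, "b")
            totLen = 0
            readLen = inputStream.read(buffer)
            while readLen != -1:
                totLen += readLen
                readLen = inputStream.read(buffer)
        finally:
            inputStream.close()

        # Update the progress bar.
        progressBar.progress(fileCount)

    # Post a message to the ingest messages inbox.
    message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                                          "Sample Jython Data Source Ingest Module",
                                          "Found %d files" % fileCount)
    IngestServices.getInstance().postMessage(message)
    return IngestModule.ProcessResult.OK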
示例3: process
# 需要導入模塊: from org.sleuthkit.autopsy.ingest import IngestMessage [as 別名]
# 或者: from org.sleuthkit.autopsy.ingest.IngestMessage import createMessage [as 別名]
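def process(self, dataSource, progressBar):
    """Flag every file whose name contains "test" as an interesting-file hit.

    Same walk as the blackboard-indexing variant, but logging goes through a
    java.util.logging Logger named after the module factory and the
    FileManager is obtained from a Services wrapper around the case database.
    Each match gets a TSK_INTERESTING_FILE_HIT artifact and its content is
    read end to end; a summary is posted to the ingest inbox afterwards.

    Args:
        dataSource: the data source being ingested.
        progressBar: ingest progress bar; indeterminate until the file count
            is known, then advanced once per file.

    Returns:
        IngestModule.ProcessResult.OK, also when the job is cancelled
        (checked before any work and once per file).
    """
    if self.context.isJobCancelled():
        return IngestModule.ProcessResult.OK

    logger = Logger.getLogger(SampleJythonDataSourceIngestModuleFactory.moduleName)

    # We don't know how much work there is yet.
    progressBar.switchToIndeterminate()

    autopsyCase = Case.getCurrentCase()
    sleuthkitCase = autopsyCase.getSleuthkitCase()
    services = Services(sleuthkitCase)
    fileManager = services.getFileManager()

    # For our example, use FileManager to get all files with the word "test"
    # in the name, then count and read them.
    files = fileManager.findFiles(dataSource, "%test%")
    numFiles = len(files)
    logger.logp(Level.INFO, SampleJythonDataSourceIngestModule.__name__, "process",
                "found " + str(numFiles) + " files")
    progressBar.switchToDeterminate(numFiles)

    fileCount = 0
    for abstractFile in files:
        # Check if the user pressed cancel while we were busy.
        if self.context.isJobCancelled():
            return IngestModule.ProcessResult.OK

        logger.logp(Level.INFO, SampleJythonDataSourceIngestModule.__name__, "process",
                    "Processing file: " + abstractFile.getName())
        fileCount += 1

        # Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a
        # generic type of artifact. Refer to the developer docs for others.
        art = abstractFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
        att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(),
                                  SampleJythonDataSourceIngestModuleFactory.moduleName,
                                  "Test file")
        art.addAttribute(att)

        # To further the example, read the file contents and count the bytes.
        # The stream is closed explicitly; the original left it to the GC.
        inputStream = ReadContentInputStream(abstractFile)
        try:
            buffer = jarray.zeros(1024, "b")
            totLen = 0
            readLen = inputStream.read(buffer)
            while readLen != -1:
                totLen += readLen
                readLen = inputStream.read(buffer)
        finally:
            inputStream.close()

        # Update the progress bar.
        progressBar.progress(fileCount)

    # Post a message to the ingest messages inbox.
    message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                                          "Sample Jython Data Source Ingest Module",
                                          "Found %d files" % fileCount)
    IngestServices.getInstance().postMessage(message)
    return IngestModule.ProcessResult.OK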
示例4: process
# 需要導入模塊: from org.sleuthkit.autopsy.ingest import IngestMessage [as 別名]
# 或者: from org.sleuthkit.autopsy.ingest.IngestMessage import createMessage [as 別名]
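def process(self, dataSource, progressBar):
    """Run an external YARA scanner over every non-KNOWN ".doc" file.

    Each candidate is extracted to the case temp directory and handed, as a
    path argument, to the scanner at ``self.path_to_exe`` with the rules at
    ``self.path_to_rules`` (both set elsewhere in the module — presumably in
    startUp; confirm). Scanner output is collected in one report file, which
    is then registered with the case and announced in the ingest inbox.

    Args:
        dataSource: the data source being ingested.
        progressBar: ingest progress bar; indeterminate until the file count
            is known, then advanced once per file.

    Returns:
        IngestModule.ProcessResult.OK, also when the job is cancelled part way.
    """
    progressBar.switchToIndeterminate()

    fileManager = Case.getCurrentCase().getServices().getFileManager()
    ###---EDIT HERE---###
    files = fileManager.findFiles(dataSource, "%.doc", "%")
    ###---EDIT HERE---###
    numFiles = len(files)
    progressBar.switchToDeterminate(numFiles)
    fileCount = 0

    ###---EDIT HERE---###
    reportPath = os.path.join(Case.getCurrentCase().getCaseDirectory(), "Reports", "YARA.txt")
    ###---EDIT HERE---###

    # The report is opened as a context manager so the handle is closed on
    # every exit path; the original leaked it on the cancellation return.
    with open(reportPath, 'w') as reportHandle:
        for abstractFile in files:
            if self.context.isJobCancelled():
                return IngestModule.ProcessResult.OK

            # Skip files the hash lookup already classified as KNOWN.
            if str(abstractFile.getKnown()) != "KNOWN":
                exportPath = os.path.join(Case.getCurrentCase().getTempDirectory(),
                                          str(abstractFile.getId()) + "." + abstractFile.getNameExtension())
                ###---EDIT HERE---###
                ContentUtils.writeToFile(abstractFile, File(exportPath))
                # Flush buffered Python writes before the child inherits the
                # descriptor, so scanner output and our own lines do not
                # interleave out of order. Arguments are passed as a list
                # (no shell), so the file name is never shell-interpreted.
                reportHandle.flush()
                subprocess.Popen([self.path_to_exe, self.path_to_rules, exportPath],
                                 stdout=reportHandle).communicate()
                ###---EDIT HERE---###
                reportHandle.write(abstractFile.getParentPath() + abstractFile.getName() + '\n\n')

            self.log(Level.INFO, "Processing file: " + abstractFile.getName())
            fileCount += 1
            progressBar.progress(fileCount)

    message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                                          "YARA Scan", "Scanned %d Files" % numFiles)
    IngestServices.getInstance().postMessage(message)
    Case.getCurrentCase().addReport(reportPath, "YARA Scan", "Scanned %d Files" % numFiles)
    return IngestModule.ProcessResult.OK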
示例5: process
# 需要導入模塊: from org.sleuthkit.autopsy.ingest import IngestMessage [as 別名]
# 或者: from org.sleuthkit.autopsy.ingest.IngestMessage import createMessage [as 別名]
def process(self, dataSource, progressBar):
    """Placeholder data-source pass: log three markers and post a notice.

    No analysis is performed on *dataSource*; the method only exercises the
    logging, progress-bar and ingest-inbox plumbing.

    Args:
        dataSource: the data source being ingested (unused).
        progressBar: ingest progress bar, left indeterminate.

    Returns:
        IngestModule.ProcessResult.OK
    """
    self.log(Level.INFO, "Starting to process, Just before call to parse_safari_history")

    # The amount of work is unknown, so the bar stays indeterminate.
    progressBar.switchToIndeterminate()

    self.log(Level.INFO, "Starting 2 to process, Just before call to ???????")
    self.log(Level.INFO, "ending process, Just before call to ??????")

    # Announce completion in the ingest inbox.
    notice = IngestMessage.createMessage(
        IngestMessage.MessageType.DATA, "GUI_Test", " GUI_Test Has Been Analyzed ")
    IngestServices.getInstance().postMessage(notice)
    return IngestModule.ProcessResult.OK
示例6: process
# 需要導入模塊: from org.sleuthkit.autopsy.ingest import IngestMessage [as 別名]
# 或者: from org.sleuthkit.autopsy.ingest.IngestMessage import createMessage [as 別名]
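def process(self, file):
    """Flag files whose name contains "test" and report their size.

    A matching file gets a TSK_INTERESTING_FILE_HIT artifact, its content is
    read end to end to count the bytes, and the size is posted to the ingest
    inbox. Other files pass through untouched.

    Args:
        file: the file being ingested.

    Returns:
        IngestModule.ProcessResult.OK
    """
    # The test is on the file *name* containing "test" — not on a .txt
    # extension, as the original comment claimed.
    if file.getName().find("test") != -1:
        art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
        att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(),
                                  "Sample Jython File Ingest Module", "Text Files")
        art.addAttribute(att)

        # Read the contents of the file, counting bytes. `readLen` replaces the
        # original's `len`, which shadowed the builtin; the stream is closed
        # explicitly instead of being left to the GC.
        inputStream = ReadContentInputStream(file)
        try:
            buffer = jarray.zeros(1024, "b")
            totLen = 0
            readLen = inputStream.read(buffer)
            while readLen != -1:
                totLen += readLen
                readLen = inputStream.read(buffer)
        finally:
            inputStream.close()

        # Send the size of the file to the ingest messages inbox.
        msgText = "Size of %s is %d bytes" % (file.getName(), totLen)
        message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
                                              "Sample Jython File IngestModule", msgText)
        IngestServices.getInstance().postMessage(message)

    return IngestModule.ProcessResult.OK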
示例7: process
# 需要導入模塊: from org.sleuthkit.autopsy.ingest import IngestMessage [as 別名]
# 或者: from org.sleuthkit.autopsy.ingest.IngestMessage import createMessage [as 別名]
#.........這裏部分代碼省略.........
artID_art_evt = skCase.getArtifactType("TSK_VOL_" + resultSet1.getString("tbl_name") + "_" + file_name)
try:
self.log(Level.INFO, "Result (" + resultSet1.getString("tbl_name") + ")")
table_name = resultSet1.getString("tbl_name")
resultSet4 = stmt4.executeQuery("Select count(*) 'NumRows' from " + resultSet1.getString("tbl_name") + " ")
row_count = resultSet4.getInt("NumRows")
self.log(Level.INFO, " Number of Rows is " + str(row_count) + " ")
if row_count >= 1:
SQL_String_1 = "Select * from " + table_name + ";"
SQL_String_2 = "PRAGMA table_info('" + table_name + "')"
self.log(Level.INFO, SQL_String_1)
self.log(Level.INFO, SQL_String_2)
artifact_name = "TSK_VOL_" + table_name.upper() + "_" + file_name
artID_sql = skCase.getArtifactTypeID(artifact_name)
artID_sql_evt = skCase.getArtifactType(artifact_name)
Column_Names = []
Column_Types = []
resultSet2 = stmt2.executeQuery(SQL_String_2)
while resultSet2.next():
Column_Names.append(resultSet2.getString("name").upper())
Column_Types.append(resultSet2.getString("type").upper())
attribute_name = "TSK_VOL_" + table_name + "_" + resultSet2.getString("name").upper()
if resultSet2.getString("type").upper() == "TEXT":
try:
attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet2.getString("name"))
except:
self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ")
elif resultSet2.getString("type").upper() == "LONGVARCHAR":
try:
attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet2.getString("name"))
except:
self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ")
elif resultSet2.getString("type").upper() == "":
try:
attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet2.getString("name"))
except:
self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ")
elif resultSet2.getString("type").upper() == "BLOB":
try:
attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet2.getString("name"))
except:
self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ")
elif resultSet2.getString("type").upper() == "REAL":
try:
attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, resultSet2.getString("name"))
except:
self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ")
else:
try:
attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, resultSet2.getString("name"))
except:
self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ")
resultSet3 = stmt3.executeQuery(SQL_String_1)
while resultSet3.next():
art = file.newArtifact(artID_sql)
Column_Number = 1
for col_name in Column_Names:
c_name = "TSK_VOL_" + table_name.upper() + "_" + Column_Names[Column_Number - 1]
attID_ex1 = skCase.getAttributeType(c_name)
if Column_Types[Column_Number - 1] == "TEXT":
if resultSet3.getString(Column_Number) == None:
art.addAttribute(BlackboardAttribute(attID_ex1, VolatilityIngestModuleFactory.moduleName, " "))
else:
art.addAttribute(BlackboardAttribute(attID_ex1, VolatilityIngestModuleFactory.moduleName, resultSet3.getString(Column_Number)))
elif Column_Types[Column_Number - 1] == "":
art.addAttribute(BlackboardAttribute(attID_ex1, VolatilityIngestModuleFactory.moduleName, resultSet3.getString(Column_Number)))
elif Column_Types[Column_Number - 1] == "LONGVARCHAR":
art.addAttribute(BlackboardAttribute(attID_ex1, VolatilityIngestModuleFactory.moduleName, "BLOBS Not Supported - Look at actual file"))
elif Column_Types[Column_Number - 1] == "BLOB":
art.addAttribute(BlackboardAttribute(attID_ex1, VolatilityIngestModuleFactory.moduleName, "BLOBS Not Supported - Look at actual file"))
elif Column_Types[Column_Number - 1] == "REAL":
art.addAttribute(BlackboardAttribute(attID_ex1, VolatilityIngestModuleFactory.moduleName, long(resultSet3.getFloat(Column_Number))))
else:
art.addAttribute(BlackboardAttribute(attID_ex1, VolatilityIngestModuleFactory.moduleName, long(resultSet3.getString(Column_Number))))
Column_Number = Column_Number + 1
IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(VolatilityIngestModuleFactory.moduleName, \
artID_sql_evt, None))
except SQLException as e:
self.log(Level.INFO, "Error getting values from table " + resultSet.getString("tbl_name") + " (" + e.getMessage() + ")")
try:
# exestmt = createStatement()
resultx = exestmt.execute("insert into plugins_loaded_to_Autopsy values ('" + table_name + "');")
except SQLException as e:
self.log(Level.INFO, "Could not create table plugins_loaded_to_autopsy")
except SQLException as e:
self.log(Level.INFO, "Error querying database " + file.getName() + " (" + e.getMessage() + ")")
# After all databases, post a message to the ingest messages in box.
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
"VolatilitySettings", " VolatilitySettings Has Been Analyzed " )
IngestServices.getInstance().postMessage(message)
return IngestModule.ProcessResult.OK
示例8: process
# 需要導入模塊: from org.sleuthkit.autopsy.ingest import IngestMessage [as 別名]
# 或者: from org.sleuthkit.autopsy.ingest.IngestMessage import createMessage [as 別名]
def process(self, dataSource, progressBar):
if len(self.List_Of_tables) < 1:
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "ParseAmcache", " No Amcache tables Selected to Parse " )
IngestServices.getInstance().postMessage(message)
return IngestModule.ProcessResult.ERROR
# we don't know how much work there is yet
progressBar.switchToIndeterminate()
# Set the database to be read to the once created by the prefetch parser program
skCase = Case.getCurrentCase().getSleuthkitCase();
fileManager = Case.getCurrentCase().getServices().getFileManager()
files = fileManager.findFiles(dataSource, "Amcache.hve")
numFiles = len(files)
self.log(Level.INFO, "found " + str(numFiles) + " files")
progressBar.switchToDeterminate(numFiles)
fileCount = 0;
# Create Event Log directory in temp directory, if it exists then continue on processing
Temp_Dir = Case.getCurrentCase().getTempDirectory()
temp_dir = os.path.join(Temp_Dir, "amcache")
self.log(Level.INFO, "create Directory " + temp_dir)
try:
os.mkdir(temp_dir)
except:
self.log(Level.INFO, "Amcache Directory already exists " + temp_dir)
# Write out each Event Log file to the temp directory
for file in files:
# Check if the user pressed cancel while we were busy
if self.context.isJobCancelled():
return IngestModule.ProcessResult.OK
#self.log(Level.INFO, "Processing file: " + file.getName())
fileCount += 1
# Save the DB locally in the temp folder. use file id as name to reduce collisions
lclDbPath = os.path.join(temp_dir, file.getName())
ContentUtils.writeToFile(file, File(lclDbPath))
# Example has only a Windows EXE, so bail if we aren't on Windows
# Run the EXE, saving output to a sqlite database
self.log(Level.INFO, "Running program on data source parm 1 ==> " + Temp_Dir + "\Amcache\Amcache.hve Parm 2 ==> " + Temp_Dir + "\Amcache.db3")
subprocess.Popen([self.path_to_exe, os.path.join(temp_dir, "Amcache.hve"), os.path.join(temp_dir, "Amcache.db3")]).communicate()[0]
for file in files:
# Open the DB using JDBC
lclDbPath = os.path.join(temp_dir, "Amcache.db3")
self.log(Level.INFO, "Path the Amcache database file created ==> " + lclDbPath)
try:
Class.forName("org.sqlite.JDBC").newInstance()
dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % lclDbPath)
except SQLException as e:
self.log(Level.INFO, "Could not open database file (not SQLite) " + file.getName() + " (" + e.getMessage() + ")")
return IngestModule.ProcessResult.OK
# Query the contacts table in the database and get all columns.
for am_table_name in self.List_Of_tables:
try:
stmt = dbConn.createStatement()
resultSet = stmt.executeQuery("Select tbl_name from SQLITE_MASTER where lower(tbl_name) in ('" + am_table_name + "'); ")
# resultSet = stmt.executeQuery("Select tbl_name from SQLITE_MASTER where lower(tbl_name) in ('associated_file_entries', " + \
# "'unassociated_programs', 'program_entries'); ")
self.log(Level.INFO, "query SQLite Master table for " + am_table_name)
except SQLException as e:
self.log(Level.INFO, "Error querying database for Prefetch table (" + e.getMessage() + ")")
return IngestModule.ProcessResult.OK
# Cycle through each row and create artifacts
while resultSet.next():
try:
self.log(Level.INFO, "Result (" + resultSet.getString("tbl_name") + ")")
table_name = resultSet.getString("tbl_name")
#self.log(Level.INFO, "Result get information from table " + resultSet.getString("tbl_name") + " ")
SQL_String_1 = "Select * from " + table_name + ";"
SQL_String_2 = "PRAGMA table_info('" + table_name + "')"
artifact_name = "TSK_" + table_name.upper()
artifact_desc = "Amcache " + table_name.upper()
#self.log(Level.INFO, SQL_String_1)
#self.log(Level.INFO, "Artifact_Name ==> " + artifact_name)
#self.log(Level.INFO, "Artifact_desc ==> " + artifact_desc)
#self.log(Level.INFO, SQL_String_2)
try:
self.log(Level.INFO, "Begin Create New Artifacts")
artID_amc = skCase.addArtifactType( artifact_name, artifact_desc)
except:
self.log(Level.INFO, "Artifacts Creation Error, some artifacts may not exist now. ==> ")
artID_amc = skCase.getArtifactTypeID(artifact_name)
artID_amc_evt = skCase.getArtifactType(artifact_name)
Column_Names = []
Column_Types = []
resultSet2 = stmt.executeQuery(SQL_String_2)
while resultSet2.next():
Column_Names.append(resultSet2.getString("name").upper())
Column_Types.append(resultSet2.getString("type").upper())
#.........這裏部分代碼省略.........
示例9: process
# 需要導入模塊: from org.sleuthkit.autopsy.ingest import IngestMessage [as 別名]
# 或者: from org.sleuthkit.autopsy.ingest.IngestMessage import createMessage [as 別名]
#.........這裏部分代碼省略.........
artID_plist = skCase.addArtifactType( artifact_name, artifact_desc)
except:
self.log(Level.INFO, "Artifacts Creation Error, some artifacts may not exist now. ==> ")
artID_plist = skCase.getArtifactTypeID(artifact_name)
artID_plist_evt = skCase.getArtifactType(artifact_name)
Column_Names = []
Column_Types = []
resultSet2 = stmt2.executeQuery(SQL_String_2)
while resultSet2.next():
Column_Names.append(resultSet2.getString("name").upper())
Column_Types.append(resultSet2.getString("type").upper())
attribute_name = "TSK_PLIST_" + resultSet2.getString("name").upper()
#self.log(Level.INFO, "attribure id for " + attribute_name + " == " + resultSet2.getString("type").upper())
if resultSet2.getString("type").upper() == "TEXT":
try:
attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet2.getString("name"))
except:
self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ")
elif resultSet2.getString("type").upper() == "LONGVARCHAR":
try:
attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet2.getString("name"))
except:
self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ")
elif resultSet2.getString("type").upper() == "":
try:
attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet2.getString("name"))
except:
self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ")
elif resultSet2.getString("type").upper() == "BLOB":
try:
attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet2.getString("name"))
except:
self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ")
elif resultSet2.getString("type").upper() == "REAL":
try:
attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, resultSet2.getString("name"))
except:
self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ")
else:
try:
attID_ex1 = skCase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, resultSet2.getString("name"))
except:
self.log(Level.INFO, "Attributes Creation Error, " + attribute_name + " ==> ")
resultSet3 = stmt3.executeQuery(SQL_String_1)
while resultSet3.next():
art = file.newArtifact(artID_plist)
Column_Number = 1
for col_name in Column_Names:
#self.log(Level.INFO, "Result get information for column " + Column_Names[Column_Number - 1] + " ")
#self.log(Level.INFO, "Result get information for column_number " + str(Column_Number) + " ")
#self.log(Level.INFO, "Result get information for column type " + Column_Types[Column_Number - 1] + " <== ")
c_name = "TSK_PLIST_" + Column_Names[Column_Number - 1]
#self.log(Level.INFO, "Attribute Name is " + c_name + " ")
attID_ex1 = skCase.getAttributeType(c_name)
if Column_Types[Column_Number - 1] == "TEXT":
art.addAttribute(BlackboardAttribute(attID_ex1, ParsePlists2DBDelRecIngestModuleFactory.moduleName, resultSet3.getString(Column_Number)))
elif Column_Types[Column_Number - 1] == "":
art.addAttribute(BlackboardAttribute(attID_ex1, ParsePlists2DBDelRecIngestModuleFactory.moduleName, resultSet3.getString(Column_Number)))
elif Column_Types[Column_Number - 1] == "LONGVARCHAR":
art.addAttribute(BlackboardAttribute(attID_ex1, ParsePlists2DBDelRecIngestModuleFactory.moduleName, "BLOBS Not Supported - Look at actual file"))
elif Column_Types[Column_Number - 1] == "BLOB":
art.addAttribute(BlackboardAttribute(attID_ex1, ParsePlists2DBDelRecIngestModuleFactory.moduleName, "BLOBS Not Supported - Look at actual file"))
elif Column_Types[Column_Number - 1] == "REAL":
art.addAttribute(BlackboardAttribute(attID_ex1, ParsePlists2DBDelRecIngestModuleFactory.moduleName, long(resultSet3.getFloat(Column_Number))))
else:
art.addAttribute(BlackboardAttribute(attID_ex1, ParsePlists2DBDelRecIngestModuleFactory.moduleName, long(resultSet3.getInt(Column_Number))))
Column_Number = Column_Number + 1
IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(ParsePlists2DBDelRecIngestModuleFactory.moduleName, \
artID_plist_evt, None))
except SQLException as e:
self.log(Level.INFO, "Error getting values from table " + resultSet.getString("tbl_name") + " (" + e.getMessage() + ")")
except SQLException as e:
self.log(Level.INFO, "Error querying database " + file.getName() + " (" + e.getMessage() + ")")
#return IngestModule.ProcessResult.OK
# Clean up
stmt.close()
dbConn.close()
os.remove(os.path.join(Temp_Dir, "Plist_File-" + str(file.getId()) + ".db3"))
os.remove(os.path.join(Temp_Dir, file.getName() + "-" + str(file.getId())))
# After all databases, post a message to the ingest messages in box.
if len(message_desc) == 0:
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
"Plist Parser", " Plist files have been parsed " )
IngestServices.getInstance().postMessage(message)
else:
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
"Plist Parser", message_desc + " Plist files have been parsed with the above files failing " )
IngestServices.getInstance().postMessage(message)
return IngestModule.ProcessResult.OK
示例10: process
# 需要導入模塊: from org.sleuthkit.autopsy.ingest import IngestMessage [as 別名]
# 或者: from org.sleuthkit.autopsy.ingest.IngestMessage import createMessage [as 別名]
#.........這裏部分代碼省略.........
self.log(Level.INFO, "Data source Directory already exists")
# Create log file for the number of extensions found
try:
mod_log_file = os.path.join(vdisk_dir, "File_Extensions_Written_Log_" + dataSource.getName() + ".csv")
self.log(Level.INFO, "Output Directory is ==> " + mod_log_file)
mod_log = open(mod_log_file, "w")
mod_log.write('Directory_In,File_Extension,Number_Of_Files_Written \n')
out_log_file = os.path.join(drive_letter + "\\", "File_Extensions_Written_Log_" + dataSource.getName() + ".csv")
self.log(Level.INFO, "Output Directory is ==> " + out_log_file)
out_log = open(out_log_file, "w")
out_log.write('Directory_In,File_Extension,Number_Of_Files_Written \n')
except:
self.log(Level.INFO, "Log File creation error")
# Open the DB using JDBC
try:
Class.forName("org.sqlite.JDBC").newInstance()
dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % self.file_extension_db)
except SQLException as e:
self.log(Level.INFO, "Could not open File Extension database " + self.file_extension_db + " (" + e.getMessage() + ")")
return IngestModule.ProcessResult.OK
# Get all the file extensions that we want to find and export to the Preview Disk
try:
stmt = dbConn.createStatement()
SQL_Statement = "select Output_Directory, File_Extension from File_Extensions_To_Export"
self.log(Level.INFO, "SQL Statement --> " + SQL_Statement)
resultSet = stmt.executeQuery(SQL_Statement)
except SQLException as e:
self.log(Level.INFO, "Error querying database for File_Extensions_To_Export table (" + e.getMessage() + ")")
return IngestModule.ProcessResult.OK
# Cycle through each row and create artifacts
while resultSet.next():
try:
# Update the progress bar with the type of Document we are extracting
progressBar.progress("Extracting " + resultSet.getString('Output_Directory') + " Files")
fileManager = Case.getCurrentCase().getServices().getFileManager()
files = fileManager.findFiles(dataSource, "%." + resultSet.getString("File_Extension"), "")
numFiles = len(files)
self.log(Level.INFO, "Number of files found for file extension " + resultSet.getString("File_Extension") + " ==> " + str(numFiles))
try:
mod_log.write(resultSet.getString('Output_Directory') + "," + resultSet.getString("File_Extension") + "," + str(numFiles) + "\n")
out_log.write(resultSet.getString('Output_Directory') + "," + resultSet.getString("File_Extension") + "," + str(numFiles) + "\n")
except:
self.log(Level.INFO, " Error Writing Log File ==> " + resultSet.getString('Output_Directory') + "," + resultSet.getString("File_Extension") + "," + str(numFiles) + "\n")
# Need to create log file here
# Try and create directory to store files in, may already be created so we will ignore if it does
try:
dir_to_write_to = os.path.join(data_source_dir, resultSet.getString('Output_Directory'))
if not os.path.exists(dir_to_write_to):
os.mkdir(dir_to_write_to)
except:
self.log(Level.INFO, "Directory " + resultSet.getString('Output_Directory') + " already exists.")
# Write all the files to the vhd
for file in files:
lclfile = os.path.join(dir_to_write_to, str(file.getId()) + "-" + file.getName())
#self.log(Level.INFO, "File to write ==> " + lclfile)
ContentUtils.writeToFile(file, File(lclfile))
except:
self.log(Level.INFO, "Error in processing sql statement")
# Close the log file
try:
mod_log.close()
out_log.close()
except:
self.log(Level.INFO, "Error closing log files, they might not exist")
# Set the progress bar to unmounting
progressBar.progress("Unmounting The Virtual Disk")
# Run Diskpart using the scripts to unmount the VHD
self.log(Level.INFO, "Running prog ==> " + "diskpart.exe " + " -S " + vdisk_unmount_script)
pipe = Popen(["diskpart.exe", "-S", vdisk_unmount_script], stdout=PIPE, stderr=PIPE)
out_text = pipe.communicate()[0]
self.log(Level.INFO, "Output from run is ==> " + out_text)
# Clean up
stmt.close()
dbConn.close()
#Clean up prefetch directory and files
try:
shutil.rmtree(os.path.join(Case.getCurrentCase().getTempDirectory(), "vdisk_scripts"))
except:
self.log(Level.INFO, "removal of vdisk script directory failed " + Temp_Dir)
# After all databases, post a message to the ingest messages in box.
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
"VDiskCreate", " VDiskCreate Files Have Been Analyzed " )
IngestServices.getInstance().postMessage(message)
return IngestModule.ProcessResult.OK
示例11: throwWarning
# 需要導入模塊: from org.sleuthkit.autopsy.ingest import IngestMessage [as 別名]
# 或者: from org.sleuthkit.autopsy.ingest.IngestMessage import createMessage [as 別名]
def throwWarning(self, msg):
    """Post *msg* to the ingest inbox under the "CookieModulez" source name.

    Despite the name, nothing is raised; the text is delivered as a DATA
    message through IngestServices.

    Args:
        msg: message text shown in the inbox.
    """
    inbox = IngestServices.getInstance()
    inbox.postMessage(
        IngestMessage.createMessage(IngestMessage.MessageType.DATA, "CookieModulez", msg))
示例12: process
# 需要導入模塊: from org.sleuthkit.autopsy.ingest import IngestMessage [as 別名]
# 或者: from org.sleuthkit.autopsy.ingest.IngestMessage import createMessage [as 別名]
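def process(self, dataSource, progressBar):
    """Extract hiberfil.sys from the data source, convert it to a raw memory
    image with Volatility's ``imagecopy`` plugin and add that image to the
    case as a new local-files data source.

    Args:
        dataSource: the Autopsy data source being ingested.
        progressBar: DataSourceIngestModuleProgress; switched to indeterminate
            because the amount of work is not known up front.

    Returns:
        IngestModule.ProcessResult.OK normally; ProcessResult.ERROR only when
        the module output directory cannot be created (nothing else could
        succeed after that). All other failures are logged and skipped.

    Reads instance state: ``self.hiber_flag`` (do nothing when false),
    ``self.Python_Program`` (Volatility_Executable is a .py script run under
    an interpreter rather than a standalone binary) and
    ``self.Volatility_Executable``.
    """
    self.log(Level.INFO, "Starting to process Hiberfil.sys and Crash Dumps")
    # we don't know how much work there is yet
    progressBar.switchToIndeterminate()
    if self.hiber_flag:
        Mod_Dir = Case.getCurrentCase().getModulesOutputDirAbsPath()
        ModOut_Dir = os.path.join(Mod_Dir, "Volatility", "Memory-Image-hiberfil")
        self.log(Level.INFO, "Module Output Directory ===> " + ModOut_Dir)
        # Create the whole path at once. The previous version issued two
        # separate os.mkdir calls inside one try block, so when ".../Volatility"
        # already existed from an earlier run the first call raised and the
        # hiberfil sub-directory was never created.
        try:
            os.makedirs(ModOut_Dir)
        except OSError:
            if not os.path.isdir(ModOut_Dir):
                self.log(Level.SEVERE, "***** Could not create Module Output Directory " + ModOut_Dir)
                return IngestModule.ProcessResult.ERROR
            self.log(Level.INFO, "***** Module Output Directory already exists " + ModOut_Dir)

        fileManager = Case.getCurrentCase().getServices().getFileManager()
        files = fileManager.findFiles(dataSource, "hiberfil.sys", "/")
        self.log(Level.INFO, "Number of files to process ==> " + str(len(files)))
        tmp_Dir = Case.getCurrentCase().getTempDirectory()
        dump_file = os.path.join(ModOut_Dir, "Memory-Image-from-hiberfil.img")

        for hiber in files:
            self.log(Level.INFO, "File to process is ==> " + str(hiber))
            self.log(Level.INFO, "File name to process is ==> " + hiber.getName())
            # The name comes from the evidence image; keep only its basename so
            # it can never carry path components out of the case temp directory.
            Hiber_File = os.path.join(tmp_Dir, os.path.basename(hiber.getName()))
            ContentUtils.writeToFile(hiber, File(Hiber_File))
            self.log(Level.INFO, "File name to process is ==> " + Hiber_File)

            # Build the command as an argv list (no shell), so paths with spaces
            # or shell metacharacters are passed through verbatim.
            if self.Python_Program:
                interpreter = "Python.exe" if PlatformUtil.isWindowsOS() else "python"
                cmd = [interpreter, self.Volatility_Executable]
            else:
                cmd = [self.Volatility_Executable]
            cmd += ["imagecopy", "-f", Hiber_File, "-O" + dump_file]
            self.log(Level.INFO, "Running program ==> " + " ".join(cmd))
            pipe = Popen(cmd, stdout=PIPE, stderr=PIPE)
            out_text, err_text = pipe.communicate()
            self.log(Level.INFO, "Output from run is ==> " + out_text)
            if pipe.returncode != 0:
                self.log(Level.WARNING, "Volatility exited with " + str(pipe.returncode) + ": " + err_text)
            # Do not register a data source for an image that was never written.
            if not os.path.isfile(dump_file):
                self.log(Level.WARNING, "No memory image produced at " + dump_file + ", skipping")
                continue

            # Add the converted memory image to the case as a local-files data
            # source with a fresh device id.
            progress_updater = ProgressUpdater()
            device_id = UUID.randomUUID()
            self.log(Level.INFO, "device id: ==> " + str(device_id))
            current_case = Case.getCurrentCase()
            current_case.notifyAddingDataSource(device_id)
            fileManager.addLocalFilesDataSource(str(device_id), "Hiberfile Memory Image", "",
                                                [dump_file], progress_updater)
            # Notify listeners for every file the local-files data source added.
            for file_added in progress_updater.getFiles():
                current_case.notifyDataSourceAdded(file_added, device_id)
                self.log(Level.INFO, "Fire Module1: ==> " + str(file_added))

    # After all databases, post a message to the ingest messages in box.
    message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
        "HiberFil_Crash", " Hiberfil/Crash Dumps have been extracted fro Image. " )
    IngestServices.getInstance().postMessage(message)
    return IngestModule.ProcessResult.OK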
示例13: process
# 需要導入模塊: from org.sleuthkit.autopsy.ingest import IngestMessage [as 別名]
# 或者: from org.sleuthkit.autopsy.ingest.IngestMessage import createMessage [as 別名]
#.........這裏部分代碼省略.........
# Set the database to be read to the once created by the prefetch parser program
lclDbPath = os.path.join(Temp_Dir, "Autopsy_PF_DB.db3")
self.log(Level.INFO, "Path the prefetch database file created ==> " + lclDbPath)
# Open the DB using JDBC
try:
Class.forName("org.sqlite.JDBC").newInstance()
dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % lclDbPath)
except SQLException as e:
self.log(Level.INFO, "Could not open database file (not SQLite) " + file.getName() + " (" + e.getMessage() + ")")
return IngestModule.ProcessResult.OK
# Query the contacts table in the database and get all columns.
try:
stmt = dbConn.createStatement()
resultSet = stmt.executeQuery("Select prefetch_File_Name, actual_File_Name, Number_time_file_run, " +
" Embeded_date_Time_Unix_1, " +
" Embeded_date_Time_Unix_2, " +
" Embeded_date_Time_Unix_3, " +
" Embeded_date_Time_Unix_4, " +
" Embeded_date_Time_Unix_5, " +
" Embeded_date_Time_Unix_6, " +
" Embeded_date_Time_Unix_7, " +
" Embeded_date_Time_Unix_8 " +
" from prefetch_file_info ")
except SQLException as e:
self.log(Level.INFO, "Error querying database for Prefetch table (" + e.getMessage() + ")")
return IngestModule.ProcessResult.OK
# Cycle through each row and create artifacts
while resultSet.next():
try:
self.log(Level.INFO, "Result (" + resultSet.getString("Prefetch_File_Name") + ")")
Prefetch_File_Name = resultSet.getString("Prefetch_File_Name")
Actual_File_Name = resultSet.getString("Actual_File_Name")
Number_Of_Runs = resultSet.getString("Number_Time_File_Run")
Time_1 = resultSet.getInt("Embeded_date_Time_Unix_1")
Time_2 = resultSet.getInt("Embeded_date_Time_Unix_2")
Time_3 = resultSet.getInt("Embeded_date_Time_Unix_3")
Time_4 = resultSet.getInt("Embeded_date_Time_Unix_4")
Time_5 = resultSet.getInt("Embeded_date_Time_Unix_5")
Time_6 = resultSet.getInt("Embeded_date_Time_Unix_6")
Time_7 = resultSet.getInt("Embeded_date_Time_Unix_7")
Time_8 = resultSet.getInt("Embeded_date_Time_Unix_8")
except SQLException as e:
self.log(Level.INFO, "Error getting values from contacts table (" + e.getMessage() + ")")
fileManager = Case.getCurrentCase().getServices().getFileManager()
files = fileManager.findFiles(dataSource, Prefetch_File_Name)
for file in files:
# Make artifact for TSK_PREFETCH, this can happen when custom attributes are fully supported
#art = file.newArtifact(artID_pf)
art = file.newArtifact(artID_pf)
#self.log(Level.INFO, "Attribute Number ==>" + str(attID_pf_fn) + " " + str(attID_pf_an) )
# Add the attributes to the artifact.
art.addAttributes(((BlackboardAttribute(attID_pf_fn, ParsePrefetchDbIngestModuleFactory.moduleName, Prefetch_File_Name)), \
(BlackboardAttribute(attID_pf_an, ParsePrefetchDbIngestModuleFactory.moduleName, Actual_File_Name)), \
(BlackboardAttribute(attID_nr, ParsePrefetchDbIngestModuleFactory.moduleName, Number_Of_Runs)), \
(BlackboardAttribute(attID_ex1, ParsePrefetchDbIngestModuleFactory.moduleName, Time_1)), \
(BlackboardAttribute(attID_ex2, ParsePrefetchDbIngestModuleFactory.moduleName, Time_2)), \
(BlackboardAttribute(attID_ex3, ParsePrefetchDbIngestModuleFactory.moduleName, Time_3)), \
(BlackboardAttribute(attID_ex4, ParsePrefetchDbIngestModuleFactory.moduleName, Time_4)), \
(BlackboardAttribute(attID_ex5, ParsePrefetchDbIngestModuleFactory.moduleName, Time_5)), \
(BlackboardAttribute(attID_ex6, ParsePrefetchDbIngestModuleFactory.moduleName, Time_6)), \
(BlackboardAttribute(attID_ex7, ParsePrefetchDbIngestModuleFactory.moduleName, Time_7)), \
(BlackboardAttribute(attID_ex8, ParsePrefetchDbIngestModuleFactory.moduleName, Time_8))))
# Fire an event to notify the UI and others that there are new artifacts
IngestServices.getInstance().fireModuleDataEvent(
ModuleDataEvent(ParsePrefetchDbIngestModuleFactory.moduleName, artID_pf_evt, None))
# Clean up
stmt.close()
dbConn.close()
os.remove(lclDbPath)
#Clean up prefetch directory and files
for file in files:
try:
os.remove(os.path.join(Temp_Dir, file.getName()))
except:
self.log(Level.INFO, "removal of prefetch file failed " + Temp_Dir + "\\" + file.getName())
try:
os.rmdir(Temp_Dir)
except:
self.log(Level.INFO, "removal of prefetch directory failed " + Temp_Dir)
# After all databases, post a message to the ingest messages in box.
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
"Prefetch Analyzer", " Prefetch Has Been Analyzed " )
IngestServices.getInstance().postMessage(message)
# Fire an event to notify the UI and others that there are new artifacts
IngestServices.getInstance().fireModuleDataEvent(
ModuleDataEvent(ParsePrefetchDbIngestModuleFactory.moduleName, artID_pf_evt, None))
return IngestModule.ProcessResult.OK
示例14: process
# 需要導入模塊: from org.sleuthkit.autopsy.ingest import IngestMessage [as 別名]
# 或者: from org.sleuthkit.autopsy.ingest.IngestMessage import createMessage [as 別名]
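def process(self, dataSource, progressBar):
    """Extract Atomic Wallet connection logs and history from the data source
    and hand each extracted copy to ``self.processConnectionLogs`` or
    ``self.processHistory``.

    Args:
        dataSource: the Autopsy data source being ingested.
        progressBar: DataSourceIngestModuleProgress; switched to determinate
            with the total number of files that will be extracted.

    Returns:
        IngestModule.ProcessResult.OK, also when the user cancels mid-way.

    Reads instance state: ``self.context`` (for isJobCancelled). Files whose
    name contains "-slack" (slack-space carve-outs) are skipped.
    """
    # we don't know how much work there is yet
    progressBar.switchToIndeterminate()
    fileManager = Case.getCurrentCase().getServices().getFileManager()
    connectionFiles = fileManager.findFiles(dataSource, "Connection.log%", ".atomic")
    historyFiles = fileManager.findFiles(dataSource, "history.json", ".atomic")
    # Count both lists so progress() below can never run past the total.
    progressBar.switchToDeterminate(len(connectionFiles) + len(historyFiles))

    # Create the Atomic Wallet temp directory; an existing one from an earlier
    # run is fine.
    temporaryDirectory = os.path.join(Case.getCurrentCase().getTempDirectory(), "Atomic_Wallet")
    try:
        os.mkdir(temporaryDirectory)
    except OSError:
        pass

    def extractAndHandle(abstractFile, handler):
        # Save the file locally; the object id prefix reduces name collisions and
        # basename() keeps an evidence-supplied name from escaping the temp dir.
        extractedFile = os.path.join(
            temporaryDirectory,
            str(abstractFile.getId()) + "-" + os.path.basename(abstractFile.getName()))
        ContentUtils.writeToFile(abstractFile, File(extractedFile))
        try:
            handler(extractedFile, abstractFile)
        finally:
            # Always clean up the extracted copy, even if the handler raised.
            try:
                os.remove(extractedFile)
            except OSError:
                self.log(Level.INFO, "Failed to remove file " + extractedFile)

    fileCount = 0
    for fileList, handler in ((connectionFiles, self.processConnectionLogs),
                              (historyFiles, self.processHistory)):
        for abstractFile in fileList:
            if "-slack" in abstractFile.getName():
                continue
            # Check if the user pressed cancel while we were busy
            if self.context.isJobCancelled():
                return IngestModule.ProcessResult.OK
            fileCount += 1
            progressBar.progress(fileCount)
            extractAndHandle(abstractFile, handler)

    try:
        shutil.rmtree(temporaryDirectory)
    except OSError:
        self.log(Level.INFO, "removal of temporary directory failed " + temporaryDirectory)

    # Post a message to the ingest inbox. The label names this module's own
    # artefacts; the previous "Facebook Chat" text was a copy-paste leftover.
    message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
        "Atomic Wallet", " Atomic Wallet Has Been Analyzed " )
    IngestServices.getInstance().postMessage(message)
    return IngestModule.ProcessResult.OK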
示例15: process
# 需要導入模塊: from org.sleuthkit.autopsy.ingest import IngestMessage [as 別名]
# 或者: from org.sleuthkit.autopsy.ingest.IngestMessage import createMessage [as 別名]
#.........這裏部分代碼省略.........
# self.log(Level.INFO, "Result (" + resultSet.getString("Event_Offset") + ")")
# self.log(Level.INFO, "Result (" + resultSet.getString("Identifier") + ")")
# self.log(Level.INFO, "Result (" + resultSet.getString("Event_Source_Name") + ")")
# self.log(Level.INFO, "Result (" + resultSet.getString("Event_User_Security_Identifier") + ")")
# self.log(Level.INFO, "Result (" + resultSet.getString("Event_Time") + ")")
# self.log(Level.INFO, "Result (" + resultSet.getString("Event_Time_Epoch") + ")")
# self.log(Level.INFO, "Result (" + resultSet.getString("Event_Detail_Text") + ")")
File_Name = resultSet.getString("File_Name")
File_Description = resultSet.getString("File_Description")
Item_Name = resultSet.getString("Item_Name")
Command_Line_Arguments = resultSet.getString("command_line_arguments")
Drive_Type = resultSet.getInt("drive_type")
Drive_Serial_Number = resultSet.getInt("drive_serial_number")
Description = resultSet.getString("description")
Environment_Variables_Location = resultSet.getString("environment_variables_location")
File_Access_Time = resultSet.getString("file_access_time")
File_Attribute_Flags = resultSet.getInt("file_attribute_flags")
File_Creation_Time = resultSet.getString("file_creation_time")
File_Modification_Time = resultSet.getString("file_modification_time")
File_Size = resultSet.getInt("file_size")
Icon_Location = resultSet.getString("icon_location")
Link_Target_Identifier_Data = resultSet.getString("link_target_identifier_data")
Local_Path = resultSet.getString("local_path")
Machine_Identifier = resultSet.getString("machine_identifier")
Network_Path = resultSet.getString("network_path")
Relative_Path = resultSet.getString("relative_path")
Volume_Label = resultSet.getString("volume_label")
Working_Directory = resultSet.getString("working_directory")
except SQLException as e:
self.log(Level.INFO, "Error getting values from contacts table (" + e.getMessage() + ")")
#fileManager = Case.getCurrentCase().getServices().getFileManager()
#files = fileManager.findFiles(dataSource, Prefetch_File_Name)
#for file in files:
# Make artifact for TSK_PREFETCH, this can happen when custom attributes are fully supported
#art = file.newArtifact(artID_pf)
# Make an artifact on the blackboard, TSK_PROG_RUN and give it attributes for each of the fields
# Not the proper way to do it but it will work for the time being.
art = file.newArtifact(artID_jl_ad)
# This is for when proper atributes can be created.
art.addAttributes(((BlackboardAttribute(attID_jl_fn, JumpListADDbIngestModuleFactory.moduleName, File_Name)), \
(BlackboardAttribute(attID_jl_fg, JumpListADDbIngestModuleFactory.moduleName, File_Description)), \
(BlackboardAttribute(attID_jl_in, JumpListADDbIngestModuleFactory.moduleName, Item_Name)), \
(BlackboardAttribute(attID_jl_cl, JumpListADDbIngestModuleFactory.moduleName, Command_Line_Arguments)), \
(BlackboardAttribute(attID_jl_dt, JumpListADDbIngestModuleFactory.moduleName, Drive_Type)), \
(BlackboardAttribute(attID_jl_dsn, JumpListADDbIngestModuleFactory.moduleName, Drive_Serial_Number)), \
(BlackboardAttribute(attID_jl_des, JumpListADDbIngestModuleFactory.moduleName, Description)), \
(BlackboardAttribute(attID_jl_evl, JumpListADDbIngestModuleFactory.moduleName, Environment_Variables_Location)), \
(BlackboardAttribute(attID_jl_fat, JumpListADDbIngestModuleFactory.moduleName, File_Access_Time)), \
(BlackboardAttribute(attID_jl_faf, JumpListADDbIngestModuleFactory.moduleName, File_Attribute_Flags)), \
(BlackboardAttribute(attID_jl_fct, JumpListADDbIngestModuleFactory.moduleName, File_Creation_Time)), \
(BlackboardAttribute(attID_jl_fmt, JumpListADDbIngestModuleFactory.moduleName, File_Modification_Time)), \
(BlackboardAttribute(attID_jl_fs, JumpListADDbIngestModuleFactory.moduleName, File_Size)), \
(BlackboardAttribute(attID_jl_ic, JumpListADDbIngestModuleFactory.moduleName, Icon_Location)), \
(BlackboardAttribute(attID_jl_ltid, JumpListADDbIngestModuleFactory.moduleName, Link_Target_Identifier_Data)), \
(BlackboardAttribute(attID_jl_lp, JumpListADDbIngestModuleFactory.moduleName, Local_Path)), \
(BlackboardAttribute(attID_jl_mi, JumpListADDbIngestModuleFactory.moduleName, Machine_Identifier)), \
(BlackboardAttribute(attID_jl_np, JumpListADDbIngestModuleFactory.moduleName, Network_Path)), \
(BlackboardAttribute(attID_jl_rp, JumpListADDbIngestModuleFactory.moduleName, Relative_Path)), \
(BlackboardAttribute(attID_jl_vl, JumpListADDbIngestModuleFactory.moduleName, Volume_Label)), \
(BlackboardAttribute(attID_jl_wd, JumpListADDbIngestModuleFactory.moduleName, Working_Directory))))
# Fire an event to notify the UI and others that there are new artifacts
IngestServices.getInstance().fireModuleDataEvent(
ModuleDataEvent(JumpListADDbIngestModuleFactory.moduleName, artID_jl_ad_evt, None))
# Clean up
skCase_Tran.commit()
stmt.close()
dbConn.close()
try:
os.remove(lclDbPath)
except:
self.log(Level.INFO, "Failed to remove the file " + lclDbPath)
#skCase.close()
#Clean up EventLog directory and files
for file in files:
try:
os.remove(os.path.join(temp_dir, file.getName()))
except:
self.log(Level.INFO, "removal of JL_AD file failed " + os.path.join(temp_dir, file.getName()))
try:
os.rmdir(temp_dir)
except:
self.log(Level.INFO, "removal of JL_AD directory failed " + temp_dir)
# After all databases, post a message to the ingest messages in box.
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
"JumpList AD", " JumpList AD Has Been Analyzed " )
IngestServices.getInstance().postMessage(message)
# Fire an event to notify the UI and others that there are new artifacts
IngestServices.getInstance().fireModuleDataEvent(
ModuleDataEvent(JumpListADDbIngestModuleFactory.moduleName, artID_jl_ad_evt, None))
return IngestModule.ProcessResult.OK