Autopsy
4.20.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
|
For our first example, we're going to write an ingest module. Ingest modules in Autopsy run on the data sources that are added to a case. When you add a disk image (or local drive or logical folder) in Autopsy, you'll be presented with a list of modules to run (such as hash lookup and keyword search).
Those are all ingest modules. We're going to write one of those. There are two types of ingest modules that we can build:
For this first tutorial, we're going to write a file ingest module. The second tutorial will focus on data source ingest modules. Regardless of the type of ingest module you are writing, you will need to work with two classes:
To write your first file ingest module, you'll need:
Some other general notes are that you will be writing in Jython, which converts Python-looking code into Java. It has some limitations, including:
But, Jython will give you access to all of the Java classes and services that Autopsy provides. So, if you want to stray from this example, then refer to the Developer docs on what classes and methods you have access to. The comments in the sample file will identify what type of object is being passed in along with a URL to its documentation.
Every Python module in Autopsy gets its own folder. This reduces naming collisions between modules. To find out where you should put your Python module, launch Autopsy and choose the Tools -> Python Plugins menu item. That will open a folder in your AppData folder, such as "C:\Users\JDoe\AppData\Roaming\Autopsy\python_modules".
Make a folder inside of there to store your module. Call it "DemoScript". Copy the fileIngestModule.py sample file listed above into the this new folder and rename it to FindBigRoundFiles.py. Your folder should look like this:
We are going to write a script that flags any file that is larger than 10MB and whose size is a multiple of 4096. We'll call these big and round files. This kind of technique could be useful for finding encrypted files. An additional check would be for entropy of the file, but we'll keep the example simple.
Open the FindBigRoundFiles.py file in your favorite python text editor. The sample Autopsy Python modules all have TODO entries in them to let you know what you should change. The below steps jump from one TODO to the next.
The process() method is passed in a reference to an AbstractFile Object. With this, you have access to all of a file's contents and metadata. We want to flag files that are larger than 10MB and that are a multiple of 4096 bytes. The following code does that:
if ((file.getSize() > 10485760) and ((file.getSize() % 4096) == 0)):
Now that we have found the files, we want to do something with them. In our situation, we just want to alert the user to them. We do this by making an "Interesting Item" blackboard artifact. The Blackboard is where ingest modules can communicate with each other and with the Autopsy GUI. The blackboard has a set of artifacts on it and each artifact:
A list of standard artifact types can be found in the artifact catalog. It is important to note the catagory for the artifact you want to since this affects which method you will use to create the artifact.
For our example, we are going to make an artifact of type "TSK_INTERESTING_ITEM", which is an analysis result, whenever we find a big and round file. These are one of the most generic artifact types and are simply a way of alerting the user that a file is interesting for some reason. Once you make the artifact, it will be shown in the UI. The below code makes an artifact for the file and puts it into the set of "Big and Round Files". You can create whatever set names you want. The Autopsy GUI organizes Interesting Files by their set name.
art = file.newAnalysisResult(BlackboardArtifact.Type.TSK_INTERESTING_ITEM, Score.SCORE_LIKELY_NOTABLE, None, "Big and Round Files", None, Arrays.asList( BlackboardAttribute(BlackboardAttribute.Type.TSK_SET_NAME, FindBigRoundFilesIngestModuleFactory.moduleName, "Big and Round Files"))).getAnalysisResult()
The above code adds the artifact and a single attribute to the blackboard in the embedded database, but it does not notify other modules or the UI. Calling postArtifact() will let the tree viewer and other parts of the UI know that a refresh may be necessary, and passes the newly created artifacts to other modules that may do further processing on it.
blackboard.postArtifact(art, FindBigRoundFilesIngestModuleFactory.moduleName)
That's it. Your process() method should look something like this:
def process(self, file): # Use blackboard class to index blackboard artifacts for keyword search blackboard = Case.getCurrentCase().getSleuthkitCase().getBlackboard() # Skip non-files if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) or (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) or (file.isFile() == False)): return IngestModule.ProcessResult.OK # Look for files bigger than 10MB that are a multiple of 4096 if ((file.getSize() > 10485760) and ((file.getSize() % 4096) == 0)): # Make an artifact on the blackboard. TSK_INTERESTING_ITEM is a generic type of # artifact. Refer to the developer docs for other examples. art = file.newAnalysisResult(BlackboardArtifact.Type.TSK_INTERESTING_ITEM, Score.SCORE_LIKELY_NOTABLE, None, "Big and Round Files", None, Arrays.asList( BlackboardAttribute(BlackboardAttribute.Type.TSK_SET_NAME, FindBigRoundFilesIngestModuleFactory.moduleName, "Big and Round Files"))).getAnalysisResult() try: # post the artifact for listeners of artifact events blackboard.postArtifact(art, FindBigRoundFilesIngestModuleFactory.moduleName) except Blackboard.BlackboardException as e: self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName()) return IngestModule.ProcessResult.OK
Save this file and run the module on some of your data. If you have any big and round files, you should see an entry under the "Interesting Items" node in the tree.
The full big and round file module along with test data can be found on github.
Whenever you have syntax errors or other errors in your script, you will get some form of dialog from Autopsy when you try to run ingest modules. If that happens, fix the problem and run ingest modules again. You don't need to restart Autopsy each time!
The sample module has some log statements in there to help debug what is going on since we don't know of better ways to debug the scripts while running in Autopsy.
Copyright © 2012-2022 Basis Technology. Generated on: Tue Aug 1 2023
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.