Sleuth Kit Java Bindings (JNI)
4.6
Java bindings for using The Sleuth Kit
|
These classes allow Java programs to access data extracted by The Sleuth Kit.
The Sleuth Kit is primarily a C/C++ library and set of command line tools. These classes allow programs to obtain the data that TSK can produce. The typical steps would be to use JNI to cause the TSK library to create and populate a SQLite or PostgreSQL database. The Java classes then directly open the database and perform queries on it.
There are three broad types of classes in this package:
To get data into the database (which is needed before you get it into a Java object), you need to call some org.sleuthkit.datamodel.SleuthkitCase methods.
To open or create a case, call org.sleuthkit.datamodel.SleuthkitCase.newCase() or org.sleuthkit.datamodel.SleuthkitCase.openCase().
To add a disk image to the case, use org.sleuthkit.datamodel.SleuthkitCase.makeAddImageProcess() to get a org.sleuthkit.datamodel.SleuthkitJNI.CaseDbHandle.AddImageProcess object that allows you to populate the database in the scope of a transaction and get feedback on its update process.
To add a local file (logical file) you can use methods such as org.sleuthkit.datamodel.SleuthkitCase.addLocalFile().
You can either access files directly using methods such as org.sleuthkit.datamodel.SleuthkitCase.findFiles() or org.sleuthkit.datamodel.SleuthkitCase.getAbstractFileById().
You can also access the data in its tree form by starting with org.sleuthkit.datamodel.SleuthkitCase.getImages() and then calling getChildren() on each of the returned objects. See the section below on basics of the datamodel structure.
Copyright © 2011-2018 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.