autopsy-plugins's People

Contributors

cogwizzle, markmckinnon, michaelmagyar, shannaniggans

autopsy-plugins's Issues

Installation script Autopsy_Plugins_Install.nsi

I found two problems with the NSIS install script when run on Windows.

  1. Compilation stops on the License_Agreement.txt file; the file was saved again as MS-DOS (no Unix line endings).

  2. Some variables are wrong:
    CreateDirectory "$APPDATA\Autopsy\Python_modules1\iTunes_Backup"
    This is for entries SEC45, 46 and 47.

export_evtx.exe -- IndexError: list index out of range

Following my prior post on process_evtx and others failing, I tested export_evtx.exe from a cmd prompt.

Any kind of starting this executable resulted in

export_evtx.exe
Traceback (most recent call last):
File "", line 151, in
IndexError: list index out of range
export_evtx returned -1

Shellbags: parse UsrClass.dat

Hi,
I've tried to use the Parse_Shellbags module and it works fine, but it seems to only load entries from the ntuser.dat registry hive found in the user's profile directory.
From my experience, most of the shellbags entries are found in the %localappdata%\Microsoft\Windows\UsrClass.dat file inside the user profile.
I've tried a dirty filename change at https://github.com/markmckinnon/Autopsy-Plugins/blob/master/Parse_Shellbags/Shellbag_Parser.py#L139 and it seems to work just fine.
Could you possibly integrate a change so that both ntuser.dat and usrclass.dat are scanned when running the module?
Thank you
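As an added example (my code, not the Shellbag_Parser.py linked above), the plain Python 3 functions below show the check the reporter is asking for: given a list of file paths from an image, collect both NTUSER.DAT and UsrClass.dat for each user profile, matching case-insensitively, and report profiles where one of the two hives is missing. It assumes the default profile layout under \Users\<name>\ (NTUSER.DAT in the profile root, UsrClass.dat under AppData\Local\Microsoft\Windows); the SAMPLE_PATHS list is constructed and stands in for the file listing Autopsy would provide.

```python
# Added example: locate both shellbag hives per user profile.
# Assumption: default Windows profile layout under \Users\<name>\.

# Relative locations (lower-cased) inside a profile directory.
HIVE_LOCATIONS = {
    "ntuser": "ntuser.dat",
    "usrclass": r"appdata\local\microsoft\windows\usrclass.dat",
}

# Constructed sample file list, as an allocated-file listing might give it.
SAMPLE_PATHS = [
    r"C:\Users\alice\NTUSER.DAT",
    r"C:\Users\alice\AppData\Local\Microsoft\Windows\UsrClass.dat",
    r"C:\Users\bob\NTUSER.DAT",
    r"C:\Users\bob\ntuser.dat.LOG1",          # transaction log, not a hive
    r"C:\Windows\System32\config\SAM",        # not under a profile
]


def profile_and_relative(path):
    """Split ...\\Users\\<name>\\rest into (<name>, rest), else (None, None)."""
    parts = path.replace("/", "\\").split("\\")
    lowered = [p.lower() for p in parts]
    if "users" not in lowered:
        return None, None
    i = lowered.index("users")
    if len(parts) < i + 3:
        return None, None
    return parts[i + 1], "\\".join(parts[i + 2:])


def find_shellbag_hives(paths):
    """Return {user: {"ntuser": path, "usrclass": path}} for hives found."""
    found = {}
    for path in paths:
        user, rel = profile_and_relative(path)
        if user is None:
            continue
        for kind, location in HIVE_LOCATIONS.items():
            if rel.lower() == location:
                found.setdefault(user, {})[kind] = path
    return found


def missing_hives(found):
    """List (user, kind) pairs where one of the two hives was not found."""
    return [(user, kind) for user, hives in found.items()
            for kind in HIVE_LOCATIONS if kind not in hives]


if __name__ == "__main__":
    hives = find_shellbag_hives(SAMPLE_PATHS)
    for user, paths in hives.items():
        print(user, paths)
    print("missing:", missing_hives(hives))
```

Reporting the missing hive matters in practice: a profile whose UsrClass.dat is absent from the listing usually means the file was not allocated in the image rather than that the user has no shellbags, so the analyst knows to look at carved or VSS copies.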

ParseEvtx handling of evtx log files with a space in the name

When running ParseEvtx and specifying the event logs which contain spaces in their names:

  • Microsoft-Windows-Windows Defender%4Operational.evtx
  • Microsoft-Windows-Windows Defender%4WHC.evtx

The plugin separates the name into multiple items and therefore cannot find the files specified:
2022-04-01 07:01:02.482 ParseEvtxDbIngestModule process INFO: List Of Events ==> ['Other', 'Microsoft-Windows-Windows', 'Defender%4Operational.evtx,', 'Microsoft-Windows-Windows', 'Defender%4WHC.evtx'] <== Number of Events ==> 5

I have tried adding a "%20" instead of the space, adding " and ' around the file name but I cannot figure out how to tell the plugin that it's all one word and not to split it in two.

Is this known or a bit of a bug?

Autopsy 4.19.3 / ParseEvtx version 1.5 / Python 3.9.0
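The log line in the report shows the event-log list being tokenised on whitespace, so every name containing a space becomes two items. As an added example (my code, not the ParseEvtx module's), the plain Python 3 functions below contrast that behaviour with comma-delimited parsing through the csv module, which keeps names with spaces intact and also accepts quoted entries. SAMPLE_INPUT is constructed from the file names quoted in the report; that the field is meant to be a comma-separated list is an assumption, since the page does not say how the plugin expects it.

```python
# Added example: splitting a list of .evtx names that contain spaces.
# Assumption: the list is comma-delimited, as the user typed it.
import csv
import io

# Constructed sample, modelled on the names quoted in the report.
SAMPLE_INPUT = ("Other, Microsoft-Windows-Windows Defender%4Operational.evtx, "
                "Microsoft-Windows-Windows Defender%4WHC.evtx")


def split_on_whitespace(text):
    """The behaviour seen in the report: str.split() breaks names with spaces."""
    return text.split()


def parse_event_list(text):
    """Split a user-supplied list of .evtx names on commas, not whitespace.

    csv.reader honours optional surrounding quotes, and skipinitialspace
    drops the blank after each comma; empty entries (trailing commas) are
    discarded.
    """
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    names = []
    for row in reader:
        for name in row:
            name = name.strip()
            if name:
                names.append(name)
    return names


def matches_requested(file_name, requested):
    """Case-insensitive check of an evtx file name against the parsed list."""
    wanted = {name.lower() for name in requested}
    return file_name.lower() in wanted


if __name__ == "__main__":
    print(split_on_whitespace(SAMPLE_INPUT))   # 5 tokens, names broken apart
    print(parse_event_list(SAMPLE_INPUT))      # 3 names, kept intact
```

The case-insensitive comparison is deliberate: file names on NTFS are case-preserving but not case-sensitive, so a list typed as `defender%4whc.evtx` should still match the file as stored.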

Volatility Dump Files Module

Good afternoon, Mark,
I'm your follower because of Autopsy :-)
I would have some requests for help in using this forensic tool, being a RAM dump analysis technician, and so I would like to try to get some useful results. First I would like to start talking about the results obtained with the Volatility Dump Files Module, thanks also to your article (https://medium.com/@markmckinnon_80619/volatility-autopsy-plugin-module-8beecea6396) ... in the "Module Output" folder of my processed case I can extract contents with .dat, .iso and other formats ... the question I ask is how can I make them available and usable by retrieving the files (.doc, .docx, .xls, .xlsx, .pdf, .txt ...)? This result would be very important for me!
Mark, can I ask you why I don't see the results of the (very useful) modules, except "Extracted Content", in the Autopsy graphical results tree?

RingCentral Chat Support

Would love to see a plugin that parses the chat from a RingCentral Session. By default the chat log is stored \Documents\RingCentral\Meetings and then a Separate folder for each session named by Date/Time and Ten Digit Room ID (Ex: 2020-05-27 20.39.09 RingCentral Meeting XXXXXXXXXX).

Jump_List_JL_Ad error

Hi,

I am running Autopsy 4.14 on Tsurugi, and am trying to parse a Windows image just running the Jump_List module. I'm getting the following error:
Traceback (most recent call last):
File "/root/.autopsy/dev/python_modules/Jump_List_AD/JumpList_AD.py", line 303, in process
output = subprocess.Popen([self.path_to_exe, temp_dir, os.path.join(Temp_Dir, "JL_AD.db3"), self.path_to_app_id_db], stdout=subprocess.PIPE).communicate()[0]
File "/opt/autopsy/autopsy/modules/ext/jython-standalone-2.7.0.jar/Lib/subprocess.py", line 830, in init
File "/opt/autopsy/autopsy/modules/ext/jython-standalone-2.7.0.jar/Lib/subprocess.py", line 1352, in _execute_child
OSError: Cannot run program "/root/.autopsy/dev/python_modules/Jump_List_AD/Export_JL_Ad" (in directory "/home/jon"): error=13, Permission denied

FileHistory

Hello,

I've been trying to use the FileHistory plugin to no avail. I've tried two different sets of data as logical files (two sets of Catalog1.edb, Catalog2.edb, Config1.xml, Config2.xml from different machines), I've also tried running it on a data source (which I created in a virtual machine specifically as a File History drive) in the form of a raw image file.

Unfortunately, it just doesn't seem to take... I'll get the ingest message/notification that the plugin is done, but no artifacts are generated and I don't see anything in the Extracted Content "folder". I've also tested this on Autopsy 4.3 as well as 4.15, for what it's worth.

I would be grateful for any ideas, but could you let me know which version of Python the plugin was designed with, or perhaps which version you know works? Being able to replicate a known configuration would be very much appreciated.

Thank you for all your work with these plugins!

Mac-Mail plugin needs full /Users/ path to evidence?

Environment

Autopsy ver 4.16.0
Sleuthkit 4.10.0
O/S: Debian 10

Problem description

Have extracted a user's Mail directory from a Mac to a TAR archive.
Then ingested that archive to Autopsy.

The log file says:

INFO: Mac_Mail analysis of LogicalFileSet1 (pipeline=7) starting
2020-11-25 13:51:54.54 ProcessMacMailIngestModule process
INFO: found 0 files
2020-11-25 13:51:54.546 ProcessMacMailIngestModule process
INFO: User Paths to get emlx files from ==> []
2020-11-25 13:51:54.547 org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline process
INFO: Mac_Mail analysis of LogicalFileSet1 (pipeline=7) finished

Checked the Python code and see that the "/Users" directory is parsed.
Would it be enough to copy the Mail directory using the complete path from / instead?

Regards,
Johan

Parse_USNJ sqlite error

Hi (and thanks for your great work on these famous plugins).
I'm getting an error when executing the module, inside Autopsy (latest version, but also when running the module parseusn.exe manually from cmd), on an E01 image of a relatively small disk. The USNJ txt file is around 45GB.

VSS plugin hangs on 4.5

I tried your new VSS plugin with Autopsy 4.5

Unfortunately after nearly 3 days, it showed no progress and no CPU or Disk activity. I had to kill Autopsy via the Task Manager to get out.

Getting the following error while loading the following modules

SEVERE: Failed to load PlasoIngestModuleFactory from C:\Users\Administrator\AppData\Roaming\autopsy\python_modules\Plaso\Plaso.py
Traceback (most recent call last):
File "", line 1, in
File "C:\Users\Administrator\AppData\Roaming\autopsy\python_modules\Plaso\Plaso.py", line 74, in
from org.sleuthkit.autopsy.ingest import GenericIngestModuleJobSettings
ImportError: cannot import name GenericIngestModuleJobSettings

org.python.core.Py.ImportError(Py.java:328)
org.python.core.imp.importFromAs(imp.java:1168)
org.python.core.imp.importFrom(imp.java:1132)
Plaso$py.f$0(C:\Users\Administrator\AppData\Roaming\autopsy\python_modules\Plaso\Plaso.py:435)
Plaso$py.call_function(C:\Users\Administrator\AppData\Roaming\autopsy\python_modules\Plaso\Plaso.py)
org.python.core.PyTableCode.call(PyTableCode.java:167)
org.python.core.PyCode.call(PyCode.java:18)
org.python.core.imp.createFromCode(imp.java:436)
org.python.core.imp.createFromSource(imp.java:396)
org.python.core.imp.loadFromSource(imp.java:658)
org.python.core.imp.find_module(imp.java:543)
org.python.core.imp.import_next(imp.java:840)
org.python.core.imp.import_module_level(imp.java:959)
org.python.core.imp.importName(imp.java:1062)
org.python.core.ImportFunction.__call__(__builtin__.java:1280)
org.python.core.PyObject.__call__(PyObject.java:431)
org.python.core.__builtin__.__import__(__builtin__.java:1232)
org.python.core.imp.importOne(imp.java:1081)
org.python.pycode._pyx2.f$0(<string>:1)
org.python.pycode._pyx2.call_function(<string>)
org.python.core.PyTableCode.call(PyTableCode.java:167)
org.python.core.PyCode.call(PyCode.java:18)
org.python.core.Py.runCode(Py.java:1386)
org.python.core.Py.exec(Py.java:1430)
org.python.util.PythonInterpreter.exec(PythonInterpreter.java:267)
org.sleuthkit.autopsy.python.JythonModuleLoader.createObjectFromScript(JythonModuleLoader.java:126)
org.sleuthkit.autopsy.python.JythonModuleLoader.getInterfaceImplementations(JythonModuleLoader.java:94)
org.sleuthkit.autopsy.python.JythonModuleLoader.getIngestModuleFactories(JythonModuleLoader.java:57)
org.sleuthkit.autopsy.ingest.IngestModuleFactoryLoader.getIngestModuleFactories(IngestModuleFactoryLoader.java:123)
org.sleuthkit.autopsy.ingest.IngestJobSettings.load(IngestJobSettings.java:298)
org.sleuthkit.autopsy.ingest.IngestJobSettings.<init>(IngestJobSettings.java:150)
org.sleuthkit.autopsy.ingest.runIngestModuleWizard.IngestModulesConfigWizardPanel.getComponent(IngestModulesConfigWizardPanel.java:70)
org.sleuthkit.autopsy.ingest.runIngestModuleWizard.RunIngestModulesWizardIterator.<init>(RunIngestModulesWizardIterator.java:60)
org.sleuthkit.autopsy.ingest.runIngestModuleWizard.RunIngestModulesAction.actionPerformed(RunIngestModulesAction.java:112)
javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
javax.swing.DefaultButtonModel.setPressed(Unknown Source)
javax.swing.AbstractButton.doClick(Unknown Source)
javax.swing.plaf.basic.BasicMenuItemUI.doClick(Unknown Source)
javax.swing.plaf.basic.BasicMenuItemUI$Handler.mouseReleased(Unknown Source)
java.awt.Component.processMouseEvent(Unknown Source)
javax.swing.JComponent.processMouseEvent(Unknown Source)
java.awt.Component.processEvent(Unknown Source)
java.awt.Container.processEvent(Unknown Source)
java.awt.Component.dispatchEventImpl(Unknown Source)
java.awt.Container.dispatchEventImpl(Unknown Source)
java.awt.Component.dispatchEvent(Unknown Source)
java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
java.awt.Container.dispatchEventImpl(Unknown Source)
java.awt.Window.dispatchEventImpl(Unknown Source)
java.awt.Component.dispatchEvent(Unknown Source)
java.awt.EventQueue.dispatchEventImpl(Unknown Source)
java.awt.EventQueue.access$500(Unknown Source)
java.awt.EventQueue$3.run(Unknown Source)
java.awt.EventQueue$3.run(Unknown Source)
java.security.AccessController.doPrivileged(Native Method)
java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
java.awt.EventQueue$4.run(Unknown Source)
java.awt.EventQueue$4.run(Unknown Source)
java.security.AccessController.doPrivileged(Native Method)
java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
java.awt.EventQueue.dispatchEvent(Unknown Source)
org.netbeans.core.TimableEventQueue.dispatchEvent(TimableEventQueue.java:159)
java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
java.awt.EventDispatchThread.pumpEvents(Unknown Source)
java.awt.EventDispatchThread.pumpEvents(Unknown Source)
java.awt.EventDispatchThread.run(Unknown Source)

SAM Parse Plugin Pulls from RegBack

Good day sir!

When running the Parse SAM option within the Windows Internals plugin, the plugin runs with no problem. However, the source is the SAM file in the RegBack folder and not config. Is this intentional?

Autopsy find dir

I encounter an issue trying to make the Volatility plugin work on Autopsy.
I have autopsy-4.19.1. volatility and volatility3 are already installed locally on my computer (and working).

When asked in the Autopsy parameters to select the Executable Directory I'm not sure what to do. I tried selecting vol.py in the directory of volatility 2.6 or just the parent directory...

...but every time I get the same error.

What am I doing wrong?

process_evtx and other python modules do not work on MS Windows 10, Autopsy 4.17.0, Python 3.9

Short on time, I meant to run Autopsy and the Autopsy-Plugins on MS Windows since these have installers.

  • the binary installer cannot install into a custom folder; it only installs in the folder for the admin user
  • Python modules throw all kinds of warnings and errors

Two modules of interest at this time (with Python 3.9):

  • Process_EVTX: null
  • Process_EVTX_By_EventID: null

Running the modules from the commandline shows for both modules (one example only)

Parse_Evtx_By_EventID.py", line 42, in
import jarray
ModuleNotFoundError: No module named 'jarray'

EML_Parser unreadable code

As shown, when the eml file is in Chinese, I can't read the information correctly in the Autopsy plug-in module. Is there a way to solve this?
Thank you!

SQLite plugin questions

Hi @markmckinnon; I'm a bit new to Autopsy. I can't figure out how to get your SQLite Python plugins to work (or maybe they are working and I can't tell). I think your plugins give me a way of displaying SQLite content directly in Autopsy. Unfortunately I can't figure out how to run them, and every time I run the ingest module I get nothing under Extracted Content. Could you create a README file on how to run some of your modules? If you don't want to write them down and would prefer to just tell me, I can write README files for the plugins I use. Thanks!
Edit:
I guess it is also worth mentioning that I am currently running on Ubuntu and have Autopsy running out of Netbeans. I am developing some plugins of my own.

Volatility plugin exception in Autopsy 4.8.0 on Ubuntu

Here is the traceback:

Traceback (most recent call last):
File "/home/sansforensics/.autopsy/dev/python_modules/Volatility/Volatility_Dump.py", line 120, in getIngestJobSettingsPanel
return VolatilitySettingsWithUISettingsPanel(self.settings)
File "/home/sansforensics/.autopsy/dev/python_modules/Volatility/Volatility_Dump.py", line 613, in init
self.initComponents()
File "/home/sansforensics/.autopsy/dev/python_modules/Volatility/Volatility_Dump.py", line 938, in initComponents
self.Plugin_LB = JList( self.Plugin_list, valueChanged=self.onchange_plugins_lb)
TypeError: javax.swing.JList(): 1st arg can't be coerced to java.util.Vector, java.lang.Object[], javax.swing.ListModel

at org.python.core.Py.TypeError(Py.java:259)
at org.python.core.PyReflectedFunction.throwError(PyReflectedFunction.java:209)
at org.python.core.PyReflectedFunction.throwBadArgError(PyReflectedFunction.java:312)
at org.python.core.PyReflectedFunction.throwError(PyReflectedFunction.java:321)
at org.python.core.PyReflectedConstructor.__call__(PyReflectedConstructor.java:177)
at org.python.core.PyObject.__call__(PyObject.java:419)
at org.python.core.PyMethod.instancemethod___call__(PyMethod.java:237)
at org.python.core.PyMethod.__call__(PyMethod.java:228)
at org.python.core.PyMethod.__call__(PyMethod.java:223)
at org.python.core.Deriveds.dispatch__init__(Deriveds.java:19)
at org.python.core.PyObjectDerived.dispatch__init__(PyObjectDerived.java:1112)
at org.python.core.PyType.type___call__(PyType.java:1713)
at org.python.core.PyType.__call__(PyType.java:1696)
at org.python.core.PyObject.__call__(PyObject.java:394)
at Volatility_Dump$py.initComponents$48(/home/sansforensics/.autopsy/dev/python_modules/Volatility/Volatility_Dump.py:1058)
at Volatility_Dump$py.call_function(/home/sansforensics/.autopsy/dev/python_modules/Volatility/Volatility_Dump.py)
at org.python.core.PyTableCode.call(PyTableCode.java:167)
at org.python.core.PyBaseCode.call(PyBaseCode.java:138)
at org.python.core.PyFunction.__call__(PyFunction.java:413)
at org.python.core.PyMethod.__call__(PyMethod.java:126)
at Volatility_Dump$py.__init__$37(/home/sansforensics/.autopsy/dev/python_modules/Volatility/Volatility_Dump.py:614)
at Volatility_Dump$py.call_function(/home/sansforensics/.autopsy/dev/python_modules/Volatility/Volatility_Dump.py)
at org.python.core.PyTableCode.call(PyTableCode.java:167)
at org.python.core.PyBaseCode.call(PyBaseCode.java:307)
at org.python.core.PyBaseCode.call(PyBaseCode.java:198)
at org.python.core.PyFunction.__call__(PyFunction.java:482)
at org.python.core.PyMethod.instancemethod___call__(PyMethod.java:237)
at org.python.core.PyMethod.__call__(PyMethod.java:228)
at org.python.core.PyMethod.__call__(PyMethod.java:223)
at org.python.core.Deriveds.dispatch__init__(Deriveds.java:19)
at org.python.core.PyObjectDerived.dispatch__init__(PyObjectDerived.java:1112)
at org.python.core.PyType.type___call__(PyType.java:1713)
at org.python.core.PyType.__call__(PyType.java:1696)
at org.python.core.PyObject.__call__(PyObject.java:461)
at org.python.core.PyObject.__call__(PyObject.java:465)
at Volatility_Dump$py.getIngestJobSettingsPanel$8(/home/sansforensics/.autopsy/dev/python_modules/Volatility/Volatility_Dump.py:120)
at Volatility_Dump$py.call_function(/home/sansforensics/.autopsy/dev/python_modules/Volatility/Volatility_Dump.py)
at org.python.core.PyTableCode.call(PyTableCode.java:167)
at org.python.core.PyBaseCode.call(PyBaseCode.java:307)
at org.python.core.PyBaseCode.call(PyBaseCode.java:198)
at org.python.core.PyFunction.__call__(PyFunction.java:482)
at org.python.core.PyMethod.instancemethod___call__(PyMethod.java:237)
at org.python.core.PyMethod.__call__(PyMethod.java:228)
at org.python.core.PyMethod.__call__(PyMethod.java:218)
at org.python.core.PyMethod.__call__(PyMethod.java:213)
at org.python.core.PyObject._jcallexc(PyObject.java:3626)
at org.python.core.PyObject._jcall(PyObject.java:3658)
at org.python.proxies.Volatility_Dump$VolatilityDumpIngestModuleFactory$6.getIngestJobSettingsPanel(Unknown Source)
at org.sleuthkit.autopsy.ingest.IngestModuleTemplate.getModuleSettingsPanel(IngestModuleTemplate.java:61)
at org.sleuthkit.autopsy.ingest.IngestJobSettingsPanel$IngestModuleModel.<init>(IngestJobSettingsPanel.java:531)
at org.sleuthkit.autopsy.ingest.IngestJobSettingsPanel.<init>(IngestJobSettingsPanel.java:84)
at org.sleuthkit.autopsy.casemodule.AddImageWizardIngestConfigPanel.<init>(AddImageWizardIngestConfigPanel.java:62)
at org.sleuthkit.autopsy.casemodule.AddImageWizardIterator.getPanels(AddImageWizardIterator.java:62)
at org.sleuthkit.autopsy.casemodule.AddImageWizardIterator.current(AddImageWizardIterator.java:132)
at org.sleuthkit.autopsy.casemodule.AddImageWizardIterator.current(AddImageWizardIterator.java:37)
at org.openide.WizardDescriptor.updateStateOpen(WizardDescriptor.java:844)
at org.openide.WizardDescriptor.updateState(WizardDescriptor.java:822)
at org.openide.WizardDescriptor._updateState(WizardDescriptor.java:800)
at org.openide.WizardDescriptor.initialize(WizardDescriptor.java:475)
at org.openide.NotifyDescriptor.getterCalled(NotifyDescriptor.java:304)
at org.openide.DialogDescriptor.isModal(DialogDescriptor.java:322)
at org.netbeans.core.windows.services.NbDialog.<init>(NbDialog.java:67)
at org.netbeans.core.windows.services.DialogDisplayerImpl$1.run(DialogDisplayerImpl.java:158)
at org.netbeans.core.windows.services.DialogDisplayerImpl$1.run(DialogDisplayerImpl.java:119)
at org.netbeans.modules.openide.util.NbMutexEventProvider$Event.doEventAccess(NbMutexEventProvider.java:138)
at org.netbeans.modules.openide.util.NbMutexEventProvider$Event.readAccess(NbMutexEventProvider.java:98)
at org.netbeans.modules.openide.util.LazyMutexImplementation.readAccess(LazyMutexImplementation.java:94)
at org.openide.util.Mutex.readAccess(Mutex.java:218)
at org.netbeans.core.windows.services.DialogDisplayerImpl.createDialog(DialogDisplayerImpl.java:119)
at org.netbeans.core.windows.services.DialogDisplayerImpl.createDialog(DialogDisplayerImpl.java:111)
at org.sleuthkit.autopsy.casemodule.AddImageAction.actionPerformed(AddImageAction.java:135)
at org.sleuthkit.autopsy.casemodule.NewCaseWizardAction$1.done(NewCaseWizardAction.java:120)
at javax.swing.SwingWorker$5.run(SwingWorker.java:737)
at javax.swing.SwingWorker$DoSubmitAccumulativeRunnable.run(SwingWorker.java:832)
at sun.swing.AccumulativeRunnable.run(AccumulativeRunnable.java:112)
at javax.swing.SwingWorker$DoSubmitAccumulativeRunnable.actionPerformed(SwingWorker.java:842)
at javax.swing.Timer.fireActionPerformed(Timer.java:313)
at javax.swing.Timer$DoPostEvent.run(Timer.java:245)
at java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:311)
at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:758)
at java.awt.EventQueue.access$500(EventQueue.java:97)
at java.awt.EventQueue$3.run(EventQueue.java:709)
at java.awt.EventQueue$3.run(EventQueue.java:703)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:74)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:728)
at org.netbeans.core.TimableEventQueue.dispatchEvent(TimableEventQueue.java:159)

[catch] at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:205)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)


Issue with UI setting - Ingest module not running

On my system (Windows Server 2019, Autopsy 4.12), when I try to run ingest modules with settings (Amcache, EVTX...) in the UI, the module will not run, and I found this error to be more or less generic:

if self.local_settings.getSetting('associateFileEntries') =='true': seems to be the culprit

SEVERE: Error starting Parse Amcache ingest module for job 3
Traceback (most recent call last):
File "C:\Users\Administrator\AppData\Roaming\autopsy\python_modules\Process_Amcache\ParseAmcache.py", line 157, in startUp
if self.local_settings.getSetting('associateFileEntries') =='true':
AttributeError: 'NoneType' object has no attribute 'getSetting'
org.python.core.Py.AttributeError(Py.java:205)
org.python.core.PyObject.noAttributeError(PyObject.java:1013)
org.python.core.PyObject.__getattr__(PyObject.java:1008)
ParseAmcache$py.startUp$14(C:\Users\Administrator\AppData\Roaming\autopsy\python_modules\Process_Amcache\ParseAmcache.py:170)
ParseAmcache$py.call_function(C:\Users\Administrator\AppData\Roaming\autopsy\python_modules\Process_Amcache\ParseAmcache.py)
org.python.core.PyTableCode.call(PyTableCode.java:167)
org.python.core.PyBaseCode.call(PyBaseCode.java:307)
org.python.core.PyBaseCode.call(PyBaseCode.java:198)
org.python.core.PyFunction.__call__(PyFunction.java:482)
org.python.core.PyMethod.instancemethod___call__(PyMethod.java:237)
org.python.core.PyMethod.__call__(PyMethod.java:228)
org.python.core.PyMethod.__call__(PyMethod.java:218)
org.python.core.PyMethod.__call__(PyMethod.java:213)
org.python.core.PyObject._jcallexc(PyObject.java:3626)
org.python.proxies.ParseAmcache$ParseAmcacheIngestModule$1580.startUp(Unknown Source)
org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$PipelineModule.startUp(DataSourceIngestPipeline.java:200)
org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline.startUp(DataSourceIngestPipeline.java:83)
org.sleuthkit.autopsy.ingest.DataSourceIngestJob.startUpIngestPipelines(DataSourceIngestJob.java:449)
org.sleuthkit.autopsy.ingest.DataSourceIngestJob.start(DataSourceIngestJob.java:419)
org.sleuthkit.autopsy.ingest.IngestJob.start(IngestJob.java:158)
org.sleuthkit.autopsy.ingest.IngestManager.startIngestJob(IngestManager.java:407)
org.sleuthkit.autopsy.ingest.IngestManager.access$600(IngestManager.java:111)
org.sleuthkit.autopsy.ingest.IngestManager$StartIngestJobTask.call(IngestManager.java:849)
org.sleuthkit.autopsy.ingest.IngestManager$StartIngestJobTask.call(IngestManager.java:812)
java.util.concurrent.FutureTask.run(FutureTask.java:266)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
java.lang.Thread.run(Thread.java:748)
2020-03-14 13:31:24.411 org.sleuthkit.autopsy.ingest.IngestManager startIngestJob SEVERE: Ingest job 3 could not be started

It looks like the values are undefined when the code gets there, and if I manually edit the code, for example commenting out the code that selects the options I would like to run, the module works:

if self.local_settings.getSetting('associateFileEntries') == 'true':
    self.List_Of_tables.append('associated_file_entries')
if self.local_settings.getSetting('programEntries') == 'true':
    self.List_Of_tables.append('program_entries')
if self.local_settings.getSetting('unassociatePrograms') == 'true':
    self.List_Of_tables.append('unassociated_programs')

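The AttributeError here (and the identical one in the later Plaso report on this page, whose author notes that getIngestJobSettingsPanel does populate the settings but startUp still sees None) is consistent with a module that only holds a settings object when the settings panel has actually been built. As an added example (my code, not the plugins' and not the Autopsy API), the stand-in classes below model the two ways a factory can hand settings to its ingest module: caching the object received by the panel call, which stays None when ingest is started from saved settings without the panel being shown, versus passing the object supplied to the create call. FakeJobSettings, the factory and module classes, and the `safe_setting` helper are all hypothetical stand-ins whose names merely echo the Autopsy Python API shape; which of the two patterns the real plugins use is an assumption, not something the page states.

```python
# Added example: why a settings object can be None at startUp, and a guard.
# All classes here are stand-ins, not the Autopsy / Sleuth Kit classes.


class FakeJobSettings:
    """Stand-in for a job settings store (assumption: string key/values
    read with getSetting, as the traceback above uses it)."""

    def __init__(self, values=None):
        self._values = dict(values or {})

    def getSetting(self, key):
        return self._values.get(key)

    def setSetting(self, key, value):
        self._values[key] = value


def safe_setting(settings, key, default="false"):
    """Hypothetical helper: read a setting without assuming settings exist."""
    if settings is None:
        return default
    value = settings.getSetting(key)
    return default if value is None else value


class AmcacheLikeModule:
    """Builds the table list from three boolean settings, as in the report."""

    TABLE_FOR_SETTING = (
        ("associateFileEntries", "associated_file_entries"),
        ("programEntries", "program_entries"),
        ("unassociatePrograms", "unassociated_programs"),
    )

    def __init__(self, settings):
        self.local_settings = settings
        self.List_Of_tables = []

    def startUp_original(self):
        """Reproduces the report: raises AttributeError when settings is None."""
        for key, table in self.TABLE_FOR_SETTING:
            if self.local_settings.getSetting(key) == "true":
                self.List_Of_tables.append(table)
        return self.List_Of_tables

    def startUp(self):
        """Guarded variant: missing settings fall back to 'false'."""
        for key, table in self.TABLE_FOR_SETTING:
            if safe_setting(self.local_settings, key) == "true":
                self.List_Of_tables.append(table)
        return self.List_Of_tables


class FragileFactory:
    """Caches settings only when the UI panel is built (the failing pattern)."""

    def __init__(self):
        self.settings = None

    def getIngestJobSettingsPanel(self, settings):
        self.settings = settings          # only runs if the panel is opened
        return "panel"

    def createDataSourceIngestModule(self, ingestOptions):
        return AmcacheLikeModule(self.settings)   # ignores ingestOptions


class RobustFactory:
    """Passes the settings object the framework hands to the create call."""

    def getIngestJobSettingsPanel(self, settings):
        return "panel"

    def createDataSourceIngestModule(self, ingestOptions):
        return AmcacheLikeModule(ingestOptions)


def run_ingest(factory, saved_settings, open_panel):
    """Model of starting ingest: the panel is built only if it is shown."""
    if open_panel:
        factory.getIngestJobSettingsPanel(saved_settings)
    module = factory.createDataSourceIngestModule(saved_settings)
    return module.startUp()


def reproduce_report_error():
    """Return the exception class name raised by the original startUp logic."""
    module = FragileFactory().createDataSourceIngestModule(FakeJobSettings())
    try:
        module.startUp_original()
    except AttributeError as exc:
        return type(exc).__name__
    return None
```

Note that the guard alone is not a fix: with FragileFactory and the panel never shown, the module starts but parses nothing, because the user's saved choices were never delivered. The durable change is on the factory side, using the settings object passed to the create call; the guard only turns a crash into an explicit default.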
Requesting for simple help (How to install these plugins into Autopsy)

Hi,
I am new to Autopsy and requesting for kind help to have the way to install these plugins into Autopsy.

I have already installed the "NBM" files as well as the Python plugins, but could not find anything for these: how to install them, or which physical location to place these plugins in.

I am using Autopsy 4.19.1 in Windows 10 OS

Thanks in advance,
Mamun

Previously Loaded Plaso Module could not be found

Trying to run Project vic hash ingest module and receive the message above. I tried repairing the Autopsy install, reloaded the Autopsy Python Plugins, redownloaded and copied files to Plaso folder, moving the Json and local db folder in Project vic options. nothing is working. Do I need to install a previous version of something?

Plugin Py

Hello, no Python script appears in Autopsy. Do you know why?

Allow plugins to specify their own icon

Currently all plugins are represented in the tree using the "puzzle piece" icon.
To make the result nodes easier to distinguish it would be nice if plugin developers could specify their own icon for the created nodes.

Prefetch not parsing

I've installed all the Python add-ons and for some reason I am not getting a section with the results. Can you tell me what is going on?

LevelDB Question

Hello, what is the source of the Autopsy-Plugins/Leveldb/leveldb-dump.exe file?

Thanks.

iTunes-BackUp installation

Hi, I can't get iTunes-Backup to run. I've installed the Python files in the python plugin folder but I can't get functionality in Autopsy.
Could you please help me to run this plugin, thanks in advance

Issue after installing newest plugins 1.2 using Exe installer

You are getting the following error after installing the new EXE installer (1.2) of the plugins.

Workflow to add datasource to case stops and will not continue.

You will need to do the following:

Go into the following directories:

C:\Users\<user>\AppData\Roaming\autopsy\config\IngestModuleSettings\org.sleuthkit.autopsy.casemodule.AddImageWizardIngestConfigPanel
and
C:\Users\<user>\AppData\Roaming\autopsy\config\IngestModuleSettings\org.sleuthkit.autopsy.ingest.RunIngestModulesDialog

and delete all the files that start with org.python.proxies. These are the saved settings for the modules, and because the modules have changed and now use the new method, that is why you are getting this error.

You should then be able to add your data source. This should only happen once. If it continues to happen, open an issue.

Problem with Volume Shadow s

I have 4 disks, 2x Ubuntu and 2x Windows 7.
Even when ingesting an Ubuntu datasource, I get a VSS record in the Datasources section.
Another problem is that every time I run ingest on a datasource, a new VSS record is created with the same parameters.

Plaso modules not working on autopsy 4.17/4.18

Hi there,

Having to use Autopsy on Linux, I tried to use your Plaso modules. It seems they are both outdated.

My first attempt was to try the Plaso Module:

[REDACTED]/.autopsy/dev/python_modules/Plaso/Plaso.py", line 147, in startUp
    self.log(Level.INFO, "Plaso directory ==> " + self.local_settings.getSetting('Plaso_Directory'))
AttributeError: 'NoneType' object has no attribute 'getSetting'

Looking at #33 I think pretty much all your plugins relying on self.local_settings.getSetting are impacted (thus not working anymore).

I've never coded a plugin for autopsy so I don't know the inner mechanisms but debugging a bit pointed out that PlasoSettingsWithUISettingsPanel(self.settings) populates correctly the local_settings class variable within:

def getIngestJobSettingsPanel(self, settings):
    if not isinstance(settings, GenericIngestModuleJobSettings):
        raise IllegalArgumentException("Expected settings argument to be instanceof GenericIngestModuleJobSettings")
    self.settings = settings
    return PlasoSettingsWithUISettingsPanel(self.settings)

But in the subsequent call, local_settings is None:

def startUp(self, context):
    self.context = context
    # Show parameters that are passed in
    self.log(Level.INFO, "Plaso directory ==> " + self.local_settings.getSetting('Plaso_Directory'))
    self.log(Level.INFO, "Plaso Storage File ==> " + str(self.local_settings.getSetting('Plaso_Storage_File')))

Because I don't really have the time to take a deep dive in autopsy code, my second attempt was to try to use the Plaso Import Module:

I first executed log2timeline.py on the command line, then hardcoded paths in Plaso_Import.py (as it faces the same problem as aforementioned) but encountered another problem:

INFO: Running program ==> /usr/local/bin/psort.py -o 4n6time_sqlite -w [REDACTED]/ModuleOutput\Plaso_Import\plaso_import.db3 
[REDACTED]/Plaso/20210623T173814-image.raw.plaso
2021-06-24 10:56:43.326 Plaso_ImportIngestModule process
INFO: Output from run is ==> ERROR: Unsupported output format: 4n6time_sqlite

A look at psort.py shows that it does not support 4n6time_sqlite format anymore:

$ /usr/local/bin/psort.py -o list

******************************** Output Modules ********************************
      Name : Description
--------------------------------------------------------------------------------
   dynamic : Dynamic selection of fields for a separated value output format.
   elastic : Saves the events into an Elasticsearch database.
elastic_ts : Saves the events into an Elasticsearch database for use with
             Timesketch.
      json : Saves the events into a JSON format.
 json_line : Saves the events into a JSON line format.
       kml : Saves events with geography data into a KML format.
    l2tcsv : CSV format used by legacy log2timeline, with 17 fixed fields.
    l2ttln : Extended TLN 7 field | delimited output.
      null : Output module that does not output anything.
     rawpy : native (or "raw") Python output.
       tln : TLN 5 field | delimited output.
      xlsx : Excel Spreadsheet (XLSX) output
--------------------------------------------------------------------------------

psort.py version being:

$ /usr/local/bin/psort.py -V
plaso - psort version 20210606

I don't know how much the Autopsy core has changed since these modules were coded, but I guess some other similar problems may be encountered.
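The second failure in this report, psort rejecting `-o 4n6time_sqlite`, is the kind of drift a wrapper can detect before it runs. As an added example (my code, not the Plaso_Import module's and not part of plaso), the Python 3 functions below parse the table that `psort.py -o list` prints, embedded here verbatim from the listing above so the example runs offline, pick the first supported format from a preference list, and assemble the psort argv. The subprocess call is only made when a psort path is supplied; the fallback list and the function names are my choices.

```python
# Added example: check which psort output modules exist before invoking psort.
# PSORT_LIST_OUTPUT is the listing quoted in the report (psort 20210606).
import re
import subprocess

PSORT_LIST_OUTPUT = """\
******************************** Output Modules ********************************
      Name : Description
--------------------------------------------------------------------------------
   dynamic : Dynamic selection of fields for a separated value output format.
   elastic : Saves the events into an Elasticsearch database.
elastic_ts : Saves the events into an Elasticsearch database for use with
             Timesketch.
      json : Saves the events into a JSON format.
 json_line : Saves the events into a JSON line format.
       kml : Saves events with geography data into a KML format.
    l2tcsv : CSV format used by legacy log2timeline, with 17 fixed fields.
    l2ttln : Extended TLN 7 field | delimited output.
      null : Output module that does not output anything.
     rawpy : native (or "raw") Python output.
       tln : TLN 5 field | delimited output.
      xlsx : Excel Spreadsheet (XLSX) output
--------------------------------------------------------------------------------
"""

# One table row: optional indent, module name, " : ", description.
ROW = re.compile(r"^\s*([A-Za-z0-9_]+)\s*:\s(.*)$")


def parse_output_modules(text):
    """Return {name: description} from psort's '-o list' table.

    Lines that start with '*' or '-' are banners; an indented line without
    a name is the continuation of the previous description (elastic_ts).
    """
    modules = {}
    last = None
    for line in text.splitlines():
        if line.startswith("*") or line.startswith("-"):
            continue
        match = ROW.match(line)
        if match and match.group(1) != "Name":
            last = match.group(1)
            modules[last] = match.group(2).strip()
        elif last and line.startswith(" ") and line.strip():
            modules[last] += " " + line.strip()
    return modules


def choose_output_format(available, preferred):
    """First entry of `preferred` that the installed psort supports, else None."""
    for name in preferred:
        if name in available:
            return name
    return None


def list_output_modules(psort_path):
    """Run `psort.py -o list` for the given psort and parse the result."""
    result = subprocess.run([psort_path, "-o", "list"],
                            capture_output=True, text=True, check=False)
    return parse_output_modules(result.stdout)


def build_psort_command(psort_path, available, storage_file, output_file,
                        preferred=("4n6time_sqlite", "json_line", "l2tcsv")):
    """Assemble psort argv using a format the installed psort supports."""
    fmt = choose_output_format(available, preferred)
    if fmt is None:
        raise RuntimeError("none of %s supported by psort" % (preferred,))
    return [psort_path, "-o", fmt, "-w", output_file, storage_file]


if __name__ == "__main__":
    mods = parse_output_modules(PSORT_LIST_OUTPUT)
    print(sorted(mods))
    print(build_psort_command("/usr/local/bin/psort.py", mods,
                              "case.plaso", "plaso_import.jsonl"))
```

The caveat for anyone adapting Plaso_Import this way: falling back to json_line changes the artefact psort writes, so the import step that reads the 4n6time sqlite database has to be rewritten to consume JSON lines; the format check only makes the failure explicit and early. Separately, the `-w` path logged in the report mixes `/` and `\` separators; building it with os.path.join on the host avoids that.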

[request] Yara plugin

Would be great if you could make a YARA plugin. For example run x number of YARA rules against the E01 file.
