Autopsy Python Plugins
I found two problems with the NSIS install script when run on Windows.
Compilation stops on the License_Agreement.txt file; the file was saved again as MSDOS (no Unix line endings).
Some variables are wrong:
CreateDirectory "$APPDATA\Autopsy\Python_modules1\iTunes_Backup"
This is for entries SEC45, 46 and 47.
As stated, I have loaded the volatility plugin in Python's plugin user directory, to test it out with my new build of Autopsy (for Ubuntu 16.04).
When I load Autopsy, I get an exception (file in attachment).
Just for your information.
Regards,
Danilo.
Autopsy_Crash_Python_Plugin.txt
Following my prior post on process_evtx and others failing, I tested export_evtx.exe from a cmd prompt.
Any way of starting this executable resulted in:
export_evtx.exe
Traceback (most recent call last):
File "", line 151, in
IndexError: list index out of range
export_evtx returned -1
Hi,
I've tried to use the Parse_Shellbags module and it works fine, but it seems to only load entries from the ntuser.dat
registry hive found in the user's profile directory.
From my experience, most of the shellbags entries are found in the %localappdata%\Microsoft\Windows\UsrClass.dat
file inside the user profile.
I've tried a dirty filename change at https://github.com/markmckinnon/Autopsy-Plugins/blob/master/Parse_Shellbags/Shellbag_Parser.py#L139 and it seems to work just fine.
Can you possibly integrate a change to have both ntuser.dat and usrclass.dat scanned when running the module?
Thank you
When running ParseEvtx and specifying the event logs which contain spaces in their names:
The plugin separates the name into multiple items and therefore cannot find the files specified:
2022-04-01 07:01:02.482 ParseEvtxDbIngestModule process INFO: List Of Events ==> ['Other', 'Microsoft-Windows-Windows', 'Defender%4Operational.evtx,', 'Microsoft-Windows-Windows', 'Defender%4WHC.evtx'] <== Number of Events ==> 5
I have tried adding a "%20" instead of the space, adding " and ' around the file name but I cannot figure out how to tell the plugin that it's all one word and not to split it in two.
Is this known or a bit of a bug?
Autopsy 4.19.3 / ParseEvtx version 1.5 / Python 3.9.0
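The splitting problem reported above, reproduced and contrasted with a comma-based split, as an added example (not code from the Autopsy-Plugins project; the function names and the sample setting and file names are constructed for illustration):

```python
"""Splitting a user-supplied list of event log names that contain spaces.

Added example, not code from the Autopsy-Plugins project: it reproduces the
behaviour in the log line quoted in the issue and shows a comma-based
alternative. Function names and sample values are constructed.
"""
import csv

# Constructed sample: what a user might type into the module's settings.
# Two of the three names contain a space ("Microsoft-Windows-Windows Defender").
SAMPLE_SETTING = ("Other, Microsoft-Windows-Windows Defender%4Operational.evtx, "
                  "Microsoft-Windows-Windows Defender%4WHC.evtx")

# Constructed sample of the .evtx names present in an image.
AVAILABLE_LOGS = [
    "Application.evtx",
    "Security.evtx",
    "Microsoft-Windows-Windows Defender%4Operational.evtx",
    "Microsoft-Windows-Windows Defender%4WHC.evtx",
]


def split_on_whitespace(setting):
    """The behaviour seen in the issue: str.split() with no separator breaks
    on every run of whitespace, so one name with a space becomes two items
    (and a trailing comma stays glued to the preceding item)."""
    return setting.split()


def split_event_list(setting):
    """Split on commas only. The csv module drops the space after each comma
    (skipinitialspace) and honours double quotes, so a name that itself
    contains a comma can be written as "Some, Name.evtx". Empty items are
    dropped, surrounding whitespace is removed and the order is preserved."""
    reader = csv.reader([setting], skipinitialspace=True)
    return [item.strip() for item in next(reader) if item.strip()]


def match_requested_logs(requested, available):
    """Match requested names against the names found in the image without
    regard to case (NTFS names are case-insensitive) and report what was not
    found, which is what a user needs when the module "cannot find the files".
    Returns (found, missing); found uses the spelling seen in the image."""
    by_lower = {name.lower(): name for name in available}
    found, missing = [], []
    for name in requested:
        hit = by_lower.get(name.lower())
        (found if hit else missing).append(hit or name)
    return found, missing


if __name__ == "__main__":
    print("whitespace split :", split_on_whitespace(SAMPLE_SETTING))
    names = split_event_list(SAMPLE_SETTING)
    print("comma split      :", names)
    print("found / missing  :", match_requested_logs(names, AVAILABLE_LOGS))
```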
Good afternoon, Mark,
I'm your follower because of Autopsy :-)
I would have some requests for help in using this forensic tool, being a RAM dump analysis technician, and so I would like to try to get some useful results. First I would like to start by talking about the results obtained with the Volatility Dump Files Module, thanks also to your article (https://medium.com/@markmckinnon_80619/volatility-autopsy-plugin-module-8beecea6396) ... in the "Module Output" folder of my processed case I can extract contents with .dat, .iso and other formats ... the question I ask is how can I make them available and usable by retrieving the files (.doc, .docx, .xls, .xlsx, .pdf, .txt ...)? This result would be very important for me!
Mark, can I ask you why the results of the (very useful) forms, except "Extracted Content", are not displayed in the Autopsy graphical results tree?
Would love to see a plugin that parses the chat from a RingCentral Session. By default the chat log is stored \Documents\RingCentral\Meetings and then a Separate folder for each session named by Date/Time and Ten Digit Room ID (Ex: 2020-05-27 20.39.09 RingCentral Meeting XXXXXXXXXX).
Hi,
I am running Autopsy 4.14 on Tsurugi, and am trying to parse a Windows image just running the Jump_List module. I am getting the following error:
Traceback (most recent call last):
File "/root/.autopsy/dev/python_modules/Jump_List_AD/JumpList_AD.py", line 303, in process
output = subprocess.Popen([self.path_to_exe, temp_dir, os.path.join(Temp_Dir, "JL_AD.db3"), self.path_to_app_id_db], stdout=subprocess.PIPE).communicate()[0]
File "/opt/autopsy/autopsy/modules/ext/jython-standalone-2.7.0.jar/Lib/subprocess.py", line 830, in init
File "/opt/autopsy/autopsy/modules/ext/jython-standalone-2.7.0.jar/Lib/subprocess.py", line 1352, in _execute_child
OSError: Cannot run program "/root/.autopsy/dev/python_modules/Jump_List_AD/Export_JL_Ad" (in directory "/home/jon"): error=13, Permission denied
Hello,
I've been trying to use the FileHistory plugin to no avail. I've tried two different sets of data as logical files (two sets of Catalog1.edb, Catalog2.edb, Config1.xml, Config2.xml from different machines), I've also tried running it on a data source (which I created in a virtual machine specifically as a File History drive) in the form of a raw image file.
Unfortunately, it just doesn't seem to take... I'll get the ingest message/notification that the plugin is done, but no artifacts are generated and I don't see anything in the Extracted Content "folder". I've also tested this on Autopsy 4.3 as well as 4.15, for what it's worth.
I would be grateful for any ideas, but could you let me know which version of Python the plugin was designed with, or perhaps which version you know works? Being able to replicate a known configuration would be very much appreciated.
Thank you for all your work with these plugins!
Autopsy ver 4.16.0
Sleuthkit 4.10.0
O/S: Debian 10
Have extracted a user's Mail directory from a Mac to a TAR archive.
Then ingested that archive to Autopsy.
The log file says:
INFO: Mac_Mail analysis of LogicalFileSet1 (pipeline=7) starting
2020-11-25 13:51:54.54 ProcessMacMailIngestModule process
INFO: found 0 files
2020-11-25 13:51:54.546 ProcessMacMailIngestModule process
INFO: User Paths to get emlx files from ==> []
2020-11-25 13:51:54.547 org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline process
INFO: Mac_Mail analysis of LogicalFileSet1 (pipeline=7) finished
Checked the python code and see that the "/Users" directory is parsed.
Would be enough to copy the Mail directory using the complete PATH from / instead?
Regards,
Johan
I tried your new VSS plugin with Autopsy 4.5
Unfortunately after nearly 3 days, it showed no progress and no CPU or Disk activity. I had to kill Autopsy via the Task Manager to get out.
SEVERE: Failed to load PlasoIngestModuleFactory from C:\Users\Administrator\AppData\Roaming\autopsy\python_modules\Plaso\Plaso.py
Traceback (most recent call last):
File "", line 1, in
File "C:\Users\Administrator\AppData\Roaming\autopsy\python_modules\Plaso\Plaso.py", line 74, in
from org.sleuthkit.autopsy.ingest import GenericIngestModuleJobSettings
ImportError: cannot import name GenericIngestModuleJobSettings
org.python.core.Py.ImportError(Py.java:328)
org.python.core.imp.importFromAs(imp.java:1168)
org.python.core.imp.importFrom(imp.java:1132)
Plaso$py.f$0(C:\Users\Administrator\AppData\Roaming\autopsy\python_modules\Plaso\Plaso.py:435)
Plaso$py.call_function(C:\Users\Administrator\AppData\Roaming\autopsy\python_modules\Plaso\Plaso.py)
Good day sir!
When running the Parse SAM option within the Windows Internals plugin, the plugin runs with no problem. However, the source is the SAM file in the RegBack folder and not config. Is this intentional?
I encounter an issue trying to make the Volatility plugin work on Autopsy.
I have autopsy-4.19.1. volatility and volatility3 are already installed locally on my computer (and working).
When asked in the Autopsy parameters to select the Executable Directory, I'm not sure what to do. I tried selecting vol.py in the directory of volatility 2.6, or just the parent directory...
...but every time I get the same error:
What am I doing wrong?
Short on time, I meant to run Autopsy and the Autopsy-Plugins on MS Windows since these have installers.
Two modules are of interest at this time (with Python 3.9).
Running the modules from the command line shows for both modules (one example only):
Parse_Evtx_By_EventID.py", line 42, in
import jarray
ModuleNotFoundError: No module named 'jarray'
Got an index out of range error on an image at this line:
https://github.com/markmckinnon/Autopsy-Plugins/blob/master/Process_EVTX/ParseEvtx.py#L283
I used default settings, which looks like it didn't select any types. Looks like the process() method should do nothing in that case.
Hi @markmckinnon; I'm a bit new to Autopsy. I can't figure out how to get your SQLite python plugins to work (or maybe they are and I can't tell). I think your plugins give me a way of displaying SQLite content directly in Autopsy. Unfortunately I can't figure out how to run them and every time I run the ingest module I get nothing under Extracted Content. Could you create a readme file on how to run some of your modules. If you don't want to write them down and would prefer to just tell me I can write README files for the plugins I use. Thanks!
Edit:
I guess it is also worth mentioning that I am currently running on Ubuntu and have Autopsy running out of Netbeans. I am developing some plugins of my own.
Dead link points to https://medium.com/@markmckinnon_80619
Here is the traceback:
Traceback (most recent call last):
File "/home/sansforensics/.autopsy/dev/python_modules/Volatility/Volatility_Dump.py", line 120, in getIngestJobSettingsPanel
return VolatilitySettingsWithUISettingsPanel(self.settings)
File "/home/sansforensics/.autopsy/dev/python_modules/Volatility/Volatility_Dump.py", line 613, in init
self.initComponents()
File "/home/sansforensics/.autopsy/dev/python_modules/Volatility/Volatility_Dump.py", line 938, in initComponents
self.Plugin_LB = JList( self.Plugin_list, valueChanged=self.onchange_plugins_lb)
TypeError: javax.swing.JList(): 1st arg can't be coerced to java.util.Vector, java.lang.Object[], javax.swing.ListModel
On my system (Windows Server 2019, Autopsy 4.12), when I try to run ingest modules with settings (Amcache,
EVTX...) in the UI, the module will not run, and I found this error to be more or less generic.
if self.local_settings.getSetting('associateFileEntries') =='true': seems to be the culprit:
SEVERE: Error starting Parse Amcache ingest module for job 3
Traceback (most recent call last):
File "C:\Users\Administrator\AppData\Roaming\autopsy\python_modules\Process_Amcache\ParseAmcache.py", line 157, in startUp
if self.local_settings.getSetting('associateFileEntries') =='true':
AttributeError: 'NoneType' object has no attribute 'getSetting'
2020-03-14 13:31:24.411 org.sleuthkit.autopsy.ingest.IngestManager startIngestJob SEVERE: Ingest job 3 could not be started
It looks like the values are undefined when the code gets there, and if I manually edit the code, like commenting out the code that selects the options I would like to run, the module works:
if self.local_settings.getSetting('associateFileEntries') =='true':
    self.List_Of_tables.append('associated_file_entries')
if self.local_settings.getSetting('programEntries') == 'true':
    self.List_Of_tables.append('program_entries')
if self.local_settings.getSetting('unassociatePrograms') == 'true':
    self.List_Of_tables.append('unassociated_programs')
Hi,
I am new to Autopsy and am requesting kind help on how to install these plugins into Autopsy.
I have already installed the "NBM" files as well as the Python plugins, but could not find anything for these on how to install them or which physical location to place these plugins in.
I am using Autopsy 4.19.1 on Windows 10.
Thanks in advance,
Mamun
I got an error on this line on a disk image. I think it needs to be inside the loop so it is closed for each table and only closed if there are tables. I think my image didn't have tables.
https://github.com/markmckinnon/Autopsy-Plugins/blob/master/Process_Amcache/ParseAmcache.py#L322
Trying to run the Project Vic hash ingest module and receive the message above. I tried repairing the Autopsy install, reloading the Autopsy Python Plugins, redownloading and copying the files to the Plaso folder, and moving the JSON and local db folder in the Project Vic options. Nothing is working. Do I need to install a previous version of something?
Currently all plugins are represented in the tree using the "puzzle piece" icon.
To make the result nodes easier to distinguish it would be nice if plugin developers could specify their own icon for the created nodes.
I've installed all the python add-ons and for some reason I am not getting a section with the results. Can you tell me what is going on?
Hello, what is the source of the Autopsy-Plugins/Leveldb/leveldb-dump.exe file?
Thanks.
Hello,
when I first used your SQLite plugin, I didn't realize that I have to click the checkbox after I filled in the text field and I wondered why it didn't work.
My suggestion is that you put line 361 in the getSettings(self) method in line 404. Thus, the content is always added.
Kind regards,
FHantke
As a user a quick overview of the plugins and a more detailed summary inside of the plugin directory would be really useful for getting started.
Edit: Anyone else feel free to edit and help as well.
Hello,
the QNX Plugin doesn't work, it doesn't extract files.
KR
Hi, I can't get iTunes-Backup to run. I've installed the python files in the python plugin folder but I can't get the functionality in Autopsy.
Could you please help me to run this plugin, thanks in advance
It would be better to have a "contains" operator for filtering Event Detail.
For example, one needs to find event logs related to a specific process name.
You are getting the following error after installing the new EXE installer (1.2) of the plugins.
Workflow to add datasource to case stops and will not continue.
You will need to do the following:
Go into the following directories:
C:\Users\<user>\AppData\Roaming\autopsy\config\IngestModuleSettings\org.sleuthkit.autopsy.casemodule.AddImageWizardIngestConfigPanel
and
C:\Users\<user>\AppData\Roaming\autopsy\config\IngestModuleSettings\org.sleuthkit.autopsy.ingest.RunIngestModulesDialog
and delete all the files that start with org.python.proxies. These are the settings for the modules, and because they have been changed and now use the new method, that is why you are getting this error.
You should then be able to add your data source. This should only happen once. If it continues to happen, open an issue.
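The clean-up described above as a script, added here as an example (not part of the plugin installer): it looks only in the two settings directories named above, under %APPDATA%, lists the matching files by default and deletes them only when run with --delete. The function names and the constructed temporary tree in demo_in_temp_dir() are ours.

```python
"""Find and remove the stale org.python.proxies.* ingest-module settings files.

Added example, not part of the plugin installer. The two directories are the
ones named in the instructions, relative to %APPDATA% (the user's Roaming
AppData folder). Runs as a dry run unless --delete is given.
"""
import os
import sys
import tempfile

SETTINGS_BASE = os.path.join("autopsy", "config", "IngestModuleSettings")
SETTINGS_DIRS = (
    os.path.join(SETTINGS_BASE,
                 "org.sleuthkit.autopsy.casemodule.AddImageWizardIngestConfigPanel"),
    os.path.join(SETTINGS_BASE, "org.sleuthkit.autopsy.ingest.RunIngestModulesDialog"),
)
STALE_PREFIX = "org.python.proxies"


def find_stale_settings(appdata):
    """Return the full paths of files whose name starts with org.python.proxies
    in the two settings directories. Only plain files directly inside those
    directories are considered; nothing else under config is touched."""
    stale = []
    for rel in SETTINGS_DIRS:
        directory = os.path.join(appdata, rel)
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            if name.startswith(STALE_PREFIX) and os.path.isfile(path):
                stale.append(path)
    return stale


def remove_stale_settings(appdata, dry_run=True):
    """Delete the stale files (or only list them when dry_run is True) and
    return the paths that were, or would be, removed."""
    stale = find_stale_settings(appdata)
    if not dry_run:
        for path in stale:
            os.remove(path)
    return stale


def demo_in_temp_dir():
    """Self-contained check on a constructed settings tree: one stale file per
    directory plus one unrelated file per directory that must survive."""
    with tempfile.TemporaryDirectory() as appdata:
        for rel in SETTINGS_DIRS:
            directory = os.path.join(appdata, rel)
            os.makedirs(directory)
            for name in (STALE_PREFIX + ".Example$1.settings", "keep.settings"):
                with open(os.path.join(directory, name), "w") as fh:
                    fh.write("constructed sample\n")
        previewed = remove_stale_settings(appdata, dry_run=True)   # nothing deleted yet
        removed = remove_stale_settings(appdata, dry_run=False)    # now deleted
        leftover = sorted(name for rel in SETTINGS_DIRS
                          for name in os.listdir(os.path.join(appdata, rel)))
        return {"previewed": len(previewed), "removed": len(removed),
                "same_set": previewed == removed, "leftover": leftover}


if __name__ == "__main__":
    appdata = os.environ.get("APPDATA")
    if not appdata:
        print("APPDATA is not set; run this on the Windows machine where Autopsy is installed.")
        sys.exit(1)
    dry = "--delete" not in sys.argv
    for path in remove_stale_settings(appdata, dry_run=dry):
        print(("would remove: " if dry else "removed: ") + path)
```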
Autopsy 4.16.0
Sleuthkit 4.10.0
O/S: Debian 10
Mac_mail plugin exits after an exception regarding a malformed email address, see attached log (I have truncated some parts).
It looks like it processes a few items before it finds one which causes the exception.
Source data is a user's emlx email from a MacBook Pro, OSX High Sierra.
Regards,
Johan
Hi there,
having to use autopsy on Linux, I tried to use your Plaso modules. It seems they are both outdated.
My first attempt was to try the Plaso Module:
[REDACTED]/.autopsy/dev/python_modules/Plaso/Plaso.py", line 147, in startUp
self.log(Level.INFO, "Plaso directory ==> " + self.local_settings.getSetting('Plaso_Directory'))
AttributeError: 'NoneType' object has no attribute 'getSetting'
Looking at #33 I think pretty much all your plugins relying on self.local_settings.getSetting are impacted (thus not working anymore).
I've never coded a plugin for autopsy so I don't know the inner mechanisms, but debugging a bit pointed out that PlasoSettingsWithUISettingsPanel(self.settings) populates correctly the local_settings class variable within:
Autopsy-Plugins/Plaso/Plaso.py Lines 112 to 116 in 103f59a
But in the subsequent call, local_settings is None:
Autopsy-Plugins/Plaso/Plaso.py Lines 143 to 148 in 103f59a
Because I don't really have the time to take a deep dive in autopsy code, my second attempt was to try to use the Plaso Import Module:
I first executed log2timeline.py on the command line, then hardcoded paths in Plaso_Import.py (as it faces the same problem as aforementioned) but encountered another problem:
INFO: Running program ==> /usr/local/bin/psort.py -o 4n6time_sqlite -w [REDACTED]/ModuleOutput\Plaso_Import\plaso_import.db3
[REDACTED]/Plaso/20210623T173814-image.raw.plaso
2021-06-24 10:56:43.326 Plaso_ImportIngestModule process
INFO: Output from run is ==> ERROR: Unsupported output format: 4n6time_sqlite
A look at psort.py shows that it does not support the 4n6time_sqlite format anymore:
$ /usr/local/bin/psort.py -o list
******************************** Output Modules ********************************
Name : Description
--------------------------------------------------------------------------------
dynamic : Dynamic selection of fields for a separated value output format.
elastic : Saves the events into an Elasticsearch database.
elastic_ts : Saves the events into an Elasticsearch database for use with
Timesketch.
json : Saves the events into a JSON format.
json_line : Saves the events into a JSON line format.
kml : Saves events with geography data into a KML format.
l2tcsv : CSV format used by legacy log2timeline, with 17 fixed fields.
l2ttln : Extended TLN 7 field | delimited output.
null : Output module that does not output anything.
rawpy : native (or "raw") Python output.
tln : TLN 5 field | delimited output.
xlsx : Excel Spreadsheet (XLSX) output
--------------------------------------------------------------------------------
psort.py version being:
$ /usr/local/bin/psort.py -V
plaso - psort version 20210606
I don't know how much the autopsy core changed since these modules were coded, but I guess some other similar problems may be encountered.
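One way to make startUp() tolerate a missing settings object, covering both the Amcache report above (the associateFileEntries checks) and this Plaso one, as an added example that is not the project's own code: FakeJobSettings stands in for Autopsy's GenericIngestModuleJobSettings so the block runs under plain Python, and treating "no settings at all" as "every table selected" is our assumption, not the module's documented behaviour.

```python
"""Defensive access to ingest-module job settings, so startUp() does not raise
AttributeError when local_settings is None.

Added example, not the project's code. In a real Autopsy module local_settings
is a GenericIngestModuleJobSettings whose getSetting(key) returns the stored
string or None; FakeJobSettings below stands in for it. The setting keys and
table names are those in the Amcache and Plaso tracebacks; the "no settings
means every table" fallback is an assumption made for this example.
"""

# (settings key, Amcache table) pairs from the startUp() code quoted in the issue.
AMCACHE_TABLES = (
    ("associateFileEntries", "associated_file_entries"),
    ("programEntries", "program_entries"),
    ("unassociatePrograms", "unassociated_programs"),
)


class FakeJobSettings:
    """Stand-in for GenericIngestModuleJobSettings, constructed for this example."""

    def __init__(self, **values):
        self._values = dict(values)

    def getSetting(self, key):
        return self._values.get(key)


def get_setting(settings, key, default=None):
    """Read one setting, returning default when the settings object is None
    (the state in both tracebacks) or when the key was never stored."""
    if settings is None:
        return default
    value = settings.getSetting(key)
    return default if value is None else str(value)


def is_enabled(settings, key):
    """Checkbox settings are stored as the strings 'true' / 'false'."""
    return get_setting(settings, key, "false").lower() == "true"


def selected_amcache_tables(settings):
    """Tables the Amcache module should parse. With no settings object at all,
    fall back to every table (assumed default) instead of crashing in startUp()."""
    if settings is None:
        return [table for _, table in AMCACHE_TABLES]
    return [table for key, table in AMCACHE_TABLES if is_enabled(settings, key)]


def plaso_directory_message(settings):
    """The log line from the Plaso traceback, built without concatenating None."""
    return "Plaso directory ==> " + get_setting(settings, "Plaso_Directory", "<not configured>")


if __name__ == "__main__":
    print(selected_amcache_tables(None))
    print(selected_amcache_tables(FakeJobSettings(associateFileEntries="true")))
    print(plaso_directory_message(None))
    print(plaso_directory_message(FakeJobSettings(Plaso_Directory="/opt/plaso")))
```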
Would be great if you could make a YARA plugin. For example run x number of YARA rules against the E01 file.