Comments (23)
from autopsy-plugins.
You cannot run the Autopsy Python modules outside of Autopsy. They will only run utilizing Autopsy. If a module has an exe file in it then you can run that passing it any parameters that are needed, these programs are specific to run with Autopsy so they may have issues running outside of begin called by Autopsy. The plugin modules will only run with jython 2.7 which is what Autopsy uses. As for the ingest module startup error when you ran the two (2) modules did you provide any input in the ingest options panel for them? That might be why you are getting that issue.
I'll try again. To my understanding the source renamed the .evtx files to include a hostname, so "security.evtx" now reads "hostname security.evtx". I assume that is where it breaks.
from autopsy-plugins.
If the event logs have been renamed to something else you can also specify them in the other field and that should handle them being renamed.
Sadly, no. In despair I also clicked on 'extract file(s)', to no avail.
What I do is select 'other' and write hostname_security.evtx in the box below; the result is the same.
To make sure, I also ran 'repair' to verify Autopsy is not broken.
from autopsy-plugins.
2021-02-15 13:57:24.974 org.sleuthkit.autopsy.ingest.IngestManager startIngestJob
SEVERE: Error starting ParseEvtx ingest module for job 0
Traceback (most recent call last):
File "C:\Users\myforensicuser\AppData\Roaming\autopsy\python_modules\Process_EVTX\ParseEvtx.py", line 159, in startUp
if self.local_settings.getSetting('All') == 'true':
AttributeError: 'NoneType' object has no attribute 'getSetting'
org.python.core.Py.AttributeError(Py.java:205)
org.python.core.PyObject.noAttributeError(PyObject.java:1013)
org.python.core.PyObject.__getattr__(PyObject.java:1008)
ParseEvtx$py.startUp$14(C:\Users\myforensicuser\AppData\Roaming\autopsy\python_modules\Process_EVTX\ParseEvtx.py:178)
ParseEvtx$py.call_function(C:\Users\myforensicuser\AppData\Roaming\autopsy\python_modules\Process_EVTX\ParseEvtx.py)
org.python.core.PyTableCode.call(PyTableCode.java:167)
org.python.core.PyBaseCode.call(PyBaseCode.java:307)
org.python.core.PyBaseCode.call(PyBaseCode.java:198)
org.python.core.PyFunction.__call__(PyFunction.java:482)
org.python.core.PyMethod.instancemethod___call__(PyMethod.java:237)
org.python.core.PyMethod.__call__(PyMethod.java:228)
org.python.core.PyMethod.__call__(PyMethod.java:218)
org.python.core.PyMethod.__call__(PyMethod.java:213)
org.python.core.PyObject._jcallexc(PyObject.java:3626)
org.python.proxies.ParseEvtx$ParseEvtxDbIngestModule$683.startUp(Unknown Source)
org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$PipelineModule.startUp(DataSourceIngestPipeline.java:192)
org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline.startUp(DataSourceIngestPipeline.java:81)
org.sleuthkit.autopsy.ingest.IngestJobPipeline.startUpIngestPipelines(IngestJobPipeline.java:551)
org.sleuthkit.autopsy.ingest.IngestJobPipeline.start(IngestJobPipeline.java:515)
org.sleuthkit.autopsy.ingest.IngestJob.start(IngestJob.java:213)
org.sleuthkit.autopsy.ingest.IngestManager.startIngestJob(IngestManager.java:435)
org.sleuthkit.autopsy.ingest.IngestManager$StartIngestJobTask.call(IngestManager.java:930)
org.sleuthkit.autopsy.ingest.IngestManager$StartIngestJobTask.call(IngestManager.java:893)
java.util.concurrent.FutureTask.run(FutureTask.java:266)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
java.lang.Thread.run(Thread.java:748)
2021-02-15 13:57:24.99 org.sleuthkit.autopsy.ingest.IngestManager startIngestJob
SEVERE: Error starting ParseEvtxByEventID ingest module for job 0
Traceback (most recent call last):
File "C:\Users\myforensicuser\AppData\Roaming\autopsy\python_modules\Process_EVTX_By_EventID\Parse_Evtx_By_EventID.py", line 158, in startUp
if self.local_settings.getSetting('All') == 'true':
AttributeError: 'NoneType' object has no attribute 'getSetting'
org.python.core.Py.AttributeError(Py.java:205)
org.python.core.PyObject.noAttributeError(PyObject.java:1013)
org.python.core.PyObject.__getattr__(PyObject.java:1008)
Parse_Evtx_By_EventID$py.startUp$14(C:\Users\myforensicuser\AppData\Roaming\autopsy\python_modules\Process_EVTX_By_EventID\Parse_Evtx_By_EventID.py:175)
Parse_Evtx_By_EventID$py.call_function(C:\Users\myforensicuser\AppData\Roaming\autopsy\python_modules\Process_EVTX_By_EventID\Parse_Evtx_By_EventID.py)
org.python.core.PyTableCode.call(PyTableCode.java:167)
org.python.core.PyBaseCode.call(PyBaseCode.java:307)
org.python.core.PyBaseCode.call(PyBaseCode.java:198)
org.python.core.PyFunction.__call__(PyFunction.java:482)
org.python.core.PyMethod.instancemethod___call__(PyMethod.java:237)
org.python.core.PyMethod.__call__(PyMethod.java:228)
org.python.core.PyMethod.__call__(PyMethod.java:218)
org.python.core.PyMethod.__call__(PyMethod.java:213)
org.python.core.PyObject._jcallexc(PyObject.java:3626)
org.python.proxies.Parse_Evtx_By_EventID$ParseEvtxByEventIDIngestModule$686.startUp(Unknown Source)
org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$PipelineModule.startUp(DataSourceIngestPipeline.java:192)
org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline.startUp(DataSourceIngestPipeline.java:81)
org.sleuthkit.autopsy.ingest.IngestJobPipeline.startUpIngestPipelines(IngestJobPipeline.java:551)
org.sleuthkit.autopsy.ingest.IngestJobPipeline.start(IngestJobPipeline.java:515)
org.sleuthkit.autopsy.ingest.IngestJob.start(IngestJob.java:213)
org.sleuthkit.autopsy.ingest.IngestManager.startIngestJob(IngestManager.java:435)
org.sleuthkit.autopsy.ingest.IngestManager$StartIngestJobTask.call(IngestManager.java:930)
org.sleuthkit.autopsy.ingest.IngestManager$StartIngestJobTask.call(IngestManager.java:893)
java.util.concurrent.FutureTask.run(FutureTask.java:266)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
java.lang.Thread.run(Thread.java:748)
2021-02-15 13:57:24.994 org.sleuthkit.autopsy.ingest.IngestManager startIngestJob
from autopsy-plugins.
Try this and see if it works.
Go into the following directories:
C:\Users\<user>\AppData\Roaming\autopsy\config\IngestModuleSettings\org.sleuthkit.autopsy.casemodule.AddImageWizardIngestConfigPanel
and
C:\Users\<user>\AppData\Roaming\autopsy\config\IngestModuleSettings\org.sleuthkit.autopsy.ingest.RunIngestModulesDialog
and delete all the files that start with org.python.proxies. These are the settings for the modules, and because they have been changed and are now using the new method, that is why you are getting this error.
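The clean-up above can be scripted so that the stale settings files are moved aside rather than deleted, which keeps them recoverable if a later comment turns out to need them. This is an added example, not part of the autopsy-plugins project or of Autopsy; it assumes the directory layout quoted in the comment (%APPDATA%\autopsy\config\IngestModuleSettings\<panel>\) and that any file whose name starts with "org.python.proxies" is a serialized settings object for a Python module.

```python
"""Quarantine stale Jython ingest-module settings files instead of deleting them.

Added example (not autopsy-plugins code). Assumed layout, from the thread:
  <APPDATA>\autopsy\config\IngestModuleSettings\<panel>\org.python.proxies.*
"""
import os
import shutil
import time

# The two panel directories named in the thread; other panels are left alone.
PANELS = (
    "org.sleuthkit.autopsy.casemodule.AddImageWizardIngestConfigPanel",
    "org.sleuthkit.autopsy.ingest.RunIngestModulesDialog",
)
STALE_PREFIX = "org.python.proxies"


def default_settings_root():
    """%APPDATA% is C:\\Users\\<user>\\AppData\\Roaming on Windows."""
    appdata = os.environ.get("APPDATA", os.path.expanduser("~"))
    return os.path.join(appdata, "autopsy", "config", "IngestModuleSettings")


def find_stale_settings(root, panels=PANELS):
    """Return full paths of org.python.proxies.* files under the given panels."""
    found = []
    for panel in panels:
        panel_dir = os.path.join(root, panel)
        if not os.path.isdir(panel_dir):
            continue
        for name in sorted(os.listdir(panel_dir)):
            path = os.path.join(panel_dir, name)
            if name.startswith(STALE_PREFIX) and os.path.isfile(path):
                found.append(path)
    return found


def quarantine_stale_settings(root, backup_root, panels=PANELS):
    """Move stale files to backup_root/<timestamp>/<panel>/ and return (src, dst) pairs.

    Autopsy repopulates these files from the ingest options panel on the next
    run, so moving them is equivalent to deleting them from Autopsy's point of
    view while leaving a copy you can restore.
    """
    stamp = time.strftime("%Y%m%d-%H%M%S")
    moves = []
    for src in find_stale_settings(root, panels):
        panel = os.path.basename(os.path.dirname(src))
        dst_dir = os.path.join(backup_root, stamp, panel)
        os.makedirs(dst_dir, exist_ok=True)
        dst = os.path.join(dst_dir, os.path.basename(src))
        shutil.move(src, dst)
        moves.append((src, dst))
    return moves


if __name__ == "__main__":
    root = default_settings_root()
    backup = os.path.join(os.path.dirname(root), "IngestModuleSettings.bak")
    for src, dst in quarantine_stale_settings(root, backup):
        print("moved", src, "->", dst)
```

Run it with Autopsy closed; it only touches files whose names start with org.python.proxies in the two panel directories, so settings for Autopsy's built-in Java modules are untouched.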
from autopsy-plugins.
org.sleuthkit.autopsy.casemodule.AddImageWizardIngestConfigPanel contained 2 such files.
org.sleuthkit.autopsy.ingest.RunIngestModulesDialog contained 0 such files.
An improvement I noticed is that the filenames in Other are now preserved.
Can I delete all such org.python.proxies files? I notice there are plenty under autopsy\config\IngestModuleSettings.
from autopsy-plugins.
2021-02-15 15:35:40.143 org.sleuthkit.autopsy.ingest.IngestManager startIngestJob
SEVERE: Error starting ParseEvtx ingest module for job 0
Traceback (most recent call last):
File "C:\Users\myforensicuser\AppData\Roaming\autopsy\python_modules\Process_EVTX\ParseEvtx.py", line 159, in startUp
if self.local_settings.getSetting('All') == 'true':
AttributeError: 'NoneType' object has no attribute 'getSetting'
org.python.core.Py.AttributeError(Py.java:205)
org.python.core.PyObject.noAttributeError(PyObject.java:1013)
org.python.core.PyObject.__getattr__(PyObject.java:1008)
ParseEvtx$py.startUp$14(C:\Users\myforensicuser\AppData\Roaming\autopsy\python_modules\Process_EVTX\ParseEvtx.py:178)
ParseEvtx$py.call_function(C:\Users\myforensicuser\AppData\Roaming\autopsy\python_modules\Process_EVTX\ParseEvtx.py)
org.python.core.PyTableCode.call(PyTableCode.java:167)
org.python.core.PyBaseCode.call(PyBaseCode.java:307)
org.python.core.PyBaseCode.call(PyBaseCode.java:198)
org.python.core.PyFunction.__call__(PyFunction.java:482)
org.python.core.PyMethod.instancemethod___call__(PyMethod.java:237)
org.python.core.PyMethod.__call__(PyMethod.java:228)
org.python.core.PyMethod.__call__(PyMethod.java:218)
org.python.core.PyMethod.__call__(PyMethod.java:213)
org.python.core.PyObject._jcallexc(PyObject.java:3626)
org.python.proxies.ParseEvtx$ParseEvtxDbIngestModule$559.startUp(Unknown Source)
org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$PipelineModule.startUp(DataSourceIngestPipeline.java:192)
org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline.startUp(DataSourceIngestPipeline.java:81)
org.sleuthkit.autopsy.ingest.IngestJobPipeline.startUpIngestPipelines(IngestJobPipeline.java:551)
org.sleuthkit.autopsy.ingest.IngestJobPipeline.start(IngestJobPipeline.java:515)
org.sleuthkit.autopsy.ingest.IngestJob.start(IngestJob.java:213)
org.sleuthkit.autopsy.ingest.IngestManager.startIngestJob(IngestManager.java:435)
org.sleuthkit.autopsy.ingest.IngestManager$StartIngestJobTask.call(IngestManager.java:930)
org.sleuthkit.autopsy.ingest.IngestManager$StartIngestJobTask.call(IngestManager.java:893)
java.util.concurrent.FutureTask.run(FutureTask.java:266)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
java.lang.Thread.run(Thread.java:748)
from autopsy-plugins.
Yes, you can. These files store the information from prior runs of the ingest modules so they will be populated with the information on your next run.
from autopsy-plugins.
When you installed the plugins how did you install them?
from autopsy-plugins.
I used the installer; however, the installer does not permit me to specify the correct path, so I copied them from one profile to the other AppData folder.
from autopsy-plugins.
The installer should put it into the correct path for the user that is installing it. It assumes that if you are installing it then you will also have Autopsy installed and be the user. Which version of the installer?
from autopsy-plugins.
Pretty sure I downloaded version 1.3 (155MB).
What I also tried was to create a backup and copy a .zip download into the python_modules folder under APPDATA.
from autopsy-plugins.
Thanks again. No specific version is mentioned in the filename; 155MB size.
Since I don't see mention of 4.17 under https://github.com/markmckinnon/autopsy I'd also want to make sure this should not cause any issue?
from autopsy-plugins.
I just ran the evtx plugins on Autopsy 4.17 and they did not have issues.
from autopsy-plugins.
I've reinstalled Autopsy before and reinstalled the plugins; same problem.
The logs show 'Unknown Source' in org.python.proxies.ParseEvtx$ParseEvtxDbIngestModule$559.startUp(Unknown Source) and AttributeError: 'NoneType' object has no attribute 'getSetting'.
I don't see what I could be doing wrong. The evtx files are not easy to rename because they come from different machines.
My concern is that when I reinstall Autopsy now I will lose all the configuration I put into it.
from autopsy-plugins.
Okay, ParseEvtx is running. I have no idea why. I did rename 'hostname_security.evtx' to 'security.evtx'.
What I did was:
[ run ingest modules ] [ custom ... ] [ deselect all ] [ select process evtx ] [ select all log files ] [ select security.evtx ]
from autopsy-plugins.
If you want to use names that are not standard, i.e. you have security.evtx from other machines and they are named host1_security.evtx, then you can use the Other check box and list all the event logs separated by commas to look at those. If that does not work right, deselect and reselect the "Other" checkbox.
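The two failure modes discussed in this thread are (1) startUp() dereferencing self.local_settings while it is None, which is what every traceback above shows at the getSetting('All') line, and (2) log files renamed to host1_security.evtx or "hostname security.evtx" no longer matching the standard names unless they are listed in the Other box. The sketch below is an added example, not the Process_EVTX plugin's own code: it shows a None-guarded startUp() for an Autopsy Jython data-source module and a matching rule for the Other list. The setting keys "Other" and "OtherList", the STANDARD_LOGS set, and the suffix-matching rule (a file matches when its name ends with "_<log>" or " <log>") are assumptions for illustration; only the key "All" and GenericIngestModuleJobSettings come from the thread and the Autopsy API. The stand-in class is used so the example also runs outside Autopsy.

```python
"""Defensive settings handling for an Autopsy Jython data-source ingest module.

Added example, not the Process_EVTX plugin's code. Keys "Other"/"OtherList",
STANDARD_LOGS and the suffix-matching rule are assumptions for illustration.
"""
import re

try:  # the real class when running under Autopsy's Jython
    from org.sleuthkit.autopsy.ingest import GenericIngestModuleJobSettings
except ImportError:  # minimal stand-in so the example also runs in plain Python
    class GenericIngestModuleJobSettings(object):
        def __init__(self):
            self._settings = {}

        def getSetting(self, key):
            return self._settings.get(key)

        def setSetting(self, key, value):
            self._settings[key] = value

STANDARD_LOGS = ("Application.evtx", "Security.evtx", "System.evtx")  # assumed set


def settings_or_default(local_settings):
    """Return a usable settings object.

    A None here is what the thread's tracebacks show (a saved panel state that
    could not be restored); fall back to processing all logs instead of crashing.
    """
    if local_settings is None:
        local_settings = GenericIngestModuleJobSettings()
        local_settings.setSetting("All", "true")
    return local_settings


def parse_other(text):
    """Split the Other box on commas or newlines and drop blank entries."""
    if not text:
        return []
    return [t.strip() for t in re.split(r"[,\r\n]+", text) if t.strip()]


def wanted_logs(local_settings):
    """Log names the run should look for, derived from the panel settings."""
    local_settings = settings_or_default(local_settings)
    if local_settings.getSetting("All") == "true":
        return list(STANDARD_LOGS)
    wanted = [n for n in STANDARD_LOGS if local_settings.getSetting(n) == "true"]
    if local_settings.getSetting("Other") == "true":
        wanted.extend(parse_other(local_settings.getSetting("OtherList")))
    return wanted


def _matches(lower_name, target):
    # Exact name, or the standard name carrying a host prefix such as
    # "host1_security.evtx" or "hostname security.evtx".
    return (lower_name == target
            or lower_name.endswith("_" + target)
            or lower_name.endswith(" " + target))


def select_files(file_names, local_settings):
    """Return, in input order, the file names an ingest run would process."""
    targets = [w.lower() for w in wanted_logs(local_settings)]
    return [n for n in file_names if any(_matches(n.lower(), t) for t in targets)]


class ParseEvtxIngestModuleSketch(object):
    """Only the startUp() part that the thread's tracebacks point at."""

    def __init__(self, settings):
        self.local_settings = settings  # may arrive as None

    def startUp(self, context=None):
        self.local_settings = settings_or_default(self.local_settings)
        self.logs_to_process = wanted_logs(self.local_settings)
        return self.logs_to_process
```

With this guard, a stale or unreadable settings file degrades to "process all logs" and an ingest job still starts; the earlier comment about clearing org.python.proxies files remains the real fix for the saved state.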
from autopsy-plugins.
Thus far I've only had success when I run ingest and select the 'custom' option. Then there is no error.
Ah, I had not picked up on the comma separation and listed them line by line.
I've started an ingest; no idea what the outcome will be.
from autopsy-plugins.
Left it running all night; it had hung by the morning. The hourglass shows up as soon as the mouse cursor enters the window. I notice it hangs easily after having executed process_evtx; while it was not fast before, it never hung.
I still cannot get my head around why it works when I define a custom profile yet not when I select predefined profiles.
from autopsy-plugins.
I am having what appears to be the same issue with the ParseEvtx module.
- Windows 11 Pro / Autopsy 4.19.3 / ParseEvtx version 1.5 / Python 3.9.0
- Autopsy tends to hang after the plugin has run, and the file view does not update the Data Artifacts.
- Killing the Autopsy process and reopening the case shows the updated file view and artefacts under Data Artifacts.
2022-04-01 05:37:51.045 org.sleuthkit.autopsy.ingest.IngestJobPipeline logErrorMessage
SEVERE: ParseEvtx experienced an error during analysis (data source = LogicalFileSet1, objId = 9852, pipeline id = 0, ingest job id = 1)
java.lang.NullPointerException
org.sleuthkit.datamodel.Blackboard.postArtifacts(Blackboard.java:95)
org.sleuthkit.autopsy.ingest.IngestServices.fireModuleDataEvent(IngestServices.java:118)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:498)
org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:190)
org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:208)
org.python.core.PyObject.__call__(PyObject.java:477)
org.python.core.PyObject.__call__(PyObject.java:481)
org.python.core.PyMethod.__call__(PyMethod.java:141)
ParseEvtx$py.process$15(C:/Users/shanna/AppData/Roaming/autopsy/python_modules/Process_EVTX/ParseEvtx.py:482)
ParseEvtx$py.call_function(C:/Users/shanna/AppData/Roaming/autopsy/python_modules/Process_EVTX/ParseEvtx.py)
org.python.core.PyTableCode.call(PyTableCode.java:173)
org.python.core.PyBaseCode.call(PyBaseCode.java:306)
org.python.core.PyBaseCode.call(PyBaseCode.java:197)
org.python.core.PyFunction.__call__(PyFunction.java:485)
org.python.core.PyMethod.instancemethod___call__(PyMethod.java:237)
org.python.core.PyMethod.__call__(PyMethod.java:228)
org.python.core.PyMethod.__call__(PyMethod.java:218)
org.python.core.PyMethod.__call__(PyMethod.java:213)
org.python.core.PyObject._jcallexc(PyObject.java:3565)
org.python.core.PyObject._jcall(PyObject.java:3598)
org.python.proxies.ParseEvtx$ParseEvtxDbIngestModule$33.process(Unknown Source)
org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$DataSourcePipelineModule.executeTask(DataSourceIngestPipeline.java:93)
org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$DataSourcePipelineModule.executeTask(DataSourceIngestPipeline.java:72)
org.sleuthkit.autopsy.ingest.IngestTaskPipeline.executeTask(IngestTaskPipeline.java:220)
org.sleuthkit.autopsy.ingest.IngestJobPipeline.execute(IngestJobPipeline.java:1085)
org.sleuthkit.autopsy.ingest.DataSourceIngestTask.execute(DataSourceIngestTask.java:41)
org.sleuthkit.autopsy.ingest.IngestManager$ExecuteIngestJobTasksTask.run(IngestManager.java:1019)
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
java.util.concurrent.FutureTask.run(FutureTask.java:266)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
java.lang.Thread.run(Thread.java:748)
from autopsy-plugins.
Should all be fixed in release 1.7 of the plugin - #50
from autopsy-plugins.
Related Issues (20)
- Allow plugins to specify their own icon
- RingCentral Chat Support
- FileHistory
- iTunes-BackUp installation
- Mac-Mail plugin needs full /Users/ path to evidence?
- Mac_mail plugin exception "Input string is not a valid email address: undisclosed-recipients"
- Jump_List_JL_Ad error
- export_evtx.exe -- IndexError: list index out of range
- LevelDB Question
- "Other resources" link in Readme is dead
- Plaso modules not working on autopsy 4.17/4.18
- Plugin Py
- Previously Loaded Plaso Module could not be found
- Requesting for simple help (How to install these plugins into Autopsy)
- Autopsy find dir
- Parse_USNJ sqlite error
- Parse_USNJ sqlite error
- ParseEvtx handling of evtx log files with a space in the name
- QNX Plugin doesnt work