SQLite plugin questions about autopsy-plugins HOT 23 CLOSED

It worked no problem.... No idea what is going on.

from autopsy-plugins.

I will take a look at it and get back with you.

from autopsy-plugins.

So I got my file to work. And now I am wondering what the deal is. So I had the files a few directories down. I was putting the file name in after right clicking the folder I wanted to run the plugin against. It wasn't able to find it. After changing my logical file system to just the folder that contained the db file I was able to type in the name of the file and it worked fine. Is this how it should work?
😕 <-Confused

from autopsy-plugins.

Hi Joe.

It is on my list of things to do to add readme's to all the plugins. If you want to add them before I get to them you are more then welcome.

As for the SQLite plugin have you entered the SQLite databases that you want to parse in the text area control? If you have then you need to check the check box so that it will read the text area into a variable to pass. Does that make sense? I was playing around with getting a listener to work with the text area but did not have success at the time so it was the simplest solution. I need to go back and get it to work properly.

As for Autopsy on Linux I am starting to use it as well and I have plans to make it so the plugins that will not run on Linux will. There are a few I do not have to do anything with but quite a few I have to make work on Linux.

Mark

from autopsy-plugins.

@markmckinnon Thanks for the quick response. The first part that I am struggling with is that I can't see the plugins.

I think i put them in the right location based on https://wiki.sleuthkit.org/index.php?title=Autopsy_3rd_Party_Modules. I created a 'hello world' python plugin that I was able to get running in this directory.

from autopsy-plugins.

Is the directory /home/development/autopsy/build/testuserdir/python_modules the same directory if you go into Autopsy and look at the menu option tools/python plugins? If it is then I am not sure what the issue is. As for the plugins the only ones that will work are the volatility plugins, parse sqlite databases and the amazon echosystem parser. The gui_tests will also work but those are just sample code. You can also get rid of the "Executable Programs for Plugins" directory it is not needed. Also get rid of all the .class files in the plugin directory(s) as they will be rebuilt on the fly.

from autopsy-plugins.

@markmckinnon Thanks again for the quick response. After removing the other plugins and the Executable Programs for Plugins directory I was able to get the SQLite plugins to appear in the list. So when I want to reference a sqlite db file should I put the relative file path into the box? I attempted to put **/*.db into the box and I didn't see anything under Extracted Content so I assumed that it regular expressions won't work.

from autopsy-plugins.

Just use the file name, I thought about using the directory/file name but then if you have a SQLite file that goes over multiple users then you may miss something so I just left it as file name.

from autopsy-plugins.

Hmm no dice on the filename. I tried with the checkbox checked and without it checked. I am getting a few warnings in the Netbeans debugger console.

INFO: Found ingest module factory: name = Parse SQLite DB, version = 1.0 WARNING [org.openide.util.io.NbObjectOutputStream]: Serializable class org.python.proxies.ParseSQLiteDBDelRecords$GUI_PSQLiteUISettings$226 does not declare serialVersionUID field. Encountered while storing: [] See also http://www.netbeans.org/issues/show_bug.cgi?id=19915 WARNING [org.openide.util.io.NbObjectOutputStream]: Serializable class org.python.proxies.Gui_Test$GUI_TestWithUISettings$230 does not declare serialVersionUID field. Encountered while storing: [] See also http://www.netbeans.org/issues/show_bug.cgi?id=19915 WARNING [org.openide.util.io.NbObjectOutputStream]: Serializable class org.python.proxies.ParseSQLiteDBs$GUI_PSQLiteUISettings$234 does not declare serialVersionUID field. Encountered while storing: [] See also http://www.netbeans.org/issues/show_bug.cgi?id=19915

It doesn't mean a lot to me and since it is a warning and not an error I'm not even sure it is relevant to the problem.

from autopsy-plugins.

Just to make sure that I am doing it right and I am not sending you down a rabbit hole here is an image of how I filled out the form.

from autopsy-plugins.

I just got everything setup to run Autopsy in Linux and copied the plugin over and ran it against the mozilla places.sqlite database and it ran fine. I noticed in the screen shot that you posted you also have the "Parse SQLite Del Rec" plugin checked as well. That maybe the problem. Can you try just the "Parse SQLite DB" plugin? Below is the screenshot from the run I just did with the plugin.

from autopsy-plugins.

So I did as you asked and removed the SQLite Del Rec from the list of running plugins. Just to be sure I ran a query against my db file to ensure that it had content inside of it. I am running my Autopsy out of Netbeans. Do you think this is having an negative impact on the plugin running?

from autopsy-plugins.

Not sure what the problem is. Can you send me the trace files generated from the run. They are located in the logs folder of your case.

from autopsy-plugins.

Sure no problem. I am sending them via email.

from autopsy-plugins.

I just tried to get it to load on my Windows PC and I got the same results. I noticed that the files are SQLite3. Does this plugin support SQLite 3?

from autopsy-plugins.

@markmckinnon Is there any chance you have a small example database that you know works in your plugin that I can use?

from autopsy-plugins.

Try this one.
places.zip

from autopsy-plugins.

Does the database that you used have a wal file associated with it. If it does then you would need to bring that into the logical files as well. More then likely the data is still in the wal file and has not been flushed to the database proper.

from autopsy-plugins.

Is this still an error for you?

from autopsy-plugins.

hi， @markmckinnon I am also using it for the first time. I only checked the "Parse SQLite DB" plugin. I downloaded your database file to run it, but there is nothing in extracting the content. Is there any problem with my operation?

Is there a wrong file name in the box on the right, or fill in the name of the table?

from autopsy-plugins.

When you checked the box was there data in the text area or did you check the box and then enter text into the the text area? Depending on the version of Autopsy there is a SQLite viewer now available within Autopsy.

from autopsy-plugins.

the latter，check the box and then enter text into the the text area

from autopsy-plugins.

Try it the other way around. Type in the text area then check the box and see if that helps. You should only have to put the file name in not the path.

from autopsy-plugins.