Wednesday, May 11, 2016

Autopsy Python Multi-User Modules

Autopsy allows examiners to collaborate on investigations using the multi-user case feature, which shares database, message broker, search and storage resources.

I wanted to write an Autopsy module with Python to take advantage of the multi-user case collaboration benefits.

The module also applies lessons learned from the 2015 Autopsy Module Development Contest: simplifying external Python library imports and creating a flexible user interface.

HashDump was built as a proof of concept; it requires the Hash Lookup ingest module to be run first so that the MD5 hashes are already calculated.


HashDump.py builds the ingest module for the Autopsy user interface and passes the case file location as an argument to the HashDump.exe Python program.

HashDump.exe uses the case file (.AUT), which contains the information necessary for single-user SQLite database connections. Multi-user PostgreSQL database connections also require information from the core.properties file in the examiner's roaming profile.

The examiner is presented with a Python-generated user interface to select the hashes for export.

The Python user interface closes once the database export is completed. HashDump.py then resumes control and adds the HashDump.txt file in the base of the case folder to the report view.
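As an added example (not the HashDump project's code), the following Python 3 script walks the same steps on constructed data: read the case file to decide between a SQLite and a PostgreSQL connection, pull the PostgreSQL server details from core.properties when the case is multi-user, query the MD5 values the Hash Lookup module stored, and write HashDump.txt into the base of the case folder. The .AUT element names (`CaseType`, `Database`), the core.properties keys (`DBHostnameOrIP`, `DBPortNumber`, `DBUserName`) and the sample rows in `tsk_files` are assumptions for illustration; only the `tsk_files` table with its `name` and `md5` columns follows the SleuthKit case database schema.

```python
"""Added example, not the HashDump project's code: locate the Autopsy case
database from a .AUT case file (plus core.properties for multi-user cases)
and export the MD5 hashes the Hash Lookup ingest module stored in tsk_files.

Assumptions, because the blog post does not spell them out:
  * the .AUT file is XML with <CaseType> and <Database> elements (assumed names);
  * core.properties is a Java properties file whose PostgreSQL keys are
    DBHostnameOrIP, DBPortNumber and DBUserName (assumed names);
  * the case database has a tsk_files table with name and md5 columns
    (SleuthKit schema; md5 stays NULL until a hashing module runs).
"""
import os
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample .AUT content, not a real case file.
SAMPLE_AUT = """<?xml version="1.0" encoding="UTF-8"?>
<AutopsyCase>
  <Case>
    <Name>demo-case</Name>
    <CaseType>Single-user case</CaseType>
    <Database>autopsy.db</Database>
  </Case>
</AutopsyCase>
"""

# Constructed sample core.properties content (assumed key names).
SAMPLE_PROPERTIES = """# Autopsy user settings (constructed sample)
DBHostnameOrIP=pg.example.internal
DBPortNumber=5432
DBUserName=autopsy
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value (or key:value) lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def describe_connection(aut_xml, case_dir, properties_text=None):
    """Return a dict describing how to reach the case database.

    Single-user cases point at a SQLite file in the case folder; multi-user
    cases need the PostgreSQL server details from core.properties.
    """
    root = ET.fromstring(aut_xml)
    case_type = (root.findtext(".//CaseType") or "").strip()
    db_name = (root.findtext(".//Database") or "").strip()
    if not db_name:
        raise ValueError("case file has no <Database> element")
    if case_type.lower().startswith("multi"):
        if properties_text is None:
            raise ValueError("multi-user case needs core.properties")
        props = parse_properties(properties_text)
        needed = ("DBHostnameOrIP", "DBPortNumber", "DBUserName")
        missing = [k for k in needed if k not in props]
        if missing:
            raise ValueError("core.properties missing %s" % ", ".join(missing))
        return {"kind": "postgresql", "host": props["DBHostnameOrIP"],
                "port": int(props["DBPortNumber"]), "user": props["DBUserName"],
                "database": db_name}
    return {"kind": "sqlite", "path": os.path.join(case_dir, db_name)}


def collect_hashes(conn):
    """Read (name, md5) for every file whose MD5 the Hash Lookup module stored."""
    cur = conn.execute(
        "SELECT name, md5 FROM tsk_files WHERE md5 IS NOT NULL ORDER BY name")
    return [(name, md5.lower()) for name, md5 in cur.fetchall()]


def write_hashdump(rows, case_dir):
    """Write HashDump.txt in the base of the case folder, one 'md5  name' per line."""
    out_path = os.path.join(case_dir, "HashDump.txt")
    with open(out_path, "w", encoding="utf-8") as fh:
        for name, md5 in rows:
            fh.write("%s  %s\n" % (md5, name))
    return out_path


def build_sample_case_db(path):
    """Create a tiny SQLite case DB with a constructed tsk_files table."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE tsk_files (obj_id INTEGER PRIMARY KEY, name TEXT, md5 TEXT)")
    conn.executemany("INSERT INTO tsk_files (name, md5) VALUES (?, ?)", [
        ("notes.txt", "D41D8CD98F00B204E9800998ECF8427E"),
        ("unhashed.bin", None),  # Hash Lookup has not processed this file
        ("report.pdf", "9e107d9d372bb6826bd81d3542a419d6"),
    ])
    conn.commit()
    return conn


def run_demo():
    """Stand-alone walk-through on constructed data; returns what it produced."""
    case_dir = tempfile.mkdtemp(prefix="hashdump-demo-")
    target = describe_connection(SAMPLE_AUT, case_dir)
    conn = build_sample_case_db(target["path"])
    rows = collect_hashes(conn)
    conn.close()
    out_path = write_hashdump(rows, case_dir)
    with open(out_path, encoding="utf-8") as fh:
        content = fh.read()
    return {"target": target, "rows": rows, "out_path": out_path, "content": content}


if __name__ == "__main__":
    result = run_demo()
    print("wrote %s:\n%s" % (result["out_path"], result["content"]), end="")
```

For a real multi-user case the `postgresql` descriptor would be handed to a PostgreSQL driver rather than `sqlite3`; the example stops at the descriptor so it runs offline. Note that core.properties lives in the examiner's roaming profile, so a tool that reads it inherits whatever credentials are stored there and should be treated with the same care as the profile itself.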


The code is up on GitHub for use, or better yet, write your own Autopsy Python multi-user module for the 2016 Autopsy Module Development Contest at OSDFCon.

Happy Coding!!
John Lukach
@jblukach

2 comments:

  1. Hi :D
    I have a question about making an Autopsy module.
    Can you help me?

    1. Happy to help if I can, what are you attempting?