Autopsy addon modules : Process Amcache, Bam Key,Process SRUDB

mandelbrot · May 3, 2020, 7:07pm

IHi all,
i’m processing image “device1_laptop.e01” (COVID-19 Free Autopsy Training)

I have problem (on Autopsy 4.15 ) with these python addon module.
Are they supported on Autopsy 4.15 (4.14) ?

Process Amcache
Process SRUDB
Bam Key

Process Amcache :

…\Temp\amcache directory is created and i can find also Amcache.hve file but Amcache.Db3 is an empty file (and Extracted Content doesn’t have any new refreshed amcache artifact)

Process SRUDB (all Logs checked)

Extracted Content doesn’t have any new refreshed artifact

Bam Key

Bam Key Module crashes (see log):

SEVERE: Bam Key Module experienced an error during analysis (data source = device1_laptop.e01, objId = 1, jobId = 0)
java.util.NoSuchElementException: Cannot find subkey with name UserSettings
com.williballenthin.rejistry.record.SubkeyListRecord.getSubkey(SubkeyListRecord.java:48)
com.williballenthin.rejistry.RegistryKey.getSubkey(RegistryKey.java:42)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:498)
org.python.core.PyReflectedFunction.call(PyReflectedFunction.java:186)
org.python.core.PyReflectedFunction.call(PyReflectedFunction.java:204)
org.python.core.PyObject.call(PyObject.java:478)
org.python.core.PyObject.call(PyObject.java:482)
org.python.core.PyMethod.call(PyMethod.java:141)
bam_key$py.findRegistryKey$17(C:\Users\Luca\AppData\Roaming\autopsy\python_modules\Bam_Key\bam_key.py:300)
bam_key$py.call_function(C:\Users\Luca\AppData\Roaming\autopsy\python_modules\Bam_Key\bam_key.py)
org.python.core.PyTableCode.call(PyTableCode.java:167)
org.python.core.PyBaseCode.call(PyBaseCode.java:170)
org.python.core.PyFunction.call(PyFunction.java:434)
org.python.core.PyMethod.call(PyMethod.java:156)
bam_key$py.processSYSTEMHive$14(C:\Users\Luca\AppData\Roaming\autopsy\python_modules\Bam_Key\bam_key.py:244)
bam_key$py.call_function(C:\Users\Luca\AppData\Roaming\autopsy\python_modules\Bam_Key\bam_key.py)
org.python.core.PyTableCode.call(PyTableCode.java:167)
org.python.core.PyBaseCode.call(PyBaseCode.java:153)
org.python.core.PyFunction.call(PyFunction.java:423)
org.python.core.PyMethod.call(PyMethod.java:141)
bam_key$py.process$13(C:\Users\Luca\AppData\Roaming\autopsy\python_modules\Bam_Key\bam_key.py:218)
bam_key$py.call_function(C:\Users\Luca\AppData\Roaming\autopsy\python_modules\Bam_Key\bam_key.py)
org.python.core.PyTableCode.call(PyTableCode.java:167)
org.python.core.PyBaseCode.call(PyBaseCode.java:307)
org.python.core.PyBaseCode.call(PyBaseCode.java:198)
org.python.core.PyFunction.call(PyFunction.java:482)
org.python.core.PyMethod.instancemethod___call__(PyMethod.java:237)
org.python.core.PyMethod.call(PyMethod.java:228)
org.python.core.PyMethod.call(PyMethod.java:218)
org.python.core.PyMethod.call(PyMethod.java:213)
org.python.core.PyObject._jcallexc(PyObject.java:3626)
org.python.core.PyObject._jcall(PyObject.java:3658)
org.python.proxies.bam_key$BamKeyIngestModule$17.process(Unknown Source)
org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$PipelineModule.process(DataSourceIngestPipeline.java:200)
org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline.process(DataSourceIngestPipeline.java:113)
org.sleuthkit.autopsy.ingest.DataSourceIngestJob.process(DataSourceIngestJob.java:744)
org.sleuthkit.autopsy.ingest.DataSourceIngestTask.execute(DataSourceIngestTask.java:30)
org.sleuthkit.autopsy.ingest.IngestManager$ExecuteIngestJobTasksTask.run(IngestManager.java:926)
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
java.util.concurrent.FutureTask.run(FutureTask.java:266)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
java.lang.Thread.run(Thread.java:748)
2020-05-03 20:08:59.216 org.sleuthkit.autopsy.ingest.DataSourceIngestJob logInfoMessage
INFO: Finished first stage analysis (data source = device1_laptop.e01, objId = 1, jobId = 0)
2020-05-03 20:08:59.217 org.sleuthkit.autopsy.ingest.DataSourceIngestJob logInfoMessage
INFO: Finished analysis (data source = device1_laptop.e01, objId = 1, jobId = 0)
2020-05-03 20:08:59.223 org.sleuthkit.autopsy.ingest.IngestManager finishIngestJob
INFO: Ingest job 0 completed

Thanks in advance
Luca

Mark_McKinnon · May 3, 2020, 8:18pm

What OS and version is the image? I have not seen that test image so I do not know if those plugins will work. For the Bam plugin since it says the key does not exist that the OS and version of the OS do not meet the requirements for having the Bam registry key.

mandelbrot · May 4, 2020, 7:11am

Hi Mark,
image OS version is Win 10 Pro (Release ID 1903)

My Autopsy is running on Win 10.

About Process Amcache and Process SRUDB : I have always same “behaviors” (namely Extracted Content without any refreshed artifact) using also different images.

Any suggestion ?
Thanks in advance

Luca

Topic		Replies	Views
Process AmCache Autopsy Help	6	28	October 28, 2024
New artifacts not displayed Autopsy Development	25	1906	October 6, 2021
Building from source? autopsy-4.17.0 and sleuthkit-4.10.1 Autopsy on Linux / macOS	1	898	March 15, 2021
Is it possible to create an Autopsy plugin to add a Data Source Type in Python? Autopsy Development	1	481	October 17, 2022
Virustotal Plug Autopsy Help	8	1839	June 27, 2020

Autopsy addon modules : Process Amcache, Bam Key,Process SRUDB

Related topics