Clearing a blackboard folder each time

Autopsy Development
1

Hi

I’m just working through more examples, adapting things to learn the framework. Sorry if my questions are a bit basic!

Every time I run/test my ingest module, it adds artefacts to the blackboard and duplicates those blackboard artefacts that it already has found (the previous time I run the module).

Is there any way of clearing out this “blackboard folder” at the start of running the module?

Thanks!

2

There’s no way to clear the blackboard, but you can add a call to artifactExists() before adding your new artifact. This will stop duplication when you run multiple times.

You can see an example on line 194 here:

3

Thanks again Ann.

I’m creating python modules - and I’m guessing that this method isn’t available in the python port. I’m using Autopsy 4.12.0.

It reports "AttributeError: object has no attribute ‘artifactExists’

the code I’ve used

myBlackboard = Case.getCurrentCase().getServices().getBlackboard()
art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), 
Week18IngestModuleFactory.moduleName, blackboardFolderName)

if (myBlackboard.artifactExists(file, TSK_INTERESTING_FILE_HIT, att)):
    fileCount += 1

BUT…

I’ve fashioned my own way of doing this; it works although the artifactExists is probably better.

            alreadyHasArtifact = False;
            artifactList = file.getArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
            for artifact in artifactList:
                attributeList = artifact.getAttributes();
                for attrib in attributeList:
                    if (attrib.getDisplayString() == blackboardFolderName):
                        alreadyHasArtifact = True

where blackboardFolderName is the name that I also pass into BlackboardAttribute()

4

We’ve recently transitioned to a new Blackboard class (the one you’re using has been deprecated). You can get it like this:

blackboard = Case.getCurrentCaseThrows().getSleuthkitCase().getBlackboard();

Once your artifact is created, you should call also call blackboard.postArtifact()

5

Hi John,

I ran into this same problem when I started doing module development so I created a plugin to delete the artifacts and attributes so I could cleanly test without have to recopy or recreate the case. You can find the plugin on my Autopsy plugin repo and the plugin is called remove_artifacts and it is intended for developers.

Mark

1 Like
6

Thanks Mark.

I had already downloaded your plugins list from Github, but not looked at them all yet :slight_smile: but I have it now!