Creating new custom artifact

Autopsy Development
24

The issue is that you were creating a new artifact for every attribute. I made a few changes to your code and see if it does what you want it to. I also moved the createOrAddArtifact and createOrAddAttribute out of the result loop since you only need to do it once in the script, doing it where you had it would make it do those calls everytime and that might slow the script down. If you have any questions please let me know.

def process(self, dataSource, progressBar):

    progressBar.switchToIndeterminate()

    blackboard = Case.getCurrentCase().getSleuthkitCase().getBlackboard()

    fileManager = Case.getCurrentCase().getServices().getFileManager()
    files = fileManager.findFiles(dataSource, "direct.db", ".instagram")

    numFiles = len(files)
    progressBar.switchToDeterminate(numFiles)
    fileCount = 0
    for file in files:

        if self.context.isJobCancelled():
            return IngestModule.ProcessResult.OK

        self.log(Level.INFO, "Processing file: " + file.getName())
        fileCount += 1

        # Save the DB locally in the temp folder. use file id as name to reduce collisions
        lclDbPath = os.path.join(Case.getCurrentCase().getTempDirectory(), str(file.getId()) + ".db")
        ContentUtils.writeToFile(file, File(lclDbPath))

        # Create/Get artifact to use
        artId = blackboard.getOrAddArtifactType("TSK_INSTAGRAM_MESSAGES", "Instagram DMs")

        # Create/Get attributes to use 
        attId = blackboard.getOrAddAttributeType("TSK_MESSAGES", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Instagram DMs")
        attId1 = blackboard.getOrAddAttributeType("TSK_TIME", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME, "Time")
        attId2 = blackboard.getOrAddAttributeType("TSK_MESSAGES_TYPE", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Message Type")
                    
        # Open the DB using JDBC
        try: 
            Class.forName("org.sqlite.JDBC").newInstance()
            dbConn = DriverManager.getConnection("jdbc:sqlite:%s"  % lclDbPath)
        except SQLException as e:
            self.log(Level.INFO, "Could not open database file (not SQLite) " + file.getName() + " (" + e.getMessage() + ")")
            return IngestModule.ProcessResult.OK
        
        # Query the notification table in the database and get all columns. 
        try:
            stmt = dbConn.createStatement()
            resultSet = stmt.executeQuery("SELECT * FROM messages")
        except SQLException as e:
            self.log(Level.INFO, "Error querying database for contacts table (" + e.getMessage() + ")")
            return IngestModule.ProcessResult.OK

        # Cycle through each row and create artifacts
        while resultSet.next():
            try: 
                timestamp  = resultSet.getLong("timestamp")/1000
                text = resultSet.getString("text")
                message_type = resultSet.getString("message_type")
                
            except SQLException as e:
                self.log(Level.INFO, "Error getting values from contacts table (" + e.getMessage() + ")")
        
            artId = blackboard.getOrAddArtifactType("TSK_INSTAGRAM_MESSAGES", "Instagram DMs")

            artifact = file.newArtifact(artId.getTypeID())

            attributes = ArrayList()
			attributes.add(BlackboardAttribute(attId, InstagramDMIngestModuleFactory.moduleName, text))

            attributes.add(BlackboardAttribute(attId1, InstagramDMIngestModuleFactory.moduleName, timestamp))

            attributes.add(BlackboardAttribute(attId2, InstagramDMIngestModuleFactory.moduleName, message_type))

            try:
                artifact.addAttributes(attributes)
            except:
                self.log(Level.INFO, "Error adding attribute to artifact")

            #artifacts try catch
            try:
                blackboard.postArtifact(artifact)
            except:
                self.log(Level.INFO, "Error posting artifact")

            
            '''art = file.newDataArtifact(BlackboardArtifact.Type.TSK_PROG_NOTIFICATIONS, Arrays.asList(
                BlackboardAttribute(BlackboardAttribute.Type.TSK_DATETIME,
                                    InstagramDMIngestModuleFactory.moduleName, timestamp),
                BlackboardAttribute(BlackboardAttribute.Type.TSK_TITLE,
                                    InstagramDMIngestModuleFactory.moduleName, message_type),
                BlackboardAttribute(BlackboardAttribute.Type.TSK_VALUE,
                                    InstagramDMIngestModuleFactory.moduleName, text)
            ))

            try:
                blackboard.postArtifact(art, InstagramDMIngestModuleFactory.moduleName)
            except Blackboard.BlackboardException as e:
                self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName())'''
    
        stmt.close()
        dbConn.close()
        os.remove(lclDbPath)

    message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
        "ContactsDb Analyzer", "Found %d files" % fileCount)
    IngestServices.getInstance().postMessage(message)

    return IngestModule.ProcessResult.OK
1 Like
25

I tried this code but the attributes are not getting created at all. Even the line

attributes = ArrayList()

gives an error. I imported yet the error was there.

from array import array

I changed it to following but still I got the same results.

attributes = Arrays.asList()

Screenshot (245)
Screenshot (245)1033×295 20.3 KB

No attributes are getting created. Have attached the modified code

26

Try importing this instead and Lee port back.

from java.util import ArrayList

1 Like
27

Thank you so much. It finally works. I was importing a wrong array library. But the timestamps are still weird.
For ex : 54556-08-01 09:57:58 BST whereas when I manually convert it comes to August 2, 2022 9:31:44.278 PM which is the correct value.

28

What does the original date actually look like? Is it a Unix Epoch Timestamp or a MS Epoch Time stamp. ? When you store a value in a date attribute it assumes that the timestamp is an Unix Epoch timestamp, so if you have a MS epoch timestamp it will be way off.

29

The original format is this : 1659472304278109

30

Try dropping off the last 6 digits from the number you posted and see if the changes to the date time you are expecting.

1 Like
32

Yes it gives the correct value now. Thank you!

33

How would I update this?

                BlackboardArtifact artifact = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT);
                BlackboardAttribute attribute = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), FaceRadarIngestModuleFactory.getModuleName(), "FaceRadar Detected Faces");
                artifact.addAttribute(attribute);

                // This method is thread-safe with per ingest job reference counted
                // management of shared data.
                addToBlackboardPostCount(context.getJobId(), 1L);

                // Fire an event to notify any listeners for blackboard postings.
                ModuleDataEvent event = new ModuleDataEvent(FaceRadarIngestModuleFactory.getModuleName(), BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT);
                IngestServices.getInstance().fireModuleDataEvent(event);
            }
            return IngestModule.ProcessResult.OK;