Creating new custom artifact

Mark_McKinnon · August 21, 2022, 2:14pm

The issue is that you were creating a new artifact for every attribute. I made a few changes to your code and see if it does what you want it to. I also moved the createOrAddArtifact and createOrAddAttribute out of the result loop since you only need to do it once in the script, doing it where you had it would make it do those calls everytime and that might slow the script down. If you have any questions please let me know.

def process(self, dataSource, progressBar):

    progressBar.switchToIndeterminate()

    blackboard = Case.getCurrentCase().getSleuthkitCase().getBlackboard()

    fileManager = Case.getCurrentCase().getServices().getFileManager()
    files = fileManager.findFiles(dataSource, "direct.db", ".instagram")

    numFiles = len(files)
    progressBar.switchToDeterminate(numFiles)
    fileCount = 0
    for file in files:

        if self.context.isJobCancelled():
            return IngestModule.ProcessResult.OK

        self.log(Level.INFO, "Processing file: " + file.getName())
        fileCount += 1

        # Save the DB locally in the temp folder. use file id as name to reduce collisions
        lclDbPath = os.path.join(Case.getCurrentCase().getTempDirectory(), str(file.getId()) + ".db")
        ContentUtils.writeToFile(file, File(lclDbPath))

        # Create/Get artifact to use
        artId = blackboard.getOrAddArtifactType("TSK_INSTAGRAM_MESSAGES", "Instagram DMs")

        # Create/Get attributes to use 
        attId = blackboard.getOrAddAttributeType("TSK_MESSAGES", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Instagram DMs")
        attId1 = blackboard.getOrAddAttributeType("TSK_TIME", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME, "Time")
        attId2 = blackboard.getOrAddAttributeType("TSK_MESSAGES_TYPE", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Message Type")
                    
        # Open the DB using JDBC
        try: 
            Class.forName("org.sqlite.JDBC").newInstance()
            dbConn = DriverManager.getConnection("jdbc:sqlite:%s"  % lclDbPath)
        except SQLException as e:
            self.log(Level.INFO, "Could not open database file (not SQLite) " + file.getName() + " (" + e.getMessage() + ")")
            return IngestModule.ProcessResult.OK
        
        # Query the notification table in the database and get all columns. 
        try:
            stmt = dbConn.createStatement()
            resultSet = stmt.executeQuery("SELECT * FROM messages")
        except SQLException as e:
            self.log(Level.INFO, "Error querying database for contacts table (" + e.getMessage() + ")")
            return IngestModule.ProcessResult.OK

        # Cycle through each row and create artifacts
        while resultSet.next():
            try: 
                timestamp  = resultSet.getLong("timestamp")/1000
                text = resultSet.getString("text")
                message_type = resultSet.getString("message_type")
                
            except SQLException as e:
                self.log(Level.INFO, "Error getting values from contacts table (" + e.getMessage() + ")")
        
            artId = blackboard.getOrAddArtifactType("TSK_INSTAGRAM_MESSAGES", "Instagram DMs")

            artifact = file.newArtifact(artId.getTypeID())

            attributes = ArrayList()
			attributes.add(BlackboardAttribute(attId, InstagramDMIngestModuleFactory.moduleName, text))

            attributes.add(BlackboardAttribute(attId1, InstagramDMIngestModuleFactory.moduleName, timestamp))

            attributes.add(BlackboardAttribute(attId2, InstagramDMIngestModuleFactory.moduleName, message_type))

            try:
                artifact.addAttributes(attributes)
            except:
                self.log(Level.INFO, "Error adding attribute to artifact")

            #artifacts try catch
            try:
                blackboard.postArtifact(artifact)
            except:
                self.log(Level.INFO, "Error posting artifact")

            
            '''art = file.newDataArtifact(BlackboardArtifact.Type.TSK_PROG_NOTIFICATIONS, Arrays.asList(
                BlackboardAttribute(BlackboardAttribute.Type.TSK_DATETIME,
                                    InstagramDMIngestModuleFactory.moduleName, timestamp),
                BlackboardAttribute(BlackboardAttribute.Type.TSK_TITLE,
                                    InstagramDMIngestModuleFactory.moduleName, message_type),
                BlackboardAttribute(BlackboardAttribute.Type.TSK_VALUE,
                                    InstagramDMIngestModuleFactory.moduleName, text)
            ))

            try:
                blackboard.postArtifact(art, InstagramDMIngestModuleFactory.moduleName)
            except Blackboard.BlackboardException as e:
                self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName())'''
    
        stmt.close()
        dbConn.close()
        os.remove(lclDbPath)

    message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
        "ContactsDb Analyzer", "Found %d files" % fileCount)
    IngestServices.getInstance().postMessage(message)

    return IngestModule.ProcessResult.OK

heisenberg3008 · August 21, 2022, 7:52pm

I tried this code but the attributes are not getting created at all. Even the line

attributes = ArrayList()

gives an error. I imported yet the error was there.

from array import array

I changed it to following but still I got the same results.

attributes = Arrays.asList()

No attributes are getting created. Have attached the modified code

Mark_McKinnon · August 21, 2022, 9:19pm

Try importing this instead and Lee port back.

from java.util import ArrayList

heisenberg3008 · August 21, 2022, 9:50pm

Thank you so much. It finally works. I was importing a wrong array library. But the timestamps are still weird.
For ex : 54556-08-01 09:57:58 BST whereas when I manually convert it comes to August 2, 2022 9:31:44.278 PM which is the correct value.

Mark_McKinnon · August 21, 2022, 11:03pm

What does the original date actually look like? Is it a Unix Epoch Timestamp or a MS Epoch Time stamp. ? When you store a value in a date attribute it assumes that the timestamp is an Unix Epoch timestamp, so if you have a MS epoch timestamp it will be way off.

heisenberg3008 · August 21, 2022, 11:55pm

The original format is this : 1659472304278109

Mark_McKinnon · August 22, 2022, 12:19am

Try dropping off the last 6 digits from the number you posted and see if the changes to the date time you are expecting.

heisenberg3008 · August 22, 2022, 3:04am

Yes it gives the correct value now. Thank you!

Dinobots · April 13, 2024, 12:29pm

How would I update this?

                BlackboardArtifact artifact = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT);
                BlackboardAttribute attribute = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), FaceRadarIngestModuleFactory.getModuleName(), "FaceRadar Detected Faces");
                artifact.addAttribute(attribute);

                // This method is thread-safe with per ingest job reference counted
                // management of shared data.
                addToBlackboardPostCount(context.getJobId(), 1L);

                // Fire an event to notify any listeners for blackboard postings.
                ModuleDataEvent event = new ModuleDataEvent(FaceRadarIngestModuleFactory.getModuleName(), BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT);
                IngestServices.getInstance().fireModuleDataEvent(event);
            }
            return IngestModule.ProcessResult.OK;

Topic		Replies	Views
Error while creating the new artifact Autopsy Development	1	309	August 19, 2022
new blackboard artifact Autopsy Development	12	656	September 5, 2024
New artifacts not displayed Autopsy Development	25	1916	October 6, 2021
Error creating new case Autopsy Help	1	516	November 12, 2020
Sleuthkit 4.7.0 and Autopsy 4.13.0 error Autopsy Help	2	891	January 6, 2020

Creating new custom artifact

Related topics