Import pictures back from Module Output folder

Alan_Browne · August 19, 2020, 1:00pm

I have created a python plugin that identifies files by mimetype such as sqlite and data streams and carves them for jpgs, bmps, pngs, and gifs. The images are outputted into separate folders named by the fileid of the file they were carved from. For example
ModuleOutput/Carved/123/1.jpg
ModuleOutput/Carved/123/2.jpg
ModuleOutput/Carved/123/1.gif

ModuleOutput/Carved/456/1.jpg
ModuleOutput/Carved/456/2.jpg

Im able to automatically import the carved folder back into autopsy as a new logical device, but I am looking for a way similar to the extract archive module that displays the files under the parent file they were carved from.

Mark_McKinnon · August 19, 2020, 1:30pm

You will need to add the file as a Derived File. Here is what you need to do.

'# Add derived file
'# Parameters Are:
'# File Name, Local Path, size, ctime, crtime, atime, mtime, isFile,
'# Parent File - Abstract File,
'# rederive Details - maybe blank,
'# Tool Name, Tool Version,
'# Other Details - maybe blank,
'# Encoding Type
derivedFile = skCase.addDerivedFile(fileName, localPath, os.path.getsize(file), +
0, 0, 0, 0, True, parentAbstractFile, “”, plugName, pluginVersion, “”, +
TskData.EncodingType.NONE)

IngestServices.getInstance().fireModuleContentEvent(ModuleContentEvent(derived_file))

The single quotes are used for editing so you can remove them otherwise it makes the text very large.

Alan_Browne · August 19, 2020, 3:29pm

Thanks Mark but unfortunately Im just not getting the results back in
My results are stored in ModuleOutput\Carved-Foremost which has the variable name resultsdir and the derived images are stored in folders named as the fileid of the parent file where is was carved from. My code is as follows:

    for i in os.listdir(resultsdir):
        eachresults = os.path.join(resultsdir,i)
        extractedfiles = next(os.walk(eachresults))[2]
        for extractfile in extractedfiles:
            fileCount=fileCount+1
            self.log(Level.INFO, " File Name is ==> " + extractfile)
            local_file = os.path.join(eachresults, extractfile)
            self.log(Level.INFO, " Local File Name is ==> " + local_file)
            for abstract in allabstractfiles:
                if abstract.getId() == i:
                    abstract_file_info=abstract.getName()			
                    derived_file=skCase.addDerivedFile(extractfile, local_file, os.path.getsize(local_file), + 0, 0, 0, 0, True, abstract_file_info, "", "foremost", "0.53", "", TskData.EncodingType.NONE)
                    
	IngestServices.getInstance().fireModuleContentEvent(ModuleContentEvent(derived_file))
			
    #Post a message to the ingest messages in box.

message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
“File Carver Module”, “Found %d files” % fileCount)
IngestServices.getInstance().postMessage(message)
return IngestModule.ProcessResult.OK

Any help is appreciated

Topic		Replies	Views
Image extraction Autopsy Help	3	1157	October 6, 2020
Retrieve all files Autopsy Development	2	913	September 16, 2020
Ingest module check if file is a image or video Autopsy Development	9	1430	February 23, 2020
In Autopsy: What ingest modules are nessesary for extracting/copying out all images? Autopsy Help	7	3165	March 20, 2020
How do I export all Images and Videoes from Autopsy (so I can import them in Griffeye) Autopsy Help	6	7228	February 21, 2020

Import pictures back from Module Output folder

Related topics