Opening Local Config Files with Python Ingest Modules for Comparison

I’m writing a Data Ingest plugin for Autopsy and I want to open a local file "IOCs.txt", read the lines into a list and then search that list against the contents of the files ingested.

  1. Partially working: I can iterate through the files I import in Autopsy and find the first value in iocList, however, it won’t step to the next indices in iocList to look for the next IOC (pictured in #1 below). In a normal python script, this would be no problem, but I am having trouble identifying why.

loop through iocList and run some test(s) on the file contents

    # testContents, stream1, self and file are defined elsewhere in the plugin
    iocList = ['\x31\x33\x37\x2e\x31\x33\x35\x2e\x39\x31\x2e\x34\x39',
               '\x77\x69\x70\x72\x6f\x33\x36\x35\x2e\x63\x6f\x6d']

    for ioc in iocList:
        result = testContents(stream1, self, file, ioc)
  2. I have the logic working in a standalone python script. When I implement it with my Autopsy plugin, I receive an error in Autopsy along the lines of “no such file or path”. I do have the “ioc_sample.txt” in the same directory as the plugin module. Is it possible to open a file in a module without importing it through the Autopsy GUI?

    iocList = []
    with open('ioc_sample.txt', 'r') as iocFile:
        ilist = iocFile.readlines()
        for i in ilist:
            i = i.rstrip()
            # escaped source form of the line, e.g. '137' -> '\x31\x33\x37';
            # '%02x' keeps two digits per byte (hex(ord(x))[2:] dropped the
            # leading '\x' and gave a single digit for bytes below 0x10)
            ih = ''.join('\\x%02x' % ord(x) for x in i)
            #print(ih)
            iL = len(ih)
            # stores the quoted, escaped text (literal backslashes), not the
            # characters those escapes evaluate to in the first snippet
            iocList.append('\'' + ih + '\'')
            #print(iL)
    
  3. What I wanted the module to do:

    iocList = []
    with open('ioc_sample.txt', 'r') as iocFile:
        ilist = iocFile.readlines()
        for i in ilist:
            i = i.rstrip()
            # escaped source form of the line, two hex digits per byte
            ih = ''.join('\\x%02x' % ord(x) for x in i)
            #print(ih)
            iL = len(ih)
            # quoted, escaped text (literal backslashes)
            iocList.append('\'' + ih + '\'')
            #print(iL)

    for ioc in iocList:
        result = testContents(stream1, self, file, ioc)
    

result passes the values to testContents, where it searches for the value in the ingested file.

If found, an ‘if’ statement adds an interesting event to the blackboard.

You’ll probably need to specify a full path because the “Current working directory” that Autopsy is running from is not the module directory.

To prove the idea, you should probably just hard code it in a folder like “C:\IOCModule” and give that path.

But, that doesn’t scale for shipping the module. For Java modules, there are some methods built-in that give us the path to where the file was placed.

We don’t have a specific API for this for Python though. There seem to be two options:

  1. You can call PlatformUtil.getUserPythonModulesPath() in Autopsy and you can then append the name of your module folder. This will stop working though if someone renames the module folder.
  2. I seem to recall there is a Python/Jython method that returns the location of a class. You could use that path and strip off the class name at the end to get the parent folder.

@Mark_McKinnon: Do you have any Python modules that had this problem?

In your python module here is what you will want to do.

    import os

    pathIOCFile = os.path.join(os.path.dirname(os.path.abspath(__file__)), "ioc_sample.txt")
    with open(pathIOCFile, 'r') as iocFile:
        iocList = [line.rstrip() for line in iocFile]

This is getting the path based on the python script, so if you store the ioc_sample.txt file along with your script in the same directory it will find it. I have used this many times in my python plugins.

Mark
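As an added example (not the original poster's plugin code and not an Autopsy API), here is a stand-alone Python script that puts Mark's `__file__` approach together with the IOC loop from the question: it locates `ioc_sample.txt` next to the script, loads the list once, and tests every IOC against the file contents read once into a buffer. The file format (one IOC per line, `#` comments, optional `\xNN`-escaped entries like the literals in the first snippet), the `decode_ioc` / `find_iocs` names and the sample data are assumptions for illustration; `demo()` writes a constructed list into a temporary folder that stands in for the module folder.

```python
# Added example, not the plugin code from the thread: load a config file that
# ships next to the Jython module and scan content for every listed IOC.
import codecs
import os
import shutil
import tempfile

IOC_FILENAME = 'ioc_sample.txt'   # assumed name, as in the question


def module_dir():
    """Folder this script was loaded from.

    Autopsy's working directory is not the module folder, so a bare
    open('ioc_sample.txt') fails; __file__ depends on neither the working
    directory nor the name the user gave the module folder.
    """
    return os.path.dirname(os.path.abspath(__file__))


def ioc_path(base_dir=None):
    """Full path of the IOC list beside the module (base_dir is for testing)."""
    return os.path.join(base_dir or module_dir(), IOC_FILENAME)


def decode_ioc(line):
    r"""Return the IOC text for a plain line or a \xNN-escaped line.

    The literal '\x31\x33\x37' in a Python source file is just '137'; a line
    that stores the same backslash sequences as text is decoded here
    (assumed file convention).
    """
    if '\\x' in line:
        return codecs.decode(line, 'unicode_escape')
    return line


def load_iocs(path):
    """Read the list once; blank lines and '#' comments are skipped (assumed)."""
    iocs = []
    with open(path, 'r') as ioc_file:
        for raw in ioc_file:
            line = raw.strip()
            if line and not line.startswith('#'):
                iocs.append(decode_ioc(line))
    return iocs


def find_iocs(content, iocs):
    """Return every IOC found in content, in list order.

    The content is decoded into one buffer and each IOC is tested against
    that same buffer, so the second and later IOCs are checked as well.
    """
    if isinstance(content, bytes):
        content = content.decode('utf-8', 'ignore')
    return [ioc for ioc in iocs if ioc in content]


def demo():
    """Constructed data only: a temp folder stands in for the module folder."""
    work_dir = tempfile.mkdtemp()
    try:
        with open(ioc_path(work_dir), 'w') as f:
            f.write('# constructed IOC list, documentation-range values\n')
            f.write('198.51.100.23\n')
            f.write('\\x62\\x61\\x64\\x2e\\x65\\x78\\x61\\x6d\\x70\\x6c\\x65\n')  # 'bad.example'
            f.write('\n')
            f.write('203.0.113.9\n')
        iocs = load_iocs(ioc_path(work_dir))
        # constructed file content containing two of the three indicators
        sample = b'GET http://bad.example/x HTTP/1.1\r\nHost: 203.0.113.9\r\n'
        return iocs, find_iocs(sample, iocs)
    finally:
        shutil.rmtree(work_dir)


if __name__ == '__main__':
    print(demo())
```

In the plugin, drop the temporary folder and call `ioc_path()` with no argument so the list is read from the module folder, then hand `find_iocs` the bytes read from the content stream. Reading the content into a buffer once also means every IOC in the list is tested, not only the first.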

@Mark_McKinnon @carrier Thanks! This is what I needed, It’s working now as intended.