sqrl00
1
I am trying to determine if a file has been reported as a hash hit and what the hashset it came from was.
I can see in the docs under AbstractFileNode a call to getHashSetHitsCsvList(file) but I am not sure if that is the best way to do this.
Has anyone done this, or could anyone give me direction to an efficient way in Python?
sqrl00
2
Managed to find a way to do this:

```python
from org.sleuthkit.autopsy.casemodule import Case

# artifact_type_id 10 is the hash set hit type (see tsk_blackboard_artifact_types)
_blackboard_sql = "SELECT tsk_analysis_results.configuration as hashset FROM blackboard_artifacts INNER JOIN tsk_analysis_results ON blackboard_artifacts.artifact_obj_id = tsk_analysis_results.artifact_obj_id WHERE blackboard_artifacts.artifact_type_id = 10 AND blackboard_artifacts.obj_id = %s;" % int(file.getId())
_blackboard_dbquery = Case.getCurrentCase().getSleuthkitCase().executeQuery(_blackboard_sql)
_hashset_hits = []
try:
    resultSet = _blackboard_dbquery.getResultSet()
    while resultSet.next():
        _hashset_hits.append(resultSet.getString("hashset"))
finally:
    # Always release the query, even if reading the results fails
    _blackboard_dbquery.close()
```
I got the type definition from the tsk_blackboard_artifact_types table; it specified type 10 as hashset hit.
Hope this helps someone else.
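The join from the post above, generalized to list the hash set hits for every file in one pass with a bound parameter. This is an added example, not code from the original post or from Autopsy. It assumes a single-user case whose database is SQLite and is read with Python's own sqlite3 module; the two tables are cut down to the columns the post's query uses, and the rows and hash set names are constructed.

```python
import sqlite3
from collections import defaultdict

HASHSET_HIT_TYPE_ID = 10  # value the post reads from tsk_blackboard_artifact_types

# Same join as the post, without the per-file filter and with a bound
# parameter, so a single query covers every file in the case.
HITS_SQL = """
SELECT ba.obj_id AS obj_id, ar.configuration AS hashset
FROM blackboard_artifacts AS ba
INNER JOIN tsk_analysis_results AS ar
        ON ba.artifact_obj_id = ar.artifact_obj_id
WHERE ba.artifact_type_id = ?
ORDER BY ba.obj_id, ar.configuration
"""

def hashset_hits_by_file(conn):
    """Return {file obj_id: [hash set names]} for every file with a hit."""
    hits = defaultdict(list)
    for obj_id, hashset in conn.execute(HITS_SQL, (HASHSET_HIT_TYPE_ID,)):
        if hashset not in hits[obj_id]:  # skip duplicate rows for one file
            hits[obj_id].append(hashset)
    return dict(hits)

def build_sample_case_db():
    """Constructed in-memory stand-in with only the columns the query touches."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE blackboard_artifacts (
            artifact_obj_id INTEGER PRIMARY KEY, obj_id INTEGER, artifact_type_id INTEGER);
        CREATE TABLE tsk_analysis_results (
            artifact_obj_id INTEGER PRIMARY KEY, configuration TEXT);
    """)
    conn.executemany("INSERT INTO blackboard_artifacts VALUES (?, ?, ?)", [
        (1001, 42, 10),  # file 42, hash set hit
        (1002, 42, 10),  # file 42, hit in a second hash set
        (1003, 42, 9),   # file 42, another artifact type (constructed id)
        (1004, 57, 10),  # file 57, hash set hit
        (1005, 63, 9),   # file 63, no hash set hit at all
    ])
    conn.executemany("INSERT INTO tsk_analysis_results VALUES (?, ?)", [
        (1001, "sample-known-bad"), (1002, "sample-notable"),
        (1003, "unrelated"), (1004, "sample-known-bad"), (1005, "unrelated"),
    ])
    return conn

if __name__ == "__main__":
    for obj_id, names in sorted(hashset_hits_by_file(build_sample_case_db()).items()):
        print(obj_id, ", ".join(names))
```

Files without a hit are absent from the returned dictionary, so `hits.get(file_id, [])` gives the per-file answer without another query.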