SQLite plugin questions #4
Comments
|
Hi Joe. It is on my list of things to do to add readme's to all the plugins. If you want to add them before I get to them you are more then welcome. As for the SQLite plugin have you entered the SQLite databases that you want to parse in the text area control? If you have then you need to check the check box so that it will read the text area into a variable to pass. Does that make sense? I was playing around with getting a listener to work with the text area but did not have success at the time so it was the simplest solution. I need to go back and get it to work properly. As for Autopsy on Linux I am starting to use it as well and I have plans to make it so the plugins that will not run on Linux will. There are a few I do not have to do anything with but quite a few I have to make work on Linux. Mark |
|
@markmckinnon Thanks for the quick response. The first part that I am struggling with is that I can't see the plugins. |
|
Is the directory /home/development/autopsy/build/testuserdir/python_modules the same directory if you go into Autopsy and look at the menu option tools/python plugins? If it is then I am not sure what the issue is. As for the plugins the only ones that will work are the volatility plugins, parse sqlite databases and the amazon echosystem parser. The gui_tests will also work but those are just sample code. You can also get rid of the "Executable Programs for Plugins" directory it is not needed. Also get rid of all the .class files in the plugin directory(s) as they will be rebuilt on the fly. |
|
@markmckinnon Thanks again for the quick response. After removing the other plugins and the Executable Programs for Plugins directory I was able to get the SQLite plugins to appear in the list. So when I want to reference a sqlite db file should I put the relative file path into the box? I attempted to put **/*.db into the box and I didn't see anything under Extracted Content so I assumed that it regular expressions won't work. |
|
Just use the file name, I thought about using the directory/file name but then if you have a SQLite file that goes over multiple users then you may miss something so I just left it as file name. |
|
Hmm no dice on the filename. I tried with the checkbox checked and without it checked. I am getting a few warnings in the Netbeans debugger console.
It doesn't mean a lot to me and since it is a warning and not an error I'm not even sure it is relevant to the problem. |
|
I will take a look at it and get back with you. |
|
Just to make sure that I am doing it right and I am not sending you down a rabbit hole here is an image of how I filled out the form. |
|
I just got everything setup to run Autopsy in Linux and copied the plugin over and ran it against the mozilla places.sqlite database and it ran fine. I noticed in the screen shot that you posted you also have the "Parse SQLite Del Rec" plugin checked as well. That maybe the problem. Can you try just the "Parse SQLite DB" plugin? Below is the screenshot from the run I just did with the plugin.
|
|
So I did as you asked and removed the SQLite Del Rec from the list of running plugins. Just to be sure I ran a query against my db file to ensure that it had content inside of it. I am running my Autopsy out of Netbeans. Do you think this is having an negative impact on the plugin running? |
|
Not sure what the problem is. Can you send me the trace files generated from the run. They are located in the logs folder of your case. |
|
Sure no problem. I am sending them via email. |
|
I just tried to get it to load on my Windows PC and I got the same results. I noticed that the files are SQLite3. Does this plugin support SQLite 3? |
|
@markmckinnon Is there any chance you have a small example database that you know works in your plugin that I can use? |
|
Try this one. |
|
It worked no problem.... No idea what is going on. |
|
Does the database that you used have a wal file associated with it. If it does then you would need to bring that into the logical files as well. More then likely the data is still in the wal file and has not been flushed to the database proper. |
|
So I got my file to work. And now I am wondering what the deal is. So I had the files a few directories down. I was putting the file name in after right clicking the folder I wanted to run the plugin against. It wasn't able to find it. After changing my logical file system to just the folder that contained the db file I was able to type in the name of the file and it worked fine. Is this how it should work? |
|
Is this still an error for you? |
|
hi, @markmckinnon I am also using it for the first time. I only checked the "Parse SQLite DB" plugin. I downloaded your database file to run it, but there is nothing in extracting the content. Is there any problem with my operation? Is there a wrong file name in the box on the right, or fill in the name of the table? |
|
When you checked the box was there data in the text area or did you check the box and then enter text into the the text area? Depending on the version of Autopsy there is a SQLite viewer now available within Autopsy. |
|
the latter,check the box and then enter text into the the text area |
|
Try it the other way around. Type in the text area then check the box and see if that helps. You should only have to put the file name in not the path. |
Hi @markmckinnon; I'm a bit new to Autopsy. I can't figure out how to get your SQLite python plugins to work (or maybe they are and I can't tell). I think your plugins give me a way of displaying SQLite content directly in Autopsy. Unfortunately I can't figure out how to run them and every time I run the ingest module I get nothing under Extracted Content. Could you create a readme file on how to run some of your modules. If you don't want to write them down and would prefer to just tell me I can write README files for the plugins I use. Thanks!
Edit:
I guess it is also worth mentioning that I am currently running on Ubuntu and have Autopsy running out of Netbeans. I am developing some plugins of my own.
The text was updated successfully, but these errors were encountered: