markmckinnon / Autopsy-Plugins

Autopsy Python Plugins

Autopsy find dir #42

Closed WildSiphon closed 2 years ago

WildSiphon commented 2 years ago

I encountered an issue trying to make the Volatility plugin work on Autopsy. I have autopsy-4.19.1. volatility and volatility3 are already installed locally on my computer (and working).

When asked in the Autopsy parameters to select the Executable Directory, I'm not sure what to do. I tried selecting vol.py in the directory of volatility 2.6 or just the parent directory... image

...but every time I get the same error: image

What am I doing wrong?

markmckinnon commented 2 years ago

When you tested that they worked, were you using the executables for volatility or trying to run from source? Did you also select any plugins to run? I can't tell from the screenshot if there are any. Also look in the Autopsy log for the case and see if there are any additional error messages or what line in the module it is having an issue with.

WildSiphon commented 2 years ago

I'm working on Ubuntu 20.04.3 LTS so I installed volatility from source. I have no executable files and I've been using volatility locally for a while. I discovered that you can have access to the timeline and other stuff in Autopsy with the plugin you made, so I decided to give it a try. I also installed all of the modules you provide. They are almost all selected when I'm launching a new case in Autopsy.

Looking in the logs gives me this output concerning volatility:

[...]
2021-09-23 21:16:34.673 org.sleuthkit.autopsy.ingest.IngestManager startIngestJob
SEVERE: Error starting Volatility Module ingest module for job 1
Traceback (most recent call last):
  File "/home/siphon/.autopsy/dev/python_modules/Volatility/Volatility.py", line 156, in startUp
    Plugins = Plugins.replace("[", "")
AttributeError: 'NoneType' object has no attribute 'replace'

    org.python.core.Py.AttributeError(Py.java:178)
    org.python.core.PyObject.noAttributeError(PyObject.java:965)
    org.python.core.PyObject.__getattr__(PyObject.java:959)
    Volatility$py.startUp$14(/home/siphon/.autopsy/dev/python_modules/Volatility/Volatility.py:193)
    Volatility$py.call_function(/home/siphon/.autopsy/dev/python_modules/Volatility/Volatility.py)
    org.python.core.PyTableCode.call(PyTableCode.java:173)
    org.python.core.PyBaseCode.call(PyBaseCode.java:306)
    org.python.core.PyBaseCode.call(PyBaseCode.java:197)
    org.python.core.PyFunction.__call__(PyFunction.java:485)
    org.python.core.PyMethod.instancemethod___call__(PyMethod.java:237)
    org.python.core.PyMethod.__call__(PyMethod.java:228)
    org.python.core.PyMethod.__call__(PyMethod.java:218)
    org.python.core.PyMethod.__call__(PyMethod.java:213)
    org.python.core.PyObject._jcallexc(PyObject.java:3565)
    org.python.proxies.Volatility$VolatilityIngestModule$337.startUp(Unknown Source)
    org.sleuthkit.autopsy.ingest.IngestTaskPipeline$PipelineModule.startUp(IngestTaskPipeline.java:378)
    org.sleuthkit.autopsy.ingest.IngestTaskPipeline.startUpIngestModules(IngestTaskPipeline.java:140)
    org.sleuthkit.autopsy.ingest.IngestTaskPipeline.startUp(IngestTaskPipeline.java:98)
    org.sleuthkit.autopsy.ingest.IngestJobPipeline.startUpIngestPipelines(IngestJobPipeline.java:564)
    org.sleuthkit.autopsy.ingest.IngestJobPipeline.start(IngestJobPipeline.java:528)
    org.sleuthkit.autopsy.ingest.IngestJob.start(IngestJob.java:213)
    org.sleuthkit.autopsy.ingest.IngestManager.startIngestJob(IngestManager.java:458)
    org.sleuthkit.autopsy.ingest.IngestJobInputStream.<init>(IngestJobInputStream.java:42)
    org.sleuthkit.autopsy.ingest.IngestManager.openIngestStream(IngestManager.java:308)
    org.sleuthkit.autopsy.casemodule.ImageDSProcessor.runWithIngestStream(ImageDSProcessor.java:284)
    org.sleuthkit.autopsy.casemodule.AddImageWizardAddingProgressPanel.lambda$startDataSourceProcessing$0(AddImageWizardAddingProgressPanel.java:371)
    java.lang.Thread.run(Thread.java:748)
2021-09-23 21:16:34.674 org.sleuthkit.autopsy.ingest.IngestManager startIngestJob
SEVERE: Error starting Volatility Dump File Module ingest module for job 1
Traceback (most recent call last):
  File "/home/siphon/.autopsy/dev/python_modules/Volatility/Volatility_Dump.py", line 157, in startUp
    Plugins = Plugins.replace("[", "")
AttributeError: 'NoneType' object has no attribute 'replace'

    org.python.core.Py.AttributeError(Py.java:178)
    org.python.core.PyObject.noAttributeError(PyObject.java:965)
    org.python.core.PyObject.__getattr__(PyObject.java:959)
    Volatility_Dump$py.startUp$14(/home/siphon/.autopsy/dev/python_modules/Volatility/Volatility_Dump.py:198)
    Volatility_Dump$py.call_function(/home/siphon/.autopsy/dev/python_modules/Volatility/Volatility_Dump.py)
    org.python.core.PyTableCode.call(PyTableCode.java:173)
    org.python.core.PyBaseCode.call(PyBaseCode.java:306)
    org.python.core.PyBaseCode.call(PyBaseCode.java:197)
    org.python.core.PyFunction.__call__(PyFunction.java:485)
    org.python.core.PyMethod.instancemethod___call__(PyMethod.java:237)
    org.python.core.PyMethod.__call__(PyMethod.java:228)
    org.python.core.PyMethod.__call__(PyMethod.java:218)
    org.python.core.PyMethod.__call__(PyMethod.java:213)
    org.python.core.PyObject._jcallexc(PyObject.java:3565)
    org.python.proxies.Volatility_Dump$VolatilityDumpIngestModule$344.startUp(Unknown Source)
    org.sleuthkit.autopsy.ingest.IngestTaskPipeline$PipelineModule.startUp(IngestTaskPipeline.java:378)
    org.sleuthkit.autopsy.ingest.IngestTaskPipeline.startUpIngestModules(IngestTaskPipeline.java:140)
    org.sleuthkit.autopsy.ingest.IngestTaskPipeline.startUp(IngestTaskPipeline.java:98)
    org.sleuthkit.autopsy.ingest.IngestJobPipeline.startUpIngestPipelines(IngestJobPipeline.java:564)
    org.sleuthkit.autopsy.ingest.IngestJobPipeline.start(IngestJobPipeline.java:528)
    org.sleuthkit.autopsy.ingest.IngestJob.start(IngestJob.java:213)
    org.sleuthkit.autopsy.ingest.IngestManager.startIngestJob(IngestManager.java:458)
    org.sleuthkit.autopsy.ingest.IngestJobInputStream.<init>(IngestJobInputStream.java:42)
    org.sleuthkit.autopsy.ingest.IngestManager.openIngestStream(IngestManager.java:308)
    org.sleuthkit.autopsy.casemodule.ImageDSProcessor.runWithIngestStream(ImageDSProcessor.java:284)
    org.sleuthkit.autopsy.casemodule.AddImageWizardAddingProgressPanel.lambda$startDataSourceProcessing$0(AddImageWizardAddingProgressPanel.java:371)
    java.lang.Thread.run(Thread.java:748)
[...]
markmckinnon commented 2 years ago

What Volatility plugins have you selected to run? This is the list of volatility plugins you can choose from. image

WildSiphon commented 2 years ago

Oh I see, I didn't understand that I should select one of them. I selected "connection" in Volatility Module when creating a new case to try, and the error seems to have vanished.

So I have to choose which module I want to run before opening a case? Can I still change modules or use volatility like usual, but in Autopsy, after importing a memory dump?

Thank you for your time

markmckinnon commented 2 years ago

You can pick as many volatility plugins as you want. If you decide to run more after the initial ingest, then you rerun it with different volatility plugins picked.
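The traceback above shows the real cause of the confusing error: `startUp` read the plugin selection from the module settings, got `None` because nothing had been ticked, and called `.replace("[", "")` on it. The snippet below is an added illustration, not the plugin's own code, of how a `startUp` can turn that into a clear, actionable message instead of an `AttributeError`. It assumes (from the `Plugins.replace("[", "")` line in the log) that the setting is stored as a bracketed, comma-separated string such as `"[pslist, connections]"`; `MissingPluginSelectionError` is a stand-in for whatever exception the ingest framework expects, and `describe_startup` stands in for the module's real `startUp`.

```python
"""Defensive parsing of a Volatility plugin selection (added example, not the plugin's code)."""


class MissingPluginSelectionError(ValueError):
    """Raised when no plugin was chosen in the module settings.

    Stand-in (assumption) for the ingest framework's own startup exception.
    """


def parse_plugin_selection(plugins_setting):
    """Turn the stored setting (assumed form: "[pslist, connections]") into a list of names.

    The plugin in the thread crashed with AttributeError because the setting was
    None when nothing had been selected; here both None and an empty selection
    become an explicit error that tells the analyst what to fix.
    """
    if plugins_setting is None:
        raise MissingPluginSelectionError(
            "No Volatility plugins selected: pick at least one in the module "
            "settings before starting ingest"
        )
    # Strip the list brackets the settings panel wraps around the selection.
    cleaned = plugins_setting.replace("[", "").replace("]", "")
    # Split on commas, trim whitespace, and drop empty entries from "[]" or ",,".
    names = [name.strip() for name in cleaned.split(",") if name.strip()]
    if not names:
        raise MissingPluginSelectionError(
            "Plugin selection is empty: pick at least one Volatility plugin"
        )
    return names


def describe_startup(plugins_setting):
    """Mimic a startUp(): return (True, plugin list) or (False, readable message).

    Returning the message instead of raising keeps the example easy to check;
    a real ingest module would raise the framework's exception instead.
    """
    try:
        return True, parse_plugin_selection(plugins_setting)
    except MissingPluginSelectionError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed inputs: the failing case from the thread, then a valid one.
    for setting in (None, "[]", "connection", "[pslist, connections]"):
        print(repr(setting), "->", describe_startup(setting))
```

With this shape, the log line for an unselected plugin list reads "No Volatility plugins selected" rather than a `NoneType` traceback, which is what the reporter needed to see in the first place.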

WildSiphon commented 2 years ago

Cool, thanks for your time