Compare revisions
Commits on Source (10276)
Showing with 1517 additions and 0 deletions
*.h text diff=cpp
*.c text diff=cpp
*.cpp text diff=cpp
*.java text diff=java
*.txt text
*.xml text
*.properties-MERGED text
*.html text diff=html
*.dox text
*.am text
*.ac text
*.m4 text
*.pro text
*.in text
*.1 text
Makefile text
Doxyfile text
*.py text diff=python
*.pl text diff=perl
*.pm text diff=perl
*.base text diff=perl
*.vcproj text eol=crlf
*.vcxproj* text eol=crlf
*.sln text eol=crlf
*.bat text eol=crlf
.gitignore text
# NetBeans user-specific settings
/bindings/java/nbproject/private/
# Bindings dependecies and build folders
/bindings/java/lib/
/bindings/java/build/
/bindings/java/dist
/bindings/java/doxygen/tskjni_doxygen.tag
/bindings/java/test/output/results
/bindings/java/test/output/gold/dummy
/bindings/java/test/output/gold/*_BU.txt
/bindings/java/test/output/gold/*_CPP.txt
/bindings/java/test/output/gold/*_CPP_SRT.txt
/bindings/java/test/input
/bindings/java/nbproject/genfiles.properties
/bindings/java/nbproject/nbjdk.properties
/bindings/java/nbproject/jdk.xml
/bindings/java/nbproject/nbjdk.xml
/bindings/java/libts*
*~
*.class
/bindings/java/build/
/bindings/java/dist/
/bindings/java/nbproject/*
!/bindings/java/nbproject/project.xml
!/bindings/java/nbproject/project.properties
# Nuget packages
/win32/packages/
# CASE-UCO build and release folder
/case-uco/java/build/
/case-uco/java/dist/
/case-uco/java/nbproject/private/
/case-uco/java/nbproject/genfiles.properties
# Windows build folders
/win32/Debug_NoLibs/
/win32/*/Debug_NoLibs/
/win32/Debug/
/win32/Debug_PostgreSQL/
/win32/*/Debug/
/win32/*/Debug_PostgreSQL/
/win32/Release/
/win32/Release_PostgreSQL/
/win32/*/Release/
/win32/*/Release_PostgreSQL/
/win32/Release_NoLibs/
/win32/*/Release_NoLibs/
/win32/*/x64/
/win32/x64/
/win32/*/*.user
win32/ipch
win32/BuildErrors.txt
win32/BuildErrors-64bit.txt
win32/.vs
win32/tsk-win.VC.VC.opendb
win32/tsk-win.VC.opendb
win32/tsk-win.VC.db
framework/msvcpp/framework/Debug/
framework/msvcpp/framework/Release/
framework/msvcpp/*/*.user
framework/msvcpp/*/Debug/
framework/msvcpp/*/Release/
framework/msvcpp/BuildLog.txt
framework/msvcpp/*/ipch
framework/runtime/
framework/SampleConfig/to_install/
framework/modules/*/win32/Debug/
framework/modules/*/win32/Release/
framework/modules/*/win32/*.user
framework/modules/c_InterestingFilesModule/tsk
framework/config.h
framework/tools/tsk_analyzeimg/tsk_analyzeimg
framework/tools/tsk_validatepipeline/tsk_validatepipeline
rejistry++/msvcpp/*/Debug
rejistry++/msvcpp/*/Release
rejistry++/msvcpp/*/Release_NoLibs
rejistry++/msvcpp/*/x64
rejistry++/msvcpp/*/*.user
rejistry++/msvcpp/rejistry++/ipch
# Release files
release/sleuthkit-*
release/clone
# IntelliSense data
/win32/*.ncb
/win32/*.sdf
framework/msvcpp/framework/*.ncb
framework/msvcpp/framework/*sdf
rejistry++/msvcpp/rejistry++/*.ncb
rejistry++/msvcpp/rejistry++/*sdf
# Visual Studio user options
/win32/tsk-win.suo
framework/msvcpp/framework/*.suo
rejistry++/msvcpp/rejistry++/*suo
*.sln.cache
win32/tsk-win.opensdf
# Make crud
*.o
*.lo
*.la
*.jar
Makefile
.deps
.libs
*.swp
#javadoc generated
/bindings/java/javadoc
# Files generated by running configure
*.in
stamp-h1
tsk/tsk_config.h
tsk/tsk_incs.h
tsk/tsk.pc
aclocal.m4
autom4te.cache
config.log
config.status
configure
libtool
m4/libtool.m4
m4/lt*.m4
config/*
# Executables
samples/callback_cpp_style
samples/callback_style
samples/posix_cpp_style
samples/posix_style
samples/*.exe
tests/*.exe
tests/*.log
tests/*.trs
tests/fs_attrlist_apis
tests/fs_fname_apis
tests/fs_thread_test
tests/read_apis
tools/autotools/tsk_comparedir
tools/autotools/tsk_gettimes
tools/autotools/tsk_imageinfo
tools/autotools/tsk_loaddb
tools/autotools/tsk_recover
tools/fiwalk/plugins/jpeg_extract
tools/fiwalk/src/fiwalk
tools/fiwalk/src/test_arff
tools/fstools/blkcat
tools/fstools/blkcalc
tools/fstools/blkls
tools/fstools/blkstat
tools/fstools/fcat
tools/fstools/ffind
tools/fstools/fls
tools/fstools/fsstat
tools/fstools/icat
tools/fstools/ifind
tools/fstools/ils
tools/fstools/istat
tools/fstools/jcat
tools/fstools/jls
tools/fstools/usnjls
tools/hashtools/hfind
tools/imgtools/img_cat
tools/imgtools/img_stat
tools/pooltools/pstat
tools/sorter/sorter
tools/srchtools/sigfind
tools/srchtools/srch_strings
tools/timeline/mactime
tools/vstools/mmcat
tools/vstools/mmls
tools/vstools/mmstat
tools/*/*.exe
tools/*/*/*.exe
unit_tests/base/*.log
unit_tests/base/*.trs
unit_tests/base/test_base
# EMACS backup files
*~
# Mac Junk
.DS_Store
# Test images
*.img
*.vhd
*.E01
*.vmdk
sleuthkit-*.tar.gz
#Test data folder
tests/data
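Review bot: `*.in` (under `# Files generated by running configure`) and the bare `Makefile` entry are broad enough to hide hand-maintained files, and they contradict the `.gitattributes` hunk above, which declares `*.in text` and `Makefile text` as if those files were tracked; narrow them to the generated names (`Makefile.in`, `/Makefile`, and note that `Makefile.in` comes from automake, not configure) or drop the attributes, so the two files agree. Smaller points: `*~`, `/bindings/java/build/` and `/bindings/java/dist/` appear twice, `/bindings/java/nbproject/private/` is already covered by the later `/bindings/java/nbproject/*` rule, and `dependecies` in the comment should be `dependencies`.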
language: cpp
matrix:
include:
- compiler: clang
os: linux
dist: bionic
sudo: required
group: edge
- compiler: gcc
os: linux
dist: bionic
sudo: required
group: edge
- compiler: clang
os: osx
- compiler: gcc
os: osx
addons:
apt:
update: true
packages:
- libafflib-dev
- libewf-dev
- libpq-dev
- autopoint
- libsqlite3-dev
- ant
- ant-optional
- libcppunit-dev
- wget
- openjdk-8-jdk
homebrew:
update: true
packages:
- ant
- wget
- libewf
- gettext
- cppunit
- afflib
taps: homebrew/cask-versions
casks: adoptopenjdk8
python:
- "2.7"
install:
- ./travis_install_libs.sh
before_script:
- if [ $TRAVIS_OS_NAME = linux ]; then
sudo update-alternatives --set java /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java;
sudo update-alternatives --set javac /usr/lib/jvm/java-8-openjdk-amd64/bin/javac;
export PATH=/usr/bin:$PATH;
unset JAVA_HOME;
fi
- if [ $TRAVIS_OS_NAME = "osx" ]; then
export PATH=${PATH}:/usr/local/opt/gettext/bin;
brew uninstall java --force;
brew cask uninstall java --force;
fi
script:
- javac -version
- ./bootstrap && ./configure --prefix=/usr && make
- pushd bindings/java/ && ant -q dist
# don't run tests on osx; libtsk not present due to SIP on osx: VIK-6971
- if test ${TRAVIS_OS_NAME} != "osx"; then
ant -q test;
fi
- popd
- pushd case-uco/java/ && ant -q && popd
- make check && if [ -f "tests/test-suite.log" ];then cat tests/test-suite.log; fi ; if [ -f "unit_tests/base/test-suite.log" ];then cat unit_tests/base/test-suite.log; fi
- if test ${TRAVIS_OS_NAME} = "linux"; then
pushd release && ./release-unix.pl ci && popd;
fi
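Review bot: the `python:` / `- "2.7"` block sits under a `language: cpp` matrix where it has no effect, and Python 2.7 is end-of-life; drop it, or install the interpreter the scripts need explicitly in `install:`. `sudo: required` and `group: edge` are legacy Travis keys that current infrastructure ignores, and `brew cask uninstall java --force` in the osx `before_script` uses the removed `brew cask` subcommand (`brew uninstall --cask java` on current Homebrew), so that step will fail once the image updates.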
Changes to make once we are ready to do a backwards incompatible change.
- TSK_SERVICE_ACCOUNT to TSK_ACCOUNT
- HashDB to use new TSK_BASE_HASHDB enum instead of its own ENUM
- Java SleuthkitCase.addArtifactType should return different if artifact already exists or getArtifactId should....
- Java SleuthkitCase.findFilesWhere should return AbstractFile like findFiles
- getUniquePath() should not throw exception.
- findFilesInImage should return an enum like TskDB methods differentiating if any data was found or not.
- remove addImageInfo in db_Sqlite that does not take MD5, and/or make it take IMG_INFO as argument
\ No newline at end of file
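Review bot: the `addArtifactType` item trails off with `....` and the file ends without a newline (`\ No newline at end of file`); finish the sentence (what should be returned when the artifact already exists) and add the trailing newline so later diffs stay clean.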
This program does not distribute an official ChangeLog file. You
can generate one from the subversion repository though using the
following command:
svn log http://svn.sleuthkit.org/repos/sleuthkit/
For a specific release, try something like:
svn log http://svn.sleuthkit.org/repos/sleuthkit/tags/sleuthkit-3.0.0
and replace 3.0.0 with the version you are interested in.
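Review bot: the ChangeLog still tells users to run `svn log` against `http://svn.sleuthkit.org/repos/sleuthkit/` (over plain HTTP, with a 3.0.0 tag as the example) while the README in this same change links the GitHub repository; replace the Subversion instructions with the equivalent `git log` invocation and tag naming, or point at the release notes, so the file does not send readers to a stale, unencrypted source.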
The Sleuth Kit
http://www.sleuthkit.org/sleuthkit
Installation Instructions
Last Modified: Oct 2022
REQUIREMENTS
=============================================================================
Tested Platform:
- FreeBSD 2-6.*
- Linux 2.*
- OpenBSD 2-3.*
- Mac OS X
- SunOS 4-5.*
- Windows
Build System (to compile from a source distribution):
- C/C++ compiler (C++ 14 required)
- GNU Make
- Java compiler / JDK (if you want the java bindings)
Development System (to extend TSK or compile from the repository):
- GNU autoconf, automake, and libtool
- Plus the build system requirements
Optional Programs:
- Autopsy: Provides a graphical HTML-based interface to The
Sleuth Kit (which makes it much easier to use). Install this AFTER
installing The Sleuth Kit.
Available at: http://www.sleuthkit.org/autopsy
Optional Libraries:
There are optional features that TSK can use if you have installed
them before you build and install TSK.
- AFFLIB: Allows you to process disk images that are stored in the
AFF format. Version 3.3.6 has been tested to compile and work with this
release.
Available at: http://www.afflib.org
- LibEWF: Allows you to process disk images that are stored in the
Expert Witness format (EnCase Format). Version 20130128 has been
tested to compile and work with this release. It is the last
stable release of libewf and therefore the only one that we
currently support. You can download it from:
https://github.com/sleuthkit/libewf_64bit
The official repository is available here, but there is not
a package of the last stable release:
https://github.com/libyal/libewf-legacy
Available at: http://sourceforge.net/projects/libewf/
- Libvhdi: Allows you to process disk images that are stored in the
Virtual Hard Disk format (VHD).
The official repository is available here:
https://github.com/libyal/libvhdi
- Libvmdk: Allows you to process disk images that are stored in the
VMware Virtual Disk format (VMDK).
The official repository is available here:
https://github.com/libyal/libvmdk
- Libvslvm: Allows you to access the Linux Logical Volume Manager (LVM) format
that is sotred on a disk image. A stand-alone version of libbfio is needed
to allow libvslvm to directly read from a TSK_IMAGE.
The official repository is available here:
https://github.com/libyal/libvslvm
https://github.com/libyal/libbfio
INSTALLATION
=============================================================================
Refer to the README_win32.txt file for details on Windows.
The Sleuth Kit uses the GNU autotools for building and installation.
There are a few steps to this process. First, run the 'configure'
script in the root TSK directory. See the CONFIGURE OPTIONS section
for useful arguments that can be given to 'configure.
$ ./configure
If there were no errors, then run 'make'. If you do not have a
'configure' script, then it is probably because you cloned the
source code repository. If so, you will need to have automake,
autoconf, and libtool installed and you can create the configure
script using the 'bootstrap' script in the root directory.
$ make
The 'make' process will take a while and will build the TSK tools.
When this process is complete, the libraries and executables will
be located in the TSK sub-directories. To install them, type
'make install'.
$ make install
By default, this will copy everything in to the /usr/local/ structure.
So, the executables will be in '/usr/local/bin'. This directory will
need to be in your PATH if you want to run the TSK commands without
specifying '/usr/local/bin' everytime.
If you get an error like:
libtool: Version mismatch error. This is libtool 2.2.10, but the
libtool: definition of this LT_INIT comes from libtool 2.2.4.
libtool: You should recreate aclocal.m4 with macros from libtool 2.2.10
libtool: and run autoconf again.
Run:
./bootstrap
and then go back to running configure and make. To run 'bootstrap',
you'll need to have the autotools installed (see the list at the
top of this page).
CONFIGURE OPTIONS
-----------------------------------------------------------------------------
There are some arguments to 'configure' that you can supply to
customize the setup. Currently, they focus on the optional disk
image format libraries.
--without-afflib: Supply this if you want TSK to ignore AFFLIB even
if it is installed.
--with-afflib=dir: Supply this if you want TSK to look in 'dir' for
the AFFLIB installation (the directory should have 'lib' and 'include'
directories in it).
--without-ewf: Supply this if you want TSK to ignore libewf even
if it is installed.
--with-libewf=dir: Supply this if you want TSK to look in 'dir' for
the libewf installation (the directory should have 'lib' and 'include'
directories in it).
--without-libvhdi: Supply this if you want TSK to ignore libvhdi even
if it is installed.
--with-libvhdi=dir: Supply this if you want TSK to look in 'dir' for
the libvhdi installation (the directory should have 'lib' and 'include'
directories in it).
--without-libvmdk: Supply this if you want TSK to ignore libvmdk even
if it is installed.
--with-libvmdk=dir: Supply this if you want TSK to look in 'dir' for
the libvmdk installation (the directory should have 'lib' and 'include'
directories in it).
--without-libvslvm: Supply this if you want TSK to ignore libvslvm even
if it is installed.
--with-libvslvm=dir: Supply this if you want TSK to look in 'dir' for
the libvslvm installation (the directory should have 'lib' and 'include'
directories in it).
--without-libbfio: Supply this if you want TSK to ignore libbfio even
if it is installed.
--with-libbfio=dir: Supply this if you want TSK to look in 'dir' for
the libbfio installation (the directory should have 'lib' and 'include'
directories in it).
-----------------------------------------------------------------------------
Brian Carrier
carrier <at> sleuthkit <dot> org
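Review bot: the configure flags are named inconsistently: the disable option is `--without-ewf` but the directory option is `--with-libewf=dir`, while every other library uses the same stem for both (`--without-libvhdi` / `--with-libvhdi=dir`); confirm which spelling `configure.ac` actually accepts and use it in both lines. Also, `sotred` should be `stored` in the Libvslvm entry; the 'Tested Platform' list (FreeBSD 2-6.*, Linux 2.*, SunOS 4-5.*) predates both the 'Oct 2022' modification date and the C++14 requirement stated a few lines below; and the `$ ./configure` example comes before the paragraph explaining that a cloned repository needs `./bootstrap` first, so a reader following the steps in order hits a missing script.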
# File that we want to include in the dist
EXTRA_DIST = README_win32.txt README.md INSTALL.txt ChangeLog.txt NEWS.txt API-CHANGES.txt \
licenses/README.md licenses/GNUv2-COPYING licenses/GNUv3-COPYING licenses/IBM-LICENSE \
licenses/Apache-LICENSE-2.0.txt licenses/cpl1.0.txt licenses/bsd.txt licenses/mit.txt \
m4/*.m4 \
docs/README.txt \
packages/sleuthkit.spec \
win32/BUILDING.txt \
win32/*/*.vcxproj \
win32/tsk-win.sln \
win32/NugetPackages.props \
win32/docs/* \
bindings/java/README.txt \
bindings/java/*.xml \
bindings/java/doxygen/Doxyfile \
bindings/java/doxygen/*.dox \
bindings/java/doxygen/*.html \
bindings/java/nbproject/project.xml \
bindings/java/src/org/sleuthkit/datamodel/*.java \
bindings/java/src/org/sleuthkit/datamodel/*.html \
bindings/java/src/org/sleuthkit/datamodel/*.properties \
bindings/java/src/org/sleuthkit/datamodel/blackboardutils/*.java \
bindings/java/src/org/sleuthkit/datamodel/blackboardutils/attributes/*.java \
bindings/java/src/org/sleuthkit/datamodel/Examples/*.java \
bindings/java/src/*.html \
case-uco/java/*.xml \
case-uco/java/*.md \
case-uco/java/nbproject/*.xml \
case-uco/java/nbproject/*.properties \
case-uco/java/src/org/sleuthkit/caseuco/*.java \
case-uco/java/test/org/sleuthkit/caseuco/*.java
ACLOCAL_AMFLAGS = -I m4
# directories to compile
if CPPUNIT
UNIT_TESTS=unit_tests
endif
# Compile java bindings if all of the dependencies existed
if X_JNI
JAVA_BINDINGS=bindings/java
JAVA_CASEUCO=case-uco/java
else
JAVA_BINDINGS=
JAVA_CASEUCO=
endif
SUBDIRS = tsk tools tests samples man $(UNIT_TESTS) $(JAVA_BINDINGS) $(JAVA_CASEUCO)
nobase_include_HEADERS = tsk/libtsk.h tsk/tsk_incs.h \
tsk/base/tsk_base.h tsk/base/tsk_os.h \
tsk/img/tsk_img.h tsk/vs/tsk_vs.h tsk/img/pool.hpp tsk/img/logical_img.h \
tsk/vs/tsk_bsd.h tsk/vs/tsk_dos.h tsk/vs/tsk_gpt.h \
tsk/vs/tsk_mac.h tsk/vs/tsk_sun.h \
tsk/fs/tsk_fs.h tsk/fs/tsk_ffs.h tsk/fs/tsk_ext2fs.h tsk/fs/tsk_fatfs.h \
tsk/fs/tsk_ntfs.h tsk/fs/tsk_iso9660.h tsk/fs/tsk_hfs.h tsk/fs/tsk_yaffs.h tsk/fs/tsk_logical_fs.h \
tsk/fs/tsk_apfs.h tsk/fs/tsk_apfs.hpp tsk/fs/apfs_fs.h tsk/fs/apfs_fs.hpp tsk/fs/apfs_compat.hpp \
tsk/fs/decmpfs.h tsk/fs/tsk_exfatfs.h tsk/fs/tsk_fatxxfs.h tsk/fs/tsk_xfs.h \
tsk/hashdb/tsk_hashdb.h tsk/auto/tsk_auto.h \
tsk/auto/tsk_is_image_supported.h tsk/auto/guid.h \
tsk/pool/tsk_pool.h tsk/pool/tsk_pool.hpp tsk/pool/tsk_apfs.h tsk/pool/tsk_apfs.hpp \
tsk/pool/pool_compat.hpp tsk/pool/apfs_pool_compat.hpp \
tsk/pool/lvm_pool_compat.hpp \
tsk/util/crypto.hpp tsk/util/lw_shared_ptr.hpp tsk/util/span.hpp \
tsk/util/detect_encryption.h tsk/util/file_system_utils.h
nobase_dist_data_DATA = tsk/sorter/default.sort tsk/sorter/freebsd.sort \
tsk/sorter/images.sort tsk/sorter/linux.sort tsk/sorter/openbsd.sort \
tsk/sorter/solaris.sort tsk/sorter/windows.sort
api-docs:
doxygen tsk/docs/Doxyfile
cd bindings/java/doxygen; doxygen Doxyfile
man-html:
cd man;build-html
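Review bot: `api-docs` and `man-html` are not declared `.PHONY`, and their recipes chain with `;` (`cd bindings/java/doxygen; doxygen Doxyfile`, `cd man;build-html`), so a failed `cd` still runs the second command in the top-level directory; use `cd ... && ...`, and invoke the script as `./build-html` rather than relying on `.` being on `PATH`.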
[![Build Status](https://travis-ci.org/sleuthkit/sleuthkit.svg?branch=develop)](https://travis-ci.org/sleuthkit/sleuthkit)
[![Build status](https://ci.appveyor.com/api/projects/status/8f7ljj8s2lh5sqfv?svg=true)](https://ci.appveyor.com/project/bcarrier/sleuthkit)
# [The Sleuth Kit](http://www.sleuthkit.org/sleuthkit)
## INTRODUCTION
The Sleuth Kit is an open source forensic toolkit for analyzing
Microsoft and UNIX file systems and disks. The Sleuth Kit enables
investigators to identify and recover evidence from images acquired
during incident response or from live systems. The Sleuth Kit is
open source, which allows investigators to verify the actions of
the tool or customize it to specific needs.
The Sleuth Kit uses code from the file system analysis tools of
The Coroner's Toolkit (TCT) by Wietse Venema and Dan Farmer. The
TCT code was modified for platform independence. In addition,
support was added for the NTFS (see [wiki/ntfs](http://wiki.sleuthkit.org/index.php?title=NTFS_Implementation_Notes))
and FAT (see [wiki/fat](http://wiki.sleuthkit.org/index.php?title=FAT_Implementation_Notes)) file systems. Previously, The Sleuth Kit was
called The @stake Sleuth Kit (TASK). The Sleuth Kit is now independent
of any commercial or academic organizations.
It is recommended that these command line tools can be used with
the Autopsy Forensic Browser. Autopsy, (http://www.sleuthkit.org/autopsy),
is a graphical interface to the tools of The Sleuth Kit and automates
many of the procedures and provides features such as image searching
and MD5 image integrity checks.
As with any investigation tool, any results found with The Sleuth
Kit should be be recreated with a second tool to verify the data.
## OVERVIEW
The Sleuth Kit allows one to analyze a disk or file system image
created by 'dd', or a similar application that creates a raw image.
These tools are low-level and each performs a single task. When
used together, they can perform a full analysis. For a more detailed
description of these tools, refer to [wiki/filesystem](http://wiki.sleuthkit.org/index.php?title=TSK_Tool_Overview).
The tools are briefly described in a file system layered approach. Each
tool name begins with a letter that is assigned to the layer.
### File System Layer:
A disk contains one or more partitions (or slices). Each of these
partitions contain a file system. Examples of file systems include
the Berkeley Fast File System (FFS), Extended 2 File System (EXT2FS),
File Allocation Table (FAT), and New Technologies File System (NTFS).
The fsstat tool displays file system details in an ASCII format.
Examples of data in this display include volume name, last mounting
time, and the details about each "group" in UNIX file systems.
### Content Layer (block):
The content layer of a file system contains the actual file content,
or data. Data is stored in large chunks, with names such as blocks,
fragments, and clusters. All tools in this layer begin with the letters
'blk'.
The blkcat tool can be used to display the contents of a specific unit of
the file system (similar to what 'dd' can do with a few arguments).
The unit size is file system dependent. The 'blkls' tool displays the
contents of all unallocated units of a file system, resulting in a
stream of bytes of deleted content. The output can be searched for
deleted file content. The 'blkcalc' program allows one to identify the
unit location in the original image of a unit in the 'blkls' generated
image.
A new feature of The Sleuth Kit from TCT is the '-l' argument to
'blkls' (or 'unrm' in TCT). This argument lists the details for data
units, similar to the 'ils' command. The 'blkstat' tool displays
the statistics of a specific data unit (including allocation status
and group number).
### Metadata Layer (inode):
The metadata layer describes a file or directory. This layer contains
descriptive data such as dates and size as well as the addresses of the
data units. This layer describes the file in terms that the computer
can process efficiently. The structures that the data is stored in
have names such as inode and directory entry. All tools in this layer
begin with an 'i'.
The 'ils' program lists some values of the metadata structures.
By default, it will only list the unallocated ones. The 'istat'
displays metadata information in an ASCII format about a specific
structure. New to The Sleuth Kit is that 'istat' will display the
destination of symbolic links. The 'icat' function displays the
contents of the data units allocated to the metadata structure
(similar to the UNIX cat(1) command). The 'ifind' tool will identify
which metadata structure has allocated a given content unit or
file name.
Refer to the [ntfs wiki](http://wiki.sleuthkit.org/index.php?title=NTFS_Implementation_Notes)
for information on addressing metadata attributes in NTFS.
### Human Interface Layer (file):
The human interface layer allows one to interact with files in a
manner that is more convenient than directly with the metadata
layer. In some operating systems there are separate structures for
the metadata and human interface layers while others combine them.
All tools in this layer begin with the letter 'f'.
The 'fls' program lists file and directory names. This tool will
display the names of deleted files as well. The 'ffind' program will
identify the name of the file that has allocated a given metadata
structure. With some file systems, deleted files will be identified.
#### Time Line Generation
Time lines are useful to quickly get a picture of file activity.
Using The Sleuth Kit a time line of file MAC times can be easily
made. The mactime (TCT) program takes as input the 'body' file
that was generated by fls and ils. To get data on allocated and
unallocated file names, use 'fls -rm dir' and for unallocated inodes
use 'ils -m'. Note that the behavior of these tools are different
than in TCT. For more information, refer to [wiki/mactime](http://wiki.sleuthkit.org/index.php?title=Mactime).
#### Hash Databases
Hash databases are used to quickly identify if a file is known. The
MD5 or SHA-1 hash of a file is taken and a database is used to identify
if it has been seen before. This allows identification to occur even
if a file has been renamed.
The Sleuth Kit includes the 'md5' and 'sha1' tools to generate
hashes of files and other data.
Also included is the 'hfind' tool. The 'hfind' tool allows one to create
an index of a hash database and perform quick lookups using a binary
search algorithm. The 'hfind' tool can perform lookups on the NIST
National Software Reference Library (NSRL) (www.nsrl.nist.gov) and
files created from the 'md5' or 'md5sum' command. Refer to the
[wiki/hfind](http://wiki.sleuthkit.org/index.php?title=Hfind) file for more details.
#### File Type Categories
Different types of files typically have different internal structure.
The 'file' command comes with most versions of UNIX and a copy is
also distributed with The Sleuth Kit. This is used to identify
the type of file or other data regardless of its name and extension.
It can even be used on a given data unit to help identify what file
used that unit for storage. Note that the 'file' command typically
uses data in the first bytes of a file so it may not be able to
identify a file type based on the middle blocks or clusters.
The 'sorter' program in The Sleuth Kit will use other Sleuth Kit
tools to sort the files in a file system image into categories.
The categories are based on rule sets in configuration files. The
'sorter' tool will also use hash databases to flag known bad files
and ignore known good files. Refer to the [wiki/sorter](http://wiki.sleuthkit.org/index.php?title=Sorter)
file for more details.
## LICENSE
There are a variety of licenses used in TSK based on where they
were first developed. The licenses are located in the [licenses
directory](https://github.com/sleuthkit/sleuthkit/tree/develop/licenses).
- The file system tools (in the
[tools/fstools](https://github.com/sleuthkit/sleuthkit/tree/develop/tools/fstools)
directory) are released under the IBM open source license and Common
Public License.
- srch_strings and fiwalk are released under the GNU Public License
- Other tools in the tools directory are Common Public License
- The modifications to 'mactime' from the original 'mactime' in TCT
and 'mac-daddy' are released under the Common Public License.
The library uses utilities that were released under MIT and BSD 3-clause.
## INSTALL
For installation instructions, refer to the INSTALL.txt document.
## OTHER DOCS
The [wiki](http://wiki.sleuthkit.org/index.php?title=Main_Page) contains documents that
describe the provided tools in more detail. The Sleuth Kit Informer is a newsletter that contains
new documentation and articles.
> www.sleuthkit.org/informer/
## MAILING LIST
Mailing lists exist on SourceForge, for both users and a low-volume
announcements list.
> http://sourceforge.net/mail/?group_id=55685
Brian Carrier
carrier at sleuthkit dot org
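Review bot: the Hash Databases section says the kit 'includes the md5 and sha1 tools', but the `# Executables` list in the `.gitignore` hunk names only `tools/hashtools/hfind` under hashtools and no `md5` or `sha1` binary; verify those tools still ship or reword the sentence. Wording fixes: 'should be be recreated' has a doubled word, and 'It is recommended that these command line tools can be used with the Autopsy Forensic Browser' reads better as 'It is recommended that these command line tools be used with ...'. The first badge links travis-ci.org, whose service has been retired; point it at the CI that is actually configured (AppVeyor is the other badge, and the `appveyor.yml` hunk below defines the jobs).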
The Sleuth Kit
Win32 README File
http://www.sleuthkit.org/sleuthkit
Last Modified: Jan 2014
====================================================================
The Sleuth Kit (TSK) runs on Windows. If you simply want the
executables, you can download them from the www.sleuthkit.org
website.
If you want to build your own executables, you have two options.
1) Microsoft Visual Studio. The VS solution file is in the win32
directory. Refer to the win32\BUILDING.txt file for details for
building the 32-bit and 64-bit versions.
2) mingw32. See below for more details.
---------------------------------------------------------------
MINGW32
If you're using mingw32 on Linux, simply give the
"--host=i586-mingw32msvc" argument when running the './configure'
script and use 'make' to compile. If you're using mingw32 on Windows,
'./configure' and 'make' will work directly.
Note that to compile the Java bindings you will need to have a JDK
to be installed, and by default the Oracle JDK on Windows is installed
in a path such as C:\Program Files\Java\jdk1.6.0_16\. GNU autotools
(which is used if you do a mingw32 compile, but not a Visual Studio
compile) do not handle paths containing spaces, so you will need
to copy the JDK to a directory without spaces in the name, such as
C:\jdk1.6.0_16\, then add C:\jdk1.6.0_16\bin to $PATH before running
'./configure'
Note also that libtool may fail on mingw32 on Windows if
C:\Windows\system32 is on $PATH before /usr/bin. The fix is to have
the C:\Windows directories at the _end_ of your mingw $PATH.
-------------------------------------------------------------------
carrier <at> sleuthkit <dot> org
Brian Carrier
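Review bot: the JDK path example `C:\Program Files\Java\jdk1.6.0_16\` is out of step with the `appveyor.yml` hunk, which sets `JDK_HOME: C:\Program Files\Java\jdk1.8.0`, and `--host=i586-mingw32msvc` names the old 32-bit MinGW triplet; update both to the toolchain the project actually builds with, and move the 'Last Modified: Jan 2014' stamp at the same time.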
version: 4.6.0.{build}
environment:
matrix:
- job_name: Windows Build
appveyor_build_worker_image: Visual Studio 2019
- job_name: Linux Build
appveyor_build_worker_image: Ubuntu
- job_name: macOS Build
appveyor_build_worker_image: macos-catalina
matrix:
fast_finish: true
# job-specific configurations
for:
-
matrix:
only:
- job_name: Windows Build
cache:
- C:\Users\appveyor\.ant
- C:\ProgramData\chocolatey\bin
- C:\ProgramData\chocolatey\lib
install:
- ps: choco install nuget.commandline
- ps: choco install ant --ignore-dependencies
- ps: $env:Path="C:\Program Files\Java\jdk1.8.0\bin;$($env:Path);C:\ProgramData\chocolatey\lib\ant"
- set PATH=C:\Python36-x64\';%PATH%
environment:
global:
TSK_HOME: "%APPVEYOR_BUILD_FOLDER%"
PYTHON: "C:\\Python36-x64"
JDK_HOME: C:\Program Files\Java\jdk1.8.0
services:
before_build:
- nuget restore win32\libtsk -PackagesDirectory win32\packages
build_script:
- python win32\updateAndBuildAll.py -m
- ps: ant -version
- ps: pushd bindings/java
- cmd: ant -q dist
- ps: popd
- ps: pushd case-uco/java
- cmd: ant -q
- ps: popd
test_script:
- cmd: ant -q -f bindings/java test
-
matrix:
only:
- job_name: Linux Build
build_script:
- ./bootstrap
- ./configure -q
- make -s
-
matrix:
only:
- job_name: macOS Build
build_script:
- ./bootstrap
- ./configure -q
- make -s
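Review bot: `set PATH=C:\Python36-x64\';%PATH%` in the Windows `install:` step has a stray `'` after the backslash, so the first PATH entry is the non-existent directory `C:\Python36-x64\'` rather than the Python install; it should read `set PATH=C:\Python36-x64;%PATH%` (or reuse the `PYTHON` global defined just below). The empty `services:` key under the same job should be removed.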
# Compile the sub directories
SUBDIRS = jni
tsk_jar = $(top_builddir)/bindings/java/dist/sleuthkit-$(PACKAGE_VERSION).jar
jardir = $(prefix)/share/java
jar_DATA = $(tsk_jar)
if OFFLINE
ant_args=-Doffline=true
else
endif
$(tsk_jar):
all-local:
ant dist $(ant_args)
CLEANFILES = $(tsk_jar)
clean-local:
ant clean
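Review bot: the `if OFFLINE` block has an empty `else` branch, and the `$(tsk_jar):` rule has no recipe, so the install list (`jar_DATA = $(tsk_jar)`) depends on a file make cannot build on its own; it only works because `all-local` happens to run `ant dist` first. Give `$(tsk_jar)` a real recipe (`ant dist $(ant_args)`) and make `all-local` depend on it, and drop the empty `else`.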
Sleuth Kit Java Bindings
Overview
The core functionality of the Sleuth Kit is in the C/C++ library.
The functionality is made available to Java applications by using
JNI. The theory is that a SQLite database is created by the C++
library and then it is queried by native Java code. JNI methods
exist to make the database and to read file content (and other raw
data that is too large to fit into the database).
To use the Java bindings, you must have the Sleuth Kit datamodel
JAR file compiled and have compiled the associated dynamic library
from the C/C++ code.
Requirements:
* Java JDK
* Ant
* Jar files as listed in ivy.xml (which will get downloaded automatically)
The following jar files must be on the classpath for building and
running. Version details can be found in ivy.xml. They will be
automatically downloaded if you do not compile in offline mode.
* sqlite-jdbc
* postgresql-jdbc
* c3p0
Building the Dynamic Library (for JNI)
The win32 Visual Studio solution has a tsk_jni project that will
build the JNI dll. To use this project, you will need to have
JDK_HOME environment variable set to the root directory of JDK.
On non-windows environments, it should just build as part of running
./configure and make. If the needed Java components are not found,
it will not be built.
This library will depend on libewf, zlib, and other libraries that
TSK was built to depend on. In Windows, the core of TSK (libtsk)
is a static library that is fully embedded in the libtsk_jni.dll
file. On non-Windows environments, libtsk_jni will depend on the
libtsk dynamic library.
Building The Jar File
Build with the default ant target (by running 'ant'). This will
download the required libraries (using ivy) and place the jar file
in the dist folder along with the needed dll and library files.
Using the Jar file and Library
There are two categories of things that need to be in the right place:
- The Jar file needs to be on the CLASSPATH.
- The libewf and zlib dynamic libraries need to be loadable. The TSK
JNI native library is inside of the Jar file and it will depend on the
libewf and zlib libraries. On a Unix-like platform, that means that
if you did a 'make install' with libewf and zlib, you should be OK.
On Windows, you should copy these dlls to a place that is found based
on the rules of Windows library loading. Note that these locations are
based on the rules of Windows loading them and not necessarily based on
java's loading paths.
Refer to the javadocs for details on using the API:
http://sleuthkit.org/sleuthkit/docs/jni-docs/
------------
Brian Carrier
Jan 2014
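Review bot: the README says the required jars (sqlite-jdbc, postgresql-jdbc, c3p0) 'will be automatically downloaded' via ivy but never tells the reader how to opt out; document the offline build that the `bindings/java/Makefile.am` hunk already supports (`ant dist -Doffline=true`) so that building from a vetted local cache is the documented path and the versions pinned in ivy.xml are what reviewers check. Wording: 'The theory is that a SQLite database is created ...' describes the actual design, not a theory; 'The design is that ...' reads better.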
<?xml version="1.0" encoding="windows-1252"?>
<project name="TSKTestTargets">
<property name="dlls" value="../../win32/x64/Release"/>
<property environment="env"/>
<target name="test" description="Performs regression tests." depends="compile-test, copyTSKLibs">
<junit fork="on" haltonfailure="yes" dir=".">
<env key="path" value="${env.Path}:${dlls}"/>
<sysproperty key="rslt" value="${test-results}"/>
<sysproperty key="gold" value="${test-standards}"/>
<sysproperty key="inpt" value="${test-input}"/>
<classpath refid="libraries"/>
<formatter type="plain" usefile="false"/>
<test name="org.sleuthkit.datamodel.timeline.TimelineTestSuite" />
<test name="org.sleuthkit.datamodel.DataModelTestSuite"/>
</junit>
</target>
<target name="test-rebuild" description="Rebuilds regression tests." depends="compile-test, copyTSKLibs">
<java classname="org.sleuthkit.datamodel.DataModelTestSuite" classpathref="libraries" fork="true" failonerror="true">
<sysproperty key="gold" value="${test-standards}"/>
<sysproperty key="inpt" value="${test-input}"/>
<sysproperty key="types" value="${test-types}"/>
</java>
</target>
<target name="check-native-build" depends="check-native-build-mac,check-native-build-unix"/>
<target name="check-native-build-mac" depends="testTSKLibs" if="tsk_dylib.present">
<uptodate property="native-up-to-date" srcfile="./jni/.libs/libtsk_jni.dylib" targetfile="${amd64}/mac/libtsk_jni.jnilib"/>
</target>
<target name="check-native-build-unix" depends="testTSKLibs" if="tsk_so.present">
<uptodate property="native-up-to-date" srcfile="./jni/.libs/libtsk_jni.so" targetfile="${amd64}/linux/libtsk_jni.so"/>
</target>
<target name="testTSKLibs">
<property environment="env"/>
<available file="./jni/.libs/libtsk_jni.dylib" property="tsk_dylib.present"/>
<available file="./jni/.libs/libtsk_jni.so" property="tsk_so.present"/>
<fail message="JNI native library not built.">
<condition>
<not>
<or>
<isset property="tsk_dylib.present"/>
<isset property="tsk_so.present"/>
</or>
</not>
</condition>
</fail>
<!-- Default location to find zlib and libewf. Overwritten by properties in makefile -->
<property name="lib.z.path" value="/usr/lib"/>
<property name="lib.ewf.path" value="/usr/local/lib"/>
</target>
<!-- OS X -->
<target name="copyTskLibs_dylib" depends="testTSKLibs" if="tsk_dylib.present">
<property environment="env"/>
<copy file="./jni/.libs/libtsk_jni.dylib" tofile="./libtsk_jni.jnilib" overwrite="true"/>
</target>
<target name="copyMacLibs" depends="testTSKLibs" if="tsk_dylib.present">
<property environment="env"/>
<property name="jni.dylib" location="${basedir}/jni/.libs/libtsk_jni.dylib"/>
<property name="jni.jnilib" value="libtsk_jni.jnilib"/>
<!-- x86_64 -->
<copy file="${jni.dylib}" tofile="${x86_64}/mac/${jni.jnilib}" overwrite="true"/>
<!-- amd64 -->
<copy file="${jni.dylib}" tofile="${amd64}/mac/${jni.jnilib}" overwrite="true"/>
</target>
<!-- Non-OS X -->
<target name="copyTskLibs_so" depends="testTSKLibs" if="tsk_so.present">
<property environment="env"/>
<copy file="./jni/.libs/libtsk_jni.so" tofile="./libtsk_jni.so" overwrite="true"/>
</target>
<target name="copyLinuxLibs" depends="testTSKLibs" if="tsk_so.present">
<property environment="env"/>
<property name="jni.so" location="${basedir}/jni/.libs/libtsk_jni.so"/>
<property name="zlib.so" location="${lib.z.path}/libz.so"/>
<property name="libewf.so" location="${lib.ewf.path}/libewf.so"/>
<!-- x86_64 -->
<copy file="${jni.so}" tofile="${x86_64}/linux/libtsk_jni.so" overwrite="true"/>
<!-- amd64 -->
<copy file="${jni.so}" tofile="${amd64}/linux/libtsk_jni.so" overwrite="true"/>
<!-- x86 -->
<copy file="${jni.so}" tofile="${x86}/linux/libtsk_jni.so" overwrite="true"/>
<!-- i386 -->
<copy file="${jni.so}" tofile="${i386}/linux/libtsk_jni.so" overwrite="true"/>
<!-- i586 -->
<copy file="${jni.so}" tofile="${i586}/linux/libtsk_jni.so" overwrite="true"/>
<!-- i686 -->
<copy file="${jni.so}" tofile="${i686}/linux/libtsk_jni.so" overwrite="true"/>
</target>
<target name="copyLibs" depends="copyLinuxLibs,copyMacLibs"/>
<target name="copyLibs-Debug" depends="copyLinuxLibs,copyMacLibs"/>
<target name="copyTSKLibs" depends="copyTskLibs_so,copyTskLibs_dylib">
<!-- depends targets take care of the actual copying since the file differs on OS X and Linux -->
<!-- This assumes that TSK, libewf, and zlib have been installed on the system and those libraries will be with normal loading approaches -->
</target>
</project>
<?xml version="1.0" encoding="windows-1252"?>
<project name="TSKTestTargets">
<property name="dlls" value="../../win32/x64/Release"/>
<property environment="env"/>
<target name="test"
description="Runs the regression tests."
depends="compile-test" >
<junit fork="on" haltonfailure="yes" dir=".">
<env key="path" value="${env.Path};${dlls}"/>
<sysproperty key="rslt" value="${test-results}"/>
<sysproperty key="gold" value="${test-standards}"/>
<sysproperty key="inpt" value="${test-input}"/>
<classpath refid="libraries" />
<formatter type="plain" usefile="false" />
<test name="org.sleuthkit.datamodel.timeline.TimelineTestSuite" />
<test name="org.sleuthkit.datamodel.DataModelTestSuite" />
</junit>
</target>
<target name="test-rebuild"
description="Rebuilds gold standards for tests."
depends="compile-test" >
<java classname="org.sleuthkit.datamodel.DataModelTestSuite" classpathref="libraries" fork="true" failonerror="true">
<sysproperty key="java.library.path" value="${dlls}"/>
<sysproperty key="gold" value="${test-standards}"/>
<sysproperty key="inpt" value="${test-input}"/>
<sysproperty key="types" value="${test-types}"/>
</java>
</target>
<target name="check-native-build" depends="check-build-32,check-build-64"/>
<target name="check-build-32" if="win32.TskLib.exists">
<uptodate property="native-up-to-date" srcfile="${basedir}/../../win32/Release/libtsk_jni.dll"
targetfile="${x86}/win/libtsk_jni.dll"/>
</target>
<target name="check-build-64" if="win64.TskLib.exists">
<uptodate property="native-up-to-date" srcfile="${basedir}/../../win32/x64/Release/libtsk_jni.dll"
targetfile="${amd64}/win/libtsk_jni.dll"/>
</target>
<target name="copyLibs" description="Copy native libs to the correct folder">
<property name="tsk.config" value="Release"/>
<antcall target="copyWinTskLibsToBuildSQLite" />
</target>
<target name="copyLibs-Debug" description="Copy native libs to the correct folder">
<property name="tsk.config" value="Debug"/>
<antcall target="copyWinTskLibsToBuildSQLite" />
</target>
<target name="copyWinTskLibsToBuildSQLite" depends="copyWinTskLibs64ToBuildSQLite, copyWinTskLibs32ToBuild-SQLite" description="Copy Windows DLLs to the correct location, SQLite build." />
<target name="checkTskLibDirsSQLite">
<available property="win64.TskLib.exists" type="file" file="${basedir}/../../win32/x64/${tsk.config}/libtsk_jni.dll" />
<available property="win32.TskLib.exists" type="file" file="${basedir}/../../win32/${tsk.config}/libtsk_jni.dll" />
</target>
<target name="copyWinTskLibs64ToBuildSQLite" depends="checkTskLibDirsSQLite" if="win64.TskLib.exists">
<property name="tsk.jni.64" location="${basedir}/../../win32/x64/${tsk.config}/libtsk_jni.dll" />
<copy file="${tsk.jni.64}" todir="${amd64}/win" overwrite="true"/>
<copy file="${tsk.jni.64}" todir="${x86_64}/win" overwrite="true"/>
</target>
<target name="copyWinTskLibs32ToBuild-SQLite" depends="checkTskLibDirs" if="win32.TskLib.exists">
<property name="tsk.jni.32" location="${basedir}/../../win32/${tsk.config}/libtsk_jni.dll" />
<copy file="${tsk.jni.32}" todir="${i386}/win" overwrite="true"/>
<copy file="${tsk.jni.32}" todir="${x86}/win" overwrite="true"/>
<copy file="${tsk.jni.32}" todir="${i586}/win" overwrite="true"/>
<copy file="${tsk.jni.32}" todir="${i686}/win" overwrite="true"/>
</target>
<target name="checkTskLibDirs">
<available property="win64.TskLib.exists" type="file" file="${basedir}/../../win32/x64/${tsk.config}/libtsk_jni.dll" />
<available property="win32.TskLib.exists" type="file" file="${basedir}/../../win32/${tsk.config}/libtsk_jni.dll" />
</target>
</project>
<project xmlns:ivy="antlib:org.apache.ivy.ant" name="DataModel" default="dist" basedir=".">
<description>
Sleuthkit Java DataModel
</description>
<condition property="os.family" value="unix">
<os family="unix"/>
</condition>
<condition property="os.family" value="windows">
<os family="windows"/>
</condition>
<import file="build-${os.family}.xml"/>
<!-- Careful changing this because release-windows.pl updates it by pattern -->
<property name="VERSION" value="4.12.1"/>
<!-- set global properties for this build -->
<property name="default-jar-location" location="/usr/share/java"/>
<property name="src" location="src/org/sleuthkit/datamodel"/>
<property name="sample" location="src/org/sleuthkit/datamodel/Examples"/>
<property name="build" location="build/"/>
<property name="build-datamodel" location="build/org/sleuthkit/datamodel"/>
<property name="dist" location="dist"/>
<property name="lib" location="lib"/>
<property name="test" location="test"/>
<property name="test-standards" location="test/output/gold"/>
<property name="test-results" location="test/output/results"/>
<property name="test-input" location="test/input"/>
<property name="test-types" location="test/org/sleuthkit/datamodel"/>
<property name="native-libs" location="build/NATIVELIBS"/>
<property name="amd64" location="build/NATIVELIBS/amd64"/>
<property name="x86" location="build/NATIVELIBS/x86"/>
<property name="x86_64" location="build/NATIVELIBS/x86_64"/>
<property name="i386" location="build/NATIVELIBS/i386"/>
<property name="i586" location="build/NATIVELIBS/i586"/>
<property name="i686" location="build/NATIVELIBS/i686"/>
<!-- Only added win folders for now -->
<target name="init">
<mkdir dir="${build}"/>
<mkdir dir="${dist}"/>
<mkdir dir="${lib}"/>
<mkdir dir="${test-input}"/>
<mkdir dir="${test-standards}"/>
<mkdir dir="${test-results}"/>
<mkdir dir="${native-libs}"/>
<mkdir dir="${amd64}"/>
<mkdir dir="${amd64}/win"/>
<mkdir dir="${amd64}/mac"/>
<mkdir dir="${amd64}/linux"/>
<mkdir dir="${x86}"/>
<mkdir dir="${x86}/win"/>
<mkdir dir="${x86}/linux"/>
<mkdir dir="${x86_64}"/>
<mkdir dir="${x86_64}/win"/>
<mkdir dir="${x86_64}/mac"/>
<mkdir dir="${x86_64}/linux"/>
<mkdir dir="${i386}"/>
<mkdir dir="${i386}/win"/>
<mkdir dir="${i386}/linux"/>
<mkdir dir="${i586}"/>
<mkdir dir="${i586}/win"/>
<mkdir dir="${i586}/linux"/>
<mkdir dir="${i686}"/>
<mkdir dir="${i686}/win"/>
<mkdir dir="${i686}/linux"/>
</target>
<!-- set classpath for dependencies-->
<target name="set-library-path" description="sets the path of the libraries" depends="set-library-path-online,set-library-path-offline"></target>
<target name="set-library-path-online" description="set this library path when the user is online" unless="offline">
<path id="libraries">
<fileset dir="${lib}">
<include name="*.jar"/>
</fileset>
<pathelement path="${build}"/>
</path>
</target>
<target name="set-library-path-offline" description="set the library path when the user is offline" if="offline">
<path id="libraries">
<fileset dir="${default-jar-location}">
<include name="*.jar"/>
</fileset>
<fileset dir="${lib}">
<include name="*.jar"/>
</fileset>
<pathelement path="${build}"/>
</path>
</target>
<property name="ivy.install.version" value="2.5.0" />
<condition property="ivy.home" value="${env.IVY_HOME}">
<isset property="env.IVY_HOME"/>
</condition>
<property name="ivy.home" value="${user.home}/.ant"/>
<property name="ivy.jar.dir" value="${ivy.home}/lib"/>
<property name="ivy.jar.file" value="${ivy.jar.dir}/ivy.jar"/>
<target name="download-ivy" unless="offline">
<mkdir dir="${ivy.jar.dir}"/>
<get src="https://repo1.maven.org/maven2/org/apache/ivy/ivy/${ivy.install.version}/ivy-${ivy.install.version}.jar"
dest="${ivy.jar.file}" usetimestamp="true"/>
</target>
<target name="init-ivy" depends="download-ivy">
<path id="ivy.lib.path">
<fileset dir="${ivy.jar.dir}" includes="*.jar"/>
</path>
<taskdef resource="org/apache/ivy/ant/antlib.xml"
uri="antlib:org.apache.ivy.ant" classpathref="ivy.lib.path"/>
</target>
<target name="retrieve-deps" description="retrieve dependencies using ivy" depends="init-ivy" unless="offline">
<ivy:settings file="ivysettings.xml"/>
<ivy:resolve/>
<ivy:retrieve sync="true" pattern="lib/[artifact]-[revision](-[classifier]).[ext]"/>
</target>
<target name="compile-test" depends="compile" description="compile the tests">
<javac encoding="iso-8859-1" debug="on" srcdir="${test}" destdir="${build}" includeantruntime="false">
<classpath refid="libraries"/>
<compilerarg value="-Xlint" />
</javac>
</target>
<target name="compile" depends="init, set-library-path, retrieve-deps" description="compile the source">
<!-- Compile the java code from ${src} into ${build} -->
<javac encoding="iso-8859-1" debug="on" srcdir="${src}" destdir="${build}" classpathref="libraries" includeantruntime="false">
<compilerarg value="-Xlint"/>
</javac>
<!-- Copy Bundle*.properties files into DataModel build directory, so they are included in the .jar -->
<copy todir="${build-datamodel}">
<fileset dir="${src}" includes="**/*.properties"/>
</copy>
<!-- Verify sample compiles -->
<javac encoding="iso-8859-1" debug="on" srcdir="${sample}" destdir="${build}" includeantruntime="false">
<classpath refid="libraries"/>
</javac>
<!--Copy .properties to .properties-MERGED -->
<antcall target="copy-bundle" />
</target>
<target name="dist" depends="check-build, init-ivy, compile, copyLibs" unless="up-to-date" description="generate the distribution">
<!-- Put everything in ${build} into the MyProject-${DSTAMP}.jar file -->
<jar jarfile="${dist}/sleuthkit-${VERSION}.jar" basedir="${build}"/>
</target>
<target name="check-build" depends="check-native-build">
<uptodate property="java-up-to-date" targetfile="${dist}/sleuthkit-${VERSION}.jar">
<srcfiles dir="${src}" includes="**/*.java"/>
</uptodate>
<condition property="up-to-date">
<and>
<isset property="java-up-to-date"/>
<isset property="native-up-to-date"/>
</and>
</condition>
</target>
<target name="Debug" depends="check-build, init-ivy, compile, copyLibs-Debug" unless="up-to-date" description="generate the debug distribution">
<!-- Put everything in ${build} into the MyProject-${DSTAMP}.jar file -->
<jar jarfile="${dist}/sleuthkit-${VERSION}.jar" basedir="${build}"/>
</target>
<target name="jni" depends="compile" description="make the jni.h file">
<javah classpath="${build}" outputFile="jni/dataModel_SleuthkitJNI.h" force="yes">
<class name="org.sleuthkit.datamodel.SleuthkitJNI"/>
</javah>
</target>
<target name="clean" description="clean up">
<delete dir="${build}"/>
<delete dir="${dist}"/>
<delete dir="${lib}"/>
</target>
<target name="javadoc" description="Make the API docs">
<mkdir dir="javadoc"/>
<javadoc sourcepath="src" destdir="javadoc" overview="src/overview.html"/>
</target>
<target name="test-download" description="download test images.">
<mkdir dir="${test-input}"/>
<get src="http://digitalcorpora.org/corp/nps/drives/nps-2009-canon2/nps-2009-canon2-gen6.E01" dest="${test-input}"/>
<get src="http://digitalcorpora.org/corp/nps/drives/nps-2009-ntfs1/ntfs1-gen2.E01" dest="${test-input}"/>
<!--<get src="http://www.cfreds.nist.gov/dfr-images/dfr-16-ext.dd.bz2" dest="${test-input}"/> <bunzip2 src="${test-input}/dfr-16-ext.dd.bz2" /> -->
</target>
<!-- NOTE: test and test-rebuild targets are in the OS-specific files -->
<target name="run-sample" depends="compile" description="run the sample">
<java classname="org.sleuthkit.datamodel.Examples.Sample" fork="true" failonerror="true">
<env key="PATH" path="${env.TEMP}:${env.Path}:${env.TSK_HOME}/win32/x64/Release"/>
<arg value="${image}"/>
<classpath refid="libraries"/>
</java>
</target>
<target name="doxygen" description="build doxygen docs, requires doxygen in PATH">
<exec executable="doxygen" dir="${basedir}/doxygen">
<arg value="Doxyfile"/>
</exec>
</target>
<target name="copy-bundle">
<!-- the externalized strings in 'src' are in both the java files as annotations and in the Bundle.property files.
The strings get merged during compilation. This target copies that merged file into src so that it can be checked
in and used as a basis for translation efforts -->
<copy todir="src">
<fileset dir="build">
<include name="**/Bundle.properties"/>
</fileset>
<globmapper from="*" to="*-MERGED"/>
</copy>
</target>
</project>
/*! \page mod_compage Communications
NOTE: This is a work in progress
\section jni_com_overview Overview
The Java code and database in Sleuth Kit contain special classes and tables to deal with communications between two parties. This page outlines what a developer should do when they are parsing communications data so that it can be properly displayed and used by other code (such as the Autopsy Communications UI).
\section jni_com_types Terminology
First, let's cover the terminology that we use.
\subsection jni_com_types_account Accounts
An <b>Account</b> is an entity with a type and an identifier that is unique to the type. Common examples of types include:
- Credit Card (and the unique identifier is the credit card number)
- Email (and the unique identifier is the email address)
- Phone (and the unique identifier is the phone number)
- Twitter (with a unique identifier of the login)
- ...
Accounts are found in a digital investigation when parsing structured data (such as email messages) or keyword searching.
\subsection jni_com_types_relationships Relationships
Two accounts have a <b>relationship</b> if they are believed to have communicated in some way. Examples of interactions that cause a relationship are:
- Being part of the same email message
- Being in a call log
- Being in an address book
When there are multiple people involved with an email message, a relationship is made between each of them. For example, if A sends a message to B and CC:s C, then there will be relationships between A <-> B, A <-> C, and B <-> C. Relationships in The Sleuth Kit are not directional.
A <b>relationship source</b> is where we learned about the relationship. This typically comes from Blackboard Artifacts, but may come from generic files in the future.
\subsection jni_com_types_devaccount Device Accounts
In some situations, we may not know the specific account with which a relationship exists. For example, when we find a contact book on a thumb drive, we want to make a relationship between the accounts in the contact book and the accounts associated with the owner of that thumb drive. But we may not know which accounts belong to that owner. The contacts could be just a bunch of vCards and not tied to a specific email address or phone number.
In this situation, we make a <b>device account</b> that is associated with the data source or device being analyzed. You should make an account of type Account.Type.DEVICE (instead of something like EMAIL) and the identifier is the device id of the data source where the other accounts were located.
\section jni_com_add Adding Communication Information to Database
Now let's cover what you should do when you are parsing some communications data and want to store it in the TSK database. Let's assume we are parsing a smart phone app that has messages.
\subsection jni_com_add_acct Adding Account Instances
When you encounter a message, the first thing to do is store information about the accounts. TSK wants to know about each <i>file</i> that had a reference to the account. You should call org.sleuthkit.datamodel.CommunicationsManager.createAccountFileInstance() for each file in which you encounter a given account.
To make a device account, you'd have logic similar to:
\code
// Content.getDataSource() returns a Content; cast it to DataSource to read the device id.
AccountFileInstance deviceAccountInstance = tskCase.getCommunicationsManager().createAccountFileInstance(Account.Type.DEVICE,
    ((DataSource) abstractFile.getDataSource()).getDeviceId(), "Module Name", abstractFile);
\endcode
Behind the scenes, createAccountFileInstance will make an entry in the accounts table for each unique account on a given device and will make an org.sleuthkit.datamodel.BlackboardArtifact for each unique account in a given file.
If you want to create a custom account type, call org.sleuthkit.datamodel.CommunicationsManager.addAccountType().
\subsection jni_com_add_msg Adding The Message (Relationship Source)
You also need to make sure that you store the org.sleuthkit.datamodel.BlackboardArtifact that used the accounts and had the relationship. You can do this before or after calling createAccountFileInstance(). The order does not matter.
For a messaging app, you would make org.sleuthkit.datamodel.BlackboardArtifact objects with a type of org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_MESSAGE. That artifact would store various name and value pairs using org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE values. There is nothing communication-specific about this step. It is the same Blackboard artifacts and attributes that are used in many other places.
\subsection jni_com_add_relationship Adding the Relationship
The final step is to store the relationships between the accounts. You can do this via org.sleuthkit.datamodel.CommunicationsManager.addRelationships(). This method will require you to pass in the org.sleuthkit.datamodel.AccountInstance objects that you created and the org.sleuthkit.datamodel.BlackboardArtifact that you created for the message or other source.
The source of the relationship can be a device account (for things like call logs and contacts) if you are unsure about the specific account (such as phone number) associated with the device.
As an example, you can refer to some code in Autopsy, such as:
- [Email Module addArtifact()](https://github.com/sleuthkit/autopsy/blob/develop/thunderbirdparser/src/org/sleuthkit/autopsy/thunderbirdparser/ThunderbirdMboxFileIngestModule.java)
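Putting the three steps together for one message from a hypothetical SMS database, as an added example that is not code from The Sleuth Kit or Autopsy; the class, the module name and the phone numbers are constructed, and it uses only the datamodel calls named in this section:

```java
import java.util.ArrayList;
import java.util.List;

import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.Account;
import org.sleuthkit.datamodel.AccountFileInstance;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.CommunicationsManager;
import org.sleuthkit.datamodel.DataSource;
import org.sleuthkit.datamodel.Relationship;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskCoreException;
import org.sleuthkit.datamodel.TskDataException;

/** Hypothetical parser step for one SMS found in a phone app database. */
public class SmsRelationshipExample {

    private static final String MODULE_NAME = "Example SMS Parser"; // constructed name

    /**
     * Stores one message: account instances, the TSK_MESSAGE artifact that is
     * the relationship source, then the relationships between the accounts.
     * fromNumber may be null when the app does not record the owner's number.
     */
    public static BlackboardArtifact addSmsMessage(SleuthkitCase tskCase, AbstractFile dbFile,
            String fromNumber, List<String> toNumbers, String text, long sentEpochSecs)
            throws TskCoreException, TskDataException {

        CommunicationsManager commMgr = tskCase.getCommunicationsManager();

        // Step 1: one account file instance per account referenced by this file.
        // If the sender is unknown, fall back to the device account of the data
        // source, as the "Device Accounts" section describes.
        AccountFileInstance sender;
        if (fromNumber != null && !fromNumber.isEmpty()) {
            sender = commMgr.createAccountFileInstance(Account.Type.PHONE, fromNumber, MODULE_NAME, dbFile);
        } else {
            String deviceId = ((DataSource) dbFile.getDataSource()).getDeviceId();
            sender = commMgr.createAccountFileInstance(Account.Type.DEVICE, deviceId, MODULE_NAME, dbFile);
        }
        List<AccountFileInstance> recipients = new ArrayList<>();
        for (String number : toNumbers) {
            recipients.add(commMgr.createAccountFileInstance(Account.Type.PHONE, number, MODULE_NAME, dbFile));
        }

        // Step 2: the message artifact that acts as the relationship source.
        // Nothing communications-specific here: an ordinary artifact plus attributes.
        BlackboardArtifact msg = dbFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_MESSAGE);
        List<BlackboardAttribute> attrs = new ArrayList<>();
        attrs.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MESSAGE_TYPE, MODULE_NAME, "SMS"));
        if (fromNumber != null && !fromNumber.isEmpty()) {
            attrs.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM, MODULE_NAME, fromNumber));
        }
        for (String number : toNumbers) {
            attrs.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO, MODULE_NAME, number));
        }
        attrs.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME, MODULE_NAME, sentEpochSecs));
        attrs.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TEXT, MODULE_NAME, text));
        msg.addAttributes(attrs);

        // Step 3: relationships. The manager records a non-directional
        // relationship for every pair among sender and recipients, each
        // pointing at the message artifact as its source.
        if (!recipients.isEmpty()) {
            commMgr.addRelationships(sender, recipients, msg, Relationship.Type.MESSAGE, sentEpochSecs);
        }
        return msg;
    }
}
```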
\section jni_com_comm_artifacts_helper Communication Artifacts Helper
An alternative to individually creating artifacts, accounts and relationships is to use the org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper. CommunicationArtifactsHelper provides APIs that create the artifact, create accounts, and create relationships between the accounts, all with a single API call.
\subsection jni_com_comm_artifacts_helper_create_helper Creating a Communications Artifacts Helper
To use the communication artifacts helper, you must first create a new instance of the helper for each source file from which you are extracting communications artifacts. To create a helper, use the constructor org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper.CommunicationArtifactsHelper().
When creating the helper, you must specify the account type for the accounts that will be created by this instance of the helper. Additionally, you may specify the "self" account identifier, i.e. the application-specific account identifier for the owner of the device, if it is known.
If the self account is not known, you may omit it, in which case the helper uses the Device account as proxy for the self account.
\subsection jni_com_comm_artifacts_helper_add_contact Adding Contacts
Use the org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper.addContact() method to add contacts.
The helper creates a TSK_CONTACT artifact. It also creates contact accounts for each of the specified contact methods, and finally creates relationships between the contact accounts and the self account.
\subsection jni_com_comm_artifacts_helper_add_calllog Adding Call logs
Use the org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper.addCalllog() method to add a call log entry.
The helper creates a TSK_CALLLOG artifact. It also creates accounts for the caller and each of the callees, if specified. Finally it creates a relationship between the caller and each of the callees.
\subsection jni_com_comm_artifacts_helper_add_message Adding Messages
Use the org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper.addMessage() method to add a message.
The helper creates a TSK_MESSAGE artifact. It also creates accounts for the sender and each of the recipients, if specified. Finally it creates a relationship between the sender and each of the recipients.
\subsection jni_com_comm_artifacts_helper_add_attachments Adding Attachments to a Message
Use the org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper.addAttachments() method to add org.sleuthkit.datamodel.blackboardutils.attributes.MessageAttachments to a message.
As an example, you can refer to some code in Autopsy, such as:
- [Android Text Messages](https://github.com/sleuthkit/autopsy/blob/develop/InternalPythonModules/android/textmessage.py)
- [Facebook Messenger Messages](https://github.com/sleuthkit/autopsy/blob/develop/InternalPythonModules/android/fbmessenger.py)
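The same kind of phone app parsed through the helper instead, as an added example that is not part of the datamodel or Autopsy; the class, module name, contact, numbers and URL are constructed. It assumes the helper constructor overloads without an ingest job id (newer releases also offer overloads that take one as the last argument).

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.Account;
import org.sleuthkit.datamodel.Blackboard.BlackboardException;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskCoreException;
import org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper;
import org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper.CallMediaType;
import org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper.CommunicationDirection;
import org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper.MessageReadStatus;
import org.sleuthkit.datamodel.blackboardutils.attributes.MessageAttachments;
import org.sleuthkit.datamodel.blackboardutils.attributes.MessageAttachments.FileAttachment;
import org.sleuthkit.datamodel.blackboardutils.attributes.MessageAttachments.URLAttachment;

/** Hypothetical parser that records a contact, a call and a message via the helper. */
public class HelperExample {

    private static final String MODULE_NAME = "Example Phone App Parser"; // constructed name

    /**
     * ownerNumber is the device owner's phone number if the app stores it, else null.
     * attachedPhoto is a file from the image referenced by the message, or null.
     */
    public static BlackboardArtifact parseWithHelper(SleuthkitCase tskCase, AbstractFile appDb,
            String ownerNumber, AbstractFile attachedPhoto) throws TskCoreException, BlackboardException {

        // One helper per source file. With a known owner number it becomes the
        // "self" account; without one the helper falls back to the device account.
        CommunicationArtifactsHelper helper;
        if (ownerNumber != null && !ownerNumber.isEmpty()) {
            helper = new CommunicationArtifactsHelper(tskCase, MODULE_NAME, appDb,
                    Account.Type.PHONE, Account.Type.PHONE, ownerNumber);
        } else {
            helper = new CommunicationArtifactsHelper(tskCase, MODULE_NAME, appDb, Account.Type.PHONE);
            ownerNumber = ""; // blank id tells the helper to use the self (device) account
        }

        // Contact: TSK_CONTACT artifact, one account per contact method given,
        // each related to the self account. Constructed values.
        helper.addContact("Alice Example", "+15550100", "", "+15550101", "alice@example.invalid");

        // Call log: TSK_CALLLOG artifact plus caller/callee accounts and their relationship.
        long callStart = 1_700_000_000L;
        long callEnd = callStart + 90;
        helper.addCalllog(CommunicationDirection.INCOMING, "+15550100", ownerNumber,
                callStart, callEnd, CallMediaType.AUDIO);

        // Message: TSK_MESSAGE artifact with sender/recipient accounts and their relationship.
        BlackboardArtifact message = helper.addMessage("SMS", CommunicationDirection.OUTGOING,
                ownerNumber, "+15550100", callEnd + 60, MessageReadStatus.READ,
                "", "see attached", "thread-1");

        // Attachments: an optional file from the image plus a URL, attached to the message.
        List<FileAttachment> files = new ArrayList<>();
        if (attachedPhoto != null) {
            files.add(new FileAttachment(attachedPhoto));
        }
        List<URLAttachment> urls = Collections.singletonList(new URLAttachment("https://example.invalid/photo"));
        helper.addAttachments(message, new MessageAttachments(files, urls));
        return message;
    }
}
```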
\section jni_com_schema Database Schema
For details of how this is stored in the database, refer to the
<a href="http://wiki.sleuthkit.org/index.php?title=Database_v7.2_Schema#Communications_.2F_Accounts">wiki</a>.
*/