Hang when adding new artifact type or attribute type

Get help with module writing or platform code changes.

Moderator: carrier


Post by bdallen » Wed May 20, 2015 8:12 pm

Execution hangs when I attempt to create a new artifact type or attribute type. I am using Autopsy 3.1.2 with NetBeans IDE 8.0.2. The hang also happens when I export my code as an .nbm module and run it directly in Autopsy 3.1.2 (64-bit). The code runs fine and adds artifacts properly if I use existing artifact and attribute types.

Here is the problem code:
// add artifact and attribute to Sleuthkit
logger.log(Level.INFO, "checkpoint A");
artifactID = sleuthkitCase.addArtifactType("ARTIFACT_TEST", "Artifact for Artifact Test");
logger.log(Level.INFO, "checkpoint B");


For completeness, I provide a simple Java test module that attempts to create and add one artifact with one attribute. It includes:

Help appreciated,
Thanks,
-Bruce
bdallen
 
Posts: 3
Joined: Tue May 19, 2015 11:54 pm

Re: Hang when adding new artifact type or attribute type

Post by carrier » Thu Jun 04, 2015 6:48 pm

I haven't seen this before - though we just define new ones in the enum and don't exercise this code often. I'll have someone on our team look at it.
carrier
 
Posts: 45
Joined: Thu May 15, 2014 3:31 pm

Re: Hang when adding new artifact type or attribute type

Post by sidheshenator » Fri Jun 05, 2015 7:16 pm

The problem is fixed.
sidheshenator
 
Posts: 3
Joined: Fri Jun 05, 2015 7:14 pm

Re: Hang when adding new artifact type or attribute type

Post by carrier » Sat Jun 06, 2015 1:56 am

As Sid mentioned, the fix is in develop. It will be part of the 3.1.3 release (next week probably).
carrier
 
Posts: 45
Joined: Thu May 15, 2014 3:31 pm

Re: Hang when adding new artifact type or attribute type

Post by bdallen » Mon Jul 06, 2015 9:33 pm

Okay, good, the hang is fixed in 3.1.3. But my new artifact fails to show up. I expect to see it under new artifact category "Artifact for Artifact Test" under the Results tree node. Perhaps there is further setup that I am missing?

My simple artifact test module is still available on GitHub at https://github.com/BruceMty/Autopsy-artifact-test. The interesting spot is in file ArtifactTestIngestModule.java where the "startUp()" function calls "setArtifactAndAttribute()". Note that when "startUp()" is changed to instead use existing attribute and artifact IDs by calling the alternate "setExistingArtifactAndAttribute()" function, the test correctly adds the artifact under the existing artifact tree node.

More help appreciated,
Thanks,
-Bruce
bdallen
 
Posts: 3
Joined: Tue May 19, 2015 11:54 pm

Re: Hang when adding new artifact type or attribute type

Post by carrier » Fri Jul 10, 2015 1:46 pm

Hi Bruce,

My guess is that you've hit a shortcoming of our custom artifact / attribute support. We are using an enum to store the "official" artifact types. In the C++ world (where these started from), the custom types were fine being stored in an enum (it was just an int after all). In the Java world, this approach stopped working. If you look in the logs, there is probably an error about converting the type ID to an enum value that doesn't exist.

Long-term, we need to change the use of the enum. I'll revisit the topic again to see how much work it would be to do this in a backward compatible way. Many of the newer methods do not rely solely on the enum, but some do. We had been ignoring this issue because we didn't know the "Correct" way to solve it because I like having all of the types in an enum for documentation reasons.

The easiest fixes to this are:
- Tell us what artifact / attribute you want (if you can) and we'll add them into the official version.
- Use the INTERESTING_FILES artifact. It is generic and simple and can be used for anything. Use SET_NAME to group them together.
carrier
 
Posts: 45
Joined: Thu May 15, 2014 3:31 pm

Re: Hang when adding new artifact type or attribute type

Post by bdallen » Mon Jul 20, 2015 6:15 pm

Okay, thanks,

For my case, I do not want to clutter the artifact and attribute namespace since I am using specific names for a prototype. I would be happy to get by with generic names.

For the "INTERESTING_FILES" artifact, are you referring to "TSK_INTERESTING_FILE_HIT" in TSK_ARTIFACT_TYPE?

Could you please clarify "SET_NAME"? Does this refer to an attribute or a function? I was unable to find a reference to it.

Thanks,
-Bruce
bdallen
 
Posts: 3
Joined: Tue May 19, 2015 11:54 pm

Re: Hang when adding new artifact type or attribute type

Post by carrier » Mon Jul 27, 2015 6:31 pm

> For the "INTERESTING_FILES" artifact, are you referring to "TSK_INTERESTING_FILE_HIT" in TSK_ARTIFACT_TYPE?

Yes.

> Could you please clarify "SET_NAME"? Does this refer to an attribute or a function? I was unable to find a reference to it.

It refers to the TSK_SET_NAME attribute. (http://sleuthkit.org/sleuthkit/docs/jni ... c5b9359644)
carrier
 
Posts: 45
Joined: Thu May 15, 2014 3:31 pm
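
Added example (not part of any post above, and not Sleuth Kit or Autopsy code): a self-contained Java model of the situation described in this thread, where a type ID handed out at run time has no matching enum value, while a hit stored under a built-in type with a set name is grouped normally. The enum, the IDs, the `Artifact` class and `buildResultsTree` are all hypothetical stand-ins.

```java
import java.util.*;

public class EnumTypeLookupDemo {
    // Constructed stand-in for the enum of "official" artifact types (IDs are made up).
    enum OfficialType {
        WEB_BOOKMARK(1), INTERESTING_FILE_HIT(2);
        final int id;
        OfficialType(int id) { this.id = id; }

        // Enum-only lookup: any ID registered at run time has no value here.
        static OfficialType fromId(int id) {
            for (OfficialType t : values()) if (t.id == id) return t;
            throw new IllegalArgumentException("no enum value for type ID " + id);
        }
    }

    // One stored artifact row: integer type ID plus an optional set-name attribute.
    static final class Artifact {
        final int typeId; final String setName;
        Artifact(int typeId, String setName) { this.typeId = typeId; this.setName = setName; }
    }

    // Builds tree nodes the enum-only way: rows whose ID has no enum value
    // are recorded as errors and never reach the tree.
    static Map<String, Integer> buildResultsTree(List<Artifact> rows, List<String> errors) {
        Map<String, Integer> nodes = new TreeMap<>();
        for (Artifact a : rows) {
            try {
                String node = OfficialType.fromId(a.typeId).name();
                if (a.setName != null) node += "/" + a.setName; // group hits by set name
                nodes.merge(node, 1, Integer::sum);
            } catch (IllegalArgumentException e) {
                errors.add(e.getMessage());
            }
        }
        return nodes;
    }

    public static void main(String[] args) {
        int customTypeId = 10000; // constructed: an ID handed out at run time for a custom type
        List<Artifact> rows = Arrays.asList(
            new Artifact(customTypeId, null),
            new Artifact(OfficialType.INTERESTING_FILE_HIT.id, "Artifact Test"),
            new Artifact(OfficialType.INTERESTING_FILE_HIT.id, "Artifact Test"));
        List<String> errors = new ArrayList<>();
        System.out.println("tree nodes: " + buildResultsTree(rows, errors));
        System.out.println("log errors: " + errors);
    }
}
```

In the model, the custom-type row is stored but only surfaces as a logged error, which is why checking the application log is the first diagnostic step when an added artifact never appears in the tree.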

Re: Hang when adding new artifact type or attribute type

Post by mary » Tue Aug 09, 2016 10:39 am

I haven't seen this before - though we just define new ones in the enum and don't exercise this code often. I'll have someone on our team look at it.
mary
 
Posts: 6
Joined: Tue Aug 09, 2016 9:55 am

