File: main.dox

Package: sleuthkit 4.10.1+dfsg-1 (Debian bullseye, area: main)
/*! \mainpage The Sleuth Kit Java Bindings Developer's Guide and API Reference

<h3>Overview</h3>

These classes allow Java programs to access data extracted by The Sleuth Kit (TSK).

The Sleuth Kit is primarily a C/C++ library and set of command line tools; these classes give Java programs access to the data that TSK produces. The typical sequence is to use JNI to have the TSK library create and populate a SQLite or PostgreSQL database, after which the Java classes open that database directly and query it. Note that the C/C++ code is the part that parses the disk image, so untrusted images are parsed by native code, not by the Java classes.


\section main_classes Types of Classes

There are three broad types of classes in this package:
- org.sleuthkit.datamodel.SleuthkitCase contains all of the code that deals with the backend database.
- org.sleuthkit.datamodel.SleuthkitJNI wraps the JNI bindings to the C/C++ code, which primarily populate the database or allow file content to be read.
- Many classes that store information about specific files or volumes. Nearly all of them implement the org.sleuthkit.datamodel.Content interface. Files from file systems and carved files extend org.sleuthkit.datamodel.AbstractFile.


\section main_workflow Basic Workflow 

\subsection basics_add Adding Data to Case 

Data must be in the database before it can be represented as a Java object, so adding data means calling org.sleuthkit.datamodel.SleuthkitCase methods.

To create or open a case, call org.sleuthkit.datamodel.SleuthkitCase.newCase() or org.sleuthkit.datamodel.SleuthkitCase.openCase().

To add a <b>disk image</b> to the case, use org.sleuthkit.datamodel.SleuthkitCase.makeAddImageProcess() to obtain an org.sleuthkit.datamodel.SleuthkitJNI.CaseDbHandle.AddImageProcess object. It populates the database within the scope of a single transaction, reports progress while it runs, and lets you either commit the result or revert everything it added.

To add a <b>local file</b> (a logical file rather than one inside an image) you can use methods such as org.sleuthkit.datamodel.SleuthkitCase.addLocalFile().


\subsection basics_analyzing Analyzing Data in Case

You can access files directly using methods such as org.sleuthkit.datamodel.SleuthkitCase.findFiles() or org.sleuthkit.datamodel.SleuthkitCase.getAbstractFileById().

Alternatively, you can access the data in its tree form by starting with org.sleuthkit.datamodel.SleuthkitCase.getImages() and then calling getChildren() on each of the returned objects, recursing down to the individual files. See the section below on the basics of the datamodel structure.
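The following is an added example, not code from The Sleuth Kit sources, that strings the two workflow steps above together: create a case, add one disk image inside the AddImageProcess transaction (reverting on a fatal error), then analyze it both through the tree (getImages() and getChildren()) and directly (findFiles()). The database path, image path, device ID and searched file name are placeholders; the org.sleuthkit.datamodel calls themselves are the ones named in this guide. Because the image is untrusted input, the example caps how much of each file it reads rather than trusting the size recorded in the file system.

```java
// Added example (not part of The Sleuth Kit's own sources). Paths, the device ID
// and the searched file name are placeholders chosen for illustration.
import java.util.List;
import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.Image;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.SleuthkitJNI;
import org.sleuthkit.datamodel.TskCoreException;
import org.sleuthkit.datamodel.TskDataException;

public class TskBasicWorkflow {

    /** Add one disk image inside an AddImageProcess transaction; returns the Image object ID. */
    static long addImage(SleuthkitCase skCase, String imagePath) throws TskCoreException {
        // "UTC" is the time zone of the imaged system; addUnallocSpace=true also creates
        // virtual files for unallocated space; noFatFsOrphans=false keeps FAT orphan
        // scanning on; "" means the image is not copied into the case directory.
        SleuthkitJNI.CaseDbHandle.AddImageProcess proc =
                skCase.makeAddImageProcess("UTC", true, false, "");
        try {
            // deviceId is a caller-chosen identifier; sectorSize 0 lets TSK auto-detect.
            // While this runs, proc.currentDirectory() reports progress.
            proc.run("example-device-0001", new String[]{imagePath}, 0);
        } catch (TskDataException e) {
            // Non-fatal: TSK hit problems in the image (e.g. a corrupt volume) but continued.
            System.err.println("Warning while adding image: " + e.getMessage());
        } catch (TskCoreException e) {
            // Fatal: discard everything this process wrote to the database.
            proc.revert();
            throw e;
        }
        return proc.commit();
    }

    /** Recursively print the content tree beneath a node (Image -> volumes -> file systems -> files). */
    static void walk(Content node, int depth) throws TskCoreException {
        StringBuilder indent = new StringBuilder();
        for (int i = 0; i < depth; i++) {
            indent.append("  ");
        }
        System.out.println(indent + node.getName() + " (id=" + node.getId() + ")");
        for (Content child : node.getChildren()) {
            walk(child, depth + 1);
        }
    }

    /** Locate files by name under a data source and read a bounded prefix of each one. */
    static void dumpHeaders(SleuthkitCase skCase, Content dataSource, String fileName)
            throws TskCoreException {
        final int maxBytes = 64; // cap reads: sizes in a hostile image cannot be trusted
        List<AbstractFile> hits = skCase.findFiles(dataSource, fileName);
        for (AbstractFile f : hits) {
            if (!f.isFile()) {
                continue; // skip directories and virtual entries with the same name
            }
            byte[] buf = new byte[maxBytes];
            int n = f.read(buf, 0, Math.min(maxBytes, f.getSize()));
            StringBuilder hex = new StringBuilder();
            for (int i = 0; i < n; i++) {
                hex.append(String.format("%02x", buf[i]));
            }
            System.out.println(f.getUniquePath() + " first " + n + " bytes: " + hex);
        }
    }

    public static void main(String[] args) throws Exception {
        String dbPath = "/tmp/example-case/case.db"; // placeholder; parent directory must exist
        String imagePath = "/evidence/disk.E01";      // placeholder evidence image

        SleuthkitCase skCase = SleuthkitCase.newCase(dbPath);
        try {
            addImage(skCase, imagePath);
            // Tree-form access: every Image is a root of the content hierarchy.
            for (Image img : skCase.getImages()) {
                walk(img, 0);
                // Direct access by name within the same data source.
                dumpHeaders(skCase, img, "ntuser.dat");
            }
        } finally {
            skCase.close();
        }
    }
}
```

Revert-on-failure matters because a partially added image leaves orphaned rows that later queries will happily return; commit only after run() has finished. A TskDataException, by contrast, is the library telling you it recovered from damaged structures, which is expected with real evidence and is a reason to log, not to abort.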


\section main_other Other Topics

- \subpage mod_bbpage is where analysis modules (such as those in Autopsy) can post and save their results.
- The \subpage artifact_catalog_page lists the artifacts and attributes currently used on the \ref mod_bbpage.
- \subpage mod_compage is where analysis modules can store and retrieve communications-related data.
- Refer to \subpage query_database_page before using any of the SleuthkitCase methods that take a caller-supplied query.
- Refer to \subpage insert_and_update_database_page if you are a Sleuth Kit developer and want to avoid database issues.


*/