A Plugin For Developers — Remove Artifacts

markmckinnon
Dec 6, 2018

When I started down my path of creating Autopsy plugins, one of the biggest issues I had was testing them. I would create a case, back up the autopsy.db file and then test my plugin. If I were good enough to code it perfectly I would only have to test it once, but sorry to say that is not the case. I would then have to close the case, copy the autopsy.db file back, reopen the case and start testing again. This really does not take much time to do, but when you do it often enough it wastes cycles. So what to do about the problem?

Enter the Remove Artifacts/Attributes plugin. I created this so I would not have to close the case and start over again, and it has helped to speed up the process of testing plugins. This plugin allows the user to do the following:

  1. Remove Custom Artifacts.
  2. Remove Custom Attributes.
  3. Remove Selected Artifacts.

The options panel for the plugin looks like this.

Remove Artifacts/Attributes Options Panel

Now the first two (2) options are pretty straightforward: these are the ones you would use to remove your custom artifacts and attributes, along with all the extracted content they represent. The last option shows all artifacts that have been created and lets you delete the data associated with them. There is a caveat here: if there are tags or other records associated with an artifact you are deleting, it may mess up your case, because you are deleting data that other records still refer to. Below are before and after screenshots of a case after removing certain artifacts.
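The tag caveat above, as an added example (not the plugin's own code): it works directly against a constructed, simplified subset of the autopsy.db SQLite schema (table and column names, and the threshold for user-defined type ids, are assumptions for illustration), clears every artifact of a custom type together with its attributes in one transaction, and refuses to do so while any of those artifacts is still tagged unless explicitly forced.

```python
import sqlite3
# Constructed, simplified subset of the autopsy.db (SQLite) schema, for
# illustration only; the real case database has many more tables and columns.
SCHEMA = """
CREATE TABLE blackboard_artifact_types(artifact_type_id INTEGER PRIMARY KEY, type_name TEXT, display_name TEXT);
CREATE TABLE blackboard_artifacts(artifact_id INTEGER PRIMARY KEY, obj_id INTEGER, artifact_type_id INTEGER);
CREATE TABLE blackboard_attributes(artifact_id INTEGER, attribute_type_id INTEGER, value_text TEXT);
CREATE TABLE blackboard_artifact_tags(tag_id INTEGER PRIMARY KEY, artifact_id INTEGER, tag_name_id INTEGER);
"""
MIN_USER_DEFINED_TYPE_ID = 10000  # assumption: custom (plugin-defined) type ids start here
OF_TYPE = "SELECT artifact_id FROM blackboard_artifacts WHERE artifact_type_id = ?"

def make_sample_case():
    """Constructed in-memory case: one standard artifact, two custom ones, one of them tagged."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO blackboard_artifact_types VALUES (?,?,?)",
                     [(4, "TSK_WEB_HISTORY", "Web History"),
                      (10001, "MYPLUGIN_THING", "My Plugin Thing")])
    conn.executemany("INSERT INTO blackboard_artifacts VALUES (?,?,?)",
                     [(1, 100, 4), (2, 101, 10001), (3, 102, 10001)])
    conn.executemany("INSERT INTO blackboard_attributes VALUES (?,?,?)",
                     [(1, 1, "http://example.test"), (2, 1, "alpha"), (3, 1, "beta")])
    conn.execute("INSERT INTO blackboard_artifact_tags VALUES (1, 3, 1)")  # artifact 3 is tagged
    conn.commit()
    return conn

def tagged_artifacts(conn, type_id):
    """Ids of artifacts of this type that still have tag rows pointing at them."""
    sql = f"SELECT artifact_id FROM blackboard_artifact_tags WHERE artifact_id IN ({OF_TYPE})"
    return [r[0] for r in conn.execute(sql, (type_id,))]

def remove_artifacts_of_type(conn, type_id, force=False):
    """Delete every artifact of one type plus its attributes, all in one transaction.
    Refuses while tags reference any of them (deleting anyway leaves dangling tag rows); force=True drops the tags too."""
    tagged = tagged_artifacts(conn, type_id)
    if tagged and not force:
        raise RuntimeError(f"artifacts {tagged} are tagged; refusing to delete type {type_id}")
    with conn:  # commits on success, rolls everything back if any statement fails
        if force:
            conn.execute(f"DELETE FROM blackboard_artifact_tags WHERE artifact_id IN ({OF_TYPE})", (type_id,))
        conn.execute(f"DELETE FROM blackboard_attributes WHERE artifact_id IN ({OF_TYPE})", (type_id,))
        return conn.execute("DELETE FROM blackboard_artifacts WHERE artifact_type_id = ?", (type_id,)).rowcount

def remove_custom_artifacts(conn, force=False):
    """Option 1 of the plugin: clear every artifact whose type is user-defined. Returns {type_id: rows deleted}."""
    sql = "SELECT artifact_type_id FROM blackboard_artifact_types WHERE artifact_type_id >= ?"
    return {t: remove_artifacts_of_type(conn, t, force)
            for (t,) in conn.execute(sql, (MIN_USER_DEFINED_TYPE_ID,)).fetchall()}
```

Run it against a copy of the case database, never the only copy; the refusal is the point, since a forced delete is exactly the "may mess up your case" situation.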

Before Artifacts Have Been Removed

In the above screenshot you can see that "Devices Attached", "Installed Programs", "Operating System Information" and "Operating System User Account" are artifacts that exist in the case. When you run the plugin and select those artifacts, you can see that they are removed, per the screenshot below.

And voilà, they are gone. Now you can stop restoring your database and get to writing your plugins without having to continually close your case, restore and reopen. This has saved me time in my testing process, and it is why I wrote it.

Now, as I stated before, this was created for developers, but nothing stops you from using it in live case work. Just be warned: if it does mess up your case you may have to start processing your case all over again. As developers we do not care much about this, as we will just create the case again and move on.

You can download the plugin module here. Hopefully this will make some developers' lives easier and speed up their process of developing Autopsy plugins. If there are any questions, comments or issues, please let me know. As always, enjoy!
