CCM_RecentlyUsedApps

markmckinnon
Mar 9, 2017

After reading James Habben’s post about recently used apps on his blog 4n6ir, I thought I would look into this and see how it could become a plugin for Autopsy. Heck, if EnCase can have an EnScript for it, why not create a Python plugin for Autopsy?

From reading James’s post, there was already a project that was put together to get the information for this. All I needed to do was extend the Python script so that it would output the data to a SQLite database and then make it an executable program. I added the code for SQLite and then used PyInstaller to create an executable file. You can find the code for the program here.

Once this was created, I then created the Autopsy plugin for it. The plugin exports the files needed from the \Windows\System32\wbem\repository directory, runs the show_CCM_RecentlyUsedApps.exe program against them, and creates a SQLite database that is then imported into a custom artifact. Most of the attributes for the artifact are custom; only a few are attributes provided by Autopsy.

If you look at the code, you may notice that when I execute the SQL to get the data out of the database, I use a column alias for each column in my select.

SQL and Metadata

The reason I do this is so that I can get the metadata from the result set and get the column names associated with each column. I then put those columns in a list, and for each row of the result set I get each column and then get the associated attribute type and value type of that column. This allows me to easily add the correct attribute to the blackboard. The code is below:

Code to add attribute to Blackboard

This seems to work pretty well, and the code can be reused easily. All that needs to be done to reuse the code is to change the select statement to something else and make sure I have created the attributes prior to running the select statement.
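The alias-driven mapping described above, as an added example that is not the plugin's own code: it uses Python's `sqlite3` module and plain tuples in place of Autopsy's blackboard API. The table, column, and `TSK_CCM_*` attribute names are constructed for illustration and are assumptions, not the tool's real schema.

```python
import sqlite3

# Constructed stand-in for the SQLite database the executable writes;
# the table and column names are assumptions, not the tool's real schema.
def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE recently_used_apps (folder_path TEXT, "
                 "file_name TEXT, last_used INTEGER, launch_count INTEGER, "
                 "user_name TEXT)")
    conn.executemany("INSERT INTO recently_used_apps VALUES (?,?,?,?,?)", [
        ("C:\\Tools\\", "example.exe", 1489017600, 3, "LAB\\analyst"),
        ("C:\\Temp\\", "sample.exe", 1489021200, 1, None),
    ])
    return conn

# Hypothetical custom attribute names mapped to value types. In the plugin
# these would be attribute types created before the SELECT runs.
ATTRIBUTE_TYPES = {
    "TSK_CCM_FOLDER_PATH": "string",
    "TSK_CCM_FILE_NAME": "string",
    "TSK_CCM_LAST_USED": "datetime",
    "TSK_CCM_LAUNCH_COUNT": "long",
    "TSK_CCM_USER_NAME": "string",
}

# Every column is aliased to the attribute name it should populate.
QUERY = """SELECT folder_path AS TSK_CCM_FOLDER_PATH,
                  file_name AS TSK_CCM_FILE_NAME,
                  last_used AS TSK_CCM_LAST_USED,
                  launch_count AS TSK_CCM_LAUNCH_COUNT,
                  user_name AS TSK_CCM_USER_NAME
           FROM recently_used_apps ORDER BY last_used"""

CONVERTERS = {"string": str, "long": int, "datetime": int}

def rows_to_attributes(conn, query, attribute_types):
    cur = conn.execute(query)
    # Result-set metadata: the aliases come back as the column names.
    columns = [col[0] for col in cur.description]
    missing = [c for c in columns if c not in attribute_types]
    if missing:  # fail before building anything if an attribute is absent
        raise KeyError("no attribute type for: " + ", ".join(missing))
    artifacts = []
    for row in cur:
        attrs = [(name, attribute_types[name], CONVERTERS[attribute_types[name]](value))
                 for name, value in zip(columns, row) if value is not None]
        artifacts.append(attrs)  # one attribute list per artifact
    return artifacts
```

Reusing this for another source means changing only `QUERY` and `ATTRIBUTE_TYPES`; an alias with no matching attribute type is rejected before any row is processed.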

You can find the plugin here. Enjoy!

One last thing: if you can spare a few minutes, could you take the short survey I put out to get some feedback on existing modules and what you would like to see as the next plugins to create in Autopsy? The survey can be found here. Thanks to those who have taken the survey.
