lastbuild module not executed first in the CLI about ileapp HOT 25 CLOSED

@stark4n6 Thank you very much for your feedback. Adding multiple parsers at a time is now implemented.
@abrignoni Sure, it is obvious 🤪

from ileapp.

The load profile file feature is now fully supported in the CLI.
Generated profile files have now the .ilprofile extension and are identified as iLEAPP profile files. Checking when it is loaded that this is a profile file for iLEAPP.
In the logs (CLI and GUI), it is indicated that a profile file has been loaded and the filename is displayed.
Info available in the Screen Output.html file.

from ileapp.

@Johann-PLW would it make sense to be able to add multiple parsers at a time? Like separated by a comma or something? If you want to added a bunch you'd have to type a number and hit enter a lot haha. I know it could get a bit clustered

from ileapp.

@abrignoni , @stark4n6
I was frustrated to have an 'Load Case Data' button that was useless in the GUI.
If you want to have a try and test it (https://github.com/Johann-PLW/iLEAPP/tree/case_data), I have implemented Load Case Data and Save Case Data in the GUI.
Input path, output path, profiles and timezone are saved in the .ilcasedata file.
Less click in the GUI.
Let me know if you are interested in having this feature (an maybe include it in other LEAPP tools).

from ileapp.

from ileapp.

This is fantastic. Having profiles at the CLI enables faster testing of specific modules without having to click around in the GUI.

Thank you so much. This is fantastic.

from ileapp.

If you agree, since load profile from the CLI and the .ilprofile files are fully functional, I can merge my cli_profiles branch with main and integrate these changes right away into iLEAPP by opening a pull request.
These features could be ported to other LEAPPs too.
I'll wait a bit before closing this issue in case there are any comments.

from ileapp.

@abrignoni
I've just finished the implementation of creating an ilprofile file in the CLI.
The code is available in my cli_profiles branch: https://github.com/Johann-PLW/iLEAPP/tree/cli_profiles.
The -l argument is used to load a profile file and need to be used in conjonction with -t -i and -o parameters.
The -c argument is meant to be used alone, without any other arguments. You just have to provide the output_path of the ilprofile file.

In the profile file creation menu:
'l' display all the available plugins, sorted by category as in the GUI. Each plugin has a corresponding number

You can type the number to add a remove a plugin from the ilprofile file.

'p' displays the parsers added to the profile file

'q' is used to quit and save the profile file after choosing a filename. (ilprofile extension is automatically added).

This created profile file can also be used in the GUI.
I've chosen to use numbers to add or remove plugins from the profile file, rather than typing their names directly, because it's less prone to typos.
Tell me what do you think about this implementation or if you can suggest a better way to manage profile file creation.
This feature is easily removable if you only want to keep the load profile feature.

from ileapp.

This looks fantastic. I dig it quite a lot. The main thing is being able apply a profile via the CLI. It will be awesome for automation. It will help also so much when developing artifacts. No more clicking around to just run one parser. This is really good stuff.

The edit via numbers is perfect btw.

from ileapp.

@Johann-PLW Love this, let me know if you need me to test. This will be a huge time saver for running tests on new parsers.

from ileapp.

@stark4n6
Thank you Kevin.
If you had time to test and give me your comments or suggestions, it would be great before merging to the main branch.

from ileapp.

@Johann-PLW Just staying the obvious, all LEAPPs will benefit from profiles at the CLI. 🙏

from ileapp.

@Johann-PLW worked like a charm, seems good to me to merge, much appreciated!

from ileapp.

sure would be nice if the modules had more details about them than just the filename and module name........

Nice add! @Johann-PLW I will be taking advantage of this as well in doing focused module testing.

from ileapp.

from ileapp.

See the content of the zCaseDataExample.alprofile at the root of the repo. Being able to add a case number and other data points is necessary. Is that supported still? If no we need to add it again.

from ileapp.

Ah OK!
In fact, I hadn't even noticed the 'zCaseDataExample.alprofile' file at the root of the repo.
So I didn't go in the right direction at all.
I finally replaced the 'Load Case Data' Button with a 'Add Case Data' Button opening a new windows.

From this window, we can load an existing case data file, checking that it is the right filetype, create case data by filling in the 'case number', 'Agency' and 'Examiner' fields, and save a case file.

If case data is existing, data is added to the index.html file.

Do you think it would be useful to add other information?
Would it be useful to add the paths (input/output) and the time zone, or could this confuse the user?

from ileapp.

from ileapp.

I agree to only add fields that are not already in the interface.

My first attempt with the "Case Data" button was to quickly get the input and output paths without having to click on the buttons to save time, but it wasn't a good idea.
I also tried to integrate them into the profile file, but this should only be used to select the desired modules.

We need to keep things simple and not confuse the user with our own needs as a developer.

So I'll stick to the current version, which lets you manage the 'Case Number', 'Agency' and 'Examiner' fields in the GUI, without having to manually edit the json file. I will have a try with the CLI too.

But perhaps these fields should appear in the upper part of the table, before Extraction location, extraction type, report directory and processing time rows.

from ileapp.

Case Data is also available from the CLI (load/create a LEAPP case data file)
Also added a clear button in the case data window in the GUI
'Case Number', 'Agency' and 'Examiner' rows appear first in Index.html report if case data was loaded.

Note: A LEAP case data file can be used with any xLEAPP tool as fields are generic.

@abrignoni Maybe some suggestions about parameters chosen:
options:
-d LOAD_CASE_DATA, --load_case_data LOAD_CASE_DATA
Path to LEAPP Case Data file (.lcasedata).
-p LOAD_PROFILE, --load_profile LOAD_PROFILE
Path to iLEAPP Profile file (.ilprofile).
-cp CREATE_PROFILE, --create_profile CREATE_PROFILE
Generate an iLEAPP Profile file (.ilprofile) into the specified path.
This argument is meant to be used alone, without any other arguments.
-cd CREATE_CASE_DATA, --create_case_data CREATE_CASE_DATA
Generate a LEAPP Case Data file (.lcasedata) into the specified path.
This argument is meant to be used alone, without any other arguments.
-a, --artifact_paths Generate a text file list of artifact paths. This argument is meant to
be used alone, without any other arguments.

from ileapp.

If I'm not mistaken the -p arguments stands for a lists of artifacts paths and names. This cannot be mapped to a different functionality since Autopsy and Paraben software depend on that - p argument for their LEAPP integrations.

from ileapp.

I haven't used Paraben or Autopsy integration with xLEAPP. do they rely on the table output in some way, or do they just generate the HTML report? @abrignoni

from ileapp.

from ileapp.

Good to know that the -p argument is used by Autopsy and Paraben.

So I decided to use only one argument for file creation. As it is used alone, you have the choice in the menu to create a profile file and/or a case data file:

I finally chose the following args:
-m LOAD_PROFILE, --load_profile LOAD_PROFILE
Path to iLEAPP Profile file (.ilprofile).
-d LOAD_CASE_DATA, --load_case_data LOAD_CASE_DATA
Path to LEAPP Case Data file (.lcasedata).
-c CREATE_PROFILE_CASEDATA, --create_profile_casedata CREATE_PROFILE_CASEDATA
Generate an iLEAPP Profile file (.ilprofile) or LEAPP Case Data
file (.lcasedata) into the specified path. This argument is
meant to be used alone, without any other arguments.
-p, --artifact_paths Generate a text file list of artifact paths. This argument is
meant to be used alone, without any other arguments.

m for profiles as we also speak about modules, d for data in case_data & c to create a profile/casedata file.

@abrignoni Please let me know if this suits you. Otherwise everything seems to work both in the GUI and the CLI.

from ileapp.

from ileapp.