support sqlite output

Open N1neSun opened this issue 5 years ago • 11 comments

Convert csv to sqlite output through pandas module

N1neSun avatar Dec 04 '20 02:12 N1neSun

Thanks for this! There's a few points that I'd suggest doing a different way:

  • The temporary file to hold the csv looks well done and suitably considered, but having a temporary file shouldn't really be necessary, the data could just be written directly to a sqlite database with appropriate sqlite commands?
  • Pandas is an external dependency which would then need to be added to the core requirements just for this one output mechanism, and it's only necessary for the conversion
  • It modifies the core command line interface, meaning it can't just be dropped into an existing installation. I realize this is because it needs to write a file and we don't yet really handle giving options to plugins (although it is on the roadmap, see #370).

Areas to consider include using the already provided output-dir option, rather than adding yet another option for a very specific output method. I'd also contemplate working the file interface handler (for plugins to write out files) into the plugin options, but it needs to support more than just this plugin, we're aiming to only add things to the CLI that are modular rather than specific to a particular output mechanism where possible.

As such, I'm likely to hold off on accepting this as is, I'm afraid...

ikelos avatar Dec 04 '20 10:12 ikelos

Thank you for your suggestion. I was just trying to implement the function at the time and did not consider the volatility framework. I will rewrite this place to adapt to this framework better.

N1neSun avatar Dec 05 '20 04:12 N1neSun

I realize that you have implemented the renderer option, could I know when it will merge?

N1neSun avatar Dec 06 '20 10:12 N1neSun

Unfortunately the renderer options issue still needs a little more consideration, so I'm afraid there isn't a specific deadline for it getting added, but the issue will be updated when there's any news...

ikelos avatar Dec 06 '20 21:12 ikelos

Thanks a lot, I saw your question about the renderer options, I will continue to pay attention to this #370 and discuss with you.

N1neSun avatar Dec 07 '20 01:12 N1neSun

I changed the sqlite output with reference to volatility2. I don’t know if this is feasible?

N1neSun avatar Jan 08 '21 07:01 N1neSun

That's much better, thanks! Unfortunately we're still waiting on getting the renderer options into the tree (due to the filename argument needing to be used), but having this here should be useful for people looking to get sqlite output.... :)

ikelos avatar Jan 09 '21 19:01 ikelos

It’s okay, I know there are still some problems that need to be solved, and I also hope I can help with something.

N1neSun avatar Jan 10 '21 09:01 N1neSun

Hello, do we have an estimate as to when this functionality will be made available?

JonathanOuellet1275 avatar Jan 25 '21 21:01 JonathanOuellet1275

@JonathanOuellet1275 We don't have a timeline for this pull request. It alters the CLI in a way that's very specific to sql support, which won't extend nicely if we get lots of requests for lots of formats. As such we don't think it's the best way of supporting this need.

At the moment there's a straightforward workaround which is to output as csv (-r csv) and then start a new sqlite file, and import the csv data into it (.import FILE TABLE). Hopefully this will help you get the data into sqlite before we're able to come up with a workable solution for adding support directly...

ikelos avatar Jan 25 '21 23:01 ikelos
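
The workaround above (CSV output, then an import into a new sqlite file), done with Python's standard library rather than the sqlite shell's `.import`. This is an added example, not code from the pull request or from volatility3. The sample CSV, the table name and the function names are constructed for illustration.

```python
import csv
import io
import sqlite3

# Constructed sample resembling `-r csv` output of a process-listing plugin.
# Strings recovered from a memory image are untrusted, hence the odd last row.
SAMPLE_CSV = '''TreeDepth,PID,PPID,ImageFileName
0,4,0,System
1,412,4,smss.exe
0,2208,1044,"evil""; DROP TABLE x;--.exe"
'''


def quote_ident(name):
    """Quote a CSV header or table name as a SQLite identifier."""
    return '"' + name.replace('"', '""') + '"'


def import_csv(conn, table, stream):
    """Load CSV rows from a text stream into `table`; return the row count."""
    reader = csv.reader(stream)
    header = next(reader)
    cols = ", ".join(quote_ident(c) + " TEXT" for c in header)
    conn.execute(f"CREATE TABLE IF NOT EXISTS {quote_ident(table)} ({cols})")
    marks = ", ".join("?" for _ in header)
    insert = f"INSERT INTO {quote_ident(table)} VALUES ({marks})"
    count = 0
    with conn:  # single transaction: commit on success, roll back on error
        for row in reader:
            if not row:  # skip blank lines
                continue
            if len(row) != len(header):
                raise ValueError(f"line {reader.line_num}: bad field count")
            conn.execute(insert, row)  # values are bound, never interpolated
            count += 1
    return count


def demo():
    """Import the sample into an in-memory database and read it back."""
    conn = sqlite3.connect(":memory:")
    n = import_csv(conn, "pslist", io.StringIO(SAMPLE_CSV))
    query = 'SELECT "ImageFileName" FROM "pslist" ORDER BY CAST("PID" AS INTEGER)'
    return n, [r[0] for r in conn.execute(query)]


if __name__ == "__main__":
    print(demo())
```

Every column is stored as TEXT, so numeric comparisons need a `CAST` as in the query inside `demo()`.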

@ikelos Thank you for the tip

JonathanOuellet1275 avatar Jan 26 '21 15:01 JonathanOuellet1275