Call us: 10am – 6pm ET

888 540-2010, 416 833-3501

Web API for Workflow Automation

Automation of the digital forensic process becomes not just relevant but increasingly pressing to examiners dealing with ever growing volumes of data involved in forensic cases.

To enable TaskForce users to integrate their imaging system into their automated workflow, we provide the ability to launch, track and stop operations via Web API.

API (application programming interface) helps external software to communicate with TaskForce. It prescribes the type of commands that can be sent to TaskForce and describes the behavior TaskForce should demonstrate and the type of responses it should send back to the automation software.

TaskForce API is based on HTTP GET requests and JSON-encoded responses. See API specification.

To understand how it can be used to communicate with TaskForce, please see the examples below.

Starting imaging of all available source drives

In this scenario, all 12 of TaskForce’s SATA and SAS ports are switched to Source mode and source drives are plugged into them. TaskForce’s firmware version 2019.7 enables you to instantly launch 12 imaging sessions by using Web API.

Python script utilizes /start-image API request and prints task keys of all started imaging sessions.


import sys

if sys.version_info[0] < 3:
    raise Exception("Please use Python 3 to run this script")

import urllib.request

ports = ["SATA1", "SATA2", "SATA3", "SATA4", "SATA5", "SATA6", "SAS1", "SAS2", "SAS3", "SAS4", "SAS5", "SAS6"]
tasks = []
errors = {}

for port in ports:
    try:
        res = urllib.request.urlopen("http://10.0.0.4/api/start-image?source=%s&targetFolder=//Vitaliy/Share" % (port))
        tasks.append(res.read().decode('utf-8'))
    except urllib.error.HTTPError as e:
        errors[port] = e.read()

print("IDs of started imaging tasks:")
print('\n'.join(tasks))

Automatic launch of forensic analysis upon completion of imaging

By sending /check-task API request to TaskForce, you can track the status of the running imaging sessions. TaskForce returns a report about the imaging progress enabling the user (or your code) to find out when the task gets completed. Once this notification is received, the automation tool launches the forensic analysis of the target image. The Powershell script below demonstrates how such automation flow can be created:


try {
    $r = Invoke-WebRequest "http://10.0.0.65/api/start-image?source=SATA4&targetFolder=\\Vitaliy\Share"
}
catch {
    Write-Output "$($_.Exception.Message)"
    exit $_.Exception.Response.StatusCode
}

$taskKey = $r.Content
do {
    $check = (Invoke-WebRequest "http://10.0.0.65/api/check-task?taskKey=$taskKey").Content | ConvertFrom-Json
    Start-Sleep -s 1
} while ($check.state -eq "progress")

$windowsPath = "C:\Share\" + ($check.target -replace '[\/]', '\' | Split-Path -leaf)
$caseName = "Case123"
$autopsyArguments = '--inputPath="' + $windowsPath + '" --caseName=' + $caseName + ' --runFromCommandLine=true'
Start-Process -FilePath "C:\Program Files\Autopsy-4.11.0\bin\autopsy64.exe" -ArgumentList $autopsyArguments

NB. Autopsy Ingest v4.11 does not work with network file paths from the command line. That’s why this example shows a shared folder located at PC where PowerShell script is executed. Therefore \\Vitaliy\Share points to C:\Share folder.