Changed the logic per Brian's comments

2025-07-15 09:17:42 +00:00 · 2019-03-06 17:25:01 -05:00 · 2019-03-06 17:25:01 -05:00 · 05da0c83b5
commit 05da0c83b5
parent c14b8d55fc
2 changed files with 44 additions and 21 deletions
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED
@ -2,7 +2,6 @@ cannotBuildXmlParser=Unable to build XML parser:
 cannotLoadSEUQA=Unable to load Search Engine URL Query Analyzer settings file, SEUQAMappings.xml: 
 cannotParseXml=Unable to parse XML file: 
 ChromeCacheExtractor.moduleName=ChromeCacheExtractor
-# {0} - OS name
 DataSourceUsageAnalyzer.customVolume.label=OS Drive ({0})
 DataSourceUsageAnalyzer.parentModuleName=Recent Activity
 Extract.indexError.message=Failed to index artifact for keyword search.
@ -48,8 +47,14 @@ ExtractSafari_Error_Getting_History=An error occurred while processing Safari hi
 ExtractSafari_Error_Parsing_Bookmark=An error occured while processing Safari Bookmark files
 ExtractSafari_Error_Parsing_Cookies=An error occured while processing Safari Cookies files
 ExtractSafari_Module_Name=Safari
+ExtractZone_process_errMsg=A error occured processing ':Zone.Indentifier' files.
+ExtractZone_process_errMsg_find=A failure occured while searching for :Zone.Indentifier files.
+ExtractZone_progress_Msg=Extracting :Zone.Identifer files
+INTENET_ZONE=Internet Zone
+LOCAL_INTRANET_ZONE=Local Intranet Zone
+LOCAL_MACHINE_ZONE=Local Machine Zone
 OpenIDE-Module-Display-Category=Ingest Module
-OpenIDE-Module-Long-Description=Recent Activity ingest module.\n\n\The module extracts useful information about the recent user activity on the disk image being ingested, such as:\n\n- Recently open documents,\n- Web acitivity (sites visited, stored cookies, bookmarked sites, search engine queries, file downloads),\n- Recently attached devices,\n- Installed programs.\n\n\The module currently supports Windows only disk images.\n\The plugin is also fully functional when deployed on Windows version of Autopsy.
+OpenIDE-Module-Long-Description=Recent Activity ingest module.\n\nThe module extracts useful information about the recent user activity on the disk image being ingested, such as:\n\n- Recently open documents,\n- Web acitivity (sites visited, stored cookies, bookmarked sites, search engine queries, file downloads),\n- Recently attached devices,\n- Installed programs.\n\nThe module currently supports Windows only disk images.\nThe plugin is also fully functional when deployed on Windows version of Autopsy.
 OpenIDE-Module-Name=RecentActivity
 OpenIDE-Module-Short-Description=Recent Activity finder ingest module
 Chrome.moduleName=Chrome
@ -173,12 +178,13 @@ RecentDocumentsByLnk.parentModuleName.noSpace=RecentActivity
 RecentDocumentsByLnk.parentModuleName=Recent Activity
 RegRipperFullNotFound=Full version RegRipper executable not found.
 RegRipperNotFound=Autopsy RegRipper executable not found.
-# {0} - file name
+RESTRICTED_ZONE=Restricted Sites Zone
 SearchEngineURLQueryAnalyzer.init.exception.msg=Unable to find {0}.
 SearchEngineURLQueryAnalyzer.moduleName.text=Search Engine
 SearchEngineURLQueryAnalyzer.engineName.none=NONE
 SearchEngineURLQueryAnalyzer.domainSubStr.none=NONE
-SearchEngineURLQueryAnalyzer.toString=Name: {0}\nDomain Substring: {1}\n\count: {2}\nSplit Tokens: \n{3}
+SearchEngineURLQueryAnalyzer.toString=Name: {0}\nDomain Substring: {1}\ncount: {2}\nSplit Tokens: \n{3}
 SearchEngineURLQueryAnalyzer.parentModuleName.noSpace=RecentActivity
 SearchEngineURLQueryAnalyzer.parentModuleName=Recent Activity
+TRUSTED_ZONE=Trusted Sites Zone
 UsbDeviceIdMapper.parseAndLookup.text=Product: {0}
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractZoneIdentifier.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractZoneIdentifier.java
@ -74,6 +74,18 @@ final class ExtractZoneIdentifier extends Extract {
            return;
        }
        
+        ArrayList<Long> knownPathIDs = null;
+        try {
+            knownPathIDs = getPathIDsForType(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD);
+        } catch (TskCoreException ex) {
+            addErrorMessage(Bundle.ExtractZone_process_errMsg());
+            LOG.log(Level.SEVERE, "Failed to build PathIDs List for TSK_WEB_DOWNLOAD", ex);
+        }
+
+        if (knownPathIDs == null) {
+            return;
+        }
+
        Collection<BlackboardArtifact> sourceArtifacts = new ArrayList<>();
        Collection<BlackboardArtifact> downloadArtifacts = new ArrayList<>();

@ -129,21 +141,22 @@ final class ExtractZoneIdentifier extends Extract {
        }

        AbstractFile downloadFile = getDownloadFile(dataSource, zoneFile);
+        ArrayList<Long> knownPathIDs = getPathIDsForType(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD);

        if (downloadFile != null) {
-            if (getArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_DOWNLOAD_SOURCE, zoneFile) == null) {
-                BlackboardArtifact sourcebba = createDownloadSourceArtifact(downloadFile, zoneInfo);
-                if (sourcebba != null) {
-                    sourceArtifacts.add(sourcebba);
-                }
-            }
-
-            if (getArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, downloadFile) == null) {
+            if (!knownPathIDs.contains(downloadFile.getDataSourceObjectId())) {
                BlackboardArtifact downloadbba = createDownloadArtifact(zoneFile, zoneInfo);
                if (downloadbba != null) {
                    downloadArtifacts.add(downloadbba);
                }
            }
+
+            if (downloadFile.getArtifactsCount(BlackboardArtifact.ARTIFACT_TYPE.TSK_DOWNLOAD_SOURCE) == 0) {
+                BlackboardArtifact sourcebba = createDownloadSourceArtifact(downloadFile, zoneInfo);
+                if (sourcebba != null) {
+                    sourceArtifacts.add(sourcebba);
+                }
+            }
        }
    }

@ -245,23 +258,27 @@ final class ExtractZoneIdentifier extends Extract {
    }

    /**
-     * Determine if an artifact of the given type exists for the AbstractFile.
+     * Creates a list of PathIDs for the given Artifact type.
     *
-     * @param type BlackboardArtifact type
-     * @param file AbstraceFile
+     * @param type BlackboardArtifact.ARTIFACT_TYPE
     *
-     * @return Returns the existing BlackboardArtifact or null if none exists
+     * @return A list of PathIDs
     *
     * @throws TskCoreException
     */
-    private BlackboardArtifact getArtifact(BlackboardArtifact.ARTIFACT_TYPE type, AbstractFile file) throws TskCoreException {
+    private ArrayList<Long> getPathIDsForType(BlackboardArtifact.ARTIFACT_TYPE type) throws TskCoreException {
+        ArrayList<Long> idList = new ArrayList();
        for (BlackboardArtifact artifact : currentCase.getSleuthkitCase().getBlackboardArtifacts(type)) {
-            if (artifact.getDataSource().getId() == file.getDataSourceObjectId()) {
-                return artifact;
+            BlackboardAttribute pathIDAttribute = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH_ID));
+
+            if (pathIDAttribute != null) {
+                long contentID = pathIDAttribute.getValueLong();
+                if (contentID != -1) {
+                    idList.add(contentID);
+                }
            }
        }
-
-        return null;
+        return idList;
    }

    @Messages({