Added Metadata Artifact to Keyword Search and TImeline

Adds document metadata to the TSK_METADATA artifact and adds timeline event types for that metadata.
Mark McKinnon 2020-05-28 15:44:09 -04:00
parent de21dd88c9
commit 06e8890417
2 changed files with 62 additions and 37 deletions


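--- a/EventTypeUtils.java
+++ b/EventTypeUtils.java
@@ -95,6 +95,12 @@ final public class EventTypeUtils {
 imageFileName = "artifact-icon.png";
 } else if (typeID == TimelineEventType.WEB_FORM_ADDRESSES.getTypeID()) {
 imageFileName = "artifact-icon.png";
+} else if (typeID == TimelineEventType.METADATA_CREATED.getTypeID()) {
+imageFileName = "blue-document-attribute-b.png";
+} else if (typeID == TimelineEventType.METADATA_LAST_SAVED.getTypeID()) {
+imageFileName = "blue-document-attribute-m.png";
+} else if (typeID == TimelineEventType.METADATA_LAST_PRINTED.getTypeID()) {
+imageFileName = "blue-document.png";
 }else {
 imageFileName = "timeline_marker.png";
 }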
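Review bot: The icon lookup is an if/else chain over `typeID` that now carries three more `getTypeID()` comparisons for the METADATA_* event types; a `static final Map<Integer, String>` keyed by type ID, read with `getOrDefault(typeID, "timeline_marker.png")`, would turn each future event type into a single table entry instead of another branch. That is a style point only; the three added branches are consistent with the existing ones and the fallback to `timeline_marker.png` is preserved. The enclosing method starts before this hunk and continues after it.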


@ -19,13 +19,18 @@
package org.sleuthkit.autopsy.keywordsearch; package org.sleuthkit.autopsy.keywordsearch;
import com.google.common.collect.ImmutableList; import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.io.CharSource; import com.google.common.io.CharSource;
import java.io.IOException; import java.io.IOException;
import java.io.Reader; import java.io.Reader;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collection; import java.util.Collection;
import java.util.Date;
import java.util.HashMap; import java.util.HashMap;
import java.util.List; import java.util.List;
import static java.util.Locale.US;
import java.util.Map; import java.util.Map;
import java.util.concurrent.atomic.AtomicInteger; import java.util.concurrent.atomic.AtomicInteger;
import java.util.logging.Level; import java.util.logging.Level;
@ -120,28 +125,24 @@ public final class KeywordSearchIngestModule implements FileIngestModule {
"application/x-z", //NON-NLS "application/x-z", //NON-NLS
"application/x-compress"); //NON-NLS "application/x-compress"); //NON-NLS
private static final List<String> METADATA_TYPES private static final List<String> METADATA_DATE_TYPES
= ImmutableList.of( = ImmutableList.of(
"Total-Time", //NON-NLS
"Template", //NON-NLS
"Revision-Number", //NON-NLS
"Last-Save-Date", //NON-NLS "Last-Save-Date", //NON-NLS
"Last-Printed", //NON-NLS "Last-Printed", //NON-NLS
"Last-Author", //NON-NLS "Creation-Date"); //NON-NLS
"Edit-Time", //NON-NLS
"Creation-Date", //NON-NLS private static final Map<String, BlackboardAttribute.ATTRIBUTE_TYPE> METADATA_TYPES_MAP = ImmutableMap.<String, BlackboardAttribute.ATTRIBUTE_TYPE>builder()
"Company", //NON-NLS .put("Last-Save-Date", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_MODIFIED)
"Author", //NON-NLS .put("Last-Author", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_USER_ID)
"Application-Name", //NON-NLS .put("Creation-Date", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_CREATED)
"protected", //NON-NLS .put("Company", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ORGANIZATION)
"SourceModified", //NON-NLS .put("Author", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_OWNER)
"Last-Modified", //NON-NLS .put("Application-Name", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME)
"Producer", //NON-NLS .put("Last-Printed", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_LAST_PRINTED_DATETIME)
"pdf:docinfo:creator_tool", //NON-NLS .put("Producer", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME)
"Title", //NON-NLS .put("Title", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION)
"pdf:encrypted", //NON-NLS .put("pdf:PDFVersion", BlackboardAttribute.ATTRIBUTE_TYPE.TSK_VERSION)
"Description", //NON-NLS .build();
"pdf:PDFVersion"); //NON-NLS
/** /**
@ -552,31 +553,49 @@ public final class KeywordSearchIngestModule implements FileIngestModule {
private void createMetadataArtifact(AbstractFile aFile, Map<String, String> metadata) { private void createMetadataArtifact(AbstractFile aFile, Map<String, String> metadata) {
String moduleName = KeywordSearchIngestModule.class.getName(); String moduleName = KeywordSearchIngestModule.class.getName();
Collection<BlackboardAttribute> attributes = new ArrayList<>(); Collection<BlackboardAttribute> attributes = new ArrayList<>();
Collection<BlackboardArtifact> bbartifacts = new ArrayList<>(); Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
for (Map.Entry<String, String> entry : metadata.entrySet()) { for (Map.Entry<String, String> entry : metadata.entrySet()) {
if (METADATA_TYPES.contains(entry.getKey())) { if (METADATA_TYPES_MAP.containsKey(entry.getKey())) {
if (!entry.getValue().isEmpty() && !entry.getValue().contentEquals(" ")) { if (!entry.getValue().isEmpty() && !entry.getValue().startsWith(" ")) {
attributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME, moduleName, entry.getKey())); if (METADATA_DATE_TYPES.contains(entry.getKey())) {
attributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_VALUE, moduleName, entry.getValue())); SimpleDateFormat metadataDateFormat = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss", US);
try { Long metadataDateTime = Long.valueOf(0);
BlackboardArtifact bbart = aFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_METADATA); try {
bbart.addAttributes(attributes); String metadataDate = entry.getValue().replaceAll("T"," ").replaceAll("Z", "");
bbartifacts.add(bbart); Date usedDate = metadataDateFormat.parse(metadataDate);
} catch (TskCoreException ex) { metadataDateTime = usedDate.getTime()/1000;
// return and continue processing attributes.add(new BlackboardAttribute(METADATA_TYPES_MAP.get(entry.getKey()), moduleName, metadataDateTime));
return; } catch (ParseException ex) {
// catching error and displaying date that could not be parsed then will continue on.
logger.log(Level.WARNING, String.format("Failed to parse date/time %s for metadata attribute %s.", entry.getValue(), entry.getKey()), ex); //NON-NLS
continue;
}
} else {
attributes.add(new BlackboardAttribute(METADATA_TYPES_MAP.get(entry.getKey()), moduleName, entry.getValue()));
} }
} }
} }
} }
if (!bbartifacts.isEmpty()) { if (!attributes.isEmpty()) {
try{ try {
Case.getCurrentCaseThrows().getSleuthkitCase().getBlackboard().postArtifacts(bbartifacts, moduleName); BlackboardArtifact bbart = aFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_METADATA);
} catch (NoCurrentCaseException | Blackboard.BlackboardException ex) { bbart.addAttributes(attributes);
// Ignore this and continue on bbartifacts.add(bbart);
//logger.log(Level.SEVERE, "Unable to post blackboard artifacts", ex); //NON-NLS } catch (TskCoreException ex) {
return; // Log error and return to continue processing
logger.log(Level.WARNING, String.format("Error creatinkg or adding artifact."), ex); //NON-NLS
return;
}
if (!bbartifacts.isEmpty()) {
try{
Case.getCurrentCaseThrows().getSleuthkitCase().getBlackboard().postArtifacts(bbartifacts, moduleName);
} catch (NoCurrentCaseException | Blackboard.BlackboardException ex) {
// Log error and return to continue processing
logger.log(Level.WARNING, "Unable to post blackboard artifacts", ex); //NON-NLS
return;
}
} }
} }
} }
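Review bot: The date parse in the `METADATA_DATE_TYPES` branch strips the trailing `Z` and then parses with a `SimpleDateFormat` that has no time zone set, so the value is interpreted in the JVM's default zone rather than UTC; if, as the stripped `Z` suggests, the document metadata is UTC, every stored TSK_DATETIME_CREATED/MODIFIED/LAST_PRINTED value will be shifted by the examiner machine's UTC offset, which is exactly the kind of error a timeline must not have. The cheapest fix is `metadataDateFormat.setTimeZone(TimeZone.getTimeZone("UTC"));` right after the constructor (plus `import java.util.TimeZone;`), or parse the original value with `Instant.parse(entry.getValue()).getEpochSecond()` and catch `DateTimeParseException`, which also removes the `replaceAll("T"," ").replaceAll("Z", "")` calls that strip every T and Z in the string, not just the separators. The new `!entry.getValue().startsWith(" ")` guard silently discards any value that merely has a leading space, where `!entry.getValue().trim().isEmpty()` with the trimmed value stored would keep it. The warning in the `TskCoreException` catch has a typo and wraps a constant in `String.format`; `logger.log(Level.WARNING, "Error creating or adding metadata artifact for file " + aFile.getName(), ex);` would also say which file failed. The whole of createMetadataArtifact appears to fall inside this hunk.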