diff --git a/Core/src/org/sleuthkit/autopsy/datasourceprocessors/VolatilityProcessor.java b/Core/src/org/sleuthkit/autopsy/datasourceprocessors/VolatilityProcessor.java
index 38f673ac3e..12e7ddff6b 100644
--- a/Core/src/org/sleuthkit/autopsy/datasourceprocessors/VolatilityProcessor.java
+++ b/Core/src/org/sleuthkit/autopsy/datasourceprocessors/VolatilityProcessor.java
@@ -248,6 +248,10 @@ class VolatilityProcessor {
 // if there is already the same entry with ".exe" in the set, just use that one
 if (fileSet.contains(file + ".exe"))
 continue;
+ // if plugin is handles then skip if filename does not have an extension helps with
+ // cases when there really is no just a directory or if it truly does not have an extension
+ if (pluginName.matches("handles"))
+ continue;
 fileName = fileName + ".%";
 }
 
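Review bot: `pluginName.matches("handles")` on the added line is a regex full match used as a string comparison; `"handles".equals(pluginName)` states what is meant and avoids compiling a pattern on every loop iteration (the `matches` calls in `scanOutputFile` have the same shape). The added two-line comment is hard to read; suggest `// handles output gives no extension hint: an extension-less name may be a directory or a file that truly has none, so do not append the ".%" wildcard`. The enclosing loop and the branch this `continue` sits in start outside the hunk, so whether the guard is reached only for extension-less names cannot be confirmed here.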
@@ -307,35 +311,35 @@ class VolatilityProcessor {
 private void scanOutputFile(String pluginName, File PluginOutput) {
 if (pluginName.matches("dlllist")) {
- Set fileSet = parse_DllList(PluginOutput);
+ Set fileSet = parseDllList(PluginOutput);
 flagFiles(fileSet, pluginName);
 } else if (pluginName.matches("handles")) {
 Set fileSet = parseHandles(PluginOutput);
 flagFiles(fileSet, pluginName);
 } else if (pluginName.matches("cmdline")) {
- Set fileSet = parse_Cmdline(PluginOutput);
+ Set fileSet = parseCmdline(PluginOutput);
 flagFiles(fileSet, pluginName);
 } else if (pluginName.matches("psxview")){
- Set fileSet = parse_Psxview(PluginOutput);
+ Set fileSet = parsePsxview(PluginOutput);
 flagFiles(fileSet, pluginName);
 } else if (pluginName.matches("pslist")) {
- Set fileSet = parse_Pslist(PluginOutput);
+ Set fileSet = parsePslist(PluginOutput);
 flagFiles(fileSet, pluginName);
 } else if (pluginName.matches("psscan")) {
- Set fileSet = parse_Psscan(PluginOutput);
+ Set fileSet = parsePsscan(PluginOutput);
 flagFiles(fileSet, pluginName);
 } else if (pluginName.matches("pstree")) {
- Set fileSet = parse_Pstree(PluginOutput);
+ Set fileSet = parsePstree(PluginOutput);
 flagFiles(fileSet, pluginName);
 } else if (pluginName.matches("svcscan")) {
- Set fileSet = parse_Svcscan(PluginOutput);
+ Set fileSet = parseSvcscan(PluginOutput);
 flagFiles(fileSet, pluginName);
 } else if (pluginName.matches("filescan")) {
 // BC: Commented out. Too many hits to flag
- //Set fileSet = Parse_Filescan(PluginOutput);
+ //Set fileSet = ParseFilescan(PluginOutput);
 //lookupFiles(fileSet, pluginName);
 } else if (pluginName.matches("shimcache")) {
- Set fileSet = parse_Shimcache(PluginOutput);
+ Set fileSet = parseShimcache(PluginOutput);
 flagFiles(fileSet, pluginName);
 }
 }
 
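Review bot: The renamed call sites still declare `Set fileSet` as a raw type, so the element type goes unchecked from the parser through to `flagFiles`; `Set<String> fileSet = parseDllList(PluginOutput);` (and the same on the other eight renamed lines) would let the compiler check it, which in turn requires the `parse*` signatures below to return `Set<String>`. The `if/else if` chain compares the plugin name with `String.matches`, a regex full match; a `switch (pluginName)` with `case "dlllist":` arms, or plain `equals`, expresses the dispatch directly. The commented-out call was renamed to `ParseFilescan`, which still does not match the method it refers to, `parseFilescan`, so it will not help anyone re-enabling it.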
@@ -355,8 +359,11 @@ class VolatilityProcessor {
 filePath = filePath.replaceAll("\\\\", "/");
 filePath = filePath.toLowerCase();
 filePath = filePath.replaceAll("/systemroot/", "/windows/");
+ // catches 1 type of file in cmdline
+ filePath = filePath.replaceAll("%systemroot%", "/windows/");
 filePath = filePath.replaceAll("device/","");
- filePath = filePath.replaceAll("harddiskvolume[0-9]/", "");
+ // helps with finding files in handles plugin
+ filePath = filePath.substring(filePath.indexOf("harddiskvolume[0-9]/") -1);
 // no point returning these. We won't map to them
 if (filePath.startsWith("/namedpipe/"))
 return "";
@@ -397,9 +404,8 @@ class VolatilityProcessor {
 return fileSet;
 }
- private Set parse_DllList(File PluginFile) {
+ private Set parseDllList(File PluginFile) {
 Set fileSet = new HashSet<>();
- int counter = 0;
 // read the first line from the text file
 try (BufferedReader br = new BufferedReader(new FileReader(PluginFile))) {
 String line;
@@ -407,7 +413,6 @@ class VolatilityProcessor {
 String TAG = "Command line : ";
 if (line.startsWith(TAG)) {
- counter = counter + 1;
 String file_path;
 // Command line : "C:\Program Files\VMware\VMware Tools\vmacthlp.exe"
@@ -433,7 +438,6 @@ class VolatilityProcessor {
 // 0x4a680000 0x5000 0xffff \??\C:\WINDOWS\system32\csrss.exe
 // 0x7c900000 0xb2000 0xffff C:\WINDOWS\system32\ntdll.dll
 else if (line.startsWith("0x") && line.length() > 33) {
- counter = counter + 1;
 // These lines do not have arguments
 String file_path = line.substring(33);
 fileSet.add(normalizePath(file_path));
@@ -447,7 +451,7 @@ class VolatilityProcessor {
 return fileSet;
 }
- private Set parse_Filescan(File PluginFile) {
+ private Set parseFilescan(File PluginFile) {
 String line;
 Set fileSet = new HashSet<>();
 try {
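Review bot: `filePath.substring(filePath.indexOf("harddiskvolume[0-9]/") -1)` cannot work: `String.indexOf` takes a literal, not a regex, so the bracket expression never matches, `indexOf` returns -1 and `substring(-2)` throws `StringIndexOutOfBoundsException` for every path reaching this line — judging by the `normalizePath` call in the dlllist parser below, that would abort processing of plugin output rather than merely mis-map a few handles entries. Even on a literal match, `indexOf(...) - 1` keeps the volume prefix instead of removing it. Keep the regex form the removed line used, widened to multi-digit volumes: `filePath = filePath.replaceAll("harddiskvolume[0-9]+/", "");`. The `%systemroot%` replacement two lines above also leaves a double slash when the cmdline value was `%systemroot%\...`, because the backslash pass at the top of the hunk has already produced `%systemroot%/`; `filePath.replaceAll("%systemroot%/", "/windows/")` mirrors the existing `/systemroot/` rule. The enclosing method (presumably `normalizePath`) starts before and ends after this hunk.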
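Review bot: The renamed signature `private Set parseDllList(File PluginFile)` keeps a parameter in UpperCamelCase and a raw `Set` return; `private Set<String> parseDllList(File pluginFile)` follows Java naming and lets the callers in `scanOutputFile` drop their raw `Set` declarations. The same applies to the renamed signatures at `@@ -447`, `@@ -469`, `@@ -510`, `@@ -540`, `@@ -567`, `@@ -594`, `@@ -621` and `@@ -648`. Removing the unused `counter` is fine; its two increments disappear with it in the `@@ -407` and `@@ -433` hunks. The method body continues past the hunk.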
@@ -469,7 +473,7 @@ class VolatilityProcessor {
 return fileSet;
 }
- private Set parse_Cmdline(File PluginFile) {
+ private Set parseCmdline(File PluginFile) {
 Set fileSet = new HashSet<>();
 // read the first line from the text file
 try (BufferedReader br = new BufferedReader(new FileReader(PluginFile))) {
@@ -510,7 +514,7 @@ class VolatilityProcessor {
 return fileSet;
 }
- private Set parse_Shimcache(File PluginFile) {
+ private Set parseShimcache(File PluginFile) {
 String line;
 Set fileSet = new HashSet<>();
 try {
@@ -540,7 +544,7 @@ class VolatilityProcessor {
 return fileSet;
 }
- private Set parse_Psscan(File PluginFile) {
+ private Set parsePsscan(File PluginFile) {
 String line;
 Set fileSet = new HashSet<>();
 try {
@@ -567,7 +571,7 @@ class VolatilityProcessor {
 return fileSet;
 }
- private Set parse_Pslist(File PluginFile) {
+ private Set parsePslist(File PluginFile) {
 String line;
 Set fileSet = new HashSet<>();
 try {
@@ -594,7 +598,7 @@ class VolatilityProcessor {
 return fileSet;
 }
- private Set parse_Psxview(File PluginFile) {
+ private Set parsePsxview(File PluginFile) {
 String line;
 Set fileSet = new HashSet<>();
 try {
@@ -621,7 +625,7 @@ class VolatilityProcessor {
 return fileSet;
 }
- private Set parse_Pstree(File PluginFile) {
+ private Set parsePstree(File PluginFile) {
 String line;
 Set fileSet = new HashSet<>();
 try {
@@ -648,7 +652,7 @@ class VolatilityProcessor {
 return fileSet;
 }
- private Set parse_Svcscan(File PluginFile) {
+ private Set parseSvcscan(File PluginFile) {
 String line;
 Set fileSet = new HashSet<>();
 try {