mirror of
https://github.com/overcuriousity/autopsy-flatpak.git
synced 2025-07-06 21:00:22 +00:00
more comment updates
This commit is contained in:
Brian Carrier
parent
f9485d3ba2
commit
08e324a635
@ -5,3 +5,4 @@ Changes to make to API when we are ready to make backward incompatible changes:
|
|||||||
- DataContentViewerHex and Strings can have the public setDataView methods removed in favor of the new private ones
|
- DataContentViewerHex and Strings can have the public setDataView methods removed in favor of the new private ones
|
||||||
- Content.getUniquePath() should not thrown TskException. We should deal with it in the method.
|
- Content.getUniquePath() should not thrown TskException. We should deal with it in the method.
|
||||||
- Make the list of events that Case fires off to be part of an enum to group them together (like IngestManager does).
|
- Make the list of events that Case fires off to be part of an enum to group them together (like IngestManager does).
|
||||||
|
- Sub-modules in RecentActivity have a bunch of public/protected variables that do not need to be. (i.e. ExtractRegistry.rrFullFound).
|
||||||
|
|||||||
@ -32,7 +32,6 @@ import javax.xml.parsers.DocumentBuilder;
|
|||||||
import javax.xml.parsers.DocumentBuilderFactory;
|
import javax.xml.parsers.DocumentBuilderFactory;
|
||||||
import javax.xml.parsers.ParserConfigurationException;
|
import javax.xml.parsers.ParserConfigurationException;
|
||||||
import org.openide.modules.InstalledFileLocator;
|
import org.openide.modules.InstalledFileLocator;
|
||||||
import org.sleuthkit.autopsy.casemodule.Case;
|
|
||||||
import org.sleuthkit.autopsy.coreutils.ExecUtil;
|
import org.sleuthkit.autopsy.coreutils.ExecUtil;
|
||||||
import org.sleuthkit.autopsy.coreutils.Logger;
|
import org.sleuthkit.autopsy.coreutils.Logger;
|
||||||
import org.sleuthkit.autopsy.coreutils.PlatformUtil;
|
import org.sleuthkit.autopsy.coreutils.PlatformUtil;
|
||||||
@ -40,7 +39,6 @@ import org.sleuthkit.autopsy.datamodel.ContentUtils;
|
|||||||
import org.sleuthkit.autopsy.ingest.IngestDataSourceWorkerController;
|
import org.sleuthkit.autopsy.ingest.IngestDataSourceWorkerController;
|
||||||
import org.sleuthkit.autopsy.ingest.IngestModuleDataSource;
|
import org.sleuthkit.autopsy.ingest.IngestModuleDataSource;
|
||||||
import org.sleuthkit.autopsy.ingest.IngestModuleInit;
|
import org.sleuthkit.autopsy.ingest.IngestModuleInit;
|
||||||
import org.sleuthkit.autopsy.ingest.IngestServices;
|
|
||||||
import org.sleuthkit.autopsy.ingest.PipelineContext;
|
import org.sleuthkit.autopsy.ingest.PipelineContext;
|
||||||
import org.sleuthkit.autopsy.recentactivity.ExtractUSB.USBInfo;
|
import org.sleuthkit.autopsy.recentactivity.ExtractUSB.USBInfo;
|
||||||
import org.sleuthkit.datamodel.*;
|
import org.sleuthkit.datamodel.*;
|
||||||
@ -54,17 +52,18 @@ import org.xml.sax.InputSource;
|
|||||||
import org.xml.sax.SAXException;
|
import org.xml.sax.SAXException;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Extracting windows registry data using regripper
|
* Extract windows registry data using regripper.
|
||||||
|
* Runs two versions of regripper. One is the generally available set of plug-ins
|
||||||
|
* and the second is a set that were customized for Autopsy to produce a more structured
|
||||||
|
* output of XML so that we can parse and turn into blackboard artifacts.
|
||||||
*/
|
*/
|
||||||
public class ExtractRegistry extends Extract {
|
public class ExtractRegistry extends Extract {
|
||||||
|
|
||||||
public Logger logger = Logger.getLogger(this.getClass().getName());
|
public Logger logger = Logger.getLogger(this.getClass().getName());
|
||||||
private String RR_PATH;
|
private String RR_PATH;
|
||||||
private String RR_FULL_PATH;
|
private String RR_FULL_PATH;
|
||||||
boolean rrFound = false;
|
boolean rrFound = false; // true if we found the Autopsy-specific version of regripper
|
||||||
boolean rrFullFound = false;
|
boolean rrFullFound = false; // true if we found the full version of regripper
|
||||||
private int sysid;
|
|
||||||
private IngestServices services;
|
|
||||||
final public static String MODULE_VERSION = "1.0";
|
final public static String MODULE_VERSION = "1.0";
|
||||||
private ExecUtil execRR;
|
private ExecUtil execRR;
|
||||||
|
|
||||||
@ -130,7 +129,7 @@ public class ExtractRegistry extends Extract {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// find the system hives'
|
// find the system hives'
|
||||||
String[] regFileNames = new String[] {"system", "software", "security", "sam", "default"};
|
String[] regFileNames = new String[] {"system", "software", "security", "sam"};
|
||||||
for (String regFileName : regFileNames) {
|
for (String regFileName : regFileNames) {
|
||||||
try {
|
try {
|
||||||
allRegistryFiles.addAll(fileManager.findFiles(dataSource, regFileName, "/system32/config"));
|
allRegistryFiles.addAll(fileManager.findFiles(dataSource, regFileName, "/system32/config"));
|
||||||
@ -261,17 +260,17 @@ public class ExtractRegistry extends Extract {
|
|||||||
public String fullPlugins = "";
|
public String fullPlugins = "";
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO: Hardcoded command args/path needs to be removed. Maybe set some constants and set env variables for classpath
|
|
||||||
/**
|
/**
|
||||||
* Execute regripper on the given registry.
|
* Execute regripper on the given registry.
|
||||||
* @param regFilePath Path to local copy of registry
|
* @param regFilePath Path to local copy of registry
|
||||||
* @param outFilePathBase Path to location to save output file to. Base name that will be extended on
|
* @param outFilePathBase Path to location to save output file to. Base name that will be extended on
|
||||||
*/
|
*/
|
||||||
private RegOutputFiles executeRegRip(String regFilePath, String outFilePathBase) {
|
private RegOutputFiles executeRegRip(String regFilePath, String outFilePathBase) {
|
||||||
|
|
||||||
String autopsyType = ""; // Type argument for rr for autopsy-specific modules
|
String autopsyType = ""; // Type argument for rr for autopsy-specific modules
|
||||||
String fullType = ""; // Type argument for rr for full set of modules
|
String fullType = ""; // Type argument for rr for full set of modules
|
||||||
|
|
||||||
|
RegOutputFiles regOutputFiles = new RegOutputFiles();
|
||||||
|
|
||||||
if (regFilePath.toLowerCase().contains("system")) {
|
if (regFilePath.toLowerCase().contains("system")) {
|
||||||
autopsyType = "autopsysystem";
|
autopsyType = "autopsysystem";
|
||||||
fullType = "system";
|
fullType = "system";
|
||||||
@ -283,10 +282,7 @@ public class ExtractRegistry extends Extract {
|
|||||||
else if (regFilePath.toLowerCase().contains("ntuser")) {
|
else if (regFilePath.toLowerCase().contains("ntuser")) {
|
||||||
autopsyType = "autopsy";
|
autopsyType = "autopsy";
|
||||||
fullType = "ntuser";
|
fullType = "ntuser";
|
||||||
}
|
}
|
||||||
else if (regFilePath.toLowerCase().contains("default")) {
|
|
||||||
//type = "1default";
|
|
||||||
}
|
|
||||||
else if (regFilePath.toLowerCase().contains("sam")) {
|
else if (regFilePath.toLowerCase().contains("sam")) {
|
||||||
fullType = "sam";
|
fullType = "sam";
|
||||||
}
|
}
|
||||||
@ -294,11 +290,8 @@ public class ExtractRegistry extends Extract {
|
|||||||
fullType = "security";
|
fullType = "security";
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
// @@@ Seems like we should error out or something...
|
return regOutputFiles;
|
||||||
autopsyType = "1default";
|
|
||||||
}
|
}
|
||||||
|
|
||||||
RegOutputFiles regOutputFiles = new RegOutputFiles();
|
|
||||||
|
|
||||||
// run the autopsy-specific set of modules
|
// run the autopsy-specific set of modules
|
||||||
if (!autopsyType.isEmpty() && rrFound) {
|
if (!autopsyType.isEmpty() && rrFound) {
|
||||||
@ -326,8 +319,6 @@ public class ExtractRegistry extends Extract {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} else {
|
|
||||||
logger.log(Level.INFO, "Not running Autopsy-only modules on hive");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// run the full set of rr modules
|
// run the full set of rr modules
|
||||||
@ -355,9 +346,8 @@ public class ExtractRegistry extends Extract {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} else {
|
|
||||||
logger.log(Level.INFO, "Not running original RR modules on hive");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return regOutputFiles;
|
return regOutputFiles;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -519,13 +509,8 @@ public class ExtractRegistry extends Extract {
|
|||||||
} catch (TskCoreException ex) {
|
} catch (TskCoreException ex) {
|
||||||
logger.log(Level.SEVERE, "Error adding recent object artifact to blackboard.");
|
logger.log(Level.SEVERE, "Error adding recent object artifact to blackboard.");
|
||||||
}
|
}
|
||||||
|
|
||||||
} else {
|
|
||||||
//BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(sysid);
|
|
||||||
//bbart.addAttributes(bbattributes);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return true;
|
return true;
|
||||||
@ -555,7 +540,6 @@ public class ExtractRegistry extends Extract {
|
|||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void init(IngestModuleInit initContext) {
|
public void init(IngestModuleInit initContext) {
|
||||||
services = IngestServices.getDefault();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user