From 3e3f6c8cda122fbc2a3e1239ac4af2a61540ae1c Mon Sep 17 00:00:00 2001
From: Ann Priestman
Date: Mon, 8 Apr 2019 12:44:25 -0400
Subject: [PATCH 1/2] Added cancellation checks to EncryptionDetection
---
 ...yptionDetectionDataSourceIngestModule.java | 19 ++++++++++++++++---
 .../EncryptionDetectionFileIngestModule.java | 8 +++++++-
 .../EncryptionDetectionTools.java | 13 ++++++++++++-
 3 files changed, 35 insertions(+), 5 deletions(-)
diff --git a/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionDataSourceIngestModule.java b/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionDataSourceIngestModule.java
index f7806db5a7..cac099c964 100644
--- a/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionDataSourceIngestModule.java
+++ b/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionDataSourceIngestModule.java
@@ -52,6 +52,7 @@ final class EncryptionDetectionDataSourceIngestModule implements DataSourceInges
 private Blackboard blackboard;
 private double calculatedEntropy;
 private final double minimumEntropy;
+ private IngestJobContext context;
 /**
 * Create an EncryptionDetectionDataSourceIngestModule object that will
@@ -67,6 +68,7 @@ final class EncryptionDetectionDataSourceIngestModule implements DataSourceInges
 public void startUp(IngestJobContext context) throws IngestModule.IngestModuleException {
 validateSettings();
 blackboard = Case.getCurrentCase().getServices().getBlackboard();
+ this.context = context;
 }
 @Messages({
@@ -77,8 +79,6 @@ final class EncryptionDetectionDataSourceIngestModule implements DataSourceInges
 @Override
 public ProcessResult process(Content dataSource, DataSourceIngestModuleProgress progressBar) {
-
-
 try {
 if (dataSource instanceof Image) {
@@ -92,10 +92,23 @@ final class EncryptionDetectionDataSourceIngestModule implements DataSourceInges
 int numVolSystemsChecked = 0;
 progressBar.progress(Bundle.EncryptionDetectionDataSourceIngestModule_processing_message(), 0);
 for (VolumeSystem volumeSystem : volumeSystems) {
+
+ if (context.dataSourceIngestIsCancelled()) {
+ return ProcessResult.OK;
+ }
+
 for (Volume volume : volumeSystem.getVolumes()) {
+
+ if (context.dataSourceIngestIsCancelled()) {
+ return ProcessResult.OK;
+ }
 if (BitlockerDetection.isBitlockerVolume(volume)) {
 return flagVolume(volume, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED, Bundle.EncryptionDetectionDataSourceIngestModule_artifactComment_bitlocker());
 }
+
+ if (context.dataSourceIngestIsCancelled()) {
+ return ProcessResult.OK;
+ }
 if (isVolumeEncrypted(volume)) {
 return flagVolume(volume, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_SUSPECTED, String.format(Bundle.EncryptionDetectionDataSourceIngestModule_artifactComment_suspected(), calculatedEntropy));
 }
@@ -198,7 +211,7 @@ final class EncryptionDetectionDataSourceIngestModule implements DataSourceInges
 * http://www.forensicswiki.org/wiki/TrueCrypt#Detection
 */
 if (volume.getFileSystems().isEmpty()) {
- calculatedEntropy = EncryptionDetectionTools.calculateEntropy(volume);
+ calculatedEntropy = EncryptionDetectionTools.calculateEntropy(volume, context);
 if (calculatedEntropy >= minimumEntropy) {
 return true;
 }
diff --git a/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java b/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java
index 3e454daff8..e884baa55c 100644
--- a/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java
+++ b/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java
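Review bot: The cancellation checks in the volume loops overlap: on the first pass through the inner `for (Volume volume : volumeSystem.getVolumes())` the check at the top of the outer loop body and the one at the top of the inner loop body run back to back with no work between them, and the third check sits between `isBitlockerVolume` and `isVolumeEncrypted`, whose expensive part (`calculateEntropy`, see the `@@ -198` hunk) now polls cancellation itself in the EncryptionDetectionTools hunk. One check at the top of the inner loop body would cover the same exits with less clutter; the second patch in this series then adds a further check inside `flagVolume`, which both of these call sites already guard. The added blank lines directly after each `for (...) {` also read oddly next to the preceding hunk, which removes exactly such blank lines after the `process` signature. The `process` method continues outside the hunk.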
@@ -82,6 +82,7 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter
 private final Logger logger = services.getLogger(EncryptionDetectionModuleFactory.getModuleName());
 private FileTypeDetector fileTypeDetector;
 private Blackboard blackboard;
+ private IngestJobContext context;
 private double calculatedEntropy;
 private final double minimumEntropy;
@@ -107,6 +108,7 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter
 public void startUp(IngestJobContext context) throws IngestModule.IngestModuleException {
 try {
 validateSettings();
+ this.context = context;
 blackboard = Case.getCurrentCaseThrows().getServices().getBlackboard();
 fileTypeDetector = new FileTypeDetector();
 } catch (FileTypeDetector.FileTypeDetectorInitException ex) {
@@ -194,6 +196,10 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter
 */
 private IngestModule.ProcessResult flagFile(AbstractFile file, BlackboardArtifact.ARTIFACT_TYPE artifactType, String comment) {
 try {
+ if (context.fileIngestIsCancelled()) {
+ return IngestModule.ProcessResult.OK;
+ }
+
 BlackboardArtifact artifact = file.newArtifact(artifactType);
 artifact.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, EncryptionDetectionModuleFactory.getModuleName(), comment));
@@ -397,7 +403,7 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter
 /*
 * Qualify the entropy.
 */
- calculatedEntropy = EncryptionDetectionTools.calculateEntropy(file);
+ calculatedEntropy = EncryptionDetectionTools.calculateEntropy(file, context);
 if (calculatedEntropy >= minimumEntropy) {
 possiblyEncrypted = true;
 }
diff --git a/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionTools.java b/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionTools.java
index 99dbc0aaeb..af3a54a379 100644
--- a/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionTools.java
+++ b/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionTools.java
@@ -22,6 +22,7 @@ import java.io.BufferedInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import org.openide.util.NbBundle;
+import org.sleuthkit.autopsy.ingest.IngestJobContext;
 import org.sleuthkit.autopsy.ingest.IngestModule;
 import org.sleuthkit.datamodel.ReadContentInputStream;
 import org.sleuthkit.datamodel.Content;
@@ -69,6 +70,7 @@ final class EncryptionDetectionTools {
 * content as possibly encrypted.
 *
 * @param content The content to be calculated against.
+ * @param context The ingest job context for cancellation checks
 *
 * @return The entropy of the content.
 *
@@ -77,7 +79,7 @@ final class EncryptionDetectionTools {
 * @throws IOException If there is a failure closing or
 * reading from the InputStream.
 */
- static double calculateEntropy(Content content) throws ReadContentInputStream.ReadContentInputStreamException, IOException {
+ static double calculateEntropy(Content content, IngestJobContext context) throws ReadContentInputStream.ReadContentInputStreamException, IOException {
 /*
 * Logic in this method is based on
 * https://github.com/willjasen/entropy/blob/master/entropy.java
@@ -95,8 +97,17 @@ final class EncryptionDetectionTools {
 */
 int[] byteOccurences = new int[BYTE_OCCURENCES_BUFFER_SIZE];
 int readByte;
+ long bytesRead = 0;
 while ((readByte = bin.read()) != -1) {
 byteOccurences[readByte]++;
+
+ // Do a cancellation check every 10,000 bytes
+ bytesRead++;
+ if (bytesRead % 10000 == 0) {
+ if (context.dataSourceIngestIsCancelled() || context.fileIngestIsCancelled()) {
+ return 0;
+ }
+ }
 }
 /*
From c0fa9f9caf17b02b48ce485caa150f15ecf17e1b Mon Sep 17 00:00:00 2001
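Review bot: Returning `0` from `calculateEntropy` on cancellation turns a control-flow event into a data value that both callers store in `calculatedEntropy` and compare against `minimumEntropy` (the `@@ -198` hunk of the data-source module and the `@@ -397` hunk of the file module), and `0` is also the legitimate entropy of content consisting of a single repeated byte value, so a caller cannot tell a cancelled partial read from a real result. Since both call sites already hold `context`, they could test `context.dataSourceIngestIsCancelled()` or `context.fileIngestIsCancelled()` right after the call and skip the comparison, or the contract should at least be written down in the `@@ -69` hunk: `@return The entropy of the content, or 0 if the ingest job was cancelled before the content was fully read.` The `10000` in `bytesRead % 10000 == 0` would be clearer as a named constant such as `CANCELLATION_CHECK_INTERVAL`, and the new `@param context` line is missing the trailing period the neighbouring tags have. The body of `calculateEntropy` continues outside the hunk.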
From: Ann Priestman
Date: Mon, 8 Apr 2019 12:48:11 -0400
Subject: [PATCH 2/2] Added one more check
---
 .../EncryptionDetectionDataSourceIngestModule.java | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionDataSourceIngestModule.java b/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionDataSourceIngestModule.java
index cac099c964..01b97b6254 100644
--- a/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionDataSourceIngestModule.java
+++ b/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionDataSourceIngestModule.java
@@ -152,6 +152,11 @@ final class EncryptionDetectionDataSourceIngestModule implements DataSourceInges
 * there was a problem.
 */
 private IngestModule.ProcessResult flagVolume(Volume volume, BlackboardArtifact.ARTIFACT_TYPE artifactType, String comment) {
+
+ if (context.dataSourceIngestIsCancelled()) {
+ return ProcessResult.OK;
+ }
+
 try {
 BlackboardArtifact artifact = volume.newArtifact(artifactType);
 artifact.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, EncryptionDetectionModuleFactory.getModuleName(), comment));