reorganized logic inside of IE parser and order of modules in RecentActivity.

Brian Carrier 2013-10-25 20:53:08 -04:00
parent 2e8e5b1405
commit 170f40b77d
2 changed files with 183 additions and 204 deletions


@ -73,9 +73,6 @@ public class ExtractIE extends Extract {
private String PASCO_LIB_PATH; private String PASCO_LIB_PATH;
private String JAVA_PATH; private String JAVA_PATH;
// List of Pasco result files for this data source
private List<String> pascoResults;
boolean pascoFound = false;
final public static String MODULE_VERSION = "1.0"; final public static String MODULE_VERSION = "1.0";
private static final SimpleDateFormat dateFormatter = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"); private static final SimpleDateFormat dateFormatter = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'");
@ -96,27 +93,34 @@ public class ExtractIE extends Extract {
@Override @Override
public void process(PipelineContext<IngestModuleDataSource>pipelineContext, Content dataSource, IngestDataSourceWorkerController controller) { public void process(PipelineContext<IngestModuleDataSource>pipelineContext, Content dataSource, IngestDataSourceWorkerController controller) {
this.extractAndRunPasco(dataSource, controller); this.getBookmark(dataSource, controller);
this.getBookmark(dataSource, controller); this.getCookie(dataSource, controller);
this.getCookie(dataSource, controller); this.getRecentDocuments(dataSource, controller);
this.getRecentDocuments(dataSource, controller); this.getHistory(dataSource, controller);
this.getHistory(pascoResults);
} }
//Favorites section /**
// This gets the favorite info * Finds the files storing bookmarks and creates artifacts
* @param dataSource
* @param controller
*/
private void getBookmark(Content dataSource, IngestDataSourceWorkerController controller) { private void getBookmark(Content dataSource, IngestDataSourceWorkerController controller) {
org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager(); org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
List<AbstractFile> favoritesFiles = null; List<AbstractFile> favoritesFiles = null;
try { try {
favoritesFiles = fileManager.findFiles(dataSource, "%.url", "Favorites"); favoritesFiles = fileManager.findFiles(dataSource, "%.url", "Favorites");
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history.", ex); logger.log(Level.WARNING, "Error fetching 'url' files for Internet Explorer bookmarks.", ex);
this.addErrorMessage(this.getName() + ": Error getting Internet Explorer Bookmarks."); this.addErrorMessage(this.getName() + ": Error getting Internet Explorer Bookmarks.");
return; return;
} }
for (AbstractFile favoritesFile : favoritesFiles) { for (AbstractFile favoritesFile : favoritesFiles) {
if (favoritesFile.getSize() == 0) {
continue;
}
// @@@ WHY DON"T WE PARSE THIS FILE more intelligently. It's text-based
if (controller.isCancelled()) { if (controller.isCancelled()) {
break; break;
} }
@ -145,8 +149,6 @@ public class ExtractIE extends Extract {
String domain = Util.extractDomain(url); String domain = Util.extractDomain(url);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
//TODO revisit usage of deprecated constructor as per TSK-583
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", datetime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "RecentActivity", datetime)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "RecentActivity", datetime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", url)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", url));
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", EscapeUtil.decodeURL(url))); //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", EscapeUtil.decodeURL(url)));
@ -154,21 +156,22 @@ public class ExtractIE extends Extract {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "Internet Explorer")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "Internet Explorer"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", domain)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", domain));
this.addArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, favoritesFile, bbattributes); this.addArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, favoritesFile, bbattributes);
services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK));
} }
services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK));
} }
//Cookies section /**
// This gets the cookies info * Finds files that store cookies and adds artifacts for them.
* @param dataSource
* @param controller
*/
private void getCookie(Content dataSource, IngestDataSourceWorkerController controller) { private void getCookie(Content dataSource, IngestDataSourceWorkerController controller) {
org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager(); org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
List<AbstractFile> cookiesFiles = null; List<AbstractFile> cookiesFiles = null;
try { try {
cookiesFiles = fileManager.findFiles(dataSource, "%.txt", "Cookies"); cookiesFiles = fileManager.findFiles(dataSource, "%.txt", "Cookies");
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history."); logger.log(Level.WARNING, "Error finding cookie files for IE");
this.addErrorMessage(this.getName() + ": " + "Error getting Internet Explorer cookie files."); this.addErrorMessage(this.getName() + ": " + "Error getting Internet Explorer cookie files.");
return; return;
} }
@ -177,10 +180,13 @@ public class ExtractIE extends Extract {
if (controller.isCancelled()) { if (controller.isCancelled()) {
break; break;
} }
Content fav = cookiesFile; if (cookiesFile.getSize() == 0) {
byte[] t = new byte[(int) fav.getSize()]; continue;
}
byte[] t = new byte[(int) cookiesFile.getSize()];
try { try {
final int bytesRead = fav.read(t, 0, fav.getSize()); final int bytesRead = cookiesFile.read(t, 0, cookiesFile.getSize());
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Error reading bytes of Internet Explorer cookie.", ex); logger.log(Level.SEVERE, "Error reading bytes of Internet Explorer cookie.", ex);
this.addErrorMessage(this.getName() + ": Error reading Internet Explorer cookie " + cookiesFile.getName()); this.addErrorMessage(this.getName() + ": Error reading Internet Explorer cookie " + cookiesFile.getName());
@ -197,25 +203,23 @@ public class ExtractIE extends Extract {
String domain = Util.extractDomain(url); String domain = Util.extractDomain(url);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", url)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", (name != null) ? name : ""));
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", EscapeUtil.decodeURL(url)));
//TODO Revisit usage of deprecated Constructor as of TSK-583
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Last Visited", datetime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", datetime)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", datetime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", value)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", value));
//TODO Revisit usage of deprecated Constructor as of TSK-583
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "Title", (name != null) ? name : ""));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", (name != null) ? name : ""));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "Internet Explorer")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "Internet Explorer"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", url));
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", EscapeUtil.decodeURL(url)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", domain)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", domain));
this.addArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes); this.addArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes);
} }
services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE)); services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE));
} }
//Recent Documents section /**
// This gets the recent object info * Find the documents that Windows stores about recent documents and make artifacts.
* @param dataSource
* @param controller
*/
private void getRecentDocuments(Content dataSource, IngestDataSourceWorkerController controller) { private void getRecentDocuments(Content dataSource, IngestDataSourceWorkerController controller) {
org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager(); org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
@ -232,12 +236,12 @@ public class ExtractIE extends Extract {
if (controller.isCancelled()) { if (controller.isCancelled()) {
break; break;
} }
Content fav = recentFile;
if (fav.getSize() == 0) { if (recentFile.getSize() == 0) {
continue; continue;
} }
JLNK lnk = null; JLNK lnk = null;
JLnkParser lnkParser = new JLnkParser(new ReadContentInputStream(fav), (int) fav.getSize()); JLnkParser lnkParser = new JLnkParser(new ReadContentInputStream(recentFile), (int) recentFile.getSize());
try { try {
lnk = lnkParser.parse(); lnk = lnkParser.parse();
} catch (JLnkParserException e) { } catch (JLnkParserException e) {
@ -258,28 +262,26 @@ public class ExtractIE extends Extract {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", Util.getFileName(path))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", Util.getFileName(path)));
long id = Util.findID(dataSource, path); long id = Util.findID(dataSource, path);
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "RecentActivity", id)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "RecentActivity", id));
//TODO Revisit usage of deprecated constructor as per TSK-583
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Date Created", datetime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", datetime)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", datetime));
this.addArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT, recentFile, bbattributes); this.addArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT, recentFile, bbattributes);
} }
services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT)); services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT));
} }
/**
private void extractAndRunPasco(Content dataSource, IngestDataSourceWorkerController controller) { * Locates index.dat files, runs Pasco on them, and creates artifacts.
pascoResults = new ArrayList<String>(); * @param dataSource
* @param controller
*/
private void getHistory(Content dataSource, IngestDataSourceWorkerController controller) {
logger.log(Level.INFO, "Pasco results path: " + moduleTempResultsDir); logger.log(Level.INFO, "Pasco results path: " + moduleTempResultsDir);
boolean foundHistory = false;
final File pascoRoot = InstalledFileLocator.getDefault().locate("pasco2", ExtractIE.class.getPackage().getName(), false); final File pascoRoot = InstalledFileLocator.getDefault().locate("pasco2", ExtractIE.class.getPackage().getName(), false);
if (pascoRoot == null) { if (pascoRoot == null) {
logger.log(Level.SEVERE, "Pasco2 not found"); this.addErrorMessage(this.getName() + ": Unable to get IE History: pasco not found");
pascoFound = false; logger.log(Level.SEVERE, "Error finding pasco program ");
return; return;
} else {
pascoFound = true;
} }
final String pascoHome = pascoRoot.getAbsolutePath(); final String pascoHome = pascoRoot.getAbsolutePath();
@ -291,7 +293,6 @@ public class ExtractIE extends Extract {
File resultsDir = new File(moduleTempResultsDir); File resultsDir = new File(moduleTempResultsDir);
resultsDir.mkdirs(); resultsDir.mkdirs();
// get index.dat files // get index.dat files
org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager(); org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
List<AbstractFile> indexFiles = null; List<AbstractFile> indexFiles = null;
@ -316,7 +317,6 @@ public class ExtractIE extends Extract {
temps = RAImageIngestModule.getRATempPath(currentCase, "IE") + File.separator + indexFileName; temps = RAImageIngestModule.getRATempPath(currentCase, "IE") + File.separator + indexFileName;
File datFile = new File(temps); File datFile = new File(temps);
if (controller.isCancelled()) { if (controller.isCancelled()) {
datFile.delete();
break; break;
} }
try { try {
@ -333,7 +333,9 @@ public class ExtractIE extends Extract {
//At this point pasco2 proccessed the index files. //At this point pasco2 proccessed the index files.
//Now fetch the results, parse them and the delete the files. //Now fetch the results, parse them and the delete the files.
if (bPascProcSuccess) { if (bPascProcSuccess) {
pascoResults.add(filename); parsePascoOutput(indexFile, filename);
foundHistory = true;
//Delete index<n>.dat file since it was succcessfully by Pasco //Delete index<n>.dat file since it was succcessfully by Pasco
datFile.delete(); datFile.delete();
} else { } else {
@ -341,22 +343,26 @@ public class ExtractIE extends Extract {
this.addErrorMessage(this.getName() + ": Error processing Internet Explorer history."); this.addErrorMessage(this.getName() + ": Error processing Internet Explorer history.");
} }
} }
if (foundHistory) {
services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY));
}
} }
//Simple wrapper to JavaSystemCaller.Exec() to execute pasco2 jar /**
// TODO: Hardcoded command args/path needs to be removed. Maybe set some constants and set env variables for classpath * Execute pasco on a single file that has been saved to disk.
// I'm not happy with this code. Can't stand making a system call, is not an acceptable solution but is a hack for now. * @param indexFilePath Path to local index.dat file to analyze
private boolean executePasco(String indexFilePath, String filename) { * @param outputFileName Name of file to save output to
if (pascoFound == false) { * @return false on error
return false; */
} private boolean executePasco(String indexFilePath, String outputFileName) {
boolean success = true; boolean success = true;
Writer writer = null; Writer writer = null;
try { try {
final String pascoOutFile = moduleTempResultsDir + File.separator + filename; final String outputFileFullPath = moduleTempResultsDir + File.separator + outputFileName;
logger.log(Level.INFO, "Writing pasco results to: " + pascoOutFile); logger.log(Level.INFO, "Writing pasco results to: " + outputFileFullPath);
writer = new FileWriter(pascoOutFile); writer = new FileWriter(outputFileFullPath);
execPasco = new ExecUtil(); execPasco = new ExecUtil();
execPasco.execute(writer, JAVA_PATH, execPasco.execute(writer, JAVA_PATH,
"-cp", PASCO_LIB_PATH, "-cp", PASCO_LIB_PATH,
@ -379,124 +385,117 @@ public class ExtractIE extends Extract {
} }
} }
} }
return success; return success;
} }
private void getHistory(List<String> filenames) { /**
// Make sure pasco and the results exist * parse Pasco output and create artifacts
File rFile = new File(moduleTempResultsDir); * @param origFile Original index.dat file that was analyzed to get this output
if (pascoFound == false || ! rFile.exists()) { * @param pascoOutputFileName name of pasco output file
*/
private void parsePascoOutput(AbstractFile origFile, String pascoOutputFileName) {
String fnAbs = moduleTempResultsDir + File.separator + pascoOutputFileName;
File file = new File(fnAbs);
if (file.exists() == false) {
this.addErrorMessage(this.getName() + ": Pasco output not found: " + file.getName());
logger.log(Level.WARNING, "Pasco Output not found: " + file.getPath());
return; return;
} }
//Give me a list of pasco results in that directory // Make sure the file the is not empty or the Scanner will
File[] pascoFiles = rFile.listFiles(); // throw a "No Line found" Exception
for (File file : pascoFiles) { if (file.length() == 0) {
String fileName = file.getName(); return;
if (!filenames.contains(fileName)) {
logger.log(Level.INFO, "Found a temp Pasco result file not in the list: {0}", fileName);
continue;
}
// Make sure the file the is not empty or the Scanner will
// throw a "No Line found" Exception
if (file.length() == 0) {
continue;
}
long artObjId = Long.parseLong(fileName.substring(fileName.indexOf(".") + 1, fileName.lastIndexOf(".")));
Scanner fileScanner;
try {
fileScanner = new Scanner(new FileInputStream(file.toString()));
} catch (FileNotFoundException ex) {
this.addErrorMessage(this.getName() + ": Error parsing IE history entry " + file.getName());
logger.log(Level.WARNING, "Unable to find the Pasco file at " + file.getPath(), ex);
continue;
}
while (fileScanner.hasNext()) {
String line = fileScanner.nextLine();
if (!line.startsWith("URL")) {
continue;
}
String[] lineBuff = line.split("\\t");
if (lineBuff.length < 4) {
logger.log(Level.INFO, "Found unrecognized IE history format.");
continue;
}
String ddtime = lineBuff[2];
String actime = lineBuff[3];
Long ftime = (long) 0;
String user = "";
String realurl = "";
String domain = "";
/* We've seen two types of lines:
* URL http://XYZ.com ....
* URL Visited: Joe@http://XYZ.com ....
*/
if (lineBuff[1].contains("@")) {
String url[] = lineBuff[1].split("@", 2);
user = url[0];
user = user.replace("Visited:", "");
user = user.replace(":Host:", "");
user = user.replaceAll("(:)(.*?)(:)", "");
user = user.trim();
realurl = url[1];
realurl = realurl.replace("Visited:", "");
realurl = realurl.replaceAll(":(.*?):", "");
realurl = realurl.replace(":Host:", "");
realurl = realurl.trim();
} else {
user = "";
realurl = lineBuff[1].trim();
}
domain = Util.extractDomain(realurl);
if (!ddtime.isEmpty()) {
ddtime = ddtime.replace("T", " ");
ddtime = ddtime.substring(ddtime.length() - 5);
}
if (!actime.isEmpty()) {
try {
Long epochtime = dateFormatter.parse(actime).getTime();
ftime = epochtime.longValue();
ftime = ftime / 1000;
} catch (ParseException e) {
this.addErrorMessage(this.getName() + ": Error parsing Internet Explorer History entry.");
logger.log(Level.SEVERE, "Error parsing Pasco results.", e);
}
}
try {
BlackboardArtifact bbart = tskCase.getContentById(artObjId).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", realurl));
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", EscapeUtil.decodeURL(realurl)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "RecentActivity", ftime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(), "RecentActivity", ""));
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", ddtime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "Internet Explorer"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", domain));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME.getTypeID(), "RecentActivity", user));
bbart.addAttributes(bbattributes);
} catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Error writing Internet Explorer web history artifact to the blackboard.", ex);
}
}
fileScanner.close();
} }
services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY));
Scanner fileScanner;
try {
fileScanner = new Scanner(new FileInputStream(file.toString()));
} catch (FileNotFoundException ex) {
this.addErrorMessage(this.getName() + ": Error parsing IE history entry " + file.getName());
logger.log(Level.WARNING, "Unable to find the Pasco file at " + file.getPath(), ex);
return;
}
while (fileScanner.hasNext()) {
String line = fileScanner.nextLine();
if (!line.startsWith("URL")) {
continue;
}
String[] lineBuff = line.split("\\t");
if (lineBuff.length < 4) {
logger.log(Level.INFO, "Found unrecognized IE history format.");
continue;
}
String ddtime = lineBuff[2];
String actime = lineBuff[3];
Long ftime = (long) 0;
String user = "";
String realurl = "";
String domain = "";
/* We've seen two types of lines:
* URL http://XYZ.com ....
* URL Visited: Joe@http://XYZ.com ....
*/
if (lineBuff[1].contains("@")) {
String url[] = lineBuff[1].split("@", 2);
user = url[0];
user = user.replace("Visited:", "");
user = user.replace(":Host:", "");
user = user.replaceAll("(:)(.*?)(:)", "");
user = user.trim();
realurl = url[1];
realurl = realurl.replace("Visited:", "");
realurl = realurl.replaceAll(":(.*?):", "");
realurl = realurl.replace(":Host:", "");
realurl = realurl.trim();
} else {
user = "";
realurl = lineBuff[1].trim();
}
domain = Util.extractDomain(realurl);
if (!ddtime.isEmpty()) {
ddtime = ddtime.replace("T", " ");
ddtime = ddtime.substring(ddtime.length() - 5);
}
if (!actime.isEmpty()) {
try {
Long epochtime = dateFormatter.parse(actime).getTime();
ftime = epochtime.longValue();
ftime = ftime / 1000;
} catch (ParseException e) {
this.addErrorMessage(this.getName() + ": Error parsing Internet Explorer History entry.");
logger.log(Level.SEVERE, "Error parsing Pasco results.", e);
}
}
try {
BlackboardArtifact bbart = origFile.newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", realurl));
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", EscapeUtil.decodeURL(realurl)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "RecentActivity", ftime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(), "RecentActivity", ""));
// @@@ NOte that other browser modules are adding NAME in hre for the title
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "Internet Explorer"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", domain));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME.getTypeID(), "RecentActivity", user));
bbart.addAttributes(bbattributes);
} catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Error writing Internet Explorer web history artifact to the blackboard.", ex);
}
}
fileScanner.close();
} }
@Override @Override
@ -506,23 +505,6 @@ public class ExtractIE extends Extract {
@Override @Override
public void complete() { public void complete() {
// Delete all the results when complete
/*for (String file : pascoResults) {
String filePath = moduleTempResultsDir + File.separator + file;
try {
File f = new File(filePath);
if (f.exists() && f.canWrite()) {
f.delete();
} else {
logger.log(Level.WARNING, "Unable to delete file " + filePath);
}
} catch (SecurityException ex) {
logger.log(Level.WARNING, "Incorrect permission to delete file " + filePath, ex);
}
}
*/
pascoResults.clear();
logger.info("Internet Explorer extract has completed.");
} }
@Override @Override
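Review bot: In parsePascoOutput the Scanner opened on the pasco output file is closed only on the normal path (`fileScanner.close()` after the while loop), so any runtime exception thrown while parsing a line leaks the underlying FileInputStream and aborts the remainder of getHistory for that data source. Such an exception is reachable from the data itself: `ddtime.substring(ddtime.length() - 5)` throws StringIndexOutOfBoundsException whenever the third tab-separated field is non-empty but shorter than five characters, and pasco's output is derived from an index.dat taken from the image under examination. Since this hunk already uses the Java 7 diamond (`new ArrayList<>()`), try-with-resources with the FileNotFoundException catch attached to it is the cleaner shape, and because `ddtime` is no longer consumed after the TSK_DATETIME attribute was dropped, its normalization block can be removed rather than guarded. The excerpt below shows only the resource handling; the per-line parsing and artifact creation stay as they are in the hunk.
```java
try (Scanner fileScanner = new Scanner(new FileInputStream(file))) {
    while (fileScanner.hasNext()) {
        String line = fileScanner.nextLine();
        // … unchanged: URL-line filtering, user/url split, actime parsing, artifact creation …
    }
} catch (FileNotFoundException ex) {
    this.addErrorMessage(this.getName() + ": Error parsing IE history entry " + file.getName());
    logger.log(Level.WARNING, "Unable to find the Pasco file at " + file.getPath(), ex);
}
```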


@ -142,17 +142,14 @@ public final class RAImageIngestModule extends IngestModuleDataSource {
logger.log(Level.INFO, "init() {0}", this.toString()); logger.log(Level.INFO, "init() {0}", this.toString());
services = IngestServices.getDefault(); services = IngestServices.getDefault();
final Extract registry = new ExtractRegistry(); modules.add(new Chrome());
final Extract iexplore = new ExtractIE(); modules.add(new Firefox());
final Extract chrome = new Chrome(); modules.add(new ExtractIE());
final Extract firefox = new Firefox(); // this needs to run after the web browser modules
final Extract SEUQA = new SearchEngineURLQueryAnalyzer(); modules.add(new SearchEngineURLQueryAnalyzer());
modules.add(chrome); // this runs last because it is slowest
modules.add(firefox); modules.add(new ExtractRegistry());
modules.add(registry);
modules.add(iexplore);
modules.add(SEUQA);
for (Extract module : modules) { for (Extract module : modules) {
try { try {