reorganized logic inside of IE parser and order of modules in RecentActivity.

This commit is contained in:
Brian Carrier 2013-10-25 20:53:08 -04:00
parent 2e8e5b1405
commit 170f40b77d
2 changed files with 183 additions and 204 deletions


@ -73,9 +73,6 @@ public class ExtractIE extends Extract {
private String PASCO_LIB_PATH;
private String JAVA_PATH;
// List of Pasco result files for this data source
private List<String> pascoResults;
boolean pascoFound = false;
final public static String MODULE_VERSION = "1.0";
private static final SimpleDateFormat dateFormatter = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'");
@ -96,27 +93,34 @@ public class ExtractIE extends Extract {
@Override
public void process(PipelineContext<IngestModuleDataSource>pipelineContext, Content dataSource, IngestDataSourceWorkerController controller) {
this.extractAndRunPasco(dataSource, controller);
this.getBookmark(dataSource, controller);
this.getCookie(dataSource, controller);
this.getRecentDocuments(dataSource, controller);
this.getHistory(pascoResults);
this.getHistory(dataSource, controller);
}
//Favorites section
// This gets the favorite info
/**
* Finds the files storing bookmarks and creates artifacts
* @param dataSource
* @param controller
*/
private void getBookmark(Content dataSource, IngestDataSourceWorkerController controller) {
org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
List<AbstractFile> favoritesFiles = null;
try {
favoritesFiles = fileManager.findFiles(dataSource, "%.url", "Favorites");
} catch (TskCoreException ex) {
logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history.", ex);
logger.log(Level.WARNING, "Error fetching 'url' files for Internet Explorer bookmarks.", ex);
this.addErrorMessage(this.getName() + ": Error getting Internet Explorer Bookmarks.");
return;
}
for (AbstractFile favoritesFile : favoritesFiles) {
if (favoritesFile.getSize() == 0) {
continue;
}
// @@@ WHY DON"T WE PARSE THIS FILE more intelligently. It's text-based
if (controller.isCancelled()) {
break;
}
@ -145,8 +149,6 @@ public class ExtractIE extends Extract {
String domain = Util.extractDomain(url);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
//TODO revisit usage of deprecated constructor as per TSK-583
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", datetime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "RecentActivity", datetime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", url));
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", EscapeUtil.decodeURL(url)));
@ -154,21 +156,22 @@ public class ExtractIE extends Extract {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "Internet Explorer"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", domain));
this.addArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, favoritesFile, bbattributes);
}
services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK));
}
}
//Cookies section
// This gets the cookies info
/**
* Finds files that store cookies and adds artifacts for them.
* @param dataSource
* @param controller
*/
private void getCookie(Content dataSource, IngestDataSourceWorkerController controller) {
org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
List<AbstractFile> cookiesFiles = null;
try {
cookiesFiles = fileManager.findFiles(dataSource, "%.txt", "Cookies");
} catch (TskCoreException ex) {
logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history.");
logger.log(Level.WARNING, "Error finding cookie files for IE");
this.addErrorMessage(this.getName() + ": " + "Error getting Internet Explorer cookie files.");
return;
}
@ -177,10 +180,13 @@ public class ExtractIE extends Extract {
if (controller.isCancelled()) {
break;
}
Content fav = cookiesFile;
byte[] t = new byte[(int) fav.getSize()];
if (cookiesFile.getSize() == 0) {
continue;
}
byte[] t = new byte[(int) cookiesFile.getSize()];
try {
final int bytesRead = fav.read(t, 0, fav.getSize());
final int bytesRead = cookiesFile.read(t, 0, cookiesFile.getSize());
} catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Error reading bytes of Internet Explorer cookie.", ex);
this.addErrorMessage(this.getName() + ": Error reading Internet Explorer cookie " + cookiesFile.getName());
@ -197,25 +203,23 @@ public class ExtractIE extends Extract {
String domain = Util.extractDomain(url);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", url));
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", EscapeUtil.decodeURL(url)));
//TODO Revisit usage of deprecated Constructor as of TSK-583
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Last Visited", datetime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", (name != null) ? name : ""));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", datetime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", value));
//TODO Revisit usage of deprecated Constructor as of TSK-583
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "Title", (name != null) ? name : ""));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", (name != null) ? name : ""));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "Internet Explorer"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", url));
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", EscapeUtil.decodeURL(url)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", domain));
this.addArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes);
}
services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE));
}
//Recent Documents section
// This gets the recent object info
/**
* Find the documents that Windows stores about recent documents and make artifacts.
* @param dataSource
* @param controller
*/
private void getRecentDocuments(Content dataSource, IngestDataSourceWorkerController controller) {
org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
@ -232,12 +236,12 @@ public class ExtractIE extends Extract {
if (controller.isCancelled()) {
break;
}
Content fav = recentFile;
if (fav.getSize() == 0) {
if (recentFile.getSize() == 0) {
continue;
}
JLNK lnk = null;
JLnkParser lnkParser = new JLnkParser(new ReadContentInputStream(fav), (int) fav.getSize());
JLnkParser lnkParser = new JLnkParser(new ReadContentInputStream(recentFile), (int) recentFile.getSize());
try {
lnk = lnkParser.parse();
} catch (JLnkParserException e) {
@ -258,28 +262,26 @@ public class ExtractIE extends Extract {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", Util.getFileName(path)));
long id = Util.findID(dataSource, path);
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "RecentActivity", id));
//TODO Revisit usage of deprecated constructor as per TSK-583
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Date Created", datetime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", datetime));
this.addArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT, recentFile, bbattributes);
}
services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT));
}
private void extractAndRunPasco(Content dataSource, IngestDataSourceWorkerController controller) {
pascoResults = new ArrayList<String>();
/**
* Locates index.dat files, runs Pasco on them, and creates artifacts.
* @param dataSource
* @param controller
*/
private void getHistory(Content dataSource, IngestDataSourceWorkerController controller) {
logger.log(Level.INFO, "Pasco results path: " + moduleTempResultsDir);
boolean foundHistory = false;
final File pascoRoot = InstalledFileLocator.getDefault().locate("pasco2", ExtractIE.class.getPackage().getName(), false);
if (pascoRoot == null) {
logger.log(Level.SEVERE, "Pasco2 not found");
pascoFound = false;
this.addErrorMessage(this.getName() + ": Unable to get IE History: pasco not found");
logger.log(Level.SEVERE, "Error finding pasco program ");
return;
} else {
pascoFound = true;
}
final String pascoHome = pascoRoot.getAbsolutePath();
@ -291,7 +293,6 @@ public class ExtractIE extends Extract {
File resultsDir = new File(moduleTempResultsDir);
resultsDir.mkdirs();
// get index.dat files
org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
List<AbstractFile> indexFiles = null;
@ -316,7 +317,6 @@ public class ExtractIE extends Extract {
temps = RAImageIngestModule.getRATempPath(currentCase, "IE") + File.separator + indexFileName;
File datFile = new File(temps);
if (controller.isCancelled()) {
datFile.delete();
break;
}
try {
@ -333,7 +333,9 @@ public class ExtractIE extends Extract {
//At this point pasco2 proccessed the index files.
//Now fetch the results, parse them and the delete the files.
if (bPascProcSuccess) {
pascoResults.add(filename);
parsePascoOutput(indexFile, filename);
foundHistory = true;
//Delete index<n>.dat file since it was succcessfully by Pasco
datFile.delete();
} else {
@ -341,22 +343,26 @@ public class ExtractIE extends Extract {
this.addErrorMessage(this.getName() + ": Error processing Internet Explorer history.");
}
}
if (foundHistory) {
services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY));
}
}
//Simple wrapper to JavaSystemCaller.Exec() to execute pasco2 jar
// TODO: Hardcoded command args/path needs to be removed. Maybe set some constants and set env variables for classpath
// I'm not happy with this code. Can't stand making a system call, is not an acceptable solution but is a hack for now.
private boolean executePasco(String indexFilePath, String filename) {
if (pascoFound == false) {
return false;
}
/**
* Execute pasco on a single file that has been saved to disk.
* @param indexFilePath Path to local index.dat file to analyze
* @param outputFileName Name of file to save output to
* @return false on error
*/
private boolean executePasco(String indexFilePath, String outputFileName) {
boolean success = true;
Writer writer = null;
try {
final String pascoOutFile = moduleTempResultsDir + File.separator + filename;
logger.log(Level.INFO, "Writing pasco results to: " + pascoOutFile);
writer = new FileWriter(pascoOutFile);
final String outputFileFullPath = moduleTempResultsDir + File.separator + outputFileName;
logger.log(Level.INFO, "Writing pasco results to: " + outputFileFullPath);
writer = new FileWriter(outputFileFullPath);
execPasco = new ExecUtil();
execPasco.execute(writer, JAVA_PATH,
"-cp", PASCO_LIB_PATH,
@ -379,40 +385,38 @@ public class ExtractIE extends Extract {
}
}
}
return success;
}
private void getHistory(List<String> filenames) {
// Make sure pasco and the results exist
File rFile = new File(moduleTempResultsDir);
if (pascoFound == false || ! rFile.exists()) {
return;
}
/**
* parse Pasco output and create artifacts
* @param origFile Original index.dat file that was analyzed to get this output
* @param pascoOutputFileName name of pasco output file
*/
private void parsePascoOutput(AbstractFile origFile, String pascoOutputFileName) {
//Give me a list of pasco results in that directory
File[] pascoFiles = rFile.listFiles();
for (File file : pascoFiles) {
String fileName = file.getName();
if (!filenames.contains(fileName)) {
logger.log(Level.INFO, "Found a temp Pasco result file not in the list: {0}", fileName);
continue;
String fnAbs = moduleTempResultsDir + File.separator + pascoOutputFileName;
File file = new File(fnAbs);
if (file.exists() == false) {
this.addErrorMessage(this.getName() + ": Pasco output not found: " + file.getName());
logger.log(Level.WARNING, "Pasco Output not found: " + file.getPath());
return;
}
// Make sure the file the is not empty or the Scanner will
// throw a "No Line found" Exception
if (file.length() == 0) {
continue;
return;
}
long artObjId = Long.parseLong(fileName.substring(fileName.indexOf(".") + 1, fileName.lastIndexOf(".")));
Scanner fileScanner;
try {
fileScanner = new Scanner(new FileInputStream(file.toString()));
} catch (FileNotFoundException ex) {
this.addErrorMessage(this.getName() + ": Error parsing IE history entry " + file.getName());
logger.log(Level.WARNING, "Unable to find the Pasco file at " + file.getPath(), ex);
continue;
return;
}
while (fileScanner.hasNext()) {
@ -475,17 +479,14 @@ public class ExtractIE extends Extract {
}
try {
BlackboardArtifact bbart = tskCase.getContentById(artObjId).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
BlackboardArtifact bbart = origFile.newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", realurl));
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", EscapeUtil.decodeURL(realurl)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "RecentActivity", ftime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(), "RecentActivity", ""));
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", ddtime));
// @@@ NOte that other browser modules are adding NAME in hre for the title
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "Internet Explorer"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", domain));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME.getTypeID(), "RecentActivity", user));
@ -496,8 +497,6 @@ public class ExtractIE extends Extract {
}
fileScanner.close();
}
services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY));
}
@Override
public void init(IngestModuleInit initContext) {
@ -506,23 +505,6 @@ public class ExtractIE extends Extract {
@Override
public void complete() {
// Delete all the results when complete
/*for (String file : pascoResults) {
String filePath = moduleTempResultsDir + File.separator + file;
try {
File f = new File(filePath);
if (f.exists() && f.canWrite()) {
f.delete();
} else {
logger.log(Level.WARNING, "Unable to delete file " + filePath);
}
} catch (SecurityException ex) {
logger.log(Level.WARNING, "Incorrect permission to delete file " + filePath, ex);
}
}
*/
pascoResults.clear();
logger.info("Internet Explorer extract has completed.");
}
@Override
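Review bot: In the getCookie hunk the new empty-file guard still lets `byte[] t = new byte[(int) cookiesFile.getSize()]` narrow a long size to int, so a cookies file from the image larger than Integer.MAX_VALUE produces a negative or wrapped length and a NegativeArraySizeException (or an undersized buffer) that aborts the whole module rather than skipping that one file; the same narrowing appears in getRecentDocuments at `new JLnkParser(new ReadContentInputStream(recentFile), (int) recentFile.getSize())`. The value assigned to `bytesRead` from `cookiesFile.read(t, 0, cookiesFile.getSize())` is never compared with the requested size, so a short read leaves trailing zero bytes that the parser further down (outside the hunk) presumably treats as cookie content. I would widen the guard to `if (cookiesFile.getSize() == 0 || cookiesFile.getSize() > Integer.MAX_VALUE) { continue; }` and log and skip the file when `bytesRead != cookiesFile.getSize()`. The enclosing for loop over cookiesFiles starts and ends outside the hunk.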


@ -142,17 +142,14 @@ public final class RAImageIngestModule extends IngestModuleDataSource {
logger.log(Level.INFO, "init() {0}", this.toString());
services = IngestServices.getDefault();
final Extract registry = new ExtractRegistry();
final Extract iexplore = new ExtractIE();
final Extract chrome = new Chrome();
final Extract firefox = new Firefox();
final Extract SEUQA = new SearchEngineURLQueryAnalyzer();
modules.add(new Chrome());
modules.add(new Firefox());
modules.add(new ExtractIE());
// this needs to run after the web browser modules
modules.add(new SearchEngineURLQueryAnalyzer());
modules.add(chrome);
modules.add(firefox);
modules.add(registry);
modules.add(iexplore);
modules.add(SEUQA);
// this runs last because it is slowest
modules.add(new ExtractRegistry());
for (Extract module : modules) {
try {