From 24e310374dcf137f14bb28db14801a527e01df5b Mon Sep 17 00:00:00 2001
From: Raman
Date: Tue, 5 Mar 2019 15:25:38 -0500
Subject: [PATCH] 1205: create TSK_DOWNLOAD_SOURCE artifact for downloaded files.
---
 .../contentviewer/Bundle.properties-MERGED | 2 +
 .../contentviewers/Bundle.properties-MERGED | 5 ++-
 .../autopsy/report/Bundle.properties-MERGED | 7 ++-
 .../keywordsearch/Bundle.properties-MERGED | 2 +-
 .../recentactivity/Bundle.properties-MERGED | 12 ++++-
 .../autopsy/recentactivity/Chrome.java | 20 ++++++++-
 .../autopsy/recentactivity/ExtractSafari.java | 27 +++++++++---
 .../autopsy/recentactivity/Firefox.java | 44 ++++++++++++++++---
 8 files changed, 99 insertions(+), 20 deletions(-)
diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/contentviewer/Bundle.properties-MERGED b/Core/src/org/sleuthkit/autopsy/centralrepository/contentviewer/Bundle.properties-MERGED
index 68904ecb93..3734fc5a3e 100755
--- a/Core/src/org/sleuthkit/autopsy/centralrepository/contentviewer/Bundle.properties-MERGED
+++ b/Core/src/org/sleuthkit/autopsy/centralrepository/contentviewer/Bundle.properties-MERGED
@@ -10,6 +10,7 @@ DataContentViewerOtherCases.correlatedArtifacts.failed=Failed to get frequency d
 DataContentViewerOtherCases.correlatedArtifacts.isEmpty=There are no files or artifacts to correlate.
 DataContentViewerOtherCases.correlatedArtifacts.title=Attribute Frequency
 DataContentViewerOtherCases.earliestCaseNotAvailable=\ Not Enabled.
+DataContentViewerOtherCases.foundIn.text=Found %d instances in %d cases and %d data sources.
 DataContentViewerOtherCases.noOpenCase.errMsg=No open case available.
 DataContentViewerOtherCases.selectAllMenuItem.text=Select All
 DataContentViewerOtherCases.showCaseDetailsMenuItem.text=Show Case Details
@@ -22,6 +23,7 @@ DataContentViewerOtherCases.showCommonalityMenuItem.text=Show Frequency
 DataContentViewerOtherCases.earliestCaseDate.text=Earliest Case Date
 DataContentViewerOtherCases.earliestCaseLabel.toolTipText=
 DataContentViewerOtherCases.earliestCaseLabel.text=Central Repository Starting Date:
+DataContentViewerOtherCases.foundInLabel.text=
 DataContentViewerOtherCases.title=Other Occurrences
 DataContentViewerOtherCases.toolTip=Displays instances of the selected file/artifact from other occurrences.
 DataContentViewerOtherCasesTableModel.attribute=Matched Attribute
diff --git a/Core/src/org/sleuthkit/autopsy/contentviewers/Bundle.properties-MERGED b/Core/src/org/sleuthkit/autopsy/contentviewers/Bundle.properties-MERGED
index 6c3d0b1d5c..5cd40a900d 100755
--- a/Core/src/org/sleuthkit/autopsy/contentviewers/Bundle.properties-MERGED
+++ b/Core/src/org/sleuthkit/autopsy/contentviewers/Bundle.properties-MERGED
@@ -32,6 +32,8 @@ GstVideoPanel.progress.buffering=Buffering...
 GstVideoPanel.progressLabel.bufferingErr=Error buffering file
 GstVideoPanel.progress.infoLabel.updateErr=Error updating video progress: {0}
 GstVideoPanel.ExtractMedia.progress.buffering=Buffering {0}
+HtmlPanel_showImagesToggleButton_hide=Hide Images
+HtmlPanel_showImagesToggleButton_show=Show Images
 MediaFileViewer.AccessibleContext.accessibleDescription=
 MediaFileViewer.title=Media
 MediaFileViewer.toolTip=Displays supported multimedia files (images, videos, audio)
@@ -44,8 +46,6 @@ MediaViewVideoPanel.infoLabel.text=info
 MediaViewImagePanel.imgFileTooLarge.msg=Could not load image file (too large): {0}
 MessageContentViewer.AtrachmentsPanel.title=Attachments
-MessageContentViewer.showImagesToggleButton.hide.text=Hide Images
-MessageContentViewer.showImagesToggleButton.text=Show Images
 MessageContentViewer.title=Message
 MessageContentViewer.toolTip=Displays messages.
 Metadata.nodeText.none=None
@@ -140,6 +140,7 @@ MediaViewImagePanel.zoomResetButton.text=Reset
 MediaViewImagePanel.zoomTextField.text=
 MediaViewImagePanel.rotationTextField.text=
 MediaViewImagePanel.rotateLeftButton.toolTipText=
+HtmlPanel.showImagesToggleButton.text=Show Images
 # {0} - tableName
 SQLiteViewer.readTable.errorText=Error getting rows for table: {0}
 # {0} - tableName
diff --git a/Core/src/org/sleuthkit/autopsy/report/Bundle.properties-MERGED b/Core/src/org/sleuthkit/autopsy/report/Bundle.properties-MERGED
index 6a7d5876d0..68a553dd27 100755
--- a/Core/src/org/sleuthkit/autopsy/report/Bundle.properties-MERGED
+++ b/Core/src/org/sleuthkit/autopsy/report/Bundle.properties-MERGED
@@ -1,5 +1,5 @@
 # {0} - File name
-CreatePortableCaseModule.addFilesToPortableCase.copyingFile=Copying file {0}
+CreatePortableCaseModule.copyContentToPortableCase.copyingFile=Copying file {0}
 # {0} - case folder
 CreatePortableCaseModule.createCase.caseDirExists=Case folder {0} already exists
 CreatePortableCaseModule.createCase.errorCreatingCase=Error creating case
@@ -7,11 +7,16 @@ CreatePortableCaseModule.createCase.errorCreatingCase=Error creating case
 CreatePortableCaseModule.createCase.errorCreatingFolder=Error creating folder {0}
 CreatePortableCaseModule.generateReport.caseClosed=Current case has been closed
 # {0} - tag name
+CreatePortableCaseModule.generateReport.copyingArtifacts=Copying artifacts tagged as {0}...
+# {0} - tag name
 CreatePortableCaseModule.generateReport.copyingFiles=Copying files tagged as {0}...
 CreatePortableCaseModule.generateReport.copyingTags=Copying tags...
 CreatePortableCaseModule.generateReport.creatingCase=Creating portable case database...
+CreatePortableCaseModule.generateReport.errorCopyingArtifacts=Error copying tagged artifacts
 CreatePortableCaseModule.generateReport.errorCopyingFiles=Error copying tagged files
 CreatePortableCaseModule.generateReport.errorCopyingTags=Error copying tags
+# {0} - attribute type name
+CreatePortableCaseModule.generateReport.errorLookingUpAttrType=Error looking up attribute type {0}
 CreatePortableCaseModule.generateReport.noTagsSelected=No tags selected for export.
 # {0} - output folder
 CreatePortableCaseModule.generateReport.outputDirDoesNotExist=Output folder {0} does not exist
diff --git a/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/Bundle.properties-MERGED b/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/Bundle.properties-MERGED
index 61c0d2d2c7..f4febc1d7c 100755
--- a/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/Bundle.properties-MERGED
+++ b/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/Bundle.properties-MERGED
@@ -34,7 +34,7 @@ KeywordSearchIngestModule.startupMessage.failedToGetIndexSchema=Failed to get sc
 KeywordSearchResultFactory.createNodeForKey.noResultsFound.text=No results found.
 KeywordSearchResultFactory.query.exception.msg=Could not perform the query
 OpenIDE-Module-Display-Category=Ingest Module
-OpenIDE-Module-Long-Description=Keyword Search ingest module.\n\nThe module indexes files found in the disk image at ingest time.\nIt then periodically runs the search on the indexed files using one or more keyword lists (containing pure words and/or regular expressions) and posts results.\n\nThe module also contains additional tools integrated in the main GUI, such as keyword list configuration, keyword seach bar in the top-right corner, extracted text viewer and search results viewer showing highlighted keywords found.
+OpenIDE-Module-Long-Description=Keyword Search ingest module.\n\n\The module indexes files found in the disk image at ingest time.\n\It then periodically runs the search on the indexed files using one or more keyword lists (containing pure words and/or regular expressions) and posts results.\n\n\The module also contains additional tools integrated in the main GUI, such as keyword list configuration, keyword seach bar in the top-right corner, extracted text viewer and search results viewer showing highlighted keywords found.
 OpenIDE-Module-Name=KeywordSearch
 OptionsCategory_Name_KeywordSearchOptions=Keyword Search
 OptionsCategory_Keywords_KeywordSearchOptions=Keyword Search
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED
index 1e5595024a..54a9b4084d 100755
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED
@@ -2,11 +2,16 @@ cannotBuildXmlParser=Unable to build XML parser:
 cannotLoadSEUQA=Unable to load Search Engine URL Query Analyzer settings file, SEUQAMappings.xml:
 cannotParseXml=Unable to parse XML file:
 ChromeCacheExtractor.moduleName=ChromeCacheExtractor
-# {0} - OS name
 DataSourceUsageAnalyzer.customVolume.label=OS Drive ({0})
 DataSourceUsageAnalyzer.parentModuleName=Recent Activity
 Extract.indexError.message=Failed to index artifact for keyword search.
 Extract.noOpenCase.errMsg=No open case available.
+ExtractEdge_getHistory_containerFileNotFound=Error while trying to analyze Edge history
+ExtractEdge_Module_Name=Microsoft Edge
+ExtractEdge_process_errMsg_errGettingWebCacheFiles=Error trying to retrieving Edge WebCacheV01 file
+ExtractEdge_process_errMsg_spartanFail=Failure processing Microsoft Edge spartan.edb file
+ExtractEdge_process_errMsg_unableFindESEViewer=Unable to find ESEDatabaseViewer
+ExtractEdge_process_errMsg_webcacheFail=Failure processing Microsoft Edge WebCacheV01.dat file
 ExtractOs.androidOs.label=Android
 ExtractOs.androidVolume.label=OS Drive (Android)
 ExtractOs.debianLinuxOs.label=Linux (Debian)
@@ -37,6 +42,10 @@ ExtractOs.unitedLinuxVolume.label=OS Drive (Linux United Linux)
 ExtractOs.windowsVolume.label=OS Drive (Windows)
 ExtractOs.yellowDogLinuxOs.label=Linux (Yellow Dog)
 ExtractOs.yellowDogLinuxVolume.label=OS Drive (Linux Yellow Dog)
+ExtractSafari_Error_Getting_History=An error occurred while processing Safari history files.
+ExtractSafari_Error_Parsing_Bookmark=An error occured while processing Safari Bookmark files
+ExtractSafari_Error_Parsing_Cookies=An error occured while processing Safari Cookies files
+ExtractSafari_Module_Name=Safari
 OpenIDE-Module-Display-Category=Ingest Module
 OpenIDE-Module-Long-Description=Recent Activity ingest module.\n\nThe module extracts useful information about the recent user activity on the disk image being ingested, such as:\n\n- Recently open documents,\n- Web acitivity (sites visited, stored cookies, bookmarked sites, search engine queries, file downloads),\n- Recently attached devices,\n- Installed programs.\n\nThe module currently supports Windows only disk images.\nThe plugin is also fully functional when deployed on Windows version of Autopsy.
 OpenIDE-Module-Name=RecentActivity
@@ -131,7 +140,6 @@ RecentDocumentsByLnk.parentModuleName.noSpace=RecentActivity
 RecentDocumentsByLnk.parentModuleName=Recent Activity
 RegRipperFullNotFound=Full version RegRipper executable not found.
 RegRipperNotFound=Autopsy RegRipper executable not found.
-# {0} - file name
 SearchEngineURLQueryAnalyzer.init.exception.msg=Unable to find {0}.
 SearchEngineURLQueryAnalyzer.moduleName.text=Search Engine
 SearchEngineURLQueryAnalyzer.engineName.none=NONE
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java
index d97b53426a..d60d7612bf 100644
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java
@@ -37,6 +37,7 @@ import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.FileReader;
 import java.io.IOException;
+import org.apache.commons.io.FilenameUtils;
 import org.sleuthkit.autopsy.casemodule.Case;
 import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
 import org.sleuthkit.autopsy.casemodule.services.FileManager;
@@ -493,9 +494,10 @@ class Chrome extends Extract {
 logger.log(Level.INFO, "{0}- Now getting downloads from {1} with {2}artifacts identified.", new Object[]{moduleName, temps, tempList.size()}); //NON-NLS
 for (HashMap result : tempList) {
 Collection bbattributes = new ArrayList<>();
+String fullPath = result.get("full_path").toString(); //NON-NLS
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH,
-RecentActivityExtracterModuleFactory.getModuleName(), (result.get("full_path").toString()))); //NON-NLS
-long pathID = Util.findID(dataSource, (result.get("full_path").toString())); //NON-NLS
+RecentActivityExtracterModuleFactory.getModuleName(), fullPath));
+long pathID = Util.findID(dataSource, fullPath);
 if (pathID != -1) {
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID,
 NbBundle.getMessage(this.getClass(),
@@ -522,6 +524,20 @@ class Chrome extends Extract {
 if (bbart != null) {
 bbartifacts.add(bbart);
 }
+
+// find the downloaded file and create a TSK_DOWNLOAD_SOURCE for it..
+try {
+for (AbstractFile downloadedFile : fileManager.findFiles(dataSource, FilenameUtils.getName(fullPath), FilenameUtils.getPath(fullPath))) {
+BlackboardArtifact downloadSourceArt = downloadedFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_DOWNLOAD_SOURCE);
+downloadSourceArt.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
+NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
+((result.get("url").toString() != null) ? result.get("url").toString() : ""))); //NON-NLS
+bbartifacts.add(downloadSourceArt);
+break;
+}
+} catch (TskCoreException ex) {
+logger.log(Level.SEVERE, String.format("Error creating download source artifact for file '%s'", fullPath), ex); //NON-NLS
+}
 }
 dbFile.delete();
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractSafari.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractSafari.java
index afb52654b2..1490b3b61f 100755
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractSafari.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractSafari.java
@@ -36,6 +36,7 @@ import java.util.Iterator;
 import java.util.List;
 import java.util.logging.Level;
 import javax.xml.parsers.ParserConfigurationException;
+import org.apache.commons.io.FilenameUtils;
 import org.openide.util.NbBundle.Messages;
 import org.sleuthkit.autopsy.casemodule.services.FileManager;
 import org.sleuthkit.autopsy.coreutils.Logger;
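Review bot: The null guard on the TSK_URL value in the new TSK_DOWNLOAD_SOURCE block cannot work: `result.get("url").toString()` is evaluated before the `!= null` comparison, so a download row with no url throws NullPointerException (not covered by the `catch (TskCoreException ex)`) instead of falling back to `""`. Check the map value itself, e.g. `Object urlVal = result.get("url"); String url = (urlVal != null) ? urlVal.toString() : "";` and pass `url` to the attribute. The lookup also tags only the first file `findFiles` returns for the name/parent-path pair, and `FilenameUtils.getPath` strips any drive or root prefix, so if several files share that name under the same folder the download-source attribution lands on whichever comes back first; a comment such as `// match is by file name and parent path only; first hit wins` would help an examiner weigh the artifact. The enclosing download loop continues outside the hunk.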
@@ -47,6 +48,7 @@ import org.sleuthkit.autopsy.ingest.ModuleDataEvent;
 import org.sleuthkit.autopsy.recentactivity.BinaryCookieReader.Cookie;
 import org.sleuthkit.datamodel.AbstractFile;
 import org.sleuthkit.datamodel.BlackboardArtifact;
+import org.sleuthkit.datamodel.BlackboardAttribute;
 import org.sleuthkit.datamodel.Content;
 import org.sleuthkit.datamodel.TskCoreException;
 import org.xml.sax.SAXException;
@@ -494,7 +496,7 @@ final class ExtractSafari extends Extract {
 for(NSObject obj: objectArray){
 if(obj instanceof NSDictionary){
-bbartifacts.add(parseDownloadDictionary(dataSource, origFile, (NSDictionary)obj));
+bbartifacts.addAll(parseDownloadDictionary(dataSource, origFile, (NSDictionary)obj));
 }
 }
 break;
@@ -603,12 +605,15 @@ final class ExtractSafari extends Extract {
 * @return a Blackboard Artifact for the download.
 * @throws TskCoreException
 */
-private BlackboardArtifact parseDownloadDictionary(Content dataSource, AbstractFile origFile, NSDictionary entry) throws TskCoreException {
+private Collection parseDownloadDictionary(Content dataSource, AbstractFile origFile, NSDictionary entry) throws TskCoreException {
+Collection bbartifacts = new ArrayList<>();
 String url = null;
 String path = null;
 Long time = null;
 Long pathID = null;
-
+
+FileManager fileManager = getCurrentCase().getServices().getFileManager();
+
 NSString nsstring = (NSString) entry.get(PLIST_KEY_DOWNLOAD_URL);
 if (nsstring != null) {
 url = nsstring.toString();
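Review bot: The Javadoc directly above the changed signature still reads `@return a Blackboard Artifact for the download.` although the method now returns a collection; change it to `@return the TSK_WEB_DOWNLOAD artifact for this entry, plus a TSK_DOWNLOAD_SOURCE artifact for the downloaded file when it is found in the data source`. If the missing angle brackets are not just an artifact of the rendering, the new return type and the local `Collection bbartifacts = new ArrayList<>();` are raw types, which compile with unchecked warnings and lose the element type at the `addAll` call site; declare both as `Collection<BlackboardArtifact>`. parseDownloadDictionary's body continues in the next hunk.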
@@ -627,7 +632,19 @@ final class ExtractSafari extends Extract {
 BlackboardArtifact bbart = origFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD);
 bbart.addAttributes(this.createDownloadAttributes(path, pathID, url, time, NetworkUtils.extractDomain(url), getName()));
-
-return bbart;
+bbartifacts.add(bbart);
+
+// find the downloaded file and create a TSK_DOWNLOAD_SOURCE for it.
+for (AbstractFile downloadedFile : fileManager.findFiles(dataSource, FilenameUtils.getName(path), FilenameUtils.getPath(path))) {
+BlackboardArtifact downloadSourceArt = downloadedFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_DOWNLOAD_SOURCE);
+if (url != null) {
+downloadSourceArt.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_URL,
+RecentActivityExtracterModuleFactory.getModuleName(), url));
+}
+bbartifacts.add(downloadSourceArt);
+break;
+}
+
+return bbartifacts;
 }
 }
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java
index 043e0bf0ff..4a2c828e59 100644
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java
@@ -42,6 +42,7 @@ import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 import java.util.logging.Level;
+import org.apache.commons.io.FilenameUtils;
 import org.openide.util.NbBundle;
 import org.sleuthkit.autopsy.casemodule.Case;
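Review bot: `path` is initialised to null in the previous hunk and only set when the plist carries the path key, yet the new lookup passes it straight into `FilenameUtils.getName(path)` / `FilenameUtils.getPath(path)` and then `fileManager.findFiles(...)`; both FilenameUtils calls return null for a null argument, so a download entry without a path issues a query with null name and parent-path arguments, which at best matches nothing and may throw. Guard the lookup: `if (path != null) { for (AbstractFile downloadedFile : fileManager.findFiles(...)) { ... } }`. Unlike the Chrome and Firefox copies in this commit there is no local catch here, so a TskCoreException from `findFiles` propagates out of parseDownloadDictionary and, as far as the hunk shows, aborts the whole Downloads.plist pass rather than just this entry; whether that is intended depends on the caller outside the hunk. The start of parseDownloadDictionary is in the previous hunk.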
@@ -476,14 +477,14 @@ class Firefox extends Extract {
 (Long.valueOf(result.get("startTime").toString())))); //NON-NLS
 String target = result.get("target").toString(); //NON-NLS
-
+String downloadedFilePath = "";
 if (target != null) {
 try {
-String decodedTarget = URLDecoder.decode(target.replaceAll("file:///", ""), "UTF-8"); //NON-NLS
+downloadedFilePath = URLDecoder.decode(target.replaceAll("file:///", ""), "UTF-8"); //NON-NLS
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH,
 RecentActivityExtracterModuleFactory.getModuleName(),
-decodedTarget));
-long pathID = Util.findID(dataSource, decodedTarget);
+downloadedFilePath));
+long pathID = Util.findID(dataSource, downloadedFilePath);
 if (pathID != -1) {
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID,
 RecentActivityExtracterModuleFactory.getModuleName(),
@@ -509,6 +510,20 @@ class Firefox extends Extract {
 if (bbart != null) {
 bbartifacts.add(bbart);
 }
+
+// find the downloaded file and create a TSK_DOWNLOAD_SOURCE for it.
+try {
+for (AbstractFile downloadedFile : fileManager.findFiles(dataSource, FilenameUtils.getName(downloadedFilePath), FilenameUtils.getPath(downloadedFilePath))) {
+BlackboardArtifact downloadSourceArt = downloadedFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_DOWNLOAD_SOURCE);
+downloadSourceArt.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
+NbBundle.getMessage(this.getClass(), "Firefox.parentModuleName"), source)); //NON-NLS
+bbartifacts.add(downloadSourceArt);
+break;
+}
+} catch (TskCoreException ex) {
+logger.log(Level.SEVERE, String.format("Error creating download source artifact for file '%s'",
+downloadedFilePath), ex); //NON-NLS
+}
 }
 if (errors > 0) {
 this.addErrorMessage(
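Review bot: `downloadedFilePath` stays `""` when `target` is null or the decode in the preceding hunk fails, and the new TSK_DOWNLOAD_SOURCE block then calls `fileManager.findFiles(dataSource, FilenameUtils.getName(""), FilenameUtils.getPath(""))` with two empty strings; wrap the lookup in `if (!downloadedFilePath.isEmpty()) { ... }` so no query is issued for a record without a usable path. The same block is repeated almost verbatim in the second Firefox hunk (`@@ -629,6 +645,20 @@`) and in Chrome.java, differing only in the variable holding the URL, so a shared helper in Extract (for example `addDownloadSourceArtifact(dataSource, fileManager, localPath, url)`) would keep the three copies from drifting. The URL attribute is taken from `source` here but from `url` in the second Firefox hunk; both are declared outside the hunks, so confirm they carry the same value. The enclosing loop starts and ends outside the hunk.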
@@ -596,13 +611,14 @@ class Firefox extends Extract {
 //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", (Long.valueOf(result.get("startTime").toString()))));
 String target = result.get("target").toString(); //NON-NLS
+String downloadedFilePath = "";
 if (target != null) {
 try {
-String decodedTarget = URLDecoder.decode(target.replaceAll("file:///", ""), "UTF-8"); //NON-NLS
+downloadedFilePath = URLDecoder.decode(target.replaceAll("file:///", ""), "UTF-8"); //NON-NLS
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH,
 RecentActivityExtracterModuleFactory.getModuleName(),
-decodedTarget));
-long pathID = Util.findID(dataSource, decodedTarget);
+downloadedFilePath));
+long pathID = Util.findID(dataSource, downloadedFilePath);
 if (pathID != -1) {
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID,
 RecentActivityExtracterModuleFactory.getModuleName(),
@@ -629,6 +645,20 @@ class Firefox extends Extract {
 if (bbart != null) {
 bbartifacts.add(bbart);
 }
+
+// find the downloaded file and create a TSK_DOWNLOAD_SOURCE for it.
+try {
+for (AbstractFile downloadedFile : fileManager.findFiles(dataSource, FilenameUtils.getName(downloadedFilePath), FilenameUtils.getPath(downloadedFilePath))) {
+BlackboardArtifact downloadSourceArt = downloadedFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_DOWNLOAD_SOURCE);
+downloadSourceArt.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
+NbBundle.getMessage(this.getClass(), "Firefox.parentModuleName"), url)); //NON-NLS
+bbartifacts.add(downloadSourceArt);
+break;
+}
+} catch (TskCoreException ex) {
+logger.log(Level.SEVERE, String.format("Error creating download source artifact for file '%s'",
+downloadedFilePath), ex); //NON-NLS
+}
 }
 if (errors > 0) {
 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Firefox.getDlV24.errMsg.errParsingArtifacts",