1205: create TSK_DOWNLOAD_SOURCE artifact for downloaded files.

Core/src/org/sleuthkit/autopsy/centralrepository/contentviewer/Bundle.properties-MERGED

@@ -10,6 +10,7 @@ DataContentViewerOtherCases.correlatedArtifacts.failed=Failed to get frequency d
 DataContentViewerOtherCases.correlatedArtifacts.isEmpty=There are no files or artifacts to correlate.
 DataContentViewerOtherCases.correlatedArtifacts.title=Attribute Frequency
 DataContentViewerOtherCases.earliestCaseNotAvailable=\ Not Enabled.
+DataContentViewerOtherCases.foundIn.text=Found %d instances in %d cases and %d data sources.
 DataContentViewerOtherCases.noOpenCase.errMsg=No open case available.
 DataContentViewerOtherCases.selectAllMenuItem.text=Select All
 DataContentViewerOtherCases.showCaseDetailsMenuItem.text=Show Case Details
@@ -22,6 +23,7 @@ DataContentViewerOtherCases.showCommonalityMenuItem.text=Show Frequency
 DataContentViewerOtherCases.earliestCaseDate.text=Earliest Case Date
 DataContentViewerOtherCases.earliestCaseLabel.toolTipText=
 DataContentViewerOtherCases.earliestCaseLabel.text=Central Repository Starting Date:
+DataContentViewerOtherCases.foundInLabel.text=
 DataContentViewerOtherCases.title=Other Occurrences
 DataContentViewerOtherCases.toolTip=Displays instances of the selected file/artifact from other occurrences.
 DataContentViewerOtherCasesTableModel.attribute=Matched Attribute

Core/src/org/sleuthkit/autopsy/contentviewers/Bundle.properties-MERGED

@@ -32,6 +32,8 @@ GstVideoPanel.progress.buffering=Buffering...
 GstVideoPanel.progressLabel.bufferingErr=Error buffering file
 GstVideoPanel.progress.infoLabel.updateErr=Error updating video progress: {0}
 GstVideoPanel.ExtractMedia.progress.buffering=Buffering {0}
+HtmlPanel_showImagesToggleButton_hide=Hide Images
+HtmlPanel_showImagesToggleButton_show=Show Images
 MediaFileViewer.AccessibleContext.accessibleDescription=
 MediaFileViewer.title=Media
 MediaFileViewer.toolTip=Displays supported multimedia files (images, videos, audio)
@@ -44,8 +46,6 @@ MediaViewVideoPanel.infoLabel.text=info
 MediaViewImagePanel.imgFileTooLarge.msg=Could not load image file (too large): {0}
 
 MessageContentViewer.AtrachmentsPanel.title=Attachments
-MessageContentViewer.showImagesToggleButton.hide.text=Hide Images
-MessageContentViewer.showImagesToggleButton.text=Show Images
 MessageContentViewer.title=Message
 MessageContentViewer.toolTip=Displays messages.
 Metadata.nodeText.none=None
@@ -140,6 +140,7 @@ MediaViewImagePanel.zoomResetButton.text=Reset
 MediaViewImagePanel.zoomTextField.text=
 MediaViewImagePanel.rotationTextField.text=
 MediaViewImagePanel.rotateLeftButton.toolTipText=
+HtmlPanel.showImagesToggleButton.text=Show Images
 # {0} - tableName
 SQLiteViewer.readTable.errorText=Error getting rows for table: {0}
 # {0} - tableName

Core/src/org/sleuthkit/autopsy/report/Bundle.properties-MERGED

@@ -1,5 +1,5 @@
 # {0} - File name
-CreatePortableCaseModule.addFilesToPortableCase.copyingFile=Copying file {0}
+CreatePortableCaseModule.copyContentToPortableCase.copyingFile=Copying file {0}
 # {0} - case folder
 CreatePortableCaseModule.createCase.caseDirExists=Case folder {0} already exists
 CreatePortableCaseModule.createCase.errorCreatingCase=Error creating case
@@ -7,11 +7,16 @@ CreatePortableCaseModule.createCase.errorCreatingCase=Error creating case
 CreatePortableCaseModule.createCase.errorCreatingFolder=Error creating folder {0}
 CreatePortableCaseModule.generateReport.caseClosed=Current case has been closed
 # {0} - tag name
+CreatePortableCaseModule.generateReport.copyingArtifacts=Copying artifacts tagged as {0}...
+# {0} - tag name
 CreatePortableCaseModule.generateReport.copyingFiles=Copying files tagged as {0}...
 CreatePortableCaseModule.generateReport.copyingTags=Copying tags...
 CreatePortableCaseModule.generateReport.creatingCase=Creating portable case database...
+CreatePortableCaseModule.generateReport.errorCopyingArtifacts=Error copying tagged artifacts
 CreatePortableCaseModule.generateReport.errorCopyingFiles=Error copying tagged files
 CreatePortableCaseModule.generateReport.errorCopyingTags=Error copying tags
+# {0} - attribute type name
+CreatePortableCaseModule.generateReport.errorLookingUpAttrType=Error looking up attribute type {0}
 CreatePortableCaseModule.generateReport.noTagsSelected=No tags selected for export.
 # {0} - output folder
 CreatePortableCaseModule.generateReport.outputDirDoesNotExist=Output folder {0} does not exist

KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/Bundle.properties-MERGED

@@ -34,7 +34,7 @@ KeywordSearchIngestModule.startupMessage.failedToGetIndexSchema=Failed to get sc
 KeywordSearchResultFactory.createNodeForKey.noResultsFound.text=No results found.
 KeywordSearchResultFactory.query.exception.msg=Could not perform the query 
 OpenIDE-Module-Display-Category=Ingest Module
-OpenIDE-Module-Long-Description=Keyword Search ingest module.\n\nThe module indexes files found in the disk image at ingest time.\nIt then periodically runs the search on the indexed files using one or more keyword lists (containing pure words and/or regular expressions) and posts results.\n\nThe module also contains additional tools integrated in the main GUI, such as keyword list configuration, keyword seach bar in the top-right corner, extracted text viewer and search results viewer showing highlighted keywords found.
+OpenIDE-Module-Long-Description=Keyword Search ingest module.\n\n\The module indexes files found in the disk image at ingest time.\n\It then periodically runs the search on the indexed files using one or more keyword lists (containing pure words and/or regular expressions) and posts results.\n\n\The module also contains additional tools integrated in the main GUI, such as keyword list configuration, keyword seach bar in the top-right corner, extracted text viewer and search results viewer showing highlighted keywords found.
 OpenIDE-Module-Name=KeywordSearch
 OptionsCategory_Name_KeywordSearchOptions=Keyword Search
 OptionsCategory_Keywords_KeywordSearchOptions=Keyword Search

RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED

@@ -2,11 +2,16 @@ cannotBuildXmlParser=Unable to build XML parser:
 cannotLoadSEUQA=Unable to load Search Engine URL Query Analyzer settings file, SEUQAMappings.xml: 
 cannotParseXml=Unable to parse XML file: 
 ChromeCacheExtractor.moduleName=ChromeCacheExtractor
-# {0} - OS name
 DataSourceUsageAnalyzer.customVolume.label=OS Drive ({0})
 DataSourceUsageAnalyzer.parentModuleName=Recent Activity
 Extract.indexError.message=Failed to index artifact for keyword search.
 Extract.noOpenCase.errMsg=No open case available.
+ExtractEdge_getHistory_containerFileNotFound=Error while trying to analyze Edge history
+ExtractEdge_Module_Name=Microsoft Edge
+ExtractEdge_process_errMsg_errGettingWebCacheFiles=Error trying to retrieving Edge WebCacheV01 file
+ExtractEdge_process_errMsg_spartanFail=Failure processing Microsoft Edge spartan.edb file
+ExtractEdge_process_errMsg_unableFindESEViewer=Unable to find ESEDatabaseViewer
+ExtractEdge_process_errMsg_webcacheFail=Failure processing Microsoft Edge WebCacheV01.dat file
 ExtractOs.androidOs.label=Android
 ExtractOs.androidVolume.label=OS Drive (Android)
 ExtractOs.debianLinuxOs.label=Linux (Debian)
@@ -37,6 +42,10 @@ ExtractOs.unitedLinuxVolume.label=OS Drive (Linux United Linux)
 ExtractOs.windowsVolume.label=OS Drive (Windows)
 ExtractOs.yellowDogLinuxOs.label=Linux (Yellow Dog)
 ExtractOs.yellowDogLinuxVolume.label=OS Drive (Linux Yellow Dog)
+ExtractSafari_Error_Getting_History=An error occurred while processing Safari history files.
+ExtractSafari_Error_Parsing_Bookmark=An error occured while processing Safari Bookmark files
+ExtractSafari_Error_Parsing_Cookies=An error occured while processing Safari Cookies files
+ExtractSafari_Module_Name=Safari
 OpenIDE-Module-Display-Category=Ingest Module
 OpenIDE-Module-Long-Description=Recent Activity ingest module.\n\nThe module extracts useful information about the recent user activity on the disk image being ingested, such as:\n\n- Recently open documents,\n- Web acitivity (sites visited, stored cookies, bookmarked sites, search engine queries, file downloads),\n- Recently attached devices,\n- Installed programs.\n\nThe module currently supports Windows only disk images.\nThe plugin is also fully functional when deployed on Windows version of Autopsy.
 OpenIDE-Module-Name=RecentActivity
@@ -131,7 +140,6 @@ RecentDocumentsByLnk.parentModuleName.noSpace=RecentActivity
 RecentDocumentsByLnk.parentModuleName=Recent Activity
 RegRipperFullNotFound=Full version RegRipper executable not found.
 RegRipperNotFound=Autopsy RegRipper executable not found.
-# {0} - file name
 SearchEngineURLQueryAnalyzer.init.exception.msg=Unable to find {0}.
 SearchEngineURLQueryAnalyzer.moduleName.text=Search Engine
 SearchEngineURLQueryAnalyzer.engineName.none=NONE

RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java

@@ -37,6 +37,7 @@ import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.FileReader;
 import java.io.IOException;
+import org.apache.commons.io.FilenameUtils;
 import org.sleuthkit.autopsy.casemodule.Case;
 import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
 import org.sleuthkit.autopsy.casemodule.services.FileManager;
@@ -493,9 +494,10 @@ class Chrome extends Extract {
             logger.log(Level.INFO, "{0}- Now getting downloads from {1} with {2}artifacts identified.", new Object[]{moduleName, temps, tempList.size()}); //NON-NLS
             for (HashMap<String, Object> result : tempList) {
                 Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
+                String fullPath = result.get("full_path").toString(); //NON-NLS
                 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH,
-                        RecentActivityExtracterModuleFactory.getModuleName(), (result.get("full_path").toString()))); //NON-NLS
+                        RecentActivityExtracterModuleFactory.getModuleName(), fullPath)); 
-                long pathID = Util.findID(dataSource, (result.get("full_path").toString())); //NON-NLS
+                long pathID = Util.findID(dataSource, fullPath); 
                 if (pathID != -1) {
                     bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID,
                             NbBundle.getMessage(this.getClass(),
@@ -522,6 +524,20 @@ class Chrome extends Extract {
                 if (bbart != null) {
                     bbartifacts.add(bbart);
                 }
+                
+                // find the downloaded file and create a TSK_DOWNLOAD_SOURCE for it..
+                try {
+                    for (AbstractFile downloadedFile : fileManager.findFiles(dataSource, FilenameUtils.getName(fullPath), FilenameUtils.getPath(fullPath))) {
+                        BlackboardArtifact downloadSourceArt =  downloadedFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_DOWNLOAD_SOURCE);
+                        downloadSourceArt.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
+                            NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
+                            ((result.get("url").toString() != null) ? result.get("url").toString() : ""))); //NON-NLS
+                        bbartifacts.add(downloadSourceArt);
+                        break;   
+                    }
+                } catch (TskCoreException ex) {
+                     logger.log(Level.SEVERE, String.format("Error creating download source artifact for file  '%s'", fullPath), ex); //NON-NLS
+                }
             }
 
             dbFile.delete();

RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractSafari.java

@@ -36,6 +36,7 @@ import java.util.Iterator;
 import java.util.List;
 import java.util.logging.Level;
 import javax.xml.parsers.ParserConfigurationException;
+import org.apache.commons.io.FilenameUtils;
 import org.openide.util.NbBundle.Messages;
 import org.sleuthkit.autopsy.casemodule.services.FileManager;
 import org.sleuthkit.autopsy.coreutils.Logger;
@@ -47,6 +48,7 @@ import org.sleuthkit.autopsy.ingest.ModuleDataEvent;
 import org.sleuthkit.autopsy.recentactivity.BinaryCookieReader.Cookie;
 import org.sleuthkit.datamodel.AbstractFile;
 import org.sleuthkit.datamodel.BlackboardArtifact;
+import org.sleuthkit.datamodel.BlackboardAttribute;
 import org.sleuthkit.datamodel.Content;
 import org.sleuthkit.datamodel.TskCoreException;
 import org.xml.sax.SAXException;
@@ -494,7 +496,7 @@ final class ExtractSafari extends Extract {
 
                 for(NSObject obj: objectArray){
                     if(obj instanceof NSDictionary){
-                        bbartifacts.add(parseDownloadDictionary(dataSource, origFile, (NSDictionary)obj));
+                        bbartifacts.addAll(parseDownloadDictionary(dataSource, origFile, (NSDictionary)obj));
                     }
                 }
                 break;
@@ -603,12 +605,15 @@ final class ExtractSafari extends Extract {
      * @return a Blackboard Artifact for the download.
      * @throws TskCoreException
      */
-    private BlackboardArtifact parseDownloadDictionary(Content dataSource, AbstractFile origFile, NSDictionary entry) throws TskCoreException {
+    private Collection<BlackboardArtifact> parseDownloadDictionary(Content dataSource, AbstractFile origFile, NSDictionary entry) throws TskCoreException {
+        Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
         String url = null;
         String path = null;
         Long time = null;
         Long pathID = null;
-
+        
+        FileManager fileManager = getCurrentCase().getServices().getFileManager();
+        
         NSString nsstring = (NSString) entry.get(PLIST_KEY_DOWNLOAD_URL);
         if (nsstring != null) {
             url = nsstring.toString();
@@ -627,7 +632,19 @@ final class ExtractSafari extends Extract {
 
         BlackboardArtifact bbart = origFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD);
         bbart.addAttributes(this.createDownloadAttributes(path, pathID, url, time, NetworkUtils.extractDomain(url), getName()));
-
+        bbartifacts.add(bbart);
-        return bbart;
+        
+        // find the downloaded file and create a TSK_DOWNLOAD_SOURCE for it.
+        for (AbstractFile downloadedFile : fileManager.findFiles(dataSource, FilenameUtils.getName(path), FilenameUtils.getPath(path))) {
+            BlackboardArtifact downloadSourceArt =  downloadedFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_DOWNLOAD_SOURCE);
+            if (url != null) {
+                downloadSourceArt.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_URL,
+                                            RecentActivityExtracterModuleFactory.getModuleName(), url));
+            }
+            bbartifacts.add(downloadSourceArt);
+            break;
+        }
+        
+        return bbartifacts;
     }
 }

RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java

@@ -42,6 +42,7 @@ import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 import java.util.logging.Level;
+import org.apache.commons.io.FilenameUtils;
 
 import org.openide.util.NbBundle;
 import org.sleuthkit.autopsy.casemodule.Case;
@@ -476,14 +477,14 @@ class Firefox extends Extract {
                         (Long.valueOf(result.get("startTime").toString())))); //NON-NLS
 
                 String target = result.get("target").toString(); //NON-NLS
-
+                String downloadedFilePath = "";
                 if (target != null) {
                     try {
-                        String decodedTarget = URLDecoder.decode(target.replaceAll("file:///", ""), "UTF-8"); //NON-NLS
+                        downloadedFilePath = URLDecoder.decode(target.replaceAll("file:///", ""), "UTF-8"); //NON-NLS
                         bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH,
                                 RecentActivityExtracterModuleFactory.getModuleName(),
-                                decodedTarget));
+                                downloadedFilePath));
-                        long pathID = Util.findID(dataSource, decodedTarget);
+                        long pathID = Util.findID(dataSource, downloadedFilePath);
                         if (pathID != -1) {
                             bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID,
                                     RecentActivityExtracterModuleFactory.getModuleName(),
@@ -509,6 +510,20 @@ class Firefox extends Extract {
                 if (bbart != null) {
                     bbartifacts.add(bbart);
                 }
+                
+                // find the downloaded file and create a TSK_DOWNLOAD_SOURCE for it.
+                 try {
+                    for (AbstractFile downloadedFile : fileManager.findFiles(dataSource, FilenameUtils.getName(downloadedFilePath), FilenameUtils.getPath(downloadedFilePath))) {
+                        BlackboardArtifact downloadSourceArt =  downloadedFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_DOWNLOAD_SOURCE);
+                        downloadSourceArt.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
+                            NbBundle.getMessage(this.getClass(), "Firefox.parentModuleName"), source)); //NON-NLS
+                        bbartifacts.add(downloadSourceArt);
+                        break;
+                    }
+                } catch (TskCoreException ex) {
+                    logger.log(Level.SEVERE, String.format("Error creating download source artifact for file  '%s'",
+                        downloadedFilePath), ex); //NON-NLS
+                }
             }
             if (errors > 0) {
                 this.addErrorMessage(
@@ -596,13 +611,14 @@ class Firefox extends Extract {
                 //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", (Long.valueOf(result.get("startTime").toString()))));
 
                 String target = result.get("target").toString(); //NON-NLS
+                String downloadedFilePath = "";
                 if (target != null) {
                     try {
-                        String decodedTarget = URLDecoder.decode(target.replaceAll("file:///", ""), "UTF-8"); //NON-NLS
+                        downloadedFilePath = URLDecoder.decode(target.replaceAll("file:///", ""), "UTF-8"); //NON-NLS
                         bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH,
                                 RecentActivityExtracterModuleFactory.getModuleName(),
-                                decodedTarget));
+                                downloadedFilePath));
-                        long pathID = Util.findID(dataSource, decodedTarget);
+                        long pathID = Util.findID(dataSource, downloadedFilePath);
                         if (pathID != -1) {
                             bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID,
                                     RecentActivityExtracterModuleFactory.getModuleName(),
@@ -629,6 +645,20 @@ class Firefox extends Extract {
                 if (bbart != null) {
                     bbartifacts.add(bbart);
                 }
+                
+                // find the downloaded file and create a TSK_DOWNLOAD_SOURCE for it.
+                 try {
+                    for (AbstractFile downloadedFile : fileManager.findFiles(dataSource, FilenameUtils.getName(downloadedFilePath), FilenameUtils.getPath(downloadedFilePath))) {
+                        BlackboardArtifact downloadSourceArt =  downloadedFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_DOWNLOAD_SOURCE);
+                        downloadSourceArt.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
+                            NbBundle.getMessage(this.getClass(), "Firefox.parentModuleName"), url)); //NON-NLS
+                        bbartifacts.add(downloadSourceArt);
+                        break;
+                    }
+                } catch (TskCoreException ex) {
+                    logger.log(Level.SEVERE, String.format("Error creating download source artifact for file  '%s'",
+                        downloadedFilePath), ex); //NON-NLS
+                }
             }
             if (errors > 0) {
                 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Firefox.getDlV24.errMsg.errParsingArtifacts",