changed how regripper runs, still need to modify absolute path

Signed-off-by: Alex Ebadirad <aebadirad@42six.com>
This commit is contained in:
Alex Ebadirad 2012-03-15 18:29:01 -07:00
parent c3bfcf00cd
commit 25a816adb3
13 changed files with 265 additions and 74 deletions


@ -1,8 +1,8 @@
build.xml.data.CRC32=9be4ed01
build.xml.data.CRC32=6b34b285
build.xml.script.CRC32=d323407a
build.xml.stylesheet.CRC32=a56c6a5b@1.46.1
# This file is used by a NetBeans-based IDE to track changes in generated files such as build-impl.xml.
# Do not edit this file. You may delete it but then the IDE will never regenerate such files for you.
nbproject/build-impl.xml.data.CRC32=9be4ed01
nbproject/build-impl.xml.data.CRC32=6b34b285
nbproject/build-impl.xml.script.CRC32=aef16a21
nbproject/build-impl.xml.stylesheet.CRC32=238281d1@1.46.1


@ -1,3 +1,4 @@
file.reference.jcalendarbutton-1.4.5.jar=release/modules/ext/jcalendarbutton-1.4.5.jar
file.reference.sqlite-jdbc-3.7.6.3-20110609.081603-3.jar=release/modules/ext/sqlite-jdbc-3.7.6.3-20110609.081603-3.jar
javac.source=1.6
javac.compilerargs=-Xlint -Xlint:-serial


@ -190,6 +190,10 @@
<runtime-relative-path>ext/sqlite-jdbc-3.7.6.3-20110609.081603-3.jar</runtime-relative-path>
<binary-origin>release/modules/ext/sqlite-jdbc-3.7.6.3-20110609.081603-3.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/jdom-1.1.2.jar</runtime-relative-path>
<binary-origin>release/modules/ext/jdom-1.1.2.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/jcalendarbutton-1.4.5.jar</runtime-relative-path>
<binary-origin>release/modules/ext/jcalendarbutton-1.4.5.jar</binary-origin>

Binary file not shown.


@ -6,13 +6,19 @@ package org.sleuthkit.autopsy.recentactivity;
import java.io.File;
import java.io.IOException;
import java.io.StringReader;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Scanner;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.jdom.Document;
import org.jdom.Element;
import org.jdom.input.SAXBuilder;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.datamodel.ContentUtils;
import org.sleuthkit.autopsy.ingest.IngestImageWorkerController;
@ -24,6 +30,8 @@ import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase;
/**
*
* @author Alex \System32\Config
@ -76,7 +84,7 @@ public void getregistryfiles(List<String> image, IngestImageWorkerController con
if(Success)
{
//Delete dat file since it was succcessfully by Pasco
//regFile.delete();
regFile.delete();
}
j++;
@ -134,7 +142,7 @@ public void getregistryfiles(List<String> image, IngestImageWorkerController con
type = "security";
}
String command = rrpath + "rip.exe -r " + regFilePath +" -f " + type + " >> " + txtPath;
String command = rrpath + "rip.exe -r " + regFilePath +" -f " + type + "> " + txtPath;
JavaSystemCaller.Exec.execute(command);
@ -153,49 +161,53 @@ public void getregistryfiles(List<String> image, IngestImageWorkerController con
{
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String[] result = regRecord.split("----------------------------------------");
for(String tempresult : result)
{
try{
try {
String regString = new Scanner(new File(regRecord)).useDelimiter("\\Z").next();
String startdoc = "<document>";
String result = regString.replaceAll("----------------------------------------","");
String enddoc = "</document>";
String stringdoc = startdoc + result + enddoc;
SAXBuilder sb = new SAXBuilder();
Document document = sb.build(new StringReader(stringdoc));
Element root = document.getRootElement();
List types = root.getChildren();
Iterator iterator = types.iterator();
//for(int i = 0; i < types.size(); i++)
//for(Element tempnode : types)
while (iterator.hasNext()) {
String time = "";
String context = "";
Element tempnode = (Element) iterator.next();
// Element tempnode = types.get(i);
context = tempnode.getName();
Element timenode = tempnode.getChild("time");
time = timenode.getTextTrim();
Element artroot = tempnode.getChild("artifacts");
List artlist = artroot.getChildren();
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time));
Iterator aiterator = artlist.iterator();
while (aiterator.hasNext()) {
Element artnode = (Element) aiterator.next();
String name = artnode.getAttributeValue("name");
String value = artnode.getTextTrim();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", context, name));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", context, value));
}
if(tempresult.contains("not found") || tempresult.contains("no values"))
{
}
else
{
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
if(tempresult.contains("Username"))
{
Pattern p = Pattern.compile("Username\\[.*?\\]");
Matcher m = p.matcher(tempresult);
while (m.find()) {
String s = m.group(1);
BlackboardAttribute bbatturl = new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USERNAME.getTypeID(), "RecentActivity", "Registry", s);
bbart.addAttribute(bbatturl);
}
}
if(tempresult.contains("Time["))
{
Pattern p = Pattern.compile("Time\\[.*?\\]");
Matcher m = p.matcher(tempresult);
while (m.find()) {
String s = m.group(1);
BlackboardAttribute bbattdate = new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Registry", s);
bbart.addAttribute(bbattdate);
}
}
}
bbart.addAttributes(bbattributes);
}
}
catch (Exception ex)
{
String hi = "";
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + ex);
}
}
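Review bot: The document assembled from `startdoc + result + enddoc` wraps raw rip.exe output that the plugins emit unescaped, so a single registry value containing `&` or `<` (a path, an MRU command line) makes `SAXBuilder.build` reject the whole hive's report and no artifact is created for any key in it; the failure is then logged as "Error while trying to read into a sqlite db.", which points the reader at the wrong component. Escape the values on the plugin side, and here log the parse failure for what it is, e.g. `logger.log(Level.WARNING, "Error parsing regripper output " + regRecord, ex);`. The `Scanner` opened on `new File(regRecord)` is never closed and reads with the platform default charset, so a file handle leaks per hive. `tempnode.getChild("time")` returns null for any top-level element without a `<time>` child, and the resulting NullPointerException is swallowed by the same catch, abandoning the remaining elements. `String hi = "";` is dead; the enclosing method starts before this hunk.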


@ -43,9 +43,12 @@ sub pluginmain {
my $key;
if ($key = $root_key->get_subkey($key_path)) {
#::rptMsg("RunMru");
::rptMsg($key_path);
#::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
#::rptMsg($key_path);
my @vals = $key->get_list_of_values();
::rptMsg("<runMRU>");
::rptMsg("<time>".gmtime($key->get_timestamp())."</time>");
::rptMsg("<artifacts>");
my %runvals;
my $mru;
if (scalar(@vals) > 0) {
@ -53,20 +56,22 @@ sub pluginmain {
$runvals{$v->get_name()} = $v->get_data() unless ($v->get_name() =~ m/^MRUList/i);
$mru = $v->get_data() if ($v->get_name() =~ m/^MRUList/i);
}
::rptMsg("MRUList = ".$mru);
::rptMsg("<MRUList>".$mru."</MRUList>");
foreach my $r (sort keys %runvals) {
::rptMsg($r." ".$runvals{$r});
::rptMsg("<MRU>".$r." ".$runvals{$r}."</MRU>");
}
}
else {
::rptMsg($key_path." has no values.");
::logMsg($key_path." has no values.");
#::rptMsg($key_path." has no values.");
#::logMsg($key_path." has no values.");
}
::rptMsg("</artifacts>");
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
#::rptMsg($key_path." not found.");
#::logMsg($key_path." not found.");
}
::rptMsg("</runMRU>");
}
1;
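Review bot: The values placed inside the new `<MRUList>` and `<MRU>` elements (`$mru`, `$r`, `$runvals{$r}`) are interpolated verbatim, and RunMRU data is user-typed command text that can legitimately contain `&`, `<` or `>`; since the consumer wraps this output in a `<document>` element and hands it to an XML parser, one such value invalidates the whole report for the hive. Escape before emitting, e.g. `sub _xml_escape { my ($s) = @_; $s =~ s/&/&amp;/g; $s =~ s/</&lt;/g; $s =~ s/>/&gt;/g; return $s; }` applied to each of the three values (and `"`/`'` as well wherever a value goes into an attribute). The same gap is in autopsylogin's `<user>` element, autopsyrecentdocs' `<doc>` element and autopsyshellfolders' `<shell name="...">` attribute. pluginmain starts before this hunk.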


@ -2,6 +2,7 @@
#-------------------------------------
# NTUSER.DAT
autopsy
autopsylogin
autopsyrecentdocs
arunmru
arunmru
autopsyshellfolders


@ -10,7 +10,7 @@
#
# copyright 2008 H. Carvey
#-----------------------------------------------------------
package autopsy;
package autopsylogin;
use strict;
my %config = (hive => "NTUSER\.DAT",
@ -34,7 +34,7 @@ my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("||logonusername||");
#::logMsg("||logonusername||");
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
@ -47,21 +47,23 @@ sub pluginmain {
if (scalar(@vals) > 0) {
#::rptMsg("Logon User Name");
#::rptMsg($key_path);
::rptMsg("Time[".gmtime($key->get_timestamp())."]");
::rptMsg("<logon>");
::rptMsg("<time>".gmtime($key->get_timestamp())."</time><artifacts>");
foreach my $v (@vals) {
if ($v->get_name() eq $logon_name) {
::rptMsg($logon_name."[".$v->get_data() ."]");
::rptMsg("<user name=\"".$logon_name."\"> ".$v->get_data() ."</user>");
}
}
::rptMsg("</artifacts></logon>");
}
else {
::rptMsg($key_path." has no values.");
::logMsg($key_path." has no values.");
#::rptMsg($key_path." has no values.");
#::logMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
#::rptMsg($key_path." not found.");
#::logMsg($key_path." not found.");
}
}
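Review bot: Commenting out the `::logMsg` calls in both `else` branches means a missing or empty Logon User Name key now leaves no trace anywhere, whereas only the `::rptMsg` calls had to go to keep the report well-formed. Keep the log lines, `::logMsg($key_path." not found.");` and `::logMsg($key_path." has no values.");`, provided logMsg is routed somewhere other than the stdout that becomes the report (that routing lives in rip.pl, outside this hunk). The same pattern is repeated in autopsyrecentdocs and autopsyshellfolders. pluginmain starts before this hunk.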


@ -40,17 +40,16 @@ my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("||recentdocs||");
#::logMsg("||recentdocs||");
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
#::rptMsg("RecentDocs");
#::rptMsg("**All values printed in MRUList\\MRUListEx order.");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
#::rptMsg($key_path);
::rptMsg("<recentdocs><time>".gmtime($key->get_timestamp())."</time><artifacts>");
# Get RecentDocs values
my %rdvals = getRDValues($key);
if (%rdvals) {
@ -67,14 +66,15 @@ sub pluginmain {
my @list = split(/,/,$rdvals{$tag});
foreach my $i (@list) {
::rptMsg(" ".$i." = ".$rdvals{$i});
::rptMsg("<doc>".$i." = ".$rdvals{$i} . "</doc>");
}
::rptMsg("");
}
else {
::rptMsg($key_path." has no values.");
::logMsg("Error: ".$key_path." has no values.");
#::rptMsg($key_path." has no values.");
#::logMsg("Error: ".$key_path." has no values.");
}
::rptMsg("</artifacts></recentdocs>");
# Get RecentDocs subkeys' values
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
@ -104,16 +104,16 @@ sub pluginmain {
::rptMsg("");
}
else {
::rptMsg($key_path." has no values.");
#::rptMsg($key_path." has no values.");
}
}
}
else {
::rptMsg($key_path." has no subkeys.");
#::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
#::rptMsg($key_path." not found.");
}
}
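Review bot: `::rptMsg("</artifacts></recentdocs>");` is emitted right after the values block, before the `# Get RecentDocs subkeys' values` section, so whatever the subkey loop still reports (the `::rptMsg("")` visible in the last hunk, plus any raw key or value text printed outside the hunk) lands after the element has been closed; in the consumer's `<document>` that is loose text that is either ignored or, if it contains `&` or `<`, aborts the parse. Move the closing tag to the end of the `if ($key = $root_key->get_subkey($key_path))` branch, or give the subkey output its own element. pluginmain's body continues past this hunk.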


@ -0,0 +1,72 @@
#-----------------------------------------------------------
# shellfolders.pl
#
# Retrieve the Shell Folders values from user's hive; while
# this may not be important in every instance, it may give the
# examiner indications as to where to look for certain items;
# for example, if the user's "My Documents" folder has been redirected
# as part of configuration changes (corporate policies, etc.). Also,
# this may be important as part of data leakage exams, as XP and Vista
# allow users to drop and drag files to the CD Burner.
#
# References:
# http://support.microsoft.com/kb/279157
# http://support.microsoft.com/kb/326982
#
# copyright 2009 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package autopsyshellfolders;
use strict;
my %config = (hive => "NTUSER\.DAT",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20090115);
sub getConfig{return %config}
sub getShortDescr {
return "Retrieve user Shell Folders values";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
#::logMsg("Launching shellfolders v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("<shellfolders>");
::rptMsg("<time>".gmtime($key->get_timestamp())."</time>");
my @vals = $key->get_list_of_values();
::rptMsg("<artifacts>");
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
my $str = sprintf "%-20s %-40s","<shell name=\"".$v->get_name()."\">",$v->get_data()."</shell>";
::rptMsg($str);
}
::rptMsg("");
}
else {
#::rptMsg($key_path." has no values.");
}
::rptMsg("</artifacts></shellfolders>");
}
else {
#::rptMsg($key_path." not found.");
#::logMsg($key_path." not found.");
}
}
1;
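Review bot: The `sprintf "%-20s %-40s"` on the `<shell>` line column-aligns output that is now consumed as XML, so the padding becomes leading whitespace inside the element text and trailing whitespace after `</shell>`; harmless with a trimming consumer, but misleading, and `::rptMsg("<shell name=\"".$v->get_name()."\">".$v->get_data()."</shell>");` says what is meant. A value name containing `"` also terminates the `name` attribute early, the same unescaped-output gap as in the other converted plugins. `my $VERSION = getVersion();` is now unused because the only line that read it is commented out.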

5
thirdparty/rr/plugins/autopsysoftware vendored Normal file

@ -0,0 +1,5 @@
List of plugins for the Registry Ripper
#-------------------------------------
# SOFTWARE
autopsyuninstall


@ -0,0 +1,89 @@
#-----------------------------------------------------------
# uninstall.pl
# Gets contents of Uninstall key from Software hive; sorts
# display names based on key LastWrite time
#
# References:
# http://support.microsoft.com/kb/247501
# http://support.microsoft.com/kb/314481
# http://msdn.microsoft.com/en-us/library/ms954376.aspx
#
# Change History:
# 20100116 - Minor updates
# 20090413 - Extract DisplayVersion info
# 20090128 - Added references
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package autopsyuninstall;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20100116);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of Uninstall key from Software hive";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
#::logMsg("Launching uninstall v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = 'Microsoft\\Windows\\CurrentVersion\\Uninstall';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
#::rptMsg("Uninstall");
#::rptMsg($key_path);
#::rptMsg("");
my %uninst;
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
my $lastwrite = $s->get_timestamp();
my $display;
eval {
$display = $s->get_value("DisplayName")->get_data();
};
$display = $s->get_name() if ($display eq "");
my $ver;
eval {
$ver = $s->get_value("DisplayVersion")->get_data();
};
$display .= " v\.".$ver unless ($@);
push(@{$uninst{$lastwrite}},$display);
}
foreach my $t (reverse sort {$a <=> $b} keys %uninst) {
::rptMsg(gmtime($t)." (UTC)");
foreach my $item (@{$uninst{$t}}) {
::rptMsg("\t$item");
}
::rptMsg("");
}
}
else {
#::rptMsg($key_path." has no subkeys.");
}
}
else {
#::rptMsg($key_path." not found.");
}
}
1;
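Review bot: Unlike the other plugins in this commit, this one still reports plain text (`gmtime($t)." (UTC)"` and `"\t$item"`) with no enclosing element, so if its output goes through the same `<document>` wrapper and `getChildren()` loop as the NTUSER plugins, nothing it prints becomes an artifact, and a DisplayName containing `&` would abort parsing of the entire Software-hive report. Either emit the `<time>`/`<artifacts>` structure the other plugins use, with values escaped, or leave it out of the autopsysoftware list until it is converted. Separately, when the `eval` around `get_value("DisplayName")` fails `$display` stays undef, so `$display eq ""` compares undef; `$display = $s->get_name() unless defined $display && $display ne "";` covers both cases.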


@ -99,7 +99,7 @@ if ($config{file}) {
#logMsg("Parsed Plugins file.");
}
else {
logMsg("Plugins file not parsed.");
#logMsg("Plugins file not parsed.");
exit;
}
foreach my $i (sort {$a <=> $b} keys %plugins) {
@ -111,7 +111,7 @@ if ($config{file}) {
logMsg("Error in ".$plugins{$i}.": ".$@);
}
#logMsg($plugins{$i}." complete.");
#rptMsg("-" x 40);
}
}
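Review bot: With `logMsg("Plugins file not parsed.");` commented out the script reaches `exit;` silently and with status 0, so a bad plugin-list path now looks like a successful run that produced an empty report; the Java caller visible in this commit does not inspect the result of `execute()` either. Keep a diagnostic and fail loudly, `logMsg("Plugins file not parsed."); exit 1;`, assuming logMsg writes somewhere other than the stdout that is redirected into the report. The second hunk keeps `logMsg("Error in ".$plugins{$i}.": ".$@);` for a failing plugin, which is the right call and should be mirrored here. The enclosing `if ($config{file})` block starts before the hunk.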