diff --git a/RecentActivity/nbproject/genfiles.properties b/RecentActivity/nbproject/genfiles.properties
index 17abdd94dc..5ed1794ff3 100644
--- a/RecentActivity/nbproject/genfiles.properties
+++ b/RecentActivity/nbproject/genfiles.properties
@@ -1,8 +1,8 @@
-build.xml.data.CRC32=9be4ed01
+build.xml.data.CRC32=6b34b285
build.xml.script.CRC32=d323407a
build.xml.stylesheet.CRC32=a56c6a5b@1.46.1
# This file is used by a NetBeans-based IDE to track changes in generated files such as build-impl.xml.
# Do not edit this file. You may delete it but then the IDE will never regenerate such files for you.
-nbproject/build-impl.xml.data.CRC32=9be4ed01
+nbproject/build-impl.xml.data.CRC32=6b34b285
nbproject/build-impl.xml.script.CRC32=aef16a21
nbproject/build-impl.xml.stylesheet.CRC32=238281d1@1.46.1
diff --git a/RecentActivity/nbproject/project.properties b/RecentActivity/nbproject/project.properties
index 0feca1f89d..95cab07bcd 100644
--- a/RecentActivity/nbproject/project.properties
+++ b/RecentActivity/nbproject/project.properties
@@ -1,3 +1,4 @@
file.reference.jcalendarbutton-1.4.5.jar=release/modules/ext/jcalendarbutton-1.4.5.jar
+file.reference.sqlite-jdbc-3.7.6.3-20110609.081603-3.jar=release/modules/ext/sqlite-jdbc-3.7.6.3-20110609.081603-3.jar
javac.source=1.6
javac.compilerargs=-Xlint -Xlint:-serial
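Review bot: The only file.reference added here is for the sqlite jar, while the project.xml hunk in this same commit wires jdom-1.1.2.jar in as a new class-path extension with no matching `file.reference.jdom-1.1.2.jar=release/modules/ext/jdom-1.1.2.jar` entry; if NetBeans resolves extension jars through project.properties the way the sqlite entry suggests, the jdom reference is incomplete. The jar itself arrives as an opaque binary with no recorded origin, so a comment next to the reference naming the upstream release it was taken from and its SHA-256 (`# jdom 1.1.2 from <upstream release URL>, sha256 <checksum>`) would let a later reviewer verify the artifact.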
diff --git a/RecentActivity/nbproject/project.xml b/RecentActivity/nbproject/project.xml
index 7c27bb375a..0fad8c88c2 100644
--- a/RecentActivity/nbproject/project.xml
+++ b/RecentActivity/nbproject/project.xml
@@ -190,6 +190,10 @@
ext/sqlite-jdbc-3.7.6.3-20110609.081603-3.jar
release/modules/ext/sqlite-jdbc-3.7.6.3-20110609.081603-3.jar
+
+ ext/jdom-1.1.2.jar
+ release/modules/ext/jdom-1.1.2.jar
+
ext/jcalendarbutton-1.4.5.jar
release/modules/ext/jcalendarbutton-1.4.5.jar
diff --git a/RecentActivity/release/modules/ext/jdom-1.1.2.jar b/RecentActivity/release/modules/ext/jdom-1.1.2.jar
new file mode 100644
index 0000000000..b8091efa2f
Binary files /dev/null and b/RecentActivity/release/modules/ext/jdom-1.1.2.jar differ
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
index 395416397b..7d1602af7e 100644
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
@@ -6,13 +6,19 @@ package org.sleuthkit.autopsy.recentactivity;
import java.io.File;
import java.io.IOException;
+import java.io.StringReader;
import java.sql.ResultSet;
import java.sql.SQLException;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Iterator;
import java.util.List;
+import java.util.Scanner;
import java.util.logging.Level;
import java.util.logging.Logger;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
+import org.jdom.Document;
+import org.jdom.Element;
+import org.jdom.input.SAXBuilder;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.datamodel.ContentUtils;
import org.sleuthkit.autopsy.ingest.IngestImageWorkerController;
@@ -24,6 +30,8 @@ import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase;
+
+
/**
*
* @author Alex \System32\Config
@@ -76,7 +84,7 @@ public void getregistryfiles(List image, IngestImageWorkerController con
if(Success)
{
//Delete dat file since it was succcessfully by Pasco
- //regFile.delete();
+ regFile.delete();
}
j++;
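Review bot: `regFile.delete()` discards its boolean result, so a hive copy that cannot be removed (still held open by the rip.exe child, or a permissions problem) is silently left behind in the temp directory; these copies hold sensitive data from the evidence image, so the failure should at least be logged: `if (!regFile.delete()) { logger.log(Level.WARNING, "Could not delete temporary registry file " + regFile.getAbsolutePath()); }`. The comment above it (`succcessfully by Pasco`) also no longer matches the code, which processes the file with RegRipper; `//Delete the temporary hive copy now that rip.exe has processed it` would. `Success` and `regFile` are assigned outside this hunk, so whether the delete can race the external process cannot be confirmed from here.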
@@ -134,7 +142,7 @@ public void getregistryfiles(List image, IngestImageWorkerController con
type = "security";
}
- String command = rrpath + "rip.exe -r " + regFilePath +" -f " + type + " >> " + txtPath;
+ String command = rrpath + "rip.exe -r " + regFilePath +" -f " + type + "> " + txtPath;
JavaSystemCaller.Exec.execute(command);
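Review bot: The command is still assembled by string concatenation and handed to `JavaSystemCaller.Exec.execute` with `regFilePath` and `txtPath` unquoted and no space before the `>`; a space in either path (case directories commonly contain them) splits the argument or the redirect target, and if the hive's name is carried over from the evidence image, any shell metacharacters in it reach whatever shell performs the redirection (execute() is outside this hunk, so how it launches the process is inferred). Quoting both paths, `String command = rrpath + "rip.exe -r \"" + regFilePath + "\" -f " + type + " > \"" + txtPath + "\"";`, is the minimal fix; passing the arguments as a list and capturing the child's stdout in Java would take the shell out of the path entirely. Since `>` replacing `>>` is what keeps a previous run's output from being parsed again, that intent deserves a comment on the line: `// overwrite, not append: stale output from an earlier run must not be reparsed`.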
@@ -153,49 +161,53 @@ public void getregistryfiles(List image, IngestImageWorkerController con
{
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
-
- String[] result = regRecord.split("----------------------------------------");
- for(String tempresult : result)
- {
- try{
+ try {
+ String regString = new Scanner(new File(regRecord)).useDelimiter("\\Z").next();
+ String startdoc = "";
+ String result = regString.replaceAll("----------------------------------------","");
+ String enddoc = "";
+ String stringdoc = startdoc + result + enddoc;
+ SAXBuilder sb = new SAXBuilder();
+ Document document = sb.build(new StringReader(stringdoc));
+ Element root = document.getRootElement();
+ List types = root.getChildren();
+ Iterator iterator = types.iterator();
+ //for(int i = 0; i < types.size(); i++)
+ //for(Element tempnode : types)
+ while (iterator.hasNext()) {
+ String time = "";
+ String context = "";
+ Element tempnode = (Element) iterator.next();
+ // Element tempnode = types.get(i);
+ context = tempnode.getName();
+ Element timenode = tempnode.getChild("time");
+ time = timenode.getTextTrim();
+
+ Element artroot = tempnode.getChild("artifacts");
+ List artlist = artroot.getChildren();
+ BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
+ Collection bbattributes = new ArrayList();
+ bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time));
+ Iterator aiterator = artlist.iterator();
+ while (aiterator.hasNext()) {
+ Element artnode = (Element) aiterator.next();
+ String name = artnode.getAttributeValue("name");
+ String value = artnode.getTextTrim();
+ bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", context, name));
+ bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", context, value));
+ }
- if(tempresult.contains("not found") || tempresult.contains("no values"))
- {
-
- }
- else
- {
- BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
- if(tempresult.contains("Username"))
- {
- Pattern p = Pattern.compile("Username\\[.*?\\]");
- Matcher m = p.matcher(tempresult);
- while (m.find()) {
- String s = m.group(1);
-
- BlackboardAttribute bbatturl = new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USERNAME.getTypeID(), "RecentActivity", "Registry", s);
- bbart.addAttribute(bbatturl);
- }
- }
-
- if(tempresult.contains("Time["))
- {
- Pattern p = Pattern.compile("Time\\[.*?\\]");
- Matcher m = p.matcher(tempresult);
- while (m.find()) {
- String s = m.group(1);
- BlackboardAttribute bbattdate = new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Registry", s);
- bbart.addAttribute(bbattdate);
- }
-
- }
- }
+
+
+
+ bbart.addAttributes(bbattributes);
+ }
}
catch (Exception ex)
{
+ String hi = "";
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + ex);
}
- }
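Review bot: `new SAXBuilder()` is used with its defaults before `sb.build(new StringReader(stringdoc))`, so the XML assembled from rip.exe output is parsed with DOCTYPE and external-entity processing enabled, and that output embeds registry value data from the evidence image verbatim (the Perl plugins in this commit emit `$v->get_data()` unescaped); the parser should refuse DTDs and entity expansion. The `Scanner` opened on `regRecord` is never closed and reads with the platform charset, `useDelimiter("\\Z").next()` throws NoSuchElementException on an empty output file, and `getChild("time")`/`getChild("artifacts")` are dereferenced without a null check — all of which end in a catch-all whose message ("read into a sqlite db") does not describe this code and which loses the stack trace by concatenating `ex` instead of passing it as the Throwable argument. `String hi = "";` and the commented-out `for` loops are leftovers. The enclosing method starts before this hunk, and javac.source=1.6 in project.properties rules out try-with-resources, hence the explicit finally below.
```java
            Scanner scanner = null;
            try {
                scanner = new Scanner(new File(regRecord), "UTF-8");
                // an empty rip.exe output file would otherwise make next() throw NoSuchElementException
                String regString = scanner.useDelimiter("\\Z").hasNext() ? scanner.next() : "";
                // … unchanged: startdoc / result / enddoc / stringdoc assembly …
                SAXBuilder sb = new SAXBuilder();
                // The document carries registry data from the image verbatim: never honour a DOCTYPE
                // or resolve entities that such data could introduce.
                sb.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
                sb.setFeature("http://xml.org/sax/features/external-general-entities", false);
                sb.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
                sb.setExpandEntities(false);
                Document document = sb.build(new StringReader(stringdoc));
                Element root = document.getRootElement();
                List types = root.getChildren();
                Iterator iterator = types.iterator();
                while (iterator.hasNext()) {
                    Element tempnode = (Element) iterator.next();
                    String context = tempnode.getName();
                    Element timenode = tempnode.getChild("time");
                    Element artroot = tempnode.getChild("artifacts");
                    if (timenode == null || artroot == null) {
                        logger.log(Level.WARNING, "Skipping registry entry without time/artifacts: " + context);
                        continue;
                    }
                    String time = timenode.getTextTrim();
                    // … unchanged: artifact and attribute creation, bbart.addAttributes(bbattributes) …
                }
            }
            catch (Exception ex) {
                logger.log(Level.WARNING, "Error while parsing RegRipper output " + regRecord, ex);
            }
            finally {
                if (scanner != null) {
                    scanner.close();
                }
            }
```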
diff --git a/thirdparty/rr/plugins/arunmru.pl b/thirdparty/rr/plugins/arunmru.pl
index 8577aa2b37..7370685b45 100644
--- a/thirdparty/rr/plugins/arunmru.pl
+++ b/thirdparty/rr/plugins/arunmru.pl
@@ -43,9 +43,12 @@ sub pluginmain {
my $key;
if ($key = $root_key->get_subkey($key_path)) {
#::rptMsg("RunMru");
- ::rptMsg($key_path);
- #::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ #::rptMsg($key_path);
+
my @vals = $key->get_list_of_values();
+ ::rptMsg("");
+ ::rptMsg("");
+ ::rptMsg("");
my %runvals;
my $mru;
if (scalar(@vals) > 0) {
@@ -53,20 +56,22 @@ sub pluginmain {
$runvals{$v->get_name()} = $v->get_data() unless ($v->get_name() =~ m/^MRUList/i);
$mru = $v->get_data() if ($v->get_name() =~ m/^MRUList/i);
}
- ::rptMsg("MRUList = ".$mru);
+ ::rptMsg("".$mru."");
foreach my $r (sort keys %runvals) {
- ::rptMsg($r." ".$runvals{$r});
+ ::rptMsg("".$r." ".$runvals{$r}."");
}
}
else {
- ::rptMsg($key_path." has no values.");
- ::logMsg($key_path." has no values.");
+ #::rptMsg($key_path." has no values.");
+ #::logMsg($key_path." has no values.");
}
+ ::rptMsg("");
}
else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
+ #::rptMsg($key_path." not found.");
+ #::logMsg($key_path." not found.");
}
+ ::rptMsg("");
}
1;
\ No newline at end of file
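Review bot: `::rptMsg("".$mru."")` and `::rptMsg("".$r." ".$runvals{$r}."")` write the MRUList value and each RunMRU command line straight into the report text that ExtractRegistry now parses as XML (the markup around them is presumably lost in this rendering); a value containing `&`, `<` or `>` — ordinary in command lines — produces a document that SAXBuilder rejects, after which the Java side discards the whole hive's output in its catch block. Escape names and data before emission, e.g. `sub xmlesc { my $s = shift; $s =~ s/&/&amp;/g; $s =~ s/</&lt;/g; $s =~ s/>/&gt;/g; $s =~ s/"/&quot;/g; return $s; }` applied to `$mru`, `$r` and `$runvals{$r}`. The same unescaped emission is in autopsylogin.pl (`$v->get_data()`), autopsyrecentdocs.pl (`$i` and `$rdvals{$i}`) and autopsyshellfolders.pl (`$v->get_name()`, `$v->get_data()`). Commenting out the `logMsg` calls for the "not found" and "has no values" branches also leaves no trace in the log when a key is missing, even though the report-stream `rptMsg` calls are the ones the Java parser needed gone.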
diff --git a/thirdparty/rr/plugins/autopsy b/thirdparty/rr/plugins/autopsy
index f64ad0616b..49ef69b395 100644
--- a/thirdparty/rr/plugins/autopsy
+++ b/thirdparty/rr/plugins/autopsy
@@ -2,6 +2,7 @@
#-------------------------------------
# NTUSER.DAT
-autopsy
+autopsylogin
autopsyrecentdocs
-arunmru
\ No newline at end of file
+arunmru
+autopsyshellfolders
\ No newline at end of file
diff --git a/thirdparty/rr/plugins/autopsy.pl b/thirdparty/rr/plugins/autopsylogin.pl
similarity index 75%
rename from thirdparty/rr/plugins/autopsy.pl
rename to thirdparty/rr/plugins/autopsylogin.pl
index e0f9eb0e1a..5f83827176 100644
--- a/thirdparty/rr/plugins/autopsy.pl
+++ b/thirdparty/rr/plugins/autopsylogin.pl
@@ -10,7 +10,7 @@
#
# copyright 2008 H. Carvey
#-----------------------------------------------------------
-package autopsy;
+package autopsylogin;
use strict;
my %config = (hive => "NTUSER\.DAT",
@@ -34,7 +34,7 @@ my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
- ::logMsg("||logonusername||");
+ #::logMsg("||logonusername||");
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
@@ -47,21 +47,23 @@ sub pluginmain {
if (scalar(@vals) > 0) {
#::rptMsg("Logon User Name");
#::rptMsg($key_path);
- ::rptMsg("Time[".gmtime($key->get_timestamp())."]");
+ ::rptMsg("");
+ ::rptMsg("");
foreach my $v (@vals) {
if ($v->get_name() eq $logon_name) {
- ::rptMsg($logon_name."[".$v->get_data() ."]");
+ ::rptMsg(" ".$v->get_data() ."");
}
}
+ ::rptMsg("");
}
else {
- ::rptMsg($key_path." has no values.");
- ::logMsg($key_path." has no values.");
+ #::rptMsg($key_path." has no values.");
+ #::logMsg($key_path." has no values.");
}
}
else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
+ #::rptMsg($key_path." not found.");
+ #::logMsg($key_path." not found.");
}
}
diff --git a/thirdparty/rr/plugins/autopsyrecentdocs.pl b/thirdparty/rr/plugins/autopsyrecentdocs.pl
index ea468aed01..34e3bf1034 100644
--- a/thirdparty/rr/plugins/autopsyrecentdocs.pl
+++ b/thirdparty/rr/plugins/autopsyrecentdocs.pl
@@ -40,17 +40,16 @@ my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
- ::logMsg("||recentdocs||");
+ #::logMsg("||recentdocs||");
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
-
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
#::rptMsg("RecentDocs");
#::rptMsg("**All values printed in MRUList\\MRUListEx order.");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+ #::rptMsg($key_path);
+ ::rptMsg("");
# Get RecentDocs values
my %rdvals = getRDValues($key);
if (%rdvals) {
@@ -67,14 +66,15 @@ sub pluginmain {
my @list = split(/,/,$rdvals{$tag});
foreach my $i (@list) {
- ::rptMsg(" ".$i." = ".$rdvals{$i});
+ ::rptMsg("".$i." = ".$rdvals{$i} . "");
}
- ::rptMsg("");
+
}
else {
- ::rptMsg($key_path." has no values.");
- ::logMsg("Error: ".$key_path." has no values.");
+ #::rptMsg($key_path." has no values.");
+ #::logMsg("Error: ".$key_path." has no values.");
}
+ ::rptMsg("");
# Get RecentDocs subkeys' values
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
@@ -104,16 +104,16 @@ sub pluginmain {
::rptMsg("");
}
else {
- ::rptMsg($key_path." has no values.");
+ #::rptMsg($key_path." has no values.");
}
}
}
else {
- ::rptMsg($key_path." has no subkeys.");
+ #::rptMsg($key_path." has no subkeys.");
}
}
else {
- ::rptMsg($key_path." not found.");
+ #::rptMsg($key_path." not found.");
}
}
diff --git a/thirdparty/rr/plugins/autopsyshellfolders.pl b/thirdparty/rr/plugins/autopsyshellfolders.pl
new file mode 100644
index 0000000000..de3115f9dd
--- /dev/null
+++ b/thirdparty/rr/plugins/autopsyshellfolders.pl
@@ -0,0 +1,72 @@
+#-----------------------------------------------------------
+# shellfolders.pl
+#
+# Retrieve the Shell Folders values from user's hive; while
+# this may not be important in every instance, it may give the
+# examiner indications as to where to look for certain items;
+# for example, if the user's "My Documents" folder has been redirected
+# as part of configuration changes (corporate policies, etc.). Also,
+# this may be important as part of data leakage exams, as XP and Vista
+# allow users to drop and drag files to the CD Burner.
+#
+# References:
+# http://support.microsoft.com/kb/279157
+# http://support.microsoft.com/kb/326982
+#
+# copyright 2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package autopsyshellfolders;
+use strict;
+
+my %config = (hive => "NTUSER\.DAT",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20090115);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Retrieve user Shell Folders values";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ #::logMsg("Launching shellfolders v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ ::rptMsg("");
+ ::rptMsg("");
+
+ my @vals = $key->get_list_of_values();
+ ::rptMsg("");
+ if (scalar(@vals) > 0) {
+ foreach my $v (@vals) {
+ my $str = sprintf "%-20s %-40s","get_name()."\">",$v->get_data()."";
+ ::rptMsg($str);
+ }
+ ::rptMsg("");
+ }
+ else {
+ #::rptMsg($key_path." has no values.");
+ }
+ ::rptMsg("");
+ }
+ else {
+ #::rptMsg($key_path." not found.");
+ #::logMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
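Review bot: `my $str = sprintf "%-20s %-40s","get_name()."\">",$v->get_data()."";` does not parse as shown — the literal before `get_name()` is unterminated and the `$v->` is missing — which may be an artifact of how this page was rendered; if the intent is fixed-width columns, the `%-20s`/`%-40s` padding puts runs of spaces inside the element text that ExtractRegistry then has to trim, so a plain concatenation in the same form as autopsylogin.pl, `::rptMsg(... $v->get_name() ... $v->get_data() ...)`, is clearer and consistent with the other plugins. `$VERSION` is computed but only referenced from the commented-out logMsg.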
diff --git a/thirdparty/rr/plugins/autopsysoftware b/thirdparty/rr/plugins/autopsysoftware
new file mode 100644
index 0000000000..1b515928ca
--- /dev/null
+++ b/thirdparty/rr/plugins/autopsysoftware
@@ -0,0 +1,5 @@
+ List of plugins for the Registry Ripper
+
+#-------------------------------------
+# SOFTWARE
+autopsyuninstall
\ No newline at end of file
diff --git a/thirdparty/rr/plugins/autopsyuninstall.pl b/thirdparty/rr/plugins/autopsyuninstall.pl
new file mode 100644
index 0000000000..2ec0f50e2e
--- /dev/null
+++ b/thirdparty/rr/plugins/autopsyuninstall.pl
@@ -0,0 +1,89 @@
+#-----------------------------------------------------------
+# uninstall.pl
+# Gets contents of Uninstall key from Software hive; sorts
+# display names based on key LastWrite time
+#
+# References:
+# http://support.microsoft.com/kb/247501
+# http://support.microsoft.com/kb/314481
+# http://msdn.microsoft.com/en-us/library/ms954376.aspx
+#
+# Change History:
+# 20100116 - Minor updates
+# 20090413 - Extract DisplayVersion info
+# 20090128 - Added references
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package autopsyuninstall;
+use strict;
+
+my %config = (hive => "Software",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20100116);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Gets contents of Uninstall key from Software hive";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ #::logMsg("Launching uninstall v.".$VERSION);
+ my $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+ my $key_path = 'Microsoft\\Windows\\CurrentVersion\\Uninstall';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ #::rptMsg("Uninstall");
+ #::rptMsg($key_path);
+ #::rptMsg("");
+
+ my %uninst;
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ my $lastwrite = $s->get_timestamp();
+ my $display;
+ eval {
+ $display = $s->get_value("DisplayName")->get_data();
+ };
+ $display = $s->get_name() if ($display eq "");
+
+ my $ver;
+ eval {
+ $ver = $s->get_value("DisplayVersion")->get_data();
+ };
+ $display .= " v\.".$ver unless ($@);
+
+ push(@{$uninst{$lastwrite}},$display);
+ }
+ foreach my $t (reverse sort {$a <=> $b} keys %uninst) {
+ ::rptMsg(gmtime($t)." (UTC)");
+ foreach my $item (@{$uninst{$t}}) {
+ ::rptMsg("\t$item");
+ }
+ ::rptMsg("");
+ }
+ }
+ else {
+ #::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ #::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
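Review bot: This plugin reports `gmtime($t)." (UTC)"` followed by tab-indented items, a different shape from the NTUSER plugins in this commit, which wrap the timestamp and values in markup that ExtractRegistry reads via `getChild("time")` and `getChild("artifacts")`; if the software-hive output goes through that same parser (inferred — the Java caller is outside this hunk), those children are not found and the null dereference ends in the catch block. `$display = $s->get_name() if ($display eq "");` also compares an undefined `$display` when the eval fails, which warns under `-w`; `if (!defined $display || $display eq "")` avoids that. Emitting the same per-entry structure as arunmru.pl, with the DisplayName as the value, would keep one output format for the Java side.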
diff --git a/thirdparty/rr/rip.pl b/thirdparty/rr/rip.pl
index 4172d5941d..ffbd632d7a 100644
--- a/thirdparty/rr/rip.pl
+++ b/thirdparty/rr/rip.pl
@@ -99,7 +99,7 @@ if ($config{file}) {
#logMsg("Parsed Plugins file.");
}
else {
- logMsg("Plugins file not parsed.");
+ #logMsg("Plugins file not parsed.");
exit;
}
foreach my $i (sort {$a <=> $b} keys %plugins) {
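Review bot: Commenting out `logMsg("Plugins file not parsed.")` leaves a bare `exit`, which terminates with status 0 and writes nothing, so when the plugins file is missing or unreadable the Java caller sees an empty output file indistinguishable from a hive with nothing to report. Keep the diagnostic off the report stream but make the failure visible: `print STDERR "Plugins file not parsed.\n"; exit 1;`. Whether logMsg writes to STDOUT (which would explain removing it) is not visible from this hunk.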
@@ -111,7 +111,7 @@ if ($config{file}) {
logMsg("Error in ".$plugins{$i}.": ".$@);
}
#logMsg($plugins{$i}." complete.");
- #rptMsg("-" x 40);
+
}
}