added usb extraction and changed regression.py.

Signed-off-by: Sean-M <Smoss117@gmail.com>
2025-07-12 07:56:16 +00:00 · 2013-06-05 11:05:23 -04:00 · 2013-06-05 11:05:23 -04:00 · 2ac6c66309
commit 2ac6c66309
parent 68e11f0dba
5 changed files with 18194 additions and 7 deletions
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
@ -42,6 +42,7 @@ import org.sleuthkit.autopsy.ingest.IngestModuleImage;
 import org.sleuthkit.autopsy.ingest.IngestModuleInit;
 import org.sleuthkit.autopsy.ingest.IngestServices;
 import org.sleuthkit.autopsy.ingest.PipelineContext;
+import org.sleuthkit.autopsy.recentactivity.ExtractUSB.USB_Info;
 import org.sleuthkit.datamodel.*;
 import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
 import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
@ -135,9 +136,10 @@ public class ExtractRegistry extends Extract {
            }
            File aRegFile = new File(temps);
            logger.log(Level.INFO, moduleName + "- Now getting registry information from " + temps);
+            ExtractUSB extrctr = new ExtractUSB();
            String txtPath = executeRegRip(temps, j++);
            if (txtPath.length() > 0) {
-                if (parseReg(txtPath, regFile.getId()) == false) {
+                if (parseReg(txtPath, regFile.getId(),extrctr) == false) {
                    continue;
                }
            }
@ -202,7 +204,7 @@ public class ExtractRegistry extends Extract {
        return txtPath;
    }

-    private boolean parseReg(String regRecord, long orgId) {
+    private boolean parseReg(String regRecord, long orgId, ExtractUSB extrctr) {
        FileInputStream fstream = null;
        try {
            Case currentCase = Case.getCurrentCase(); // get the most updated case
@ -287,6 +289,9 @@ public class ExtractRegistry extends Extract {
                                //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_ID.getTypeID(), "RecentActivity", context, value));
                                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL.getTypeID(), "RecentActivity", dev));
                                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_ID.getTypeID(), "RecentActivity", value));
+                                USB_Info info = extrctr.get(dev);
+                                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL.getTypeID(), "RecentActivity", info.get_Vendor()));
+                                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL.getTypeID(), "RecentActivity", info.get_Product()));
                                bbart.addAttributes(bbattributes);
                            } catch (TskCoreException ex) {
                                logger.log(Level.SEVERE, "Error adding device attached artifact to blackboard.");
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractUSB.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractUSB.java
@ -0,0 +1,118 @@
+ /*
+ *
+ * Autopsy Forensic Browser
+ * 
+ * Copyright 2012 Basis Technology Corp.
+ * 
+ * Copyright 2012 42six Solutions.
+ * Contact: aebadirad <at> 42six <dot> com
+ * Project Contact/Architect: carrier <at> sleuthkit <dot> org
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.sleuthkit.autopsy.recentactivity;
+
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.util.HashMap;
+import java.util.Scanner;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+public class ExtractUSB {
+
+    private HashMap<String, USB_Info> devices;
+
+    public USB_Info get(String dev) {
+        String[] dtokens = dev.split("[_&]");
+        String mID = dtokens[1];
+        String pID;
+        if (dtokens.length < 4 || dtokens[3].length() < 4) {
+            pID = mID + "0000";
+        } else {
+            pID = mID + dtokens[3];
+        }
+        //if (!devices.containsKey(pID)) {
+        //    return new String[]{"No such Device", null};
+        //} else {
+        return devices.get(pID);
+        //}
+    }
+
+    public ExtractUSB() {
+        try {
+            Devices();
+        } catch (FileNotFoundException ex) {
+            Logger.getLogger(ExtractUSB.class.getName()).log(Level.SEVERE, null, ex);
+            devices = null;
+        }
+    }
+
+    private void Devices() throws FileNotFoundException {
+        devices = new HashMap<String, USB_Info>();
+        try (Scanner dat = new Scanner(new FileInputStream(new java.io.File("src" + java.io.File.separator + "org" + java.io.File.separator + "sleuthkit" + java.io.File.separator + "autopsy" + java.io.File.separator + "recentactivity" + java.io.File.separator + "USB_DATA.txt")))) {
+            String line = dat.nextLine();
+            while (dat.hasNext()) {
+                String dvc = "";
+                if (!(line.startsWith("#") || (line.equals("")))) {
+                    String[] tokens = line.split("[\\t\\s]+");
+                    String vID = tokens[0];
+                    for (int n = 1; n < tokens.length; n++) {
+                        dvc += tokens[n] + " ";
+                    }
+                    line = dat.nextLine();
+                    if (line.startsWith("\t")) {
+                        while (dat.hasNext() && line.startsWith("\t")) {
+                            tokens = line.split("[\\t\\s]+");
+                            String pID = vID + tokens[1];
+                            String device = "";
+                            line = dat.nextLine();
+                            for (int n = 2; n < tokens.length; n++) {
+                                device += tokens[n] + " ";
+                            }
+                            USB_Info info = new USB_Info(dvc, device);
+                            devices.put(pID, info);
+                        }
+                    } else {
+                        String pID = vID + "0000";
+                        USB_Info info = new USB_Info(dvc, null);
+                        devices.put(pID, info);
+                    }
+                } else {
+                    line = dat.nextLine();
+                }
+            }
+        }
+    }
+
+    public class USB_Info {
+
+        private String vendor;
+        private String product;
+
+        private USB_Info(String vend, String prod) {
+            vendor = vend;
+            product = prod;
+        }
+
+        public String get_Vendor() {
+            return vendor;
+        }
+
+        public String get_Product() {
+            return product;
+        }
+        public String toString(){
+            return vendor + product;
+        }
+    }
+}
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/OTHER_USB_DATA.txt
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/OTHER_USB_DATA.txt
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/USB_DATA.txt
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/USB_DATA.txt
--- a/test/script/regression.py
+++ b/test/script/regression.py
@ -410,9 +410,9 @@ def retrieve_data(data_file, autopsy_con,autopsy_db_file):
 	try:
 		while (rw != None):
 			if(rw[0] != None):
-				database_log.write(rw[0] + rw[1] + ' <artifact type = "' + rw[2] + '" > ')
+				database_log.write(rw[0] + rw[1] + ' <artifact type="' + rw[2] + '" > ')
 			else:
-				database_log.write(rw[1] + ' <artifact type = "' + rw[2] + '" > ')
+				database_log.write(rw[1] + ' <artifact type="' + rw[2] + '" > ')
 			autopsy_cur1 = autopsy_con.cursor()
 			looptry = True
 			case.artifact_count += 1
@ -458,10 +458,12 @@ def retrieve_data(data_file, autopsy_con,autopsy_db_file):
 							attachl.append(autopsy_db_file)
 							appnd = True
 					try:
-						database_log.write('<attribute source = "' + attr[0] + '" type = "' + attr[1] + '" value = "')
+						database_log.write('<attribute source="' + attr[0] + '" type="' + attr[1] + '" value="')
 						inpval = attr[val]
 						if((type(inpval) != 'unicode') or (type(inpval) != 'str')):
 							inpval = str(inpval)
+						patrn = re.compile("\n")
+						inpval = re.sub(patrn, ' ', inpval)
 						try:
 							database_log.write(inpval)
 						except Exception as e:
@ -473,7 +475,8 @@ def retrieve_data(data_file, autopsy_con,autopsy_db_file):
 			rw = autopsy_cur2.fetchone()
 	except Exception as e:
 		print('outer exception: ' + str(e))
-	errorem += case.image_name + ":There were " + str(case.artifact_count) + " artifacts and " + str(case.artifact_fail) + " threw an exception while loading.\n"
+		if(case.artifact_fail > 0):
+			errorem += case.image_name + ":There were " + str(case.artifact_count) + " artifacts and " + str(case.artifact_fail) + " threw an exception while loading.\n"
 		
 def dbDump():
 	autopsy_db_file = Emailer.make_path(case.output_dir, case.image_name,
@ -1075,7 +1078,7 @@ def compare_data(aut, gld):
 		global errorem
 		global failedbool
 		attachl.append(diff_dir)
-		errorem += case.image_name + ":There was a difference in the Database data for the file " + gld + ".\n"
+		errorem += case.image_name + ":There was a database difference in the file " + gld + ".\n"
 		print("There was a difference in the Database data for " + case.image_name + " for the file " + gld + ".\n")
 		failedbool = True
 		global imgfail