From 2d80d2ee2113031929a8977ac3ffa24b6bea5c09 Mon Sep 17 00:00:00 2001
From: Brian Carrier
Date: Sat, 26 Oct 2013 23:37:48 -0400
Subject: [PATCH] normalized timestamps in registry analysis, updated reports
---
 .../autopsy/report/ReportGenerator.java | 3 +-
 RecentActivity/release/rr/plugins/arunmru.pl | 4 +-
 .../release/rr/plugins/autopsylogin.pl | 4 +-
 .../release/rr/plugins/autopsyrecentdocs.pl | 4 +-
 .../release/rr/plugins/autopsyshellfolders.pl | 4 +-
 .../release/rr/plugins/autopsyuninstall.pl | 8 +--
 .../release/rr/plugins/autopsyusb.pl | 10 +--
 .../release/rr/plugins/autopsywinver.pl | 4 +-
 .../release/rr/plugins/officedocs.pl | 4 +-
 .../release/rr/plugins/officedocs2010.pl | 2 +-
 .../recentactivity/ExtractRegistry.java | 66 +++++++++----------
 11 files changed, 57 insertions(+), 56 deletions(-)
diff --git a/Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java b/Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java
index 889ca07328..56f4f8780f 100644
--- a/Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java
+++ b/Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java
@@ -842,7 +842,7 @@ public class ReportGenerator {
 columnHeaders = new ArrayList<>(Arrays.asList(new String[] {"Destination", "Source URL", "Date Accessed", "Program", "Source File"}));
 break;
 case TSK_RECENT_OBJECT:
- columnHeaders = new ArrayList<>(Arrays.asList(new String[] {"Path", "Source File"}));
+ columnHeaders = new ArrayList<>(Arrays.asList(new String[] {"Path", "Date/Time", "Source File"}));
 break;
 case TSK_INSTALLED_PROG:
 columnHeaders = new ArrayList<>(Arrays.asList(new String[] {"Program Name", "Install Date/Time", "Source File"}));
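Review bot: The new "Date/Time" column added here is filled from `ATTRIBUTE_TYPE.TSK_DATETIME` in the @@ -1030 hunk of this file, but the TSK_RECENT_OBJECT artifacts that ExtractRegistry creates for Office documents in this same commit are given `TSK_DATETIME_ACCESSED` (the `if (mtime != null)` block in the @@ -496 hunk), so for those rows the column will presumably be empty unless some other producer also sets TSK_DATETIME. Either attach TSK_DATETIME in the extractor or, in the @@ -1030 hunk, fall back to the TSK_DATETIME_ACCESSED value when the TSK_DATETIME lookup yields nothing. The switch statements both hunks sit in start and end outside the hunks.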
@@ -1030,6 +1030,7 @@ public class ReportGenerator { case TSK_RECENT_OBJECT: List recent = new ArrayList<>(); recent.add(attributes.get(ATTRIBUTE_TYPE.TSK_PATH.getTypeID())); + recent.add(attributes.get(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID())); recent.add(getFileUniquePath(artifactData.getObjectID())); return recent; case TSK_INSTALLED_PROG: diff --git a/RecentActivity/release/rr/plugins/arunmru.pl b/RecentActivity/release/rr/plugins/arunmru.pl index 8edea6e515..504700f145 100644 --- a/RecentActivity/release/rr/plugins/arunmru.pl +++ b/RecentActivity/release/rr/plugins/arunmru.pl @@ -47,7 +47,7 @@ sub pluginmain { my @vals = $key->get_list_of_values(); ::rptMsg(""); - ::rptMsg(""); + ::rptMsg("".gmtime($key->get_timestamp()).""); ::rptMsg(""); my %runvals; my $mru; @@ -75,4 +75,4 @@ sub pluginmain { } -1; \ No newline at end of file +1; diff --git a/RecentActivity/release/rr/plugins/autopsylogin.pl b/RecentActivity/release/rr/plugins/autopsylogin.pl index 5f83827176..ab0365817e 100644 --- a/RecentActivity/release/rr/plugins/autopsylogin.pl +++ b/RecentActivity/release/rr/plugins/autopsylogin.pl @@ -48,7 +48,7 @@ sub pluginmain { #::rptMsg("Logon User Name"); #::rptMsg($key_path); ::rptMsg(""); - ::rptMsg(""); + ::rptMsg("".gmtime($key->get_timestamp()).""); foreach my $v (@vals) { if ($v->get_name() eq $logon_name) { ::rptMsg(" ".$v->get_data() .""); @@ -67,4 +67,4 @@ sub pluginmain { } } -1; \ No newline at end of file +1; diff --git a/RecentActivity/release/rr/plugins/autopsyrecentdocs.pl b/RecentActivity/release/rr/plugins/autopsyrecentdocs.pl index 538555ef8d..776126175b 100644 --- a/RecentActivity/release/rr/plugins/autopsyrecentdocs.pl +++ b/RecentActivity/release/rr/plugins/autopsyrecentdocs.pl 
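Review bot: The added line reports the key's last-write time as the scalar form of `gmtime($key->get_timestamp())`, a ctime-style text string that ExtractRegistry then has to parse back with a SimpleDateFormat; autopsylogin.pl, autopsyrecentdocs.pl, autopsyshellfolders.pl, autopsyuninstall.pl and officedocs.pl do the same in this commit, while autopsyusb.pl emits the raw epoch seconds from `get_timestamp()` and the Java side reads those with `Long.parseLong`. Emitting `$key->get_timestamp()` directly here as well would make the plugins consistent and remove the locale- and time-zone-sensitive text round trip on the Java side. `sub pluginmain` continues outside the hunk.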
@@ -49,7 +49,7 @@ sub pluginmain { #::rptMsg("RecentDocs"); #::rptMsg("**All values printed in MRUList\\MRUListEx order."); #::rptMsg($key_path); - ::rptMsg(""); + ::rptMsg("".gmtime($key->get_timestamp()).""); # Get RecentDocs values my %rdvals = getRDValues($key); if (%rdvals) { @@ -158,4 +158,4 @@ sub getRDValues { } } -1; \ No newline at end of file +1; diff --git a/RecentActivity/release/rr/plugins/autopsyshellfolders.pl b/RecentActivity/release/rr/plugins/autopsyshellfolders.pl index de3115f9dd..d625820ec5 100644 --- a/RecentActivity/release/rr/plugins/autopsyshellfolders.pl +++ b/RecentActivity/release/rr/plugins/autopsyshellfolders.pl @@ -48,7 +48,7 @@ sub pluginmain { my $key; if ($key = $root_key->get_subkey($key_path)) { ::rptMsg(""); - ::rptMsg(""); + ::rptMsg("".gmtime($key->get_timestamp()).""); my @vals = $key->get_list_of_values(); ::rptMsg(""); @@ -69,4 +69,4 @@ sub pluginmain { #::logMsg($key_path." not found."); } } -1; \ No newline at end of file +1; diff --git a/RecentActivity/release/rr/plugins/autopsyuninstall.pl b/RecentActivity/release/rr/plugins/autopsyuninstall.pl index 30fc0dcd74..d3f114dc5e 100644 --- a/RecentActivity/release/rr/plugins/autopsyuninstall.pl +++ b/RecentActivity/release/rr/plugins/autopsyuninstall.pl @@ -51,7 +51,7 @@ sub pluginmain { #::rptMsg($key_path); #::rptMsg(""); ::rptMsg(""); - ::rptMsg(""); + ::rptMsg("".gmtime($key->get_timestamp()).""); ::rptMsg(""); my %uninst; my @subkeys = $key->get_list_of_subkeys(); @@ -73,9 +73,9 @@ sub pluginmain { push(@{$uninst{$lastwrite}},$display); } foreach my $t (reverse sort {$a <=> $b} keys %uninst) { - #::rptMsg(""); + #::rptMsg(""); foreach my $item (@{$uninst{$t}}) { - ::rptMsg("" .$item.""); + ::rptMsg("" .$item.""); } #::rptMsg(""); } @@ -89,4 +89,4 @@ sub pluginmain { } ::rptMsg(""); } -1; \ No newline at end of file +1; diff --git a/RecentActivity/release/rr/plugins/autopsyusb.pl b/RecentActivity/release/rr/plugins/autopsyusb.pl index 9f5b97fdbd..3c6b788c09 100644 
--- a/RecentActivity/release/rr/plugins/autopsyusb.pl +++ b/RecentActivity/release/rr/plugins/autopsyusb.pl @@ -59,7 +59,7 @@ sub pluginmain { my $key_path = $ccs."\\Enum\\USB"; my $key; if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg(""); + ::rptMsg(""); my @subkeys = $key->get_list_of_subkeys(); if (scalar(@subkeys) > 0) { @@ -69,8 +69,8 @@ sub pluginmain { if (scalar(@sk) > 0) { foreach my $k (@sk) { my $serial = $k->get_name(); - my $sn_lw = $k->get_timestamp(); - my $str = $comp_name.",".$dev_class.",".$serial.",".$sn_lw; + my $mtime = $k->get_timestamp(); + my $str = $comp_name.",".$dev_class.",".$serial.",".$mtime; my $loc; eval { @@ -94,7 +94,7 @@ sub pluginmain { }; - ::rptMsg("" . $serial . ""); + ::rptMsg("" . $serial . ""); } } } @@ -110,4 +110,4 @@ sub pluginmain { #::logMsg($key_path." not found."); } } -1; \ No newline at end of file +1; diff --git a/RecentActivity/release/rr/plugins/autopsywinver.pl b/RecentActivity/release/rr/plugins/autopsywinver.pl index 73cb5a3017..758dc45b5c 100644 --- a/RecentActivity/release/rr/plugins/autopsywinver.pl +++ b/RecentActivity/release/rr/plugins/autopsywinver.pl @@ -32,7 +32,7 @@ sub pluginmain { my $reg = Parse::Win32Registry->new($hive); my $root_key = $reg->get_root_key; ::rptMsg(""); - ::rptMsg(""); + ::rptMsg(""); ::rptMsg(""); my $key_path = "Microsoft\\Windows NT\\CurrentVersion"; my $key; @@ -106,4 +106,4 @@ sub pluginmain { } ::rptMsg(""); } -1; \ No newline at end of file +1; diff --git a/RecentActivity/release/rr/plugins/officedocs.pl b/RecentActivity/release/rr/plugins/officedocs.pl index ad9495c407..c7ee407a7f 100644 --- a/RecentActivity/release/rr/plugins/officedocs.pl +++ b/RecentActivity/release/rr/plugins/officedocs.pl 
@@ -56,8 +56,8 @@ sub pluginmain { #::rptMsg("MSOffice version ".$version." located."); my $key_path = "Software\\Microsoft\\Office\\".$version; my $of_key = $root_key->get_subkey($key_path); + ::rptMsg(" ".gmtime($of_key->get_timestamp()).""); ::rptMsg(""); - ::rptMsg(""); if ($of_key) { # Attempt to retrieve Word docs my @funcs = ("Open","Save As","File Save"); @@ -148,4 +148,4 @@ sub pluginmain { ::rptMsg(""); } -1; \ No newline at end of file +1; diff --git a/RecentActivity/release/rr/plugins/officedocs2010.pl b/RecentActivity/release/rr/plugins/officedocs2010.pl index 632751196c..2783dc01f6 100644 --- a/RecentActivity/release/rr/plugins/officedocs2010.pl +++ b/RecentActivity/release/rr/plugins/officedocs2010.pl @@ -218,4 +218,4 @@ sub pluginmain { } } -1; \ No newline at end of file +1; diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java index 840850238a..61b38ce261 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java @@ -144,7 +144,7 @@ public class ExtractRegistry extends Extract { } /** - * Identifies registry files in the database by name, runs regripper on them, and parses the output. + * Identifies registry files in the database by mtimeItem, runs regripper on them, and parses the output. * * @param dataSource * @param controller 
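Review bot: The added `::rptMsg(" ".gmtime($of_key->get_timestamp())."");` calls a method on `$of_key` before the `if ($of_key) {` guard two lines below it, so a hive without the `Software\Microsoft\Office\<version>` key makes the plugin die with "Can't call method get_timestamp on an undefined value" instead of producing no output. Move the call inside the `if ($of_key) {` block, or append `if $of_key;` to the statement. `sub pluginmain` continues outside the hunk.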
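Review bot: The Javadoc now reads "Identifies registry files in the database by mtimeItem", which looks like a global rename of `name` that also rewrote prose; the original "by name" was correct and should be restored. The same replacement damaged the @@ -263 hunk, where `Base mtimeItem that will be extended on` should read `Base name that will be extended on`, and the commented-out line in the @@ -410 hunk (`"RecentActivity", dataType, mtimeItem)`), none of which refers to any variable called mtimeItem.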
@@ -263,7 +263,7 @@ public class ExtractRegistry extends Extract { /** * Execute regripper on the given registry. * @param regFilePath Path to local copy of registry - * @param outFilePathBase Path to location to save output file to. Base name that will be extended on + * @param outFilePathBase Path to location to save output file to. Base mtimeItem that will be extended on */ private RegOutputFiles executeRegRip(String regFilePath, String outFilePathBase) { String autopsyType = ""; // Type argument for rr for autopsy-specific modules @@ -379,18 +379,19 @@ public class ExtractRegistry extends Extract { int len = children.getLength(); for (int i = 0; i < len; i++) { Element tempnode = (Element) children.item(i); - String context = tempnode.getNodeName(); + + String dataType = tempnode.getNodeName(); - NodeList timenodes = tempnode.getElementsByTagName("time"); - Long time = null; + NodeList timenodes = tempnode.getElementsByTagName("mtime"); + Long mtime = null; if (timenodes.getLength() > 0) { Element timenode = (Element) timenodes.item(0); String etime = timenode.getTextContent(); try { Long epochtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(etime).getTime(); - time = epochtime.longValue(); - String Tempdate = time.toString(); - time = Long.valueOf(Tempdate) / 1000; + mtime = epochtime.longValue(); + String Tempdate = mtime.toString(); + mtime = Long.valueOf(Tempdate) / 1000; } catch (ParseException ex) { logger.log(Level.WARNING, "Failed to parse epoch time when parsing the registry."); } 
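Review bot: `new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(etime)` parses the string with the JVM's default locale and time zone, while the plugins now produce it with Perl's `gmtime`, i.e. English day and month names in UTC; on a non-English default locale the parse fails outright, and in any other zone the resulting `mtime` is shifted by the local UTC offset, which defeats the normalization this commit is after. Build the formatter with `Locale.US` and set it to UTC (both from java.util): `SimpleDateFormat fmt = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy", Locale.US); fmt.setTimeZone(TimeZone.getTimeZone("UTC")); mtime = fmt.parse(etime).getTime() / 1000;`, which also replaces the `toString()`/`Long.valueOf` round trip whose only effect is the division by 1000. The uninstall branch in the @@ -446 hunk has the same parse and needs the same treatment. The ParseException warning would be more useful if it included `etime` and the exception.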
@@ -410,27 +411,25 @@ public class ExtractRegistry extends Extract { // If it has attributes, then it is an Element (based off API) if (artchild.hasAttributes()) { Element artnode = (Element) artchild; - String name = artnode.getAttribute("name"); + String value = artnode.getTextContent().trim(); Collection bbattributes = new ArrayList(); - if ("recentdocs".equals(context)) { + if ("recentdocs".equals(dataType)) { // BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT); - // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time)); - // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", context, name)); - // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", context, value)); + // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", dataType, mtime)); + // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", dataType, mtimeItem)); + // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", dataType, value)); // bbart.addAttributes(bbattributes); // @@@ BC: Why are we ignoring this... 
} - else if ("usb".equals(context)) { - try { - Long utime = null; - utime = Long.parseLong(name); - String Tempdate = utime.toString(); - utime = Long.valueOf(Tempdate); + else if ("usb".equals(dataType)) { + try { + Long usbMtime = Long.parseLong(artnode.getAttribute("mtime")); + usbMtime = Long.valueOf(usbMtime.toString()); BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_DEVICE_ATTACHED); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", utime)); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", usbMtime)); String dev = artnode.getAttribute("dev"); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL.getTypeID(), "RecentActivity", dev)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_ID.getTypeID(), "RecentActivity", value)); 
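Review bot: `usbMtime = Long.valueOf(usbMtime.toString());` in the usb branch re-parses the value that `Long.parseLong` just produced, so it is a no-op and `Long usbMtime = Long.parseLong(artnode.getAttribute("mtime"));` alone is enough. Note that `Element.getAttribute` returns an empty string when the attribute is absent, so a record without `mtime` makes `parseLong` throw NumberFormatException; the catch that closes this `try` lies outside the hunk and, if it only handles TskCoreException as the "Error adding device attached artifact" message suggests, that exception would abort the whole parse loop rather than skip the one record, so catching NumberFormatException here and logging a warning is worth adding. The enclosing method starts and ends outside the hunk.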
@@ -446,29 +445,27 @@ public class ExtractRegistry extends Extract { logger.log(Level.SEVERE, "Error adding device attached artifact to blackboard."); } } - else if ("uninstall".equals(context)) { - Long ftime = null; + else if ("uninstall".equals(dataType)) { + Long itemMtime = null; try { - Long epochtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(name).getTime(); - ftime = epochtime.longValue(); - ftime = ftime / 1000; + Long epochtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(artnode.getAttribute("mtime")).getTime(); + itemMtime = epochtime.longValue(); + itemMtime = itemMtime / 1000; } catch (ParseException e) { logger.log(Level.WARNING, "Failed to parse epoch time for installed program artifact."); } try { - if (time != null) { - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "RecentActivity", time)); - } bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", value)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", ftime)); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", itemMtime)); BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG); bbart.addAttributes(bbattributes); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error adding installed program artifact to blackboard."); } } - else if ("WinVersion".equals(context)) { + else if ("WinVersion".equals(dataType)) { + String name = artnode.getAttribute("name"); if (name.contains("ProductName")) { winver = value; 
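Review bot: When the `mtime` attribute fails to parse, `itemMtime` stays null and is still passed to `new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", itemMtime)`; if that constructor takes a primitive long (I cannot tell from the hunk), the unboxing NullPointerException is not a TskCoreException and escapes the surrounding `try`. Guard it the way the office branch in the @@ -496 hunk guards `mtime`: `if (itemMtime != null) { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", itemMtime)); }`. The two steps `itemMtime = epochtime.longValue(); itemMtime = itemMtime / 1000;` can be the single `itemMtime = epochtime / 1000;`. The enclosing method continues outside the hunk.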
@@ -496,11 +493,14 @@ public class ExtractRegistry extends Extract { } } } - else if ("office".equals(context)) { + else if ("office".equals(dataType)) { + String name = artnode.getAttribute("name"); + try { BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT); - if (time != null) { - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "RecentActivity", time)); + // @@@ BC: Consider removing this after some more testing. It looks like an Mtime associated with the root key and not the individual item + if (mtime != null) { + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "RecentActivity", mtime)); } bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", name)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", value));