normalized timestamps in registry analysis, updated reports

This commit is contained in:
Brian Carrier 2013-10-26 23:37:48 -04:00
parent 6767cc42ab
commit 2d80d2ee21
11 changed files with 57 additions and 56 deletions


@ -842,7 +842,7 @@ public class ReportGenerator {
columnHeaders = new ArrayList<>(Arrays.asList(new String[] {"Destination", "Source URL", "Date Accessed", "Program", "Source File"})); columnHeaders = new ArrayList<>(Arrays.asList(new String[] {"Destination", "Source URL", "Date Accessed", "Program", "Source File"}));
break; break;
case TSK_RECENT_OBJECT: case TSK_RECENT_OBJECT:
columnHeaders = new ArrayList<>(Arrays.asList(new String[] {"Path", "Source File"})); columnHeaders = new ArrayList<>(Arrays.asList(new String[] {"Path", "Date/Time", "Source File"}));
break; break;
case TSK_INSTALLED_PROG: case TSK_INSTALLED_PROG:
columnHeaders = new ArrayList<>(Arrays.asList(new String[] {"Program Name", "Install Date/Time", "Source File"})); columnHeaders = new ArrayList<>(Arrays.asList(new String[] {"Program Name", "Install Date/Time", "Source File"}));
@ -1030,6 +1030,7 @@ public class ReportGenerator {
case TSK_RECENT_OBJECT: case TSK_RECENT_OBJECT:
List<String> recent = new ArrayList<>(); List<String> recent = new ArrayList<>();
recent.add(attributes.get(ATTRIBUTE_TYPE.TSK_PATH.getTypeID())); recent.add(attributes.get(ATTRIBUTE_TYPE.TSK_PATH.getTypeID()));
recent.add(attributes.get(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID()));
recent.add(getFileUniquePath(artifactData.getObjectID())); recent.add(getFileUniquePath(artifactData.getObjectID()));
return recent; return recent;
case TSK_INSTALLED_PROG: case TSK_INSTALLED_PROG:
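Review bot: The new `recent.add(attributes.get(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID()));` line in the TSK_RECENT_OBJECT case inserts whatever `get` returns for an artifact that has no TSK_DATETIME, and the office branch of ExtractRegistry in this same commit attaches TSK_DATETIME_ACCESSED rather than TSK_DATETIME to the TSK_RECENT_OBJECT artifacts it creates, so those rows will get a null "Date/Time" cell. Unless the report writer already maps null to an empty string, a defensive form is `String dt = attributes.get(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID()); recent.add(dt != null ? dt : "");`. The declaration of `attributes` is not visible here, so whether `get` can return null should be confirmed against it; the enclosing method starts and ends outside the hunk.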


@ -47,7 +47,7 @@ sub pluginmain {
my @vals = $key->get_list_of_values(); my @vals = $key->get_list_of_values();
::rptMsg("<runMRU>"); ::rptMsg("<runMRU>");
::rptMsg("<time>".gmtime($key->get_timestamp())."</time>"); ::rptMsg("<mtime>".gmtime($key->get_timestamp())."</mtime>");
::rptMsg("<artifacts>"); ::rptMsg("<artifacts>");
my %runvals; my %runvals;
my $mru; my $mru;
@ -75,4 +75,4 @@ sub pluginmain {
} }
1; 1;
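Review bot: The renamed element on the `::rptMsg("<mtime>".gmtime($key->get_timestamp())."</mtime>");` line still carries a human-readable `gmtime` string, which the Java consumer in this commit turns back into epoch seconds through a `SimpleDateFormat("EEE MMM d HH:mm:ss yyyy")` constructed without an explicit Locale, so the round trip depends on the JVM default locale accepting English day and month names. Emitting the raw value, `::rptMsg("<mtime>".$key->get_timestamp()."</mtime>");`, would make the element a plain integer like the `mtime` attribute the USB plugin already writes and would remove the parse step and its warning path entirely. The same applies to the logon, recentdocs, shellfolders, uninstall and office plugins in this commit; pluginmain starts and ends outside the hunk.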


@ -48,7 +48,7 @@ sub pluginmain {
#::rptMsg("Logon User Name"); #::rptMsg("Logon User Name");
#::rptMsg($key_path); #::rptMsg($key_path);
::rptMsg("<logon>"); ::rptMsg("<logon>");
::rptMsg("<time>".gmtime($key->get_timestamp())."</time><artifacts>"); ::rptMsg("<mtime>".gmtime($key->get_timestamp())."</mtime><artifacts>");
foreach my $v (@vals) { foreach my $v (@vals) {
if ($v->get_name() eq $logon_name) { if ($v->get_name() eq $logon_name) {
::rptMsg("<user name=\"".$logon_name."\"> ".$v->get_data() ."</user>"); ::rptMsg("<user name=\"".$logon_name."\"> ".$v->get_data() ."</user>");
@ -67,4 +67,4 @@ sub pluginmain {
} }
} }
1; 1;


@ -49,7 +49,7 @@ sub pluginmain {
#::rptMsg("RecentDocs"); #::rptMsg("RecentDocs");
#::rptMsg("**All values printed in MRUList\\MRUListEx order."); #::rptMsg("**All values printed in MRUList\\MRUListEx order.");
#::rptMsg($key_path); #::rptMsg($key_path);
::rptMsg("<recentdocs><time>".gmtime($key->get_timestamp())."</time><artifacts>"); ::rptMsg("<recentdocs><mtime>".gmtime($key->get_timestamp())."</mtime><artifacts>");
# Get RecentDocs values # Get RecentDocs values
my %rdvals = getRDValues($key); my %rdvals = getRDValues($key);
if (%rdvals) { if (%rdvals) {
@ -158,4 +158,4 @@ sub getRDValues {
} }
} }
1; 1;


@ -48,7 +48,7 @@ sub pluginmain {
my $key; my $key;
if ($key = $root_key->get_subkey($key_path)) { if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("<shellfolders>"); ::rptMsg("<shellfolders>");
::rptMsg("<time>".gmtime($key->get_timestamp())."</time>"); ::rptMsg("<mtime>".gmtime($key->get_timestamp())."</mtime>");
my @vals = $key->get_list_of_values(); my @vals = $key->get_list_of_values();
::rptMsg("<artifacts>"); ::rptMsg("<artifacts>");
@ -69,4 +69,4 @@ sub pluginmain {
#::logMsg($key_path." not found."); #::logMsg($key_path." not found.");
} }
} }
1; 1;


@ -51,7 +51,7 @@ sub pluginmain {
#::rptMsg($key_path); #::rptMsg($key_path);
#::rptMsg(""); #::rptMsg("");
::rptMsg("<uninstall>"); ::rptMsg("<uninstall>");
::rptMsg("<time>".gmtime($key->get_timestamp())."</time>"); ::rptMsg("<mtime>".gmtime($key->get_timestamp())."</mtime>");
::rptMsg("<artifacts>"); ::rptMsg("<artifacts>");
my %uninst; my %uninst;
my @subkeys = $key->get_list_of_subkeys(); my @subkeys = $key->get_list_of_subkeys();
@ -73,9 +73,9 @@ sub pluginmain {
push(@{$uninst{$lastwrite}},$display); push(@{$uninst{$lastwrite}},$display);
} }
foreach my $t (reverse sort {$a <=> $b} keys %uninst) { foreach my $t (reverse sort {$a <=> $b} keys %uninst) {
#::rptMsg("<item name=\"". gmtime($t)."\">"); #::rptMsg("<item mtime=\"". gmtime($t)."\">");
foreach my $item (@{$uninst{$t}}) { foreach my $item (@{$uninst{$t}}) {
::rptMsg("<item name=\"". gmtime($t)."\">" .$item."</item>"); ::rptMsg("<item mtime=\"". gmtime($t)."\">" .$item."</item>");
} }
#::rptMsg(""); #::rptMsg("");
} }
@ -89,4 +89,4 @@ sub pluginmain {
} }
::rptMsg("</artifacts></uninstall>"); ::rptMsg("</artifacts></uninstall>");
} }
1; 1;
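Review bot: The `::rptMsg("<item mtime=\"". gmtime($t)."\">" .$item."</item>");` line in the second hunk writes `$item` straight into the XML body, and the `$display` values pushed into `%uninst` appear to be taken from the hive under examination, so a single `&` or `<` in a program's display name yields malformed XML that the DOM parser on the Java side rejects for the whole report rather than for that one value. Escaping the XML metacharacters before emitting confines the damage; the USB plugin's `<device>` line has the same exposure through `$serial` and `$dev_class`, and the logon plugin's `<user>` line through `$v->get_data()`. Since each plugin is a separate file, a small helper would need to be added to each; the uninstall version is shown below. pluginmain starts and ends outside the hunks.
```perl
# … unchanged: per-subkey loop that fills %uninst …
foreach my $t (reverse sort {$a <=> $b} keys %uninst) {
    foreach my $item (@{$uninst{$t}}) {
        ::rptMsg("<item mtime=\"". gmtime($t)."\">" ._xml_escape($item)."</item>");
    }
}
# … unchanged: closing tags and not-found branch …

# Escape the XML metacharacters so report data cannot break the document structure.
sub _xml_escape {
    my ($text) = @_;
    $text = '' unless defined $text;
    for ($text) {
        s/&/&amp;/g;
        s/</&lt;/g;
        s/>/&gt;/g;
        s/"/&quot;/g;
        s/'/&apos;/g;
    }
    return $text;
}
```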


@ -59,7 +59,7 @@ sub pluginmain {
my $key_path = $ccs."\\Enum\\USB"; my $key_path = $ccs."\\Enum\\USB";
my $key; my $key;
if ($key = $root_key->get_subkey($key_path)) { if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("<usb><time>N/A</time><artifacts>"); ::rptMsg("<usb><mtime></mtime><artifacts>");
my @subkeys = $key->get_list_of_subkeys(); my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) { if (scalar(@subkeys) > 0) {
@ -69,8 +69,8 @@ sub pluginmain {
if (scalar(@sk) > 0) { if (scalar(@sk) > 0) {
foreach my $k (@sk) { foreach my $k (@sk) {
my $serial = $k->get_name(); my $serial = $k->get_name();
my $sn_lw = $k->get_timestamp(); my $mtime = $k->get_timestamp();
my $str = $comp_name.",".$dev_class.",".$serial.",".$sn_lw; my $str = $comp_name.",".$dev_class.",".$serial.",".$mtime;
my $loc; my $loc;
eval { eval {
@ -94,7 +94,7 @@ sub pluginmain {
}; };
::rptMsg("<device name=\"" . $sn_lw. "\" dev=\"" . $dev_class . "\" >" . $serial . "</device>"); ::rptMsg("<device mtime=\"" . $mtime. "\" dev=\"" . $dev_class . "\" >" . $serial . "</device>");
} }
} }
} }
@ -110,4 +110,4 @@ sub pluginmain {
#::logMsg($key_path." not found."); #::logMsg($key_path." not found.");
} }
} }
1; 1;
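Review bot: The new `::rptMsg("<usb><mtime></mtime><artifacts>");` line emits an empty `<mtime>` element, and the Java parser in this commit only checks `timenodes.getLength() > 0` before handing the text to `SimpleDateFormat.parse`, so each run of this plugin that finds the Enum\USB key will log "Failed to parse epoch time when parsing the registry." for a value that was never meant to be a time; the WinVersion plugin's `<mtime></mtime>` line does the same. Dropping the element, `::rptMsg("<usb><artifacts>");`, leaves `mtime` null on the Java side without a parse attempt, or the parser could skip the parse when `etime.trim().isEmpty()`. pluginmain starts and ends outside the hunks.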


@ -32,7 +32,7 @@ sub pluginmain {
my $reg = Parse::Win32Registry->new($hive); my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key; my $root_key = $reg->get_root_key;
::rptMsg("<WinVersion>"); ::rptMsg("<WinVersion>");
::rptMsg("<time>Not Available</time>"); ::rptMsg("<mtime></mtime>");
::rptMsg("<artifacts>"); ::rptMsg("<artifacts>");
my $key_path = "Microsoft\\Windows NT\\CurrentVersion"; my $key_path = "Microsoft\\Windows NT\\CurrentVersion";
my $key; my $key;
@ -106,4 +106,4 @@ sub pluginmain {
} }
::rptMsg("</artifacts></WinVersion>"); ::rptMsg("</artifacts></WinVersion>");
} }
1; 1;


@ -56,8 +56,8 @@ sub pluginmain {
#::rptMsg("MSOffice version ".$version." located."); #::rptMsg("MSOffice version ".$version." located.");
my $key_path = "Software\\Microsoft\\Office\\".$version; my $key_path = "Software\\Microsoft\\Office\\".$version;
my $of_key = $root_key->get_subkey($key_path); my $of_key = $root_key->get_subkey($key_path);
::rptMsg("<mtime> ".gmtime($of_key->get_timestamp())."</mtime>");
::rptMsg("<artifacts>"); ::rptMsg("<artifacts>");
::rptMsg("<time> ".gmtime($of_key->get_timestamp())."</time>");
if ($of_key) { if ($of_key) {
# Attempt to retrieve Word docs # Attempt to retrieve Word docs
my @funcs = ("Open","Save As","File Save"); my @funcs = ("Open","Save As","File Save");
@ -148,4 +148,4 @@ sub pluginmain {
::rptMsg("</artifacts></office>"); ::rptMsg("</artifacts></office>");
} }
1; 1;
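Review bot: The added `::rptMsg("<mtime> ".gmtime($of_key->get_timestamp())."</mtime>");` line calls a method on `$of_key` three lines before the `if ($of_key)` guard, so when `get_subkey` returns undef for a listed Office version (the guard implies it can) the plugin dies with a "Can't call method get_timestamp on an undefined value" error instead of reporting an empty section; the removed `<time>` line had the same ordering problem, so the commit moved it without fixing it. Writing `::rptMsg("<mtime>".($of_key ? gmtime($of_key->get_timestamp()) : "")."</mtime>");` keeps the output shape while tolerating a missing key, and also drops the stray space after `<mtime>` that no other plugin in this commit emits. pluginmain starts and ends outside the hunk.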


@ -218,4 +218,4 @@ sub pluginmain {
} }
} }
1; 1;


@ -144,7 +144,7 @@ public class ExtractRegistry extends Extract {
} }
/** /**
* Identifies registry files in the database by name, runs regripper on them, and parses the output. * Identifies registry files in the database by mtimeItem, runs regripper on them, and parses the output.
* *
* @param dataSource * @param dataSource
* @param controller * @param controller
@ -263,7 +263,7 @@ public class ExtractRegistry extends Extract {
/** /**
* Execute regripper on the given registry. * Execute regripper on the given registry.
* @param regFilePath Path to local copy of registry * @param regFilePath Path to local copy of registry
* @param outFilePathBase Path to location to save output file to. Base name that will be extended on * @param outFilePathBase Path to location to save output file to. Base mtimeItem that will be extended on
*/ */
private RegOutputFiles executeRegRip(String regFilePath, String outFilePathBase) { private RegOutputFiles executeRegRip(String regFilePath, String outFilePathBase) {
String autopsyType = ""; // Type argument for rr for autopsy-specific modules String autopsyType = ""; // Type argument for rr for autopsy-specific modules
@ -379,18 +379,19 @@ public class ExtractRegistry extends Extract {
int len = children.getLength(); int len = children.getLength();
for (int i = 0; i < len; i++) { for (int i = 0; i < len; i++) {
Element tempnode = (Element) children.item(i); Element tempnode = (Element) children.item(i);
String context = tempnode.getNodeName();
String dataType = tempnode.getNodeName();
NodeList timenodes = tempnode.getElementsByTagName("time"); NodeList timenodes = tempnode.getElementsByTagName("mtime");
Long time = null; Long mtime = null;
if (timenodes.getLength() > 0) { if (timenodes.getLength() > 0) {
Element timenode = (Element) timenodes.item(0); Element timenode = (Element) timenodes.item(0);
String etime = timenode.getTextContent(); String etime = timenode.getTextContent();
try { try {
Long epochtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(etime).getTime(); Long epochtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(etime).getTime();
time = epochtime.longValue(); mtime = epochtime.longValue();
String Tempdate = time.toString(); String Tempdate = mtime.toString();
time = Long.valueOf(Tempdate) / 1000; mtime = Long.valueOf(Tempdate) / 1000;
} catch (ParseException ex) { } catch (ParseException ex) {
logger.log(Level.WARNING, "Failed to parse epoch time when parsing the registry."); logger.log(Level.WARNING, "Failed to parse epoch time when parsing the registry.");
} }
@ -410,27 +411,25 @@ public class ExtractRegistry extends Extract {
// If it has attributes, then it is an Element (based off API) // If it has attributes, then it is an Element (based off API)
if (artchild.hasAttributes()) { if (artchild.hasAttributes()) {
Element artnode = (Element) artchild; Element artnode = (Element) artchild;
String name = artnode.getAttribute("name");
String value = artnode.getTextContent().trim(); String value = artnode.getTextContent().trim();
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
if ("recentdocs".equals(context)) { if ("recentdocs".equals(dataType)) {
// BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT); // BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time)); // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", dataType, mtime));
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", context, name)); // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", dataType, mtimeItem));
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", context, value)); // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", dataType, value));
// bbart.addAttributes(bbattributes); // bbart.addAttributes(bbattributes);
// @@@ BC: Why are we ignoring this... // @@@ BC: Why are we ignoring this...
} }
else if ("usb".equals(context)) { else if ("usb".equals(dataType)) {
try { try {
Long utime = null; Long usbMtime = Long.parseLong(artnode.getAttribute("mtime"));
utime = Long.parseLong(name); usbMtime = Long.valueOf(usbMtime.toString());
String Tempdate = utime.toString();
utime = Long.valueOf(Tempdate);
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_DEVICE_ATTACHED); BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_DEVICE_ATTACHED);
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", utime)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", usbMtime));
String dev = artnode.getAttribute("dev"); String dev = artnode.getAttribute("dev");
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL.getTypeID(), "RecentActivity", dev)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL.getTypeID(), "RecentActivity", dev));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_ID.getTypeID(), "RecentActivity", value)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_ID.getTypeID(), "RecentActivity", value));
@ -446,29 +445,27 @@ public class ExtractRegistry extends Extract {
logger.log(Level.SEVERE, "Error adding device attached artifact to blackboard."); logger.log(Level.SEVERE, "Error adding device attached artifact to blackboard.");
} }
} }
else if ("uninstall".equals(context)) { else if ("uninstall".equals(dataType)) {
Long ftime = null; Long itemMtime = null;
try { try {
Long epochtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(name).getTime(); Long epochtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(artnode.getAttribute("mtime")).getTime();
ftime = epochtime.longValue(); itemMtime = epochtime.longValue();
ftime = ftime / 1000; itemMtime = itemMtime / 1000;
} catch (ParseException e) { } catch (ParseException e) {
logger.log(Level.WARNING, "Failed to parse epoch time for installed program artifact."); logger.log(Level.WARNING, "Failed to parse epoch time for installed program artifact.");
} }
try { try {
if (time != null) {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "RecentActivity", time));
}
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", value)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", value));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", ftime)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", itemMtime));
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG); BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG);
bbart.addAttributes(bbattributes); bbart.addAttributes(bbattributes);
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Error adding installed program artifact to blackboard."); logger.log(Level.SEVERE, "Error adding installed program artifact to blackboard.");
} }
} }
else if ("WinVersion".equals(context)) { else if ("WinVersion".equals(dataType)) {
String name = artnode.getAttribute("name");
if (name.contains("ProductName")) { if (name.contains("ProductName")) {
winver = value; winver = value;
@ -496,11 +493,14 @@ public class ExtractRegistry extends Extract {
} }
} }
} }
else if ("office".equals(context)) { else if ("office".equals(dataType)) {
String name = artnode.getAttribute("name");
try { try {
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT); BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
if (time != null) { // @@@ BC: Consider removing this after some more testing. It looks like an Mtime associated with the root key and not the individual item
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "RecentActivity", time)); if (mtime != null) {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "RecentActivity", mtime));
} }
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", name)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", name));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", value)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", value));