normalized timestamps in registry analysis, updated reports
This commit is contained in:
parent
6767cc42ab
commit
2d80d2ee21
@ -842,7 +842,7 @@ public class ReportGenerator {
|
||||
columnHeaders = new ArrayList<>(Arrays.asList(new String[] {"Destination", "Source URL", "Date Accessed", "Program", "Source File"}));
|
||||
break;
|
||||
case TSK_RECENT_OBJECT:
|
||||
columnHeaders = new ArrayList<>(Arrays.asList(new String[] {"Path", "Source File"}));
|
||||
columnHeaders = new ArrayList<>(Arrays.asList(new String[] {"Path", "Date/Time", "Source File"}));
|
||||
break;
|
||||
case TSK_INSTALLED_PROG:
|
||||
columnHeaders = new ArrayList<>(Arrays.asList(new String[] {"Program Name", "Install Date/Time", "Source File"}));
|
||||
@ -1030,6 +1030,7 @@ public class ReportGenerator {
|
||||
case TSK_RECENT_OBJECT:
|
||||
List<String> recent = new ArrayList<>();
|
||||
recent.add(attributes.get(ATTRIBUTE_TYPE.TSK_PATH.getTypeID()));
|
||||
recent.add(attributes.get(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID()));
|
||||
recent.add(getFileUniquePath(artifactData.getObjectID()));
|
||||
return recent;
|
||||
case TSK_INSTALLED_PROG:
|
||||
|
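Review bot: The new "Date/Time" column for TSK_RECENT_OBJECT is filled from `ATTRIBUTE_TYPE.TSK_DATETIME`, but the recent-object artifacts this same commit creates in ExtractRegistry (the "office" branch) store their timestamp as `TSK_DATETIME_ACCESSED`, and the "recentdocs" branch that would add one is still commented out, so as far as this page shows the lookup returns null and a null cell lands in the row. Either read `attributes.get(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID())` here or have ExtractRegistry write TSK_DATETIME, and in both cases guard the add: `String dt = attributes.get(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID()); recent.add(dt == null ? "" : dt);`. Other producers of TSK_RECENT_OBJECT may exist outside this page, so which side to change should be checked against them. The switch statements containing both hunks start and end outside the hunks.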
@ -47,7 +47,7 @@ sub pluginmain {
|
||||
|
||||
my @vals = $key->get_list_of_values();
|
||||
::rptMsg("<runMRU>");
|
||||
::rptMsg("<time>".gmtime($key->get_timestamp())."</time>");
|
||||
::rptMsg("<mtime>".gmtime($key->get_timestamp())."</mtime>");
|
||||
::rptMsg("<artifacts>");
|
||||
my %runvals;
|
||||
my $mru;
|
||||
|
@ -48,7 +48,7 @@ sub pluginmain {
|
||||
#::rptMsg("Logon User Name");
|
||||
#::rptMsg($key_path);
|
||||
::rptMsg("<logon>");
|
||||
::rptMsg("<time>".gmtime($key->get_timestamp())."</time><artifacts>");
|
||||
::rptMsg("<mtime>".gmtime($key->get_timestamp())."</mtime><artifacts>");
|
||||
foreach my $v (@vals) {
|
||||
if ($v->get_name() eq $logon_name) {
|
||||
::rptMsg("<user name=\"".$logon_name."\"> ".$v->get_data() ."</user>");
|
||||
|
@ -49,7 +49,7 @@ sub pluginmain {
|
||||
#::rptMsg("RecentDocs");
|
||||
#::rptMsg("**All values printed in MRUList\\MRUListEx order.");
|
||||
#::rptMsg($key_path);
|
||||
::rptMsg("<recentdocs><time>".gmtime($key->get_timestamp())."</time><artifacts>");
|
||||
::rptMsg("<recentdocs><mtime>".gmtime($key->get_timestamp())."</mtime><artifacts>");
|
||||
# Get RecentDocs values
|
||||
my %rdvals = getRDValues($key);
|
||||
if (%rdvals) {
|
||||
|
@ -48,7 +48,7 @@ sub pluginmain {
|
||||
my $key;
|
||||
if ($key = $root_key->get_subkey($key_path)) {
|
||||
::rptMsg("<shellfolders>");
|
||||
::rptMsg("<time>".gmtime($key->get_timestamp())."</time>");
|
||||
::rptMsg("<mtime>".gmtime($key->get_timestamp())."</mtime>");
|
||||
|
||||
my @vals = $key->get_list_of_values();
|
||||
::rptMsg("<artifacts>");
|
||||
|
@ -51,7 +51,7 @@ sub pluginmain {
|
||||
#::rptMsg($key_path);
|
||||
#::rptMsg("");
|
||||
::rptMsg("<uninstall>");
|
||||
::rptMsg("<time>".gmtime($key->get_timestamp())."</time>");
|
||||
::rptMsg("<mtime>".gmtime($key->get_timestamp())."</mtime>");
|
||||
::rptMsg("<artifacts>");
|
||||
my %uninst;
|
||||
my @subkeys = $key->get_list_of_subkeys();
|
||||
@ -73,9 +73,9 @@ sub pluginmain {
|
||||
push(@{$uninst{$lastwrite}},$display);
|
||||
}
|
||||
foreach my $t (reverse sort {$a <=> $b} keys %uninst) {
|
||||
#::rptMsg("<item name=\"". gmtime($t)."\">");
|
||||
#::rptMsg("<item mtime=\"". gmtime($t)."\">");
|
||||
foreach my $item (@{$uninst{$t}}) {
|
||||
::rptMsg("<item name=\"". gmtime($t)."\">" .$item."</item>");
|
||||
::rptMsg("<item mtime=\"". gmtime($t)."\">" .$item."</item>");
|
||||
}
|
||||
#::rptMsg("");
|
||||
}
|
||||
|
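Review bot: The new `<item mtime="…">` line still concatenates `$item` (the uninstall DisplayName collected above the hunk) into the XML unescaped, so a display name containing `<`, `>` or `&` yields malformed output that the Java DOM parser will reject for the whole hive; the `usb` plugin's `<device …>` line has the same problem with `$serial`. Escape the text before emitting it, e.g. `(my $safe = $item) =~ s/&/&amp;/g; $safe =~ s/</&lt;/g; $safe =~ s/>/&gt;/g;` and print `$safe`, or add a small `_xml_escape` helper shared by the plugins. pluginmain starts and ends outside this hunk.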
@ -59,7 +59,7 @@ sub pluginmain {
|
||||
my $key_path = $ccs."\\Enum\\USB";
|
||||
my $key;
|
||||
if ($key = $root_key->get_subkey($key_path)) {
|
||||
::rptMsg("<usb><time>N/A</time><artifacts>");
|
||||
::rptMsg("<usb><mtime></mtime><artifacts>");
|
||||
|
||||
my @subkeys = $key->get_list_of_subkeys();
|
||||
if (scalar(@subkeys) > 0) {
|
||||
@ -69,8 +69,8 @@ sub pluginmain {
|
||||
if (scalar(@sk) > 0) {
|
||||
foreach my $k (@sk) {
|
||||
my $serial = $k->get_name();
|
||||
my $sn_lw = $k->get_timestamp();
|
||||
my $str = $comp_name.",".$dev_class.",".$serial.",".$sn_lw;
|
||||
my $mtime = $k->get_timestamp();
|
||||
my $str = $comp_name.",".$dev_class.",".$serial.",".$mtime;
|
||||
|
||||
my $loc;
|
||||
eval {
|
||||
@ -94,7 +94,7 @@ sub pluginmain {
|
||||
};
|
||||
|
||||
|
||||
::rptMsg("<device name=\"" . $sn_lw. "\" dev=\"" . $dev_class . "\" >" . $serial . "</device>");
|
||||
::rptMsg("<device mtime=\"" . $mtime. "\" dev=\"" . $dev_class . "\" >" . $serial . "</device>");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
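Review bot: `<usb><mtime></mtime><artifacts>` emits an empty mtime element, and on the Java side (ExtractRegistry hunk at -379) an element with empty text passes `timenodes.getLength() > 0` and reaches `SimpleDateFormat.parse("")`, which throws and logs a WARNING on every run; the `WinVersion` plugin's `<mtime></mtime>` does the same. Either omit the element when the key has no meaningful timestamp, `::rptMsg("<usb><artifacts>");`, or have the parser skip blank text with `if (!etime.trim().isEmpty())` before parsing. Note also that the usb `mtime=` attribute carries the raw epoch integer from `get_timestamp()` while the uninstall `mtime=` attribute carries a `gmtime` string; the two Java branches parse them differently, so the per-plugin format should be stated in a comment at the top of each plugin. pluginmain starts and ends outside this hunk.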
@ -32,7 +32,7 @@ sub pluginmain {
|
||||
my $reg = Parse::Win32Registry->new($hive);
|
||||
my $root_key = $reg->get_root_key;
|
||||
::rptMsg("<WinVersion>");
|
||||
::rptMsg("<time>Not Available</time>");
|
||||
::rptMsg("<mtime></mtime>");
|
||||
::rptMsg("<artifacts>");
|
||||
my $key_path = "Microsoft\\Windows NT\\CurrentVersion";
|
||||
my $key;
|
||||
|
@ -56,8 +56,8 @@ sub pluginmain {
|
||||
#::rptMsg("MSOffice version ".$version." located.");
|
||||
my $key_path = "Software\\Microsoft\\Office\\".$version;
|
||||
my $of_key = $root_key->get_subkey($key_path);
|
||||
::rptMsg("<mtime> ".gmtime($of_key->get_timestamp())."</mtime>");
|
||||
::rptMsg("<artifacts>");
|
||||
::rptMsg("<time> ".gmtime($of_key->get_timestamp())."</time>");
|
||||
if ($of_key) {
|
||||
# Attempt to retrieve Word docs
|
||||
my @funcs = ("Open","Save As","File Save");
|
||||
|
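Review bot: The new `<mtime>` line calls `$of_key->get_timestamp()` before the `if ($of_key)` guard two lines below, so when `get_subkey` returns undef the plugin dies on a method call on an undefined value instead of reporting nothing; move the line (and the `<artifacts>` line) inside the `if` block. The text is also written as `"<mtime> "` with a leading space, unlike every other plugin in this commit, and it is not certain the Java `SimpleDateFormat.parse` tolerates it, so drop it: `::rptMsg("<mtime>".gmtime($of_key->get_timestamp())."</mtime>");`. pluginmain starts and ends outside this hunk.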
@ -144,7 +144,7 @@ public class ExtractRegistry extends Extract {
|
||||
}
|
||||
|
||||
/**
|
||||
* Identifies registry files in the database by name, runs regripper on them, and parses the output.
|
||||
* Identifies registry files in the database by mtimeItem, runs regripper on them, and parses the output.
|
||||
*
|
||||
* @param dataSource
|
||||
* @param controller
|
||||
@ -263,7 +263,7 @@ public class ExtractRegistry extends Extract {
|
||||
/**
|
||||
* Execute regripper on the given registry.
|
||||
* @param regFilePath Path to local copy of registry
|
||||
* @param outFilePathBase Path to location to save output file to. Base name that will be extended on
|
||||
* @param outFilePathBase Path to location to save output file to. Base mtimeItem that will be extended on
|
||||
*/
|
||||
private RegOutputFiles executeRegRip(String regFilePath, String outFilePathBase) {
|
||||
String autopsyType = ""; // Type argument for rr for autopsy-specific modules
|
||||
@ -379,18 +379,19 @@ public class ExtractRegistry extends Extract {
|
||||
int len = children.getLength();
|
||||
for (int i = 0; i < len; i++) {
|
||||
Element tempnode = (Element) children.item(i);
|
||||
String context = tempnode.getNodeName();
|
||||
|
||||
NodeList timenodes = tempnode.getElementsByTagName("time");
|
||||
Long time = null;
|
||||
String dataType = tempnode.getNodeName();
|
||||
|
||||
NodeList timenodes = tempnode.getElementsByTagName("mtime");
|
||||
Long mtime = null;
|
||||
if (timenodes.getLength() > 0) {
|
||||
Element timenode = (Element) timenodes.item(0);
|
||||
String etime = timenode.getTextContent();
|
||||
try {
|
||||
Long epochtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(etime).getTime();
|
||||
time = epochtime.longValue();
|
||||
String Tempdate = time.toString();
|
||||
time = Long.valueOf(Tempdate) / 1000;
|
||||
mtime = epochtime.longValue();
|
||||
String Tempdate = mtime.toString();
|
||||
mtime = Long.valueOf(Tempdate) / 1000;
|
||||
} catch (ParseException ex) {
|
||||
logger.log(Level.WARNING, "Failed to parse epoch time when parsing the registry.");
|
||||
}
|
||||
@ -410,27 +411,25 @@ public class ExtractRegistry extends Extract {
|
||||
// If it has attributes, then it is an Element (based off API)
|
||||
if (artchild.hasAttributes()) {
|
||||
Element artnode = (Element) artchild;
|
||||
String name = artnode.getAttribute("name");
|
||||
|
||||
String value = artnode.getTextContent().trim();
|
||||
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
|
||||
|
||||
if ("recentdocs".equals(context)) {
|
||||
if ("recentdocs".equals(dataType)) {
|
||||
// BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
|
||||
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time));
|
||||
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", context, name));
|
||||
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", context, value));
|
||||
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", dataType, mtime));
|
||||
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", dataType, mtimeItem));
|
||||
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", dataType, value));
|
||||
// bbart.addAttributes(bbattributes);
|
||||
// @@@ BC: Why are we ignoring this...
|
||||
}
|
||||
else if ("usb".equals(context)) {
|
||||
else if ("usb".equals(dataType)) {
|
||||
try {
|
||||
Long utime = null;
|
||||
utime = Long.parseLong(name);
|
||||
String Tempdate = utime.toString();
|
||||
utime = Long.valueOf(Tempdate);
|
||||
Long usbMtime = Long.parseLong(artnode.getAttribute("mtime"));
|
||||
usbMtime = Long.valueOf(usbMtime.toString());
|
||||
|
||||
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_DEVICE_ATTACHED);
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", utime));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", usbMtime));
|
||||
String dev = artnode.getAttribute("dev");
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL.getTypeID(), "RecentActivity", dev));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_ID.getTypeID(), "RecentActivity", value));
|
||||
@ -446,29 +445,27 @@ public class ExtractRegistry extends Extract {
|
||||
logger.log(Level.SEVERE, "Error adding device attached artifact to blackboard.");
|
||||
}
|
||||
}
|
||||
else if ("uninstall".equals(context)) {
|
||||
Long ftime = null;
|
||||
else if ("uninstall".equals(dataType)) {
|
||||
Long itemMtime = null;
|
||||
try {
|
||||
Long epochtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(name).getTime();
|
||||
ftime = epochtime.longValue();
|
||||
ftime = ftime / 1000;
|
||||
Long epochtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(artnode.getAttribute("mtime")).getTime();
|
||||
itemMtime = epochtime.longValue();
|
||||
itemMtime = itemMtime / 1000;
|
||||
} catch (ParseException e) {
|
||||
logger.log(Level.WARNING, "Failed to parse epoch time for installed program artifact.");
|
||||
}
|
||||
|
||||
try {
|
||||
if (time != null) {
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "RecentActivity", time));
|
||||
}
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", value));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", ftime));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", itemMtime));
|
||||
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG);
|
||||
bbart.addAttributes(bbattributes);
|
||||
} catch (TskCoreException ex) {
|
||||
logger.log(Level.SEVERE, "Error adding installed program artifact to blackboard.");
|
||||
}
|
||||
}
|
||||
else if ("WinVersion".equals(context)) {
|
||||
else if ("WinVersion".equals(dataType)) {
|
||||
String name = artnode.getAttribute("name");
|
||||
|
||||
if (name.contains("ProductName")) {
|
||||
winver = value;
|
||||
@ -496,11 +493,14 @@ public class ExtractRegistry extends Extract {
|
||||
}
|
||||
}
|
||||
}
|
||||
else if ("office".equals(context)) {
|
||||
else if ("office".equals(dataType)) {
|
||||
String name = artnode.getAttribute("name");
|
||||
|
||||
try {
|
||||
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
|
||||
if (time != null) {
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "RecentActivity", time));
|
||||
// @@@ BC: Consider removing this after some more testing. It looks like an Mtime associated with the root key and not the individual item
|
||||
if (mtime != null) {
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "RecentActivity", mtime));
|
||||
}
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", name));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", value));
|
||||
|
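Review bot: The `mtime` text parsed in the hunk at -379 is produced by Perl's `gmtime`, i.e. UTC, but `new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy")` parses in the JVM's default time zone and locale, so the stored epoch is shifted by the analyst machine's UTC offset and the parse fails outright under a non-English locale; the uninstall parse in the hunk at -446 has the same issue. Build the formatter once with `SimpleDateFormat fmt = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy", Locale.US); fmt.setTimeZone(TimeZone.getTimeZone("UTC"));` (both from java.util) and use `fmt.parse(etime).getTime() / 1000` directly, which also removes the `Tempdate` string round-trip. Separately, the search-and-replace in this commit corrupted two Javadoc comments at -144 and -263: "by mtimeItem" and "Base mtimeItem" should read "by name" and "Base name". The enclosing method spans well beyond these hunks.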