FileExtMismatchIngestModule now has its own artifact type. Also moved file type id detector up in the pipeline.

This commit is contained in:
Samuel H. Kenyon 2013-12-12 18:57:46 -05:00
parent 2cc40406b4
commit 2fef207333
2 changed files with 14 additions and 11 deletions


@ -4,11 +4,11 @@ Contains only the core ingest modules that ship with Autopsy -->
<PIPELINE_CONFIG> <PIPELINE_CONFIG>
<PIPELINE type="FileAnalysis"> <PIPELINE type="FileAnalysis">
<MODULE order="1" type="plugin" location="org.sleuthkit.autopsy.hashdatabase.HashDbIngestModule" arguments="" /> <MODULE order="1" type="plugin" location="org.sleuthkit.autopsy.hashdatabase.HashDbIngestModule" arguments="" />
<MODULE order="2" type="plugin" location="org.sleuthkit.autopsy.sevenzip.SevenZipIngestModule" arguments="" /> <MODULE order="2" type="plugin" location="org.sleuthkit.autopsy.filetypeid.FileTypeIdIngestModule" arguments=""/>
<MODULE order="3" type="plugin" location="org.sleuthkit.autopsy.exifparser.ExifParserFileIngestModule"/> <MODULE order="3" type="plugin" location="org.sleuthkit.autopsy.sevenzip.SevenZipIngestModule" arguments="" />
<MODULE order="4" type="plugin" location="org.sleuthkit.autopsy.keywordsearch.KeywordSearchIngestModule"/> <MODULE order="4" type="plugin" location="org.sleuthkit.autopsy.exifparser.ExifParserFileIngestModule"/>
<MODULE order="5" type="plugin" location="org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule" arguments=""/> <MODULE order="5" type="plugin" location="org.sleuthkit.autopsy.keywordsearch.KeywordSearchIngestModule"/>
<MODULE order="6" type="plugin" location="org.sleuthkit.autopsy.filetypeid.FileTypeIdIngestModule" arguments=""/> <MODULE order="6" type="plugin" location="org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule" arguments=""/>
<MODULE order="7" type="plugin" location="org.sleuthkit.autopsy.fileextmismatch.FileExtMismatchIngestModule" arguments=""/> <MODULE order="7" type="plugin" location="org.sleuthkit.autopsy.fileextmismatch.FileExtMismatchIngestModule" arguments=""/>
</PIPELINE> </PIPELINE>
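Review bot: The new ordering encodes a dependency that nothing in the file states: FileTypeIdIngestModule is moved to order 2, apparently so that later modules can consume the detected file type, and FileExtMismatchIngestModule (order 7, "based on file signature" per its description) looks like one such consumer. A reader editing this pipeline later has no way to know that moving FileTypeId back down would silently break the mismatch module. I would add a comment next to the order-2 entry, e.g. `<!-- Must run before modules that rely on detected file type (e.g. FileExtMismatchIngestModule) -->`, and optionally a matching note on the order-7 entry. If the other modules also depend on it (the commit message only says it was "moved up"), say so in the same comment rather than leaving it implied.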


@ -63,6 +63,7 @@ public class FileExtMismatchIngestModule extends org.sleuthkit.autopsy.ingest.In
public final static String MODULE_NAME = "File Extension Mismatch Detection"; public final static String MODULE_NAME = "File Extension Mismatch Detection";
public final static String MODULE_DESCRIPTION = "Flags mismatched filename extensions based on file signature."; public final static String MODULE_DESCRIPTION = "Flags mismatched filename extensions based on file signature.";
public final static String MODULE_VERSION = Version.getVersion(); public final static String MODULE_VERSION = Version.getVersion();
private static final String ART_NAME = "TSK_MISMATCH";
private static final String ATTR_NAME = "TSK_FILE_TYPE_EXT_WRONG"; private static final String ATTR_NAME = "TSK_FILE_TYPE_EXT_WRONG";
private static final byte[] ATTR_VALUE_WRONG = {1}; private static final byte[] ATTR_VALUE_WRONG = {1};
private static final Logger logger = Logger.getLogger(FileExtMismatchIngestModule.class.getName()); private static final Logger logger = Logger.getLogger(FileExtMismatchIngestModule.class.getName());
@ -72,7 +73,8 @@ public class FileExtMismatchIngestModule extends org.sleuthkit.autopsy.ingest.In
private static long numFiles = 0; private static long numFiles = 0;
private static boolean skipKnown = false; private static boolean skipKnown = false;
private int attrId = -1; private int artId = -1;
private int attrId = -1;
private FileExtMismatchSimpleConfigPanel simpleConfigPanel; private FileExtMismatchSimpleConfigPanel simpleConfigPanel;
private IngestServices services; private IngestServices services;
private HashMap<String, String[]> SigTypeToExtMap = new HashMap<>(); private HashMap<String, String[]> SigTypeToExtMap = new HashMap<>();
@ -96,7 +98,7 @@ public class FileExtMismatchIngestModule extends org.sleuthkit.autopsy.ingest.In
public void init(IngestModuleInit initContext) { public void init(IngestModuleInit initContext) {
services = IngestServices.getDefault(); services = IngestServices.getDefault();
// Add a new attribute type // Add a new artifact and attribute type
SleuthkitCase sleuthkitCase = Case.getCurrentCase().getSleuthkitCase(); SleuthkitCase sleuthkitCase = Case.getCurrentCase().getSleuthkitCase();
@ -106,13 +108,14 @@ public class FileExtMismatchIngestModule extends org.sleuthkit.autopsy.ingest.In
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
// create it if not // create it if not
try { try {
artId = sleuthkitCase.addArtifactType(ART_NAME, "A filename extension mismatch detection hit.");
attrId = sleuthkitCase.addAttrType(ATTR_NAME, "Flag for detected mismatch between filename extension and file signature."); attrId = sleuthkitCase.addAttrType(ATTR_NAME, "Flag for detected mismatch between filename extension and file signature.");
} catch (TskCoreException ex1) { } catch (TskCoreException ex1) {
logger.log(Level.SEVERE, "Error adding attribute type: " + ex1.getLocalizedMessage()); logger.log(Level.SEVERE, "Error adding artifact and attribute types: " + ex1.getLocalizedMessage());
attrId = -1; attrId = -1;
} }
} }
// Set up default mapping (eventually this will be loaded from a config file) // Set up default mapping (eventually this will be loaded from a config file)
// MS Office: For now, since we don't detect specific MS office openxml formats, we just assume that // MS Office: For now, since we don't detect specific MS office openxml formats, we just assume that
@ -197,11 +200,11 @@ public class FileExtMismatchIngestModule extends org.sleuthkit.autopsy.ingest.In
if (flag) { if (flag) {
// add artifact // add artifact
BlackboardArtifact bart = abstractFile.newArtifact(ARTIFACT_TYPE.TSK_GEN_INFO); BlackboardArtifact bart = abstractFile.newArtifact(artId);
BlackboardAttribute batt = new BlackboardAttribute(attrId, MODULE_NAME, "", ATTR_VALUE_WRONG); BlackboardAttribute batt = new BlackboardAttribute(attrId, MODULE_NAME, "", ATTR_VALUE_WRONG);
bart.addAttribute(batt); bart.addAttribute(batt);
services.fireModuleDataEvent(new ModuleDataEvent(MODULE_NAME, ARTIFACT_TYPE.TSK_GEN_INFO, Collections.singletonList(bart))); services.fireModuleDataEvent(new ModuleDataEvent(MODULE_NAME, ARTIFACT_TYPE.fromID(artId), Collections.singletonList(bart)));
} }
return ProcessResult.OK; return ProcessResult.OK;
} catch (TskException ex) { } catch (TskException ex) {
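Review bot: `ARTIFACT_TYPE.fromID(artId)` in the fireModuleDataEvent call is applied to a type id that was created at runtime with `addArtifactType`, and if that enum's `fromID` only knows the built-in types (as its name suggests) it will throw an unchecked exception for the custom id, which the `catch (TskException ex)` below would not catch; please confirm against the TSK version in use, and if so pass the artifact type to the event in whatever form the API provides for non-enum types rather than going through the enum. Separately, the `init` hunk resets only `attrId = -1` on failure, so if `addArtifactType` succeeds and `addAttrType` then throws, `artId` keeps a valid id while `attrId` is -1; add `artId = -1;` beside the existing reset so the two stay consistent. I also cannot see the `try` body that precedes the `catch (TskCoreException ex)` or the lines before `if (flag)`, so it is worth checking that the lookup path resolves `artId` as well as `attrId` (otherwise on a case where the types already exist, `artId` stays -1 and `abstractFile.newArtifact(-1)` is reached) and that `process` guards on `artId != -1` the same way it presumably does for `attrId`. The `process` method's try/catch continues outside the hunk.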