From 3824f90a0ee2770843a6894ab6ad3ad7dd40aea6 Mon Sep 17 00:00:00 2001 From: Tim McIver Date: Tue, 27 Nov 2012 17:34:38 -0500 Subject: [PATCH] Refactored ExtractRegistry.getregistryfiles() to use several FileManager.findFiles calls in order to remove the raw SQL used to retrieve registry files. Also renamed method to getRegistryFiles(). --- .../recentactivity/ExtractRegistry.java | 93 +++++++++---------- 1 file changed, 42 insertions(+), 51 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java index 66210a1e6c..67e6db6c80 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java @@ -105,70 +105,61 @@ public class ExtractRegistry extends Extract implements IngestModuleImage { public void setArguments(String args) { this.args = args; } - - private void getregistryfiles(Image image, IngestImageWorkerController controller) { - Case currentCase = Case.getCurrentCase(); // get the most updated case - SleuthkitCase tempDb = currentCase.getSleuthkitCase(); - Collection imageFS = tempDb.getFileSystems(image); - List fsIds = new LinkedList(); - for (FileSystem img : imageFS) { - Long tempID = img.getId(); - fsIds.add(tempID.toString()); - } - - String allFS = new String(); - for (int i = 0; i < fsIds.size(); i++) { - if (i == 0) { - allFS += " AND (0"; - } - allFS += " OR fs_obj_id = '" + fsIds.get(i) + "'"; - if (i == fsIds.size() - 1) { - allFS += ")"; - } - } - List Regfiles = new ArrayList(); + + private void getRegistryFiles(Image image, IngestImageWorkerController controller) { + + org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager(); + List allRegistryFiles = new ArrayList(); try { - ResultSet rs = tempDb.runQuery("select * from tsk_files where lower(name) = 'ntuser.dat' OR lower(parent_path) LIKE '%/system32/config%' and (name LIKE 'system' OR name LIKE 'software' OR name = 'SECURITY' OR name = 'SAM' OR name = 'default')" + allFS); - Regfiles = tempDb.resultSetToFsContents(rs); - } catch (SQLException ex) { - logger.log(Level.SEVERE, "Error querying the database for registry files: {0}", ex); + allRegistryFiles.addAll(fileManager.findFiles("ntuser.dat")); + } catch (TskCoreException ex) { + logger.log(Level.WARNING, "Error fetching 'ntuser.dat' file."); } -// org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager(); -// List Regfiles = null; -// try { -// Regfiles = fileManager.findFiles("ntuser.dat", "Recent"); -// } catch (TskCoreException ex) { -// logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history."); -// } + // try to find each of the listed registry files whose parent directory + // is like '%/system32/config%' + String[] regFileNames = new String[] {"system", "software", "security", "sam", "default"}; + for (String regFileName : regFileNames) { + try { + allRegistryFiles.addAll(fileManager.findFiles(regFileName, "%/system32/config%")); + } catch (TskCoreException ex) { + logger.log(Level.WARNING, "Error fetching registry file: " + regFileName); + } + } + + // filter out those registry files that are not from this image + List regFiles = new ArrayList(); + for (FsContent regFile : allRegistryFiles) { + try { + if (regFile.getImage().equals(image)) { + regFiles.add(regFile); + } + } catch (TskCoreException ex) { + logger.log(Level.WARNING, "Error when trying to get image from FsContent object."); + } + } int j = 0; - - while (j < Regfiles.size()) { - boolean Success; - Content orgFS = Regfiles.get(j); - long orgId = orgFS.getId(); - String temps = currentCase.getTempDirectory() + "\\" + Regfiles.get(j).getName().toString(); + for (FsContent regFile : regFiles) { + String regFileName = regFile.getName(); + String temps = currentCase.getTempDirectory() + "\\" + regFileName; try { - ContentUtils.writeToFile(Regfiles.get(j), new File(currentCase.getTempDirectory() + "\\" + Regfiles.get(j).getName())); + ContentUtils.writeToFile(regFile, new File(currentCase.getTempDirectory() + "\\" + regFileName)); } catch (IOException ex) { logger.log(Level.SEVERE, "Error writing the temp registry file. {0}", ex); } - File regFile = new File(temps); + File aRegFile = new File(temps); logger.log(Level.INFO, moduleName + "- Now getting registry information from " + temps); - String txtPath = executeRegRip(temps, j); + String txtPath = executeRegRip(temps, j++); if (txtPath.length() > 0) { - Success = parseReg(txtPath, orgId); - } else { - Success = false; + if (parseReg(txtPath, regFile.getId()) == false) { + continue; + } } + //At this point pasco2 proccessed the index files. //Now fetch the results, parse them and the delete the files. - if (Success) { - //Delete dat file since it was succcessful - regFile.delete(); - } - j++; + aRegFile.delete(); } } @@ -404,7 +395,7 @@ public class ExtractRegistry extends Extract implements IngestModuleImage { @Override public void process(Image image, IngestImageWorkerController controller) { - this.getregistryfiles(image, controller); + this.getRegistryFiles(image, controller); } @Override