cleanup remove unneeded code to filter out WEBHIST and PE events
This commit is contained in:
parent
b8757321db
commit
388e92b991
@ -25,10 +25,12 @@ import java.nio.file.Paths;
|
|||||||
import java.sql.ResultSet;
|
import java.sql.ResultSet;
|
||||||
import java.sql.SQLException;
|
import java.sql.SQLException;
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
|
import static java.util.Arrays.asList;
|
||||||
import java.util.Collection;
|
import java.util.Collection;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.logging.Level;
|
import java.util.logging.Level;
|
||||||
import java.util.stream.Collectors;
|
import java.util.stream.Collectors;
|
||||||
|
import org.apache.commons.lang3.StringUtils;
|
||||||
import org.openide.modules.InstalledFileLocator;
|
import org.openide.modules.InstalledFileLocator;
|
||||||
import org.openide.util.NbBundle;
|
import org.openide.util.NbBundle;
|
||||||
import org.sleuthkit.autopsy.casemodule.Case;
|
import org.sleuthkit.autopsy.casemodule.Case;
|
||||||
@ -65,11 +67,13 @@ public class PlasoIngestModule implements DataSourceIngestModule {
|
|||||||
private static final Logger logger = Logger.getLogger(PlasoIngestModule.class.getName());
|
private static final Logger logger = Logger.getLogger(PlasoIngestModule.class.getName());
|
||||||
private static final String MODULE_NAME = PlasoModuleFactory.getModuleName();
|
private static final String MODULE_NAME = PlasoModuleFactory.getModuleName();
|
||||||
|
|
||||||
private static final String PLASO = "plaso";
|
private static final String PLASO = "plaso"; //NON-NLS
|
||||||
private static final String PLASO64 = "plaso//plaso-20180818-amd64";
|
private static final String PLASO64 = "plaso//plaso-20180818-amd64";//NON-NLS
|
||||||
private static final String PLASO32 = "plaso//plaso-20180818-win32";
|
private static final String PLASO32 = "plaso//plaso-20180818-win32";//NON-NLS
|
||||||
private static final String LOG2TIMELINE_EXECUTABLE = "Log2timeline.exe";
|
private static final String LOG2TIMELINE_EXECUTABLE = "Log2timeline.exe";//NON-NLS
|
||||||
private static final String PSORT_EXECUTABLE = "psort.exe";
|
private static final String PSORT_EXECUTABLE = "psort.exe";//NON-NLS
|
||||||
|
|
||||||
|
private static final String COOKIE = "cookie";
|
||||||
|
|
||||||
private final Case currentCase = Case.getCurrentCase();
|
private final Case currentCase = Case.getCurrentCase();
|
||||||
private final FileManager fileManager = currentCase.getServices().getFileManager();
|
private final FileManager fileManager = currentCase.getServices().getFileManager();
|
||||||
@ -130,7 +134,7 @@ public class PlasoIngestModule implements DataSourceIngestModule {
|
|||||||
}
|
}
|
||||||
image = (Image) dataSource;
|
image = (Image) dataSource;
|
||||||
|
|
||||||
String currentTime = TimeUtilities.epochToTime(System.currentTimeMillis() / 1000) .replaceAll(":", "-");
|
String currentTime = TimeUtilities.epochToTime(System.currentTimeMillis() / 1000).replaceAll(":", "-");//NON-NLS
|
||||||
String moduleOutputPath = Paths.get(currentCase.getModuleDirectory(), PLASO, currentTime).toString();
|
String moduleOutputPath = Paths.get(currentCase.getModuleDirectory(), PLASO, currentTime).toString();
|
||||||
File directory = new File(String.valueOf(moduleOutputPath));
|
File directory = new File(String.valueOf(moduleOutputPath));
|
||||||
if (!directory.exists()) {
|
if (!directory.exists()) {
|
||||||
@ -167,9 +171,9 @@ public class PlasoIngestModule implements DataSourceIngestModule {
|
|||||||
MessageNotifyUtil.Message.info(Bundle.PlasoIngestModule_psort_cancelled());
|
MessageNotifyUtil.Message.info(Bundle.PlasoIngestModule_psort_cancelled());
|
||||||
return ProcessResult.OK;
|
return ProcessResult.OK;
|
||||||
}
|
}
|
||||||
plasoFile = new File(moduleOutputPath + File.separator + "plasodb.db3");
|
plasoFile = new File(moduleOutputPath + File.separator + "plasodb.db3");//NON-NLS
|
||||||
if (!plasoFile.exists()) {
|
if (!plasoFile.exists()) {
|
||||||
logger.log(Level.INFO, Bundle.PlasoIngestModule_error_running_psort()); //NON-NLS
|
logger.log(Level.INFO, Bundle.PlasoIngestModule_error_running_psort()); //NON-NLS
|
||||||
MessageNotifyUtil.Message.info(Bundle.PlasoIngestModule_error_running_psort());
|
MessageNotifyUtil.Message.info(Bundle.PlasoIngestModule_error_running_psort());
|
||||||
return ProcessResult.OK;
|
return ProcessResult.OK;
|
||||||
}
|
}
|
||||||
@ -178,7 +182,7 @@ public class PlasoIngestModule implements DataSourceIngestModule {
|
|||||||
createPlasoArtifacts(plasoFile.getAbsolutePath(), statusHelper);
|
createPlasoArtifacts(plasoFile.getAbsolutePath(), statusHelper);
|
||||||
|
|
||||||
} catch (IOException ex) {
|
} catch (IOException ex) {
|
||||||
logger.log(Level.SEVERE, Bundle.PlasoIngestModule_error_running(), ex);
|
logger.log(Level.SEVERE, Bundle.PlasoIngestModule_error_running(), ex);//NON-NLS
|
||||||
MessageNotifyUtil.Message.info(Bundle.PlasoIngestModule_error_running());
|
MessageNotifyUtil.Message.info(Bundle.PlasoIngestModule_error_running());
|
||||||
return ProcessResult.ERROR;
|
return ProcessResult.ERROR;
|
||||||
}
|
}
|
||||||
@ -192,31 +196,27 @@ public class PlasoIngestModule implements DataSourceIngestModule {
|
|||||||
|
|
||||||
String parsersString = settings.getParsers().entrySet().stream()
|
String parsersString = settings.getParsers().entrySet().stream()
|
||||||
.filter(entry -> entry.getValue() == false)
|
.filter(entry -> entry.getValue() == false)
|
||||||
.map(entry -> "!" + entry.getKey())
|
.map(entry -> "!" + entry.getKey())//NON-NLS
|
||||||
.collect(Collectors.joining(",", "\"", "\""));
|
.collect(Collectors.joining(","));//NON-NLS
|
||||||
|
|
||||||
List<String> commandLine = Arrays.asList(
|
ProcessBuilder processBuilder = new ProcessBuilder(asList(
|
||||||
"\"" + log2TimeLineExecutable + "\"", //NON-NLS
|
"\"" + log2TimeLineExecutable + "\"", //NON-NLS
|
||||||
"--vss-stores", "all", //NON-NLS
|
"--vss-stores", "all", //NON-NLS
|
||||||
"-d", //TODO: remove after debugging
|
"-z", timeZone,//NON-NLS
|
||||||
"-z", timeZone,
|
"--partitions", "all",//NON-NLS
|
||||||
"--partitions", "all",
|
"--hasher_file_size_limit", "1",//NON-NLS
|
||||||
"--hasher_file_size_limit", "1",
|
"--hashers", "none",//NON-NLS
|
||||||
"--hashers", "none",
|
"--parsers", "\"" + parsersString + "\"",//NON-NLS
|
||||||
"--parsers", parsersString,
|
"--no_dependencies_check",//NON-NLS
|
||||||
"--no_dependencies_check",
|
|
||||||
moduleOutputPath + File.separator + PLASO,
|
moduleOutputPath + File.separator + PLASO,
|
||||||
imageName
|
imageName
|
||||||
);
|
));
|
||||||
|
|
||||||
System.out.println(commandLine); //TODO: remove when done debugging
|
|
||||||
ProcessBuilder processBuilder = new ProcessBuilder(commandLine);
|
|
||||||
/*
|
/*
|
||||||
* Add an environment variable to force log2timeline to run with the
|
* Add an environment variable to force log2timeline to run with the
|
||||||
* same permissions Autopsy uses.
|
* same permissions Autopsy uses.
|
||||||
*/
|
*/
|
||||||
processBuilder.environment().put("__COMPAT_LAYER", "RunAsInvoker"); //NON-NLS
|
processBuilder.environment().put("__COMPAT_LAYER", "RunAsInvoker"); //NON-NLS
|
||||||
processBuilder.redirectOutput(new File(moduleOutputPath + File.separator + "log2timeline_output.txt"));
|
processBuilder.redirectOutput(new File(moduleOutputPath + File.separator + "log2timeline_output.txt"));//NON-NLS
|
||||||
processBuilder.redirectError(new File(moduleOutputPath + File.separator + "log2timeline_err.txt")); //NON-NLS
|
processBuilder.redirectError(new File(moduleOutputPath + File.separator + "log2timeline_err.txt")); //NON-NLS
|
||||||
|
|
||||||
return processBuilder;
|
return processBuilder;
|
||||||
@ -224,15 +224,13 @@ public class PlasoIngestModule implements DataSourceIngestModule {
|
|||||||
|
|
||||||
private ProcessBuilder buildPsortCommand(File psortExecutable, String moduleOutputPath) {
|
private ProcessBuilder buildPsortCommand(File psortExecutable, String moduleOutputPath) {
|
||||||
|
|
||||||
List<String> commandLine = Arrays.asList(
|
//NON-NLS
|
||||||
|
ProcessBuilder processBuilder = new ProcessBuilder(asList(
|
||||||
"\"" + psortExecutable + "\"", //NON-NLS
|
"\"" + psortExecutable + "\"", //NON-NLS
|
||||||
"-o", //NON-NLS
|
"-o", "4n6time_sqlite", //NON-NLS
|
||||||
"4n6time_sqlite", //NON-NLS
|
"-w", moduleOutputPath + File.separator + "plasodb.db3",//NON-NLS
|
||||||
"-w",
|
moduleOutputPath + File.separator + PLASO
|
||||||
moduleOutputPath + File.separator + "plasodb.db3",
|
));
|
||||||
moduleOutputPath + File.separator + PLASO);
|
|
||||||
|
|
||||||
ProcessBuilder processBuilder = new ProcessBuilder(commandLine);
|
|
||||||
/*
|
/*
|
||||||
* Add an environment variable to force psort to run with the same
|
* Add an environment variable to force psort to run with the same
|
||||||
* permissions Autopsy uses.
|
* permissions Autopsy uses.
|
||||||
@ -280,8 +278,13 @@ public class PlasoIngestModule implements DataSourceIngestModule {
|
|||||||
SleuthkitCase sleuthkitCase = Case.getCurrentCase().getSleuthkitCase();
|
SleuthkitCase sleuthkitCase = Case.getCurrentCase().getSleuthkitCase();
|
||||||
blackboard = sleuthkitCase.getBlackboard();
|
blackboard = sleuthkitCase.getBlackboard();
|
||||||
String connectionString = "jdbc:sqlite:" + plasoDb; //NON-NLS
|
String connectionString = "jdbc:sqlite:" + plasoDb; //NON-NLS
|
||||||
String sqlStatement = "select substr(filename,1) filename, strftime('%s', datetime) 'epoch_date', description, source, type, sourcetype \n"
|
String sqlStatement = "SELECT substr(filename,1) AS filename, "
|
||||||
+ " from log2timeline where source not in ('FILE') and sourcetype not in ('UNKNOWN');";
|
+ " strftime('%s', datetime) AS epoch_date, "
|
||||||
|
+ " description, "
|
||||||
|
+ " source, "
|
||||||
|
+ " sourcetype, "
|
||||||
|
+ " type "
|
||||||
|
+ " FROM log2timeline WHERE source NOT IN ('FILE') AND sourcetype NOT IN ('UNKNOWN');";//NON-NLS
|
||||||
|
|
||||||
try (SQLiteDBConnect tempdbconnect = new SQLiteDBConnect("org.sqlite.JDBC", connectionString); //NON-NLS
|
try (SQLiteDBConnect tempdbconnect = new SQLiteDBConnect("org.sqlite.JDBC", connectionString); //NON-NLS
|
||||||
ResultSet resultSet = tempdbconnect.executeQry(sqlStatement)) {
|
ResultSet resultSet = tempdbconnect.executeQry(sqlStatement)) {
|
||||||
@ -293,30 +296,26 @@ public class PlasoIngestModule implements DataSourceIngestModule {
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( // lots of bad dates
|
String currentFileName = resultSet.getString("filename"); //NON-NLS
|
||||||
"PE Import Time".equalsIgnoreCase(resultSet.getString("sourcetype"))
|
statusHelper.progress("Adding events to case: " + currentFileName, 66);
|
||||||
// bad dates and duplicates with what we have. // TODO: merge results somehow
|
|
||||||
|| "WEBHIST".equalsIgnoreCase(resultSet.getString("source"))) {
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
String currentFile = resultSet.getString("filename");
|
Content resolvedFile = getAbstractFile(currentFileName);
|
||||||
statusHelper.progress("Adding events to case: " + currentFile, 66);
|
|
||||||
|
|
||||||
Content resolvedFile = getAbstractFile(currentFile);
|
|
||||||
if (resolvedFile == null) {
|
if (resolvedFile == null) {
|
||||||
logger.log(Level.INFO, "File from Plaso output not found. Associating with data source instead: {0}", resultSet.getString("filename"));
|
logger.log(Level.INFO, "File from Plaso output not found. Associating with data source instead: {0}", currentFileName);//NON-NLS
|
||||||
resolvedFile = image;
|
resolvedFile = image;
|
||||||
}
|
}
|
||||||
|
|
||||||
long eventType = findEventSubtype(resultSet.getString("source"), resultSet.getString("filename"), resultSet.getString("type"), resultSet.getString("description"), resultSet.getString("sourcetype"));
|
long eventType = findEventSubtype(resultSet.getString("source"),
|
||||||
|
currentFileName, resultSet.getString("type"),
|
||||||
|
resultSet.getString("sourcetype"));//NON-NLS
|
||||||
|
|
||||||
Collection<BlackboardAttribute> bbattributes = Arrays.asList(
|
Collection<BlackboardAttribute> bbattributes = Arrays.asList(
|
||||||
new BlackboardAttribute(
|
new BlackboardAttribute(
|
||||||
ATTRIBUTE_TYPE.TSK_DATETIME, MODULE_NAME,
|
ATTRIBUTE_TYPE.TSK_DATETIME, MODULE_NAME,
|
||||||
resultSet.getLong("epoch_date")),
|
resultSet.getLong("epoch_date")),//NON-NLS
|
||||||
new BlackboardAttribute(
|
new BlackboardAttribute(
|
||||||
ATTRIBUTE_TYPE.TSK_DESCRIPTION, MODULE_NAME,
|
ATTRIBUTE_TYPE.TSK_DESCRIPTION, MODULE_NAME,
|
||||||
resultSet.getString("description")),
|
resultSet.getString("description")),//NON-NLS
|
||||||
new BlackboardAttribute(
|
new BlackboardAttribute(
|
||||||
ATTRIBUTE_TYPE.TSK_TL_EVENT_TYPE, MODULE_NAME,
|
ATTRIBUTE_TYPE.TSK_TL_EVENT_TYPE, MODULE_NAME,
|
||||||
eventType));
|
eventType));
|
||||||
@ -349,9 +348,9 @@ public class PlasoIngestModule implements DataSourceIngestModule {
|
|||||||
|
|
||||||
Path path = Paths.get(file);
|
Path path = Paths.get(file);
|
||||||
String fileName = path.getFileName().toString();
|
String fileName = path.getFileName().toString();
|
||||||
String filePath = path.getParent().toString().replaceAll("\\\\", "/");
|
String filePath = path.getParent().toString().replaceAll("\\\\", "/");//NON-NLS
|
||||||
if (filePath.endsWith("/") == false) {
|
if (filePath.endsWith("/") == false) {//NON-NLS
|
||||||
filePath += "/";
|
filePath += "/";//NON-NLS
|
||||||
}
|
}
|
||||||
|
|
||||||
// check the cached file
|
// check the cached file
|
||||||
@ -380,19 +379,22 @@ public class PlasoIngestModule implements DataSourceIngestModule {
|
|||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
private long findEventSubtype(String plasoSource, String fileName, String plasoType, String plasoDescription, String sourceType) {
|
private long findEventSubtype(String plasoSource, String plasoFileName, String plasoType, String plasoSourceType) {
|
||||||
|
|
||||||
if (plasoSource.matches("WEBHIST")) {
|
if (plasoSource.matches("WEBHIST")) {//NON-NLS
|
||||||
if (fileName.toLowerCase().contains("cookie") || plasoType.toLowerCase().contains("cookie") || plasoDescription.toLowerCase().contains("cookie")) {
|
if (plasoFileName.toLowerCase().contains(COOKIE)
|
||||||
|
|| plasoType.toLowerCase().contains(COOKIE)) {
|
||||||
return EventType.WEB_COOKIE.getTypeID();
|
return EventType.WEB_COOKIE.getTypeID();
|
||||||
}
|
}
|
||||||
return EventType.WEB_HISTORY.getTypeID();
|
return EventType.WEB_HISTORY.getTypeID();
|
||||||
}
|
}
|
||||||
if (plasoSource.matches("EVT") || plasoSource.matches("LOG")) {
|
if (plasoSource.matches("EVT") || plasoSource.matches("LOG")) {//NON-NLS
|
||||||
return EventType.LOG_ENTRY.getTypeID();
|
return EventType.LOG_ENTRY.getTypeID();
|
||||||
}
|
}
|
||||||
if (plasoSource.matches("REG")) {
|
if (plasoSource.matches("REG")) {
|
||||||
if (sourceType.toLowerCase().matches("unknown : usb entries") || sourceType.toLowerCase().matches("unknown : usbstor entries")) {
|
String plasoSourceTypeLower = plasoSourceType.toLowerCase();
|
||||||
|
if (plasoSourceTypeLower.matches("unknown : usb entries")//NON-NLS
|
||||||
|
|| plasoSourceTypeLower.matches("unknown : usbstor entries")) {//NON-NLS
|
||||||
return EventType.DEVICES_ATTACHED.getTypeID();
|
return EventType.DEVICES_ATTACHED.getTypeID();
|
||||||
}
|
}
|
||||||
return EventType.REGISTRY.getTypeID();
|
return EventType.REGISTRY.getTypeID();
|
||||||
|
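Review bot: The rewritten comparisons in findEventSubtype (the `plasoSource.matches("WEBHIST")`, `matches("EVT")`/`matches("LOG")` and `matches("REG")` tests, plus the lowercased `contains(COOKIE)` and `matches("unknown : usb entries")` checks) use regex matching for literal tokens and default-locale `toLowerCase()`, so event classification depends on the JVM's default locale (under tr_TR "COOKIE" lowercases to "cookıe" and the cookie test misses) and a Pattern is compiled for every row of the plaso result set. `String.equals`/`equalsIgnoreCase` and `toLowerCase(Locale.ROOT)` express the intended exact or case-insensitive comparisons without either cost, as in the excerpt below (needs `import java.util.Locale;` in the import block). `plasoFileName` and `plasoType` come from `resultSet.getString(...)` in the calling loop, so if the plaso table can hold NULL in those columns the `toLowerCase()` calls throw NullPointerException for a WEBHIST row — worth confirming against the 4n6time output schema and guarding if so. findEventSubtype continues past the end of the hunk.
```java
private long findEventSubtype(String plasoSource, String plasoFileName, String plasoType, String plasoSourceType) {
    if ("WEBHIST".equals(plasoSource)) { //NON-NLS
        // Locale.ROOT: default-locale lowercasing (e.g. tr_TR) would map "COOKIE" to "cookıe" and miss the match
        if (plasoFileName.toLowerCase(Locale.ROOT).contains(COOKIE)
                || plasoType.toLowerCase(Locale.ROOT).contains(COOKIE)) {
            return EventType.WEB_COOKIE.getTypeID();
        }
        return EventType.WEB_HISTORY.getTypeID();
    }
    if ("EVT".equals(plasoSource) || "LOG".equals(plasoSource)) { //NON-NLS
        return EventType.LOG_ENTRY.getTypeID();
    }
    if ("REG".equals(plasoSource)) { //NON-NLS
        // equalsIgnoreCase compares per character, independent of the default locale
        if ("unknown : usb entries".equalsIgnoreCase(plasoSourceType) //NON-NLS
                || "unknown : usbstor entries".equalsIgnoreCase(plasoSourceType)) { //NON-NLS
            return EventType.DEVICES_ATTACHED.getTypeID();
        }
        return EventType.REGISTRY.getTypeID();
    }
    // … unchanged: remaining source cases, outside this hunk …
```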