From 48a8afec6f6474cc2cf7263e021771d78a2a0da4 Mon Sep 17 00:00:00 2001 From: Jeff Wallace Date: Thu, 31 Oct 2013 11:25:20 -0400 Subject: [PATCH] Report if any browser data was found, not just history. --- .../autopsy/recentactivity/Chrome.java | 48 ++++++++++++++----- .../autopsy/recentactivity/Extract.java | 8 ++-- .../autopsy/recentactivity/ExtractIE.java | 25 ++++++++-- .../autopsy/recentactivity/Firefox.java | 32 +++++++++++-- .../recentactivity/RAImageIngestModule.java | 2 +- 5 files changed, 89 insertions(+), 26 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java index 5f80fb7e1e..c405e92fda 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java @@ -82,7 +82,7 @@ public class Chrome extends Extract { @Override public void process(PipelineContextpipelineContext, Content dataSource, IngestDataSourceWorkerController controller) { - historyFound = true; + dataFound = false; this.getHistory(dataSource, controller); this.getBookmark(dataSource, controller); this.getCookie(dataSource, controller); @@ -105,7 +105,6 @@ public class Chrome extends Extract { String msg = "Error when trying to get Chrome history files."; logger.log(Level.SEVERE, msg, ex); this.addErrorMessage(this.getName() + ": " + msg); - historyFound = false; return; } @@ -121,11 +120,10 @@ public class Chrome extends Extract { if (allocatedHistoryFiles.isEmpty()) { String msg = "Could not find any allocated Chrome history files."; logger.log(Level.INFO, msg); - addErrorMessage(getName() + ": " + msg); - historyFound = false; return; } + dataFound = true; int j = 0; while (j < historyFiles.size()) { String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + historyFiles.get(j).getName().toString() + j + ".db"; 
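Review bot: In Chrome.java's getHistory hunk (@@ -121,11), the new `dataFound = true` is gated on `allocatedHistoryFiles` being non-empty, yet the loop right after it still indexes `historyFiles` (`while (j < historyFiles.size())`, `historyFiles.get(j)`), so the list that was checked is not the list that gets processed. If the allocated-only filter built above the hunk is meant to decide what is parsed, the loop should read `while (j < allocatedHistoryFiles.size())` and take its elements from that list; if not, the guard should test `historyFiles`. The rest of getHistory lies outside the hunk, so the intended list cannot be confirmed from here.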
@@ -187,6 +185,12 @@ public class Chrome extends Extract { return; } + if (bookmarkFiles.isEmpty()) { + logger.log(Level.INFO, "Didn't find any Chrome bookmark files."); + return; + } + + dataFound = true; int j = 0; while (j < bookmarkFiles.size()) { @@ -306,6 +310,12 @@ public class Chrome extends Extract { return; } + if (cookiesFiles.isEmpty()) { + logger.log(Level.INFO, "Didn't find any Chrome cookies files."); + return; + } + + dataFound = true; int j = 0; while (j < cookiesFiles.size()) { AbstractFile cookiesFile = cookiesFiles.get(j++); @@ -355,9 +365,9 @@ public class Chrome extends Extract { private void getDownload(Content dataSource, IngestDataSourceWorkerController controller) { FileManager fileManager = currentCase.getServices().getFileManager(); - List historyFiles = null; + List downloadFiles = null; try { - historyFiles = fileManager.findFiles(dataSource, "History", "Chrome"); + downloadFiles = fileManager.findFiles(dataSource, "History", "Chrome"); } catch (TskCoreException ex) { String msg = "Error when trying to get Chrome history files."; logger.log(Level.SEVERE, msg, ex); 
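Review bot: In Chrome.java's getDownload hunk (@@ -355,9), the local is renamed to `downloadFiles` but the catch block keeps `"Error when trying to get Chrome history files."`, the same string getHistory logs in the @@ -105,7 hunk, so a SEVERE log entry or module error cannot be attributed to the step that failed. I would change it to `String msg = "Error when trying to get Chrome download files.";`. Since the lookup is still `findFiles(dataSource, "History", "Chrome")`, a short comment such as `// Chrome keeps download records in the History database` would also explain why a download step searches for History. getDownload's body continues outside the hunk.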
@@ -365,18 +375,24 @@ public class Chrome extends Extract { return; } + if (downloadFiles.isEmpty()) { + logger.log(Level.INFO, "Didn't find any Chrome download files."); + return; + } + + dataFound = true; int j = 0; - while (j < historyFiles.size()) { - AbstractFile historyFile = historyFiles.get(j++); - if (historyFile.getSize() == 0) { + while (j < downloadFiles.size()) { + AbstractFile downloadFile = downloadFiles.get(j++); + if (downloadFile.getSize() == 0) { continue; } - String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + historyFile.getName().toString() + j + ".db"; + String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + downloadFile.getName().toString() + j + ".db"; try { - ContentUtils.writeToFile(historyFile, new File(temps)); + ContentUtils.writeToFile(downloadFile, new File(temps)); } catch (IOException ex) { logger.log(Level.SEVERE, "Error writing temp sqlite db for Chrome download artifacts.{0}", ex); - this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + historyFile.getName()); + this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + downloadFile.getName()); continue; } File dbFile = new File(temps); @@ -409,7 +425,7 @@ public class Chrome extends Extract { String domain = Util.extractDomain((result.get("url").toString() != null) ? result.get("url").toString() : ""); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "Recent Activity", domain)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "Recent Activity", "Chrome")); - this.addArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, historyFile, bbattributes); + this.addArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, downloadFile, bbattributes); } dbFile.delete(); 
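Review bot: In getDownload (@@ -365,18), the temp path is still assembled by concatenating `downloadFile.getName()`, a name read from the image under examination, into a path under the case's temp directory on the examiner's machine. How strictly `findFiles` constrains that name is not visible in this diff, so I would not rely on it: build the file name from a value the tool controls, for example `"chrome_download_" + j + ".db"`, and keep the original name only in the log message and the artifact. The same concatenation is visible in the getHistory hunk (@@ -121,11). The loop body continues outside the hunk.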
@@ -436,6 +452,12 @@ public class Chrome extends Extract { return; } + if (signonFiles.isEmpty()) { + logger.log(Level.INFO, "Didn't find any Chrome signon files."); + return; + } + + dataFound = true; int j = 0; while (j < signonFiles.size()) { AbstractFile signonFile = signonFiles.get(j++); diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Extract.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Extract.java index 374b7767fb..8f3bce5716 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Extract.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Extract.java @@ -40,11 +40,11 @@ abstract public class Extract extends IngestModuleDataSource{ public final Logger logger = Logger.getLogger(this.getClass().getName()); protected final ArrayList errorMessages = new ArrayList<>(); protected String moduleName = ""; - protected boolean historyFound = false; + protected boolean dataFound = false; //hide public constructor to prevent from instantiation by ingest module loader Extract() { - historyFound = true; + dataFound = false; } /** @@ -145,7 +145,7 @@ abstract public class Extract extends IngestModuleDataSource{ return moduleName; } - public boolean foundHistory() { - return historyFound; + public boolean foundData() { + return dataFound; } } \ No newline at end of file diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java index b816b600bf..dc3920ab8e 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java 
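Review bot: In Extract.java (@@ -40,11), `dataFound` is now initialised to `false` both at its declaration and in the constructor, so the constructor assignment `dataFound = false;` is redundant and can be dropped. The field is written by each subclass's process() and read through foundData() by RAImageIngestModule; whether those calls happen on the same thread is not visible in this diff, and if they do not, the field should be declared `protected volatile boolean dataFound = false;`.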
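Review bot: The renamed accessor `foundData()` (Extract.java, @@ -145,7) has no Javadoc, and its meaning is narrower than the name suggests. In the hunks of this commit the flag is set as soon as a file lookup returns a non-empty list, before the zero-length check and before any parsing (see the Chrome @@ -365,18 and Firefox @@ -168,6 hunks), so `true` means "candidate files were located", not "artifacts were extracted". I would add a Javadoc that says exactly that, and that the value is reset to false at the start of each process() call.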
@@ -93,7 +93,7 @@ public class ExtractIE extends Extract { @Override public void process(PipelineContextpipelineContext, Content dataSource, IngestDataSourceWorkerController controller) { - historyFound = true; + dataFound = false; this.getBookmark(dataSource, controller); this.getCookie(dataSource, controller); this.getRecentDocuments(dataSource, controller); @@ -116,6 +116,12 @@ public class ExtractIE extends Extract { return; } + if (favoritesFiles.isEmpty()) { + logger.log(Level.INFO, "Didn't find any IE bookmark files."); + return; + } + + dataFound = true; for (AbstractFile favoritesFile : favoritesFiles) { if (favoritesFile.getSize() == 0) { continue; @@ -171,11 +177,17 @@ public class ExtractIE extends Extract { try { cookiesFiles = fileManager.findFiles(dataSource, "%.txt", "Cookies"); } catch (TskCoreException ex) { - logger.log(Level.WARNING, "Error finding cookie files for IE"); + logger.log(Level.WARNING, "Error getting cookie files for IE"); this.addErrorMessage(this.getName() + ": " + "Error getting Internet Explorer cookie files."); return; } + if (cookiesFiles.isEmpty()) { + logger.log(Level.INFO, "Didn't find any IE cookies files."); + return; + } + + dataFound = true; for (AbstractFile cookiesFile : cookiesFiles) { if (controller.isCancelled()) { break; @@ -231,6 +243,12 @@ public class ExtractIE extends Extract { return; } + if (recentFiles.isEmpty()) { + logger.log(Level.INFO, "Didn't find any IE recent files."); + return; + } + + dataFound = true; for (AbstractFile recentFile : recentFiles) { if (controller.isCancelled()) { break; @@ -303,11 +321,10 @@ public class ExtractIE extends Extract { if (indexFiles.isEmpty()) { String msg = "No InternetExplorer history files found."; logger.log(Level.INFO, msg); - addErrorMessage(getName() + ": " + msg); - historyFound = false; return; } + dataFound = true; String temps; String indexFileName; for (AbstractFile indexFile : indexFiles) { 
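Review bot: In ExtractIE.java's cookie hunk (@@ -171,11), the reworded `logger.log(Level.WARNING, "Error getting cookie files for IE");` still discards the caught `TskCoreException`, so the log records that the lookup failed but not why. Pass the exception along: `logger.log(Level.WARNING, "Error getting cookie files for IE", ex);`. Firefox.java's history hunk (@@ -95,18) has the same shape in its context lines (`logger.log(Level.WARNING, msg);`), although its catch clause sits above that hunk. getCookie's body continues outside the hunk.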
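Review bot: In ExtractIE.java's getRecentDocuments hunk (@@ -231,6), `dataFound = true` is set whenever `recentFiles` is non-empty, so the "Browser Data" summary will report this module as "Found." on the strength of recent-document files alone. The lookup that fills `recentFiles` is above the hunk, but the method name suggests these are not browser artefacts. If that is right, I would leave the flag untouched in this method, or track it in a separate field, so the summary line reflects bookmarks, cookies and history only.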
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java index 5f2bd111c4..b558cc9a26 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java @@ -75,7 +75,7 @@ public class Firefox extends Extract { @Override public void process(PipelineContext pipelineContext, Content dataSource, IngestDataSourceWorkerController controller) { - historyFound = true; + dataFound = false; this.getHistory(dataSource, controller); this.getBookmark(dataSource, controller); this.getDownload(dataSource, controller); @@ -95,18 +95,17 @@ public class Firefox extends Extract { String msg = "Error fetching internet history files for Firefox."; logger.log(Level.WARNING, msg); this.addErrorMessage(this.getName() + ": " + msg); - historyFound = false; return; } if (historyFiles.isEmpty()) { String msg = "No FireFox history files found."; logger.log(Level.INFO, msg); - addErrorMessage(getName() + ": " + msg); - historyFound = false; return; } + dataFound = true; + int j = 0; for (AbstractFile historyFile : historyFiles) { if (historyFile.getSize() == 0) { @@ -168,6 +167,13 @@ public class Firefox extends Extract { return; } + if (bookmarkFiles.isEmpty()) { + logger.log(Level.INFO, "Didn't find any firefox bookmark files."); + return; + } + + dataFound = true; + int j = 0; for (AbstractFile bookmarkFile : bookmarkFiles) { if (bookmarkFile.getSize() == 0) { @@ -224,6 +230,12 @@ public class Firefox extends Extract { return; } + if (cookiesFiles.isEmpty()) { + logger.log(Level.INFO, "Didn't find any Firefox cookie files."); + return; + } + + dataFound = true; int j = 0; for (AbstractFile cookiesFile : cookiesFiles) { if (cookiesFile.getSize() == 0) { 
@@ -308,6 +320,12 @@ public class Firefox extends Extract { return; } + if (downloadsFiles.isEmpty()) { + logger.log(Level.INFO, "Didn't find any pre-version-24.0 Firefox download files."); + return; + } + + dataFound = true; int j = 0; for (AbstractFile downloadsFile : downloadsFiles) { if (downloadsFile.getSize() == 0) { @@ -386,6 +404,12 @@ public class Firefox extends Extract { return; } + if (downloadsFiles.isEmpty()) { + logger.log(Level.INFO, "Didn't find any version-24.0 Firefox download files."); + return; + } + + dataFound = true; int j = 0; for (AbstractFile downloadsFile : downloadsFiles) { if (downloadsFile.getSize() == 0) { diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java index aa969d322b..13d6827cc6 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java @@ -113,7 +113,7 @@ public final class RAImageIngestModule extends IngestModuleDataSource { historyMsg.append("

Browser Data on ").append(dataSource.getName()).append(":

    \n"); for (Extract module : browserModules) { historyMsg.append("
  • ").append(module.getName()); - historyMsg.append(": ").append((module.foundHistory()) ? " Found." : " Not Found."); + historyMsg.append(": ").append((module.foundData()) ? " Found." : " Not Found."); historyMsg.append("
  • "); } historyMsg.append("
");
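Review bot: The summary line in RAImageIngestModule (@@ -113,7) still has only two outcomes, `" Found."` and `" Not Found."`, and after this commit a lookup that threw (the catch blocks in the Chrome and Firefox hunks return without touching `dataFound`) ends up as "Not Found." unless another step succeeded. An examiner can read that as a negative finding when the search in fact failed. I would have the summary distinguish the case where the module recorded error messages, for example by printing " Not Found (errors occurred)." for it; how the module's error list is exposed is not visible in this diff. The local is also still called `historyMsg` although it now reports all browser data.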