From 78b6a06e58734db398eb3913a8caf1e4d6578d03 Mon Sep 17 00:00:00 2001 From: Brian Carrier Date: Thu, 12 Apr 2018 23:48:59 -0400 Subject: [PATCH 1/9] Fix the remembering selection and add outputs as files instead of eport --- .../volatilityDSP/MemoryDSInputPanel.java | 12 ++--- .../volatilityDSP/VolatilityProcessor.java | 50 ++++++++----------- 2 files changed, 28 insertions(+), 34 deletions(-) diff --git a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.java b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.java index f96a9cc801..f006687c3e 100644 --- a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.java +++ b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.java @@ -53,7 +53,6 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener { private final PluginListTableModel tableModel = new PluginListTableModel(); private final List PluginListNames = new ArrayList<>(); private final Map pluginListStates = new HashMap<>(); // is set by listeners when users select and deselect items - private final Boolean isEnabled = true; /** * Creates new MemoryDSInputPanel panel for user input @@ -157,8 +156,10 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener { PluginListNames.add(plugin); if (allEnabled) { pluginListStates.put(plugin, true); + } else if ((pluginMap.containsKey(plugin) && pluginMap.get(plugin).equals("false"))) { + pluginListStates.put(plugin, false); } else { - pluginListStates.put(plugin, pluginMap.containsKey(plugin)); + pluginListStates.put(plugin, true); } } tableModel.fireTableDataChanged(); 
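Review bot: The new `else if` branch in createPluginList looks the saved value up twice and wraps the test in a redundant pair of parentheses; `} else if ("false".equals(pluginMap.get(plugin))) {` performs one lookup, tolerates a missing key without the `containsKey` guard, and is null-safe. Since both the `allEnabled` branch and the final `else` store `true`, a one-line comment such as `// a plugin is enabled unless the saved settings explicitly say "false"` would make the default visible to the next reader. createPluginList starts before this hunk.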
@@ -327,15 +328,14 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener { List getPluginsToRun() { List enabledPlugins = new ArrayList<>(); - Map pluginMap = new HashMap<>(); + Map pluginSettingsToSave = new HashMap<>(); for (String plugin : PluginListNames) { if (pluginListStates.get(plugin)) { enabledPlugins.add(plugin); - pluginMap.put(plugin, ""); } + pluginSettingsToSave.put(plugin, pluginListStates.get(plugin).toString()); } - - ModuleSettings.setConfigSettings(this.contextName, pluginMap); + ModuleSettings.setConfigSettings(this.contextName, pluginSettingsToSave); // @@ Could return keys of set return enabledPlugins; } diff --git a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java index 50246f5255..59293de566 100644 --- a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java +++ b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java @@ -29,7 +29,7 @@ import java.util.List; import java.util.Set; import java.util.logging.Level; import org.openide.modules.InstalledFileLocator; -import org.openide.util.Lookup; +import org.openide.util.Exceptions; import org.openide.util.NbBundle; import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException; 
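Review bot: getPluginsToRun now reads `pluginListStates.get(plugin)` twice per plugin and auto-unboxes the first result in the `if`, so a plugin name missing from the map throws a NullPointerException instead of being treated as disabled; caching the lookup, `Boolean enabled = pluginListStates.get(plugin);` then `if (Boolean.TRUE.equals(enabled)) { enabledPlugins.add(plugin); }` and `pluginSettingsToSave.put(plugin, String.valueOf(enabled));`, removes both the repeat and the unboxing. The stray `// @@ Could return keys of set` marker reads like an unfinished TODO and should either become one or be removed. The method also writes `ModuleSettings` as a side effect of a getter, which deserves a Javadoc summary such as `Returns the enabled plugins and persists the current enabled/disabled state of every plugin.` so callers know each call saves settings.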
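Review bot: The new import `org.openide.util.Exceptions` is not used by any hunk in this patch, where the added catch block logs through `logger`, so it looks like an IDE-inserted import that should be dropped (ignore this if the rest of the file uses it). With `KeywordSearchService`, `Lookup` and `Report` removed, the bundle keys `VolatilityProcessor_exceptionMessage_searchServiceNotFound`, `VolatilityProcessor_exceptionMessage_errorIndexingOutput` and `VolatilityProcessor_exceptionMessage_errorAddingOutput` referenced only by the deleted code presumably have no remaining references and can be removed from the `@NbBundle.Messages` annotation that declares them.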
@@ -41,13 +41,13 @@ import org.sleuthkit.autopsy.coreutils.Logger; import org.sleuthkit.autopsy.coreutils.PlatformUtil; import org.sleuthkit.autopsy.ingest.IngestServices; import org.sleuthkit.autopsy.ingest.ModuleDataEvent; -import org.sleuthkit.autopsy.keywordsearchservice.KeywordSearchService; import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardAttribute; +import org.sleuthkit.datamodel.Content; import org.sleuthkit.datamodel.Image; -import org.sleuthkit.datamodel.Report; import org.sleuthkit.datamodel.TskCoreException; +import org.sleuthkit.datamodel.TskData.EncodingType; import org.sleuthkit.datamodel.TskData.TSK_DB_FILES_TYPE_ENUM; /** @@ -70,6 +70,7 @@ class VolatilityProcessor { private String moduleOutputPath; private FileManager fileManager; private volatile boolean isCancelled; + private Content outputVirtDir; /** * Constructs a processor that runs Volatility on a given memory image file @@ -117,6 +118,13 @@ class VolatilityProcessor { fileManager = currentCase.getServices().getFileManager(); + try { + // make a virtual directory to store the reports + outputVirtDir = currentCase.getSleuthkitCase().addVirtualDirectory(dataSource.getId(), "ModuleOutput"); + } catch (TskCoreException ex) { + throw new VolatilityProcessorException("Error creating virtual directory", ex); + } + /* * Make an output folder unique to this data source. */ @@ -129,6 +137,7 @@ class VolatilityProcessor { runVolatilityPlugin("imageinfo"); //NON-NLS } + progressMonitor.setIndeterminate(false); progressMonitor.setProgressMax(pluginsToRun.size()); for (int i = 0; i < pluginsToRun.size(); i++) { 
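Review bot: The virtual directory name `"ModuleOutput"` and the message `"Error creating virtual directory"` in the new try block of run() are bare literals, whereas the rest of this class routes user-visible text through `Bundle.VolatilityProcessor_*` keys and tags non-localized strings with `//NON-NLS`; a `private static final String OUTPUT_DIR_NAME = "ModuleOutput"; //NON-NLS` constant and an `@NbBundle.Messages` key for the error would keep that convention. The field added in the earlier hunk on this line has no comment; `// virtual directory under the data source that receives one derived file per plugin run` states why `outputVirtDir` is held as instance state until the plugin loop uses it. run() continues beyond this hunk.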
@@ -186,14 +195,15 @@ class VolatilityProcessor { commandLine.add(pluginToRun); - String outputFile = moduleOutputPath + "\\" + pluginToRun + ".txt"; //NON-NLS + String outputFileAsString = moduleOutputPath + "\\" + pluginToRun + ".txt"; //NON-NLS ProcessBuilder processBuilder = new ProcessBuilder(commandLine); /* * Add an environment variable to force Volatility to run with the same * permissions Autopsy uses. */ processBuilder.environment().put("__COMPAT_LAYER", "RunAsInvoker"); //NON-NLS - processBuilder.redirectOutput(new File(outputFile)); + File outputFile = new File(outputFileAsString); + processBuilder.redirectOutput(outputFile); processBuilder.redirectError(new File(moduleOutputPath + "\\Volatility_Run.err")); //NON-NLS processBuilder.directory(new File(memoryImage.getParent())); 
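Review bot: The rewritten `outputFileAsString` line still builds the path with a literal `"\\"` separator, as does the `redirectError` line that follows it, which ties the processor to Windows path syntax; `File outputFile = new File(moduleOutputPath, pluginToRun + ".txt"); //NON-NLS` yields the same path portably and makes the intermediate string unnecessary. Every plugin run also redirects stderr to the single `Volatility_Run.err`, so each run overwrites the previous plugin's errors; that is pre-existing, but a per-plugin name such as `pluginToRun + ".err"` would keep them for diagnosis. runVolatilityPlugin starts and ends outside this hunk.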
@@ -210,32 +220,16 @@ class VolatilityProcessor { if (isCancelled) { return; } - - /* - * Add the plugin output file to the case as a report. - */ + try { - Report report = currentCase.getSleuthkitCase().addReport(outputFile, VOLATILITY, VOLATILITY + " " + pluginToRun + " Plugin"); //NON-NLS - try { - KeywordSearchService searchService = Lookup.getDefault().lookup(KeywordSearchService.class); - if (searchService != null) { - searchService.index(report); - } else { - errorMsgs.add(Bundle.VolatilityProcessor_exceptionMessage_searchServiceNotFound(pluginToRun)); - /* - * Log the exception as well as add it to the error - * messages, to ensure that the stack trace is not lost. - */ - logger.log(Level.WARNING, Bundle.VolatilityProcessor_exceptionMessage_errorIndexingOutput(pluginToRun)); - } - } catch (TskCoreException ex) { - throw new VolatilityProcessorException(Bundle.VolatilityProcessor_exceptionMessage_errorIndexingOutput(pluginToRun), ex); - } + String relativePath = new File(currentCase.getCaseDirectory()).toURI().relativize(new File(outputFileAsString).toURI()).getPath(); + fileManager.addDerivedFile(pluginToRun, relativePath, outputFile.length(), 0, 0, 0, 0, true, outputVirtDir, null, null, null, null, EncodingType.NONE); } catch (TskCoreException ex) { - throw new VolatilityProcessorException(Bundle.VolatilityProcessor_exceptionMessage_errorAddingOutput(pluginToRun), ex); + errorMsgs.add("Error adding " + pluginToRun + " volatility report as a file"); + logger.log(Level.WARNING, "Error adding report as derived file", ex); } - - createArtifactsFromPluginOutput(pluginToRun, new File(outputFile)); + + createArtifactsFromPluginOutput(pluginToRun, new File(outputFileAsString)); } /** From 1f178b2363b6799df5a7fc20b06ebf81b9553f83 Mon Sep 17 00:00:00 2001 
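Review bot: The new derived-file block registers the plugin output with `outputFile.length()` without checking that the file exists or is non-empty, so a plugin that produced nothing is still added as a zero-length derived file; wrapping the `addDerivedFile` call in `if (outputFile.isFile() && outputFile.length() > 0)` with an `errorMsgs` entry in the else branch avoids that (if the exit status is already checked above the hunk, the guard can be narrower). The message `"Error adding " + pluginToRun + " volatility report as a file"` is a user-facing string assembled inline, unlike the `Bundle.VolatilityProcessor_exceptionMessage_*` keys the removed code used, so it should be declared in `@NbBundle.Messages`. `new File(outputFileAsString)` on the last line re-creates the `outputFile` object that the previous hunk already built, so `createArtifactsFromPluginOutput(pluginToRun, outputFile);` suffices. `relativize` returns the unrelativized URI when the module output directory is not under the case directory, so if that layout is guaranteed elsewhere a short comment saying so would explain why the result is trusted as a case-relative path.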
From: Brian Carrier Date: Sat, 14 Apr 2018 22:54:44 -0400 Subject: [PATCH 2/9] Allow user to specify profile --- .../volatilityDSP/AddMemoryImageTask.java | 7 +- .../volatilityDSP/Bundle.properties | 6 +- .../volatilityDSP/MemoryDSInputPanel.form | 62 ++++----- .../volatilityDSP/MemoryDSInputPanel.java | 119 +++++++++++------- .../volatilityDSP/MemoryDSProcessor.java | 7 +- .../volatilityDSP/VolatilityProcessor.java | 34 +++-- 6 files changed, 141 insertions(+), 94 deletions(-) diff --git a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/AddMemoryImageTask.java b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/AddMemoryImageTask.java index 7490c3e7b1..e5f67909da 100644 --- a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/AddMemoryImageTask.java +++ b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/AddMemoryImageTask.java @@ -49,6 +49,7 @@ final class AddMemoryImageTask implements Runnable { private final DataSourceProcessorCallback callback; private volatile VolatilityProcessor volatilityProcessor; private volatile boolean isCancelled; + private final String profile; // empty for autodetect /** * Constructs a runnable that adds a memory image to a case database. @@ -57,6 +58,7 @@ final class AddMemoryImageTask implements Runnable { * associated with the data source that is intended * to be unique across multiple cases (e.g., a UUID). * @param memoryImagePath Path to the memory image file. + * @param profile Volatility profile to run or empty string to autodetect * @param pluginsToRun The Volatility plugins to run. * @param timeZone The time zone to use when processing dates and * times for the image, obtained from 
@@ -65,9 +67,10 @@ final class AddMemoryImageTask implements Runnable { * during processing. * @param callback Callback to call when processing is done. */ - AddMemoryImageTask(String deviceId, String memoryImagePath, List pluginsToRun, String timeZone, DataSourceProcessorProgressMonitor progressMonitor, DataSourceProcessorCallback callback) { + AddMemoryImageTask(String deviceId, String memoryImagePath, String profile, List pluginsToRun, String timeZone, DataSourceProcessorProgressMonitor progressMonitor, DataSourceProcessorCallback callback) { this.deviceId = deviceId; this.memoryImagePath = memoryImagePath; + this.profile = profile; this.pluginsToRun = pluginsToRun; this.timeZone = timeZone; this.callback = callback; @@ -94,7 +97,7 @@ final class AddMemoryImageTask implements Runnable { try { Image dataSource = addImageToCase(); dataSources.add(dataSource); - volatilityProcessor = new VolatilityProcessor(memoryImagePath, dataSource, pluginsToRun, progressMonitor); + volatilityProcessor = new VolatilityProcessor(memoryImagePath, dataSource, profile, pluginsToRun, progressMonitor); volatilityProcessor.run(); } catch (NoCurrentCaseException | TskCoreException | VolatilityProcessor.VolatilityProcessorException ex) { criticalErrorOccurred = true; diff --git a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/Bundle.properties b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/Bundle.properties index 007b78dc5a..1908725bcb 100755 --- a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/Bundle.properties +++ b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/Bundle.properties 
@@ -3,11 +3,11 @@ # and open the template in the editor. MemoryDSInputPanel.pathLabel.AccessibleContext.accessibleName=Browse for a memory image file: -MemoryDSInputPanel.PluginsToRunLabel.text=Available plugins to run: -MemoryDSInputPanel.volExecutableLabel.text=Version of Volatility to Run: +MemoryDSInputPanel.PluginsToRunLabel.text=Plugins to run: MemoryDSInputPanel.pathLabel.text=Browse for a memory image file: MemoryDSInputPanel.pathTextField.text= MemoryDSInputPanel.errorLabel.text=Error Label MemoryDSInputPanel.browseButton.text=Browse MemoryDSImputPanel.pathTextField.text= -MemoryDSInputPanel.timeZoneLabel.text=Please select the input timezone: \ No newline at end of file +MemoryDSInputPanel.timeZoneLabel.text=Please select the input timezone: +MemoryDSInputPanel.jLabel1.text=Profile: diff --git a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.form b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.form index 123f9b308b..a05b8261a0 100644 --- a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.form +++ b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.form @@ -32,9 +32,9 @@ - + @@ -43,8 +43,8 @@ - + @@ -66,17 +66,17 @@ - + - - + + - + - + @@ -139,27 +139,6 @@ - - - - - - - - - - - - - - - - - - - - - @@ -174,7 +153,7 @@ - + @@ -189,5 +168,30 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.java b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.java index f006687c3e..48244cb896 100644 --- a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.java +++ b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.java 
@@ -26,7 +26,9 @@ import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.SimpleTimeZone; +import java.util.SortedSet; import java.util.TimeZone; +import java.util.TreeSet; import javax.swing.JFileChooser; import javax.swing.JPanel; import javax.swing.JTable; @@ -54,6 +56,20 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener { private final List PluginListNames = new ArrayList<>(); private final Map pluginListStates = new HashMap<>(); // is set by listeners when users select and deselect items + private final SortedSet profileList = new TreeSet<>(Arrays.asList( + "VistaSP0x64", "VistaSP0x86", "VistaSP1x64", "VistaSP1x86", + "VistaSP2x64", "VistaSP2x86", "Win10x64", "Win10x64_10586", + "Win10x64_14393", "Win10x86", "Win10x86_10586", "Win10x86_14393", + "Win2003SP0x86", "Win2003SP1x64", "Win2003SP1x86", "Win2003SP2x64", + "Win2003SP2x86", "Win2008R2SP0x64", "Win2008R2SP1x64", "Win2008R2SP1x64_23418", + "Win2008SP1x64", "Win2008SP1x86", "Win2008SP2x64", "Win2008SP2x86", + "Win2012R2x64", "Win2012R2x64_18340", "Win2012x64", "Win2016x64_14393", + "Win7SP0x64", "Win7SP0x86", "Win7SP1x64", "Win7SP1x64_23418", "Win7SP1x86_23418", + "Win81U1x64", "Win81U1x86", "Win8SP0x64", "Win8SP0x86", "Win8SP1x64", + "Win8SP1x64_18340", "Win8SP1x86", "WinXPSP1x64", "WinXPSP2x64", "WinXPSP2x86", + "WinXPSP3x86")); + private final String AUTODETECT_PROFILE = "Auto Detect"; + /** * Creates new MemoryDSInputPanel panel for user input */ @@ -81,7 +97,7 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener { instance.postInit(); instance.customizePluginListTable(); instance.createTimeZoneList(); - instance.createVolatilityVersionList(); + instance.populateProfileCombobox(); instance.createPluginList(); return instance; 
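Review bot: `profileList` and `AUTODETECT_PROFILE` in the new field block are immutable per-class values declared as instance fields, so every panel instance rebuilds the whole TreeSet; `private static final` for both matches the UPPER_SNAKE_CASE name already chosen for `AUTODETECT_PROFILE`. The profile names are a snapshot of one Volatility release and will silently lag as new profiles ship, so a comment above the list such as `// profile names known to the bundled Volatility build; refresh this list when the executable is updated` records the maintenance obligation. If `SortedSet profileList` is really declared without a type argument in the source rather than lost in extraction, it should be `SortedSet<String>`.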
@@ -94,14 +110,14 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener { } private void customizePluginListTable() { - PluginList.setModel(tableModel); - PluginList.setTableHeader(null); - PluginList.setSelectionMode(ListSelectionModel.SINGLE_SELECTION); + pluginTable.setModel(tableModel); + pluginTable.setTableHeader(null); + pluginTable.setSelectionMode(ListSelectionModel.SINGLE_SELECTION); final int width = listsScrollPane.getPreferredSize().width; - PluginList.setAutoResizeMode(JTable.AUTO_RESIZE_NEXT_COLUMN); + pluginTable.setAutoResizeMode(JTable.AUTO_RESIZE_NEXT_COLUMN); TableColumn column; - for (int i = 0; i < PluginList.getColumnCount(); i++) { - column = PluginList.getColumnModel().getColumn(i); + for (int i = 0; i < pluginTable.getColumnCount(); i++) { + column = pluginTable.getColumnModel().getColumn(i); if (i == 0) { column.setPreferredWidth(((int) (width * 0.07))); } else { @@ -137,11 +153,12 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener { timeZoneComboBox.setSelectedItem(formatted); } - private void createVolatilityVersionList() { - - volExecutableComboBox.addItem("2.6"); - volExecutableComboBox.addItem("2.5"); - + + private void populateProfileCombobox() { + profileComboBox.addItem(AUTODETECT_PROFILE); + profileList.forEach((profile) -> { + profileComboBox.addItem(profile); + }); } private void createPluginList() { 
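Review bot: populateProfileCombobox wraps a single call in a braced lambda; `profileList.forEach(profileComboBox::addItem);` is the idiomatic form and reads as the intent. The method also lacks the Javadoc its neighbours carry; `/** Fills the profile combo box with the auto-detect entry followed by the known profiles in sorted order. */` would match the file's style.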
@@ -182,17 +199,17 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener { errorLabel = new javax.swing.JLabel(); timeZoneLabel = new javax.swing.JLabel(); timeZoneComboBox = new javax.swing.JComboBox<>(); - volExecutableLabel = new javax.swing.JLabel(); - volExecutableComboBox = new javax.swing.JComboBox<>(); PluginsToRunLabel = new javax.swing.JLabel(); listsScrollPane = new javax.swing.JScrollPane(); - PluginList = new javax.swing.JTable(); + pluginTable = new javax.swing.JTable(); + jLabel1 = new javax.swing.JLabel(); + profileComboBox = new javax.swing.JComboBox<>(); - org.openide.awt.Mnemonics.setLocalizedText(pathLabel, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.pathLabel.text")); // NOI18N + org.openide.awt.Mnemonics.setLocalizedText(pathLabel, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "RawDSInputPanel.pathLabel.text")); // NOI18N - pathTextField.setText(org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.pathTextField.text")); // NOI18N + pathTextField.setText(org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "RawDSInputPanel.pathTextField.text")); // NOI18N - org.openide.awt.Mnemonics.setLocalizedText(browseButton, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.browseButton.text")); // NOI18N + org.openide.awt.Mnemonics.setLocalizedText(browseButton, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "RawDSInputPanel.browseButton.text")); // NOI18N browseButton.addActionListener(new java.awt.event.ActionListener() { public void actionPerformed(java.awt.event.ActionEvent evt) { browseButtonActionPerformed(evt); 
@@ -200,24 +217,15 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener { }); errorLabel.setForeground(new java.awt.Color(255, 0, 0)); - org.openide.awt.Mnemonics.setLocalizedText(errorLabel, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.errorLabel.text")); // NOI18N + org.openide.awt.Mnemonics.setLocalizedText(errorLabel, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "RawDSInputPanel.errorLabel.text")); // NOI18N - org.openide.awt.Mnemonics.setLocalizedText(timeZoneLabel, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.timeZoneLabel.text")); // NOI18N + org.openide.awt.Mnemonics.setLocalizedText(timeZoneLabel, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "RawDSInputPanel.timeZoneLabel.text")); // NOI18N timeZoneComboBox.setMaximumRowCount(30); - org.openide.awt.Mnemonics.setLocalizedText(volExecutableLabel, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.volExecutableLabel.text")); // NOI18N - - volExecutableComboBox.setEnabled(false); - volExecutableComboBox.addActionListener(new java.awt.event.ActionListener() { - public void actionPerformed(java.awt.event.ActionEvent evt) { - volExecutableComboBoxActionPerformed(evt); - } - }); - org.openide.awt.Mnemonics.setLocalizedText(PluginsToRunLabel, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.PluginsToRunLabel.text")); // NOI18N - PluginList.setModel(new javax.swing.table.DefaultTableModel( + pluginTable.setModel(new javax.swing.table.DefaultTableModel( new Object [][] { {}, {}, 
@@ -228,7 +236,16 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener { } )); - listsScrollPane.setViewportView(PluginList); + listsScrollPane.setViewportView(pluginTable); + + org.openide.awt.Mnemonics.setLocalizedText(jLabel1, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.jLabel1.text")); // NOI18N + + profileComboBox.setModel(new javax.swing.DefaultComboBoxModel<>(new String[] { "Item 1", "Item 2", "Item 3", "Item 4" })); + profileComboBox.addActionListener(new java.awt.event.ActionListener() { + public void actionPerformed(java.awt.event.ActionEvent evt) { + profileComboBoxActionPerformed(evt); + } + }); javax.swing.GroupLayout layout = new javax.swing.GroupLayout(this); this.setLayout(layout); 
@@ -245,15 +262,15 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener { .addComponent(timeZoneLabel, javax.swing.GroupLayout.PREFERRED_SIZE, 168, javax.swing.GroupLayout.PREFERRED_SIZE) .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED) .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING) - .addComponent(volExecutableComboBox, javax.swing.GroupLayout.PREFERRED_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE) .addComponent(timeZoneComboBox, javax.swing.GroupLayout.PREFERRED_SIZE, 199, javax.swing.GroupLayout.PREFERRED_SIZE) - .addComponent(listsScrollPane, javax.swing.GroupLayout.PREFERRED_SIZE, 248, javax.swing.GroupLayout.PREFERRED_SIZE)))) + .addComponent(listsScrollPane, javax.swing.GroupLayout.PREFERRED_SIZE, 248, javax.swing.GroupLayout.PREFERRED_SIZE) + .addComponent(profileComboBox, javax.swing.GroupLayout.PREFERRED_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE)))) .addGap(0, 163, Short.MAX_VALUE)) .addGroup(layout.createSequentialGroup() .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING) .addComponent(errorLabel) - .addComponent(volExecutableLabel) - .addComponent(PluginsToRunLabel)) + .addComponent(PluginsToRunLabel) + .addComponent(jLabel1)) .addContainerGap(javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)) ); layout.setVerticalGroup( 
@@ -270,15 +287,15 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener { .addComponent(timeZoneComboBox, javax.swing.GroupLayout.PREFERRED_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE)) .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED) .addComponent(errorLabel) - .addGap(18, 18, 18) + .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.UNRELATED) .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE) - .addComponent(volExecutableLabel) - .addComponent(volExecutableComboBox, javax.swing.GroupLayout.PREFERRED_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE)) + .addComponent(jLabel1) + .addComponent(profileComboBox, javax.swing.GroupLayout.PREFERRED_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE)) .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.UNRELATED) .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING) .addComponent(PluginsToRunLabel) - .addComponent(listsScrollPane, javax.swing.GroupLayout.PREFERRED_SIZE, 132, javax.swing.GroupLayout.PREFERRED_SIZE)) - .addContainerGap(30, Short.MAX_VALUE)) + .addComponent(listsScrollPane, javax.swing.GroupLayout.PREFERRED_SIZE, 122, javax.swing.GroupLayout.PREFERRED_SIZE)) + .addContainerGap(59, Short.MAX_VALUE)) ); pathLabel.getAccessibleContext().setAccessibleName(org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.pathLabel.AccessibleContext.accessibleName")); // NOI18N 
@@ -299,23 +316,23 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener { } }//GEN-LAST:event_browseButtonActionPerformed - private void volExecutableComboBoxActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_volExecutableComboBoxActionPerformed + private void profileComboBoxActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_profileComboBoxActionPerformed // TODO add your handling code here: - }//GEN-LAST:event_volExecutableComboBoxActionPerformed + }//GEN-LAST:event_profileComboBoxActionPerformed // Variables declaration - do not modify//GEN-BEGIN:variables - private javax.swing.JTable PluginList; private javax.swing.JLabel PluginsToRunLabel; private javax.swing.JButton browseButton; private javax.swing.JLabel errorLabel; private javax.swing.ButtonGroup infileTypeButtonGroup; + private javax.swing.JLabel jLabel1; private javax.swing.JScrollPane listsScrollPane; private javax.swing.JLabel pathLabel; private javax.swing.JTextField pathTextField; + private javax.swing.JTable pluginTable; + private javax.swing.JComboBox profileComboBox; private javax.swing.JComboBox timeZoneComboBox; private javax.swing.JLabel timeZoneLabel; - private javax.swing.JComboBox volExecutableComboBox; - private javax.swing.JLabel volExecutableLabel; // End of variables declaration//GEN-END:variables /** * Get the path of the user selected image. @@ -326,6 +343,18 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener { return pathTextField.getText(); } + /** + * + * @return Profile or empty string if auto detect + */ + String getProfile() { + String profile = (String)profileComboBox.getSelectedItem(); + if (profile.equals(AUTODETECT_PROFILE)) { + return ""; + } + return profile; + } + List getPluginsToRun() { List enabledPlugins = new ArrayList<>(); Map pluginSettingsToSave = new HashMap<>(); 
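Review bot: getProfile() casts `profileComboBox.getSelectedItem()` and then calls `profile.equals(AUTODETECT_PROFILE)` on it, so a combo box with no selection (null item) throws a NullPointerException instead of falling back to auto-detect; `if (profile == null || AUTODETECT_PROFILE.equals(profile)) { return ""; }` keeps the documented empty-string contract for that case. The Javadoc above it has an empty summary line; `/** Returns the Volatility profile the user chose, or an empty string when auto-detect is selected. */` is the summary the `@return` tag implies. The generated name `jLabel1` (and the matching `MemoryDSInputPanel.jLabel1.text` bundle key) should be renamed to `profileLabel` in the form designer, as the other labels in the variables block are. getPluginsToRun continues beyond the hunk.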
diff --git a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSProcessor.java b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSProcessor.java index 9791ad1f09..dc05cb8376 100644 --- a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSProcessor.java +++ b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSProcessor.java @@ -117,7 +117,7 @@ public class MemoryDSProcessor implements DataSourceProcessor { @Override public void run(DataSourceProcessorProgressMonitor progressMonitor, DataSourceProcessorCallback callback) { configPanel.storeSettings(); - run(UUID.randomUUID().toString(), configPanel.getImageFilePath(), configPanel.getPluginsToRun(), configPanel.getTimeZone(), progressMonitor, callback); + run(UUID.randomUUID().toString(), configPanel.getImageFilePath(), configPanel.getProfile(), configPanel.getPluginsToRun(), configPanel.getTimeZone(), progressMonitor, callback); } /** @@ -131,6 +131,7 @@ public class MemoryDSProcessor implements DataSourceProcessor { * associated with the data source that is intended * to be unique across multiple cases (e.g., a UUID). * @param memoryImagePath Path to the memory image file. + * @param profile Volatility profile to run or empty string to autodetect * @param pluginsToRun The Volatility plugins to run. * @param timeZone The time zone to use when processing dates and * times for the image, obtained from 
@@ -139,8 +140,8 @@ public class MemoryDSProcessor implements DataSourceProcessor { * processing. * @param callback Callback to call when processing is done. */ - private void run(String deviceId, String memoryImagePath, List pluginsToRun, String timeZone, DataSourceProcessorProgressMonitor progressMonitor, DataSourceProcessorCallback callback) { - addImageTask = new AddMemoryImageTask(deviceId, memoryImagePath, pluginsToRun, timeZone, progressMonitor, callback); + private void run(String deviceId, String memoryImagePath, String profile, List pluginsToRun, String timeZone, DataSourceProcessorProgressMonitor progressMonitor, DataSourceProcessorCallback callback) { + addImageTask = new AddMemoryImageTask(deviceId, memoryImagePath, profile, pluginsToRun, timeZone, progressMonitor, callback); new Thread(addImageTask).start(); } diff --git a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java index 59293de566..ec85fc21e5 100644 --- a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java +++ b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java @@ -71,6 +71,7 @@ class VolatilityProcessor { private FileManager fileManager; private volatile boolean isCancelled; private Content outputVirtDir; + private String profile; /** * Constructs a processor that runs Volatility on a given memory image file 
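Review bot: The new field `private String profile;` is the only non-final configuration value in this block and the reason is not visible here: a later hunk in this patch reassigns it inside run() with the profile parsed from imageinfo output when the caller passed an empty string. A comment such as `// profile given by the caller; replaced by the auto-detected one in run() when empty` documents why it cannot be final, and the `@param profile` line in the constructor Javadoc could say the same. The constructor and run() are outside this hunk.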
@@ -78,11 +79,13 @@ class VolatilityProcessor { * * @param memoryImagePath Path to memory image file. * @param dataSource The memory image data source. + * @param profile Volatility profile to run or empty string to autodetect * @param plugInToRuns Volatility plugins to run. * @param progressMonitor Progress monitor for reporting progress during * processing. */ - VolatilityProcessor(String memoryImagePath, Image dataSource, List plugInToRun, DataSourceProcessorProgressMonitor progressMonitor) { + VolatilityProcessor(String memoryImagePath, Image dataSource, String profile, List plugInToRun, DataSourceProcessorProgressMonitor progressMonitor) { + this.profile = profile; this.memoryImagePath = memoryImagePath; this.pluginsToRun = plugInToRun; this.dataSource = dataSource; @@ -133,11 +136,16 @@ class VolatilityProcessor { File directory = new File(String.valueOf(moduleOutputPath)); if (!directory.exists()) { directory.mkdirs(); + + } + + // if they did not specify a profile, then run imageinfo to get one + if (profile.isEmpty() ) { progressMonitor.setProgressText(Bundle.VolatilityProcessor_progressMessage_runningImageInfo("imageinfo")); //NON-NLS runVolatilityPlugin("imageinfo"); //NON-NLS + profile = getProfileFromImageInfoOutput(); } - progressMonitor.setIndeterminate(false); progressMonitor.setProgressMax(pluginsToRun.size()); for (int i = 0; i < pluginsToRun.size(); i++) { 
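Review bot: `if (profile.isEmpty() )` in run() dereferences the constructor argument without a null check and nothing in either hunk normalises it, so a null profile from a caller fails here with a NullPointerException rather than being treated as auto-detect; assigning `this.profile = (profile == null) ? "" : profile;` in the constructor hunk earlier on this line keeps the "empty means auto-detect" contract in one place. The blank line left inside the `mkdirs()` block and the space before `)` in the new condition are formatter noise. `directory.mkdirs()` still discards its return value, so a directory that could not be created only surfaces later when Volatility cannot write its output; `if (!directory.exists() && !directory.mkdirs()) { throw new VolatilityProcessorException(/* bundle message */); }` reports it at the source. run() starts and ends outside this hunk.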
@@ -186,13 +194,9 @@ class VolatilityProcessor { commandLine.add("\"" + executableFile + "\""); //NON-NLS File memoryImage = new File(memoryImagePath); commandLine.add("--filename=" + memoryImage.getName()); //NON-NLS - - File imageInfoOutputFile = new File(moduleOutputPath + "\\imageinfo.txt"); //NON-NLS - if (imageInfoOutputFile.exists()) { - String memoryProfile = parseImageInfoOutput(imageInfoOutputFile); - commandLine.add("--profile=" + memoryProfile); //NON-NLS + if (profile.isEmpty() == false) { + commandLine.add("--profile=" + profile); //NON-NLS } - commandLine.add(pluginToRun); String outputFileAsString = moduleOutputPath + "\\" + pluginToRun + ".txt"; //NON-NLS @@ -258,12 +262,18 @@ class VolatilityProcessor { @NbBundle.Messages({ "VolatilityProcessor_exceptionMessage_failedToParseImageInfo=Could not parse image info" }) - private String parseImageInfoOutput(File imageOutputFile) throws VolatilityProcessorException { + private String getProfileFromImageInfoOutput() throws VolatilityProcessorException { + File imageOutputFile = new File(moduleOutputPath + "\\imageinfo.txt"); //NON-NLS try (BufferedReader br = new BufferedReader(new FileReader(imageOutputFile))) { String fileRead = br.readLine(); - String[] profileLine = fileRead.split(":"); //NON-NLS - String[] memProfile = profileLine[1].split(",|\\("); //NON-NLS - return memProfile[0].replaceAll("\\s+", ""); //NON-NLS + if (fileRead != null) { + String[] profileLine = fileRead.split(":"); //NON-NLS + String[] memProfile = profileLine[1].split(",|\\("); //NON-NLS + return memProfile[0].replaceAll("\\s+", ""); //NON-NLS + } + else { + throw new VolatilityProcessorException(Bundle.VolatilityProcessor_exceptionMessage_failedToParseImageInfo()); + } } catch (IOException ex) { throw new VolatilityProcessorException(Bundle.VolatilityProcessor_exceptionMessage_failedToParseImageInfo(), ex); } From b77f0007a8c24a3831ac67e4fec1c56c4ec265fe Mon Sep 17 00:00:00 2001 
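Review bot: In getProfileFromImageInfoOutput, `profileLine[1]` is indexed without checking that the first line of imageinfo.txt contained a `:`, so a Volatility error message on that line raises an ArrayIndexOutOfBoundsException that the `catch (IOException ex)` does not cover and the caller does not expect. The parsed token is afterwards placed on the command line as `--profile=` in the runVolatilityPlugin hunk earlier on this line, so an empty token should be rejected here as well instead of launching Volatility with a bare `--profile=`; both checks can reuse the existing `VolatilityProcessor_exceptionMessage_failedToParseImageInfo` message, as below. `FileReader` also reads with the platform charset, so `Files.newBufferedReader(imageOutputFile.toPath(), StandardCharsets.UTF_8)` would make the parse deterministic across machines. In the runVolatilityPlugin hunk, `if (profile.isEmpty() == false)` is conventionally written `if (!profile.isEmpty())`.
```java
String fileRead = br.readLine();
// the parser assumes "<label> : <profile>[, <profile> ...][ (...)]" on the first line;
// a line without ':' (e.g. a Volatility error) cannot be parsed
String[] profileLine = (fileRead == null) ? new String[0] : fileRead.split(":"); //NON-NLS
if (profileLine.length < 2) {
    throw new VolatilityProcessorException(Bundle.VolatilityProcessor_exceptionMessage_failedToParseImageInfo());
}
String[] memProfile = profileLine[1].split(",|\\("); //NON-NLS
String detectedProfile = memProfile[0].replaceAll("\\s+", ""); //NON-NLS
if (detectedProfile.isEmpty()) {
    throw new VolatilityProcessorException(Bundle.VolatilityProcessor_exceptionMessage_failedToParseImageInfo());
}
return detectedProfile;
// … unchanged: catch (IOException ex) …
```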
From: Brian Carrier Date: Sun, 15 Apr 2018 00:00:25 -0400 Subject: [PATCH 3/9] Fix bundle name --- .../experimental/volatilityDSP/MemoryDSInputPanel.java | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.java b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.java index 48244cb896..18ef95f36b 100644 --- a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.java +++ b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.java @@ -205,11 +205,11 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener { jLabel1 = new javax.swing.JLabel(); profileComboBox = new javax.swing.JComboBox<>(); - org.openide.awt.Mnemonics.setLocalizedText(pathLabel, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "RawDSInputPanel.pathLabel.text")); // NOI18N + org.openide.awt.Mnemonics.setLocalizedText(pathLabel, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.pathLabel.text")); // NOI18N - pathTextField.setText(org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "RawDSInputPanel.pathTextField.text")); // NOI18N + pathTextField.setText(org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.pathTextField.text")); // NOI18N - org.openide.awt.Mnemonics.setLocalizedText(browseButton, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "RawDSInputPanel.browseButton.text")); // NOI18N + org.openide.awt.Mnemonics.setLocalizedText(browseButton, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.browseButton.text")); // NOI18N browseButton.addActionListener(new java.awt.event.ActionListener() { public void actionPerformed(java.awt.event.ActionEvent evt) { browseButtonActionPerformed(evt); 
@@ -217,9 +217,9 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener { }); errorLabel.setForeground(new java.awt.Color(255, 0, 0)); - org.openide.awt.Mnemonics.setLocalizedText(errorLabel, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "RawDSInputPanel.errorLabel.text")); // NOI18N + org.openide.awt.Mnemonics.setLocalizedText(errorLabel, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.errorLabel.text")); // NOI18N - org.openide.awt.Mnemonics.setLocalizedText(timeZoneLabel, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "RawDSInputPanel.timeZoneLabel.text")); // NOI18N + org.openide.awt.Mnemonics.setLocalizedText(timeZoneLabel, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.timeZoneLabel.text")); // NOI18N timeZoneComboBox.setMaximumRowCount(30); From ee096bba59501ed30910da8b36567317812fc180 Mon Sep 17 00:00:00 2001 From: Brian Carrier Date: Sun, 15 Apr 2018 00:11:27 -0400 Subject: [PATCH 4/9] cleanup old RAW references --- .../volatilityDSP/MemoryDSInputPanel.form | 16 +++++----------- .../volatilityDSP/MemoryDSInputPanel.java | 2 +- 2 files changed, 6 insertions(+), 12 deletions(-) diff --git a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.form b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.form index a05b8261a0..1b52f24aea 100644 --- a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.form +++ b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.form @@ -85,7 +85,7 @@ - + @@ -97,14 +97,14 @@ - + - + @@ -117,14 +117,14 @@ - + - + @@ -178,12 +178,6 @@ - - - - - - diff --git a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.java b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.java index 18ef95f36b..7d7427bc21 100644 
--- a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.java +++ b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.java @@ -240,7 +240,7 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener { org.openide.awt.Mnemonics.setLocalizedText(jLabel1, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.jLabel1.text")); // NOI18N - profileComboBox.setModel(new javax.swing.DefaultComboBoxModel<>(new String[] { "Item 1", "Item 2", "Item 3", "Item 4" })); + profileComboBox.setModel(new javax.swing.DefaultComboBoxModel<>()); profileComboBox.addActionListener(new java.awt.event.ActionListener() { public void actionPerformed(java.awt.event.ActionEvent evt) { profileComboBoxActionPerformed(evt); From cf7970cb4294f9a744f24dfcaca737a0318838fd Mon Sep 17 00:00:00 2001 From: Brian Carrier Date: Sun, 15 Apr 2018 00:51:05 -0400 Subject: [PATCH 5/9] Codacy messages and more bundle cleanup --- .../volatilityDSP/Bundle.properties | 3 +- .../volatilityDSP/MemoryDSInputPanel.form | 29 ++++++++++--------- .../volatilityDSP/MemoryDSInputPanel.java | 22 ++++++++++---- .../volatilityDSP/VolatilityProcessor.java | 1 - 4 files changed, 32 insertions(+), 23 deletions(-) diff --git a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/Bundle.properties b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/Bundle.properties index 1908725bcb..4f6bc6b9b9 100755 --- a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/Bundle.properties +++ b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/Bundle.properties 
@@ -8,6 +8,5 @@ MemoryDSInputPanel.pathLabel.text=Browse for a memory image file: MemoryDSInputPanel.pathTextField.text= MemoryDSInputPanel.errorLabel.text=Error Label MemoryDSInputPanel.browseButton.text=Browse -MemoryDSImputPanel.pathTextField.text= -MemoryDSInputPanel.timeZoneLabel.text=Please select the input timezone: +MemoryDSInputPanel.timeZoneLabel.text=Timezone: MemoryDSInputPanel.jLabel1.text=Profile: diff --git a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.form b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.form index 1b52f24aea..3529fe8920 100644 --- a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.form +++ b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.form @@ -28,13 +28,15 @@ - - + + - - + + + + @@ -76,7 +78,7 @@ - + @@ -85,7 +87,7 @@ - + @@ -97,14 +99,17 @@ - + + + + - + @@ -117,14 +122,14 @@ - + - + @@ -176,10 +181,6 @@ - - - - diff --git a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.java b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.java index 7d7427bc21..beaa46fc36 100644 --- a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.java +++ b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.java @@ -44,6 +44,7 @@ import org.sleuthkit.autopsy.corecomponentinterfaces.DataSourceProcessor; import org.sleuthkit.autopsy.coreutils.ModuleSettings; import org.sleuthkit.autopsy.coreutils.PathValidator; +@SuppressWarnings("PMD.SingularField") // UI widgets cause lots of false positives final class MemoryDSInputPanel extends JPanel implements DocumentListener { private static final long serialVersionUID = 1L; //default 
@@ -68,7 +69,7 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener { "Win81U1x64", "Win81U1x86", "Win8SP0x64", "Win8SP0x86", "Win8SP1x64", "Win8SP1x64_18340", "Win8SP1x86", "WinXPSP1x64", "WinXPSP2x64", "WinXPSP2x86", "WinXPSP3x86")); - private final String AUTODETECT_PROFILE = "Auto Detect"; + private final static String AUTODETECT_PROFILE = "Auto Detect"; /** * Creates new MemoryDSInputPanel panel for user input @@ -208,6 +209,11 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener { org.openide.awt.Mnemonics.setLocalizedText(pathLabel, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.pathLabel.text")); // NOI18N pathTextField.setText(org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.pathTextField.text")); // NOI18N + pathTextField.addActionListener(new java.awt.event.ActionListener() { + public void actionPerformed(java.awt.event.ActionEvent evt) { + pathTextFieldActionPerformed(evt); + } + }); org.openide.awt.Mnemonics.setLocalizedText(browseButton, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.browseButton.text")); // NOI18N browseButton.addActionListener(new java.awt.event.ActionListener() { @@ -240,7 +246,6 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener { org.openide.awt.Mnemonics.setLocalizedText(jLabel1, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.jLabel1.text")); // NOI18N - profileComboBox.setModel(new javax.swing.DefaultComboBoxModel<>()); profileComboBox.addActionListener(new java.awt.event.ActionListener() { public void actionPerformed(java.awt.event.ActionEvent evt) { profileComboBoxActionPerformed(evt); 
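Review bot: `private final static String AUTODETECT_PROFILE` uses a non-conventional modifier order; the JLS-recommended order that Checkstyle's ModifierOrder check enforces is `private static final String AUTODETECT_PROFILE = "Auto Detect";`. Making the field static is the right call since the value is a compile-time constant and the panel is instantiated per context. The added `pathTextField` action listener in the second hunk forwards to a `pathTextFieldActionPerformed` handler that the later hunk adds as an empty TODO stub; if pressing Enter in the path field is not meant to do anything, removing the listener from the form avoids shipping a dead handler.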
@@ -259,12 +264,13 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener { .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING) .addComponent(pathLabel, javax.swing.GroupLayout.PREFERRED_SIZE, 218, javax.swing.GroupLayout.PREFERRED_SIZE) .addGroup(layout.createSequentialGroup() - .addComponent(timeZoneLabel, javax.swing.GroupLayout.PREFERRED_SIZE, 168, javax.swing.GroupLayout.PREFERRED_SIZE) + .addComponent(timeZoneLabel, javax.swing.GroupLayout.PREFERRED_SIZE, 134, javax.swing.GroupLayout.PREFERRED_SIZE) .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED) .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING) - .addComponent(timeZoneComboBox, javax.swing.GroupLayout.PREFERRED_SIZE, 199, javax.swing.GroupLayout.PREFERRED_SIZE) .addComponent(listsScrollPane, javax.swing.GroupLayout.PREFERRED_SIZE, 248, javax.swing.GroupLayout.PREFERRED_SIZE) - .addComponent(profileComboBox, javax.swing.GroupLayout.PREFERRED_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE)))) + .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.TRAILING, false) + .addComponent(profileComboBox, javax.swing.GroupLayout.Alignment.LEADING, 0, 243, Short.MAX_VALUE) + .addComponent(timeZoneComboBox, javax.swing.GroupLayout.Alignment.LEADING, 0, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE))))) .addGap(0, 163, Short.MAX_VALUE)) .addGroup(layout.createSequentialGroup() .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING) 
@@ -295,7 +301,7 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener { .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING) .addComponent(PluginsToRunLabel) .addComponent(listsScrollPane, javax.swing.GroupLayout.PREFERRED_SIZE, 122, javax.swing.GroupLayout.PREFERRED_SIZE)) - .addContainerGap(59, Short.MAX_VALUE)) + .addContainerGap(73, Short.MAX_VALUE)) ); pathLabel.getAccessibleContext().setAccessibleName(org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.pathLabel.AccessibleContext.accessibleName")); // NOI18N @@ -320,6 +326,10 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener { // TODO add your handling code here: }//GEN-LAST:event_profileComboBoxActionPerformed + private void pathTextFieldActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_pathTextFieldActionPerformed + // TODO add your handling code here: + }//GEN-LAST:event_pathTextFieldActionPerformed + // Variables declaration - do not modify//GEN-BEGIN:variables private javax.swing.JLabel PluginsToRunLabel; private javax.swing.JButton browseButton; diff --git a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java index ec85fc21e5..1d23367d65 100644 --- a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java +++ b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java @@ -29,7 +29,6 @@ import java.util.List; import java.util.Set; import java.util.logging.Level; import org.openide.modules.InstalledFileLocator; -import org.openide.util.Exceptions; import org.openide.util.NbBundle; import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException; From dc8a5d7ffb92206bbec5649d7c2a583aa273a412 Mon Sep 17 00:00:00 2001 
From: Brian Carrier
Date: Sun, 22 Apr 2018 11:12:36 -0400
Subject: [PATCH 6/9] Disable loading of Python modules to prevent exception until it is fixed
---
 .../autopsy/ingest/IngestJobSettings.java | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/Core/src/org/sleuthkit/autopsy/ingest/IngestJobSettings.java b/Core/src/org/sleuthkit/autopsy/ingest/IngestJobSettings.java
index 3a06a3be4d..d512c6670c 100644
--- a/Core/src/org/sleuthkit/autopsy/ingest/IngestJobSettings.java
+++ b/Core/src/org/sleuthkit/autopsy/ingest/IngestJobSettings.java
@@ -501,13 +501,16 @@ public final class IngestJobSettings {
 this.warnings.add(warning);
 }
 } else {
- try (PythonObjectInputStream in = new PythonObjectInputStream(new FileInputStream(settingsFile.getAbsolutePath()))) {
- settings = (IngestModuleIngestJobSettings) in.readObject();
- } catch (IOException | ClassNotFoundException exception) {
- String warning = NbBundle.getMessage(IngestJobSettings.class, "IngestJobSettings.moduleSettingsLoad.warning", factory.getModuleDisplayName(), this.executionContext); //NON-NLS
- logger.log(Level.WARNING, warning, exception);
- this.warnings.add(warning);
- }
+ // @@@ BC Jython serialization is currently broken and this
+ // throws an exception. (-2323). Commenting out so that
+ // Python modules will at least load with default settings.
+// try (PythonObjectInputStream in = new PythonObjectInputStream(new FileInputStream(settingsFile.getAbsolutePath()))) {
+// settings = (IngestModuleIngestJobSettings) in.readObject();
+// } catch (IOException | ClassNotFoundException exception) {
+// String warning = NbBundle.getMessage(IngestJobSettings.class, "IngestJobSettings.moduleSettingsLoad.warning", factory.getModuleDisplayName(), this.executionContext); //NON-NLS
+// logger.log(Level.WARNING, warning, exception);
+// this.warnings.add(warning);
+// }
 }
 }
 if (settings == null) {
From 72dfafc69367d241c240de47f96c38a11623b867 Mon Sep 17 00:00:00 2001
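Review bot: The `else` branch is now empty, so a Python module whose settings file exists is silently given default settings with no log entry and nothing added to `this.warnings`, which hides the regression from the analyst; at minimum log it, e.g. `logger.log(Level.WARNING, "Saved settings for Python module {0} not loaded (see -2323); using defaults", factory.getModuleDisplayName()); //NON-NLS`. Leaving the old code as a commented-out block is also a maintenance hazard, since a reader cannot tell whether it is dead or pending; a boolean constant guarding the block (a constructed name such as `LOAD_PYTHON_MODULE_SETTINGS`) with the same explanatory comment keeps the intent compilable and greppable. When this path is re-enabled, note that `in.readObject()` on a settings file in the case directory is native Java deserialization of on-disk data, so restricting the accepted classes with a deserialization filter (`java.io.ObjectInputFilter` on Java 9+) would be worth adding at the same time. The enclosing method starts and ends outside the hunk.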
From: Brian Carrier Date: Sun, 22 Apr 2018 11:13:01 -0400 Subject: [PATCH 7/9] renamed variable --- .../experimental/volatilityDSP/Bundle.properties | 2 +- .../experimental/volatilityDSP/MemoryDSInputPanel.form | 8 ++++---- .../experimental/volatilityDSP/MemoryDSInputPanel.java | 10 +++++----- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/Bundle.properties b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/Bundle.properties index 4f6bc6b9b9..1c7d3312da 100755 --- a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/Bundle.properties +++ b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/Bundle.properties @@ -9,4 +9,4 @@ MemoryDSInputPanel.pathTextField.text= MemoryDSInputPanel.errorLabel.text=Error Label MemoryDSInputPanel.browseButton.text=Browse MemoryDSInputPanel.timeZoneLabel.text=Timezone: -MemoryDSInputPanel.jLabel1.text=Profile: +MemoryDSInputPanel.profileLabel.text=Profile: diff --git a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.form b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.form index 3529fe8920..f899eeb503 100644 --- a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.form +++ b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.form @@ -46,7 +46,7 @@ - + @@ -70,7 +70,7 @@ - + @@ -173,10 +173,10 @@ - + - + diff --git a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.java b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.java index beaa46fc36..7c87a5f810 100644 --- a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.java +++ b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.java 
@@ -203,7 +203,7 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener { PluginsToRunLabel = new javax.swing.JLabel(); listsScrollPane = new javax.swing.JScrollPane(); pluginTable = new javax.swing.JTable(); - jLabel1 = new javax.swing.JLabel(); + profileLabel = new javax.swing.JLabel(); profileComboBox = new javax.swing.JComboBox<>(); org.openide.awt.Mnemonics.setLocalizedText(pathLabel, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.pathLabel.text")); // NOI18N @@ -244,7 +244,7 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener { )); listsScrollPane.setViewportView(pluginTable); - org.openide.awt.Mnemonics.setLocalizedText(jLabel1, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.jLabel1.text")); // NOI18N + org.openide.awt.Mnemonics.setLocalizedText(profileLabel, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.profileLabel.text")); // NOI18N profileComboBox.addActionListener(new java.awt.event.ActionListener() { public void actionPerformed(java.awt.event.ActionEvent evt) { @@ -276,7 +276,7 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener { .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING) .addComponent(errorLabel) .addComponent(PluginsToRunLabel) - .addComponent(jLabel1)) + .addComponent(profileLabel)) .addContainerGap(javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)) ); layout.setVerticalGroup( 
@@ -295,7 +295,7 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener { .addComponent(errorLabel) .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.UNRELATED) .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE) - .addComponent(jLabel1) + .addComponent(profileLabel) .addComponent(profileComboBox, javax.swing.GroupLayout.PREFERRED_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE)) .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.UNRELATED) .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING) @@ -335,12 +335,12 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener { private javax.swing.JButton browseButton; private javax.swing.JLabel errorLabel; private javax.swing.ButtonGroup infileTypeButtonGroup; - private javax.swing.JLabel jLabel1; private javax.swing.JScrollPane listsScrollPane; private javax.swing.JLabel pathLabel; private javax.swing.JTextField pathTextField; private javax.swing.JTable pluginTable; private javax.swing.JComboBox profileComboBox; + private javax.swing.JLabel profileLabel; private javax.swing.JComboBox timeZoneComboBox; private javax.swing.JLabel timeZoneLabel; // End of variables declaration//GEN-END:variables From b4df569d411cbb3a9251f9d6aca4dfc30cef29ac Mon Sep 17 00:00:00 2001 From: Brian Carrier Date: Sun, 22 Apr 2018 11:32:45 -0400 Subject: [PATCH 8/9] changed logic --- .../autopsy/experimental/volatilityDSP/VolatilityProcessor.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java index 1d23367d65..f3f2c75b9d 100644 --- a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java 
+++ b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java
@@ -193,7 +193,7 @@ class VolatilityProcessor {
 commandLine.add("\"" + executableFile + "\""); //NON-NLS
 File memoryImage = new File(memoryImagePath);
 commandLine.add("--filename=" + memoryImage.getName()); //NON-NLS
- if (profile.isEmpty() == false) {
+ if (!profile.isEmpty()) {
 commandLine.add("--profile=" + profile); //NON-NLS
 }
 commandLine.add(pluginToRun);
From 7b2e19aa5521ed0865d358a085e353cb71a187de Mon Sep 17 00:00:00 2001
From: Brian Carrier
Date: Sun, 22 Apr 2018 23:18:33 -0400
Subject: [PATCH 9/9] Added dump commands to Volatility list
---
 .../volatilityDSP/MemoryDSInputPanel.java | 2 +-
 .../volatilityDSP/VolatilityProcessor.java | 26 +++++++++++++++----
 2 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.java b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.java
index 7c87a5f810..134cdbc914 100644
--- a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.java
+++ b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.java
@@ -75,7 +75,7 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener { * Creates new MemoryDSInputPanel panel for user input */ private MemoryDSInputPanel(String context) { - this.pluginList = new String[]{"amcache", "cmdline", "cmdscan", "consoles", "malfind", "netscan", "notepad", "pslist", "psxview", "shellbags", "shimcache", "shutdown", "userassist", "apihooks", "connscan", "devicetree", "dlllist", "envars", "filescan", "gahti", "getservicesids", "getsids", "handles", "hashdump", "hivelist", "hivescan", "impscan", "ldrmodules", "lsadump", "modules", "mutantscan", "privs", "psscan", "pstree", "sockets", "svcscan", "shimcache", "timeliner", "unloadedmodules", "userhandles", "vadinfo", "verinfo"}; + this.pluginList = new String[]{"amcache", "cmdline", "cmdscan", "consoles", "malfind", "netscan", "notepad", "pslist", "psxview", "shellbags", "shimcache", "shutdown", "userassist", "apihooks", "connscan", "devicetree", "dlllist", "envars", "filescan", "gahti", "getservicesids", "getsids", "handles", "hashdump", "hivelist", "hivescan", "impscan", "ldrmodules", "lsadump", "modules", "mutantscan", "privs", "psscan", "pstree", "sockets", "svcscan", "shimcache", "timeliner", "unloadedmodules", "userhandles", "vadinfo", "verinfo", "dlldump", "moddump", "procdump", "dumpfiles", "dumpregistry"}; Arrays.sort(this.pluginList); initComponents(); diff --git a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java index f3f2c75b9d..9d3fcd15d5 100644 --- a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java +++ b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java 
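Review bot: The new plugin array still lists `"shimcache"` twice (after `"shellbags"` and again after `"svcscan"`), so after `Arrays.sort` the table presumably shows it as two rows and the enabled-plugin list handed to the processor can contain the same plugin twice; drop the second occurrence, or build the list through a `LinkedHashSet` so duplicates cannot creep back in. The five additions (`dlldump`, `moddump`, `procdump`, `dumpfiles`, `dumpregistry`) differ from the rest of the list in that they write carved executables, cached files and registry hives from the memory image to disk rather than a text report; since the image may come from a compromised host, the panel text or a tooltip on these rows should say that the output directory can contain live malicious binaries that endpoint protection on the examiner workstation may quarantine or delete from the case folder. The constructor continues outside the hunk.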
@@ -134,8 +134,7 @@ class VolatilityProcessor { moduleOutputPath = Paths.get(currentCase.getModuleDirectory(), VOLATILITY, dataSourceId.toString()).toString(); File directory = new File(String.valueOf(moduleOutputPath)); if (!directory.exists()) { - directory.mkdirs(); - + directory.mkdirs(); } // if they did not specify a profile, then run imageinfo to get one @@ -198,7 +197,24 @@ class VolatilityProcessor { } commandLine.add(pluginToRun); - String outputFileAsString = moduleOutputPath + "\\" + pluginToRun + ".txt"; //NON-NLS + switch (pluginToRun) { + case "dlldump": + case "moddump": + case "procdump": + case "dumpregistry": + case "dumpfiles": + String outputDir = moduleOutputPath + File.separator + pluginToRun; + File directory = new File(outputDir); + if (!directory.exists()) { + directory.mkdirs(); + } + commandLine.add("--dump-dir=" + outputDir); //NON-NLS + break; + default: + break; + } + + String outputFileAsString = moduleOutputPath + File.separator + pluginToRun + ".txt"; //NON-NLS ProcessBuilder processBuilder = new ProcessBuilder(commandLine); /* * Add an environment variable to force Volatility to run with the same @@ -207,7 +223,7 @@ class VolatilityProcessor { processBuilder.environment().put("__COMPAT_LAYER", "RunAsInvoker"); //NON-NLS File outputFile = new File(outputFileAsString); processBuilder.redirectOutput(outputFile); - processBuilder.redirectError(new File(moduleOutputPath + "\\Volatility_Run.err")); //NON-NLS + processBuilder.redirectError(new File(moduleOutputPath + File.separator + "Volatility_err.txt")); //NON-NLS processBuilder.directory(new File(memoryImage.getParent())); try { 
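Review bot: Both `directory.mkdirs()` calls in this file section (the tidied one in the first hunk and the new one inside the `switch`) discard the return value, so when the directory cannot be created Volatility is launched with a `--dump-dir` that does not exist and the failure surfaces only in the tool's stderr; check the result, e.g. `if (!directory.exists() && !directory.mkdirs()) { throw new VolatilityProcessorException("Could not create output directory " + outputDir); }` (message via the Bundle, as the rest of the file does). `processBuilder.redirectError(new File(moduleOutputPath + File.separator + "Volatility_err.txt"))` truncates the file on every invocation, so if this method runs once per plugin, as the per-plugin `outputFileAsString` suggests, only the last plugin's stderr survives; `ProcessBuilder.Redirect.appendTo(...)` or a per-plugin error file name would keep all of them. The five `case` labels duplicate the names added to the panel's plugin list in the previous hunk, so a shared `Set<String>` constant of dump-style plugins would keep the two in sync. The enclosing method starts and ends outside the hunks.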
@@ -262,7 +278,7 @@ class VolatilityProcessor {
 "VolatilityProcessor_exceptionMessage_failedToParseImageInfo=Could not parse image info"
 })
 private String getProfileFromImageInfoOutput() throws VolatilityProcessorException {
- File imageOutputFile = new File(moduleOutputPath + "\\imageinfo.txt"); //NON-NLS
+ File imageOutputFile = new File(moduleOutputPath + File.separator + "imageinfo.txt"); //NON-NLS
 try (BufferedReader br = new BufferedReader(new FileReader(imageOutputFile))) {
 String fileRead = br.readLine();
 if (fileRead != null) {