mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-06 21:00:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3678 from sleuthkit/vol_fix

Browse Source 
Remember selection and allow user to specify profile
This commit is contained in:
Brian Carrier 2018-04-26 22:50:01 -04:00 committed by GitHub
commit 4a08a71ff6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 206 additions and 143 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
Core/src/org/sleuthkit/autopsy/ingest/IngestJobSettings.java
View File

@ -501,13 +501,16 @@ public final class IngestJobSettings {
this.warnings.add(warning); this.warnings.add(warning);
} }
} else { } else {
try (PythonObjectInputStream in = new PythonObjectInputStream(new FileInputStream(settingsFile.getAbsolutePath()))) { // @@@ BC Jython serialization is currently broken and this
settings = (IngestModuleIngestJobSettings) in.readObject(); // throws an exception. (-2323). Commenting out so that
} catch (IOException | ClassNotFoundException exception) { // Python modules will at least load with default settings.
String warning = NbBundle.getMessage(IngestJobSettings.class, "IngestJobSettings.moduleSettingsLoad.warning", factory.getModuleDisplayName(), this.executionContext); //NON-NLS // try (PythonObjectInputStream in = new PythonObjectInputStream(new FileInputStream(settingsFile.getAbsolutePath()))) {
logger.log(Level.WARNING, warning, exception); // settings = (IngestModuleIngestJobSettings) in.readObject();
this.warnings.add(warning); // } catch (IOException | ClassNotFoundException exception) {
} // String warning = NbBundle.getMessage(IngestJobSettings.class, "IngestJobSettings.moduleSettingsLoad.warning", factory.getModuleDisplayName(), this.executionContext); //NON-NLS
// logger.log(Level.WARNING, warning, exception);
// this.warnings.add(warning);
// }
} }
} }
if (settings == null) { if (settings == null) {

7
Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/AddMemoryImageTask.java
View File

@ -49,6 +49,7 @@ final class AddMemoryImageTask implements Runnable {
private final DataSourceProcessorCallback callback; private final DataSourceProcessorCallback callback;
private volatile VolatilityProcessor volatilityProcessor; private volatile VolatilityProcessor volatilityProcessor;
private volatile boolean isCancelled; private volatile boolean isCancelled;
private final String profile; // empty for autodetect
/** /**
* Constructs a runnable that adds a memory image to a case database. * Constructs a runnable that adds a memory image to a case database.
@ -57,6 +58,7 @@ final class AddMemoryImageTask implements Runnable {
* associated with the data source that is intended * associated with the data source that is intended
* to be unique across multiple cases (e.g., a UUID). * to be unique across multiple cases (e.g., a UUID).
* @param memoryImagePath Path to the memory image file. * @param memoryImagePath Path to the memory image file.
* @param profile Volatility profile to run or empty string to autodetect
* @param pluginsToRun The Volatility plugins to run. * @param pluginsToRun The Volatility plugins to run.
* @param timeZone The time zone to use when processing dates and * @param timeZone The time zone to use when processing dates and
* times for the image, obtained from * times for the image, obtained from
@ -65,9 +67,10 @@ final class AddMemoryImageTask implements Runnable {
* during processing. * during processing.
* @param callback Callback to call when processing is done. * @param callback Callback to call when processing is done.
*/ */
AddMemoryImageTask(String deviceId, String memoryImagePath, List<String> pluginsToRun, String timeZone, DataSourceProcessorProgressMonitor progressMonitor, DataSourceProcessorCallback callback) { AddMemoryImageTask(String deviceId, String memoryImagePath, String profile, List<String> pluginsToRun, String timeZone, DataSourceProcessorProgressMonitor progressMonitor, DataSourceProcessorCallback callback) {
this.deviceId = deviceId; this.deviceId = deviceId;
this.memoryImagePath = memoryImagePath; this.memoryImagePath = memoryImagePath;
this.profile = profile;
this.pluginsToRun = pluginsToRun; this.pluginsToRun = pluginsToRun;
this.timeZone = timeZone; this.timeZone = timeZone;
this.callback = callback; this.callback = callback;
@ -94,7 +97,7 @@ final class AddMemoryImageTask implements Runnable {
try { try {
Image dataSource = addImageToCase(); Image dataSource = addImageToCase();
dataSources.add(dataSource); dataSources.add(dataSource);
volatilityProcessor = new VolatilityProcessor(memoryImagePath, dataSource, pluginsToRun, progressMonitor); volatilityProcessor = new VolatilityProcessor(memoryImagePath, dataSource, profile, pluginsToRun, progressMonitor);
volatilityProcessor.run(); volatilityProcessor.run();
} catch (NoCurrentCaseException | TskCoreException | VolatilityProcessor.VolatilityProcessorException ex) { } catch (NoCurrentCaseException | TskCoreException | VolatilityProcessor.VolatilityProcessorException ex) {
criticalErrorOccurred = true; criticalErrorOccurred = true;

7
Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/Bundle.properties
View File

@ -3,11 +3,10 @@
# and open the template in the editor. # and open the template in the editor.
MemoryDSInputPanel.pathLabel.AccessibleContext.accessibleName=Browse for a memory image file: MemoryDSInputPanel.pathLabel.AccessibleContext.accessibleName=Browse for a memory image file:
MemoryDSInputPanel.PluginsToRunLabel.text=Available plugins to run: MemoryDSInputPanel.PluginsToRunLabel.text=Plugins to run:
MemoryDSInputPanel.volExecutableLabel.text=Version of Volatility to Run:
MemoryDSInputPanel.pathLabel.text=Browse for a memory image file: MemoryDSInputPanel.pathLabel.text=Browse for a memory image file:
MemoryDSInputPanel.pathTextField.text= MemoryDSInputPanel.pathTextField.text=
MemoryDSInputPanel.errorLabel.text=Error Label MemoryDSInputPanel.errorLabel.text=Error Label
MemoryDSInputPanel.browseButton.text=Browse MemoryDSInputPanel.browseButton.text=Browse
MemoryDSImputPanel.pathTextField.text= MemoryDSInputPanel.timeZoneLabel.text=Timezone:
MemoryDSInputPanel.timeZoneLabel.text=Please select the input timezone: MemoryDSInputPanel.profileLabel.text=Profile:

73
Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.form
View File

@ -28,13 +28,15 @@
<Group type="102" attributes="0"> <Group type="102" attributes="0">
<Group type="103" groupAlignment="0" attributes="0"> <Group type="103" groupAlignment="0" attributes="0">
<Component id="pathLabel" min="-2" pref="218" max="-2" attributes="0"/> <Component id="pathLabel" min="-2" pref="218" max="-2" attributes="0"/>
<Group type="102" alignment="0" attributes="0"> <Group type="102" attributes="0">
<Component id="timeZoneLabel" min="-2" pref="168" max="-2" attributes="0"/> <Component id="timeZoneLabel" min="-2" pref="134" max="-2" attributes="0"/>
<EmptySpace max="-2" attributes="0"/> <EmptySpace max="-2" attributes="0"/>
<Group type="103" groupAlignment="0" attributes="0"> <Group type="103" groupAlignment="0" attributes="0">
<Component id="volExecutableComboBox" min="-2" max="-2" attributes="0"/>
<Component id="timeZoneComboBox" min="-2" pref="199" max="-2" attributes="0"/>
<Component id="listsScrollPane" alignment="0" min="-2" pref="248" max="-2" attributes="0"/> <Component id="listsScrollPane" alignment="0" min="-2" pref="248" max="-2" attributes="0"/>
<Group type="103" alignment="0" groupAlignment="1" max="-2" attributes="0">
<Component id="profileComboBox" alignment="0" pref="243" max="32767" attributes="0"/>
<Component id="timeZoneComboBox" alignment="0" max="32767" attributes="0"/>
</Group>
</Group> </Group>
</Group> </Group>
</Group> </Group>
@ -43,8 +45,8 @@
<Group type="102" attributes="0"> <Group type="102" attributes="0">
<Group type="103" groupAlignment="0" attributes="0"> <Group type="103" groupAlignment="0" attributes="0">
<Component id="errorLabel" min="-2" max="-2" attributes="0"/> <Component id="errorLabel" min="-2" max="-2" attributes="0"/>
<Component id="volExecutableLabel" alignment="0" min="-2" max="-2" attributes="0"/>
<Component id="PluginsToRunLabel" alignment="0" min="-2" max="-2" attributes="0"/> <Component id="PluginsToRunLabel" alignment="0" min="-2" max="-2" attributes="0"/>
<Component id="profileLabel" alignment="0" min="-2" max="-2" attributes="0"/>
</Group> </Group>
<EmptySpace max="32767" attributes="0"/> <EmptySpace max="32767" attributes="0"/>
</Group> </Group>
@ -66,17 +68,17 @@
</Group> </Group>
<EmptySpace max="-2" attributes="0"/> <EmptySpace max="-2" attributes="0"/>
<Component id="errorLabel" min="-2" max="-2" attributes="0"/> <Component id="errorLabel" min="-2" max="-2" attributes="0"/>
<EmptySpace type="separate" max="-2" attributes="0"/> <EmptySpace type="unrelated" max="-2" attributes="0"/>
<Group type="103" groupAlignment="3" attributes="0"> <Group type="103" groupAlignment="3" attributes="0">
<Component id="volExecutableLabel" alignment="3" min="-2" max="-2" attributes="0"/> <Component id="profileLabel" alignment="3" min="-2" max="-2" attributes="0"/>
<Component id="volExecutableComboBox" alignment="3" min="-2" max="-2" attributes="0"/> <Component id="profileComboBox" alignment="3" min="-2" max="-2" attributes="0"/>
</Group> </Group>
<EmptySpace type="unrelated" max="-2" attributes="0"/> <EmptySpace type="unrelated" max="-2" attributes="0"/>
<Group type="103" groupAlignment="0" attributes="0"> <Group type="103" groupAlignment="0" attributes="0">
<Component id="PluginsToRunLabel" min="-2" max="-2" attributes="0"/> <Component id="PluginsToRunLabel" min="-2" max="-2" attributes="0"/>
<Component id="listsScrollPane" min="-2" pref="132" max="-2" attributes="0"/> <Component id="listsScrollPane" min="-2" pref="122" max="-2" attributes="0"/>
</Group> </Group>
<EmptySpace pref="30" max="32767" attributes="0"/> <EmptySpace pref="73" max="32767" attributes="0"/>
</Group> </Group>
</Group> </Group>
</DimensionLayout> </DimensionLayout>
@ -85,7 +87,7 @@
<Component class="javax.swing.JLabel" name="pathLabel"> <Component class="javax.swing.JLabel" name="pathLabel">
<Properties> <Properties>
<Property name="text" type="java.lang.String" editor="org.netbeans.modules.i18n.form.FormI18nStringEditor"> <Property name="text" type="java.lang.String" editor="org.netbeans.modules.i18n.form.FormI18nStringEditor">
<ResourceString bundle="org/sleuthkit/autopsy/datasourceprocessors/Bundle.properties" key="RawDSInputPanel.pathLabel.text" replaceFormat="org.openide.util.NbBundle.getMessage({sourceFileName}.class, &quot;{key}&quot;)"/> <ResourceString bundle="org/sleuthkit/autopsy/experimental/volatilityDSP/Bundle.properties" key="MemoryDSInputPanel.pathLabel.text" replaceFormat="org.openide.util.NbBundle.getMessage({sourceFileName}.class, &quot;{key}&quot;)"/>
</Property> </Property>
</Properties> </Properties>
<AccessibilityProperties> <AccessibilityProperties>
@ -97,14 +99,17 @@
<Component class="javax.swing.JTextField" name="pathTextField"> <Component class="javax.swing.JTextField" name="pathTextField">
<Properties> <Properties>
<Property name="text" type="java.lang.String" editor="org.netbeans.modules.i18n.form.FormI18nStringEditor"> <Property name="text" type="java.lang.String" editor="org.netbeans.modules.i18n.form.FormI18nStringEditor">
<ResourceString bundle="org/sleuthkit/autopsy/datasourceprocessors/Bundle.properties" key="RawDSInputPanel.pathTextField.text" replaceFormat="org.openide.util.NbBundle.getMessage({sourceFileName}.class, &quot;{key}&quot;)"/> <ResourceString bundle="org/sleuthkit/autopsy/experimental/volatilityDSP/Bundle.properties" key="MemoryDSInputPanel.pathTextField.text" replaceFormat="org.openide.util.NbBundle.getMessage({sourceFileName}.class, &quot;{key}&quot;)"/>
</Property> </Property>
</Properties> </Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="pathTextFieldActionPerformed"/>
</Events>
</Component> </Component>
<Component class="javax.swing.JButton" name="browseButton"> <Component class="javax.swing.JButton" name="browseButton">
<Properties> <Properties>
<Property name="text" type="java.lang.String" editor="org.netbeans.modules.i18n.form.FormI18nStringEditor"> <Property name="text" type="java.lang.String" editor="org.netbeans.modules.i18n.form.FormI18nStringEditor">
<ResourceString bundle="org/sleuthkit/autopsy/datasourceprocessors/Bundle.properties" key="RawDSInputPanel.browseButton.text" replaceFormat="org.openide.util.NbBundle.getMessage({sourceFileName}.class, &quot;{key}&quot;)"/> <ResourceString bundle="org/sleuthkit/autopsy/experimental/volatilityDSP/Bundle.properties" key="MemoryDSInputPanel.browseButton.text" replaceFormat="org.openide.util.NbBundle.getMessage({sourceFileName}.class, &quot;{key}&quot;)"/>
</Property> </Property>
</Properties> </Properties>
<Events> <Events>
@ -117,14 +122,14 @@
<Color blue="0" green="0" red="ff" type="rgb"/> <Color blue="0" green="0" red="ff" type="rgb"/>
</Property> </Property>
<Property name="text" type="java.lang.String" editor="org.netbeans.modules.i18n.form.FormI18nStringEditor"> <Property name="text" type="java.lang.String" editor="org.netbeans.modules.i18n.form.FormI18nStringEditor">
<ResourceString bundle="org/sleuthkit/autopsy/datasourceprocessors/Bundle.properties" key="RawDSInputPanel.errorLabel.text" replaceFormat="org.openide.util.NbBundle.getMessage({sourceFileName}.class, &quot;{key}&quot;)"/> <ResourceString bundle="org/sleuthkit/autopsy/experimental/volatilityDSP/Bundle.properties" key="MemoryDSInputPanel.errorLabel.text" replaceFormat="org.openide.util.NbBundle.getMessage({sourceFileName}.class, &quot;{key}&quot;)"/>
</Property> </Property>
</Properties> </Properties>
</Component> </Component>
<Component class="javax.swing.JLabel" name="timeZoneLabel"> <Component class="javax.swing.JLabel" name="timeZoneLabel">
<Properties> <Properties>
<Property name="text" type="java.lang.String" editor="org.netbeans.modules.i18n.form.FormI18nStringEditor"> <Property name="text" type="java.lang.String" editor="org.netbeans.modules.i18n.form.FormI18nStringEditor">
<ResourceString bundle="org/sleuthkit/autopsy/datasourceprocessors/Bundle.properties" key="RawDSInputPanel.timeZoneLabel.text" replaceFormat="org.openide.util.NbBundle.getMessage({sourceFileName}.class, &quot;{key}&quot;)"/> <ResourceString bundle="org/sleuthkit/autopsy/experimental/volatilityDSP/Bundle.properties" key="MemoryDSInputPanel.timeZoneLabel.text" replaceFormat="org.openide.util.NbBundle.getMessage({sourceFileName}.class, &quot;{key}&quot;)"/>
</Property> </Property>
</Properties> </Properties>
</Component> </Component>
@ -139,27 +144,6 @@
<AuxValue name="JavaCodeGenerator_TypeParameters" type="java.lang.String" value="&lt;String&gt;"/> <AuxValue name="JavaCodeGenerator_TypeParameters" type="java.lang.String" value="&lt;String&gt;"/>
</AuxValues> </AuxValues>
</Component> </Component>
<Component class="javax.swing.JLabel" name="volExecutableLabel">
<Properties>
<Property name="text" type="java.lang.String" editor="org.netbeans.modules.i18n.form.FormI18nStringEditor">
<ResourceString bundle="org/sleuthkit/autopsy/experimental/volatilityDSP/Bundle.properties" key="MemoryDSInputPanel.volExecutableLabel.text" replaceFormat="org.openide.util.NbBundle.getMessage({sourceFileName}.class, &quot;{key}&quot;)"/>
</Property>
</Properties>
</Component>
<Component class="javax.swing.JComboBox" name="volExecutableComboBox">
<Properties>
<Property name="model" type="javax.swing.ComboBoxModel" editor="org.netbeans.modules.form.editors2.ComboBoxModelEditor">
<StringArray count="0"/>
</Property>
<Property name="enabled" type="boolean" value="false"/>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="volExecutableComboBoxActionPerformed"/>
</Events>
<AuxValues>
<AuxValue name="JavaCodeGenerator_TypeParameters" type="java.lang.String" value="&lt;String&gt;"/>
</AuxValues>
</Component>
<Component class="javax.swing.JLabel" name="PluginsToRunLabel"> <Component class="javax.swing.JLabel" name="PluginsToRunLabel">
<Properties> <Properties>
<Property name="text" type="java.lang.String" editor="org.netbeans.modules.i18n.form.FormI18nStringEditor"> <Property name="text" type="java.lang.String" editor="org.netbeans.modules.i18n.form.FormI18nStringEditor">
@ -174,7 +158,7 @@
<Layout class="org.netbeans.modules.form.compat2.layouts.support.JScrollPaneSupportLayout"/> <Layout class="org.netbeans.modules.form.compat2.layouts.support.JScrollPaneSupportLayout"/>
<SubComponents> <SubComponents>
<Component class="javax.swing.JTable" name="PluginList"> <Component class="javax.swing.JTable" name="pluginTable">
<Properties> <Properties>
<Property name="model" type="javax.swing.table.TableModel" editor="org.netbeans.modules.form.editors2.TableModelEditor"> <Property name="model" type="javax.swing.table.TableModel" editor="org.netbeans.modules.form.editors2.TableModelEditor">
<Table columnCount="0" rowCount="4"/> <Table columnCount="0" rowCount="4"/>
@ -189,5 +173,20 @@
</Component> </Component>
</SubComponents> </SubComponents>
</Container> </Container>
<Component class="javax.swing.JLabel" name="profileLabel">
<Properties>
<Property name="text" type="java.lang.String" editor="org.netbeans.modules.i18n.form.FormI18nStringEditor">
<ResourceString bundle="org/sleuthkit/autopsy/experimental/volatilityDSP/Bundle.properties" key="MemoryDSInputPanel.profileLabel.text" replaceFormat="org.openide.util.NbBundle.getMessage({sourceFileName}.class, &quot;{key}&quot;)"/>
</Property>
</Properties>
</Component>
<Component class="javax.swing.JComboBox" name="profileComboBox">
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="profileComboBoxActionPerformed"/>
</Events>
<AuxValues>
<AuxValue name="JavaCodeGenerator_TypeParameters" type="java.lang.String" value="&lt;String&gt;"/>
</AuxValues>
</Component>
</SubComponents> </SubComponents>
</Form> </Form>

137
Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSInputPanel.java
View File

@ -26,7 +26,9 @@ import java.util.HashMap;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.SimpleTimeZone; import java.util.SimpleTimeZone;
import java.util.SortedSet;
import java.util.TimeZone; import java.util.TimeZone;
import java.util.TreeSet;
import javax.swing.JFileChooser; import javax.swing.JFileChooser;
import javax.swing.JPanel; import javax.swing.JPanel;
import javax.swing.JTable; import javax.swing.JTable;
@ -42,6 +44,7 @@ import org.sleuthkit.autopsy.corecomponentinterfaces.DataSourceProcessor;
import org.sleuthkit.autopsy.coreutils.ModuleSettings; import org.sleuthkit.autopsy.coreutils.ModuleSettings;
import org.sleuthkit.autopsy.coreutils.PathValidator; import org.sleuthkit.autopsy.coreutils.PathValidator;
@SuppressWarnings("PMD.SingularField") // UI widgets cause lots of false positives
final class MemoryDSInputPanel extends JPanel implements DocumentListener { final class MemoryDSInputPanel extends JPanel implements DocumentListener {
private static final long serialVersionUID = 1L; //default private static final long serialVersionUID = 1L; //default
@ -53,13 +56,26 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener {
private final PluginListTableModel tableModel = new PluginListTableModel(); private final PluginListTableModel tableModel = new PluginListTableModel();
private final List<String> PluginListNames = new ArrayList<>(); private final List<String> PluginListNames = new ArrayList<>();
private final Map<String, Boolean> pluginListStates = new HashMap<>(); // is set by listeners when users select and deselect items private final Map<String, Boolean> pluginListStates = new HashMap<>(); // is set by listeners when users select and deselect items
private final Boolean isEnabled = true;
private final SortedSet<String> profileList = new TreeSet<>(Arrays.asList(
"VistaSP0x64", "VistaSP0x86", "VistaSP1x64", "VistaSP1x86",
"VistaSP2x64", "VistaSP2x86", "Win10x64", "Win10x64_10586",
"Win10x64_14393", "Win10x86", "Win10x86_10586", "Win10x86_14393",
"Win2003SP0x86", "Win2003SP1x64", "Win2003SP1x86", "Win2003SP2x64",
"Win2003SP2x86", "Win2008R2SP0x64", "Win2008R2SP1x64", "Win2008R2SP1x64_23418",
"Win2008SP1x64", "Win2008SP1x86", "Win2008SP2x64", "Win2008SP2x86",
"Win2012R2x64", "Win2012R2x64_18340", "Win2012x64", "Win2016x64_14393",
"Win7SP0x64", "Win7SP0x86", "Win7SP1x64", "Win7SP1x64_23418", "Win7SP1x86_23418",
"Win81U1x64", "Win81U1x86", "Win8SP0x64", "Win8SP0x86", "Win8SP1x64",
"Win8SP1x64_18340", "Win8SP1x86", "WinXPSP1x64", "WinXPSP2x64", "WinXPSP2x86",
"WinXPSP3x86"));
private final static String AUTODETECT_PROFILE = "Auto Detect";
/** /**
* Creates new MemoryDSInputPanel panel for user input * Creates new MemoryDSInputPanel panel for user input
*/ */
private MemoryDSInputPanel(String context) { private MemoryDSInputPanel(String context) {
this.pluginList = new String[]{"amcache", "cmdline", "cmdscan", "consoles", "malfind", "netscan", "notepad", "pslist", "psxview", "shellbags", "shimcache", "shutdown", "userassist", "apihooks", "connscan", "devicetree", "dlllist", "envars", "filescan", "gahti", "getservicesids", "getsids", "handles", "hashdump", "hivelist", "hivescan", "impscan", "ldrmodules", "lsadump", "modules", "mutantscan", "privs", "psscan", "pstree", "sockets", "svcscan", "shimcache", "timeliner", "unloadedmodules", "userhandles", "vadinfo", "verinfo"}; this.pluginList = new String[]{"amcache", "cmdline", "cmdscan", "consoles", "malfind", "netscan", "notepad", "pslist", "psxview", "shellbags", "shimcache", "shutdown", "userassist", "apihooks", "connscan", "devicetree", "dlllist", "envars", "filescan", "gahti", "getservicesids", "getsids", "handles", "hashdump", "hivelist", "hivescan", "impscan", "ldrmodules", "lsadump", "modules", "mutantscan", "privs", "psscan", "pstree", "sockets", "svcscan", "shimcache", "timeliner", "unloadedmodules", "userhandles", "vadinfo", "verinfo", "dlldump", "moddump", "procdump", "dumpfiles", "dumpregistry"};
Arrays.sort(this.pluginList); Arrays.sort(this.pluginList);
initComponents(); initComponents();
@ -82,7 +98,7 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener {
instance.postInit(); instance.postInit();
instance.customizePluginListTable(); instance.customizePluginListTable();
instance.createTimeZoneList(); instance.createTimeZoneList();
instance.createVolatilityVersionList(); instance.populateProfileCombobox();
instance.createPluginList(); instance.createPluginList();
return instance; return instance;
@ -95,14 +111,14 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener {
} }
private void customizePluginListTable() { private void customizePluginListTable() {
PluginList.setModel(tableModel); pluginTable.setModel(tableModel);
PluginList.setTableHeader(null); pluginTable.setTableHeader(null);
PluginList.setSelectionMode(ListSelectionModel.SINGLE_SELECTION); pluginTable.setSelectionMode(ListSelectionModel.SINGLE_SELECTION);
final int width = listsScrollPane.getPreferredSize().width; final int width = listsScrollPane.getPreferredSize().width;
PluginList.setAutoResizeMode(JTable.AUTO_RESIZE_NEXT_COLUMN); pluginTable.setAutoResizeMode(JTable.AUTO_RESIZE_NEXT_COLUMN);
TableColumn column; TableColumn column;
for (int i = 0; i < PluginList.getColumnCount(); i++) { for (int i = 0; i < pluginTable.getColumnCount(); i++) {
column = PluginList.getColumnModel().getColumn(i); column = pluginTable.getColumnModel().getColumn(i);
if (i == 0) { if (i == 0) {
column.setPreferredWidth(((int) (width * 0.07))); column.setPreferredWidth(((int) (width * 0.07)));
} else { } else {
@ -138,11 +154,12 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener {
timeZoneComboBox.setSelectedItem(formatted); timeZoneComboBox.setSelectedItem(formatted);
} }
private void createVolatilityVersionList() {
private void populateProfileCombobox() {
volExecutableComboBox.addItem("2.6"); profileComboBox.addItem(AUTODETECT_PROFILE);
volExecutableComboBox.addItem("2.5"); profileList.forEach((profile) -> {
profileComboBox.addItem(profile);
});
} }
private void createPluginList() { private void createPluginList() {
@ -157,8 +174,10 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener {
PluginListNames.add(plugin); PluginListNames.add(plugin);
if (allEnabled) { if (allEnabled) {
pluginListStates.put(plugin, true); pluginListStates.put(plugin, true);
} else if ((pluginMap.containsKey(plugin) && pluginMap.get(plugin).equals("false"))) {
pluginListStates.put(plugin, false);
} else { } else {
pluginListStates.put(plugin, pluginMap.containsKey(plugin)); pluginListStates.put(plugin, true);
} }
} }
tableModel.fireTableDataChanged(); tableModel.fireTableDataChanged();
@ -181,15 +200,20 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener {
errorLabel = new javax.swing.JLabel(); errorLabel = new javax.swing.JLabel();
timeZoneLabel = new javax.swing.JLabel(); timeZoneLabel = new javax.swing.JLabel();
timeZoneComboBox = new javax.swing.JComboBox<>(); timeZoneComboBox = new javax.swing.JComboBox<>();
volExecutableLabel = new javax.swing.JLabel();
volExecutableComboBox = new javax.swing.JComboBox<>();
PluginsToRunLabel = new javax.swing.JLabel(); PluginsToRunLabel = new javax.swing.JLabel();
listsScrollPane = new javax.swing.JScrollPane(); listsScrollPane = new javax.swing.JScrollPane();
PluginList = new javax.swing.JTable(); pluginTable = new javax.swing.JTable();
profileLabel = new javax.swing.JLabel();
profileComboBox = new javax.swing.JComboBox<>();
org.openide.awt.Mnemonics.setLocalizedText(pathLabel, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.pathLabel.text")); // NOI18N org.openide.awt.Mnemonics.setLocalizedText(pathLabel, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.pathLabel.text")); // NOI18N
pathTextField.setText(org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.pathTextField.text")); // NOI18N pathTextField.setText(org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.pathTextField.text")); // NOI18N
pathTextField.addActionListener(new java.awt.event.ActionListener() {
public void actionPerformed(java.awt.event.ActionEvent evt) {
pathTextFieldActionPerformed(evt);
}
});
org.openide.awt.Mnemonics.setLocalizedText(browseButton, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.browseButton.text")); // NOI18N org.openide.awt.Mnemonics.setLocalizedText(browseButton, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.browseButton.text")); // NOI18N
browseButton.addActionListener(new java.awt.event.ActionListener() { browseButton.addActionListener(new java.awt.event.ActionListener() {
@ -205,18 +229,9 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener {
timeZoneComboBox.setMaximumRowCount(30); timeZoneComboBox.setMaximumRowCount(30);
org.openide.awt.Mnemonics.setLocalizedText(volExecutableLabel, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.volExecutableLabel.text")); // NOI18N
volExecutableComboBox.setEnabled(false);
volExecutableComboBox.addActionListener(new java.awt.event.ActionListener() {
public void actionPerformed(java.awt.event.ActionEvent evt) {
volExecutableComboBoxActionPerformed(evt);
}
});
org.openide.awt.Mnemonics.setLocalizedText(PluginsToRunLabel, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.PluginsToRunLabel.text")); // NOI18N org.openide.awt.Mnemonics.setLocalizedText(PluginsToRunLabel, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.PluginsToRunLabel.text")); // NOI18N
PluginList.setModel(new javax.swing.table.DefaultTableModel( pluginTable.setModel(new javax.swing.table.DefaultTableModel(
new Object [][] { new Object [][] {
{}, {},
{}, {},
@ -227,7 +242,15 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener {
} }
)); ));
listsScrollPane.setViewportView(PluginList); listsScrollPane.setViewportView(pluginTable);
org.openide.awt.Mnemonics.setLocalizedText(profileLabel, org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.profileLabel.text")); // NOI18N
profileComboBox.addActionListener(new java.awt.event.ActionListener() {
public void actionPerformed(java.awt.event.ActionEvent evt) {
profileComboBoxActionPerformed(evt);
}
});
javax.swing.GroupLayout layout = new javax.swing.GroupLayout(this); javax.swing.GroupLayout layout = new javax.swing.GroupLayout(this);
this.setLayout(layout); this.setLayout(layout);
@ -241,18 +264,19 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener {
.addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING) .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addComponent(pathLabel, javax.swing.GroupLayout.PREFERRED_SIZE, 218, javax.swing.GroupLayout.PREFERRED_SIZE) .addComponent(pathLabel, javax.swing.GroupLayout.PREFERRED_SIZE, 218, javax.swing.GroupLayout.PREFERRED_SIZE)
.addGroup(layout.createSequentialGroup() .addGroup(layout.createSequentialGroup()
.addComponent(timeZoneLabel, javax.swing.GroupLayout.PREFERRED_SIZE, 168, javax.swing.GroupLayout.PREFERRED_SIZE) .addComponent(timeZoneLabel, javax.swing.GroupLayout.PREFERRED_SIZE, 134, javax.swing.GroupLayout.PREFERRED_SIZE)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED) .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING) .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addComponent(volExecutableComboBox, javax.swing.GroupLayout.PREFERRED_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE) .addComponent(listsScrollPane, javax.swing.GroupLayout.PREFERRED_SIZE, 248, javax.swing.GroupLayout.PREFERRED_SIZE)
.addComponent(timeZoneComboBox, javax.swing.GroupLayout.PREFERRED_SIZE, 199, javax.swing.GroupLayout.PREFERRED_SIZE) .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.TRAILING, false)
.addComponent(listsScrollPane, javax.swing.GroupLayout.PREFERRED_SIZE, 248, javax.swing.GroupLayout.PREFERRED_SIZE)))) .addComponent(profileComboBox, javax.swing.GroupLayout.Alignment.LEADING, 0, 243, Short.MAX_VALUE)
.addComponent(timeZoneComboBox, javax.swing.GroupLayout.Alignment.LEADING, 0, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)))))
.addGap(0, 163, Short.MAX_VALUE)) .addGap(0, 163, Short.MAX_VALUE))
.addGroup(layout.createSequentialGroup() .addGroup(layout.createSequentialGroup()
.addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING) .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addComponent(errorLabel) .addComponent(errorLabel)
.addComponent(volExecutableLabel) .addComponent(PluginsToRunLabel)
.addComponent(PluginsToRunLabel)) .addComponent(profileLabel))
.addContainerGap(javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)) .addContainerGap(javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE))
); );
layout.setVerticalGroup( layout.setVerticalGroup(
@ -269,15 +293,15 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener {
.addComponent(timeZoneComboBox, javax.swing.GroupLayout.PREFERRED_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE)) .addComponent(timeZoneComboBox, javax.swing.GroupLayout.PREFERRED_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE))
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED) .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(errorLabel) .addComponent(errorLabel)
.addGap(18, 18, 18) .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.UNRELATED)
.addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE) .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE)
.addComponent(volExecutableLabel) .addComponent(profileLabel)
.addComponent(volExecutableComboBox, javax.swing.GroupLayout.PREFERRED_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE)) .addComponent(profileComboBox, javax.swing.GroupLayout.PREFERRED_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE))
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.UNRELATED) .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.UNRELATED)
.addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING) .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addComponent(PluginsToRunLabel) .addComponent(PluginsToRunLabel)
.addComponent(listsScrollPane, javax.swing.GroupLayout.PREFERRED_SIZE, 132, javax.swing.GroupLayout.PREFERRED_SIZE)) .addComponent(listsScrollPane, javax.swing.GroupLayout.PREFERRED_SIZE, 122, javax.swing.GroupLayout.PREFERRED_SIZE))
.addContainerGap(30, Short.MAX_VALUE)) .addContainerGap(73, Short.MAX_VALUE))
); );
pathLabel.getAccessibleContext().setAccessibleName(org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.pathLabel.AccessibleContext.accessibleName")); // NOI18N pathLabel.getAccessibleContext().setAccessibleName(org.openide.util.NbBundle.getMessage(MemoryDSInputPanel.class, "MemoryDSInputPanel.pathLabel.AccessibleContext.accessibleName")); // NOI18N
@ -298,12 +322,15 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener {
} }
}//GEN-LAST:event_browseButtonActionPerformed }//GEN-LAST:event_browseButtonActionPerformed
private void volExecutableComboBoxActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_volExecutableComboBoxActionPerformed private void profileComboBoxActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_profileComboBoxActionPerformed
// TODO add your handling code here: // TODO add your handling code here:
}//GEN-LAST:event_volExecutableComboBoxActionPerformed }//GEN-LAST:event_profileComboBoxActionPerformed
private void pathTextFieldActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_pathTextFieldActionPerformed
// TODO add your handling code here:
}//GEN-LAST:event_pathTextFieldActionPerformed
// Variables declaration - do not modify//GEN-BEGIN:variables // Variables declaration - do not modify//GEN-BEGIN:variables
private javax.swing.JTable PluginList;
private javax.swing.JLabel PluginsToRunLabel; private javax.swing.JLabel PluginsToRunLabel;
private javax.swing.JButton browseButton; private javax.swing.JButton browseButton;
private javax.swing.JLabel errorLabel; private javax.swing.JLabel errorLabel;
@ -311,10 +338,11 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener {
private javax.swing.JScrollPane listsScrollPane; private javax.swing.JScrollPane listsScrollPane;
private javax.swing.JLabel pathLabel; private javax.swing.JLabel pathLabel;
private javax.swing.JTextField pathTextField; private javax.swing.JTextField pathTextField;
private javax.swing.JTable pluginTable;
private javax.swing.JComboBox<String> profileComboBox;
private javax.swing.JLabel profileLabel;
private javax.swing.JComboBox<String> timeZoneComboBox; private javax.swing.JComboBox<String> timeZoneComboBox;
private javax.swing.JLabel timeZoneLabel; private javax.swing.JLabel timeZoneLabel;
private javax.swing.JComboBox<String> volExecutableComboBox;
private javax.swing.JLabel volExecutableLabel;
// End of variables declaration//GEN-END:variables // End of variables declaration//GEN-END:variables
/** /**
* Get the path of the user selected image. * Get the path of the user selected image.
@ -325,17 +353,28 @@ final class MemoryDSInputPanel extends JPanel implements DocumentListener {
return pathTextField.getText(); return pathTextField.getText();
} }
/**
*
* @return Profile or empty string if auto detect
*/
String getProfile() {
String profile = (String)profileComboBox.getSelectedItem();
if (profile.equals(AUTODETECT_PROFILE)) {
return "";
}
return profile;
}
List<String> getPluginsToRun() { List<String> getPluginsToRun() {
List<String> enabledPlugins = new ArrayList<>(); List<String> enabledPlugins = new ArrayList<>();
Map<String, String> pluginMap = new HashMap<>(); Map<String, String> pluginSettingsToSave = new HashMap<>();
for (String plugin : PluginListNames) { for (String plugin : PluginListNames) {
if (pluginListStates.get(plugin)) { if (pluginListStates.get(plugin)) {
enabledPlugins.add(plugin); enabledPlugins.add(plugin);
pluginMap.put(plugin, "");
} }
pluginSettingsToSave.put(plugin, pluginListStates.get(plugin).toString());
} }
ModuleSettings.setConfigSettings(this.contextName, pluginSettingsToSave);
ModuleSettings.setConfigSettings(this.contextName, pluginMap);
// @@ Could return keys of set // @@ Could return keys of set
return enabledPlugins; return enabledPlugins;
} }

7
Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/MemoryDSProcessor.java
View File

@ -117,7 +117,7 @@ public class MemoryDSProcessor implements DataSourceProcessor {
@Override @Override
public void run(DataSourceProcessorProgressMonitor progressMonitor, DataSourceProcessorCallback callback) { public void run(DataSourceProcessorProgressMonitor progressMonitor, DataSourceProcessorCallback callback) {
configPanel.storeSettings(); configPanel.storeSettings();
run(UUID.randomUUID().toString(), configPanel.getImageFilePath(), configPanel.getPluginsToRun(), configPanel.getTimeZone(), progressMonitor, callback); run(UUID.randomUUID().toString(), configPanel.getImageFilePath(), configPanel.getProfile(), configPanel.getPluginsToRun(), configPanel.getTimeZone(), progressMonitor, callback);
} }
/** /**
@ -131,6 +131,7 @@ public class MemoryDSProcessor implements DataSourceProcessor {
* associated with the data source that is intended * associated with the data source that is intended
* to be unique across multiple cases (e.g., a UUID). * to be unique across multiple cases (e.g., a UUID).
* @param memoryImagePath Path to the memory image file. * @param memoryImagePath Path to the memory image file.
* @param profile Volatility profile to run or empty string to autodetect
* @param pluginsToRun The Volatility plugins to run. * @param pluginsToRun The Volatility plugins to run.
* @param timeZone The time zone to use when processing dates and * @param timeZone The time zone to use when processing dates and
* times for the image, obtained from * times for the image, obtained from
@ -139,8 +140,8 @@ public class MemoryDSProcessor implements DataSourceProcessor {
* processing. * processing.
* @param callback Callback to call when processing is done. * @param callback Callback to call when processing is done.
*/ */
private void run(String deviceId, String memoryImagePath, List<String> pluginsToRun, String timeZone, DataSourceProcessorProgressMonitor progressMonitor, DataSourceProcessorCallback callback) { private void run(String deviceId, String memoryImagePath, String profile, List<String> pluginsToRun, String timeZone, DataSourceProcessorProgressMonitor progressMonitor, DataSourceProcessorCallback callback) {
addImageTask = new AddMemoryImageTask(deviceId, memoryImagePath, pluginsToRun, timeZone, progressMonitor, callback); addImageTask = new AddMemoryImageTask(deviceId, memoryImagePath, profile, pluginsToRun, timeZone, progressMonitor, callback);
new Thread(addImageTask).start(); new Thread(addImageTask).start();
} }

101
Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java
View File

@ -29,7 +29,6 @@ import java.util.List;
import java.util.Set; import java.util.Set;
import java.util.logging.Level; import java.util.logging.Level;
import org.openide.modules.InstalledFileLocator; import org.openide.modules.InstalledFileLocator;
import org.openide.util.Lookup;
import org.openide.util.NbBundle; import org.openide.util.NbBundle;
import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException; import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
@ -41,13 +40,13 @@ import org.sleuthkit.autopsy.coreutils.Logger;
import org.sleuthkit.autopsy.coreutils.PlatformUtil; import org.sleuthkit.autopsy.coreutils.PlatformUtil;
import org.sleuthkit.autopsy.ingest.IngestServices; import org.sleuthkit.autopsy.ingest.IngestServices;
import org.sleuthkit.autopsy.ingest.ModuleDataEvent; import org.sleuthkit.autopsy.ingest.ModuleDataEvent;
import org.sleuthkit.autopsy.keywordsearchservice.KeywordSearchService;
import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.Image; import org.sleuthkit.datamodel.Image;
import org.sleuthkit.datamodel.Report;
import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskCoreException;
import org.sleuthkit.datamodel.TskData.EncodingType;
import org.sleuthkit.datamodel.TskData.TSK_DB_FILES_TYPE_ENUM; import org.sleuthkit.datamodel.TskData.TSK_DB_FILES_TYPE_ENUM;
/** /**
@ -70,6 +69,8 @@ class VolatilityProcessor {
private String moduleOutputPath; private String moduleOutputPath;
private FileManager fileManager; private FileManager fileManager;
private volatile boolean isCancelled; private volatile boolean isCancelled;
private Content outputVirtDir;
private String profile;
/** /**
* Constructs a processor that runs Volatility on a given memory image file * Constructs a processor that runs Volatility on a given memory image file
@ -77,11 +78,13 @@ class VolatilityProcessor {
* *
* @param memoryImagePath Path to memory image file. * @param memoryImagePath Path to memory image file.
* @param dataSource The memory image data source. * @param dataSource The memory image data source.
* @param profile Volatility profile to run or empty string to autodetect
* @param plugInToRuns Volatility plugins to run. * @param plugInToRuns Volatility plugins to run.
* @param progressMonitor Progress monitor for reporting progress during * @param progressMonitor Progress monitor for reporting progress during
* processing. * processing.
*/ */
VolatilityProcessor(String memoryImagePath, Image dataSource, List<String> plugInToRun, DataSourceProcessorProgressMonitor progressMonitor) { VolatilityProcessor(String memoryImagePath, Image dataSource, String profile, List<String> plugInToRun, DataSourceProcessorProgressMonitor progressMonitor) {
this.profile = profile;
this.memoryImagePath = memoryImagePath; this.memoryImagePath = memoryImagePath;
this.pluginsToRun = plugInToRun; this.pluginsToRun = plugInToRun;
this.dataSource = dataSource; this.dataSource = dataSource;
@ -117,6 +120,13 @@ class VolatilityProcessor {
fileManager = currentCase.getServices().getFileManager(); fileManager = currentCase.getServices().getFileManager();
try {
// make a virtual directory to store the reports
outputVirtDir = currentCase.getSleuthkitCase().addVirtualDirectory(dataSource.getId(), "ModuleOutput");
} catch (TskCoreException ex) {
throw new VolatilityProcessorException("Error creating virtual directory", ex);
}
/* /*
* Make an output folder unique to this data source. * Make an output folder unique to this data source.
*/ */
@ -124,9 +134,14 @@ class VolatilityProcessor {
moduleOutputPath = Paths.get(currentCase.getModuleDirectory(), VOLATILITY, dataSourceId.toString()).toString(); moduleOutputPath = Paths.get(currentCase.getModuleDirectory(), VOLATILITY, dataSourceId.toString()).toString();
File directory = new File(String.valueOf(moduleOutputPath)); File directory = new File(String.valueOf(moduleOutputPath));
if (!directory.exists()) { if (!directory.exists()) {
directory.mkdirs(); directory.mkdirs();
}
// if they did not specify a profile, then run imageinfo to get one
if (profile.isEmpty() ) {
progressMonitor.setProgressText(Bundle.VolatilityProcessor_progressMessage_runningImageInfo("imageinfo")); //NON-NLS progressMonitor.setProgressText(Bundle.VolatilityProcessor_progressMessage_runningImageInfo("imageinfo")); //NON-NLS
runVolatilityPlugin("imageinfo"); //NON-NLS runVolatilityPlugin("imageinfo"); //NON-NLS
profile = getProfileFromImageInfoOutput();
} }
progressMonitor.setIndeterminate(false); progressMonitor.setIndeterminate(false);
@ -177,24 +192,38 @@ class VolatilityProcessor {
commandLine.add("\"" + executableFile + "\""); //NON-NLS commandLine.add("\"" + executableFile + "\""); //NON-NLS
File memoryImage = new File(memoryImagePath); File memoryImage = new File(memoryImagePath);
commandLine.add("--filename=" + memoryImage.getName()); //NON-NLS commandLine.add("--filename=" + memoryImage.getName()); //NON-NLS
if (!profile.isEmpty()) {
File imageInfoOutputFile = new File(moduleOutputPath + "\\imageinfo.txt"); //NON-NLS commandLine.add("--profile=" + profile); //NON-NLS
if (imageInfoOutputFile.exists()) {
String memoryProfile = parseImageInfoOutput(imageInfoOutputFile);
commandLine.add("--profile=" + memoryProfile); //NON-NLS
} }
commandLine.add(pluginToRun); commandLine.add(pluginToRun);
String outputFile = moduleOutputPath + "\\" + pluginToRun + ".txt"; //NON-NLS switch (pluginToRun) {
case "dlldump":
case "moddump":
case "procdump":
case "dumpregistry":
case "dumpfiles":
String outputDir = moduleOutputPath + File.separator + pluginToRun;
File directory = new File(outputDir);
if (!directory.exists()) {
directory.mkdirs();
}
commandLine.add("--dump-dir=" + outputDir); //NON-NLS
break;
default:
break;
}
String outputFileAsString = moduleOutputPath + File.separator + pluginToRun + ".txt"; //NON-NLS
ProcessBuilder processBuilder = new ProcessBuilder(commandLine); ProcessBuilder processBuilder = new ProcessBuilder(commandLine);
/* /*
* Add an environment variable to force Volatility to run with the same * Add an environment variable to force Volatility to run with the same
* permissions Autopsy uses. * permissions Autopsy uses.
*/ */
processBuilder.environment().put("__COMPAT_LAYER", "RunAsInvoker"); //NON-NLS processBuilder.environment().put("__COMPAT_LAYER", "RunAsInvoker"); //NON-NLS
processBuilder.redirectOutput(new File(outputFile)); File outputFile = new File(outputFileAsString);
processBuilder.redirectError(new File(moduleOutputPath + "\\Volatility_Run.err")); //NON-NLS processBuilder.redirectOutput(outputFile);
processBuilder.redirectError(new File(moduleOutputPath + File.separator + "Volatility_err.txt")); //NON-NLS
processBuilder.directory(new File(memoryImage.getParent())); processBuilder.directory(new File(memoryImage.getParent()));
try { try {
@ -210,32 +239,16 @@ class VolatilityProcessor {
if (isCancelled) { if (isCancelled) {
return; return;
} }
/*
* Add the plugin output file to the case as a report.
*/
try { try {
Report report = currentCase.getSleuthkitCase().addReport(outputFile, VOLATILITY, VOLATILITY + " " + pluginToRun + " Plugin"); //NON-NLS String relativePath = new File(currentCase.getCaseDirectory()).toURI().relativize(new File(outputFileAsString).toURI()).getPath();
try { fileManager.addDerivedFile(pluginToRun, relativePath, outputFile.length(), 0, 0, 0, 0, true, outputVirtDir, null, null, null, null, EncodingType.NONE);
KeywordSearchService searchService = Lookup.getDefault().lookup(KeywordSearchService.class);
if (searchService != null) {
searchService.index(report);
} else {
errorMsgs.add(Bundle.VolatilityProcessor_exceptionMessage_searchServiceNotFound(pluginToRun));
/*
* Log the exception as well as add it to the error
* messages, to ensure that the stack trace is not lost.
*/
logger.log(Level.WARNING, Bundle.VolatilityProcessor_exceptionMessage_errorIndexingOutput(pluginToRun));
}
} catch (TskCoreException ex) {
throw new VolatilityProcessorException(Bundle.VolatilityProcessor_exceptionMessage_errorIndexingOutput(pluginToRun), ex);
}
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
throw new VolatilityProcessorException(Bundle.VolatilityProcessor_exceptionMessage_errorAddingOutput(pluginToRun), ex); errorMsgs.add("Error adding " + pluginToRun + " volatility report as a file");
logger.log(Level.WARNING, "Error adding report as derived file", ex);
} }
createArtifactsFromPluginOutput(pluginToRun, new File(outputFile)); createArtifactsFromPluginOutput(pluginToRun, new File(outputFileAsString));
} }
/** /**
@ -264,12 +277,18 @@ class VolatilityProcessor {
@NbBundle.Messages({ @NbBundle.Messages({
"VolatilityProcessor_exceptionMessage_failedToParseImageInfo=Could not parse image info" "VolatilityProcessor_exceptionMessage_failedToParseImageInfo=Could not parse image info"
}) })
private String parseImageInfoOutput(File imageOutputFile) throws VolatilityProcessorException { private String getProfileFromImageInfoOutput() throws VolatilityProcessorException {
File imageOutputFile = new File(moduleOutputPath + File.separator + "imageinfo.txt"); //NON-NLS
try (BufferedReader br = new BufferedReader(new FileReader(imageOutputFile))) { try (BufferedReader br = new BufferedReader(new FileReader(imageOutputFile))) {
String fileRead = br.readLine(); String fileRead = br.readLine();
String[] profileLine = fileRead.split(":"); //NON-NLS if (fileRead != null) {
String[] memProfile = profileLine[1].split(",|\\("); //NON-NLS String[] profileLine = fileRead.split(":"); //NON-NLS
return memProfile[0].replaceAll("\\s+", ""); //NON-NLS String[] memProfile = profileLine[1].split(",|\\("); //NON-NLS
return memProfile[0].replaceAll("\\s+", ""); //NON-NLS
}
else {
throw new VolatilityProcessorException(Bundle.VolatilityProcessor_exceptionMessage_failedToParseImageInfo());
}
} catch (IOException ex) { } catch (IOException ex) {
throw new VolatilityProcessorException(Bundle.VolatilityProcessor_exceptionMessage_failedToParseImageInfo(), ex); throw new VolatilityProcessorException(Bundle.VolatilityProcessor_exceptionMessage_failedToParseImageInfo(), ex);
} }