From 4abbbd9dcc27b1b25fe290286a801873a9c78cee Mon Sep 17 00:00:00 2001 From: Mark McKinnon Date: Tue, 28 Jul 2020 10:16:00 -0400 Subject: [PATCH] Initial commit Initial commit of Chrome based browsers --- .../recentactivity/Bundle.properties-MERGED | 20 +- .../autopsy/recentactivity/Chrome.java | 180 ++++++++++-------- 2 files changed, 108 insertions(+), 92 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED index 5ea28d7eec..839ccdd039 100755 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED @@ -5,15 +5,10 @@ ChromeCacheExtract_adding_artifacts_msg=Chrome Cache: Adding %d artifacts for an ChromeCacheExtract_adding_extracted_files_msg=Chrome Cache: Adding %d extracted files for analysis. ChromeCacheExtract_loading_files_msg=Chrome Cache: Loading files from %s. ChromeCacheExtractor.moduleName=ChromeCacheExtractor -# {0} - module name -# {1} - row number -# {2} - table length -# {3} - cache path ChromeCacheExtractor.progressMsg={0}: Extracting cache entry {1} of {2} entries from {3} DataSourceUsage_AndroidMedia=Android Media Card DataSourceUsage_DJU_Drone_DAT=DJI Internal SD Card DataSourceUsage_FlashDrive=Flash Drive -# {0} - OS name DataSourceUsageAnalyzer.customVolume.label=OS Drive ({0}) DataSourceUsageAnalyzer.parentModuleName=Recent Activity Extract.indexError.message=Failed to index artifact for keyword search. @@ -77,7 +72,7 @@ ExtractZone_progress_Msg=Extracting :Zone.Identifer files ExtractZone_Restricted=Restricted Sites Zone ExtractZone_Trusted=Trusted Sites Zone OpenIDE-Module-Display-Category=Ingest Module -OpenIDE-Module-Long-Description=Recent Activity ingest module.\n\n\The module extracts useful information about the recent user activity on the disk image being ingested, such as:\n\n- Recently open documents,\n- Web activity (sites visited, stored cookies, book marked sites, search engine queries, file downloads),\n- Recently attached devices,\n- Installed programs.\n\nThe module currently supports Windows only disk images.\nThe plugin is also fully functional when deployed on Windows version of Autopsy. +OpenIDE-Module-Long-Description=Recent Activity ingest module.\n\nThe module extracts useful information about the recent user activity on the disk image being ingested, such as:\n\n- Recently open documents,\n- Web activity (sites visited, stored cookies, book marked sites, search engine queries, file downloads),\n- Recently attached devices,\n- Installed programs.\n\nThe module currently supports Windows only disk images.\nThe plugin is also fully functional when deployed on Windows version of Autopsy. OpenIDE-Module-Name=RecentActivity OpenIDE-Module-Short-Description=Recent Activity finder ingest module Chrome.moduleName=Chrome @@ -148,14 +143,14 @@ Firefox.getDlV24.errMsg.errAnalyzeFile={0}: Error while trying to analyze file:{ Firefox.getDlV24.errMsg.errParsingArtifacts={0}: Error parsing {1} Firefox web download artifacts. Progress_Message_Analyze_Registry=Analyzing Registry Files Progress_Message_Analyze_Usage=Data Sources Usage Analysis -Progress_Message_Chrome_AutoFill=Chrome Auto Fill -Progress_Message_Chrome_Bookmarks=Chrome Bookmarks +Progress_Message_Chrome_AutoFill=Chrome Auto Fill Browser {0} +Progress_Message_Chrome_Bookmarks=Chrome Bookmarks Browser {0} Progress_Message_Chrome_Cache=Chrome Cache -Progress_Message_Chrome_Cookies=Chrome Cookies -Progress_Message_Chrome_Downloads=Chrome Downloads +Progress_Message_Chrome_Cookies=Chrome Cookies Browser {0} +Progress_Message_Chrome_Downloads=Chrome Downloads Browser {0} Progress_Message_Chrome_FormHistory=Chrome Form History -Progress_Message_Chrome_History=Chrome History -Progress_Message_Chrome_Logins=Chrome Logins +Progress_Message_Chrome_History=Chrome History Browser {0} +Progress_Message_Chrome_Logins=Chrome Logins Browser {0} Progress_Message_Edge_Bookmarks=Microsoft Edge Bookmarks Progress_Message_Edge_Cookies=Microsoft Edge Cookies Progress_Message_Edge_History=Microsoft Edge History @@ -209,7 +204,6 @@ Recently_Used_Artifacts_Winrar=Recently opened according to WinRAR MRU Registry_System_Bam=Recently Executed according to Background Activity Moderator (BAM) RegRipperFullNotFound=Full version RegRipper executable not found. RegRipperNotFound=Autopsy RegRipper executable not found. -# {0} - file name SearchEngineURLQueryAnalyzer.init.exception.msg=Unable to find {0}. SearchEngineURLQueryAnalyzer.moduleName.text=Search Engine SearchEngineURLQueryAnalyzer.engineName.none=NONE diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java index 2c7c5dfcb0..f7949bdf78 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java @@ -22,6 +22,7 @@ */ package org.sleuthkit.autopsy.recentactivity; +import com.google.common.collect.ImmutableMap; import com.google.gson.JsonArray; import com.google.gson.JsonElement; import com.google.gson.JsonIOException; @@ -84,14 +85,25 @@ class Chrome extends Extract { private Content dataSource; private IngestJobContext context; + private static final Map BROWSERS_MAP = ImmutableMap.builder() + .put("Microsoft Edge", "Microsoft/Edge") +// .put("Yandex Browser", "YandexBrowser") + .put("Opera", "Opera Software") +// .put("SalamWeb", "SalamWeb") +// .put("UC Browser", "UCBrowser") +// .put("Brave", "BraveSoftware") +// .put("Google Chrome", "Chrome") + .build(); + + @Messages({ - "Progress_Message_Chrome_History=Chrome History", - "Progress_Message_Chrome_Bookmarks=Chrome Bookmarks", - "Progress_Message_Chrome_Cookies=Chrome Cookies", - "Progress_Message_Chrome_Downloads=Chrome Downloads", + "Progress_Message_Chrome_History=Chrome History Browser {0}", + "Progress_Message_Chrome_Bookmarks=Chrome Bookmarks Browser {0}", + "Progress_Message_Chrome_Cookies=Chrome Cookies Browser {0}", + "Progress_Message_Chrome_Downloads=Chrome Downloads Browser {0}", "Progress_Message_Chrome_FormHistory=Chrome Form History", - "Progress_Message_Chrome_AutoFill=Chrome Auto Fill", - "Progress_Message_Chrome_Logins=Chrome Logins", + "Progress_Message_Chrome_AutoFill=Chrome Auto Fill Browser {0}", + "Progress_Message_Chrome_Logins=Chrome Logins Browser {0}", "Progress_Message_Chrome_Cache=Chrome Cache", }) @@ -105,55 +117,60 @@ class Chrome extends Extract { this.context = context; dataFound = false; - progressBar.progress(Bundle.Progress_Message_Chrome_History()); - this.getHistory(); - if (context.dataSourceIngestIsCancelled()) { - return; - } - - progressBar.progress(Bundle.Progress_Message_Chrome_Bookmarks()); - this.getBookmark(); - if (context.dataSourceIngestIsCancelled()) { - return; - } - - progressBar.progress(Bundle.Progress_Message_Chrome_Cookies()); - this.getCookie(); - if (context.dataSourceIngestIsCancelled()) { - return; - } - - progressBar.progress(Bundle.Progress_Message_Chrome_Logins()); - this.getLogins(); - if (context.dataSourceIngestIsCancelled()) { - return; - } - - progressBar.progress(Bundle.Progress_Message_Chrome_AutoFill()); - this.getAutofill(); - if (context.dataSourceIngestIsCancelled()) { - return; - } - - progressBar.progress(Bundle.Progress_Message_Chrome_Downloads()); - this.getDownload(); - if (context.dataSourceIngestIsCancelled()) { - return; + for (Map.Entry browser : BROWSERS_MAP.entrySet()) { + String browserName = browser.getKey(); + String browserLocation = browser.getValue(); + progressBar.progress(NbBundle.getMessage(this.getClass(), "Progress_Message_Chrome_History", browserName)); + this.getHistory(browser.getKey(), browser.getValue()); + if (context.dataSourceIngestIsCancelled()) { + return; + } + + progressBar.progress(NbBundle.getMessage(this.getClass(), "Progress_Message_Chrome_Bookmarks", browserName)); + this.getBookmark(browser.getKey(), browser.getValue()); + if (context.dataSourceIngestIsCancelled()) { + return; + } + + progressBar.progress(NbBundle.getMessage(this.getClass(), "Progress_Message_Chrome_Cookies", browserName)); + this.getCookie(browser.getKey(), browser.getValue()); + if (context.dataSourceIngestIsCancelled()) { + return; + } + + progressBar.progress(NbBundle.getMessage(this.getClass(), "Progress_Message_Chrome_Logins", browserName)); + this.getLogins(browser.getKey(), browser.getValue()); + if (context.dataSourceIngestIsCancelled()) { + return; + } + + progressBar.progress(NbBundle.getMessage(this.getClass(), "Progress_Message_Chrome_AutoFill", browserName)); + this.getAutofill(browser.getKey(), browser.getValue()); + if (context.dataSourceIngestIsCancelled()) { + return; + } + + progressBar.progress(NbBundle.getMessage(this.getClass(), "Progress_Message_Chrome_Downloads", browserName)); + this.getDownload(browser.getKey(), browser.getValue()); + if (context.dataSourceIngestIsCancelled()) { + return; + } } progressBar.progress(Bundle.Progress_Message_Chrome_Cache()); ChromeCacheExtractor chromeCacheExtractor = new ChromeCacheExtractor(dataSource, context, progressBar); chromeCacheExtractor.processCaches(); + } /** * Query for history databases and add artifacts */ - private void getHistory() { + private void getHistory(String browser, String browserLocation) { FileManager fileManager = currentCase.getServices().getFileManager(); List historyFiles; try { - historyFiles = fileManager.findFiles(dataSource, "History", "Chrome"); //NON-NLS + historyFiles = fileManager.findFiles(dataSource, "%History%", browserLocation); //NON-NLS } catch (TskCoreException ex) { String msg = NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.errGettingFiles"); logger.log(Level.SEVERE, msg, ex); @@ -179,10 +196,11 @@ class Chrome extends Extract { dataFound = true; Collection bbartifacts = new ArrayList<>(); int j = 0; - while (j < historyFiles.size()) { - String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + historyFiles.get(j).getName() + j + ".db"; //NON-NLS - final AbstractFile historyFile = historyFiles.get(j++); - if (historyFile.getSize() == 0) { + while (j < allocatedHistoryFiles.size()) { + String temps = RAImageIngestModule.getRATempPath(currentCase, browser) + File.separator + allocatedHistoryFiles.get(j).getName() + j + ".db"; //NON-NLS + final AbstractFile historyFile = allocatedHistoryFiles.get(j++); + if ((historyFile.getSize() == 0) || (historyFile.getName().toLowerCase().contains("-slack")) + || (historyFile.getName().toLowerCase().contains("cache"))) { continue; } try { @@ -223,8 +241,7 @@ class Chrome extends Extract { RecentActivityExtracterModuleFactory.getModuleName(), ((result.get("title").toString() != null) ? result.get("title").toString() : ""))); //NON-NLS bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, - RecentActivityExtracterModuleFactory.getModuleName(), - NbBundle.getMessage(this.getClass(), "Chrome.moduleName"))); + RecentActivityExtracterModuleFactory.getModuleName(), browser)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, RecentActivityExtracterModuleFactory.getModuleName(), (NetworkUtils.extractDomain((result.get("url").toString() != null) ? result.get("url").toString() : "")))); //NON-NLS @@ -245,11 +262,11 @@ class Chrome extends Extract { /** * Search for bookmark files and make artifacts. */ - private void getBookmark() { + private void getBookmark(String browser, String browserLocation) { FileManager fileManager = currentCase.getServices().getFileManager(); List bookmarkFiles; try { - bookmarkFiles = fileManager.findFiles(dataSource, "Bookmarks", "Chrome"); //NON-NLS + bookmarkFiles = fileManager.findFiles(dataSource, "%Bookmarks%", browserLocation); //NON-NLS } catch (TskCoreException ex) { String msg = NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errGettingFiles"); logger.log(Level.SEVERE, msg, ex); @@ -268,10 +285,10 @@ class Chrome extends Extract { while (j < bookmarkFiles.size()) { AbstractFile bookmarkFile = bookmarkFiles.get(j++); - if (bookmarkFile.getSize() == 0) { + if ((bookmarkFile.getSize() == 0) || (bookmarkFile.getName().toLowerCase().contains("-slack"))) { continue; } - String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + bookmarkFile.getName() + j + ".db"; //NON-NLS + String temps = RAImageIngestModule.getRATempPath(currentCase, browser) + File.separator + bookmarkFile.getName() + j + ".db"; //NON-NLS try { ContentUtils.writeToFile(bookmarkFile, new File(temps), context::dataSourceIngestIsCancelled); } catch (ReadContentInputStreamException ex) { @@ -359,8 +376,7 @@ class Chrome extends Extract { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_CREATED, RecentActivityExtracterModuleFactory.getModuleName(), (date / 1000000) - Long.valueOf("11644473600"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, - RecentActivityExtracterModuleFactory.getModuleName(), - NbBundle.getMessage(this.getClass(), "Chrome.moduleName"))); + RecentActivityExtracterModuleFactory.getModuleName(), browser)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, RecentActivityExtracterModuleFactory.getModuleName(), domain)); bbart.addAttributes(bbattributes); @@ -381,12 +397,12 @@ class Chrome extends Extract { /** * Queries for cookie files and adds artifacts */ - private void getCookie() { + private void getCookie(String browser, String browserLocation) { FileManager fileManager = currentCase.getServices().getFileManager(); List cookiesFiles; try { - cookiesFiles = fileManager.findFiles(dataSource, "Cookies", "Chrome"); //NON-NLS + cookiesFiles = fileManager.findFiles(dataSource, "%Cookies%", browserLocation); //NON-NLS } catch (TskCoreException ex) { String msg = NbBundle.getMessage(this.getClass(), "Chrome.getCookie.errMsg.errGettingFiles"); logger.log(Level.SEVERE, msg, ex); @@ -404,10 +420,10 @@ class Chrome extends Extract { int j = 0; while (j < cookiesFiles.size()) { AbstractFile cookiesFile = cookiesFiles.get(j++); - if (cookiesFile.getSize() == 0) { + if ((cookiesFile.getSize() == 0) || (cookiesFile.getName().toLowerCase().contains("-slack"))) { continue; } - String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + cookiesFile.getName() + j + ".db"; //NON-NLS + String temps = RAImageIngestModule.getRATempPath(currentCase, browser) + File.separator + cookiesFile.getName() + j + ".db"; //NON-NLS try { ContentUtils.writeToFile(cookiesFile, new File(temps), context::dataSourceIngestIsCancelled); } catch (ReadContentInputStreamException ex) { @@ -447,8 +463,7 @@ class Chrome extends Extract { RecentActivityExtracterModuleFactory.getModuleName(), ((result.get("value").toString() != null) ? result.get("value").toString() : ""))); //NON-NLS bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, - RecentActivityExtracterModuleFactory.getModuleName(), - NbBundle.getMessage(this.getClass(), "Chrome.moduleName"))); + RecentActivityExtracterModuleFactory.getModuleName(), browser)); String domain = result.get("host_key").toString(); //NON-NLS domain = domain.replaceFirst("^\\.+(?!$)", ""); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, @@ -471,11 +486,11 @@ class Chrome extends Extract { /** * Queries for download files and adds artifacts */ - private void getDownload() { + private void getDownload(String browser, String browserLocation) { FileManager fileManager = currentCase.getServices().getFileManager(); List downloadFiles; try { - downloadFiles = fileManager.findFiles(dataSource, "History", "Chrome"); //NON-NLS + downloadFiles = fileManager.findFiles(dataSource, "%History%", "Chrome"); //NON-NLS } catch (TskCoreException ex) { String msg = NbBundle.getMessage(this.getClass(), "Chrome.getDownload.errMsg.errGettingFiles"); logger.log(Level.SEVERE, msg, ex); @@ -493,10 +508,12 @@ class Chrome extends Extract { int j = 0; while (j < downloadFiles.size()) { AbstractFile downloadFile = downloadFiles.get(j++); - if (downloadFile.getSize() == 0) { + if ((downloadFile.getSize() == 0) || (downloadFile.getName().toLowerCase().contains("-slack")) + || (downloadFile.getName().toLowerCase().contains("cache"))) { continue; } - String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + downloadFile.getName() + j + ".db"; //NON-NLS + + String temps = RAImageIngestModule.getRATempPath(currentCase, browser) + File.separator + downloadFile.getName() + j + ".db"; //NON-NLS try { ContentUtils.writeToFile(downloadFile, new File(temps), context::dataSourceIngestIsCancelled); } catch (ReadContentInputStreamException ex) { @@ -552,8 +569,7 @@ class Chrome extends Extract { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, RecentActivityExtracterModuleFactory.getModuleName(), domain)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, - RecentActivityExtracterModuleFactory.getModuleName(), - NbBundle.getMessage(this.getClass(), "Chrome.moduleName"))); + RecentActivityExtracterModuleFactory.getModuleName(), browser)); BlackboardArtifact webDownloadArtifact = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, downloadFile, bbattributes); if (webDownloadArtifact != null) { @@ -561,7 +577,7 @@ class Chrome extends Extract { // find the downloaded file and create a TSK_ASSOCIATED_OBJECT for it, associating it with the TSK_WEB_DOWNLOAD artifact. try { - String normalizedFullPath = FilenameUtils.normalize(fullPath, true); + String normalizedFullPath = FilenameUtils.normalize(fullPath, true); for (AbstractFile downloadedFile : fileManager.findFiles(dataSource, FilenameUtils.getName(normalizedFullPath), FilenameUtils.getPath(normalizedFullPath))) { BlackboardArtifact associatedObjectArtifact = downloadedFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_ASSOCIATED_OBJECT); associatedObjectArtifact.addAttribute( @@ -588,12 +604,12 @@ class Chrome extends Extract { /** * Gets user logins from Login Data sqlite database */ - private void getLogins() { + private void getLogins(String browser, String browserLocation) { FileManager fileManager = currentCase.getServices().getFileManager(); List loginDataFiles; try { - loginDataFiles = fileManager.findFiles(dataSource, "Login Data", "Chrome"); //NON-NLS + loginDataFiles = fileManager.findFiles(dataSource, "%Login Data%", browserLocation); //NON-NLS } catch (TskCoreException ex) { String msg = NbBundle.getMessage(this.getClass(), "Chrome.getLogin.errMsg.errGettingFiles"); logger.log(Level.SEVERE, msg, ex); @@ -611,10 +627,10 @@ class Chrome extends Extract { int j = 0; while (j < loginDataFiles.size()) { AbstractFile loginDataFile = loginDataFiles.get(j++); - if (loginDataFile.getSize() == 0) { + if ((loginDataFile.getSize() == 0) || (loginDataFile.getName().toLowerCase().contains("-slack"))) { continue; } - String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + loginDataFile.getName() + j + ".db"; //NON-NLS + String temps = RAImageIngestModule.getRATempPath(currentCase, browser) + File.separator + loginDataFile.getName() + j + ".db"; //NON-NLS try { ContentUtils.writeToFile(loginDataFile, new File(temps), context::dataSourceIngestIsCancelled); } catch (ReadContentInputStreamException ex) { @@ -661,6 +677,9 @@ class Chrome extends Extract { RecentActivityExtracterModuleFactory.getModuleName(), ((result.get("signon_realm").toString() != null) ? result.get("signon_realm").toString() : ""))); //NON-NLS + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, + RecentActivityExtracterModuleFactory.getModuleName(), browser)); + BlackboardArtifact bbart = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_SERVICE_ACCOUNT, loginDataFile, bbattributes); if (bbart != null) { bbartifacts.add(bbart); @@ -679,12 +698,12 @@ class Chrome extends Extract { * Gets and parses Autofill data from 'Web Data' database, * and creates TSK_WEB_FORM_AUTOFILL, TSK_WEB_FORM_ADDRESS artifacts */ - private void getAutofill() { + private void getAutofill(String browser, String browserLocation) { FileManager fileManager = currentCase.getServices().getFileManager(); List webDataFiles; try { - webDataFiles = fileManager.findFiles(dataSource, "Web Data", "Chrome"); //NON-NLS + webDataFiles = fileManager.findFiles(dataSource, "%Web Data%", browserLocation); //NON-NLS } catch (TskCoreException ex) { String msg = NbBundle.getMessage(this.getClass(), "Chrome.getAutofills.errMsg.errGettingFiles"); logger.log(Level.SEVERE, msg, ex); @@ -702,10 +721,10 @@ class Chrome extends Extract { int j = 0; while (j < webDataFiles.size()) { AbstractFile webDataFile = webDataFiles.get(j++); - if (webDataFile.getSize() == 0) { + if ((webDataFile.getSize() == 0) || (webDataFile.getName().toLowerCase().contains("-slack"))) { continue; } - String tempFilePath = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + webDataFile.getName() + j + ".db"; //NON-NLS + String tempFilePath = RAImageIngestModule.getRATempPath(currentCase, browser) + File.separator + webDataFile.getName() + j + ".db"; //NON-NLS try { ContentUtils.writeToFile(webDataFile, new File(tempFilePath), context::dataSourceIngestIsCancelled); } catch (ReadContentInputStreamException ex) { @@ -731,7 +750,7 @@ class Chrome extends Extract { boolean isSchemaV8X = Util.checkColumn("date_created", "autofill", tempFilePath); // get form autofill artifacts - bbartifacts.addAll(getFormAutofillArtifacts(webDataFile, tempFilePath, isSchemaV8X)); + bbartifacts.addAll(getFormAutofillArtifacts(webDataFile, tempFilePath, isSchemaV8X, browser)); try { // get form address atifacts getFormAddressArtifacts(webDataFile, tempFilePath, isSchemaV8X); @@ -757,7 +776,7 @@ class Chrome extends Extract { * * @return collection of TSK_WEB_FORM_AUTOFILL artifacts */ - private Collection getFormAutofillArtifacts (AbstractFile webDataFile, String dbFilePath , boolean isSchemaV8X ) { + private Collection getFormAutofillArtifacts (AbstractFile webDataFile, String dbFilePath , boolean isSchemaV8X, String browser ) { Collection bbartifacts = new ArrayList<>(); @@ -783,7 +802,7 @@ class Chrome extends Extract { RecentActivityExtracterModuleFactory.getModuleName(), (Integer.valueOf(result.get("count").toString())))); //NON-NLS - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_CREATED, + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_CREATED, RecentActivityExtracterModuleFactory.getModuleName(), Long.valueOf(result.get("date_created").toString()))); //NON-NLS @@ -794,6 +813,9 @@ class Chrome extends Extract { Long.valueOf(result.get("date_last_used").toString()))); //NON-NLS } + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, + RecentActivityExtracterModuleFactory.getModuleName(), browser)); + // Add an artifact BlackboardArtifact bbart = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_FORM_AUTOFILL, webDataFile, bbattributes); if (bbart != null) { @@ -886,7 +908,7 @@ class Chrome extends Extract { use_count, otherAttributes); } } - + private boolean isChromePreVersion30(String temps) { String query = "PRAGMA table_info(downloads)"; //NON-NLS List> columns = this.dbConnect(temps, query);