mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-13 08:26:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

fixed Android GPS time bug, cleaned up Android code, disablede iOS code. moved KML logic to KML report module

Browse Source
This commit is contained in:
Brian Carrier 2014-07-08 18:25:02 -04:00
parent 681fa0bf4e
commit 4bc93248a4
17 changed files with 558 additions and 594 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
Core/src/org/sleuthkit/autopsy/modules/android/AndroidIngestModule.java
View File

@ -45,17 +45,13 @@ class AndroidIngestModule implements DataSourceIngestModule {
@Override @Override
public ProcessResult process(Content dataSource, DataSourceIngestModuleProgress progressBar) { public ProcessResult process(Content dataSource, DataSourceIngestModuleProgress progressBar) {
services.postMessage(IngestMessage.createMessage(IngestMessage.MessageType.INFO, AndroidModuleFactory.getModuleName(), "Started {0}")); services.postMessage(IngestMessage.createMessage(IngestMessage.MessageType.INFO, AndroidModuleFactory.getModuleName(), "Started {0}"));
ArrayList<String> errors = new ArrayList<>(); ArrayList<String> errors = new ArrayList<>();
progressBar.switchToDeterminate(9); progressBar.switchToDeterminate(9);
try { try {
ContactAnalyzer FindContacts = new ContactAnalyzer(); ContactAnalyzer.findContacts();
FindContacts.findContacts();
progressBar.progress(1); progressBar.progress(1);
if (context.isJobCancelled()) { if (context.isJobCancelled()) {
return IngestModule.ProcessResult.OK; return IngestModule.ProcessResult.OK;
@ -63,9 +59,9 @@ class AndroidIngestModule implements DataSourceIngestModule {
} catch (Exception e) { } catch (Exception e) {
errors.add("Error getting Contacts"); errors.add("Error getting Contacts");
} }
try { try {
CallLogAnalyzer FindCallLogs = new CallLogAnalyzer(); CallLogAnalyzer.findCallLogs();
FindCallLogs.findCallLogs();
progressBar.progress(2); progressBar.progress(2);
if (context.isJobCancelled()) { if (context.isJobCancelled()) {
return IngestModule.ProcessResult.OK; return IngestModule.ProcessResult.OK;
@ -73,9 +69,9 @@ class AndroidIngestModule implements DataSourceIngestModule {
} catch (Exception e) { } catch (Exception e) {
errors.add("Error getting Call Logs"); errors.add("Error getting Call Logs");
} }
try { try {
TextMessageAnalyzer FindTexts = new TextMessageAnalyzer(); TextMessageAnalyzer.findTexts();
FindTexts.findTexts();
progressBar.progress(3); progressBar.progress(3);
if (context.isJobCancelled()) { if (context.isJobCancelled()) {
return IngestModule.ProcessResult.OK; return IngestModule.ProcessResult.OK;
@ -83,9 +79,9 @@ class AndroidIngestModule implements DataSourceIngestModule {
} catch (Exception e) { } catch (Exception e) {
errors.add("Error getting Text Messages"); errors.add("Error getting Text Messages");
} }
try { try {
TangoMessageAnalyzer FindTangoMessages = new TangoMessageAnalyzer(); TangoMessageAnalyzer.findTangoMessages();
FindTangoMessages.findTangoMessages();
progressBar.progress(4); progressBar.progress(4);
if (context.isJobCancelled()) { if (context.isJobCancelled()) {
return IngestModule.ProcessResult.OK; return IngestModule.ProcessResult.OK;
@ -93,9 +89,9 @@ class AndroidIngestModule implements DataSourceIngestModule {
} catch (Exception e) { } catch (Exception e) {
errors.add("Error getting Tango Messages"); errors.add("Error getting Tango Messages");
} }
try { try {
WWFMessageAnalyzer FindWWFMessages = new WWFMessageAnalyzer(); WWFMessageAnalyzer.findWWFMessages();
FindWWFMessages.findWWFMessages();
progressBar.progress(5); progressBar.progress(5);
if (context.isJobCancelled()) { if (context.isJobCancelled()) {
return IngestModule.ProcessResult.OK; return IngestModule.ProcessResult.OK;
@ -103,40 +99,43 @@ class AndroidIngestModule implements DataSourceIngestModule {
} catch (Exception e) { } catch (Exception e) {
errors.add("Error getting Words with Friends Messages"); errors.add("Error getting Words with Friends Messages");
} }
try { try {
GoogleMapLocationAnalyzer FindGoogleMapLocations = new GoogleMapLocationAnalyzer(); GoogleMapLocationAnalyzer.findGeoLocations();
FindGoogleMapLocations.findGeoLocations();
progressBar.progress(6); progressBar.progress(6);
if (context.isJobCancelled()) { if (context.isJobCancelled()) {
return IngestModule.ProcessResult.OK; return IngestModule.ProcessResult.OK;
} }
} catch (Exception e) { } catch (Exception e) {
errors.add( "Error getting Google Map Locations"); errors.add("Error getting Google Map Locations");
} }
try { try {
BrowserLocationAnalyzer FindBrowserLocations = new BrowserLocationAnalyzer(); BrowserLocationAnalyzer.findGeoLocations();
FindBrowserLocations.findGeoLocations();
progressBar.progress(7); progressBar.progress(7);
} catch (Exception e) {
errors.add("Error getting Browser Locations");
}
if (context.isJobCancelled()) { if (context.isJobCancelled()) {
return IngestModule.ProcessResult.OK; return IngestModule.ProcessResult.OK;
} }
} catch (Exception e) {
errors.add("Error getting Browser Locations");
}
try { try {
CacheLocationAnalyzer FindCacheLocations = new CacheLocationAnalyzer(); CacheLocationAnalyzer.findGeoLocations();
FindCacheLocations.findGeoLocations();
progressBar.progress(8); progressBar.progress(8);
} catch (Exception e) { } catch (Exception e) {
errors.add("Error getting Cache Locations"); errors.add("Error getting Cache Locations");
} }
/* I'm not sure why we have this in here since we have a KML report module ...
try { try {
KMLFileCreator KMLFileCreator = new KMLFileCreator(); KMLFileCreator kMLFileCreator = new KMLFileCreator();
KMLFileCreator.CreateKML(); kMLFileCreator.createKml();
progressBar.progress(9); progressBar.progress(9);
} catch (Exception e) { } catch (Exception e) {
errors.add("Error creating KML"); errors.add("Error creating KML");
} }
*/
// create the final message for inbox // create the final message for inbox
StringBuilder errorMessage = new StringBuilder(); StringBuilder errorMessage = new StringBuilder();
@ -153,17 +152,15 @@ class AndroidIngestModule implements DataSourceIngestModule {
if (errors.size() == 1) { if (errors.size() == 1) {
errorMsgSubject = "One error was found"; errorMsgSubject = "One error was found";
} else { } else {
errorMsgSubject = "errors found: " +errors.size(); errorMsgSubject = "errors found: " + errors.size();
} }
} else { } else {
errorMessage.append( "No errors"); errorMessage.append("No errors");
errorMsgSubject ="No errors"; errorMsgSubject = "No errors";
} }
final IngestMessage msg = IngestMessage.createMessage(msgLevel, AndroidModuleFactory.getModuleName(),"Ingest Finished"); final IngestMessage msg = IngestMessage.createMessage(msgLevel, AndroidModuleFactory.getModuleName(), "Ingest Finished");
services.postMessage(msg); services.postMessage(msg);
return IngestModule.ProcessResult.OK; return IngestModule.ProcessResult.OK;
} }
} }

1
Core/src/org/sleuthkit/autopsy/modules/android/AndroidModuleFactory.java
View File

@ -25,7 +25,6 @@ import org.sleuthkit.autopsy.ingest.DataSourceIngestModule;
import org.sleuthkit.autopsy.ingest.IngestModuleFactoryAdapter; import org.sleuthkit.autopsy.ingest.IngestModuleFactoryAdapter;
import org.sleuthkit.autopsy.ingest.IngestModuleIngestJobSettings; import org.sleuthkit.autopsy.ingest.IngestModuleIngestJobSettings;
@ServiceProvider(service = IngestModuleFactory.class) // @ServiceProvider(service = IngestModuleFactory.class) //
public class AndroidModuleFactory extends IngestModuleFactoryAdapter { public class AndroidModuleFactory extends IngestModuleFactoryAdapter {

73
Core/src/org/sleuthkit/autopsy/modules/android/BrowserLocationAnalyzer.java
View File

@ -18,6 +18,7 @@
*/ */
package org.sleuthkit.autopsy.modules.android; package org.sleuthkit.autopsy.modules.android;
import java.io.File;
import java.sql.Connection; import java.sql.Connection;
import java.sql.DriverManager; import java.sql.DriverManager;
import java.sql.ResultSet; import java.sql.ResultSet;
@ -36,31 +37,22 @@ import org.sleuthkit.datamodel.TskCoreException;
class BrowserLocationAnalyzer { class BrowserLocationAnalyzer {
private Connection connection = null; private static final String moduleName = AndroidModuleFactory.getModuleName();
private ResultSet resultSet = null;
private Statement statement = null;
private String dbPath = "";
private long fileId = 0;
private java.io.File jFile = null;
private String moduleName= AndroidModuleFactory.getModuleName();
private static final Logger logger = Logger.getLogger(BrowserLocationAnalyzer.class.getName()); private static final Logger logger = Logger.getLogger(BrowserLocationAnalyzer.class.getName());
public void findGeoLocations() { public static void findGeoLocations() {
List<AbstractFile> absFiles;
try { try {
SleuthkitCase skCase = Case.getCurrentCase().getSleuthkitCase(); SleuthkitCase skCase = Case.getCurrentCase().getSleuthkitCase();
absFiles = skCase.findAllFilesWhere("name LIKE 'CachedGeoposition%.db'"); //get exact file names List<AbstractFile> abstractFiles = skCase.findAllFilesWhere("name LIKE 'CachedGeoposition%.db'"); //get exact file names
if (absFiles.isEmpty()) {
return; for (AbstractFile abstractFile : abstractFiles) {
}
for (AbstractFile AF : absFiles) {
try { try {
if (AF.getSize() ==0) continue; if (abstractFile.getSize() == 0) {
jFile = new java.io.File(Case.getCurrentCase().getTempDirectory(), AF.getName()); continue;
ContentUtils.writeToFile(AF,jFile); }
dbPath = jFile.toString(); //path of file as string File jFile = new File(Case.getCurrentCase().getTempDirectory(), abstractFile.getName());
fileId = AF.getId(); ContentUtils.writeToFile(abstractFile, jFile);
findGeoLocationsInDB(dbPath, fileId); findGeoLocationsInDB(jFile.toString(), abstractFile);
} catch (Exception e) { } catch (Exception e) {
logger.log(Level.SEVERE, "Error parsing Browser Location files", e); logger.log(Level.SEVERE, "Error parsing Browser Location files", e);
} }
@ -71,7 +63,10 @@ class BrowserLocationAnalyzer {
} }
} }
private void findGeoLocationsInDB(String DatabasePath, long fId) { private static void findGeoLocationsInDB(String DatabasePath, AbstractFile f) {
Connection connection = null;
ResultSet resultSet = null;
Statement statement = null;
if (DatabasePath == null || DatabasePath.isEmpty()) { if (DatabasePath == null || DatabasePath.isEmpty()) {
return; return;
} }
@ -81,50 +76,38 @@ class BrowserLocationAnalyzer {
statement = connection.createStatement(); statement = connection.createStatement();
} catch (ClassNotFoundException | SQLException e) { } catch (ClassNotFoundException | SQLException e) {
logger.log(Level.SEVERE, "Error connecting to sql database", e); logger.log(Level.SEVERE, "Error connecting to sql database", e);
return;
} }
Case currentCase = Case.getCurrentCase();
SleuthkitCase skCase = currentCase.getSleuthkitCase();
try {
AbstractFile f = skCase.getAbstractFileById(fId);
try { try {
resultSet = statement.executeQuery( resultSet = statement.executeQuery(
"Select timestamp, latitude, longitude, accuracy FROM CachedPosition;"); "Select timestamp, latitude, longitude, accuracy FROM CachedPosition;");
BlackboardArtifact bba;
Long timestamp; // unix time
String latitude;
String longitude;
while (resultSet.next()) { while (resultSet.next()) {
timestamp = Long.valueOf(resultSet.getString("timestamp")) / 1000; Long timestamp = Long.valueOf(resultSet.getString("timestamp")) / 1000;
latitude= resultSet.getString("latitude"); double latitude = Double.valueOf(resultSet.getString("latitude"));
longitude = resultSet.getString("longitude"); double longitude = Double.valueOf(resultSet.getString("longitude"));
bba = f.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_TRACKPOINT); BlackboardArtifact bba = f.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_TRACKPOINT);
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LATITUDE.getTypeID(),moduleName,latitude)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LATITUDE.getTypeID(), moduleName, latitude));
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LONGITUDE.getTypeID(),moduleName, longitude)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LONGITUDE.getTypeID(), moduleName, longitude));
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(),moduleName, timestamp)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), moduleName, timestamp));
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),moduleName, "Browser Location History")); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), moduleName, "Browser Location History"));
// bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(),moduleName, accuracy)); // bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(),moduleName, accuracy));
} }
} catch (Exception e) { } catch (Exception e) {
logger.log(Level.SEVERE, "Error Putting artifacts to Blackboard", e); logger.log(Level.SEVERE, "Error Putting artifacts to Blackboard", e);
} finally { } finally {
try { try {
if (resultSet != null) {
resultSet.close(); resultSet.close();
}
statement.close(); statement.close();
connection.close(); connection.close();
} catch (Exception e) { } catch (Exception e) {
logger.log(Level.SEVERE, "Error closing database", e); logger.log(Level.SEVERE, "Error closing database", e);
} }
} }
} catch (Exception e) {
logger.log(Level.SEVERE, "Error Putting artifacts to Blackboard", e);
}
} }
} }

81
Core/src/org/sleuthkit/autopsy/modules/android/CacheLocationAnalyzer.java
View File

@ -36,27 +36,24 @@ import org.sleuthkit.datamodel.TskCoreException;
class CacheLocationAnalyzer { class CacheLocationAnalyzer {
private String filePath = ""; private static final String moduleName = AndroidModuleFactory.getModuleName();
private long fileId = 0;
private java.io.File jFile = null;
private String moduleName= AndroidModuleFactory.getModuleName();
private static final Logger logger = Logger.getLogger(CacheLocationAnalyzer.class.getName()); private static final Logger logger = Logger.getLogger(CacheLocationAnalyzer.class.getName());
public void findGeoLocations() {
List<AbstractFile> absFiles; public static void findGeoLocations() {
try { try {
SleuthkitCase skCase = Case.getCurrentCase().getSleuthkitCase(); SleuthkitCase skCase = Case.getCurrentCase().getSleuthkitCase();
absFiles = skCase.findAllFilesWhere("name ='cache.cell'OR name='cache.wifi'"); //get exact file names List<AbstractFile> abstractFiles = skCase.findAllFilesWhere("name ='cache.cell' OR name='cache.wifi'"); //get exact file names
if (absFiles.isEmpty()) {
return; for (AbstractFile abstractFile : abstractFiles) {
}
for (AbstractFile AF : absFiles) {
try { try {
if (AF.getSize() ==0) continue; if (abstractFile.getSize() == 0) {
jFile = new java.io.File(Case.getCurrentCase().getTempDirectory(), AF.getName()); continue;
ContentUtils.writeToFile(AF,jFile); }
filePath = jFile.toString(); //path of file as string File jFile = new File(Case.getCurrentCase().getTempDirectory(), abstractFile.getName());
fileId = AF.getId(); ContentUtils.writeToFile(abstractFile, jFile);
findGeoLocationsInFile(filePath, fileId);
findGeoLocationsInFile(jFile, abstractFile);
} catch (Exception e) { } catch (Exception e) {
logger.log(Level.SEVERE, "Error parsing cached Location files", e); logger.log(Level.SEVERE, "Error parsing cached Location files", e);
} }
@ -66,82 +63,72 @@ class CacheLocationAnalyzer {
} }
} }
private void findGeoLocationsInFile(String filePath, long fId) { private static void findGeoLocationsInFile(File file, AbstractFile f) {
if (filePath == null || filePath.isEmpty()) {
return;
}
String fileName=filePath.contains("cell")? "cache.cell":"cache.wifi";
File file = new File(filePath); //cache.cell or cache.wifi
byte[] bytes; // will temporarily hold bytes to be converted into the correct data types byte[] bytes; // will temporarily hold bytes to be converted into the correct data types
Case currentCase = Case.getCurrentCase();
SleuthkitCase skCase = currentCase.getSleuthkitCase();
try { try {
InputStream inputStream = new FileInputStream(file); InputStream inputStream = new FileInputStream(file);
AbstractFile f = skCase.getAbstractFileById(fId);
BlackboardArtifact bba;
String latitude;
String longitude;
String confidence;
String accuracy; //measure of how accurate the gps location is.
bytes = new byte[2]; // version bytes = new byte[2]; // version
inputStream.read(bytes); inputStream.read(bytes);
bytes = new byte[2]; bytes = new byte[2];
inputStream.read(bytes); //number of location entries inputStream.read(bytes); //number of location entries
int iterations = new BigInteger(bytes).intValue(); int iterations = new BigInteger(bytes).intValue();
for (int i = 0; i < iterations; i++) { //loop through every entry for (int i = 0; i < iterations; i++) { //loop through every entry
bytes = new byte[2]; bytes = new byte[2];
inputStream.read(bytes); inputStream.read(bytes);
bytes = new byte[1]; bytes = new byte[1];
inputStream.read(bytes); inputStream.read(bytes);
while (new BigInteger(bytes).intValue() != 0) //pass through non important values until the start of accuracy(around 7-10 bytes) while (new BigInteger(bytes).intValue() != 0) { //pass through non important values until the start of accuracy(around 7-10 bytes)
{
inputStream.read(bytes); inputStream.read(bytes);
} }
bytes = new byte[3]; bytes = new byte[3];
inputStream.read(bytes); inputStream.read(bytes);
if (new BigInteger(bytes).intValue()<=0){//This refers to a location that could not be calculated. if (new BigInteger(bytes).intValue() <= 0) {//This refers to a location that could not be calculated.
bytes = new byte[28]; //read rest of the row's bytes bytes = new byte[28]; //read rest of the row's bytes
inputStream.read(bytes); inputStream.read(bytes);
continue; continue;
} }
accuracy=""+new BigInteger(bytes).intValue(); String accuracy = "" + new BigInteger(bytes).intValue();
bytes = new byte[4]; bytes = new byte[4];
inputStream.read(bytes); inputStream.read(bytes);
confidence=""+new BigInteger(bytes).intValue(); String confidence = "" + new BigInteger(bytes).intValue();
bytes = new byte[8]; bytes = new byte[8];
inputStream.read(bytes); inputStream.read(bytes);
latitude=""+toDouble(bytes); double latitude = toDouble(bytes);
bytes = new byte[8]; bytes = new byte[8];
inputStream.read(bytes); inputStream.read(bytes);
longitude= ""+toDouble(bytes); double longitude = toDouble(bytes);
bytes = new byte[8]; bytes = new byte[8];
inputStream.read(bytes); inputStream.read(bytes);
Long timestamp = new BigInteger(bytes).longValue(); Long timestamp = new BigInteger(bytes).longValue() / 1000;
bba = f.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_TRACKPOINT); BlackboardArtifact bba = f.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_TRACKPOINT);
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LATITUDE.getTypeID(),moduleName,latitude)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LATITUDE.getTypeID(), moduleName, latitude));
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LONGITUDE.getTypeID(),moduleName, longitude)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LONGITUDE.getTypeID(), moduleName, longitude));
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(),moduleName, timestamp)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), moduleName, timestamp));
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),moduleName, fileName+" Location History")); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), moduleName, file.getName() + " Location History"));
//Not storing these for now. //Not storing these for now.
// bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(),moduleName, accuracy)); // bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(),moduleName, accuracy));
// bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT.getTypeID(),moduleName, confidence)); // bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT.getTypeID(),moduleName, confidence));
} }
}catch (Exception e) { } catch (Exception e) {
logger.log(Level.SEVERE, "Error parsing Cached GPS locations to Blackboard", e); logger.log(Level.SEVERE, "Error parsing Cached GPS locations to Blackboard", e);
} }
} }
public static double toDouble(byte[] bytes) { private static double toDouble(byte[] bytes) {
return ByteBuffer.wrap(bytes).getDouble(); return ByteBuffer.wrap(bytes).getDouble();
} }
} }

45
Core/src/org/sleuthkit/autopsy/modules/android/CallLogAnalyzer.java
View File

@ -18,6 +18,7 @@
*/ */
package org.sleuthkit.autopsy.modules.android; package org.sleuthkit.autopsy.modules.android;
import java.io.File;
import java.sql.Connection; import java.sql.Connection;
import java.sql.DriverManager; import java.sql.DriverManager;
import java.sql.ResultSet; import java.sql.ResultSet;
@ -34,18 +35,12 @@ import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskCoreException;
class CallLogAnalyzer { class CallLogAnalyzer {
private Connection connection = null; private static final String moduleName = AndroidModuleFactory.getModuleName();
private ResultSet resultSet = null;
private Statement statement = null;
private String dbPath = "";
private long fileId = 0;
private java.io.File jFile = null;
private String moduleName= AndroidModuleFactory.getModuleName();
private static final Logger logger = Logger.getLogger(CallLogAnalyzer.class.getName()); private static final Logger logger = Logger.getLogger(CallLogAnalyzer.class.getName());
public void findCallLogs() { public static void findCallLogs() {
List<AbstractFile> absFiles; List<AbstractFile> absFiles;
try { try {
SleuthkitCase skCase = Case.getCurrentCase().getSleuthkitCase(); SleuthkitCase skCase = Case.getCurrentCase().getSleuthkitCase();
@ -53,13 +48,12 @@ import org.sleuthkit.datamodel.TskCoreException;
if (absFiles.isEmpty()) { if (absFiles.isEmpty()) {
return; return;
} }
for (AbstractFile AF : absFiles) { for (AbstractFile abstractFile : absFiles) {
try { try {
jFile = new java.io.File(Case.getCurrentCase().getTempDirectory(), AF.getName()); File jFile = new java.io.File(Case.getCurrentCase().getTempDirectory(), abstractFile.getName());
ContentUtils.writeToFile(AF,jFile); ContentUtils.writeToFile(abstractFile, jFile);
dbPath = jFile.toString(); //path of file as string
fileId = AF.getId(); findCallLogsInDB(jFile.toString(), abstractFile);
findCallLogsInDB(dbPath, fileId);
} catch (Exception e) { } catch (Exception e) {
logger.log(Level.SEVERE, "Error parsing Call logs", e); logger.log(Level.SEVERE, "Error parsing Call logs", e);
} }
@ -69,7 +63,11 @@ import org.sleuthkit.datamodel.TskCoreException;
} }
} }
private void findCallLogsInDB(String DatabasePath, long fId) { private static void findCallLogsInDB(String DatabasePath, AbstractFile f) {
Connection connection = null;
ResultSet resultSet = null;
Statement statement = null;
if (DatabasePath == null || DatabasePath.isEmpty()) { if (DatabasePath == null || DatabasePath.isEmpty()) {
return; return;
} }
@ -79,12 +77,9 @@ import org.sleuthkit.datamodel.TskCoreException;
statement = connection.createStatement(); statement = connection.createStatement();
} catch (ClassNotFoundException | SQLException e) { } catch (ClassNotFoundException | SQLException e) {
logger.log(Level.SEVERE, "Error opening database", e); logger.log(Level.SEVERE, "Error opening database", e);
return;
} }
Case currentCase = Case.getCurrentCase();
SleuthkitCase skCase = currentCase.getSleuthkitCase();
try {
AbstractFile f = skCase.getAbstractFileById(fId);
try { try {
resultSet = statement.executeQuery( resultSet = statement.executeQuery(
"SELECT number,date,duration,type, name FROM calls ORDER BY date DESC;"); "SELECT number,date,duration,type, name FROM calls ORDER BY date DESC;");
@ -113,9 +108,9 @@ import org.sleuthkit.datamodel.TskCoreException;
} }
bba = f.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_CALLLOG); //create a call log and then add attributes from result set. bba = f.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_CALLLOG); //create a call log and then add attributes from result set.
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER.getTypeID(),moduleName, number)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER.getTypeID(), moduleName, number));
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_START.getTypeID(), moduleName, date)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_START.getTypeID(), moduleName, date));
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_END.getTypeID(), moduleName, duration+date)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_END.getTypeID(), moduleName, duration + date));
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DIRECTION.getTypeID(), moduleName, direction)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DIRECTION.getTypeID(), moduleName, direction));
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), moduleName, name)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), moduleName, name));
} }
@ -123,15 +118,15 @@ import org.sleuthkit.datamodel.TskCoreException;
logger.log(Level.SEVERE, "Error parsing Call logs to the Blackboard", e); logger.log(Level.SEVERE, "Error parsing Call logs to the Blackboard", e);
} finally { } finally {
try { try {
if (resultSet != null) {
resultSet.close(); resultSet.close();
}
statement.close(); statement.close();
connection.close(); connection.close();
} catch (Exception e) { } catch (Exception e) {
logger.log(Level.SEVERE, "Error closing the database", e); logger.log(Level.SEVERE, "Error closing the database", e);
} }
} }
} catch (Exception e) {
logger.log(Level.SEVERE, "Error parsing Call logs to the Blackboard", e);
}
} }
} }

39
Core/src/org/sleuthkit/autopsy/modules/android/ContactAnalyzer.java
View File

@ -18,6 +18,7 @@
*/ */
package org.sleuthkit.autopsy.modules.android; package org.sleuthkit.autopsy.modules.android;
import java.io.File;
import java.sql.Connection; import java.sql.Connection;
import java.sql.DriverManager; import java.sql.DriverManager;
import java.sql.ResultSet; import java.sql.ResultSet;
@ -27,24 +28,19 @@ import java.util.List;
import java.util.logging.Level; import java.util.logging.Level;
import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.coreutils.Logger; import org.sleuthkit.autopsy.coreutils.Logger;
import org.sleuthkit.autopsy.datamodel.ContentUtils;
import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskCoreException;
import org.sleuthkit.autopsy.datamodel.ContentUtils;
class ContactAnalyzer { class ContactAnalyzer {
private Connection connection = null; private static final String moduleName = AndroidModuleFactory.getModuleName();
private ResultSet resultSet = null;
private Statement statement = null;
private String dbPath = "";
private long fileId = 0;
private java.io.File jFile = null;
private String moduleName= AndroidModuleFactory.getModuleName();
private static final Logger logger = Logger.getLogger(ContactAnalyzer.class.getName()); private static final Logger logger = Logger.getLogger(ContactAnalyzer.class.getName());
public void findContacts() { public static void findContacts() {
List<AbstractFile> absFiles; List<AbstractFile> absFiles;
try { try {
@ -55,11 +51,9 @@ class ContactAnalyzer {
} }
for (AbstractFile AF : absFiles) { for (AbstractFile AF : absFiles) {
try { try {
jFile = new java.io.File(Case.getCurrentCase().getTempDirectory(), AF.getName()); File jFile = new File(Case.getCurrentCase().getTempDirectory(), AF.getName());
ContentUtils.writeToFile(AF,jFile); ContentUtils.writeToFile(AF, jFile);
dbPath = jFile.toString(); //path of file as string findContactsInDB(jFile.toString(), AF);
fileId = AF.getId();
findContactsInDB(dbPath, fileId);
} catch (Exception e) { } catch (Exception e) {
logger.log(Level.SEVERE, "Error parsing Contacts", e); logger.log(Level.SEVERE, "Error parsing Contacts", e);
} }
@ -75,7 +69,11 @@ class ContactAnalyzer {
* @param fId Will create artifact from a database given by the path The * @param fId Will create artifact from a database given by the path The
* fileId will be the Abstract file associated with the artifacts * fileId will be the Abstract file associated with the artifacts
*/ */
private void findContactsInDB(String DatabasePath, long fId) { private static void findContactsInDB(String DatabasePath, AbstractFile f) {
Connection connection = null;
ResultSet resultSet = null;
Statement statement = null;
if (DatabasePath == null || DatabasePath.isEmpty()) { if (DatabasePath == null || DatabasePath.isEmpty()) {
return; return;
} }
@ -85,12 +83,9 @@ class ContactAnalyzer {
statement = connection.createStatement(); statement = connection.createStatement();
} catch (ClassNotFoundException | SQLException e) { } catch (ClassNotFoundException | SQLException e) {
logger.log(Level.SEVERE, "Error opening database", e); logger.log(Level.SEVERE, "Error opening database", e);
return;
} }
Case currentCase = Case.getCurrentCase();
SleuthkitCase skCase = currentCase.getSleuthkitCase();
try {
AbstractFile f = skCase.getAbstractFileById(fId);
try { try {
// get display_name, mimetype(email or phone number) and data1 (phonenumber or email address depending on mimetype) // get display_name, mimetype(email or phone number) and data1 (phonenumber or email address depending on mimetype)
//sorted by name, so phonenumber/email would be consecutive for a person if they exist. //sorted by name, so phonenumber/email would be consecutive for a person if they exist.
@ -130,18 +125,16 @@ class ContactAnalyzer {
logger.log(Level.SEVERE, "Error parsing Contacts to Blackboard", e); logger.log(Level.SEVERE, "Error parsing Contacts to Blackboard", e);
} finally { } finally {
try { try {
if (resultSet != null) {
resultSet.close(); resultSet.close();
}
statement.close(); statement.close();
connection.close(); connection.close();
} catch (Exception e) { } catch (Exception e) {
logger.log(Level.SEVERE, "Error closing database", e); logger.log(Level.SEVERE, "Error closing database", e);
} }
} }
} catch (Exception e) {
logger.log(Level.SEVERE, "Error parsing Contacts to Blackboard", e);
}
} }
} }

69
Core/src/org/sleuthkit/autopsy/modules/android/GoogleMapLocationAnalyzer.java
View File

@ -18,6 +18,7 @@
*/ */
package org.sleuthkit.autopsy.modules.android; package org.sleuthkit.autopsy.modules.android;
import java.io.File;
import java.sql.Connection; import java.sql.Connection;
import java.sql.DriverManager; import java.sql.DriverManager;
import java.sql.ResultSet; import java.sql.ResultSet;
@ -34,19 +35,12 @@ import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskCoreException;
class GoogleMapLocationAnalyzer { class GoogleMapLocationAnalyzer {
private Connection connection = null; private static final String moduleName = AndroidModuleFactory.getModuleName();
private ResultSet resultSet = null;
private Statement statement = null;
private String dbPath = "";
private long fileId = 0;
private java.io.File jFile = null;
private String moduleName = AndroidModuleFactory.getModuleName();
private static final Logger logger = Logger.getLogger(GoogleMapLocationAnalyzer.class.getName()); private static final Logger logger = Logger.getLogger(GoogleMapLocationAnalyzer.class.getName());
public void findGeoLocations() { public static void findGeoLocations() {
List<AbstractFile> absFiles; List<AbstractFile> absFiles;
try { try {
SleuthkitCase skCase = Case.getCurrentCase().getSleuthkitCase(); SleuthkitCase skCase = Case.getCurrentCase().getSleuthkitCase();
@ -54,13 +48,11 @@ class GoogleMapLocationAnalyzer {
if (absFiles.isEmpty()) { if (absFiles.isEmpty()) {
return; return;
} }
for (AbstractFile AF : absFiles) { for (AbstractFile abstractFile : absFiles) {
try { try {
jFile = new java.io.File(Case.getCurrentCase().getTempDirectory(), AF.getName()); File jFile = new java.io.File(Case.getCurrentCase().getTempDirectory(), abstractFile.getName());
ContentUtils.writeToFile(AF,jFile); ContentUtils.writeToFile(abstractFile, jFile);
dbPath = jFile.toString(); //path of file as string findGeoLocationsInDB(jFile.toString(), abstractFile);
fileId = AF.getId();
findGeoLocationsInDB(dbPath, fileId);
} catch (Exception e) { } catch (Exception e) {
logger.log(Level.SEVERE, "Error parsing Google map locations", e); logger.log(Level.SEVERE, "Error parsing Google map locations", e);
} }
@ -70,7 +62,11 @@ class GoogleMapLocationAnalyzer {
} }
} }
private void findGeoLocationsInDB(String DatabasePath, long fId) { private static void findGeoLocationsInDB(String DatabasePath, AbstractFile f) {
Connection connection = null;
ResultSet resultSet = null;
Statement statement = null;
if (DatabasePath == null || DatabasePath.isEmpty()) { if (DatabasePath == null || DatabasePath.isEmpty()) {
return; return;
} }
@ -80,38 +76,23 @@ class GoogleMapLocationAnalyzer {
statement = connection.createStatement(); statement = connection.createStatement();
} catch (ClassNotFoundException | SQLException e) { } catch (ClassNotFoundException | SQLException e) {
logger.log(Level.SEVERE, "Error opening database", e); logger.log(Level.SEVERE, "Error opening database", e);
return;
} }
Case currentCase = Case.getCurrentCase();
SleuthkitCase skCase = currentCase.getSleuthkitCase();
try {
AbstractFile f = skCase.getAbstractFileById(fId);
try { try {
resultSet = statement.executeQuery( resultSet = statement.executeQuery(
"Select time,dest_lat,dest_lng,dest_title,dest_address,source_lat,source_lng FROM destination_history;"); "Select time,dest_lat,dest_lng,dest_title,dest_address,source_lat,source_lng FROM destination_history;");
BlackboardArtifact bba;
while (resultSet.next()) { while (resultSet.next()) {
Long time = Long.valueOf(resultSet.getString("time")) / 1000; Long time = Long.valueOf(resultSet.getString("time")) / 1000;
String dest_lat = resultSet.getString("dest_lat");
String dest_lng = resultSet.getString("dest_lng");
String dest_title = resultSet.getString("dest_title"); String dest_title = resultSet.getString("dest_title");
String dest_address = resultSet.getString("dest_address"); String dest_address = resultSet.getString("dest_address");
String source_lat = resultSet.getString("source_lat");
String source_lng = resultSet.getString("source_lng");
//add periods 6 decimal places before the end. double dest_lat = convertGeo(resultSet.getString("dest_lat"));
if(dest_lat.length()>6) double dest_lng = convertGeo(resultSet.getString("dest_lng"));
dest_lat = dest_lat.substring(0, dest_lat.length()-6) + "." + dest_lat.substring(dest_lat.length()-6, dest_lat.length()) ; double source_lat = convertGeo(resultSet.getString("source_lat"));
if(dest_lng.length()>6) double source_lng = convertGeo(resultSet.getString("source_lng"));
dest_lng = dest_lng.substring(0, dest_lng.length()-6) + "." + dest_lng.substring(dest_lng.length()-6, dest_lng.length()) ;
if(source_lat.length()>6)
source_lat = source_lat.substring(0, source_lat.length()-6) + "." + source_lat.substring(source_lat.length()-6, source_lat.length()) ;
if(source_lng.length()>6)
source_lng = source_lng.substring(0, source_lng.length()-6) + "." + source_lng.substring(source_lng.length()-6, source_lng.length()) ;
// bba = f.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_TRACKPOINT);//src // bba = f.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_TRACKPOINT);//src
// bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY.getTypeID(), moduleName, "Source")); // bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY.getTypeID(), moduleName, "Source"));
@ -128,8 +109,7 @@ class GoogleMapLocationAnalyzer {
// bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), moduleName, dest_title)); // bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), moduleName, dest_title));
// bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_LOCATION.getTypeID(), moduleName, dest_address)); // bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_LOCATION.getTypeID(), moduleName, dest_address));
// bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), moduleName, "Google Maps History")); // bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), moduleName, "Google Maps History"));
BlackboardArtifact bba = f.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_ROUTE);
bba = f.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_ROUTE);
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY.getTypeID(), moduleName, "Destination")); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY.getTypeID(), moduleName, "Destination"));
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), moduleName, time)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), moduleName, time));
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LATITUDE_END.getTypeID(), moduleName, dest_lat)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LATITUDE_END.getTypeID(), moduleName, dest_lat));
@ -146,15 +126,22 @@ class GoogleMapLocationAnalyzer {
logger.log(Level.SEVERE, "Error parsing Google map locations to the Blackboard", e); logger.log(Level.SEVERE, "Error parsing Google map locations to the Blackboard", e);
} finally { } finally {
try { try {
if (resultSet != null) {
resultSet.close(); resultSet.close();
}
statement.close(); statement.close();
connection.close(); connection.close();
} catch (Exception e) { } catch (Exception e) {
logger.log(Level.SEVERE, "Error closing the database", e); logger.log(Level.SEVERE, "Error closing the database", e);
} }
} }
} catch (Exception e) {
logger.log(Level.SEVERE, "Error parsing Google map locations to the Blackboard", e);
} }
//add periods 6 decimal places before the end.
private static double convertGeo(String s) {
if (s.length() > 6)
return Double.valueOf(s.substring(0, s.length() - 6) + "." + s.substring(s.length() - 6, s.length()));
else
return Double.valueOf(s);
} }
} }

4
Core/src/org/sleuthkit/autopsy/modules/android/KMLFileCreator.java
View File

@ -43,7 +43,7 @@ public class KMLFileCreator {
private SleuthkitCase skCase; private SleuthkitCase skCase;
private String reportPath; private String reportPath;
public void CreateKML() { public void createKml() {
reportPath = Case.getCurrentCase().getTempDirectory() + "ReportKML.kml"; //NON-NLS reportPath = Case.getCurrentCase().getTempDirectory() + "ReportKML.kml"; //NON-NLS
String reportPath2 = Case.getCurrentCase().getTempDirectory() + "ReportKML.txt"; //NON-NLS String reportPath2 = Case.getCurrentCase().getTempDirectory() + "ReportKML.txt"; //NON-NLS
@ -127,7 +127,6 @@ public class KMLFileCreator {
/* /*
* Step 2: add in Style elements * Step 2: add in Style elements
*/ */
// Style // Style
Element style = new Element("Style", ns); //NON-NLS Element style = new Element("Style", ns); //NON-NLS
style.setAttribute("id", "redIcon"); //NON-NLS style.setAttribute("id", "redIcon"); //NON-NLS
@ -203,6 +202,5 @@ public class KMLFileCreator {
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
} }
} }
} }

70
Core/src/org/sleuthkit/autopsy/modules/android/TangoMessageAnalyzer.java
View File

@ -18,6 +18,7 @@
*/ */
package org.sleuthkit.autopsy.modules.android; package org.sleuthkit.autopsy.modules.android;
import java.io.File;
import java.sql.Connection; import java.sql.Connection;
import java.sql.DriverManager; import java.sql.DriverManager;
import java.sql.ResultSet; import java.sql.ResultSet;
@ -35,31 +36,21 @@ import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskCoreException;
class TangoMessageAnalyzer { class TangoMessageAnalyzer {
private Connection connection = null;
private ResultSet resultSet = null; private static final String moduleName = AndroidModuleFactory.getModuleName();
private Statement statement = null;
private String dbPath = "";
private long fileId = 0;
private java.io.File jFile = null;
private String moduleName= AndroidModuleFactory.getModuleName();
private static final Logger logger = Logger.getLogger(TangoMessageAnalyzer.class.getName()); private static final Logger logger = Logger.getLogger(TangoMessageAnalyzer.class.getName());
public void findTangoMessages() { public static void findTangoMessages() {
List<AbstractFile> absFiles; List<AbstractFile> absFiles;
try { try {
SleuthkitCase skCase = Case.getCurrentCase().getSleuthkitCase(); SleuthkitCase skCase = Case.getCurrentCase().getSleuthkitCase();
absFiles = skCase.findAllFilesWhere("name ='tc.db' "); //get exact file names absFiles = skCase.findAllFilesWhere("name ='tc.db' "); //get exact file names
if (absFiles.isEmpty()) { for (AbstractFile abstractFile : absFiles) {
return;
}
for (AbstractFile AF : absFiles) {
try { try {
jFile = new java.io.File(Case.getCurrentCase().getTempDirectory(), AF.getName()); File jFile = new File(Case.getCurrentCase().getTempDirectory(), abstractFile.getName());
ContentUtils.writeToFile(AF,jFile); ContentUtils.writeToFile(abstractFile, jFile);
dbPath = jFile.toString(); //path of file as string findTangoMessagesInDB(jFile.toString(), abstractFile);
fileId = AF.getId();
findTangoMessagesInDB(dbPath, fileId);
} catch (Exception e) { } catch (Exception e) {
logger.log(Level.SEVERE, "Error parsing Tango messages", e); logger.log(Level.SEVERE, "Error parsing Tango messages", e);
} }
@ -67,9 +58,13 @@ import org.sleuthkit.datamodel.TskCoreException;
} catch (TskCoreException e) { } catch (TskCoreException e) {
logger.log(Level.SEVERE, "Error finding Tango messages", e); logger.log(Level.SEVERE, "Error finding Tango messages", e);
} }
} }
private void findTangoMessagesInDB(String DatabasePath, long fId) {
private static void findTangoMessagesInDB(String DatabasePath, AbstractFile f) {
Connection connection = null;
ResultSet resultSet = null;
Statement statement = null;
if (DatabasePath == null || DatabasePath.isEmpty()) { if (DatabasePath == null || DatabasePath.isEmpty()) {
return; return;
} }
@ -79,33 +74,32 @@ import org.sleuthkit.datamodel.TskCoreException;
statement = connection.createStatement(); statement = connection.createStatement();
} catch (ClassNotFoundException | SQLException e) { } catch (ClassNotFoundException | SQLException e) {
logger.log(Level.SEVERE, "Error opening database", e); logger.log(Level.SEVERE, "Error opening database", e);
return;
} }
Case currentCase = Case.getCurrentCase();
SleuthkitCase skCase = currentCase.getSleuthkitCase();
try {
AbstractFile f = skCase.getAbstractFileById(fId);
try { try {
resultSet = statement.executeQuery( resultSet = statement.executeQuery(
"Select conv_id, create_time,direction,payload FROM messages ORDER BY create_time DESC;"); "Select conv_id, create_time,direction,payload FROM messages ORDER BY create_time DESC;");
BlackboardArtifact bba;
String conv_id; // seems to wrap around the message found in payload after decoding from base-64 String conv_id; // seems to wrap around the message found in payload after decoding from base-64
String direction; // 1 incoming, 2 outgoing String direction; // 1 incoming, 2 outgoing
String payload; // seems to be a base64 message wrapped by the conv_id String payload; // seems to be a base64 message wrapped by the conv_id
while (resultSet.next()) { while (resultSet.next()) {
conv_id = resultSet.getString("conv_id"); conv_id = resultSet.getString("conv_id");
Long create_time = Long.valueOf(resultSet.getString("create_time")) / 1000; Long create_time = Long.valueOf(resultSet.getString("create_time")) / 1000;
direction = resultSet.getString("direction"); if (resultSet.getString("direction").equals("1")) {
direction = "Incoming";
} else {
direction = "Outgoing";
}
payload = resultSet.getString("payload"); payload = resultSet.getString("payload");
bba = f.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_MESSAGE); //create a call log and then add attributes from result set. BlackboardArtifact bba = f.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_MESSAGE); //create a call log and then add attributes from result set.
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), moduleName, create_time)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), moduleName, create_time));
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DIRECTION.getTypeID(), moduleName, direction)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DIRECTION.getTypeID(), moduleName, direction));
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TEXT.getTypeID(), moduleName, decodeMessage(conv_id,payload))); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TEXT.getTypeID(), moduleName, decodeMessage(conv_id, payload)));
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MESSAGE_TYPE.getTypeID(), moduleName,"Tango Message" )); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MESSAGE_TYPE.getTypeID(), moduleName, "Tango Message"));
} }
@ -113,27 +107,25 @@ import org.sleuthkit.datamodel.TskCoreException;
logger.log(Level.SEVERE, "Error parsing Tango messages to the Blackboard", e); logger.log(Level.SEVERE, "Error parsing Tango messages to the Blackboard", e);
} finally { } finally {
try { try {
if (resultSet != null) {
resultSet.close(); resultSet.close();
}
statement.close(); statement.close();
connection.close(); connection.close();
} catch (Exception e) { } catch (Exception e) {
logger.log(Level.SEVERE, "Error closing database", e); logger.log(Level.SEVERE, "Error closing database", e);
} }
} }
} catch (Exception e) {
logger.log(Level.SEVERE, "Error parsing Tango messages to the Blackboard", e);
}
} }
//take the message string which is wrapped by a certain string, and return the text enclosed. //take the message string which is wrapped by a certain string, and return the text enclosed.
private String decodeMessage(String wrapper, String message) private static String decodeMessage(String wrapper, String message) {
{ String result = "";
String result= "";
byte[] decoded = Base64.decodeBase64(message); byte[] decoded = Base64.decodeBase64(message);
try{ try {
String Z= new String (decoded,"UTF-8"); String Z = new String(decoded, "UTF-8");
result = Z.split(wrapper)[1]; result = Z.split(wrapper)[1];
}catch(Exception e){ } catch (Exception e) {
logger.log(Level.SEVERE, "Error decoding a Tango message", e); logger.log(Level.SEVERE, "Error decoding a Tango message", e);
} }
return result; return result;

67
Core/src/org/sleuthkit/autopsy/modules/android/TextMessageAnalyzer.java
View File

@ -18,6 +18,7 @@
*/ */
package org.sleuthkit.autopsy.modules.android; package org.sleuthkit.autopsy.modules.android;
import java.io.File;
import java.sql.Connection; import java.sql.Connection;
import java.sql.DriverManager; import java.sql.DriverManager;
import java.sql.ResultSet; import java.sql.ResultSet;
@ -34,33 +35,21 @@ import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskCoreException;
class TextMessageAnalyzer {
class TextMessageAnalyzer { private static final String moduleName = AndroidModuleFactory.getModuleName();
private Connection connection = null;
private ResultSet resultSet = null;
private Statement statement = null;
private String dbPath = "";
private long fileId = 0;
private java.io.File jFile = null;
List<AbstractFile> absFiles;
private String moduleName= AndroidModuleFactory.getModuleName();
private static final Logger logger = Logger.getLogger(TextMessageAnalyzer.class.getName()); private static final Logger logger = Logger.getLogger(TextMessageAnalyzer.class.getName());
public static void findTexts() {
void findTexts() {
try { try {
SleuthkitCase skCase = Case.getCurrentCase().getSleuthkitCase(); SleuthkitCase skCase = Case.getCurrentCase().getSleuthkitCase();
absFiles = skCase.findAllFilesWhere("name ='mmssms.db'"); //get exact file name List<AbstractFile> absFiles = skCase.findAllFilesWhere("name ='mmssms.db'"); //get exact file name
if (absFiles.isEmpty()) {
return; for (AbstractFile abstractFile : absFiles) {
}
for (AbstractFile AF : absFiles) {
try { try {
jFile = new java.io.File(Case.getCurrentCase().getTempDirectory(), AF.getName()); File jFile = new File(Case.getCurrentCase().getTempDirectory(), abstractFile.getName());
ContentUtils.writeToFile(AF,jFile); ContentUtils.writeToFile(abstractFile, jFile);
dbPath = jFile.toString(); //path of file as string findTextsInDB(jFile.toString(), abstractFile);
fileId = AF.getId();
findTextsInDB(dbPath, fileId);
} catch (Exception e) { } catch (Exception e) {
logger.log(Level.SEVERE, "Error parsing text messages", e); logger.log(Level.SEVERE, "Error parsing text messages", e);
} }
@ -69,7 +58,12 @@ import org.sleuthkit.datamodel.TskCoreException;
logger.log(Level.SEVERE, "Error finding text messages", e); logger.log(Level.SEVERE, "Error finding text messages", e);
} }
} }
private void findTextsInDB(String DatabasePath, long fId) {
private static void findTextsInDB(String DatabasePath, AbstractFile f) {
Connection connection = null;
ResultSet resultSet = null;
Statement statement = null;
if (DatabasePath == null || DatabasePath.isEmpty()) { if (DatabasePath == null || DatabasePath.isEmpty()) {
return; return;
} }
@ -79,55 +73,50 @@ import org.sleuthkit.datamodel.TskCoreException;
statement = connection.createStatement(); statement = connection.createStatement();
} catch (ClassNotFoundException | SQLException e) { } catch (ClassNotFoundException | SQLException e) {
logger.log(Level.SEVERE, "Error opening database", e); logger.log(Level.SEVERE, "Error opening database", e);
return;
} }
Case currentCase = Case.getCurrentCase();
SleuthkitCase skCase = currentCase.getSleuthkitCase();
try {
AbstractFile f = skCase.getAbstractFileById(fId);
try { try {
resultSet = statement.executeQuery( resultSet = statement.executeQuery(
"Select address,date,type,subject,body FROM sms;"); "Select address,date,type,subject,body FROM sms;");
BlackboardArtifact bba;
String address; // may be phone number, or other addresses String address; // may be phone number, or other addresses
String type; // message received in inbox = 1, message sent = 2 String direction; // message received in inbox = 1, message sent = 2
String subject;//message subject String subject;//message subject
String body; //message body String body; //message body
while (resultSet.next()) { while (resultSet.next()) {
address = resultSet.getString("address"); address = resultSet.getString("address");
Long date = Long.valueOf(resultSet.getString("date")) / 1000; Long date = Long.valueOf(resultSet.getString("date")) / 1000;
type = resultSet.getString("type"); if (resultSet.getString("type").equals("1")) {
direction = "Incoming";
} else {
direction = "Outgoing";
}
subject = resultSet.getString("subject"); subject = resultSet.getString("subject");
body = resultSet.getString("body"); body = resultSet.getString("body");
bba = f.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_MESSAGE); //create Message artifact and then add attributes from result set. BlackboardArtifact bba = f.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_MESSAGE); //create Message artifact and then add attributes from result set.
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER.getTypeID(), moduleName, address)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER.getTypeID(), moduleName, address));
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), moduleName, date)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), moduleName, date));
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DIRECTION.getTypeID(), moduleName, type)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DIRECTION.getTypeID(), moduleName, direction));
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SUBJECT.getTypeID(), moduleName, subject)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SUBJECT.getTypeID(), moduleName, subject));
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TEXT.getTypeID(), moduleName, body)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TEXT.getTypeID(), moduleName, body));
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MESSAGE_TYPE.getTypeID(), moduleName,"SMS Message" )); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MESSAGE_TYPE.getTypeID(), moduleName, "SMS Message"));
} }
} catch (Exception e) { } catch (Exception e) {
logger.log(Level.SEVERE, "Error parsing text messages to Blackboard", e); logger.log(Level.SEVERE, "Error parsing text messages to Blackboard", e);
} finally { } finally {
try { try {
if (resultSet != null) {
resultSet.close(); resultSet.close();
}
statement.close(); statement.close();
connection.close(); connection.close();
} catch (Exception e) { } catch (Exception e) {
logger.log(Level.SEVERE, "Error closing database", e); logger.log(Level.SEVERE, "Error closing database", e);
} }
} }
} catch (Exception e) {
logger.log(Level.SEVERE, "Error parsing text messages to Blackboard", e);
} }
}
} }

55
Core/src/org/sleuthkit/autopsy/modules/android/WWFMessageAnalyzer.java
View File

@ -18,6 +18,7 @@
*/ */
package org.sleuthkit.autopsy.modules.android; package org.sleuthkit.autopsy.modules.android;
import java.io.File;
import java.sql.Connection; import java.sql.Connection;
import java.sql.DriverManager; import java.sql.DriverManager;
import java.sql.ResultSet; import java.sql.ResultSet;
@ -34,30 +35,23 @@ import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskCoreException;
class WWFMessageAnalyzer { class WWFMessageAnalyzer {
private Connection connection = null;
private ResultSet resultSet = null; private static final String moduleName = AndroidModuleFactory.getModuleName();
private Statement statement = null;
private String dbPath = "";
private long fileId = 0;
private java.io.File jFile = null;
private String moduleName= AndroidModuleFactory.getModuleName();
private static final Logger logger = Logger.getLogger(WWFMessageAnalyzer.class.getName()); private static final Logger logger = Logger.getLogger(WWFMessageAnalyzer.class.getName());
public void findWWFMessages() {
public static void findWWFMessages() {
List<AbstractFile> absFiles; List<AbstractFile> absFiles;
try { try {
SleuthkitCase skCase = Case.getCurrentCase().getSleuthkitCase(); SleuthkitCase skCase = Case.getCurrentCase().getSleuthkitCase();
absFiles = skCase.findAllFilesWhere("name ='WordsFramework' "); //get exact file names absFiles = skCase.findAllFilesWhere("name ='WordsFramework' "); //get exact file names
if (absFiles.isEmpty()) {
return; for (AbstractFile abstractFile : absFiles) {
}
for (AbstractFile AF : absFiles) {
try { try {
jFile = new java.io.File(Case.getCurrentCase().getTempDirectory(), AF.getName()); File jFile = new File(Case.getCurrentCase().getTempDirectory(), abstractFile.getName());
ContentUtils.writeToFile(AF,jFile); ContentUtils.writeToFile(abstractFile, jFile);
dbPath = jFile.toString(); //path of file as string
fileId = AF.getId(); findWWFMessagesInDB(jFile.toString(), abstractFile);
findWWFMessagesInDB(dbPath, fileId);
} catch (Exception e) { } catch (Exception e) {
logger.log(Level.SEVERE, "Error parsing WWF messages", e); logger.log(Level.SEVERE, "Error parsing WWF messages", e);
} }
@ -66,7 +60,12 @@ import org.sleuthkit.datamodel.TskCoreException;
logger.log(Level.SEVERE, "Error finding WWF messages", e); logger.log(Level.SEVERE, "Error finding WWF messages", e);
} }
} }
private void findWWFMessagesInDB(String DatabasePath, long fId) {
private static void findWWFMessagesInDB(String DatabasePath, AbstractFile f) {
Connection connection = null;
ResultSet resultSet = null;
Statement statement = null;
if (DatabasePath == null || DatabasePath.isEmpty()) { if (DatabasePath == null || DatabasePath.isEmpty()) {
return; return;
} }
@ -76,48 +75,42 @@ import org.sleuthkit.datamodel.TskCoreException;
statement = connection.createStatement(); statement = connection.createStatement();
} catch (ClassNotFoundException | SQLException e) { } catch (ClassNotFoundException | SQLException e) {
logger.log(Level.SEVERE, "Error opening database", e); logger.log(Level.SEVERE, "Error opening database", e);
return;
} }
Case currentCase = Case.getCurrentCase();
SleuthkitCase skCase = currentCase.getSleuthkitCase();
try {
AbstractFile f = skCase.getAbstractFileById(fId);
try { try {
resultSet = statement.executeQuery( resultSet = statement.executeQuery(
"SELECT message,created_at,user_id,game_id FROM chat_messages ORDER BY game_id DESC, created_at DESC;"); "SELECT message,created_at,user_id,game_id FROM chat_messages ORDER BY game_id DESC, created_at DESC;");
BlackboardArtifact bba;
String message; // WWF Message String message; // WWF Message
String user_id; // the ID of the user who sent the message. String user_id; // the ID of the user who sent the message.
String game_id; // ID of the game which the the message was sent. String game_id; // ID of the game which the the message was sent.
while (resultSet.next()) { while (resultSet.next()) {
message = resultSet.getString("message"); message = resultSet.getString("message");
Long created_at = Long.valueOf(resultSet.getString("created_at")) / 1000; Long created_at = Long.valueOf(resultSet.getString("created_at")) / 1000;
user_id = resultSet.getString("user_id"); user_id = resultSet.getString("user_id");
game_id = resultSet.getString("game_id"); game_id = resultSet.getString("game_id");
bba = f.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_MESSAGE); //create a call log and then add attributes from result set. BlackboardArtifact bba = f.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_MESSAGE); //create a call log and then add attributes from result set.
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), moduleName, created_at)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), moduleName, created_at));
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), moduleName, user_id)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), moduleName, user_id));
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MSG_ID.getTypeID(), moduleName, game_id)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MSG_ID.getTypeID(), moduleName, game_id));
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TEXT.getTypeID(), moduleName,message)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TEXT.getTypeID(), moduleName, message));
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MESSAGE_TYPE.getTypeID(), moduleName,"Words With Friends Message" )); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MESSAGE_TYPE.getTypeID(), moduleName, "Words With Friends Message"));
} }
} catch (Exception e) { } catch (Exception e) {
logger.log(Level.SEVERE, "Error parsing WWF messages to the Blackboard", e); logger.log(Level.SEVERE, "Error parsing WWF messages to the Blackboard", e);
} finally { } finally {
try { try {
if (resultSet != null) {
resultSet.close(); resultSet.close();
}
statement.close(); statement.close();
connection.close(); connection.close();
} catch (Exception e) { } catch (Exception e) {
logger.log(Level.SEVERE, "Error closing database", e); logger.log(Level.SEVERE, "Error closing database", e);
} }
} }
} catch (Exception e) {
logger.log(Level.SEVERE, "Error parsing WWF messages to the Blackboard", e);
}
} }
} }

10
Core/src/org/sleuthkit/autopsy/modules/iOS/CallLogAnalyzer.java
View File

@ -34,7 +34,7 @@ import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskCoreException;
class CallLogAnalyzer { class CallLogAnalyzer {
private Connection connection = null; private Connection connection = null;
private ResultSet resultSet = null; private ResultSet resultSet = null;
@ -42,7 +42,7 @@ import org.sleuthkit.datamodel.TskCoreException;
private String dbPath = ""; private String dbPath = "";
private long fileId = 0; private long fileId = 0;
private java.io.File jFile = null; private java.io.File jFile = null;
private String moduleName= iOSModuleFactory.getModuleName(); private String moduleName = iOSModuleFactory.getModuleName();
private static final Logger logger = Logger.getLogger(CallLogAnalyzer.class.getName()); private static final Logger logger = Logger.getLogger(CallLogAnalyzer.class.getName());
public void findCallLogs() { public void findCallLogs() {
@ -56,7 +56,7 @@ import org.sleuthkit.datamodel.TskCoreException;
for (AbstractFile AF : absFiles) { for (AbstractFile AF : absFiles) {
try { try {
jFile = new java.io.File(Case.getCurrentCase().getTempDirectory(), AF.getName().replaceAll("[<>%|\"/:*\\\\]", "")); jFile = new java.io.File(Case.getCurrentCase().getTempDirectory(), AF.getName().replaceAll("[<>%|\"/:*\\\\]", ""));
ContentUtils.writeToFile(AF,jFile); ContentUtils.writeToFile(AF, jFile);
dbPath = jFile.toString(); //path of file as string dbPath = jFile.toString(); //path of file as string
fileId = AF.getId(); fileId = AF.getId();
findCallLogsInDB(dbPath, fileId); findCallLogsInDB(dbPath, fileId);
@ -104,9 +104,9 @@ import org.sleuthkit.datamodel.TskCoreException;
type = resultSet.getString("type"); type = resultSet.getString("type");
bba = f.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_CALLLOG); //create a call log and then add attributes from result set. bba = f.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_CALLLOG); //create a call log and then add attributes from result set.
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER.getTypeID(),moduleName, number)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER.getTypeID(), moduleName, number));
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_START.getTypeID(), moduleName, date)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_START.getTypeID(), moduleName, date));
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_END.getTypeID(), moduleName, duration+date)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_END.getTypeID(), moduleName, duration + date));
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DIRECTION.getTypeID(), moduleName, type)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DIRECTION.getTypeID(), moduleName, type));
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), moduleName, name)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), moduleName, name));

11
Core/src/org/sleuthkit/autopsy/modules/iOS/ContactAnalyzer.java
View File

@ -39,6 +39,7 @@ import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskCoreException;
import org.sleuthkit.autopsy.datamodel.ContentUtils; import org.sleuthkit.autopsy.datamodel.ContentUtils;
import org.sleuthkit.datamodel.ReadContentInputStream; import org.sleuthkit.datamodel.ReadContentInputStream;
class ContactAnalyzer { class ContactAnalyzer {
private Connection connection = null; private Connection connection = null;
@ -47,7 +48,7 @@ class ContactAnalyzer {
private String dbPath = ""; private String dbPath = "";
private long fileId = 0; private long fileId = 0;
private java.io.File jFile = null; private java.io.File jFile = null;
private String moduleName= iOSModuleFactory.getModuleName(); private String moduleName = iOSModuleFactory.getModuleName();
private static final Logger logger = Logger.getLogger(ContactAnalyzer.class.getName()); private static final Logger logger = Logger.getLogger(ContactAnalyzer.class.getName());
public void findContacts() { public void findContacts() {
@ -63,7 +64,7 @@ class ContactAnalyzer {
try { try {
jFile = new java.io.File(Case.getCurrentCase().getTempDirectory(), AF.getName().replaceAll("[<>%|\"/:*\\\\]", "")); jFile = new java.io.File(Case.getCurrentCase().getTempDirectory(), AF.getName().replaceAll("[<>%|\"/:*\\\\]", ""));
//jFile = new java.io.File(Case.getCurrentCase().getTempDirectory(), i+".txt"); //jFile = new java.io.File(Case.getCurrentCase().getTempDirectory(), i+".txt");
ContentUtils.writeToFile(AF,jFile); ContentUtils.writeToFile(AF, jFile);
//copyFileUsingStreams(AF,jFile); //copyFileUsingStreams(AF,jFile);
//copyFileUsingStream(AF,jFile); //copyFileUsingStream(AF,jFile);
dbPath = jFile.toString(); //path of file as string dbPath = jFile.toString(); //path of file as string
@ -170,9 +171,10 @@ class ContactAnalyzer {
os.close(); os.close();
} }
} }
public static void copyFileUsingStreams(AbstractFile file, File jFile) { public static void copyFileUsingStreams(AbstractFile file, File jFile) {
InputStream istream; InputStream istream;
OutputStream ostream=null; OutputStream ostream = null;
int c; int c;
final int EOF = -1; final int EOF = -1;
istream = new ReadContentInputStream(file); istream = new ReadContentInputStream(file);
@ -180,8 +182,9 @@ class ContactAnalyzer {
// System.out.println("Type characters to write in File Press Ctrl+z to end "); // System.out.println("Type characters to write in File Press Ctrl+z to end ");
try { try {
ostream = new FileOutputStream(jFile); ostream = new FileOutputStream(jFile);
while ((c = istream.read()) != EOF) while ((c = istream.read()) != EOF) {
ostream.write(c); ostream.write(c);
}
} catch (IOException e) { } catch (IOException e) {
System.out.println("Error: " + e.getMessage()); System.out.println("Error: " + e.getMessage());
} finally { } finally {

13
Core/src/org/sleuthkit/autopsy/modules/iOS/TextMessageAnalyzer.java
View File

@ -34,8 +34,8 @@ import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskCoreException;
class TextMessageAnalyzer {
class TextMessageAnalyzer {
private Connection connection = null; private Connection connection = null;
private ResultSet resultSet = null; private ResultSet resultSet = null;
private Statement statement = null; private Statement statement = null;
@ -43,10 +43,9 @@ import org.sleuthkit.datamodel.TskCoreException;
private long fileId = 0; private long fileId = 0;
private java.io.File jFile = null; private java.io.File jFile = null;
List<AbstractFile> absFiles; List<AbstractFile> absFiles;
private String moduleName= iOSModuleFactory.getModuleName(); private String moduleName = iOSModuleFactory.getModuleName();
private static final Logger logger = Logger.getLogger(TextMessageAnalyzer.class.getName()); private static final Logger logger = Logger.getLogger(TextMessageAnalyzer.class.getName());
void findTexts() { void findTexts() {
try { try {
SleuthkitCase skCase = Case.getCurrentCase().getSleuthkitCase(); SleuthkitCase skCase = Case.getCurrentCase().getSleuthkitCase();
@ -56,8 +55,8 @@ import org.sleuthkit.datamodel.TskCoreException;
} }
for (AbstractFile AF : absFiles) { for (AbstractFile AF : absFiles) {
try { try {
jFile = new java.io.File(Case.getCurrentCase().getTempDirectory(),AF.getName().replaceAll("[<>%|\"/:*\\\\]", "")); jFile = new java.io.File(Case.getCurrentCase().getTempDirectory(), AF.getName().replaceAll("[<>%|\"/:*\\\\]", ""));
ContentUtils.writeToFile(AF,jFile); ContentUtils.writeToFile(AF, jFile);
dbPath = jFile.toString(); //path of file as string dbPath = jFile.toString(); //path of file as string
fileId = AF.getId(); fileId = AF.getId();
findTextsInDB(dbPath, fileId); findTextsInDB(dbPath, fileId);
@ -69,6 +68,7 @@ import org.sleuthkit.datamodel.TskCoreException;
logger.log(Level.SEVERE, "Error finding text messages", e); logger.log(Level.SEVERE, "Error finding text messages", e);
} }
} }
private void findTextsInDB(String DatabasePath, long fId) { private void findTextsInDB(String DatabasePath, long fId) {
if (DatabasePath == null || DatabasePath.isEmpty()) { if (DatabasePath == null || DatabasePath.isEmpty()) {
return; return;
@ -108,7 +108,7 @@ import org.sleuthkit.datamodel.TskCoreException;
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DIRECTION.getTypeID(), moduleName, type)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DIRECTION.getTypeID(), moduleName, type));
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SUBJECT.getTypeID(), moduleName, subject)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SUBJECT.getTypeID(), moduleName, subject));
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TEXT.getTypeID(), moduleName, body)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TEXT.getTypeID(), moduleName, body));
bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MESSAGE_TYPE.getTypeID(), moduleName,"SMS Message" )); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MESSAGE_TYPE.getTypeID(), moduleName, "SMS Message"));
} }
@ -129,5 +129,4 @@ import org.sleuthkit.datamodel.TskCoreException;
} }
} }

3
Core/src/org/sleuthkit/autopsy/modules/iOS/iOSIngestModule.java
View File

@ -43,11 +43,8 @@ class iOSIngestModule implements DataSourceIngestModule {
@Override @Override
public IngestModule.ProcessResult process(Content dataSource, DataSourceIngestModuleProgress progressBar) { public IngestModule.ProcessResult process(Content dataSource, DataSourceIngestModuleProgress progressBar) {
ContactAnalyzer FindContacts = new ContactAnalyzer(); ContactAnalyzer FindContacts = new ContactAnalyzer();
FindContacts.findContacts(); FindContacts.findContacts();
return IngestModule.ProcessResult.OK; return IngestModule.ProcessResult.OK;
} }
} }

2
Core/src/org/sleuthkit/autopsy/modules/iOS/iOSModuleFactory.java
View File

@ -26,7 +26,7 @@ import org.sleuthkit.autopsy.ingest.IngestModuleFactoryAdapter;
import org.sleuthkit.autopsy.ingest.IngestModuleIngestJobSettings; import org.sleuthkit.autopsy.ingest.IngestModuleIngestJobSettings;
@ServiceProvider(service = IngestModuleFactory.class) // //@ServiceProvider(service = IngestModuleFactory.class) //
public class iOSModuleFactory extends IngestModuleFactoryAdapter { public class iOSModuleFactory extends IngestModuleFactoryAdapter {
private static final String VERSION_NUMBER = "1.0.0"; private static final String VERSION_NUMBER = "1.0.0";

52
Core/src/org/sleuthkit/autopsy/report/ReportKML.java
View File

@ -145,8 +145,60 @@ class ReportKML implements GeneralReportModule {
// lat lon path name // lat lon path name
} }
} }
for (BlackboardArtifact artifact : skCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_TRACKPOINT)) {
lat = 0;
lon = 0;
for (BlackboardAttribute attribute : artifact.getAttributes()) {
if (attribute.getAttributeTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LATITUDE.getTypeID()) //latitude
{
lat = attribute.getValueDouble();
}
if (attribute.getAttributeTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LONGITUDE.getTypeID()) //longitude
{
lon = attribute.getValueDouble();
}
}
if (lon != 0 && lat != 0) {
out.write(lat + ";" + lon + "\n");
}
}
for (BlackboardArtifact artifact : skCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_ROUTE)) {
lat = 0;
lon = 0;
double destlat = 0;
double destlon = 0;
String name = "";
for (BlackboardAttribute attribute : artifact.getAttributes()) {
if (attribute.getAttributeTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LATITUDE_START.getTypeID()) //latitude
{
lat = attribute.getValueDouble();
} else if (attribute.getAttributeTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LATITUDE_END.getTypeID()) //longitude
{
destlat = attribute.getValueDouble();
} else if (attribute.getAttributeTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LONGITUDE_START.getTypeID()) //longitude
{
lon = attribute.getValueDouble();
} else if (attribute.getAttributeTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LONGITUDE_END.getTypeID()) //longitude
{
destlon = attribute.getValueDouble();
} else if (attribute.getAttributeTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME.getTypeID()) //longitude
{
name = attribute.getValueString();
}
}
if (lon != 0 && lat != 0) {
out.write(lat + ";" + lon + ";;" + name + "\n");
}
if (destlat != 0 && destlon != 0) {
out.write(destlat + ";" + destlon + ";;" + name + "\n");
}
}
out.flush(); out.flush();
out.close(); out.close();
progressPanel.increment(); progressPanel.increment();
/* /*
* Step 1: generate XML stub * Step 1: generate XML stub