diff --git a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java index dc2ccc296c..add8763e2e 100644 --- a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java +++ b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java @@ -384,16 +384,23 @@ class VolatilityProcessor { return ""; filePath = filePath.trim(); - - // strip C: and \??\C: - if (filePath.contains(":")) { - filePath = filePath.substring(filePath.indexOf(":") + 1); - } - // change slash direction filePath = filePath.replaceAll("\\\\", "/"); filePath = filePath.toLowerCase(); + // \??\c:\windows ... + if ((filePath.length() > 4) && (filePath.startsWith("/??/"))) { + filePath = filePath.substring(4); + } + + // strip C: + if (filePath.contains(":")) { + int index = filePath.indexOf(":"); + if (index+1 < filePath.length()) + filePath = filePath.substring(index + 1); + } + + filePath = filePath.replaceAll("/systemroot/", "/windows/"); // catches 1 type of file in cmdline filePath = filePath.replaceAll("%systemroot%", "/windows/"); @@ -402,7 +409,9 @@ class VolatilityProcessor { // example: \Device\clfs\Device\HarddiskVolume2\Users\joe\AppData\Local\Microsoft\Windows\UsrClass.dat{e15d4b01-1598-11e8-93e6-080027b5e733}.TM if (filePath.contains("/harddiskvolume")) { // 16 advances beyond harddiskvolume and the number - filePath = filePath.substring(filePath.indexOf("/harddiskvolume") + 16); + int index = filePath.indexOf("/harddiskvolume"); + if (index+16 < filePath.length()) + filePath = filePath.substring(index + 16); } // no point returning these. We won't map to them @@ -456,35 +465,13 @@ class VolatilityProcessor { try (BufferedReader br = new BufferedReader(new FileReader(pluginFile))) { String line; while ((line = br.readLine()) != null) { - - String TAG = "Command line : "; - if (line.startsWith(TAG)) { - - if(line.length() > TAG.length()) { - String file_path; - - // Command line : "C:\Program Files\VMware\VMware Tools\vmacthlp.exe" - // grab whats inbetween the quotes - if (line.charAt(TAG.length()) == '\"') { - file_path = line.substring(TAG.length() + 1); - if (file_path.contains("\"")) { - file_path = file_path.substring(0, file_path.indexOf("\"")); - } - } - // Command line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 - // grab everything before the next space - we don't want arguments - else { - file_path = line.substring(TAG.length()); - if (file_path.contains(" ")) { - file_path = file_path.substring(0, file_path.indexOf(" ")); - } - } - fileSet.add(normalizePath(file_path)); - } - } + + // we skip the Command Line entries because that data + // is also in the 0x lines (and is more likely to have a full path there. + // 0x4a680000 0x5000 0xffff \??\C:\WINDOWS\system32\csrss.exe // 0x7c900000 0xb2000 0xffff C:\WINDOWS\system32\ntdll.dll - else if (line.startsWith("0x") && line.length() > 33) { + if (line.startsWith("0x") && line.length() > 33) { // These lines do not have arguments String file_path = line.substring(33); fileSet.add(normalizePath(file_path)); @@ -506,8 +493,9 @@ class VolatilityProcessor { // read the first line from the text file while ((line = br.readLine()) != null) { try { - String file_path; - file_path = line.substring(41); + if (line.length() < 41) + continue; + String file_path = line.substring(41); fileSet.add(normalizePath(file_path)); } catch (StringIndexOutOfBoundsException ex) { // TO DO Catch exception @@ -530,7 +518,7 @@ class VolatilityProcessor { while ((line = br.readLine()) != null) { if (line.length() > 16) { String TAG = "Command line : "; - if (line.startsWith(TAG)) { + if ((line.startsWith(TAG)) && line.length() > TAG.length() + 1) { String file_path; // Command line : "C:\Program Files\VMware\VMware Tools\vmacthlp.exe" @@ -603,6 +591,8 @@ class VolatilityProcessor { // 0x000000000969a020 notepad.exe 3604 3300 0x16d40340 2018-01-12 14:41:16 UTC+0000 if (line.startsWith("0x") == false) continue; + if (line.length() < 37) + continue; String file_path = line.substring(19, 37); file_path = normalizePath(file_path); @@ -631,8 +621,9 @@ class VolatilityProcessor { continue; // 0x89cfb998 csrss.exe 704 640 14 532 0 0 2017-12-07 14:05:34 UTC+0000 - String file_path; - file_path = line.substring(10, 34); + if (line.length() < 34) + continue; + String file_path = line.substring(10, 34); file_path = normalizePath(file_path); // ignore system, it's not really a path @@ -661,6 +652,8 @@ class VolatilityProcessor { // 0x09adf980 svchost.exe 1368 True True False True True True True if (line.startsWith("0x") == false) continue; + if (line.length() < 34) + continue; String file_path = line.substring(11, 34); file_path = normalizePath(file_path); @@ -686,10 +679,12 @@ class VolatilityProcessor { // read the first line from the text file while ((line = br.readLine()) != null) { // ... 0x897e5020:services.exe 772 728 15 287 2017-12-07 14:05:35 UTC+000 - String file_path; String TAG = ":"; if (line.contains(TAG)) { - file_path = line.substring(line.indexOf(":") + 1, 52); + int index = line.indexOf(TAG); + if (line.length() < 52 || index + 1 >= 52) + continue; + String file_path = line.substring(line.indexOf(TAG) + 1, 52); file_path = normalizePath(file_path); // ignore system, it's not really a path @@ -716,7 +711,7 @@ class VolatilityProcessor { while ((line = br.readLine()) != null) { String file_path; String TAG = "Binary Path: "; - if (line.startsWith(TAG)) { + if (line.startsWith(TAG) && line.length() > TAG.length()+1) { if (line.charAt(TAG.length()) == '\"') { file_path = line.substring(TAG.length()+1); if (file_path.contains("\"")) {