mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-06 21:00:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

updates to registry example

Browse Source
This commit is contained in:
Greg DiCristofaro 2021-07-21 09:35:26 -04:00
parent ad9b499fee
commit 4e69e4c471
1 changed files with 30 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
pythonExamples/Registry_Example.py
View File

@ -45,12 +45,13 @@ from java.lang import Class
from java.lang import System from java.lang import System
from java.sql import DriverManager, SQLException from java.sql import DriverManager, SQLException
from java.util.logging import Level from java.util.logging import Level
from java.util import ArrayList from java.util import Arrays
from org.sleuthkit.datamodel import SleuthkitCase from org.sleuthkit.datamodel import SleuthkitCase
from org.sleuthkit.datamodel import AbstractFile from org.sleuthkit.datamodel import AbstractFile
from org.sleuthkit.datamodel import ReadContentInputStream from org.sleuthkit.datamodel import ReadContentInputStream
from org.sleuthkit.datamodel import BlackboardArtifact from org.sleuthkit.datamodel import BlackboardArtifact
from org.sleuthkit.datamodel import BlackboardAttribute from org.sleuthkit.datamodel import BlackboardAttribute
from org.sleuthkit.datamodel import Blackboard
from org.sleuthkit.datamodel import TskData from org.sleuthkit.datamodel import TskData
from org.sleuthkit.autopsy.ingest import IngestModule from org.sleuthkit.autopsy.ingest import IngestModule
from org.sleuthkit.autopsy.ingest.IngestModule import IngestModuleException from org.sleuthkit.autopsy.ingest.IngestModule import IngestModuleException
@ -130,12 +131,13 @@ class RegistryExampleIngestModule(DataSourceIngestModule):
tempDir = os.path.join(Case.getCurrentCase().getTempDirectory(), "RegistryExample") tempDir = os.path.join(Case.getCurrentCase().getTempDirectory(), "RegistryExample")
self.log(Level.INFO, "create Directory " + tempDir) self.log(Level.INFO, "create Directory " + tempDir)
try: try:
os.mkdir(tempDir) os.mkdir(tempDir)
except: except:
self.log(Level.INFO, "ExampleRegistry Directory already exists " + tempDir) self.log(Level.INFO, "ExampleRegistry Directory already exists " + tempDir)
# Set the database to be read to the once created by the prefetch parser program # Set the database to be read to the once created by the prefetch parser program
skCase = Case.getCurrentCase().getSleuthkitCase(); skCase = Case.getCurrentCase().getSleuthkitCase()
blackboard = Case.getCurrentCase().getSleuthkitCase().getBlackboard()
fileManager = Case.getCurrentCase().getServices().getFileManager() fileManager = Case.getCurrentCase().getServices().getFileManager()
# Look for files to process # Look for files to process
@ -170,12 +172,12 @@ class RegistryExampleIngestModule(DataSourceIngestModule):
# Setup Artifact and Attributes # Setup Artifact and Attributes
try: artType = skCase.getArtifactType("TSK_REGISTRY_RUN_KEYS")
artID = skCase.addArtifactType( "TSK_REGISTRY_RUN_KEYS", "Registry Run Keys") if not artType:
except: try:
self.log(Level.INFO, "Artifacts Creation Error, some artifacts may not exist now. ==> ") artType = skCase.addBlackboardArtifactType( "TSK_REGISTRY_RUN_KEYS", "Registry Run Keys")
except:
artId = skCase.getArtifactTypeID("TSK_REGISTRY_RUN_KEYS") self.log(Level.WARNING, "Artifacts Creation Error, some artifacts may not exist now. ==> ")
try: try:
attributeIdRunKeyName = skCase.addArtifactAttributeType("TSK_REG_RUN_KEY_NAME", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Run Key Name") attributeIdRunKeyName = skCase.addArtifactAttributeType("TSK_REG_RUN_KEY_NAME", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Run Key Name")
@ -198,25 +200,24 @@ class RegistryExampleIngestModule(DataSourceIngestModule):
# RefistryKeysFound is a list that contains a list with the following records abstractFile, Registry Key Location, Key Name, Key value # RefistryKeysFound is a list that contains a list with the following records abstractFile, Registry Key Location, Key Name, Key value
for registryKey in self.registryKeysFound: for registryKey in self.registryKeysFound:
attributes = ArrayList() self.log(Level.INFO, "Creating artifact for registry key with path: " + registryKey[1] + " and key: " + registryKey[2])
art = registryKey[0].newArtifact(artId) art = registryKey[0].newDataArtifact(artType, Arrays.asList(
BlackboardAttribute(attributeIdRegKeyLoc, moduleName, registryKey[1]),
attributes.add(BlackboardAttribute(attributeIdRegKeyLoc, moduleName, registryKey[1])) BlackboardAttribute(attributeIdRunKeyName, moduleName, registryKey[2]),
attributes.add(BlackboardAttribute(attributeIdRunKeyName, moduleName, registryKey[2])) BlackboardAttribute(attributeIdRunKeyValue, moduleName, registryKey[3])
attributes.add(BlackboardAttribute(attributeIdRunKeyValue, moduleName, registryKey[3])) ))
art.addAttributes(attributes)
# index the artifact for keyword search # index the artifact for keyword search
try: try:
blackboard.indexArtifact(art) blackboard.postArtifact(art, moduleName)
except: except Blackboard.BlackboardException as ex:
self._logger.log(Level.WARNING, "Error indexing artifact " + art.getDisplayName()) self.log(Level.SEVERE, "Unable to index blackboard artifact " + str(art.getArtifactTypeName()), ex)
#Clean up registryExample directory and files #Clean up registryExample directory and files
try: try:
shutil.rmtree(tempDir) shutil.rmtree(tempDir)
except: except:
self.log(Level.INFO, "removal of directory tree failed " + tempDir) self.log(Level.INFO, "removal of directory tree failed " + tempDir)
# After all databases, post a message to the ingest messages in box. # After all databases, post a message to the ingest messages in box.
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
@ -236,7 +237,7 @@ class RegistryExampleIngestModule(DataSourceIngestModule):
softwareRegFile = RegistryHiveFile(File(softwareHive)) softwareRegFile = RegistryHiveFile(File(softwareHive))
for runKey in self.registrySoftwareRunKeys: for runKey in self.registrySoftwareRunKeys:
currentKey = self.findRegistryKey(softwareRegFile, runKey) currentKey = self.findRegistryKey(softwareRegFile, runKey)
if len(currentKey.getValueList()) > 0: if currentKey and len(currentKey.getValueList()) > 0:
skValues = currentKey.getValueList() skValues = currentKey.getValueList()
for skValue in skValues: for skValue in skValues:
regKey = [] regKey = []
@ -255,7 +256,7 @@ class RegistryExampleIngestModule(DataSourceIngestModule):
ntuserRegFile = RegistryHiveFile(File(ntuserHive)) ntuserRegFile = RegistryHiveFile(File(ntuserHive))
for runKey in self.registryNTUserRunKeys: for runKey in self.registryNTUserRunKeys:
currentKey = self.findRegistryKey(ntuserRegFile, runKey) currentKey = self.findRegistryKey(ntuserRegFile, runKey)
if len(currentKey.getValueList()) > 0: if currentKey and len(currentKey.getValueList()) > 0:
skValues = currentKey.getValueList() skValues = currentKey.getValueList()
for skValue in skValues: for skValue in skValues:
regKey = [] regKey = []
@ -276,9 +277,10 @@ class RegistryExampleIngestModule(DataSourceIngestModule):
for key in regKeyList: for key in regKeyList:
currentKey = currentKey.getSubkey(key) currentKey = currentKey.getSubkey(key)
return currentKey return currentKey
except: except Exception as ex:
# Key not found # Key not found
return null self.log(Level.SEVERE, "registry key parsing issue:", ex)
return None