From 4f8e42df436e7f159d6f4b3ba5dc92a9e66b82a7 Mon Sep 17 00:00:00 2001
From: Richard Cordovano
Date: Thu, 21 Oct 2021 15:44:07 -0400
Subject: [PATCH] 7673 Add ingest job IDs to artifact posts
---
 .../autopsy/recentactivity/Bundle.properties | 2 +-
 .../recentactivity/Bundle.properties-MERGED | 4 +-
 .../recentactivity/ExtractRecycleBin.java | 8 +-
 .../recentactivity/ExtractRegistry.java | 247 +++++++++---------
 4 files changed, 128 insertions(+), 133 deletions(-)
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties
index 27440f0cdf..f04eef01f6 100644
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties
@@ -35,7 +35,7 @@ ExtractIE.getHistory.errMsg.errProcHist={0}: Error processing Internet Explorer
 ExtractIE.parsePascoOutput.errMsg.notFound={0}: Pasco output not found: {1}
 ExtractIE.parsePascoOutput.errMsg.errParsing={0}: Error parsing IE history entry {1}
 ExtractIE.parsePascoOutput.errMsg.errParsingEntry={0}: Error parsing Internet Explorer History entry.
-ExtractRegistry.moduleName.text=Registry
+ExtractRegistry.moduleName.text=Registry Analyzer
 ExtractRegistry.findRegFiles.errMsg.errReadingFile=Error fetching registry file: {0}
 ExtractRegistry.analyzeRegFiles.errMsg.errWritingTemp={0}: Error analyzing registry file {1}
 ExtractRegistry.analyzeRegFiles.failedParsingResults={0}: Failed parsing registry file results {1}
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED
index 3691d7d683..16e6c88dc9 100755
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED
@@ -9,7 +9,6 @@ ChromeCacheExtractor.progressMsg={0}: Extracting cache entry {1} of {2} entries
 DataSourceUsage_AndroidMedia=Android Media Card
 DataSourceUsage_DJU_Drone_DAT=DJI Internal SD Card
 DataSourceUsage_FlashDrive=Flash Drive
-# {0} - OS name
 DataSourceUsageAnalyzer.customVolume.label=OS Drive ({0})
 DataSourceUsageAnalyzer.displayName=Data Source Usage Analyzer
 DataSourceUsageAnalyzer.parentModuleName=Recent Activity
@@ -56,10 +55,9 @@ ExtractOs.windowsVolume.label=OS Drive (Windows)
 ExtractOs.yellowDogLinuxOs.label=Linux (Yellow Dog)
 ExtractOs.yellowDogLinuxVolume.label=OS Drive (Linux Yellow Dog)
 ExtractOS_progressMessage=Checking for OS
-# {0} - sub module name
 ExtractPrefetch_errMsg_prefetchParsingFailed={0}: Error analyzing prefetch files
 ExtractPrefetch_module_name=Windows Prefetch Extractor
-ExtractRecycleBin_module_name=Recycle Bin
+ExtractRecycleBin_module_name=Recycle Bin Analyzer
 ExtractRecycleBin_Recyle_Bin_Display_Name=Recycle Bin
 ExtractSafari_Error_Getting_History=An error occurred while processing Safari history files.
 ExtractSafari_Error_Parsing_Bookmark=An error occured while processing Safari Bookmark files
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRecycleBin.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRecycleBin.java
index 0186a5d804..b9f0b768ee 100755
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRecycleBin.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRecycleBin.java
@@ -2,7 +2,7 @@
  *
  * Autopsy Forensic Browser
  *
- * Copyright 2019 Basis Technology Corp.
+ * Copyright 2019-2021 Basis Technology Corp.
  *
  * Copyright 2012 42six Solutions.
  * Contact: aebadirad 42six com
@@ -79,7 +79,7 @@ final class ExtractRecycleBin extends Extract { private static final int V2_FILE_NAME_OFFSET = 28; @Messages({ - "ExtractRecycleBin_module_name=Recycle Bin" + "ExtractRecycleBin_module_name=Recycle Bin Analyzer" }) ExtractRecycleBin(IngestJobContext context) { super(Bundle.ExtractRecycleBin_module_name(), context); @@ -136,10 +136,10 @@ final class ExtractRecycleBin extends Extract { return; // No need to continue } - String tempRARecycleBinPath = RAImageIngestModule.getRATempPath(Case.getCurrentCase(), "recyclebin", getIngestJobContext().getJobId()); //NON-NLS + IngestJobContext context = getIngestJobContext(); + String tempRARecycleBinPath = RAImageIngestModule.getRATempPath(Case.getCurrentCase(), "recyclebin", context.getJobId()); //NON-NLS // cycle through the $I files and process each. - IngestJobContext context = getIngestJobContext(); for (AbstractFile iFile : iFiles) { if (context.dataSourceIngestIsCancelled()) { diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java index 4f237d0c33..d52424703f 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java @@ -61,7 +61,6 @@ import java.util.AbstractMap; import java.util.ArrayList; import java.util.List; import java.util.Collection; -import java.util.Collections; import java.util.Date; import java.util.HashMap; import java.util.Map; 
@@ -92,7 +91,6 @@ import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAM import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH; import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_HOME_DIR; import org.sleuthkit.datamodel.Content; -import org.sleuthkit.datamodel.DataArtifact; import org.sleuthkit.datamodel.DataSource; import org.sleuthkit.datamodel.Host; import org.sleuthkit.datamodel.HostManager; @@ -181,23 +179,23 @@ class ExtractRegistry extends Extract { private String compName = ""; private String domainName = ""; - + private static final String SHELLBAG_ARTIFACT_NAME = "RA_SHELL_BAG"; //NON-NLS private static final String SHELLBAG_ATTRIBUTE_LAST_WRITE = "RA_SHELL_BAG_LAST_WRITE"; //NON-NLS private static final String SHELLBAG_ATTRIBUTE_KEY = "RA_SHELL_BAG_KEY"; //NON-NLS - + private static final SimpleDateFormat REG_RIPPER_TIME_FORMAT = new SimpleDateFormat("EEE MMM dd HH:mm:ss yyyy 'Z'", US); - + private BlackboardArtifact.Type shellBagArtifactType = null; private BlackboardAttribute.Type shellBagKeyAttributeType = null; private BlackboardAttribute.Type shellBagLastWriteAttributeType = null; - + static { REG_RIPPER_TIME_FORMAT.setTimeZone(getTimeZone("GMT")); } ExtractRegistry(IngestJobContext context) throws IngestModuleException { - super(NbBundle.getMessage(ExtractIE.class, "ExtractRegistry.moduleName.text"), context); + super(NbBundle.getMessage(ExtractRegistry.class, "ExtractRegistry.moduleName.text"), context); final File rrRoot = InstalledFileLocator.getDefault().locate("rr", ExtractRegistry.class.getPackage().getName(), false); //NON-NLS if (rrRoot == null) { @@ -298,6 +296,7 @@ class ExtractRegistry extends Extract { /** * Identifies registry files in the database by mtimeItem, runs regripper on * them, and parses the output. + * * @param ingestJobId The ingest job id. */ private void analyzeRegistryFiles(long ingestJobId) { 
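Review bot: `REG_RIPPER_TIME_FORMAT` in the -181 hunk is a `static final SimpleDateFormat` shared by every ExtractRegistry instance, and `SimpleDateFormat` is not thread-safe, so if two ingest jobs run registry analysis at the same time a parse through it can return corrupted timestamps. Either make it an immutable `DateTimeFormatter` or build the format per call, as `updateOsAccount` already does further down with the identical pattern. Whether the static instance is actually used for parsing is not visible in this diff. The class body continues outside the hunk.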
@@ -316,7 +315,7 @@ class ExtractRegistry extends Extract { if (context.dataSourceIngestIsCancelled()) { return; } - + String regFileName = regFile.getName(); long regFileId = regFile.getId(); String regFileNameLocal = RAImageIngestModule.getRATempPath(currentCase, "reg", ingestJobId) + File.separator + regFileName; @@ -364,7 +363,7 @@ class ExtractRegistry extends Extract { NbBundle.getMessage(this.getClass(), "ExtractRegistry.analyzeRegFiles.failedParsingResults", this.getDisplayName(), regFileName)); } - + if (context.dataSourceIngestIsCancelled()) { return; } @@ -375,7 +374,7 @@ class ExtractRegistry extends Extract { if (regFileNameLocal.toLowerCase().contains("sam") && parseSamPluginOutput(regOutputFiles.fullPlugins, regFile, ingestJobId) == false) { this.addErrorMessage( NbBundle.getMessage(this.getClass(), "ExtractRegistry.analyzeRegFiles.failedParsingResults", - this.getDisplayName(), regFileName)); + this.getDisplayName(), regFileName)); } else if (regFileNameLocal.toLowerCase().contains("ntuser") || regFileNameLocal.toLowerCase().contains("usrclass")) { try { List shellbags = ShellBagParser.parseShellbagOutput(regOutputFiles.fullPlugins); @@ -389,11 +388,11 @@ class ExtractRegistry extends Extract { NbBundle.getMessage(this.getClass(), "ExtractRegistry.analyzeRegFiles.failedParsingResults", this.getDisplayName(), regFileName)); } - + if (context.dataSourceIngestIsCancelled()) { return; } - + try { Report report = currentCase.addReport(regOutputFiles.fullPlugins, NbBundle.getMessage(this.getClass(), "ExtractRegistry.parentModuleName.noSpace"), @@ -531,6 +530,7 @@ class ExtractRegistry extends Extract { * @return */ private boolean parseAutopsyPluginOutput(String regFilePath, AbstractFile regFile) { + IngestJobContext context = getIngestJobContext(); FileInputStream fstream = null; List newArtifacts = new ArrayList<>(); try { 
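Review bot: In the -375 hunk the SAM/NTUSER routing tests `regFileNameLocal`, which the -316 hunk builds as the RA temp path plus the file name, so `contains("sam")` is evaluated against the whole case directory path: a case path containing "sam" (a user named Samantha, say) would send every hive through `parseSamPluginOutput` and, because of the `else if`, skip the NTUSER/USRCLASS shellbag parsing entirely. Match on the hive name instead, `regFileName.toLowerCase(Locale.ROOT).contains("sam")`, and do the same for the ntuser/usrclass checks; `Locale.ROOT` also keeps the lowercasing independent of the host locale (add `import java.util.Locale;` if only `US` is statically imported). The enclosing analyzeRegistryFiles starts and ends outside these hunks.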
@@ -556,7 +556,7 @@ class ExtractRegistry extends Extract { int len = children.getLength(); for (int i = 0; i < len; i++) { - if (getIngestJobContext().dataSourceIngestIsCancelled()) { + if (context.dataSourceIngestIsCancelled()) { return false; } @@ -636,7 +636,7 @@ class ExtractRegistry extends Extract { case "InstallDate": //NON-NLS if (value != null && !value.isEmpty()) { try { - installtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyyZ", US).parse(value+"+0000").getTime(); + installtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyyZ", US).parse(value + "+0000").getTime(); String Tempdate = installtime.toString(); installtime = Long.valueOf(Tempdate) / MS_IN_SEC; } catch (ParseException e) { @@ -747,14 +747,14 @@ class ExtractRegistry extends Extract { } else { results.get(0).addAttributes(bbattributes); } - for (Map.Entry userMap : getUserNameMap().entrySet()) { + for (Map.Entry userMap : getUserNameMap().entrySet()) { String sid = ""; - try{ + try { sid = userMap.getKey(); String userName = userMap.getValue(); // Accounts in the SAM are all local accounts createOrUpdateOsAccount(regFile, sid, userName, null, null, OsAccountRealm.RealmScope.LOCAL); - } catch(TskCoreException | TskDataException | NotUserSIDException ex) { + } catch (TskCoreException | TskDataException | NotUserSIDException ex) { logger.log(Level.WARNING, String.format("Failed to update Domain for existing OsAccount: %s, sid: %s", regFile.getId(), sid), ex); } } @@ -784,7 +784,7 @@ class ExtractRegistry extends Extract { case "usb": //NON-NLS try { Long usbMtime = Long.parseLong(artnode.getAttribute("mtime")); //NON-NLS - usbMtime = Long.valueOf(usbMtime.toString()); + usbMtime = Long.valueOf(usbMtime.toString()); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, parentModuleName, usbMtime)); String dev = artnode.getAttribute("dev"); //NON-NLS String make = ""; 
@@ -839,7 +839,7 @@ class ExtractRegistry extends Extract { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE, parentModuleName, value)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, parentModuleName, artnode.getNodeName())); BlackboardArtifact bbart = regFile.newDataArtifact(new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_RECENT_OBJECT), bbattributes); - + newArtifacts.add(bbart); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error adding recent object artifact to blackboard.", ex); //NON-NLS @@ -866,18 +866,18 @@ class ExtractRegistry extends Extract { String sid = artnode.getAttribute("sid"); //NON-NLS String username = artnode.getAttribute("username"); //NON-NLS String domName = domainName; - + // accounts in profileList can be either domain or local // Assume domain unless the SID was seen before in the SAM (which is only local). OsAccountRealm.RealmScope scope = OsAccountRealm.RealmScope.DOMAIN; - if(isDomainIdInSAMList(sid)) { + if (isDomainIdInSAMList(sid)) { domName = null; scope = OsAccountRealm.RealmScope.LOCAL; } - - try{ + + try { createOrUpdateOsAccount(regFile, sid, username, homeDir, domName, scope); - } catch(TskCoreException | TskDataException | NotUserSIDException ex) { + } catch (TskCoreException | TskDataException | NotUserSIDException ex) { logger.log(Level.SEVERE, String.format("Failed to create OsAccount for file: %s, sid: %s", regFile.getId(), sid), ex); } break; @@ -886,7 +886,7 @@ class ExtractRegistry extends Extract { try { String localPath = artnode.getAttribute("localPath"); //NON-NLS String remoteName = value; - + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LOCAL_PATH, parentModuleName, localPath)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REMOTE_PATH, 
@@ -942,8 +942,8 @@ class ExtractRegistry extends Extract { } } catch (IOException ex) { } - - if (!getIngestJobContext().dataSourceIngestIsCancelled()) { + + if (!context.dataSourceIngestIsCancelled()) { postArtifacts(newArtifacts); } } @@ -1013,7 +1013,7 @@ class ExtractRegistry extends Extract { addBlueToothAttribute(line, attributes, TSK_DATETIME); line = reader.readLine(); addBlueToothAttribute(line, attributes, TSK_DATETIME_ACCESSED); - + try { bbartifacts.add(createArtifactWithAttributes(BlackboardArtifact.Type.TSK_BLUETOOTH_PAIRING, regFile, attributes)); } catch (TskCoreException ex) { @@ -1029,7 +1029,7 @@ class ExtractRegistry extends Extract { } } } - + if (!bbartifacts.isEmpty() && !getIngestJobContext().dataSourceIngestIsCancelled()) { postArtifacts(bbartifacts); } @@ -1074,7 +1074,7 @@ class ExtractRegistry extends Extract { * @return true if successful, false if parsing failed at some point */ private boolean parseSamPluginOutput(String regFilePath, AbstractFile regAbstractFile, long ingestJobId) { - + File regfile = new File(regFilePath); List newArtifacts = new ArrayList<>(); try (BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(new FileInputStream(regfile), StandardCharsets.UTF_8))) { 
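Review bot: The `catch (IOException ex) { }` just above the new `context.dataSourceIngestIsCancelled()` check in the -942 hunk swallows the exception with no log entry; judging by the -531 hunk this looks like the close of the manually managed `fstream` in parseAutopsyPluginOutput. At minimum log it, `logger.log(Level.WARNING, "Error closing registry plugin output stream.", ex); //NON-NLS`, or open the stream with try-with-resources so the explicit close and its catch disappear. parseAutopsyPluginOutput begins outside this hunk.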
@@ -1103,31 +1103,31 @@ class ExtractRegistry extends Extract { userInfoMap.put(sid, userInfo); addSIDToSAMList(sid); } - + // New OsAccount Code OsAccountManager accountMgr = tskCase.getOsAccountManager(); HostManager hostMrg = tskCase.getHostManager(); - Host host = hostMrg.getHostByDataSource((DataSource)dataSource); + Host host = hostMrg.getHostByDataSource((DataSource) dataSource); List existingAccounts = accountMgr.getOsAccounts(host); - for(OsAccount osAccount: existingAccounts) { + for (OsAccount osAccount : existingAccounts) { Optional optional = osAccount.getAddr(); - if(!optional.isPresent()) { + if (!optional.isPresent()) { continue; } - + String sid = optional.get(); - Map userInfo = userInfoMap.remove(sid); - if(userInfo != null) { - addAccountInstance(accountMgr, osAccount, (DataSource)dataSource); + Map userInfo = userInfoMap.remove(sid); + if (userInfo != null) { + addAccountInstance(accountMgr, osAccount, (DataSource) dataSource); updateOsAccount(osAccount, userInfo, groupMap.get(sid), regAbstractFile); } } - + //add remaining userinfos as accounts; for (Map userInfo : userInfoMap.values()) { OsAccount osAccount = accountMgr.newWindowsOsAccount(userInfo.get(SID_KEY), null, null, host, OsAccountRealm.RealmScope.LOCAL); - accountMgr.newOsAccountInstance(osAccount, (DataSource)dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED); + accountMgr.newOsAccountInstance(osAccount, (DataSource) dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED); updateOsAccount(osAccount, userInfo, groupMap.get(userInfo.get(SID_KEY)), regAbstractFile); } return true; 
@@ -1137,10 +1137,9 @@ class ExtractRegistry extends Extract { logger.log(Level.WARNING, "Error building the document parser: {0}", ex); //NON-NLS } catch (TskDataException | TskCoreException ex) { logger.log(Level.WARNING, "Error updating TSK_OS_ACCOUNT artifacts to include newly parsed data.", ex); //NON-NLS - } catch (OsAccountManager.NotUserSIDException ex) { + } catch (OsAccountManager.NotUserSIDException ex) { logger.log(Level.WARNING, "Error creating OS Account, input SID is not a user SID.", ex); //NON-NLS - } - finally { + } finally { if (!getIngestJobContext().dataSourceIngestIsCancelled()) { postArtifacts(newArtifacts); } @@ -1280,7 +1279,7 @@ class ExtractRegistry extends Extract { attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME, getDisplayName(), userName)); attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, getDisplayName(), progRunDateTime)); attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COMMENT, getDisplayName(), comment)); - + try { BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_PROG_RUN, regFile, attributes); bbartifacts.add(bba); @@ -1294,7 +1293,7 @@ class ExtractRegistry extends Extract { line = reader.readLine(); } if (!bbartifacts.isEmpty() && !getIngestJobContext().dataSourceIngestIsCancelled()) { - postArtifacts(bbartifacts); + postArtifacts(bbartifacts); } } @@ -1348,7 +1347,7 @@ class ExtractRegistry extends Extract { attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName)); attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, getDisplayName(), adobeUsedTime)); attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment)); - try{ + try { BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes); if (bba != null) { bbartifacts.add(bba); 
@@ -1358,7 +1357,7 @@ class ExtractRegistry extends Extract { bbartifacts.add(bba); } } - } catch(TskCoreException ex) { + } catch (TskCoreException ex) { logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex); } line = reader.readLine(); @@ -1400,7 +1399,7 @@ class ExtractRegistry extends Extract { Collection attributes = new ArrayList<>(); attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName)); attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment)); - try{ + try { BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes); if (bba != null) { bbartifacts.add(bba); @@ -1413,7 +1412,7 @@ class ExtractRegistry extends Extract { } } } - } catch(TskCoreException ex) { + } catch (TskCoreException ex) { logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex); } line = reader.readLine(); @@ -1421,7 +1420,7 @@ class ExtractRegistry extends Extract { line = line.trim(); } } - if (!bbartifacts.isEmpty()&& !getIngestJobContext().dataSourceIngestIsCancelled()) { + if (!bbartifacts.isEmpty() && !getIngestJobContext().dataSourceIngestIsCancelled()) { postArtifacts(bbartifacts); } } @@ -1457,7 +1456,7 @@ class ExtractRegistry extends Extract { Collection attributes = new ArrayList<>(); attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName)); attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment)); - try{ + try { BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes); if (bba != null) { bbartifacts.add(bba); 
@@ -1466,7 +1465,7 @@ class ExtractRegistry extends Extract { bbartifacts.add(bba); } } - } catch(TskCoreException ex) { + } catch (TskCoreException ex) { logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex); } } @@ -1510,14 +1509,14 @@ class ExtractRegistry extends Extract { Collection attributes = new ArrayList<>(); attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName)); attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment)); - try{ + try { BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes); bbartifacts.add(bba); bba = createAssociatedArtifact(FilenameUtils.normalize(fileName, true), bba); if (bba != null) { bbartifacts.add(bba); } - } catch(TskCoreException ex) { + } catch (TskCoreException ex) { logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex); } line = reader.readLine(); @@ -1555,15 +1554,15 @@ class ExtractRegistry extends Extract { Collection attributes = new ArrayList<>(); attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName)); attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment)); - try{ + try { BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes); bbartifacts.add(bba); bba = createAssociatedArtifact(FilenameUtils.normalize(fileName, true), bba); if (bba != null) { bbartifacts.add(bba); } - - } catch(TskCoreException ex) { + + } catch (TskCoreException ex) { logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex); } line = reader.readLine(); 
@@ -1608,14 +1607,14 @@ class ExtractRegistry extends Extract { attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName)); attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, getDisplayName(), docDate)); attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment)); - try{ - BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes); + try { + BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes); bbartifacts.add(bba); bba = createAssociatedArtifact(FilenameUtils.normalize(fileName, true), bba); if (bba != null) { bbartifacts.add(bba); } - } catch(TskCoreException ex) { + } catch (TskCoreException ex) { logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex); } line = reader.readLine(); 
@@ -1673,15 +1672,15 @@ class ExtractRegistry extends Extract { attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName)); attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, getDisplayName(), usedTime)); attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment)); - try{ - BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes); + try { + BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes); bbartifacts.add(bba); bba = createAssociatedArtifact(FilenameUtils.normalize(fileName, true), bba); if (bba != null) { bbartifacts.add(bba); } - } catch(TskCoreException ex) { - logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex); + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex); } line = line.trim(); } @@ -1720,8 +1719,8 @@ class ExtractRegistry extends Extract { } /** - * Create a map of userids to usernames for all OS Accounts associated with the current - * host in OsAccountManager. + * Create a map of userids to usernames for all OS Accounts associated with + * the current host in OsAccountManager. * * @param dataSource * 
@@ -1732,55 +1731,53 @@ class ExtractRegistry extends Extract { private Map makeUserNameMap(Content dataSource) throws TskCoreException { Map map = new HashMap<>(); - for(OsAccount account: tskCase.getOsAccountManager().getOsAccounts(((DataSource)dataSource).getHost())) { + for (OsAccount account : tskCase.getOsAccountManager().getOsAccounts(((DataSource) dataSource).getHost())) { Optional userName = account.getLoginName(); String address = account.getAddr().orElse(""); - if(!address.isEmpty()) { + if (!address.isEmpty()) { map.put(address, userName.isPresent() ? userName.get() : ""); } } return map; } - + /** * Strip the machine sid off of the osAccountSID. The returned string will * include everything in the osAccountSID up to the last -. - * - * There must be at least three dashes in the SID for it to be useful. - * The sid is of a format S-R-X-Y1 where Y1 is the domain identifier which - * may contain multiple dashes. Everything after the final dash is the - * relative identifier. For example - * S-1-5-21-1004336348-1177238915-682003330-512 - * - * In this example the domain identifier is - * 21-1004336348-1177238915-682003330 - * The relative identifier is 512. - * + * + * There must be at least three dashes in the SID for it to be useful. The + * sid is of a format S-R-X-Y1 where Y1 is the domain identifier which may + * contain multiple dashes. Everything after the final dash is the relative + * identifier. For example S-1-5-21-1004336348-1177238915-682003330-512 + * + * In this example the domain identifier is + * 21-1004336348-1177238915-682003330 The relative identifier is 512. + * * In other words everything between the third and last dash is the domain * identifier. - * + * * @param osAccountSID The SID of the os account. 
- * + * * @return The Machine SID */ private String stripRelativeIdentifierFromSID(String osAccountSID) { - if(osAccountSID.split("-").length > 4) { + if (osAccountSID.split("-").length > 4) { int index = osAccountSID.lastIndexOf('-'); return index > 1 ? osAccountSID.substring(0, index) : ""; } return ""; } - + private final List machineSIDs = new ArrayList<>(); - + /** * Returns a mapping of user sids to user names. - * + * * @return SID to username map. Will be empty if none where found. */ private Map getUserNameMap() { - if(userNameMap == null) { + if (userNameMap == null) { // Get a mapping of user sids to user names and save globally so it can be used for other areas // of the registry, ie: BAM key try { @@ -1792,7 +1789,7 @@ class ExtractRegistry extends Extract { userNameMap = new HashMap<>(); } } - + return userNameMap; } @@ -1847,12 +1844,12 @@ class ExtractRegistry extends Extract { attributes.add(new BlackboardAttribute(TSK_DATETIME_ACCESSED, getDisplayName(), time)); } - BlackboardArtifact artifact = createArtifactWithAttributes(getShellBagArtifact(), regFile, attributes); + BlackboardArtifact artifact = createArtifactWithAttributes(getShellBagArtifact(), regFile, attributes); artifacts.add(artifact); } } finally { - if(!getIngestJobContext().dataSourceIngestIsCancelled()) { - postArtifacts(artifacts); + if (!getIngestJobContext().dataSourceIngestIsCancelled()) { + postArtifacts(artifacts); } } } @@ -1871,7 +1868,7 @@ class ExtractRegistry extends Extract { shellBagArtifactType = tskCase.getBlackboard().getOrAddArtifactType(SHELLBAG_ARTIFACT_NAME, Bundle.Shellbag_Artifact_Display_Name()); } catch (BlackboardException ex) { throw new TskCoreException(String.format("Failed to get shell bag artifact type", SHELLBAG_ARTIFACT_NAME), ex); - } + } } return shellBagArtifactType; 
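Review bot: The reflowed javadoc on stripRelativeIdentifierFromSID in the -1732 hunk says there must be at least three dashes in the SID, but the guard `if (osAccountSID.split("-").length > 4)` requires five components, i.e. at least four dashes, so a SID such as S-1-5-18 yields "". The code matches the S-R-X-Y1-RID shape the rest of the comment describes, so the sentence should read `There must be at least four dashes in the SID for it to be useful.` The method is complete within the hunk.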
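Review bot: In the -1871 hunk `String.format("Failed to get shell bag artifact type", SHELLBAG_ARTIFACT_NAME)` has no `%s` placeholder, so the artifact type name is silently dropped from the exception message. Write `String.format("Failed to get shell bag artifact type %s", SHELLBAG_ARTIFACT_NAME)`. The enclosing method (presumably getShellBagArtifact) starts outside the hunk.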
@@ -1942,7 +1939,7 @@ class ExtractRegistry extends Extract { if (line.contains("Group Name")) { String value = line.replaceAll("Group Name\\s*?:", "").trim(); groupName = (value.replaceAll("\\[\\d*?\\]", "")).trim(); - int startIndex = value.indexOf(" [") + 1; + int startIndex = value.indexOf(" [") + 1; int endIndex = value.indexOf(']'); if (startIndex != -1 && endIndex != -1) { @@ -2020,7 +2017,7 @@ class ExtractRegistry extends Extract { public String autopsyPlugins = ""; public String fullPlugins = ""; } - + /** * Updates an existing or creates a new OsAccount with the given attributes. * 
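Review bot: `int startIndex = value.indexOf(" [") + 1;` in the -1942 hunk folds the offset into the sentinel: when " [" is absent `indexOf` returns -1, `startIndex` becomes 0, and the following `startIndex != -1` test can never fail, so the group-name parsing proceeds with a bogus start index. Keep the raw index for the check, `int startIndex = value.indexOf(" [");` with `if (startIndex != -1 && endIndex != -1) {`, and apply the `+ 1` where the index is consumed inside the `if`, whose body lies past the end of the hunk. The enclosing method starts and ends outside the hunk.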
@@ -2036,19 +2033,19 @@ class ExtractRegistry extends Extract { private void createOrUpdateOsAccount(AbstractFile file, String sid, String userName, String homeDir, String domainName, OsAccountRealm.RealmScope realmScope) throws TskCoreException, TskDataException, NotUserSIDException { OsAccountManager accountMgr = tskCase.getOsAccountManager(); HostManager hostMrg = tskCase.getHostManager(); - Host host = hostMrg.getHostByDataSource((DataSource)dataSource); + Host host = hostMrg.getHostByDataSource((DataSource) dataSource); Optional optional = accountMgr.getWindowsOsAccount(sid, null, null, host); OsAccount osAccount; if (!optional.isPresent()) { osAccount = accountMgr.newWindowsOsAccount(sid, userName != null && userName.isEmpty() ? null : userName, domainName, host, realmScope); - accountMgr.newOsAccountInstance(osAccount, (DataSource)dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED); + accountMgr.newOsAccountInstance(osAccount, (DataSource) dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED); } else { osAccount = optional.get(); - addAccountInstance(accountMgr, osAccount, (DataSource)dataSource); - if (userName != null && !userName.isEmpty()) { - OsAccountUpdateResult updateResult= accountMgr.updateCoreWindowsOsAccountAttributes(osAccount, null, userName, (domainName == null || domainName.isEmpty()) ? null : domainName, host); - osAccount = updateResult.getUpdatedAccount().orElse(osAccount); + addAccountInstance(accountMgr, osAccount, (DataSource) dataSource); + if (userName != null && !userName.isEmpty()) { + OsAccountUpdateResult updateResult = accountMgr.updateCoreWindowsOsAccountAttributes(osAccount, null, userName, (domainName == null || domainName.isEmpty()) ? null : domainName, host); + osAccount = updateResult.getUpdatedAccount().orElse(osAccount); } } 
@@ -2111,7 +2108,7 @@ class ExtractRegistry extends Extract { * @throws TskCoreException */ private void updateOsAccount(OsAccount osAccount, Map userInfo, List groupList, AbstractFile regFile) throws TskDataException, TskCoreException, NotUserSIDException { - Host host = ((DataSource)dataSource).getHost(); + Host host = ((DataSource) dataSource).getHost(); SimpleDateFormat regRipperTimeFormat = new SimpleDateFormat("EEE MMM dd HH:mm:ss yyyy 'Z'", US); regRipperTimeFormat.setTimeZone(getTimeZone("GMT")); @@ -2119,7 +2116,7 @@ class ExtractRegistry extends Extract { List attributes = new ArrayList<>(); Long creationTime = null; - + String value = userInfo.get(ACCOUNT_CREATED_KEY); if (value != null && !value.isEmpty() && !value.equals(NEVER_DATE)) { creationTime = parseRegRipTime(value); @@ -2134,9 +2131,9 @@ class ExtractRegistry extends Extract { osAccount, host, regFile)); } } - + String loginName = null; - value = userInfo.get(USERNAME_KEY); + value = userInfo.get(USERNAME_KEY); if (value != null && !value.isEmpty()) { loginName = value; } @@ -2153,7 +2150,7 @@ class ExtractRegistry extends Extract { // and "Default Guest Acct" value = userInfo.get(ACCOUNT_TYPE_KEY); if (value != null && !value.isEmpty() && value.toLowerCase().contains("admin")) { - attributes.add(createOsAccountAttribute(ATTRIBUTE_TYPE.TSK_IS_ADMIN, + attributes.add(createOsAccountAttribute(ATTRIBUTE_TYPE.TSK_IS_ADMIN, 1, osAccount, host, regFile)); } 
@@ -2237,22 +2234,21 @@ class ExtractRegistry extends Extract { // add the attributes to account. OsAccountManager accountMgr = tskCase.getOsAccountManager(); accountMgr.addExtendedOsAccountAttributes(osAccount, attributes); - + // update the loginname accountMgr.updateCoreWindowsOsAccountAttributes(osAccount, null, loginName, null, host); - + // update other standard attributes - fullname, creationdate accountMgr.updateStandardOsAccountAttributes(osAccount, fullName, null, null, creationTime); - - + } - + /** * Create comma separated list from the set values for the given keys. - * + * * @param keys List of map keys. * @param map Data map. - * + * * @return Comma separated String of values. */ private String getSettingsFromMap(String[] keys, Map map) { 
@@ -2316,38 +2312,39 @@ class ExtractRegistry extends Extract { private OsAccountAttribute createOsAccountAttribute(BlackboardAttribute.ATTRIBUTE_TYPE type, Integer value, OsAccount osAccount, Host host, AbstractFile file) { return osAccount.new OsAccountAttribute(new BlackboardAttribute.Type(type), value, osAccount, host, file); } - + /** - * Adds an account instance for the given data source if one does not already - * exist. - * + * Adds an account instance for the given data source if one does not + * already exist. + * * @param accountMgr * @param osAccount * @param dataSource - * @throws TskCoreException + * + * @throws TskCoreException */ private void addAccountInstance(OsAccountManager accountMgr, OsAccount osAccount, DataSource dataSource) throws TskCoreException { accountMgr.newOsAccountInstance(osAccount, dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED); } - + /** * Add the domainId of the given account sid to the sam domain id list. - * + * * @param sid OS account sid */ private void addSIDToSAMList(String sid) { String relativeID = stripRelativeIdentifierFromSID(sid); - if(!relativeID.isEmpty() && !samDomainIDsList.contains(relativeID)) { + if (!relativeID.isEmpty() && !samDomainIDsList.contains(relativeID)) { samDomainIDsList.add(relativeID); } } - + /** - * Returns true if the domain id of the os account sid is in the list - * of domain ids seen when parsing the sam file. - * + * Returns true if the domain id of the os account sid is in the list of + * domain ids seen when parsing the sam file. + * * @param osAccountSID - * + * * @return If the domainID is in the same file list. */ private boolean isDomainIdInSAMList(String osAccountSID) {