mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-12 16:06:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

7673 Add ingest job IDs to artifact posts

Browse Source
This commit is contained in:
Richard Cordovano 2021-10-21 15:44:07 -04:00
parent 84fa20b8e3
commit 4f8e42df43
4 changed files with 128 additions and 133 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties
View File

@ -35,7 +35,7 @@ ExtractIE.getHistory.errMsg.errProcHist={0}: Error processing Internet Explorer
ExtractIE.parsePascoOutput.errMsg.notFound={0}: Pasco output not found: {1} ExtractIE.parsePascoOutput.errMsg.notFound={0}: Pasco output not found: {1}
ExtractIE.parsePascoOutput.errMsg.errParsing={0}: Error parsing IE history entry {1} ExtractIE.parsePascoOutput.errMsg.errParsing={0}: Error parsing IE history entry {1}
ExtractIE.parsePascoOutput.errMsg.errParsingEntry={0}: Error parsing Internet Explorer History entry. ExtractIE.parsePascoOutput.errMsg.errParsingEntry={0}: Error parsing Internet Explorer History entry.
ExtractRegistry.moduleName.text=Registry ExtractRegistry.moduleName.text=Registry Analyzer
ExtractRegistry.findRegFiles.errMsg.errReadingFile=Error fetching registry file: {0} ExtractRegistry.findRegFiles.errMsg.errReadingFile=Error fetching registry file: {0}
ExtractRegistry.analyzeRegFiles.errMsg.errWritingTemp={0}: Error analyzing registry file {1} ExtractRegistry.analyzeRegFiles.errMsg.errWritingTemp={0}: Error analyzing registry file {1}
ExtractRegistry.analyzeRegFiles.failedParsingResults={0}: Failed parsing registry file results {1} ExtractRegistry.analyzeRegFiles.failedParsingResults={0}: Failed parsing registry file results {1}

4
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED
View File

@ -9,7 +9,6 @@ ChromeCacheExtractor.progressMsg={0}: Extracting cache entry {1} of {2} entries
DataSourceUsage_AndroidMedia=Android Media Card DataSourceUsage_AndroidMedia=Android Media Card
DataSourceUsage_DJU_Drone_DAT=DJI Internal SD Card DataSourceUsage_DJU_Drone_DAT=DJI Internal SD Card
DataSourceUsage_FlashDrive=Flash Drive DataSourceUsage_FlashDrive=Flash Drive
# {0} - OS name
DataSourceUsageAnalyzer.customVolume.label=OS Drive ({0}) DataSourceUsageAnalyzer.customVolume.label=OS Drive ({0})
DataSourceUsageAnalyzer.displayName=Data Source Usage Analyzer DataSourceUsageAnalyzer.displayName=Data Source Usage Analyzer
DataSourceUsageAnalyzer.parentModuleName=Recent Activity DataSourceUsageAnalyzer.parentModuleName=Recent Activity
@ -56,10 +55,9 @@ ExtractOs.windowsVolume.label=OS Drive (Windows)
ExtractOs.yellowDogLinuxOs.label=Linux (Yellow Dog) ExtractOs.yellowDogLinuxOs.label=Linux (Yellow Dog)
ExtractOs.yellowDogLinuxVolume.label=OS Drive (Linux Yellow Dog) ExtractOs.yellowDogLinuxVolume.label=OS Drive (Linux Yellow Dog)
ExtractOS_progressMessage=Checking for OS ExtractOS_progressMessage=Checking for OS
# {0} - sub module name
ExtractPrefetch_errMsg_prefetchParsingFailed={0}: Error analyzing prefetch files ExtractPrefetch_errMsg_prefetchParsingFailed={0}: Error analyzing prefetch files
ExtractPrefetch_module_name=Windows Prefetch Extractor ExtractPrefetch_module_name=Windows Prefetch Extractor
ExtractRecycleBin_module_name=Recycle Bin ExtractRecycleBin_module_name=Recycle Bin Analyzer
ExtractRecycleBin_Recyle_Bin_Display_Name=Recycle Bin ExtractRecycleBin_Recyle_Bin_Display_Name=Recycle Bin
ExtractSafari_Error_Getting_History=An error occurred while processing Safari history files. ExtractSafari_Error_Getting_History=An error occurred while processing Safari history files.
ExtractSafari_Error_Parsing_Bookmark=An error occured while processing Safari Bookmark files ExtractSafari_Error_Parsing_Bookmark=An error occured while processing Safari Bookmark files

8
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRecycleBin.java
View File

@ -2,7 +2,7 @@
* *
* Autopsy Forensic Browser * Autopsy Forensic Browser
* *
* Copyright 2019 Basis Technology Corp. * Copyright 2019-2021 Basis Technology Corp.
* *
* Copyright 2012 42six Solutions. * Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com * Contact: aebadirad <at> 42six <dot> com
@ -79,7 +79,7 @@ final class ExtractRecycleBin extends Extract {
private static final int V2_FILE_NAME_OFFSET = 28; private static final int V2_FILE_NAME_OFFSET = 28;
@Messages({ @Messages({
"ExtractRecycleBin_module_name=Recycle Bin" "ExtractRecycleBin_module_name=Recycle Bin Analyzer"
}) })
ExtractRecycleBin(IngestJobContext context) { ExtractRecycleBin(IngestJobContext context) {
super(Bundle.ExtractRecycleBin_module_name(), context); super(Bundle.ExtractRecycleBin_module_name(), context);
@ -136,10 +136,10 @@ final class ExtractRecycleBin extends Extract {
return; // No need to continue return; // No need to continue
} }
String tempRARecycleBinPath = RAImageIngestModule.getRATempPath(Case.getCurrentCase(), "recyclebin", getIngestJobContext().getJobId()); //NON-NLS IngestJobContext context = getIngestJobContext();
String tempRARecycleBinPath = RAImageIngestModule.getRATempPath(Case.getCurrentCase(), "recyclebin", context.getJobId()); //NON-NLS
// cycle through the $I files and process each. // cycle through the $I files and process each.
IngestJobContext context = getIngestJobContext();
for (AbstractFile iFile : iFiles) { for (AbstractFile iFile : iFiles) {
if (context.dataSourceIngestIsCancelled()) { if (context.dataSourceIngestIsCancelled()) {

123
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
View File

@ -61,7 +61,6 @@ import java.util.AbstractMap;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import java.util.Collection; import java.util.Collection;
import java.util.Collections;
import java.util.Date; import java.util.Date;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
@ -92,7 +91,6 @@ import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAM
import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH; import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH;
import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_HOME_DIR; import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_HOME_DIR;
import org.sleuthkit.datamodel.Content; import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.DataArtifact;
import org.sleuthkit.datamodel.DataSource; import org.sleuthkit.datamodel.DataSource;
import org.sleuthkit.datamodel.Host; import org.sleuthkit.datamodel.Host;
import org.sleuthkit.datamodel.HostManager; import org.sleuthkit.datamodel.HostManager;
@ -197,7 +195,7 @@ class ExtractRegistry extends Extract {
} }
ExtractRegistry(IngestJobContext context) throws IngestModuleException { ExtractRegistry(IngestJobContext context) throws IngestModuleException {
super(NbBundle.getMessage(ExtractIE.class, "ExtractRegistry.moduleName.text"), context); super(NbBundle.getMessage(ExtractRegistry.class, "ExtractRegistry.moduleName.text"), context);
final File rrRoot = InstalledFileLocator.getDefault().locate("rr", ExtractRegistry.class.getPackage().getName(), false); //NON-NLS final File rrRoot = InstalledFileLocator.getDefault().locate("rr", ExtractRegistry.class.getPackage().getName(), false); //NON-NLS
if (rrRoot == null) { if (rrRoot == null) {
@ -298,6 +296,7 @@ class ExtractRegistry extends Extract {
/** /**
* Identifies registry files in the database by mtimeItem, runs regripper on * Identifies registry files in the database by mtimeItem, runs regripper on
* them, and parses the output. * them, and parses the output.
*
* @param ingestJobId The ingest job id. * @param ingestJobId The ingest job id.
*/ */
private void analyzeRegistryFiles(long ingestJobId) { private void analyzeRegistryFiles(long ingestJobId) {
@ -531,6 +530,7 @@ class ExtractRegistry extends Extract {
* @return * @return
*/ */
private boolean parseAutopsyPluginOutput(String regFilePath, AbstractFile regFile) { private boolean parseAutopsyPluginOutput(String regFilePath, AbstractFile regFile) {
IngestJobContext context = getIngestJobContext();
FileInputStream fstream = null; FileInputStream fstream = null;
List<BlackboardArtifact> newArtifacts = new ArrayList<>(); List<BlackboardArtifact> newArtifacts = new ArrayList<>();
try { try {
@ -556,7 +556,7 @@ class ExtractRegistry extends Extract {
int len = children.getLength(); int len = children.getLength();
for (int i = 0; i < len; i++) { for (int i = 0; i < len; i++) {
if (getIngestJobContext().dataSourceIngestIsCancelled()) { if (context.dataSourceIngestIsCancelled()) {
return false; return false;
} }
@ -636,7 +636,7 @@ class ExtractRegistry extends Extract {
case "InstallDate": //NON-NLS case "InstallDate": //NON-NLS
if (value != null && !value.isEmpty()) { if (value != null && !value.isEmpty()) {
try { try {
installtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyyZ", US).parse(value+"+0000").getTime(); installtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyyZ", US).parse(value + "+0000").getTime();
String Tempdate = installtime.toString(); String Tempdate = installtime.toString();
installtime = Long.valueOf(Tempdate) / MS_IN_SEC; installtime = Long.valueOf(Tempdate) / MS_IN_SEC;
} catch (ParseException e) { } catch (ParseException e) {
@ -749,12 +749,12 @@ class ExtractRegistry extends Extract {
} }
for (Map.Entry<String, String> userMap : getUserNameMap().entrySet()) { for (Map.Entry<String, String> userMap : getUserNameMap().entrySet()) {
String sid = ""; String sid = "";
try{ try {
sid = userMap.getKey(); sid = userMap.getKey();
String userName = userMap.getValue(); String userName = userMap.getValue();
// Accounts in the SAM are all local accounts // Accounts in the SAM are all local accounts
createOrUpdateOsAccount(regFile, sid, userName, null, null, OsAccountRealm.RealmScope.LOCAL); createOrUpdateOsAccount(regFile, sid, userName, null, null, OsAccountRealm.RealmScope.LOCAL);
} catch(TskCoreException | TskDataException | NotUserSIDException ex) { } catch (TskCoreException | TskDataException | NotUserSIDException ex) {
logger.log(Level.WARNING, String.format("Failed to update Domain for existing OsAccount: %s, sid: %s", regFile.getId(), sid), ex); logger.log(Level.WARNING, String.format("Failed to update Domain for existing OsAccount: %s, sid: %s", regFile.getId(), sid), ex);
} }
} }
@ -870,14 +870,14 @@ class ExtractRegistry extends Extract {
// accounts in profileList can be either domain or local // accounts in profileList can be either domain or local
// Assume domain unless the SID was seen before in the SAM (which is only local). // Assume domain unless the SID was seen before in the SAM (which is only local).
OsAccountRealm.RealmScope scope = OsAccountRealm.RealmScope.DOMAIN; OsAccountRealm.RealmScope scope = OsAccountRealm.RealmScope.DOMAIN;
if(isDomainIdInSAMList(sid)) { if (isDomainIdInSAMList(sid)) {
domName = null; domName = null;
scope = OsAccountRealm.RealmScope.LOCAL; scope = OsAccountRealm.RealmScope.LOCAL;
} }
try{ try {
createOrUpdateOsAccount(regFile, sid, username, homeDir, domName, scope); createOrUpdateOsAccount(regFile, sid, username, homeDir, domName, scope);
} catch(TskCoreException | TskDataException | NotUserSIDException ex) { } catch (TskCoreException | TskDataException | NotUserSIDException ex) {
logger.log(Level.SEVERE, String.format("Failed to create OsAccount for file: %s, sid: %s", regFile.getId(), sid), ex); logger.log(Level.SEVERE, String.format("Failed to create OsAccount for file: %s, sid: %s", regFile.getId(), sid), ex);
} }
break; break;
@ -943,7 +943,7 @@ class ExtractRegistry extends Extract {
} catch (IOException ex) { } catch (IOException ex) {
} }
if (!getIngestJobContext().dataSourceIngestIsCancelled()) { if (!context.dataSourceIngestIsCancelled()) {
postArtifacts(newArtifacts); postArtifacts(newArtifacts);
} }
} }
@ -1107,19 +1107,19 @@ class ExtractRegistry extends Extract {
// New OsAccount Code // New OsAccount Code
OsAccountManager accountMgr = tskCase.getOsAccountManager(); OsAccountManager accountMgr = tskCase.getOsAccountManager();
HostManager hostMrg = tskCase.getHostManager(); HostManager hostMrg = tskCase.getHostManager();
Host host = hostMrg.getHostByDataSource((DataSource)dataSource); Host host = hostMrg.getHostByDataSource((DataSource) dataSource);
List<OsAccount> existingAccounts = accountMgr.getOsAccounts(host); List<OsAccount> existingAccounts = accountMgr.getOsAccounts(host);
for(OsAccount osAccount: existingAccounts) { for (OsAccount osAccount : existingAccounts) {
Optional<String> optional = osAccount.getAddr(); Optional<String> optional = osAccount.getAddr();
if(!optional.isPresent()) { if (!optional.isPresent()) {
continue; continue;
} }
String sid = optional.get(); String sid = optional.get();
Map<String, String> userInfo = userInfoMap.remove(sid); Map<String, String> userInfo = userInfoMap.remove(sid);
if(userInfo != null) { if (userInfo != null) {
addAccountInstance(accountMgr, osAccount, (DataSource)dataSource); addAccountInstance(accountMgr, osAccount, (DataSource) dataSource);
updateOsAccount(osAccount, userInfo, groupMap.get(sid), regAbstractFile); updateOsAccount(osAccount, userInfo, groupMap.get(sid), regAbstractFile);
} }
} }
@ -1127,7 +1127,7 @@ class ExtractRegistry extends Extract {
//add remaining userinfos as accounts; //add remaining userinfos as accounts;
for (Map<String, String> userInfo : userInfoMap.values()) { for (Map<String, String> userInfo : userInfoMap.values()) {
OsAccount osAccount = accountMgr.newWindowsOsAccount(userInfo.get(SID_KEY), null, null, host, OsAccountRealm.RealmScope.LOCAL); OsAccount osAccount = accountMgr.newWindowsOsAccount(userInfo.get(SID_KEY), null, null, host, OsAccountRealm.RealmScope.LOCAL);
accountMgr.newOsAccountInstance(osAccount, (DataSource)dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED); accountMgr.newOsAccountInstance(osAccount, (DataSource) dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED);
updateOsAccount(osAccount, userInfo, groupMap.get(userInfo.get(SID_KEY)), regAbstractFile); updateOsAccount(osAccount, userInfo, groupMap.get(userInfo.get(SID_KEY)), regAbstractFile);
} }
return true; return true;
@ -1137,10 +1137,9 @@ class ExtractRegistry extends Extract {
logger.log(Level.WARNING, "Error building the document parser: {0}", ex); //NON-NLS logger.log(Level.WARNING, "Error building the document parser: {0}", ex); //NON-NLS
} catch (TskDataException | TskCoreException ex) { } catch (TskDataException | TskCoreException ex) {
logger.log(Level.WARNING, "Error updating TSK_OS_ACCOUNT artifacts to include newly parsed data.", ex); //NON-NLS logger.log(Level.WARNING, "Error updating TSK_OS_ACCOUNT artifacts to include newly parsed data.", ex); //NON-NLS
} catch (OsAccountManager.NotUserSIDException ex) { } catch (OsAccountManager.NotUserSIDException ex) {
logger.log(Level.WARNING, "Error creating OS Account, input SID is not a user SID.", ex); //NON-NLS logger.log(Level.WARNING, "Error creating OS Account, input SID is not a user SID.", ex); //NON-NLS
} } finally {
finally {
if (!getIngestJobContext().dataSourceIngestIsCancelled()) { if (!getIngestJobContext().dataSourceIngestIsCancelled()) {
postArtifacts(newArtifacts); postArtifacts(newArtifacts);
} }
@ -1294,7 +1293,7 @@ class ExtractRegistry extends Extract {
line = reader.readLine(); line = reader.readLine();
} }
if (!bbartifacts.isEmpty() && !getIngestJobContext().dataSourceIngestIsCancelled()) { if (!bbartifacts.isEmpty() && !getIngestJobContext().dataSourceIngestIsCancelled()) {
postArtifacts(bbartifacts); postArtifacts(bbartifacts);
} }
} }
@ -1348,7 +1347,7 @@ class ExtractRegistry extends Extract {
attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName)); attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName));
attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, getDisplayName(), adobeUsedTime)); attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, getDisplayName(), adobeUsedTime));
attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment)); attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment));
try{ try {
BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes); BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes);
if (bba != null) { if (bba != null) {
bbartifacts.add(bba); bbartifacts.add(bba);
@ -1358,7 +1357,7 @@ class ExtractRegistry extends Extract {
bbartifacts.add(bba); bbartifacts.add(bba);
} }
} }
} catch(TskCoreException ex) { } catch (TskCoreException ex) {
logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex); logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex);
} }
line = reader.readLine(); line = reader.readLine();
@ -1400,7 +1399,7 @@ class ExtractRegistry extends Extract {
Collection<BlackboardAttribute> attributes = new ArrayList<>(); Collection<BlackboardAttribute> attributes = new ArrayList<>();
attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName)); attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName));
attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment)); attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment));
try{ try {
BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes); BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes);
if (bba != null) { if (bba != null) {
bbartifacts.add(bba); bbartifacts.add(bba);
@ -1413,7 +1412,7 @@ class ExtractRegistry extends Extract {
} }
} }
} }
} catch(TskCoreException ex) { } catch (TskCoreException ex) {
logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex); logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex);
} }
line = reader.readLine(); line = reader.readLine();
@ -1421,7 +1420,7 @@ class ExtractRegistry extends Extract {
line = line.trim(); line = line.trim();
} }
} }
if (!bbartifacts.isEmpty()&& !getIngestJobContext().dataSourceIngestIsCancelled()) { if (!bbartifacts.isEmpty() && !getIngestJobContext().dataSourceIngestIsCancelled()) {
postArtifacts(bbartifacts); postArtifacts(bbartifacts);
} }
} }
@ -1457,7 +1456,7 @@ class ExtractRegistry extends Extract {
Collection<BlackboardAttribute> attributes = new ArrayList<>(); Collection<BlackboardAttribute> attributes = new ArrayList<>();
attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName)); attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName));
attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment)); attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment));
try{ try {
BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes); BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes);
if (bba != null) { if (bba != null) {
bbartifacts.add(bba); bbartifacts.add(bba);
@ -1466,7 +1465,7 @@ class ExtractRegistry extends Extract {
bbartifacts.add(bba); bbartifacts.add(bba);
} }
} }
} catch(TskCoreException ex) { } catch (TskCoreException ex) {
logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex); logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex);
} }
} }
@ -1510,14 +1509,14 @@ class ExtractRegistry extends Extract {
Collection<BlackboardAttribute> attributes = new ArrayList<>(); Collection<BlackboardAttribute> attributes = new ArrayList<>();
attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName)); attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName));
attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment)); attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment));
try{ try {
BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes); BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes);
bbartifacts.add(bba); bbartifacts.add(bba);
bba = createAssociatedArtifact(FilenameUtils.normalize(fileName, true), bba); bba = createAssociatedArtifact(FilenameUtils.normalize(fileName, true), bba);
if (bba != null) { if (bba != null) {
bbartifacts.add(bba); bbartifacts.add(bba);
} }
} catch(TskCoreException ex) { } catch (TskCoreException ex) {
logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex); logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex);
} }
line = reader.readLine(); line = reader.readLine();
@ -1555,7 +1554,7 @@ class ExtractRegistry extends Extract {
Collection<BlackboardAttribute> attributes = new ArrayList<>(); Collection<BlackboardAttribute> attributes = new ArrayList<>();
attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName)); attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName));
attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment)); attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment));
try{ try {
BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes); BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes);
bbartifacts.add(bba); bbartifacts.add(bba);
bba = createAssociatedArtifact(FilenameUtils.normalize(fileName, true), bba); bba = createAssociatedArtifact(FilenameUtils.normalize(fileName, true), bba);
@ -1563,7 +1562,7 @@ class ExtractRegistry extends Extract {
bbartifacts.add(bba); bbartifacts.add(bba);
} }
} catch(TskCoreException ex) { } catch (TskCoreException ex) {
logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex); logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex);
} }
line = reader.readLine(); line = reader.readLine();
@ -1608,14 +1607,14 @@ class ExtractRegistry extends Extract {
attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName)); attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName));
attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, getDisplayName(), docDate)); attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, getDisplayName(), docDate));
attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment)); attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment));
try{ try {
BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes); BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes);
bbartifacts.add(bba); bbartifacts.add(bba);
bba = createAssociatedArtifact(FilenameUtils.normalize(fileName, true), bba); bba = createAssociatedArtifact(FilenameUtils.normalize(fileName, true), bba);
if (bba != null) { if (bba != null) {
bbartifacts.add(bba); bbartifacts.add(bba);
} }
} catch(TskCoreException ex) { } catch (TskCoreException ex) {
logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex); logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex);
} }
line = reader.readLine(); line = reader.readLine();
@ -1673,15 +1672,15 @@ class ExtractRegistry extends Extract {
attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName)); attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName));
attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, getDisplayName(), usedTime)); attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, getDisplayName(), usedTime));
attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment)); attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment));
try{ try {
BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes); BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes);
bbartifacts.add(bba); bbartifacts.add(bba);
bba = createAssociatedArtifact(FilenameUtils.normalize(fileName, true), bba); bba = createAssociatedArtifact(FilenameUtils.normalize(fileName, true), bba);
if (bba != null) { if (bba != null) {
bbartifacts.add(bba); bbartifacts.add(bba);
} }
} catch(TskCoreException ex) { } catch (TskCoreException ex) {
logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex); logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex);
} }
line = line.trim(); line = line.trim();
} }
@ -1720,8 +1719,8 @@ class ExtractRegistry extends Extract {
} }
/** /**
* Create a map of userids to usernames for all OS Accounts associated with the current * Create a map of userids to usernames for all OS Accounts associated with
* host in OsAccountManager. * the current host in OsAccountManager.
* *
* @param dataSource * @param dataSource
* *
@ -1732,10 +1731,10 @@ class ExtractRegistry extends Extract {
private Map<String, String> makeUserNameMap(Content dataSource) throws TskCoreException { private Map<String, String> makeUserNameMap(Content dataSource) throws TskCoreException {
Map<String, String> map = new HashMap<>(); Map<String, String> map = new HashMap<>();
for(OsAccount account: tskCase.getOsAccountManager().getOsAccounts(((DataSource)dataSource).getHost())) { for (OsAccount account : tskCase.getOsAccountManager().getOsAccounts(((DataSource) dataSource).getHost())) {
Optional<String> userName = account.getLoginName(); Optional<String> userName = account.getLoginName();
String address = account.getAddr().orElse(""); String address = account.getAddr().orElse("");
if(!address.isEmpty()) { if (!address.isEmpty()) {
map.put(address, userName.isPresent() ? userName.get() : ""); map.put(address, userName.isPresent() ? userName.get() : "");
} }
} }
@ -1747,15 +1746,13 @@ class ExtractRegistry extends Extract {
* Strip the machine sid off of the osAccountSID. The returned string will * Strip the machine sid off of the osAccountSID. The returned string will
* include everything in the osAccountSID up to the last -. * include everything in the osAccountSID up to the last -.
* *
* There must be at least three dashes in the SID for it to be useful. * There must be at least three dashes in the SID for it to be useful. The
* The sid is of a format S-R-X-Y1 where Y1 is the domain identifier which * sid is of a format S-R-X-Y1 where Y1 is the domain identifier which may
* may contain multiple dashes. Everything after the final dash is the * contain multiple dashes. Everything after the final dash is the relative
* relative identifier. For example * identifier. For example S-1-5-21-1004336348-1177238915-682003330-512
* S-1-5-21-1004336348-1177238915-682003330-512
* *
* In this example the domain identifier is * In this example the domain identifier is
* 21-1004336348-1177238915-682003330 * 21-1004336348-1177238915-682003330 The relative identifier is 512.
* The relative identifier is 512.
* *
* In other words everything between the third and last dash is the domain * In other words everything between the third and last dash is the domain
* identifier. * identifier.
@ -1765,7 +1762,7 @@ class ExtractRegistry extends Extract {
* @return The Machine SID * @return The Machine SID
*/ */
private String stripRelativeIdentifierFromSID(String osAccountSID) { private String stripRelativeIdentifierFromSID(String osAccountSID) {
if(osAccountSID.split("-").length > 4) { if (osAccountSID.split("-").length > 4) {
int index = osAccountSID.lastIndexOf('-'); int index = osAccountSID.lastIndexOf('-');
return index > 1 ? osAccountSID.substring(0, index) : ""; return index > 1 ? osAccountSID.substring(0, index) : "";
} }
@ -1780,7 +1777,7 @@ class ExtractRegistry extends Extract {
* @return SID to username map. Will be empty if none where found. * @return SID to username map. Will be empty if none where found.
*/ */
private Map<String, String> getUserNameMap() { private Map<String, String> getUserNameMap() {
if(userNameMap == null) { if (userNameMap == null) {
// Get a mapping of user sids to user names and save globally so it can be used for other areas // Get a mapping of user sids to user names and save globally so it can be used for other areas
// of the registry, ie: BAM key // of the registry, ie: BAM key
try { try {
@ -1851,7 +1848,7 @@ class ExtractRegistry extends Extract {
artifacts.add(artifact); artifacts.add(artifact);
} }
} finally { } finally {
if(!getIngestJobContext().dataSourceIngestIsCancelled()) { if (!getIngestJobContext().dataSourceIngestIsCancelled()) {
postArtifacts(artifacts); postArtifacts(artifacts);
} }
} }
@ -2036,18 +2033,18 @@ class ExtractRegistry extends Extract {
private void createOrUpdateOsAccount(AbstractFile file, String sid, String userName, String homeDir, String domainName, OsAccountRealm.RealmScope realmScope) throws TskCoreException, TskDataException, NotUserSIDException { private void createOrUpdateOsAccount(AbstractFile file, String sid, String userName, String homeDir, String domainName, OsAccountRealm.RealmScope realmScope) throws TskCoreException, TskDataException, NotUserSIDException {
OsAccountManager accountMgr = tskCase.getOsAccountManager(); OsAccountManager accountMgr = tskCase.getOsAccountManager();
HostManager hostMrg = tskCase.getHostManager(); HostManager hostMrg = tskCase.getHostManager();
Host host = hostMrg.getHostByDataSource((DataSource)dataSource); Host host = hostMrg.getHostByDataSource((DataSource) dataSource);
Optional<OsAccount> optional = accountMgr.getWindowsOsAccount(sid, null, null, host); Optional<OsAccount> optional = accountMgr.getWindowsOsAccount(sid, null, null, host);
OsAccount osAccount; OsAccount osAccount;
if (!optional.isPresent()) { if (!optional.isPresent()) {
osAccount = accountMgr.newWindowsOsAccount(sid, userName != null && userName.isEmpty() ? null : userName, domainName, host, realmScope); osAccount = accountMgr.newWindowsOsAccount(sid, userName != null && userName.isEmpty() ? null : userName, domainName, host, realmScope);
accountMgr.newOsAccountInstance(osAccount, (DataSource)dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED); accountMgr.newOsAccountInstance(osAccount, (DataSource) dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED);
} else { } else {
osAccount = optional.get(); osAccount = optional.get();
addAccountInstance(accountMgr, osAccount, (DataSource)dataSource); addAccountInstance(accountMgr, osAccount, (DataSource) dataSource);
if (userName != null && !userName.isEmpty()) { if (userName != null && !userName.isEmpty()) {
OsAccountUpdateResult updateResult= accountMgr.updateCoreWindowsOsAccountAttributes(osAccount, null, userName, (domainName == null || domainName.isEmpty()) ? null : domainName, host); OsAccountUpdateResult updateResult = accountMgr.updateCoreWindowsOsAccountAttributes(osAccount, null, userName, (domainName == null || domainName.isEmpty()) ? null : domainName, host);
osAccount = updateResult.getUpdatedAccount().orElse(osAccount); osAccount = updateResult.getUpdatedAccount().orElse(osAccount);
} }
} }
@ -2111,7 +2108,7 @@ class ExtractRegistry extends Extract {
* @throws TskCoreException * @throws TskCoreException
*/ */
private void updateOsAccount(OsAccount osAccount, Map<String, String> userInfo, List<String> groupList, AbstractFile regFile) throws TskDataException, TskCoreException, NotUserSIDException { private void updateOsAccount(OsAccount osAccount, Map<String, String> userInfo, List<String> groupList, AbstractFile regFile) throws TskDataException, TskCoreException, NotUserSIDException {
Host host = ((DataSource)dataSource).getHost(); Host host = ((DataSource) dataSource).getHost();
SimpleDateFormat regRipperTimeFormat = new SimpleDateFormat("EEE MMM dd HH:mm:ss yyyy 'Z'", US); SimpleDateFormat regRipperTimeFormat = new SimpleDateFormat("EEE MMM dd HH:mm:ss yyyy 'Z'", US);
regRipperTimeFormat.setTimeZone(getTimeZone("GMT")); regRipperTimeFormat.setTimeZone(getTimeZone("GMT"));
@ -2153,7 +2150,7 @@ class ExtractRegistry extends Extract {
// and "Default Guest Acct" // and "Default Guest Acct"
value = userInfo.get(ACCOUNT_TYPE_KEY); value = userInfo.get(ACCOUNT_TYPE_KEY);
if (value != null && !value.isEmpty() && value.toLowerCase().contains("admin")) { if (value != null && !value.isEmpty() && value.toLowerCase().contains("admin")) {
attributes.add(createOsAccountAttribute(ATTRIBUTE_TYPE.TSK_IS_ADMIN, attributes.add(createOsAccountAttribute(ATTRIBUTE_TYPE.TSK_IS_ADMIN,
1, osAccount, host, regFile)); 1, osAccount, host, regFile));
} }
@ -2244,7 +2241,6 @@ class ExtractRegistry extends Extract {
// update other standard attributes - fullname, creationdate // update other standard attributes - fullname, creationdate
accountMgr.updateStandardOsAccountAttributes(osAccount, fullName, null, null, creationTime); accountMgr.updateStandardOsAccountAttributes(osAccount, fullName, null, null, creationTime);
} }
/** /**
@ -2318,12 +2314,13 @@ class ExtractRegistry extends Extract {
} }
/** /**
* Adds an account instance for the given data source if one does not already * Adds an account instance for the given data source if one does not
* exist. * already exist.
* *
* @param accountMgr * @param accountMgr
* @param osAccount * @param osAccount
* @param dataSource * @param dataSource
*
* @throws TskCoreException * @throws TskCoreException
*/ */
private void addAccountInstance(OsAccountManager accountMgr, OsAccount osAccount, DataSource dataSource) throws TskCoreException { private void addAccountInstance(OsAccountManager accountMgr, OsAccount osAccount, DataSource dataSource) throws TskCoreException {
@ -2337,14 +2334,14 @@ class ExtractRegistry extends Extract {
*/ */
private void addSIDToSAMList(String sid) { private void addSIDToSAMList(String sid) {
String relativeID = stripRelativeIdentifierFromSID(sid); String relativeID = stripRelativeIdentifierFromSID(sid);
if(!relativeID.isEmpty() && !samDomainIDsList.contains(relativeID)) { if (!relativeID.isEmpty() && !samDomainIDsList.contains(relativeID)) {
samDomainIDsList.add(relativeID); samDomainIDsList.add(relativeID);
} }
} }
/** /**
* Returns true if the domain id of the os account sid is in the list * Returns true if the domain id of the os account sid is in the list of
* of domain ids seen when parsing the sam file. * domain ids seen when parsing the sam file.
* *
* @param osAccountSID * @param osAccountSID
* *