7673 Add ingest job IDs to artifact posts

This commit is contained in:
Richard Cordovano 2021-10-21 15:44:07 -04:00
parent 84fa20b8e3
commit 4f8e42df43
4 changed files with 128 additions and 133 deletions


@ -35,7 +35,7 @@ ExtractIE.getHistory.errMsg.errProcHist={0}: Error processing Internet Explorer
ExtractIE.parsePascoOutput.errMsg.notFound={0}: Pasco output not found: {1} ExtractIE.parsePascoOutput.errMsg.notFound={0}: Pasco output not found: {1}
ExtractIE.parsePascoOutput.errMsg.errParsing={0}: Error parsing IE history entry {1} ExtractIE.parsePascoOutput.errMsg.errParsing={0}: Error parsing IE history entry {1}
ExtractIE.parsePascoOutput.errMsg.errParsingEntry={0}: Error parsing Internet Explorer History entry. ExtractIE.parsePascoOutput.errMsg.errParsingEntry={0}: Error parsing Internet Explorer History entry.
ExtractRegistry.moduleName.text=Registry ExtractRegistry.moduleName.text=Registry Analyzer
ExtractRegistry.findRegFiles.errMsg.errReadingFile=Error fetching registry file: {0} ExtractRegistry.findRegFiles.errMsg.errReadingFile=Error fetching registry file: {0}
ExtractRegistry.analyzeRegFiles.errMsg.errWritingTemp={0}: Error analyzing registry file {1} ExtractRegistry.analyzeRegFiles.errMsg.errWritingTemp={0}: Error analyzing registry file {1}
ExtractRegistry.analyzeRegFiles.failedParsingResults={0}: Failed parsing registry file results {1} ExtractRegistry.analyzeRegFiles.failedParsingResults={0}: Failed parsing registry file results {1}


@ -9,7 +9,6 @@ ChromeCacheExtractor.progressMsg={0}: Extracting cache entry {1} of {2} entries
DataSourceUsage_AndroidMedia=Android Media Card DataSourceUsage_AndroidMedia=Android Media Card
DataSourceUsage_DJU_Drone_DAT=DJI Internal SD Card DataSourceUsage_DJU_Drone_DAT=DJI Internal SD Card
DataSourceUsage_FlashDrive=Flash Drive DataSourceUsage_FlashDrive=Flash Drive
# {0} - OS name
DataSourceUsageAnalyzer.customVolume.label=OS Drive ({0}) DataSourceUsageAnalyzer.customVolume.label=OS Drive ({0})
DataSourceUsageAnalyzer.displayName=Data Source Usage Analyzer DataSourceUsageAnalyzer.displayName=Data Source Usage Analyzer
DataSourceUsageAnalyzer.parentModuleName=Recent Activity DataSourceUsageAnalyzer.parentModuleName=Recent Activity
@ -56,10 +55,9 @@ ExtractOs.windowsVolume.label=OS Drive (Windows)
ExtractOs.yellowDogLinuxOs.label=Linux (Yellow Dog) ExtractOs.yellowDogLinuxOs.label=Linux (Yellow Dog)
ExtractOs.yellowDogLinuxVolume.label=OS Drive (Linux Yellow Dog) ExtractOs.yellowDogLinuxVolume.label=OS Drive (Linux Yellow Dog)
ExtractOS_progressMessage=Checking for OS ExtractOS_progressMessage=Checking for OS
# {0} - sub module name
ExtractPrefetch_errMsg_prefetchParsingFailed={0}: Error analyzing prefetch files ExtractPrefetch_errMsg_prefetchParsingFailed={0}: Error analyzing prefetch files
ExtractPrefetch_module_name=Windows Prefetch Extractor ExtractPrefetch_module_name=Windows Prefetch Extractor
ExtractRecycleBin_module_name=Recycle Bin ExtractRecycleBin_module_name=Recycle Bin Analyzer
ExtractRecycleBin_Recyle_Bin_Display_Name=Recycle Bin ExtractRecycleBin_Recyle_Bin_Display_Name=Recycle Bin
ExtractSafari_Error_Getting_History=An error occurred while processing Safari history files. ExtractSafari_Error_Getting_History=An error occurred while processing Safari history files.
ExtractSafari_Error_Parsing_Bookmark=An error occured while processing Safari Bookmark files ExtractSafari_Error_Parsing_Bookmark=An error occured while processing Safari Bookmark files


@ -2,7 +2,7 @@
* *
* Autopsy Forensic Browser * Autopsy Forensic Browser
* *
* Copyright 2019 Basis Technology Corp. * Copyright 2019-2021 Basis Technology Corp.
* *
* Copyright 2012 42six Solutions. * Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com * Contact: aebadirad <at> 42six <dot> com
@ -79,7 +79,7 @@ final class ExtractRecycleBin extends Extract {
private static final int V2_FILE_NAME_OFFSET = 28; private static final int V2_FILE_NAME_OFFSET = 28;
@Messages({ @Messages({
"ExtractRecycleBin_module_name=Recycle Bin" "ExtractRecycleBin_module_name=Recycle Bin Analyzer"
}) })
ExtractRecycleBin(IngestJobContext context) { ExtractRecycleBin(IngestJobContext context) {
super(Bundle.ExtractRecycleBin_module_name(), context); super(Bundle.ExtractRecycleBin_module_name(), context);
@ -136,10 +136,10 @@ final class ExtractRecycleBin extends Extract {
return; // No need to continue return; // No need to continue
} }
String tempRARecycleBinPath = RAImageIngestModule.getRATempPath(Case.getCurrentCase(), "recyclebin", getIngestJobContext().getJobId()); //NON-NLS IngestJobContext context = getIngestJobContext();
String tempRARecycleBinPath = RAImageIngestModule.getRATempPath(Case.getCurrentCase(), "recyclebin", context.getJobId()); //NON-NLS
// cycle through the $I files and process each. // cycle through the $I files and process each.
IngestJobContext context = getIngestJobContext();
for (AbstractFile iFile : iFiles) { for (AbstractFile iFile : iFiles) {
if (context.dataSourceIngestIsCancelled()) { if (context.dataSourceIngestIsCancelled()) {
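Review bot: The `context` local introduced in the 136 hunk now serves two roles, supplying the job id for the per-job temp path and answering the cancellation check inside the `$I` loop, so declaring it `final IngestJobContext context = getIngestJobContext();` makes it explicit that the loop never rebinds it. The `// cycle through the $I files and process each.` comment would also read better directly above the `for`, since the temp-path line now sits between it and the loop it describes. The enclosing method starts and ends outside this hunk, so whether anything between the loop and the method's end still calls `getIngestJobContext()` directly cannot be confirmed from here.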


@ -61,7 +61,6 @@ import java.util.AbstractMap;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import java.util.Collection; import java.util.Collection;
import java.util.Collections;
import java.util.Date; import java.util.Date;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
@ -92,7 +91,6 @@ import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAM
import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH; import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH;
import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_HOME_DIR; import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_HOME_DIR;
import org.sleuthkit.datamodel.Content; import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.DataArtifact;
import org.sleuthkit.datamodel.DataSource; import org.sleuthkit.datamodel.DataSource;
import org.sleuthkit.datamodel.Host; import org.sleuthkit.datamodel.Host;
import org.sleuthkit.datamodel.HostManager; import org.sleuthkit.datamodel.HostManager;
@ -181,23 +179,23 @@ class ExtractRegistry extends Extract {
private String compName = ""; private String compName = "";
private String domainName = ""; private String domainName = "";
private static final String SHELLBAG_ARTIFACT_NAME = "RA_SHELL_BAG"; //NON-NLS private static final String SHELLBAG_ARTIFACT_NAME = "RA_SHELL_BAG"; //NON-NLS
private static final String SHELLBAG_ATTRIBUTE_LAST_WRITE = "RA_SHELL_BAG_LAST_WRITE"; //NON-NLS private static final String SHELLBAG_ATTRIBUTE_LAST_WRITE = "RA_SHELL_BAG_LAST_WRITE"; //NON-NLS
private static final String SHELLBAG_ATTRIBUTE_KEY = "RA_SHELL_BAG_KEY"; //NON-NLS private static final String SHELLBAG_ATTRIBUTE_KEY = "RA_SHELL_BAG_KEY"; //NON-NLS
private static final SimpleDateFormat REG_RIPPER_TIME_FORMAT = new SimpleDateFormat("EEE MMM dd HH:mm:ss yyyy 'Z'", US); private static final SimpleDateFormat REG_RIPPER_TIME_FORMAT = new SimpleDateFormat("EEE MMM dd HH:mm:ss yyyy 'Z'", US);
private BlackboardArtifact.Type shellBagArtifactType = null; private BlackboardArtifact.Type shellBagArtifactType = null;
private BlackboardAttribute.Type shellBagKeyAttributeType = null; private BlackboardAttribute.Type shellBagKeyAttributeType = null;
private BlackboardAttribute.Type shellBagLastWriteAttributeType = null; private BlackboardAttribute.Type shellBagLastWriteAttributeType = null;
static { static {
REG_RIPPER_TIME_FORMAT.setTimeZone(getTimeZone("GMT")); REG_RIPPER_TIME_FORMAT.setTimeZone(getTimeZone("GMT"));
} }
ExtractRegistry(IngestJobContext context) throws IngestModuleException { ExtractRegistry(IngestJobContext context) throws IngestModuleException {
super(NbBundle.getMessage(ExtractIE.class, "ExtractRegistry.moduleName.text"), context); super(NbBundle.getMessage(ExtractRegistry.class, "ExtractRegistry.moduleName.text"), context);
final File rrRoot = InstalledFileLocator.getDefault().locate("rr", ExtractRegistry.class.getPackage().getName(), false); //NON-NLS final File rrRoot = InstalledFileLocator.getDefault().locate("rr", ExtractRegistry.class.getPackage().getName(), false); //NON-NLS
if (rrRoot == null) { if (rrRoot == null) {
@ -298,6 +296,7 @@ class ExtractRegistry extends Extract {
/** /**
* Identifies registry files in the database by mtimeItem, runs regripper on * Identifies registry files in the database by mtimeItem, runs regripper on
* them, and parses the output. * them, and parses the output.
*
* @param ingestJobId The ingest job id. * @param ingestJobId The ingest job id.
*/ */
private void analyzeRegistryFiles(long ingestJobId) { private void analyzeRegistryFiles(long ingestJobId) {
@ -316,7 +315,7 @@ class ExtractRegistry extends Extract {
if (context.dataSourceIngestIsCancelled()) { if (context.dataSourceIngestIsCancelled()) {
return; return;
} }
String regFileName = regFile.getName(); String regFileName = regFile.getName();
long regFileId = regFile.getId(); long regFileId = regFile.getId();
String regFileNameLocal = RAImageIngestModule.getRATempPath(currentCase, "reg", ingestJobId) + File.separator + regFileName; String regFileNameLocal = RAImageIngestModule.getRATempPath(currentCase, "reg", ingestJobId) + File.separator + regFileName;
@ -364,7 +363,7 @@ class ExtractRegistry extends Extract {
NbBundle.getMessage(this.getClass(), "ExtractRegistry.analyzeRegFiles.failedParsingResults", NbBundle.getMessage(this.getClass(), "ExtractRegistry.analyzeRegFiles.failedParsingResults",
this.getDisplayName(), regFileName)); this.getDisplayName(), regFileName));
} }
if (context.dataSourceIngestIsCancelled()) { if (context.dataSourceIngestIsCancelled()) {
return; return;
} }
@ -375,7 +374,7 @@ class ExtractRegistry extends Extract {
if (regFileNameLocal.toLowerCase().contains("sam") && parseSamPluginOutput(regOutputFiles.fullPlugins, regFile, ingestJobId) == false) { if (regFileNameLocal.toLowerCase().contains("sam") && parseSamPluginOutput(regOutputFiles.fullPlugins, regFile, ingestJobId) == false) {
this.addErrorMessage( this.addErrorMessage(
NbBundle.getMessage(this.getClass(), "ExtractRegistry.analyzeRegFiles.failedParsingResults", NbBundle.getMessage(this.getClass(), "ExtractRegistry.analyzeRegFiles.failedParsingResults",
this.getDisplayName(), regFileName)); this.getDisplayName(), regFileName));
} else if (regFileNameLocal.toLowerCase().contains("ntuser") || regFileNameLocal.toLowerCase().contains("usrclass")) { } else if (regFileNameLocal.toLowerCase().contains("ntuser") || regFileNameLocal.toLowerCase().contains("usrclass")) {
try { try {
List<ShellBag> shellbags = ShellBagParser.parseShellbagOutput(regOutputFiles.fullPlugins); List<ShellBag> shellbags = ShellBagParser.parseShellbagOutput(regOutputFiles.fullPlugins);
@ -389,11 +388,11 @@ class ExtractRegistry extends Extract {
NbBundle.getMessage(this.getClass(), "ExtractRegistry.analyzeRegFiles.failedParsingResults", NbBundle.getMessage(this.getClass(), "ExtractRegistry.analyzeRegFiles.failedParsingResults",
this.getDisplayName(), regFileName)); this.getDisplayName(), regFileName));
} }
if (context.dataSourceIngestIsCancelled()) { if (context.dataSourceIngestIsCancelled()) {
return; return;
} }
try { try {
Report report = currentCase.addReport(regOutputFiles.fullPlugins, Report report = currentCase.addReport(regOutputFiles.fullPlugins,
NbBundle.getMessage(this.getClass(), "ExtractRegistry.parentModuleName.noSpace"), NbBundle.getMessage(this.getClass(), "ExtractRegistry.parentModuleName.noSpace"),
@ -531,6 +530,7 @@ class ExtractRegistry extends Extract {
* @return * @return
*/ */
private boolean parseAutopsyPluginOutput(String regFilePath, AbstractFile regFile) { private boolean parseAutopsyPluginOutput(String regFilePath, AbstractFile regFile) {
IngestJobContext context = getIngestJobContext();
FileInputStream fstream = null; FileInputStream fstream = null;
List<BlackboardArtifact> newArtifacts = new ArrayList<>(); List<BlackboardArtifact> newArtifacts = new ArrayList<>();
try { try {
@ -556,7 +556,7 @@ class ExtractRegistry extends Extract {
int len = children.getLength(); int len = children.getLength();
for (int i = 0; i < len; i++) { for (int i = 0; i < len; i++) {
if (getIngestJobContext().dataSourceIngestIsCancelled()) { if (context.dataSourceIngestIsCancelled()) {
return false; return false;
} }
@ -636,7 +636,7 @@ class ExtractRegistry extends Extract {
case "InstallDate": //NON-NLS case "InstallDate": //NON-NLS
if (value != null && !value.isEmpty()) { if (value != null && !value.isEmpty()) {
try { try {
installtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyyZ", US).parse(value+"+0000").getTime(); installtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyyZ", US).parse(value + "+0000").getTime();
String Tempdate = installtime.toString(); String Tempdate = installtime.toString();
installtime = Long.valueOf(Tempdate) / MS_IN_SEC; installtime = Long.valueOf(Tempdate) / MS_IN_SEC;
} catch (ParseException e) { } catch (ParseException e) {
@ -747,14 +747,14 @@ class ExtractRegistry extends Extract {
} else { } else {
results.get(0).addAttributes(bbattributes); results.get(0).addAttributes(bbattributes);
} }
for (Map.Entry<String, String> userMap : getUserNameMap().entrySet()) { for (Map.Entry<String, String> userMap : getUserNameMap().entrySet()) {
String sid = ""; String sid = "";
try{ try {
sid = userMap.getKey(); sid = userMap.getKey();
String userName = userMap.getValue(); String userName = userMap.getValue();
// Accounts in the SAM are all local accounts // Accounts in the SAM are all local accounts
createOrUpdateOsAccount(regFile, sid, userName, null, null, OsAccountRealm.RealmScope.LOCAL); createOrUpdateOsAccount(regFile, sid, userName, null, null, OsAccountRealm.RealmScope.LOCAL);
} catch(TskCoreException | TskDataException | NotUserSIDException ex) { } catch (TskCoreException | TskDataException | NotUserSIDException ex) {
logger.log(Level.WARNING, String.format("Failed to update Domain for existing OsAccount: %s, sid: %s", regFile.getId(), sid), ex); logger.log(Level.WARNING, String.format("Failed to update Domain for existing OsAccount: %s, sid: %s", regFile.getId(), sid), ex);
} }
} }
@ -784,7 +784,7 @@ class ExtractRegistry extends Extract {
case "usb": //NON-NLS case "usb": //NON-NLS
try { try {
Long usbMtime = Long.parseLong(artnode.getAttribute("mtime")); //NON-NLS Long usbMtime = Long.parseLong(artnode.getAttribute("mtime")); //NON-NLS
usbMtime = Long.valueOf(usbMtime.toString()); usbMtime = Long.valueOf(usbMtime.toString());
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, parentModuleName, usbMtime)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, parentModuleName, usbMtime));
String dev = artnode.getAttribute("dev"); //NON-NLS String dev = artnode.getAttribute("dev"); //NON-NLS
String make = ""; String make = "";
@ -839,7 +839,7 @@ class ExtractRegistry extends Extract {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE, parentModuleName, value)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE, parentModuleName, value));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, parentModuleName, artnode.getNodeName())); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, parentModuleName, artnode.getNodeName()));
BlackboardArtifact bbart = regFile.newDataArtifact(new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_RECENT_OBJECT), bbattributes); BlackboardArtifact bbart = regFile.newDataArtifact(new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_RECENT_OBJECT), bbattributes);
newArtifacts.add(bbart); newArtifacts.add(bbart);
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Error adding recent object artifact to blackboard.", ex); //NON-NLS logger.log(Level.SEVERE, "Error adding recent object artifact to blackboard.", ex); //NON-NLS
@ -866,18 +866,18 @@ class ExtractRegistry extends Extract {
String sid = artnode.getAttribute("sid"); //NON-NLS String sid = artnode.getAttribute("sid"); //NON-NLS
String username = artnode.getAttribute("username"); //NON-NLS String username = artnode.getAttribute("username"); //NON-NLS
String domName = domainName; String domName = domainName;
// accounts in profileList can be either domain or local // accounts in profileList can be either domain or local
// Assume domain unless the SID was seen before in the SAM (which is only local). // Assume domain unless the SID was seen before in the SAM (which is only local).
OsAccountRealm.RealmScope scope = OsAccountRealm.RealmScope.DOMAIN; OsAccountRealm.RealmScope scope = OsAccountRealm.RealmScope.DOMAIN;
if(isDomainIdInSAMList(sid)) { if (isDomainIdInSAMList(sid)) {
domName = null; domName = null;
scope = OsAccountRealm.RealmScope.LOCAL; scope = OsAccountRealm.RealmScope.LOCAL;
} }
try{ try {
createOrUpdateOsAccount(regFile, sid, username, homeDir, domName, scope); createOrUpdateOsAccount(regFile, sid, username, homeDir, domName, scope);
} catch(TskCoreException | TskDataException | NotUserSIDException ex) { } catch (TskCoreException | TskDataException | NotUserSIDException ex) {
logger.log(Level.SEVERE, String.format("Failed to create OsAccount for file: %s, sid: %s", regFile.getId(), sid), ex); logger.log(Level.SEVERE, String.format("Failed to create OsAccount for file: %s, sid: %s", regFile.getId(), sid), ex);
} }
break; break;
@ -886,7 +886,7 @@ class ExtractRegistry extends Extract {
try { try {
String localPath = artnode.getAttribute("localPath"); //NON-NLS String localPath = artnode.getAttribute("localPath"); //NON-NLS
String remoteName = value; String remoteName = value;
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LOCAL_PATH, bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LOCAL_PATH,
parentModuleName, localPath)); parentModuleName, localPath));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REMOTE_PATH, bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REMOTE_PATH,
@ -942,8 +942,8 @@ class ExtractRegistry extends Extract {
} }
} catch (IOException ex) { } catch (IOException ex) {
} }
if (!getIngestJobContext().dataSourceIngestIsCancelled()) { if (!context.dataSourceIngestIsCancelled()) {
postArtifacts(newArtifacts); postArtifacts(newArtifacts);
} }
} }
@ -1013,7 +1013,7 @@ class ExtractRegistry extends Extract {
addBlueToothAttribute(line, attributes, TSK_DATETIME); addBlueToothAttribute(line, attributes, TSK_DATETIME);
line = reader.readLine(); line = reader.readLine();
addBlueToothAttribute(line, attributes, TSK_DATETIME_ACCESSED); addBlueToothAttribute(line, attributes, TSK_DATETIME_ACCESSED);
try { try {
bbartifacts.add(createArtifactWithAttributes(BlackboardArtifact.Type.TSK_BLUETOOTH_PAIRING, regFile, attributes)); bbartifacts.add(createArtifactWithAttributes(BlackboardArtifact.Type.TSK_BLUETOOTH_PAIRING, regFile, attributes));
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
@ -1029,7 +1029,7 @@ class ExtractRegistry extends Extract {
} }
} }
} }
if (!bbartifacts.isEmpty() && !getIngestJobContext().dataSourceIngestIsCancelled()) { if (!bbartifacts.isEmpty() && !getIngestJobContext().dataSourceIngestIsCancelled()) {
postArtifacts(bbartifacts); postArtifacts(bbartifacts);
} }
@ -1074,7 +1074,7 @@ class ExtractRegistry extends Extract {
* @return true if successful, false if parsing failed at some point * @return true if successful, false if parsing failed at some point
*/ */
private boolean parseSamPluginOutput(String regFilePath, AbstractFile regAbstractFile, long ingestJobId) { private boolean parseSamPluginOutput(String regFilePath, AbstractFile regAbstractFile, long ingestJobId) {
File regfile = new File(regFilePath); File regfile = new File(regFilePath);
List<BlackboardArtifact> newArtifacts = new ArrayList<>(); List<BlackboardArtifact> newArtifacts = new ArrayList<>();
try (BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(new FileInputStream(regfile), StandardCharsets.UTF_8))) { try (BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(new FileInputStream(regfile), StandardCharsets.UTF_8))) {
@ -1103,31 +1103,31 @@ class ExtractRegistry extends Extract {
userInfoMap.put(sid, userInfo); userInfoMap.put(sid, userInfo);
addSIDToSAMList(sid); addSIDToSAMList(sid);
} }
// New OsAccount Code // New OsAccount Code
OsAccountManager accountMgr = tskCase.getOsAccountManager(); OsAccountManager accountMgr = tskCase.getOsAccountManager();
HostManager hostMrg = tskCase.getHostManager(); HostManager hostMrg = tskCase.getHostManager();
Host host = hostMrg.getHostByDataSource((DataSource)dataSource); Host host = hostMrg.getHostByDataSource((DataSource) dataSource);
List<OsAccount> existingAccounts = accountMgr.getOsAccounts(host); List<OsAccount> existingAccounts = accountMgr.getOsAccounts(host);
for(OsAccount osAccount: existingAccounts) { for (OsAccount osAccount : existingAccounts) {
Optional<String> optional = osAccount.getAddr(); Optional<String> optional = osAccount.getAddr();
if(!optional.isPresent()) { if (!optional.isPresent()) {
continue; continue;
} }
String sid = optional.get(); String sid = optional.get();
Map<String, String> userInfo = userInfoMap.remove(sid); Map<String, String> userInfo = userInfoMap.remove(sid);
if(userInfo != null) { if (userInfo != null) {
addAccountInstance(accountMgr, osAccount, (DataSource)dataSource); addAccountInstance(accountMgr, osAccount, (DataSource) dataSource);
updateOsAccount(osAccount, userInfo, groupMap.get(sid), regAbstractFile); updateOsAccount(osAccount, userInfo, groupMap.get(sid), regAbstractFile);
} }
} }
//add remaining userinfos as accounts; //add remaining userinfos as accounts;
for (Map<String, String> userInfo : userInfoMap.values()) { for (Map<String, String> userInfo : userInfoMap.values()) {
OsAccount osAccount = accountMgr.newWindowsOsAccount(userInfo.get(SID_KEY), null, null, host, OsAccountRealm.RealmScope.LOCAL); OsAccount osAccount = accountMgr.newWindowsOsAccount(userInfo.get(SID_KEY), null, null, host, OsAccountRealm.RealmScope.LOCAL);
accountMgr.newOsAccountInstance(osAccount, (DataSource)dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED); accountMgr.newOsAccountInstance(osAccount, (DataSource) dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED);
updateOsAccount(osAccount, userInfo, groupMap.get(userInfo.get(SID_KEY)), regAbstractFile); updateOsAccount(osAccount, userInfo, groupMap.get(userInfo.get(SID_KEY)), regAbstractFile);
} }
return true; return true;
@ -1137,10 +1137,9 @@ class ExtractRegistry extends Extract {
logger.log(Level.WARNING, "Error building the document parser: {0}", ex); //NON-NLS logger.log(Level.WARNING, "Error building the document parser: {0}", ex); //NON-NLS
} catch (TskDataException | TskCoreException ex) { } catch (TskDataException | TskCoreException ex) {
logger.log(Level.WARNING, "Error updating TSK_OS_ACCOUNT artifacts to include newly parsed data.", ex); //NON-NLS logger.log(Level.WARNING, "Error updating TSK_OS_ACCOUNT artifacts to include newly parsed data.", ex); //NON-NLS
} catch (OsAccountManager.NotUserSIDException ex) { } catch (OsAccountManager.NotUserSIDException ex) {
logger.log(Level.WARNING, "Error creating OS Account, input SID is not a user SID.", ex); //NON-NLS logger.log(Level.WARNING, "Error creating OS Account, input SID is not a user SID.", ex); //NON-NLS
} } finally {
finally {
if (!getIngestJobContext().dataSourceIngestIsCancelled()) { if (!getIngestJobContext().dataSourceIngestIsCancelled()) {
postArtifacts(newArtifacts); postArtifacts(newArtifacts);
} }
@ -1280,7 +1279,7 @@ class ExtractRegistry extends Extract {
attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME, getDisplayName(), userName)); attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME, getDisplayName(), userName));
attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, getDisplayName(), progRunDateTime)); attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, getDisplayName(), progRunDateTime));
attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COMMENT, getDisplayName(), comment)); attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COMMENT, getDisplayName(), comment));
try { try {
BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_PROG_RUN, regFile, attributes); BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_PROG_RUN, regFile, attributes);
bbartifacts.add(bba); bbartifacts.add(bba);
@ -1294,7 +1293,7 @@ class ExtractRegistry extends Extract {
line = reader.readLine(); line = reader.readLine();
} }
if (!bbartifacts.isEmpty() && !getIngestJobContext().dataSourceIngestIsCancelled()) { if (!bbartifacts.isEmpty() && !getIngestJobContext().dataSourceIngestIsCancelled()) {
postArtifacts(bbartifacts); postArtifacts(bbartifacts);
} }
} }
@ -1348,7 +1347,7 @@ class ExtractRegistry extends Extract {
attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName)); attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName));
attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, getDisplayName(), adobeUsedTime)); attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, getDisplayName(), adobeUsedTime));
attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment)); attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment));
try{ try {
BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes); BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes);
if (bba != null) { if (bba != null) {
bbartifacts.add(bba); bbartifacts.add(bba);
@ -1358,7 +1357,7 @@ class ExtractRegistry extends Extract {
bbartifacts.add(bba); bbartifacts.add(bba);
} }
} }
} catch(TskCoreException ex) { } catch (TskCoreException ex) {
logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex); logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex);
} }
line = reader.readLine(); line = reader.readLine();
@ -1400,7 +1399,7 @@ class ExtractRegistry extends Extract {
Collection<BlackboardAttribute> attributes = new ArrayList<>(); Collection<BlackboardAttribute> attributes = new ArrayList<>();
attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName)); attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName));
attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment)); attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment));
try{ try {
BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes); BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes);
if (bba != null) { if (bba != null) {
bbartifacts.add(bba); bbartifacts.add(bba);
@ -1413,7 +1412,7 @@ class ExtractRegistry extends Extract {
} }
} }
} }
} catch(TskCoreException ex) { } catch (TskCoreException ex) {
logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex); logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex);
} }
line = reader.readLine(); line = reader.readLine();
@ -1421,7 +1420,7 @@ class ExtractRegistry extends Extract {
line = line.trim(); line = line.trim();
} }
} }
if (!bbartifacts.isEmpty()&& !getIngestJobContext().dataSourceIngestIsCancelled()) { if (!bbartifacts.isEmpty() && !getIngestJobContext().dataSourceIngestIsCancelled()) {
postArtifacts(bbartifacts); postArtifacts(bbartifacts);
} }
} }
@ -1457,7 +1456,7 @@ class ExtractRegistry extends Extract {
Collection<BlackboardAttribute> attributes = new ArrayList<>(); Collection<BlackboardAttribute> attributes = new ArrayList<>();
attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName)); attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName));
attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment)); attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment));
try{ try {
BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes); BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes);
if (bba != null) { if (bba != null) {
bbartifacts.add(bba); bbartifacts.add(bba);
@ -1466,7 +1465,7 @@ class ExtractRegistry extends Extract {
bbartifacts.add(bba); bbartifacts.add(bba);
} }
} }
} catch(TskCoreException ex) { } catch (TskCoreException ex) {
logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex); logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex);
} }
} }
@ -1510,14 +1509,14 @@ class ExtractRegistry extends Extract {
Collection<BlackboardAttribute> attributes = new ArrayList<>(); Collection<BlackboardAttribute> attributes = new ArrayList<>();
attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName)); attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName));
attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment)); attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment));
try{ try {
BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes); BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes);
bbartifacts.add(bba); bbartifacts.add(bba);
bba = createAssociatedArtifact(FilenameUtils.normalize(fileName, true), bba); bba = createAssociatedArtifact(FilenameUtils.normalize(fileName, true), bba);
if (bba != null) { if (bba != null) {
bbartifacts.add(bba); bbartifacts.add(bba);
} }
} catch(TskCoreException ex) { } catch (TskCoreException ex) {
logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex); logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex);
} }
line = reader.readLine(); line = reader.readLine();
@ -1555,15 +1554,15 @@ class ExtractRegistry extends Extract {
Collection<BlackboardAttribute> attributes = new ArrayList<>(); Collection<BlackboardAttribute> attributes = new ArrayList<>();
attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName)); attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName));
attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment)); attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment));
try{ try {
BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes); BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes);
bbartifacts.add(bba); bbartifacts.add(bba);
bba = createAssociatedArtifact(FilenameUtils.normalize(fileName, true), bba); bba = createAssociatedArtifact(FilenameUtils.normalize(fileName, true), bba);
if (bba != null) { if (bba != null) {
bbartifacts.add(bba); bbartifacts.add(bba);
} }
} catch(TskCoreException ex) { } catch (TskCoreException ex) {
logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex); logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex);
} }
line = reader.readLine(); line = reader.readLine();
@ -1608,14 +1607,14 @@ class ExtractRegistry extends Extract {
attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName)); attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName));
attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, getDisplayName(), docDate)); attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, getDisplayName(), docDate));
attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment)); attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment));
try{ try {
BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes); BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes);
bbartifacts.add(bba); bbartifacts.add(bba);
bba = createAssociatedArtifact(FilenameUtils.normalize(fileName, true), bba); bba = createAssociatedArtifact(FilenameUtils.normalize(fileName, true), bba);
if (bba != null) { if (bba != null) {
bbartifacts.add(bba); bbartifacts.add(bba);
} }
} catch(TskCoreException ex) { } catch (TskCoreException ex) {
logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex); logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex);
} }
line = reader.readLine(); line = reader.readLine();
@ -1673,15 +1672,15 @@ class ExtractRegistry extends Extract {
attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName)); attributes.add(new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName));
attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, getDisplayName(), usedTime)); attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, getDisplayName(), usedTime));
attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment)); attributes.add(new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment));
try{ try {
BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes); BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes);
bbartifacts.add(bba); bbartifacts.add(bba);
bba = createAssociatedArtifact(FilenameUtils.normalize(fileName, true), bba); bba = createAssociatedArtifact(FilenameUtils.normalize(fileName, true), bba);
if (bba != null) { if (bba != null) {
bbartifacts.add(bba); bbartifacts.add(bba);
} }
} catch(TskCoreException ex) { } catch (TskCoreException ex) {
logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex); logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex);
} }
line = line.trim(); line = line.trim();
} }
@ -1720,8 +1719,8 @@ class ExtractRegistry extends Extract {
} }
/** /**
* Create a map of userids to usernames for all OS Accounts associated with the current * Create a map of userids to usernames for all OS Accounts associated with
* host in OsAccountManager. * the current host in OsAccountManager.
* *
* @param dataSource * @param dataSource
* *
@ -1732,55 +1731,53 @@ class ExtractRegistry extends Extract {
private Map<String, String> makeUserNameMap(Content dataSource) throws TskCoreException { private Map<String, String> makeUserNameMap(Content dataSource) throws TskCoreException {
Map<String, String> map = new HashMap<>(); Map<String, String> map = new HashMap<>();
for(OsAccount account: tskCase.getOsAccountManager().getOsAccounts(((DataSource)dataSource).getHost())) { for (OsAccount account : tskCase.getOsAccountManager().getOsAccounts(((DataSource) dataSource).getHost())) {
Optional<String> userName = account.getLoginName(); Optional<String> userName = account.getLoginName();
String address = account.getAddr().orElse(""); String address = account.getAddr().orElse("");
if(!address.isEmpty()) { if (!address.isEmpty()) {
map.put(address, userName.isPresent() ? userName.get() : ""); map.put(address, userName.isPresent() ? userName.get() : "");
} }
} }
return map; return map;
} }
/** /**
* Strip the machine sid off of the osAccountSID. The returned string will * Strip the machine sid off of the osAccountSID. The returned string will
* include everything in the osAccountSID up to the last -. * include everything in the osAccountSID up to the last -.
* *
* There must be at least three dashes in the SID for it to be useful. * There must be at least three dashes in the SID for it to be useful. The
* The sid is of a format S-R-X-Y1 where Y1 is the domain identifier which * sid is of a format S-R-X-Y1 where Y1 is the domain identifier which may
* may contain multiple dashes. Everything after the final dash is the * contain multiple dashes. Everything after the final dash is the relative
* relative identifier. For example * identifier. For example S-1-5-21-1004336348-1177238915-682003330-512
* S-1-5-21-1004336348-1177238915-682003330-512 *
* * In this example the domain identifier is
* In this example the domain identifier is * 21-1004336348-1177238915-682003330 The relative identifier is 512.
* 21-1004336348-1177238915-682003330 *
* The relative identifier is 512.
*
* In other words everything between the third and last dash is the domain * In other words everything between the third and last dash is the domain
* identifier. * identifier.
* *
* @param osAccountSID The SID of the os account. * @param osAccountSID The SID of the os account.
* *
* @return The Machine SID * @return The Machine SID
*/ */
private String stripRelativeIdentifierFromSID(String osAccountSID) { private String stripRelativeIdentifierFromSID(String osAccountSID) {
if(osAccountSID.split("-").length > 4) { if (osAccountSID.split("-").length > 4) {
int index = osAccountSID.lastIndexOf('-'); int index = osAccountSID.lastIndexOf('-');
return index > 1 ? osAccountSID.substring(0, index) : ""; return index > 1 ? osAccountSID.substring(0, index) : "";
} }
return ""; return "";
} }
private final List<String> machineSIDs = new ArrayList<>(); private final List<String> machineSIDs = new ArrayList<>();
/** /**
* Returns a mapping of user sids to user names. * Returns a mapping of user sids to user names.
* *
* @return SID to username map. Will be empty if none where found. * @return SID to username map. Will be empty if none where found.
*/ */
private Map<String, String> getUserNameMap() { private Map<String, String> getUserNameMap() {
if(userNameMap == null) { if (userNameMap == null) {
// Get a mapping of user sids to user names and save globally so it can be used for other areas // Get a mapping of user sids to user names and save globally so it can be used for other areas
// of the registry, ie: BAM key // of the registry, ie: BAM key
try { try {
@ -1792,7 +1789,7 @@ class ExtractRegistry extends Extract {
userNameMap = new HashMap<>(); userNameMap = new HashMap<>();
} }
} }
return userNameMap; return userNameMap;
} }
@ -1847,12 +1844,12 @@ class ExtractRegistry extends Extract {
attributes.add(new BlackboardAttribute(TSK_DATETIME_ACCESSED, getDisplayName(), time)); attributes.add(new BlackboardAttribute(TSK_DATETIME_ACCESSED, getDisplayName(), time));
} }
BlackboardArtifact artifact = createArtifactWithAttributes(getShellBagArtifact(), regFile, attributes); BlackboardArtifact artifact = createArtifactWithAttributes(getShellBagArtifact(), regFile, attributes);
artifacts.add(artifact); artifacts.add(artifact);
} }
} finally { } finally {
if(!getIngestJobContext().dataSourceIngestIsCancelled()) { if (!getIngestJobContext().dataSourceIngestIsCancelled()) {
postArtifacts(artifacts); postArtifacts(artifacts);
} }
} }
} }
@ -1871,7 +1868,7 @@ class ExtractRegistry extends Extract {
shellBagArtifactType = tskCase.getBlackboard().getOrAddArtifactType(SHELLBAG_ARTIFACT_NAME, Bundle.Shellbag_Artifact_Display_Name()); shellBagArtifactType = tskCase.getBlackboard().getOrAddArtifactType(SHELLBAG_ARTIFACT_NAME, Bundle.Shellbag_Artifact_Display_Name());
} catch (BlackboardException ex) { } catch (BlackboardException ex) {
throw new TskCoreException(String.format("Failed to get shell bag artifact type", SHELLBAG_ARTIFACT_NAME), ex); throw new TskCoreException(String.format("Failed to get shell bag artifact type", SHELLBAG_ARTIFACT_NAME), ex);
} }
} }
return shellBagArtifactType; return shellBagArtifactType;
@ -1942,7 +1939,7 @@ class ExtractRegistry extends Extract {
if (line.contains("Group Name")) { if (line.contains("Group Name")) {
String value = line.replaceAll("Group Name\\s*?:", "").trim(); String value = line.replaceAll("Group Name\\s*?:", "").trim();
groupName = (value.replaceAll("\\[\\d*?\\]", "")).trim(); groupName = (value.replaceAll("\\[\\d*?\\]", "")).trim();
int startIndex = value.indexOf(" [") + 1; int startIndex = value.indexOf(" [") + 1;
int endIndex = value.indexOf(']'); int endIndex = value.indexOf(']');
if (startIndex != -1 && endIndex != -1) { if (startIndex != -1 && endIndex != -1) {
@ -2020,7 +2017,7 @@ class ExtractRegistry extends Extract {
public String autopsyPlugins = ""; public String autopsyPlugins = "";
public String fullPlugins = ""; public String fullPlugins = "";
} }
/** /**
* Updates an existing or creates a new OsAccount with the given attributes. * Updates an existing or creates a new OsAccount with the given attributes.
* *
@ -2036,19 +2033,19 @@ class ExtractRegistry extends Extract {
private void createOrUpdateOsAccount(AbstractFile file, String sid, String userName, String homeDir, String domainName, OsAccountRealm.RealmScope realmScope) throws TskCoreException, TskDataException, NotUserSIDException { private void createOrUpdateOsAccount(AbstractFile file, String sid, String userName, String homeDir, String domainName, OsAccountRealm.RealmScope realmScope) throws TskCoreException, TskDataException, NotUserSIDException {
OsAccountManager accountMgr = tskCase.getOsAccountManager(); OsAccountManager accountMgr = tskCase.getOsAccountManager();
HostManager hostMrg = tskCase.getHostManager(); HostManager hostMrg = tskCase.getHostManager();
Host host = hostMrg.getHostByDataSource((DataSource)dataSource); Host host = hostMrg.getHostByDataSource((DataSource) dataSource);
Optional<OsAccount> optional = accountMgr.getWindowsOsAccount(sid, null, null, host); Optional<OsAccount> optional = accountMgr.getWindowsOsAccount(sid, null, null, host);
OsAccount osAccount; OsAccount osAccount;
if (!optional.isPresent()) { if (!optional.isPresent()) {
osAccount = accountMgr.newWindowsOsAccount(sid, userName != null && userName.isEmpty() ? null : userName, domainName, host, realmScope); osAccount = accountMgr.newWindowsOsAccount(sid, userName != null && userName.isEmpty() ? null : userName, domainName, host, realmScope);
accountMgr.newOsAccountInstance(osAccount, (DataSource)dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED); accountMgr.newOsAccountInstance(osAccount, (DataSource) dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED);
} else { } else {
osAccount = optional.get(); osAccount = optional.get();
addAccountInstance(accountMgr, osAccount, (DataSource)dataSource); addAccountInstance(accountMgr, osAccount, (DataSource) dataSource);
if (userName != null && !userName.isEmpty()) { if (userName != null && !userName.isEmpty()) {
OsAccountUpdateResult updateResult= accountMgr.updateCoreWindowsOsAccountAttributes(osAccount, null, userName, (domainName == null || domainName.isEmpty()) ? null : domainName, host); OsAccountUpdateResult updateResult = accountMgr.updateCoreWindowsOsAccountAttributes(osAccount, null, userName, (domainName == null || domainName.isEmpty()) ? null : domainName, host);
osAccount = updateResult.getUpdatedAccount().orElse(osAccount); osAccount = updateResult.getUpdatedAccount().orElse(osAccount);
} }
} }
@ -2111,7 +2108,7 @@ class ExtractRegistry extends Extract {
* @throws TskCoreException * @throws TskCoreException
*/ */
private void updateOsAccount(OsAccount osAccount, Map<String, String> userInfo, List<String> groupList, AbstractFile regFile) throws TskDataException, TskCoreException, NotUserSIDException { private void updateOsAccount(OsAccount osAccount, Map<String, String> userInfo, List<String> groupList, AbstractFile regFile) throws TskDataException, TskCoreException, NotUserSIDException {
Host host = ((DataSource)dataSource).getHost(); Host host = ((DataSource) dataSource).getHost();
SimpleDateFormat regRipperTimeFormat = new SimpleDateFormat("EEE MMM dd HH:mm:ss yyyy 'Z'", US); SimpleDateFormat regRipperTimeFormat = new SimpleDateFormat("EEE MMM dd HH:mm:ss yyyy 'Z'", US);
regRipperTimeFormat.setTimeZone(getTimeZone("GMT")); regRipperTimeFormat.setTimeZone(getTimeZone("GMT"));
@ -2119,7 +2116,7 @@ class ExtractRegistry extends Extract {
List<OsAccountAttribute> attributes = new ArrayList<>(); List<OsAccountAttribute> attributes = new ArrayList<>();
Long creationTime = null; Long creationTime = null;
String value = userInfo.get(ACCOUNT_CREATED_KEY); String value = userInfo.get(ACCOUNT_CREATED_KEY);
if (value != null && !value.isEmpty() && !value.equals(NEVER_DATE)) { if (value != null && !value.isEmpty() && !value.equals(NEVER_DATE)) {
creationTime = parseRegRipTime(value); creationTime = parseRegRipTime(value);
@ -2134,9 +2131,9 @@ class ExtractRegistry extends Extract {
osAccount, host, regFile)); osAccount, host, regFile));
} }
} }
String loginName = null; String loginName = null;
value = userInfo.get(USERNAME_KEY); value = userInfo.get(USERNAME_KEY);
if (value != null && !value.isEmpty()) { if (value != null && !value.isEmpty()) {
loginName = value; loginName = value;
} }
@ -2153,7 +2150,7 @@ class ExtractRegistry extends Extract {
// and "Default Guest Acct" // and "Default Guest Acct"
value = userInfo.get(ACCOUNT_TYPE_KEY); value = userInfo.get(ACCOUNT_TYPE_KEY);
if (value != null && !value.isEmpty() && value.toLowerCase().contains("admin")) { if (value != null && !value.isEmpty() && value.toLowerCase().contains("admin")) {
attributes.add(createOsAccountAttribute(ATTRIBUTE_TYPE.TSK_IS_ADMIN, attributes.add(createOsAccountAttribute(ATTRIBUTE_TYPE.TSK_IS_ADMIN,
1, osAccount, host, regFile)); 1, osAccount, host, regFile));
} }
@ -2237,22 +2234,21 @@ class ExtractRegistry extends Extract {
// add the attributes to account. // add the attributes to account.
OsAccountManager accountMgr = tskCase.getOsAccountManager(); OsAccountManager accountMgr = tskCase.getOsAccountManager();
accountMgr.addExtendedOsAccountAttributes(osAccount, attributes); accountMgr.addExtendedOsAccountAttributes(osAccount, attributes);
// update the loginname // update the loginname
accountMgr.updateCoreWindowsOsAccountAttributes(osAccount, null, loginName, null, host); accountMgr.updateCoreWindowsOsAccountAttributes(osAccount, null, loginName, null, host);
// update other standard attributes - fullname, creationdate // update other standard attributes - fullname, creationdate
accountMgr.updateStandardOsAccountAttributes(osAccount, fullName, null, null, creationTime); accountMgr.updateStandardOsAccountAttributes(osAccount, fullName, null, null, creationTime);
} }
/** /**
* Create comma separated list from the set values for the given keys. * Create comma separated list from the set values for the given keys.
* *
* @param keys List of map keys. * @param keys List of map keys.
* @param map Data map. * @param map Data map.
* *
* @return Comma separated String of values. * @return Comma separated String of values.
*/ */
private String getSettingsFromMap(String[] keys, Map<String, String> map) { private String getSettingsFromMap(String[] keys, Map<String, String> map) {
@ -2316,38 +2312,39 @@ class ExtractRegistry extends Extract {
private OsAccountAttribute createOsAccountAttribute(BlackboardAttribute.ATTRIBUTE_TYPE type, Integer value, OsAccount osAccount, Host host, AbstractFile file) { private OsAccountAttribute createOsAccountAttribute(BlackboardAttribute.ATTRIBUTE_TYPE type, Integer value, OsAccount osAccount, Host host, AbstractFile file) {
return osAccount.new OsAccountAttribute(new BlackboardAttribute.Type(type), value, osAccount, host, file); return osAccount.new OsAccountAttribute(new BlackboardAttribute.Type(type), value, osAccount, host, file);
} }
/** /**
* Adds an account instance for the given data source if one does not already * Adds an account instance for the given data source if one does not
* exist. * already exist.
* *
* @param accountMgr * @param accountMgr
* @param osAccount * @param osAccount
* @param dataSource * @param dataSource
* @throws TskCoreException *
* @throws TskCoreException
*/ */
private void addAccountInstance(OsAccountManager accountMgr, OsAccount osAccount, DataSource dataSource) throws TskCoreException { private void addAccountInstance(OsAccountManager accountMgr, OsAccount osAccount, DataSource dataSource) throws TskCoreException {
accountMgr.newOsAccountInstance(osAccount, dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED); accountMgr.newOsAccountInstance(osAccount, dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED);
} }
/** /**
* Add the domainId of the given account sid to the sam domain id list. * Add the domainId of the given account sid to the sam domain id list.
* *
* @param sid OS account sid * @param sid OS account sid
*/ */
private void addSIDToSAMList(String sid) { private void addSIDToSAMList(String sid) {
String relativeID = stripRelativeIdentifierFromSID(sid); String relativeID = stripRelativeIdentifierFromSID(sid);
if(!relativeID.isEmpty() && !samDomainIDsList.contains(relativeID)) { if (!relativeID.isEmpty() && !samDomainIDsList.contains(relativeID)) {
samDomainIDsList.add(relativeID); samDomainIDsList.add(relativeID);
} }
} }
/** /**
* Returns true if the domain id of the os account sid is in the list * Returns true if the domain id of the os account sid is in the list of
* of domain ids seen when parsing the sam file. * domain ids seen when parsing the sam file.
* *
* @param osAccountSID * @param osAccountSID
* *
* @return If the domainID is in the same file list. * @return If the domainID is in the same file list.
*/ */
private boolean isDomainIdInSAMList(String osAccountSID) { private boolean isDomainIdInSAMList(String osAccountSID) {