Read error logs and update plugins for errors

Read error logs and update plugins for errors.
Mark McKinnon 2020-05-14 09:05:20 -04:00
parent b7e50c30cc
commit 50c7a80e79
3 changed files with 32 additions and 5 deletions


@ -418,10 +418,31 @@ class ExtractRegistry extends Extract {
String errFilePath = outFilePathBase + "-full.err.txt"; //NON-NLS
logger.log(Level.INFO, "Writing Full RegRipper results to: {0}", regOutputFiles.fullPlugins); //NON-NLS
executeRegRipper(rrFullCmd, rrFullHome, regFilePath, fullType, regOutputFiles.fullPlugins, errFilePath);
try {
scanErrorLogs(errFilePath);
} catch (IOException ex) {
logger.log(Level.SEVERE, "Unable to run RegRipper", ex); //NON-NLS
this.addErrorMessage(NbBundle.getMessage(this.getClass(), "ExtractRegistry.execRegRip.errMsg.failedAnalyzeRegFile", this.getName()));
}
}
return regOutputFiles;
}
private void scanErrorLogs(String errFilePath) throws IOException {
File regfile = new File(errFilePath);
try (BufferedReader reader = new BufferedReader(new FileReader(regfile))) {
String line = reader.readLine();
while (line != null) {
line = line.trim();
if (line.contains("Error")) {
logger.log(Level.WARNING, "Regripper file {0} contains errors from run", errFilePath); //NON-NLS
}
line = reader.readLine();
}
}
}
private void executeRegRipper(List<String> regRipperPath, Path regRipperHomeDir, String hiveFilePath, String hiveFileType, String outputFile, String errFile) {
try {
List<String> commandLine = new ArrayList<>();
@ -1497,11 +1518,11 @@ class ExtractRegistry extends Extract {
line = line.trim();
// Reading to the SECTION DIVIDER to get next section of records to process. Dates appear to have
// multiple spaces in them that makes it harder to parse so next section will be easier to parse
while (!line.contains(SECTION_DIVIDER) && !line.contains("MSOffice version not found.")) {
while (!line.contains(SECTION_DIVIDER) && !line.contains("not found") && !line.contains("version 2010 located")) {
line = reader.readLine();
}
line = reader.readLine();
while (!line.contains(SECTION_DIVIDER) && !line.contains("MSOffice version not found.")) {
while (!line.contains(SECTION_DIVIDER) && !line.contains("not found")) {
// record has the following format
// 1294283922|REG|||OfficeDocs2010 - F:\Windows_time_Rules_xp.doc
String tokens[] = line.split("\\|");
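Review bot: The catch around `scanErrorLogs(errFilePath)` reports an IOException from reading the stderr log as "Unable to run RegRipper" and raises the failedAnalyzeRegFile user message, although executeRegRipper has already completed on the line above; a read failure of the .err.txt file should be logged for what it is, e.g. `logger.log(Level.WARNING, "Unable to read RegRipper error log {0}", errFilePath);` and the addErrorMessage call dropped from this catch (whether executeRegRipper reports its own failures is not visible here). In scanErrorLogs the same WARNING text is emitted once per matching line, so a long stderr file floods the log; a `break;` after the log call, or counting matches and logging once with the count, carries the same information. The check `line.contains("Error")` is case-sensitive and keyed on that one word, so stderr lines worded differently are silently missed — worth confirming against what RegRipper actually writes. In the second hunk the new conditions `!line.contains("not found")` still dereference `line` after `reader.readLine()`, which returns null at end of file, so a truncated plugin output throws a NullPointerException; prepend `line != null &&` to both loop conditions. The method containing the first hunk's try/catch starts before the hunk.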


@ -61,7 +61,11 @@ sub pluginmain {
# Get Zones and various security settings
foreach my $n (0..4) {
$zone = $key->get_subkey('Zones\\'.$n);
if (defined($zone->get_value("PMDisplayName"))) {
::rptMsg("Zone ".$n.": ".$zone->get_value("PMDisplayName")->get_data()." - ".$zone->get_value("Description")->get_data());
} else {
::rptMsg("Zone ".$n.": ".$zone->get_value("DisplayName")->get_data()." - ".$zone->get_value("Description")->get_data());
}
::rptMsg("LastWrite: ".gmtime($zone->get_timestamp()." UTC"));
my @vals = $zone->get_list_of_values();
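Review bot: The new `if (defined($zone->get_value("PMDisplayName")))` guards only one of the three values it reads: the `else` branch still calls `->get_data()` on `get_value("DisplayName")`, and both branches on `get_value("Description")`, so a zone that has neither display-name value, or no Description, dies inside the plugin and no output at all is produced. Resolve each value once into a lexical and fall back to an empty string when it is absent, as below. The `$zone` from `get_subkey('Zones\\'.$n)` on the line above is also used unchecked; elsewhere in this commit `get_subkey` is tested for truth, so a `next unless defined $zone;` before the lookups is advisable if it can return undef (confirm against the registry library in use). The surrounding `foreach` and `sub pluginmain` start and end outside the hunk, and the `gmtime(... ." UTC")` concatenation on the context line after the block is unchanged here.
```perl
foreach my $n (0..4) {
    $zone = $key->get_subkey('Zones\\'.$n);
    next unless defined $zone;    # a missing Zones\N subkey must not abort the plugin
    my $name_val = $zone->get_value("PMDisplayName");
    $name_val = $zone->get_value("DisplayName") unless defined $name_val;
    my $desc_val = $zone->get_value("Description");
    my $name = defined $name_val ? $name_val->get_data() : "";
    my $desc = defined $desc_val ? $desc_val->get_data() : "";
    ::rptMsg("Zone ".$n.": ".$name." - ".$desc);
    # ... unchanged: LastWrite line and value listing ...
```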


@ -47,8 +47,10 @@ sub pluginmain {
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("SearchScopes");
::rptMsg($key_path);
if (defined($key->get_value("DefaultScope"))) {
::rptMsg("DefaultScope: ".$key->get_value("DefaultScope")->get_data());
::rptMsg("");
}
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
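Review bot: The new guard `if (defined($key->get_value("DefaultScope")))` looks the value up twice, once for the test and once for the data; fetching it into a lexical reads more cleanly and avoids the second lookup: `my $default = $key->get_value("DefaultScope");` / `if (defined $default) {` / `::rptMsg("DefaultScope: ".$default->get_data());`. When the value is absent the plugin now prints nothing for it, so a reader of the report cannot tell whether the lookup was made; an `else` branch with a line such as `::rptMsg("DefaultScope value not found.");` records that, though note the Java parser changed in this commit treats lines containing "not found" as section terminators, so pick the wording with that in mind if this plugin's output is parsed there. The enclosing `sub pluginmain` starts before the hunk.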