From 5cc1e7f6853e7534792471b106ddcb1d3477b60a Mon Sep 17 00:00:00 2001 From: Karl Mortensen Date: Mon, 17 Nov 2014 10:24:48 -0500 Subject: [PATCH 1/5] Update Photorec XML parsing to use built-in parser --- .../PhotoRecCarverOutputParser.java | 91 ++++++++----------- 1 file changed, 39 insertions(+), 52 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/modules/photoreccarver/PhotoRecCarverOutputParser.java b/Core/src/org/sleuthkit/autopsy/modules/photoreccarver/PhotoRecCarverOutputParser.java index a6cbd4449e..6b24dfd9dc 100755 --- a/Core/src/org/sleuthkit/autopsy/modules/photoreccarver/PhotoRecCarverOutputParser.java +++ b/Core/src/org/sleuthkit/autopsy/modules/photoreccarver/PhotoRecCarverOutputParser.java @@ -18,13 +18,10 @@ */ package org.sleuthkit.autopsy.modules.photoreccarver; -import java.io.BufferedReader; import java.io.File; import java.io.FileNotFoundException; -import java.io.FileReader; import java.io.IOException; import java.nio.file.Path; -import java.nio.file.Paths; import java.util.ArrayList; import java.util.Collections; import java.util.List; @@ -32,11 +29,15 @@ import java.util.logging.Level; import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.services.FileManager; import org.sleuthkit.autopsy.coreutils.Logger; +import org.sleuthkit.autopsy.coreutils.XMLUtil; import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.LayoutFile; import org.sleuthkit.datamodel.CarvedFileContainer; import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskFileRange; +import org.w3c.dom.Document; +import org.w3c.dom.Element; +import org.w3c.dom.NodeList; /** * This class parses the xml output from PhotoRec, and creates a list of entries to add back in to be processed. 
@@ -73,66 +74,52 @@ class PhotoRecCarverOutputParser { * @throws IOException */ List parse(File xmlInputFile, long id, AbstractFile af) throws FileNotFoundException, IOException { - try (BufferedReader in = new BufferedReader(new FileReader(xmlInputFile))) { - String fileName; - long fileSize; - String result; - String[] fields; + try { + final Document doc = XMLUtil.loadDoc(PhotoRecCarverOutputParser.class, xmlInputFile.toString()); + if (doc == null) { + return null; + } + Element root = doc.getDocumentElement(); + if (root == null) { + logger.log(Level.SEVERE, "Error loading config file: invalid file format (bad root)."); //NON-NLS + return null; + } + + NodeList fileObjects = root.getElementsByTagName("fileobject"); //NON-NLS + final int numberOfFiles = fileObjects.getLength(); + + if (numberOfFiles == 0) { + return null; + } + NodeList fileNames; + NodeList fileSizes; + NodeList fileRanges; + Element entry; FileManager fileManager = Case.getCurrentCase().getServices().getFileManager(); // create and initialize the list to put into the database List carvedFileContainer = new ArrayList<>(); - // create and initialize a line - String line = in.readLine(); + for (int fileIndex = 0; fileIndex < numberOfFiles; ++fileIndex) { + entry = (Element) fileObjects.item(fileIndex); + fileNames = entry.getElementsByTagName("filename"); //NON-NLS + fileSizes = entry.getElementsByTagName("filesize"); //NON-NLS + fileRanges = entry.getElementsByTagName("byte_run"); //NON-NLS - // loop until an empty line is read - reachedEndOfFile: - while (!line.isEmpty()) { - while (!line.contains("")) //NON-NLS - { - if (line.equals("")) //NON-NLS - { // We have found the end. Break out of both loops and move on to processing. 
- line = ""; - break reachedEndOfFile; - } - line = in.readLine(); + List tskRanges = new ArrayList<>(); + for (int rangeIndex = 0; rangeIndex < fileRanges.getLength(); ++rangeIndex) { + Long img_offset = Long.parseLong(((Element) fileRanges.item(rangeIndex)).getAttribute("img_offset")); //NON-NLS + Long len = Long.parseLong(((Element) fileRanges.item(rangeIndex)).getAttribute("len")); //NON-NLS + tskRanges.add(new TskFileRange(af.convertToImgOffset(img_offset), len, rangeIndex)); } - - List ranges = new ArrayList<>(); - - // read filename line - line = in.readLine(); - fileName = getValue("filename", line); //NON-NLS - Path p = Paths.get(fileName); - if (p.startsWith(basePath)) { - fileName = p.getFileName().toString(); - } - - line = in.readLine(); /// read filesize line - fileSize = Long.parseLong(getValue("filesize", line)); //NON-NLS - - in.readLine(); /// eat a line and move on to the next - - line = in.readLine(); /// now get next valid line - while (line.contains("[\t ]*", ""); //NON-NLS - fields = result.split(" "); /// offset, image offset, length //NON-NLS - ranges.add((new TskFileRange(af.convertToImgOffset(Long.parseLong(fields[1])), Long.parseLong(fields[2]), ranges.size()))); - - // read the next line - line = in.readLine(); - } - carvedFileContainer.add(new CarvedFileContainer(fileName, fileSize, id, ranges)); + carvedFileContainer.add( + new CarvedFileContainer(fileNames.item(0).getTextContent(), Long.parseLong(fileSizes.item(0).getTextContent()), + id, tskRanges)); } return fileManager.addCarvedFiles(carvedFileContainer); } - catch (IOException | NumberFormatException | TskCoreException ex) { + catch (NumberFormatException | TskCoreException ex) { logger.log(Level.SEVERE, "Error parsing PhotoRec output and inserting it into the database: {0}", ex); //NON_NLS } From dfb81d9ac558e617103c29b77ab006ff63d61b4f Mon Sep 17 00:00:00 2001 
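Review bot: `fileNames.item(0).getTextContent()` and `fileSizes.item(0).getTextContent()` read the first child without checking that it exists, so a `fileobject` with no `filename` or `filesize` makes `item(0)` return null, and the resulting NullPointerException is not covered by `catch (NumberFormatException | TskCoreException ex)`. PhotoRec writes this report while carving the image under examination, so a truncated or malformed report.xml should be expected; guard each entry with `if (fileNames.getLength() == 0 || fileSizes.getLength() == 0) { continue; }` and log a warning. The `img_offset` and `len` values go straight from `Long.parseLong` into `new TskFileRange(...)`, and rejecting negative values first would keep bad ranges out of the case database. One unparsable attribute currently aborts the whole loop, so entries already parsed are never passed to `addCarvedFiles`. The body of `parse` continues past this hunk, so what it returns after the catch is not visible here.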
From: Karl Mortensen Date: Mon, 17 Nov 2014 11:23:32 -0500 Subject: [PATCH 2/5] Update Photorec XML parsing to clip paths from filenames --- .../photoreccarver/PhotoRecCarverOutputParser.java | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/modules/photoreccarver/PhotoRecCarverOutputParser.java b/Core/src/org/sleuthkit/autopsy/modules/photoreccarver/PhotoRecCarverOutputParser.java index 6b24dfd9dc..03c53202ae 100755 --- a/Core/src/org/sleuthkit/autopsy/modules/photoreccarver/PhotoRecCarverOutputParser.java +++ b/Core/src/org/sleuthkit/autopsy/modules/photoreccarver/PhotoRecCarverOutputParser.java @@ -22,6 +22,7 @@ import java.io.File; import java.io.FileNotFoundException; import java.io.IOException; import java.nio.file.Path; +import java.nio.file.Paths; import java.util.ArrayList; import java.util.Collections; import java.util.List; @@ -92,10 +93,13 @@ class PhotoRecCarverOutputParser { if (numberOfFiles == 0) { return null; } + String fileName; + Long fileSize; NodeList fileNames; NodeList fileSizes; NodeList fileRanges; Element entry; + Path filePath; FileManager fileManager = Case.getCurrentCase().getServices().getFileManager(); // create and initialize the list to put into the database @@ -107,6 +111,13 @@ class PhotoRecCarverOutputParser { fileSizes = entry.getElementsByTagName("filesize"); //NON-NLS fileRanges = entry.getElementsByTagName("byte_run"); //NON-NLS + fileSize=Long.parseLong(fileSizes.item(0).getTextContent()); + fileName=fileNames.item(0).getTextContent(); + filePath = Paths.get(fileName); + if (filePath.startsWith(basePath)) { + fileName = filePath.getFileName().toString(); + } + List tskRanges = new ArrayList<>(); for (int rangeIndex = 0; rangeIndex < fileRanges.getLength(); ++rangeIndex) { Long img_offset = Long.parseLong(((Element) fileRanges.item(rangeIndex)).getAttribute("img_offset")); //NON-NLS 
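Review bot: `Paths.get(fileName)` throws the unchecked `InvalidPathException` when the `filename` text from the report contains characters the platform rejects, and that type is not in the `catch (NumberFormatException | TskCoreException ex)` the first patch leaves on this method, so one bad name would escape `parse`; add it to the multi-catch or handle it per entry. The clip runs only when `filePath.startsWith(basePath)`, so any other value keeps its directory components and is stored as the carved file's name; consider logging that mismatch rather than passing it through silently. `fileSize` is declared `Long` although `Long.parseLong` returns a primitive, and `long fileSize` would avoid the boxing. The enclosing loop and try block start and end outside this hunk.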
@@ -114,8 +125,7 @@ class PhotoRecCarverOutputParser { tskRanges.add(new TskFileRange(af.convertToImgOffset(img_offset), len, rangeIndex)); } carvedFileContainer.add( - new CarvedFileContainer(fileNames.item(0).getTextContent(), Long.parseLong(fileSizes.item(0).getTextContent()), - id, tskRanges)); + new CarvedFileContainer(fileName, fileSize, id, tskRanges)); } return fileManager.addCarvedFiles(carvedFileContainer); } From cb1826537d7186add0496da25a1534420db72b06 Mon Sep 17 00:00:00 2001 From: Karl Mortensen Date: Mon, 17 Nov 2014 11:53:56 -0500 Subject: [PATCH 3/5] Remove unused method --- .../photoreccarver/PhotoRecCarverOutputParser.java | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/modules/photoreccarver/PhotoRecCarverOutputParser.java b/Core/src/org/sleuthkit/autopsy/modules/photoreccarver/PhotoRecCarverOutputParser.java index 03c53202ae..ba33e173f7 100755 --- a/Core/src/org/sleuthkit/autopsy/modules/photoreccarver/PhotoRecCarverOutputParser.java +++ b/Core/src/org/sleuthkit/autopsy/modules/photoreccarver/PhotoRecCarverOutputParser.java @@ -52,17 +52,6 @@ class PhotoRecCarverOutputParser { basePath = base; } - /** - * Gets the value inside the XML element and returns it. Ignores leading whitespace. - * - * @param name The XML element we are looking for. - * @param line The line in which we are looking for the element. - * @return The String value found - */ - private static String getValue(String name, String line) { - return line.replaceAll("[\t ]*", ""); //NON-NLS - } - /** * Parses the given report.xml file, creating a List to return. Uses FileManager to add all carved files * that it finds to the TSK database as $CarvedFiles under the passed-in parent id. From fa8a3597b2844e99f6e84999926a4e4422ae0c40 Mon Sep 17 00:00:00 2001 
From: Karl Mortensen Date: Mon, 17 Nov 2014 15:39:22 -0500 Subject: [PATCH 4/5] Fix report generation to include more artifacts and attributes --- .../datamodel/BlackboardArtifactNode.java | 2 + .../autopsy/datamodel/ExtractedContent.java | 2 + .../modules/android/CallLogAnalyzer.java | 7 +- .../autopsy/modules/iOS/CallLogAnalyzer.java | 9 +- .../modules/iOS/TextMessageAnalyzer.java | 11 +- .../autopsy/report/Bundle.properties | 22 +++ .../autopsy/report/ReportGenerator.java | 150 ++++++++++++++---- .../sleuthkit/autopsy/report/ReportHTML.java | 25 ++- .../timeline/events/type/MiscTypes.java | 2 +- .../timeline/events/type/WebTypes.java | 2 +- .../autopsy/recentactivity/Chrome.java | 8 +- .../autopsy/recentactivity/ExtractIE.java | 5 + 12 files changed, 209 insertions(+), 36 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/BlackboardArtifactNode.java b/Core/src/org/sleuthkit/autopsy/datamodel/BlackboardArtifactNode.java index df07fe90bc..dd75fba0e7 100644 --- a/Core/src/org/sleuthkit/autopsy/datamodel/BlackboardArtifactNode.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/BlackboardArtifactNode.java @@ -399,6 +399,8 @@ public class BlackboardArtifactNode extends DisplayableItemNode { return "green-tag-icon-16.png"; //NON-NLS case TSK_METADATA_EXIF: return "camera-icon-16.png"; //NON-NLS + case TSK_EMAIL_MSG: + return "mail-icon-16.png"; //NON-NLS case TSK_CONTACT: return "contact.png"; //NON-NLS case TSK_MESSAGE: diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/ExtractedContent.java b/Core/src/org/sleuthkit/autopsy/datamodel/ExtractedContent.java index 7be1f68965..1b8966f5e6 100644 --- a/Core/src/org/sleuthkit/autopsy/datamodel/ExtractedContent.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/ExtractedContent.java 
@@ -307,6 +307,8 @@ public class ExtractedContent implements AutopsyVisitableItem { return "searchquery.png"; //NON-NLS case TSK_METADATA_EXIF: return "camera-icon-16.png"; //NON-NLS + case TSK_EMAIL_MSG: + return "mail-icon-16.png"; //NON-NLS case TSK_CONTACT: return "contact.png"; //NON-NLS case TSK_MESSAGE: diff --git a/Core/src/org/sleuthkit/autopsy/modules/android/CallLogAnalyzer.java b/Core/src/org/sleuthkit/autopsy/modules/android/CallLogAnalyzer.java index d85755bce5..5f06532860 100755 --- a/Core/src/org/sleuthkit/autopsy/modules/android/CallLogAnalyzer.java +++ b/Core/src/org/sleuthkit/autopsy/modules/android/CallLogAnalyzer.java @@ -93,7 +93,12 @@ class CallLogAnalyzer { try { BlackboardArtifact bba = f.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_CALLLOG); //create a call log and then add attributes from result set. - bba.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PHONE_NUMBER.getTypeID(), moduleName, number)); + if(direction == CallDirection.OUTGOING) { + bba.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO.getTypeID(), moduleName, number)); + } + else { /// Covers INCOMING and MISSED + bba.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM.getTypeID(), moduleName, number)); + } bba.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_START.getTypeID(), moduleName, date)); bba.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_END.getTypeID(), moduleName, duration + date)); bba.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DIRECTION.getTypeID(), moduleName, directionString)); diff --git a/Core/src/org/sleuthkit/autopsy/modules/iOS/CallLogAnalyzer.java b/Core/src/org/sleuthkit/autopsy/modules/iOS/CallLogAnalyzer.java index 7de74ab10d..38831120e0 100755 --- a/Core/src/org/sleuthkit/autopsy/modules/iOS/CallLogAnalyzer.java +++ b/Core/src/org/sleuthkit/autopsy/modules/iOS/CallLogAnalyzer.java 
@@ -102,9 +102,14 @@ class CallLogAnalyzer { duration = resultSet.getString("duration"); date = resultSet.getString("date"); type = resultSet.getString("type"); - + bba = f.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_CALLLOG); //create a call log and then add attributes from result set. - bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER.getTypeID(), moduleName, number)); + if(type.equalsIgnoreCase("outgoing")) { + bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO.getTypeID(), moduleName, number)); + } + else { /// Covers INCOMING and MISSED + bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM.getTypeID(), moduleName, number)); + } bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_START.getTypeID(), moduleName, date)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_END.getTypeID(), moduleName, duration + date)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DIRECTION.getTypeID(), moduleName, type)); diff --git a/Core/src/org/sleuthkit/autopsy/modules/iOS/TextMessageAnalyzer.java b/Core/src/org/sleuthkit/autopsy/modules/iOS/TextMessageAnalyzer.java index 3cf2e6ba91..434bcd0ea0 100755 --- a/Core/src/org/sleuthkit/autopsy/modules/iOS/TextMessageAnalyzer.java +++ b/Core/src/org/sleuthkit/autopsy/modules/iOS/TextMessageAnalyzer.java 
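Review bot: `type.equalsIgnoreCase("outgoing")` is called on the value from `resultSet.getString("type")`, which is null when the column is NULL in the device database, so one such row throws a NullPointerException before the artifact receives any attributes. Writing it as `if ("outgoing".equalsIgnoreCase(type)) {` is null-safe and keeps the same branches. The `else` files every other value under `TSK_PHONE_NUMBER_FROM`, not only incoming and missed calls, so the comment should say that unknown types land there too. The surrounding try/catch is outside the hunk, so how such an exception would be handled is not visible here.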
@@ -105,13 +105,20 @@ class TextMessageAnalyzer { bba = f.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_MESSAGE); //create Message artifact and then add attributes from result set. // @@@ NEed to put into more specific TO or FROM - bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER.getTypeID(), moduleName, address)); + + if (type.equals("1")) { + bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DIRECTION.getTypeID(), moduleName, "Incoming")); + bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM.getTypeID(), moduleName, address)); + } + else { + bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DIRECTION.getTypeID(), moduleName, "Outgoing")); + bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO.getTypeID(), moduleName, address)); + } bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), moduleName, date)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DIRECTION.getTypeID(), moduleName, type)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SUBJECT.getTypeID(), moduleName, subject)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TEXT.getTypeID(), moduleName, body)); bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MESSAGE_TYPE.getTypeID(), moduleName, "SMS Message")); - } } catch (Exception e) { diff --git a/Core/src/org/sleuthkit/autopsy/report/Bundle.properties b/Core/src/org/sleuthkit/autopsy/report/Bundle.properties index 1782170bc7..c12c35aedb 100644 --- a/Core/src/org/sleuthkit/autopsy/report/Bundle.properties +++ b/Core/src/org/sleuthkit/autopsy/report/Bundle.properties 
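Review bot: The new branches add `TSK_DIRECTION` as "Incoming" or "Outgoing", but the unchanged line two statements below still adds `TSK_DIRECTION` with the raw `type` value, so each message artifact ends up with two direction attributes; the old `addAttribute(... TSK_DIRECTION ..., type)` line should be removed. `type.equals("1")` fails with a NullPointerException if the value, presumably read from the result set, is null; `"1".equals(type)` avoids that. Every value other than "1" is reported as outgoing, which could mislabel other message types if the schema has them, so this is worth confirming against the table. The `// @@@ NEed to put into more specific TO or FROM` comment kept above the branch is now stale and can be dropped.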
@@ -118,9 +118,16 @@ ReportGenerator.artTableColHdr.text=Text
 ReportGenerator.artTableColHdr.domain=Domain
 ReportGenerator.artTableColHdr.dateTaken=Date Taken
 ReportGenerator.artTableColHdr.devManufacturer=Device Manufacturer
+ReportGenerator.artTableColHdr.devMake=Device Make
 ReportGenerator.artTableColHdr.devModel=Device Model
 ReportGenerator.artTableColHdr.latitude=Latitude
 ReportGenerator.artTableColHdr.longitude=Longitude
+ReportGenerator.artTableColHdr.latitudeStart=Starting Latitude
+ReportGenerator.artTableColHdr.longitudeStart=Starting Longitude
+ReportGenerator.artTableColHdr.latitudeEnd=Ending Latitude
+ReportGenerator.artTableColHdr.longitudeEnd=Ending Longitude
+ReportGenerator.artTableColHdr.associatedArtifact=Associated Artifact
+ReportGenerator.artTableColHdr.count=Count
 ReportGenerator.artTableColHdr.personName=Person Name
 ReportGenerator.artTableColHdr.phoneNumber=Phone Number
 ReportGenerator.artTableColHdr.phoneNumHome=Phone Number (Home)
@@ -135,6 +142,20 @@ ReportGenerator.artTableColHdr.fromEmail=From Email
 ReportGenerator.artTableColHdr.toPhoneNum=To Phone Number
 ReportGenerator.artTableColHdr.toEmail=To Email
 ReportGenerator.artTableColHdr.subject=Subject
+ReportGenerator.artTableColHdr.tskEmailTo=E-Mail To
+ReportGenerator.artTableColHdr.tskEmailCc=E-Mail CC
+ReportGenerator.artTableColHdr.tskEmailBcc=E-Mail BCC
+ReportGenerator.artTableColHdr.tskEmailFrom=E-Mail From
+ReportGenerator.artTableColHdr.tskMsgId=Message ID
+ReportGenerator.artTableColHdr.tskMsgReplyId=Message Reply ID
+ReportGenerator.artTableColHdr.tskDateTimeRcvd=Date Received
+ReportGenerator.artTableColHdr.tskDateTimeSent=Date Sent
+ReportGenerator.artTableColHdr.tskSubject=Subject
+ReportGenerator.artTableColHdr.tskTitle=Title
+ReportGenerator.artTableColHdr.tskSetName=Set Name
+ReportGenerator.artTableColHdr.tskInterestingFilesCategory=Rule
+ReportGenerator.artTableColHdr.tskGpsRouteCategory=Category
+ReportGenerator.artTableColHdr.tskPath=Path
 ReportGenerator.artTableColHdr.calendarEntryType=Calendar Entry Type
 ReportGenerator.artTableColHdr.description=Description
 ReportGenerator.artTableColHdr.startDateTime=Start Date/Time
@@ -147,6 +168,7 @@ ReportGenerator.artTableColHdr.altitude=Altitude
 ReportGenerator.artTableColHdr.locationAddress=Location Address
 ReportGenerator.artTableColHdr.category=Category
 ReportGenerator.artTableColHdr.userId=User ID
+ReportGenerator.artTableColHdr.userName=User Name
 ReportGenerator.artTableColHdr.password=Password
 ReportGenerator.artTableColHdr.appName=App Name
 ReportGenerator.artTableColHdr.appPath=App Path
diff --git a/Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java b/Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java
index 4c9628e8f6..209c7d3f29 100644
--- a/Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java
+++ b/Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java
@@ -462,7 +462,7 @@ import org.sleuthkit.datamodel.TskData; type.getDisplayName())); } - // Keyword hits and hashset hit artifacts get sepcial handling. + // Keyword hits and hashset hit artifacts get special handling. if (type.equals(ARTIFACT_TYPE.TSK_KEYWORD_HIT)) { writeKeywordHits(tableModules, comment.toString(), tagNamesFilter); continue; @@ -491,10 +491,6 @@ import org.sleuthkit.datamodel.TskData; List columnHeaders = getArtifactTableColumnHeaders(type.getTypeID()); if (columnHeaders == null) { // @@@ Hack to prevent system from hanging. Better solution is to merge all attributes into a single column or analyze the artifacts to find out how many are needed. - MessageNotifyUtil.Notify.show( - NbBundle.getMessage(this.getClass(), "ReportGenerator.msgShow.skippingArtType.title", type), - NbBundle.getMessage(this.getClass(), "ReportGenerator.msgShow.skippingArtType.msg"), - MessageNotifyUtil.MessageType.ERROR); continue; } @@ -557,7 +553,7 @@ import org.sleuthkit.datamodel.TskData; } // Tell the modules reporting on content tags is beginning. - for (TableReportModule module : tableModules) { + for (TableReportModule module : tableModules) { // @@@ This casting is a tricky little workaround to allow the HTML report module to slip in a content hyperlink. // @@@ Alos Using the obsolete ARTIFACT_TYPE.TSK_TAG_FILE is also an expedient hack. tableProgress.get(module).updateStatusLabel( 
@@ -1186,9 +1182,10 @@ import org.sleuthkit.datamodel.TskData; NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.file"), NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.size")})); break; - case TSK_DEVICE_ATTACHED: + case TSK_DEVICE_ATTACHED: columnHeaders = new ArrayList<>(Arrays.asList(new String[] { - NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.name"), + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.devMake"), + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.devModel"), NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.deviceId"), NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.dateTime"), NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.srcFile")})); @@ -1208,6 +1205,7 @@ import org.sleuthkit.datamodel.TskData; NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.devModel"), NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.latitude"), NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.longitude"), + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.altitude"), NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.srcFile")})); break; case TSK_CONTACT: 
@@ -1237,7 +1235,8 @@ import org.sleuthkit.datamodel.TskData; case TSK_CALLLOG: columnHeaders = new ArrayList<>(Arrays.asList(new String[] { NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.personName"), - NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.phoneNumber"), + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.fromPhoneNum"), + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.toPhoneNum"), NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.dateTime"), NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.direction"), NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.srcFile") })); @@ -1319,12 +1318,6 @@ import org.sleuthkit.datamodel.TskData; NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.mailServer"), NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.srcFile") })); break; - case TSK_TOOL_OUTPUT: - columnHeaders = new ArrayList<>(Arrays.asList(new String[] { - NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.progName"), - NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.text"), - NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.srcFile")})); - break; case TSK_ENCRYPTION_DETECTED: columnHeaders = new ArrayList<>(Arrays.asList(new String[] { NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.name"), 
@@ -1344,6 +1337,55 @@ import org.sleuthkit.datamodel.TskData; NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.osInstallDate.text"), NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.srcFile")})); break; + case TSK_EMAIL_MSG: + columnHeaders = new ArrayList<>(Arrays.asList(new String[] { + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskEmailTo"), //TSK_EMAIL_TO + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskEmailFrom"), //TSK_EMAIL_FROM + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskSubject"), //TSK_SUBJECT + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskDateTimeSent"), //TSK_DATETIME_SENT + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskDateTimeRcvd"), //TSK_DATETIME_RCVD + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskPath"), //TSK_PATH + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskEmailCc"), //TSK_EMAIL_CC + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskEmailBcc"), //TSK_EMAIL_BCC + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskMsgId")})); //TSK_MSG_ID + break; + case TSK_INTERESTING_FILE_HIT: + columnHeaders = new ArrayList<>(Arrays.asList(new String[]{ + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskSetName"), //TSK_SET_NAME + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskInterestingFilesCategory"), //TSK_CATEGORY + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskPath")})); //TSK_PATH + break; + case TSK_GPS_ROUTE: + columnHeaders = new ArrayList<>(Arrays.asList(new String[]{ + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskGpsRouteCategory"), //TSK_CATEGORY + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.dateTime"), //TSK_DATETIME + 
NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.latitudeEnd"), //TSK_GEO_LATITUDE_END + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.longitudeEnd"), //TSK_GEO_LONGITUDE_END + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.latitudeStart"), //TSK_GEO_LATITUDE_START + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.longitudeStart"), //TSK_GEO_LONGITUDE_START + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.name"), //TSK_NAME + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.location"), //TSK_LOCATION + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.program")}));//TSK_PROG_NAME + break; + case TSK_INTERESTING_ARTIFACT_HIT: + columnHeaders = new ArrayList<>(Arrays.asList(new String[]{ + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskSetName"), //TSK_SET_NAME + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.associatedArtifact"), //TSK_ASSOCIATED_ARTIFACT + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.program")})); //TSK_PROG_NAME + break; + case TSK_PROG_RUN: + columnHeaders = new ArrayList<>(Arrays.asList(new String[]{ + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.program"), //TSK_PROG_NAME + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.associatedArtifact"), //TSK_ASSOCIATED_ARTIFACT + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.dateTime"), //TSK_DATETIME + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.count")})); //TSK_COUNT + break; + + case TSK_OS_ACCOUNT: + columnHeaders = new ArrayList<>(Arrays.asList(new String[]{ + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.userName"), //TSK_USER_NAME + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.userId")})); //TSK_USER_ID + break; default: return null; } 
@@ -1420,8 +1462,15 @@ import org.sleuthkit.datamodel.TskData; */ private String getFileUniquePath(long objId) { try { - return skCase.getAbstractFileById(objId).getUniquePath(); - } catch (TskCoreException ex) { + AbstractFile af = skCase.getAbstractFileById(objId); + if(af!=null) { + return af.getUniquePath(); + } + else { + return ""; + } + } + catch (TskCoreException ex) { logger.log(Level.WARNING, "Failed to get Abstract File by ID.", ex); //NON-NLS } return ""; @@ -1549,6 +1598,7 @@ import org.sleuthkit.datamodel.TskData; orderedRowData.add(getFileUniquePath(getObjectID())); break; case TSK_DEVICE_ATTACHED: + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_DEVICE_MAKE.getTypeID())); orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL.getTypeID())); orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_DEVICE_ID.getTypeID())); orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID())); @@ -1561,12 +1611,13 @@ import org.sleuthkit.datamodel.TskData; orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID())); orderedRowData.add(getFileUniquePath(getObjectID())); break; - case TSK_METADATA_EXIF: - orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID())); + case TSK_METADATA_EXIF: + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_DATETIME_CREATED.getTypeID())); orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_DEVICE_MAKE.getTypeID())); orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL.getTypeID())); orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_GEO_LATITUDE.getTypeID())); orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_GEO_LONGITUDE.getTypeID())); + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_GEO_ALTITUDE.getTypeID())); orderedRowData.add(getFileUniquePath(getObjectID())); break; case TSK_CONTACT: 
@@ -1593,7 +1644,8 @@ import org.sleuthkit.datamodel.TskData; break; case TSK_CALLLOG: orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_NAME.getTypeID())); - orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_PHONE_NUMBER.getTypeID())); + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM.getTypeID())); + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO.getTypeID())); orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_DATETIME_START.getTypeID())); orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_DIRECTION.getTypeID())); orderedRowData.add(getFileUniquePath(getObjectID())); @@ -1608,7 +1660,7 @@ import org.sleuthkit.datamodel.TskData; break; case TSK_SPEED_DIAL_ENTRY: orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_SHORTCUT.getTypeID())); - orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_NAME.getTypeID())); + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_NAME_PERSON.getTypeID())); orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_PHONE_NUMBER.getTypeID())); orderedRowData.add(getFileUniquePath(getObjectID())); break; @@ -1621,9 +1673,6 @@ import org.sleuthkit.datamodel.TskData; case TSK_GPS_TRACKPOINT: orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_GEO_LATITUDE.getTypeID())); orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_GEO_LONGITUDE.getTypeID())); - orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_GEO_ALTITUDE.getTypeID())); - orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_NAME.getTypeID())); - orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_LOCATION.getTypeID())); orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID())); orderedRowData.add(getFileUniquePath(getObjectID())); break; 
@@ -1667,7 +1716,7 @@ import org.sleuthkit.datamodel.TskData; orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_SERVER_NAME.getTypeID())); orderedRowData.add(getFileUniquePath(getObjectID())); break; - case TSK_TOOL_OUTPUT: + case TSK_TOOL_OUTPUT: orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID())); orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_TEXT.getTypeID())); orderedRowData.add(getFileUniquePath(getObjectID())); @@ -1676,7 +1725,7 @@ import org.sleuthkit.datamodel.TskData; orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_NAME.getTypeID())); orderedRowData.add(getFileUniquePath(getObjectID())); break; - case TSK_EXT_MISMATCH_DETECTED: + case TSK_EXT_MISMATCH_DETECTED: AbstractFile file = skCase.getAbstractFileById(getObjectID()); orderedRowData.add(file.getName()); orderedRowData.add(file.getNameExtension()); 
@@ -1688,12 +1737,59 @@ import org.sleuthkit.datamodel.TskData; } orderedRowData.add(file.getUniquePath()); break; - case TSK_OS_INFO: + case TSK_OS_INFO: orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_PROCESSOR_ARCHITECTURE.getTypeID())); orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID())); orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID())); orderedRowData.add(getFileUniquePath(getObjectID())); break; + case TSK_EMAIL_MSG: + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_EMAIL_TO.getTypeID())); + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_EMAIL_FROM.getTypeID())); + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_SUBJECT.getTypeID())); + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_DATETIME_SENT.getTypeID())); + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_DATETIME_RCVD.getTypeID())); + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_PATH.getTypeID())); + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_EMAIL_CC.getTypeID())); + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_EMAIL_BCC.getTypeID())); + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_MSG_ID.getTypeID())); + break; + case TSK_INTERESTING_FILE_HIT: + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID())); + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_CATEGORY.getTypeID())); + String pathToShow=mappedAttributes.get(ATTRIBUTE_TYPE.TSK_PATH.getTypeID()); + if (pathToShow.isEmpty()) + { + pathToShow=getFileUniquePath(getObjectID()); + } + orderedRowData.add(pathToShow); + break; + case TSK_GPS_ROUTE: + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_CATEGORY.getTypeID())); + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID())); + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_GEO_LATITUDE_END.getTypeID())); + 
orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_GEO_LONGITUDE_END.getTypeID())); + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_GEO_LATITUDE_START.getTypeID())); + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_GEO_LONGITUDE_START.getTypeID())); + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_NAME.getTypeID())); + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_LOCATION.getTypeID())); + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID())); + break; + case TSK_INTERESTING_ARTIFACT_HIT: + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID())); + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT.getTypeID())); + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID())); + break; + case TSK_PROG_RUN: + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID())); + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT.getTypeID())); + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID())); + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_COUNT.getTypeID())); + break; + case TSK_OS_ACCOUNT: + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_USER_NAME.getTypeID())); + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_USER_ID.getTypeID())); + break; } orderedRowData.add(makeCommaSeparatedList(getTags())); diff --git a/Core/src/org/sleuthkit/autopsy/report/ReportHTML.java b/Core/src/org/sleuthkit/autopsy/report/ReportHTML.java index b44c9755d0..257cdb732a 100644 --- a/Core/src/org/sleuthkit/autopsy/report/ReportHTML.java +++ b/Core/src/org/sleuthkit/autopsy/report/ReportHTML.java 
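Review bot: In the TSK_INTERESTING_FILE_HIT case `pathToShow.isEmpty()` is called directly on the result of `mappedAttributes.get(...)`, which throws a NullPointerException if the map has no entry for TSK_PATH. Unless the map is guaranteed to be pre-filled for every attribute type (its construction is outside this hunk), guard it with `if (pathToShow == null || pathToShow.isEmpty())`. Separately, the new TSK_EMAIL_MSG, TSK_GPS_ROUTE, TSK_INTERESTING_ARTIFACT_HIT, TSK_PROG_RUN and TSK_OS_ACCOUNT rows do not append `getFileUniquePath(getObjectID())` the way the older cases do, so those report rows carry no source-file path; please confirm that is intended and matches their header lists. The enclosing switch begins outside the hunk.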
@@ -230,7 +230,30 @@ import org.sleuthkit.datamodel.TskData.TSK_DB_FILES_TYPE_ENUM; case TSK_OS_INFO: in = getClass().getResourceAsStream("/org/sleuthkit/autopsy/report/images/computer.png"); //NON-NLS break; - + case TSK_GPS_TRACKPOINT: + in = getClass().getResourceAsStream("/org/sleuthkit/autopsy/report/images/gps_trackpoint.png"); //NON-NLS + break; + case TSK_GPS_ROUTE: + in = getClass().getResourceAsStream("/org/sleuthkit/autopsy/report/images/gps_trackpoint.png"); //NON-NLS + break; + case TSK_EMAIL_MSG: + in = getClass().getResourceAsStream("/org/sleuthkit/autopsy/images/mail-icon-16.png"); //NON-NLS + break; + case TSK_ENCRYPTION_DETECTED: + in = getClass().getResourceAsStream("/org/sleuthkit/autopsy/images/encrypted-file.png"); //NON-NLS + break; + case TSK_EXT_MISMATCH_DETECTED: + in = getClass().getResourceAsStream("/org/sleuthkit/autopsy/images/mismatch-16.png"); //NON-NLS + break; + case TSK_INTERESTING_ARTIFACT_HIT: + in = getClass().getResourceAsStream("/org/sleuthkit/autopsy/images/interesting_item.png"); //NON-NLS + break; + case TSK_INTERESTING_FILE_HIT: + in = getClass().getResourceAsStream("/org/sleuthkit/autopsy/images/interesting_item.png"); //NON-NLS + break; + case TSK_PROG_RUN: + in = getClass().getResourceAsStream("/org/sleuthkit/autopsy/report/images/installed.png"); //NON-NLS + break; default: logger.log(Level.WARNING, "useDataTypeIcon: unhandled artifact type = " + dataType); //NON-NLS in = getClass().getResourceAsStream("/org/sleuthkit/autopsy/report/images/star.png"); //NON-NLS diff --git a/Core/src/org/sleuthkit/autopsy/timeline/events/type/MiscTypes.java b/Core/src/org/sleuthkit/autopsy/timeline/events/type/MiscTypes.java index 68851e9caf..5555b0ce2c 100644 --- a/Core/src/org/sleuthkit/autopsy/timeline/events/type/MiscTypes.java +++ b/Core/src/org/sleuthkit/autopsy/timeline/events/type/MiscTypes.java 
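Review bot: The new cases load icons from two different resource directories (`/org/sleuthkit/autopsy/report/images/` and `/org/sleuthkit/autopsy/images/`), and `getResourceAsStream` returns null rather than throwing when a path is wrong, so a mistyped or missing file only shows up later where `in` is consumed, outside this hunk. A null check after the switch that falls back to the `star.png` default would keep one missing icon from affecting report generation. The cases that share an icon can also share a body, e.g. `case TSK_GPS_TRACKPOINT:` directly followed by `case TSK_GPS_ROUTE:`, and likewise for the two TSK_INTERESTING_* cases. The switch itself starts before the hunk.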
@@ -62,7 +62,7 @@ public enum MiscTypes implements EventType, ArtifactEventType { final BlackboardAttribute longEnd = attrMap.get(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LONGITUDE_END); return String.format("from %1$g %2$g to %3$g %4$g", latStart.getValueDouble(), longStart.getValueDouble(), latEnd.getValueDouble(), longEnd.getValueDouble()); }), - GPS_TRACKPOINT("Location History", "gps-trackpoint.png", + GPS_TRACKPOINT("Location History", "gps_trackpoint.png", BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_TRACKPOINT, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME, new AttributeExtractor(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME), diff --git a/Core/src/org/sleuthkit/autopsy/timeline/events/type/WebTypes.java b/Core/src/org/sleuthkit/autopsy/timeline/events/type/WebTypes.java index 6309320994..fddb451f29 100644 --- a/Core/src/org/sleuthkit/autopsy/timeline/events/type/WebTypes.java +++ b/Core/src/org/sleuthkit/autopsy/timeline/events/type/WebTypes.java @@ -43,7 +43,7 @@ public enum WebTypes implements EventType, ArtifactEventType { /** Override * {@link ArtifactEventType#parseAttributesHelper(org.sleuthkit.datamodel.BlackboardArtifact, java.util.Map)} - * with non default descritpion construction */ + * with non default description construction */ @Override public AttributeEventDescription parseAttributesHelper(BlackboardArtifact artf, Map attrMap) { long time = attrMap.get(getDateTimeAttrubuteType()).getValueLong(); diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java index abaaf2a84d..eea4f8be9a 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java 
@@ -536,10 +536,16 @@ class Chrome extends Extract { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME.getTypeID(), NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), ((result.get("username_value").toString() != null) ? result.get("username_value").toString().replaceAll("'", "''") : ""))); //NON-NLS - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), /// KDM DUPLIATE of TSK_DOMAIN! NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), result.get("signon_realm").toString())); //NON-NLS this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, signonFile, bbattributes); + + Collection osAcctAttributes = new ArrayList<>(); + osAcctAttributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME.getTypeID(), + NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), + ((result.get("username_value").toString() != null) ? result.get("username_value").toString().replaceAll("'", "''") : ""))); //NON-NLS + this.addArtifact(ARTIFACT_TYPE.TSK_OS_ACCOUNT, signonFile, osAcctAttributes); } dbFile.delete(); diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java index 0af6e1786a..a3bfc37015 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java 
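Review bot: The null test in the added TSK_USER_NAME attribute, `result.get("username_value").toString() != null`, can never be false, because `toString()` is invoked before the comparison; a missing `username_value` therefore raises a NullPointerException instead of yielding the empty string. Test the map value itself, e.g. `Object name = result.get("username_value");` followed by `String userName = (name != null) ? name.toString() : "";`. The expression is copied from the context lines above it, and the Chrome.java hunk of patch 5/5 shows the same pattern for `origin_url`. The `replaceAll("'", "''")` doubling also alters the username that is recorded as evidence; if the blackboard stores attribute values through bound parameters (not visible here) the escaping should be dropped. It is also worth confirming that a username saved for a web site belongs in a TSK_OS_ACCOUNT artifact.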
@@ -505,6 +505,11 @@ class ExtractIE extends Extract { NbBundle.getMessage(this.getClass(), "ExtractIE.parentModuleName.noSpace"), user)); bbart.addAttributes(bbattributes); + + + BlackboardArtifact osAttr = origFile.newArtifact(ARTIFACT_TYPE.TSK_OS_ACCOUNT); + osAttr.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME.getTypeID(), + NbBundle.getMessage(this.getClass(), "ExtractIE.parentModuleName.noSpace"), user)); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error writing Internet Explorer web history artifact to the blackboard.", ex); //NON-NLS } From d7deec052dc70880c2f0e5fe406868ca7024b831 Mon Sep 17 00:00:00 2001 From: Karl Mortensen Date: Mon, 17 Nov 2014 15:58:22 -0500 Subject: [PATCH 5/5] remove duplicate domain. Set it to TSK_URL_DECODED --- Core/src/org/sleuthkit/autopsy/report/Bundle.properties | 1 + Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java | 7 +++---- .../src/org/sleuthkit/autopsy/recentactivity/Chrome.java | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/report/Bundle.properties b/Core/src/org/sleuthkit/autopsy/report/Bundle.properties index c12c35aedb..f440813e43 100644 --- a/Core/src/org/sleuthkit/autopsy/report/Bundle.properties +++ b/Core/src/org/sleuthkit/autopsy/report/Bundle.properties @@ -99,6 +99,7 @@ ReportGenerator.artTableColHdr.url=URL ReportGenerator.artTableColHdr.title=Title ReportGenerator.artTableColHdr.dateCreated=Date Created ReportGenerator.artTableColHdr.program=Program +ReportGenerator.artTableColHdr.urlDomainDecoded=URL Domain ReportGenerator.artTableColHdr.srcFile=Source File ReportGenerator.artTableColHdr.dateTime=Date/Time ReportGenerator.artTableColHdr.name=Name diff --git a/Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java b/Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java index 209c7d3f29..6d102bc5b9 100644 --- a/Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java 
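Review bot: The new TSK_OS_ACCOUNT artifact is created inside the same try block as the web-history artifact, so a TskCoreException from `newArtifact` or `addAttribute` is logged as "Error writing Internet Explorer web history artifact to the blackboard.", which points an investigator at the wrong artifact. Give the account artifact its own try/catch with its own message, or widen the existing message to cover both. The variable `osAttr` holds an artifact rather than an attribute; `osAccountArtifact` would read better. If this block runs once per history record (the loop is outside the hunk), it will also create one account artifact per record for the same user, which deserves a de-duplication step or a comment explaining why duplicates are acceptable.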
+++ b/Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java @@ -1150,6 +1150,7 @@ import org.sleuthkit.datamodel.TskData; NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.referrer"), NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.title"), NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.program"), + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.urlDomainDecoded"), NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.srcFile")})); break; case TSK_WEB_DOWNLOAD: @@ -1268,11 +1269,8 @@ import org.sleuthkit.datamodel.TskData; columnHeaders = new ArrayList<>(Arrays.asList(new String[] { NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.latitude"), NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.longitude"), - NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.altitude"), - NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.name"), - NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.locationAddress"), NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.dateTime"), - NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.srcFile") })); + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.srcFile")})); break; case TSK_GPS_BOOKMARK: columnHeaders = new ArrayList<>(Arrays.asList(new String[] { 
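Review bot: The header added in the first hunk places "URL Domain" after "Program", but the row built in the later hunk at -1577 adds TSK_URL_DECODED before TSK_PROG_NAME, so the two columns would appear swapped relative to their headings in the report (assuming both hunks belong to the same artifact type, which the surrounding referrer/title lines suggest). Headers and row cells are matched by position only, so either move the new `urlDomainDecoded` header above the `program` entry or move the `TSK_URL_DECODED` line below the `TSK_PROG_NAME` line in the row hunk. A short comment on each case stating that the header order and the row order must be kept in step would help the next editor. Both switch statements start outside their hunks.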
@@ -1577,6 +1575,7 @@ import org.sleuthkit.datamodel.TskData; orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID())); orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID())); orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_TITLE.getTypeID())); + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID())); orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID())); orderedRowData.add(getFileUniquePath(getObjectID())); break; diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java index eea4f8be9a..0adba0b000 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java 
@@ -530,13 +530,13 @@ class Chrome extends Extract { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), NbBundle.getMessage(this.getClass(), "Chrome.moduleName"))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), (Util.extractDomain((result.get("origin_url").toString() != null) ? result.get("url").toString() : "")))); //NON-NLS bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME.getTypeID(), NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), ((result.get("username_value").toString() != null) ? result.get("username_value").toString().replaceAll("'", "''") : ""))); //NON-NLS - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), /// KDM DUPLIATE of TSK_DOMAIN! + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), result.get("signon_realm").toString())); //NON-NLS this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, signonFile, bbattributes);
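Review bot: The statement retagged to TSK_URL_DECODED tests `result.get("origin_url")` but then reads `result.get("url")` on the context line that follows, so the value handed to `Util.extractDomain` comes from a different key than the one that was checked, and a row without a `url` entry would raise a NullPointerException. Use one key for both and test the map value rather than its `toString()`, e.g. `Object origin = result.get("origin_url");` and `Util.extractDomain(origin != null ? origin.toString() : "")`. The stored value is a domain produced by `Util.extractDomain`, while the attribute type is named TSK_URL_DECODED; a one-line comment saying why that type is used for a domain would keep later readers of the case data from misinterpreting it. The enclosing method starts and ends outside the hunk.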