Merge pull request #7796 from gdicristofaro/ileapp_aleapp_updates

Ileapp aleapp updates
This commit is contained in:
eugene7646 2023-06-14 11:04:27 -04:00 committed by GitHub
commit 565b81925e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 149 additions and 56 deletions


@ -220,6 +220,17 @@ public final class LeappFileProcessor {
loadConfigFile();
}
/**
* Generates a key trimmed and case-insensitive that can be used for a
* case-insensitive lookup in a map.
*
* @param origKey The original key.
* @return The normalized key.
*/
private static String normalizeKey(String origKey) {
return StringUtils.defaultString(origKey).trim().toLowerCase();
}
@NbBundle.Messages({
"LeappFileProcessor.error.running.Leapp=Error running Leapp, see log file.",
@ -280,7 +291,7 @@ public final class LeappFileProcessor {
.filter(f -> f.toLowerCase().endsWith(".tsv")).collect(Collectors.toList());
for (String tsvFile : allTsvFiles) {
if (tsvFiles.containsKey(FilenameUtils.getName(tsvFile.toLowerCase()))) {
if (tsvFiles.containsKey(normalizeKey(FilenameUtils.getName(tsvFile)))) {
foundTsvFiles.add(tsvFile);
}
}
@ -329,9 +340,10 @@ public final class LeappFileProcessor {
progress.progress(Bundle.LeappFileProcessor_tsvProcessed(fileName), i);
File LeappFile = new File(LeappFileName);
if (tsvFileAttributes.containsKey(fileName)) {
List<TsvColumn> attrList = tsvFileAttributes.get(fileName);
BlackboardArtifact.Type artifactType = tsvFileArtifacts.get(fileName);
String fileKey = fileName.toLowerCase().trim();
if (tsvFileAttributes.containsKey(normalizeKey(fileKey))) {
List<TsvColumn> attrList = tsvFileAttributes.get(normalizeKey(fileKey));
BlackboardArtifact.Type artifactType = tsvFileArtifacts.get(normalizeKey(fileKey));
try {
processFile(LeappFile, attrList, fileName, artifactType, dataSource);
@ -901,18 +913,15 @@ public final class LeappFileProcessor {
private Collection<BlackboardAttribute> processReadLine(List<String> lineValues, Map<String, Integer> columnIndexes,
List<TsvColumn> attrList, String fileName, int lineNum) throws IngestModuleException {
// if no attributes, return an empty row
if (MapUtils.isEmpty(columnIndexes) || CollectionUtils.isEmpty(lineValues)
|| (lineValues.size() == 1 && StringUtils.isEmpty(lineValues.get(0)))) {
return Collections.emptyList();
} else if (lineValues.size() != columnIndexes.size()) {
logger.log(Level.WARNING, String.format(
"Row at line number %d in file %s has %d columns when %d were expected based on the header row.",
lineNum, fileName, lineValues.size(), columnIndexes.size()));
return Collections.emptyList();
}
List<BlackboardAttribute> attrsToRet = new ArrayList<>();
for (TsvColumn colAttr : attrList) {
// if no matching attribute type, keep going
if (colAttr.getAttributeType() == null) {
// this handles columns that are currently ignored.
continue;
@ -926,22 +935,30 @@ public final class LeappFileProcessor {
String value = (columnIdx >= lineValues.size() || columnIdx < 0) ? null : lineValues.get(columnIdx);
if (value == null) {
logger.log(Level.WARNING, String.format("No value found for column %s at line %d in file %s. Omitting row.", colAttr.getColumnName(), lineNum, fileName));
return Collections.emptyList();
// if column is required, return empty for this row if no value
if (colAttr.isRequired()) {
logger.log(Level.WARNING, String.format("No value found for required column %s at line %d in file %s. Omitting row.", colAttr.getColumnName(), lineNum, fileName));
return Collections.emptyList();
} else {
// otherwise, continue to next column
logger.log(Level.WARNING, String.format("No value found for column %s at line %d in file %s. Omitting column.", colAttr.getColumnName(), lineNum, fileName));
continue;
}
}
String formattedValue = formatValueBasedOnAttrType(colAttr, value);
BlackboardAttribute attr = getAttribute(colAttr.getAttributeType(), formattedValue, fileName);
if (attr == null) {
if (attr != null) {
attrsToRet.add(attr);
} else if (colAttr.isRequired()) {
logger.log(Level.WARNING, String.format("Blackboard attribute could not be parsed column %s at line %d in file %s. Omitting row.", colAttr.getColumnName(), lineNum, fileName));
return Collections.emptyList();
}
attrsToRet.add(attr);
}
if (tsvFileArtifactComments.containsKey(fileName)) {
attrsToRet.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COMMENT, moduleName, tsvFileArtifactComments.get(fileName)));
if (tsvFileArtifactComments.containsKey(normalizeKey(fileName))) {
attrsToRet.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COMMENT, moduleName, tsvFileArtifactComments.get(normalizeKey(fileName))));
}
return attrsToRet;
@ -1121,7 +1138,7 @@ public final class LeappFileProcessor {
for (int i = 0; i < nlist.getLength(); i++) {
NamedNodeMap nnm = nlist.item(i).getAttributes();
tsvFiles.put(nnm.getNamedItem("filename").getNodeValue().toLowerCase(), nnm.getNamedItem("description").getNodeValue());
tsvFiles.put(normalizeKey(nnm.getNamedItem("filename").getNodeValue()), nnm.getNamedItem("description").getNodeValue());
}
@ -1147,11 +1164,11 @@ public final class LeappFileProcessor {
logger.log(Level.SEVERE, String.format("No known artifact mapping found for [artifact: %s, %s]",
artifactName, getXmlFileIdentifier(parentName)));
} else {
tsvFileArtifacts.put(parentName, foundArtifactType);
tsvFileArtifacts.put(normalizeKey(parentName), foundArtifactType);
}
if (!comment.toLowerCase().matches("null")) {
tsvFileArtifactComments.put(parentName, comment);
tsvFileArtifactComments.put(normalizeKey(parentName), comment);
}
}
@ -1213,14 +1230,14 @@ public final class LeappFileProcessor {
columnName.trim().toLowerCase(),
"yes".compareToIgnoreCase(required) == 0);
if (tsvFileAttributes.containsKey(parentName)) {
List<TsvColumn> attrList = tsvFileAttributes.get(parentName);
if (tsvFileAttributes.containsKey(normalizeKey(parentName))) {
List<TsvColumn> attrList = tsvFileAttributes.get(normalizeKey(parentName));
attrList.add(thisCol);
tsvFileAttributes.replace(parentName, attrList);
} else {
List<TsvColumn> attrList = new ArrayList<>();
attrList.add(thisCol);
tsvFileAttributes.put(parentName, attrList);
tsvFileAttributes.put(normalizeKey(parentName), attrList);
}
}
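Review bot: `normalizeKey` in the first hunk lower-cases with the JVM default locale, so the generated map keys vary with the locale the ingest runs under (under a Turkish default an upper-case `I` becomes dotless `ı`); `return StringUtils.defaultString(origKey).trim().toLowerCase(Locale.ROOT);` (with `java.util.Locale` imported) makes the key locale-independent, and the column-name key built with `columnName.trim().toLowerCase()` in the last hunk could go through the same helper. Both the XML-loading side and the lookup side pass through this one function, so a mismatch between them is unlikely; the residual risk is against keys normalized elsewhere in the file that are not visible here. In the `@ -329` hunk, `fileKey` is already trimmed and lower-cased before `normalizeKey` is applied, so `tsvFileAttributes.get(normalizeKey(fileName))` is enough and the temporary can go. In the last hunk the unchanged line `tsvFileAttributes.replace(parentName, attrList);` still uses the raw key while the neighbouring `put`/`get` calls now use `normalizeKey(parentName)`; since `attrList` is the list already stored in the map and is mutated in place, the call is a no-op under either key and is best removed rather than left looking like it updates a different entry.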


@ -36,6 +36,14 @@
</ArtifactName>
</FileName>
<FileName filename="accounts ce 10.tsv" description="Accounts_ce">
<ArtifactName artifactname="TSK_SERVICE_ACCOUNT" comment="accounts ce 0">
<AttributeName attributename="TSK_USER_ID" columnName="Name" required="yes" />
<AttributeName attributename="TSK_PROG_NAME" columnName="Type" required="yes" />
<AttributeName attributename="TSK_PASSWORD" columnName="Password" required="yes" />
</ArtifactName>
</FileName>
<FileName filename="authtokens 0.tsv" description="Authtokens">
<ArtifactName artifactname="TSK_SERVICE_ACCOUNT" comment="Authtokens">
<AttributeName attributename="null" columnName="ID" required="no" />
@ -54,6 +62,14 @@
</ArtifactName>
</FileName>
<FileName filename="accounts de 10.tsv" description="Accounts_de">
<ArtifactName artifactname="TSK_SERVICE_ACCOUNT" comment="accounts de 0">
<AttributeName attributename="null" columnName="Last password entry" required="no" />
<AttributeName attributename="TSK_USER_ID" columnName="Name" required="yes" />
<AttributeName attributename="TSK_PROG_NAME" columnName="Type" required="yes" />
</ArtifactName>
</FileName>
<FileName filename="Browser - Bookmarks.tsv" description="Browser Bookmarks">
<ArtifactName artifactname="TSK_WEB_BOOKMARK" comment="Browser Bookmarks">
<AttributeName attributename="TSK_DATETIME_CREATED" columnName="Added Date" required="yes" />
@ -173,7 +189,7 @@
</ArtifactName>
</FileName>
<FileName filename="Chrome - History.tsv" description="Chrome History">
<FileName filename="Chrome - Web History.tsv" description="Chrome History">
<ArtifactName artifactname="TSK_WEB_HISTORY" comment="Chrome History">
<AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="Last Visit Time" required="yes"/>
<AttributeName attributename="TSK_URL" columnName="URL" required="yes"/>
@ -185,11 +201,12 @@
<FileName filename="Chrome - login data.tsv" description="Chrome Login Data">
<ArtifactName artifactname="TSK_SERVICE_ACCOUNT" comment="Chrome Login">
<AttributeName attributename="TSK_DATETIME_CREATED" columnName="Created Time" required="yes" />
<AttributeName attributename="TSK_DATETIME_CREATED" columnName="Created Time" required="no" />
<AttributeName attributename="TSK_USER_ID" columnName="Username" required="yes" />
<AttributeName attributename="TSK_PASSWORD" columnName="Password" required="yes" />
<AttributeName attributename="TSK_PASSWORD" columnName="Password" required="no" />
<AttributeName attributename="TSK_URL" columnName="Origin URL" required="no" />
<AttributeName attributename="null" columnName="Blacklisted by User" required="no" />
<AttributeName attributename="null" columnName="Browser Name" required="no" />
</ArtifactName>
</FileName>
@ -236,17 +253,17 @@
<FileName filename="Edge - cookies.tsv" description="Edge Cookies">
<ArtifactName artifactname="TSK_WEB_COOKIE" comment="Edge Cookies">
<AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="Last Access Date" required="yes" />
<AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="Last Access Date" required="no" />
<AttributeName attributename="TSK_URL" columnName="Host" required="yes" />
<AttributeName attributename="TSK_NAME" columnName="Name" required="yes" />
<AttributeName attributename="TSK_VALUE" columnName="Value" required="yes" />
<AttributeName attributename="TSK_DATETIME_CREATED" columnName="Created Date" required="yes" />
<AttributeName attributename="TSK_DATETIME_END" columnName="Expiration Date" required="yes" />
<AttributeName attributename="TSK_DATETIME_CREATED" columnName="Created Date" required="no" />
<AttributeName attributename="TSK_DATETIME_END" columnName="Expiration Date" required="no" />
<AttributeName attributename="null" columnName="Path" required="no" />
</ArtifactName>
</FileName>
<FileName filename="Edge - History.tsv" description="Edge History">
<FileName filename="Edge - Web History.tsv" description="Edge History">
<ArtifactName artifactname="TSK_WEB_HISTORY" comment="Edge History">
<AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="Last Visit Time" required="yes"/>
<AttributeName attributename="TSK_URL" columnName="URL" required="yes"/>
@ -317,7 +334,7 @@
<FileName filename="installed apps library.tsv" description="Installed Apps (Library)">
<ArtifactName artifactname="TSK_INSTALLED_PROG" comment="Installed Apps (Library)">
<AttributeName attributename="TSK_DATETIME" columnName="Purchase Time" required="yes"/>
<AttributeName attributename="TSK_DATETIME" columnName="Purchase Time" required="no"/>
<AttributeName attributename="null" columnName="Account" required="no"/>
<AttributeName attributename="TSK_PROG_NAME" columnName="Doc ID" required="yes"/>
</ArtifactName>
@ -329,13 +346,21 @@
</ArtifactName>
</FileName>
<FileName filename="installed apps - GMS_0.tsv" description="Installed Apps">
<ArtifactName artifactname="TSK_INSTALLED_PROG" comment="Installed Apps GSM">
<AttributeName attributename="TSK_PROG_NAME" columnName="Bundle ID" required="yes" />
</ArtifactName>
</FileName>
<FileName filename="installed apps vending.tsv" description="Installed Apps (Vending)">
<ArtifactName artifactname="TSK_INSTALLED_PROG" comment="Installed Apps (Vending)">
<AttributeName attributename="TSK_DATETIME" columnName="First Download" required="yes" />
<AttributeName attributename="TSK_DATETIME" columnName="First Download" required="no" />
<AttributeName attributename="TSK_PROG_NAME" columnName="Package Name" required="yes" />
<AttributeName attributename="null" columnName="Title" required="no" />
<AttributeName attributename="null" columnName="Install Reason" required="no" />
<AttributeName attributename="null" columnName="Last Updated" required="no" />
<AttributeName attributename="null" columnName="Auto Update?" required="no" />
<AttributeName attributename="null" columnName="Account" required="no" />
</ArtifactName>
</FileName>
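Review bot: The `comment` values on three of the new `ArtifactName` entries do not match the file they describe: `accounts ce 10.tsv` carries `comment="accounts ce 0"`, `accounts de 10.tsv` carries `comment="accounts de 0"`, and `installed apps - GMS_0.tsv` carries `comment="Installed Apps GSM"` where the filename says `GMS`. The Java section of this commit appears to write this value to every artifact from the file as a `TSK_COMMENT` attribute, so these labels end up in the case data; `comment="Accounts_ce"`, `comment="Accounts_de"` and `comment="Installed Apps GMS"` would agree with the `description` attributes and the filenames. Whether `accounts ce 0` deliberately refers to a differently numbered source file is not visible here.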


@ -66,14 +66,24 @@
</FileName>
<FileName filename="Bluetooth paired.tsv" description="Bluetooth Paired">
<ArtifactName artifactname="TSK_BLUETOOTH_PAIRING" comment="Bluetooth Paired">
<AttributeName attributename="TSK_DATETIME" columnName="Last Seen Time" required="no" />
<AttributeName attributename="TSK_MAC_ADDRESS" columnName="MAC Address" required="no" />
<AttributeName attributename="TSK_DEVICE_NAME" columnName="Name Key" required="yes" />
<AttributeName attributename="null" columnName="Name" required="no" />
<AttributeName attributename="null" columnName="Device Product ID" required="no" />
<AttributeName attributename="null" columnName="Default Name" required="no" />
</ArtifactName>
</FileName>
<FileName filename="Bluetooth paired LE.tsv" description="Bluetooth Paired LE">
<ArtifactName artifactname="TSK_BLUETOOTH_PAIRING" comment="Bluetooth Paired">
<AttributeName attributename="TSK_DEVICE_ID" columnName="UUID" required="yes" />
<AttributeName attributename="TSK_DEVICE_NAME" columnName="Name" required="yes" />
<AttributeName attributename="null" columnName="Name Origin" required="no" />
<AttributeName attributename="null" columnName="Address" required="no" />
<AttributeName attributename="null" columnName="Resolved Address" required="no" />
<AttributeName attributename="TSK_DATETIME" columnName="Last Seen Time" required="yes" />
<AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="Last Connection Time" required="yes" />
<AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="Last Connection Time" required="no" />
</ArtifactName>
</FileName>
@ -92,7 +102,8 @@
<FileName filename="Call History.tsv" description="Call Logs">
<ArtifactName artifactname="TSK_CALLLOG" comment="Call Logs">
<AttributeName attributename="TSK_DATETIME_START" columnName="Timestamp" required="yes" />
<AttributeName attributename="TSK_DATETIME_START" columnName="Starting Timestamp" required="yes" />
<AttributeName attributename="TSK_DATETIME_END" columnName="Ending Timestamp" required="no" />
<AttributeName attributename="TSK_PHONE_NUMBER_FROM" columnName="Phone Number" required="yes" />
<AttributeName attributename="null" columnName="Name" required="no" />
<AttributeName attributename="null" columnName="Answered" required="no" />
@ -712,19 +723,24 @@
<AttributeName attributename="null" columnName="Pairing ID" required="no" />
</ArtifactName>
</FileName>
<FileName filename="Safari Browser History.tsv" description="Safari Browser">
<FileName filename="Recent WebSearches.tsv" description="Recent Web Searches">
<ArtifactName artifactname="TSK_WEB_SEARCH_QUERY" comment="null">
<AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="Date" required="yes" />
<AttributeName attributename="TSK_TEXT" columnName="Search Term" required="yes" />
</ArtifactName>
</FileName>
<FileName filename="Safari Browser - History.tsv" description="Safari Browser">
<ArtifactName artifactname="TSK_WEB_HISTORY" comment="null">
<AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="Visit Time" required="yes" />
<AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="Visit Timestamp" required="no" />
<AttributeName attributename="TSK_TITLE" columnName="Title" required="no" />
<AttributeName attributename="TSK_URL" columnName="URL" required="yes" />
<AttributeName attributename="null" columnName="Visit Count" required="no" />
<AttributeName attributename="TSK_TITLE" columnName="Title" required="yes" />
<AttributeName attributename="null" columnName="iCloud Sync" required="no" />
<AttributeName attributename="null" columnName="Load Successful" required="no" />
<AttributeName attributename="null" columnName="Visit ID" required="no" />
<AttributeName attributename="TSK_REFERRER" columnName="Redirect Source" required="yes" />
<AttributeName attributename="null" columnName="Redirect Destination" required="no" />
<AttributeName attributename="null" columnName="History Item ID" required="no" />
<AttributeName attributename="TSK_REFERRER" columnName="Redirect Source" required="no" />
<AttributeName attributename="null" columnName="Redirect Destination" required="no" />
<AttributeName attributename="null" columnName="Visit ID" required="no" />
<AttributeName attributename="null" columnName="Origin" required="no" />
</ArtifactName>
</FileName>
@ -744,22 +760,28 @@
</ArtifactName>
</FileName>
<FileName filename="SMS - iMessage.tsv" description="SMS - iMessage">
<FileName filename="SMS &amp; iMessage - Messages.tsv" description="SMS - iMessage">
<ArtifactName artifactname="TSK_MESSAGE" comment="SMS - iMessage">
<AttributeName attributename="TSK_DATETIME" columnName="Message Date" required="yes" />
<AttributeName attributename="null" columnName="Date Delivered" required="no" />
<AttributeName attributename="null" columnName="Date Read" required="no" />
<AttributeName attributename="TSK_DATETIME" columnName="Message Timestamp" required="yes" />
<AttributeName attributename="null" columnName="Read Timestamp" required="no" />
<AttributeName attributename="TSK_TEXT" columnName="Message" required="yes" />
<AttributeName attributename="TSK_PHONE_NUMBER_FROM" columnName="Contact ID" required="yes" />
<AttributeName attributename="null" columnName="Service" required="no" />
<AttributeName attributename="TSK_PHONE_NUMBER_TO" columnName="Account" required="yes" />
<AttributeName attributename="null" columnName="Is Delivered" required="no" />
<AttributeName attributename="null" columnName="Is from Me" required="no" />
<AttributeName attributename="null" columnName="Filename" required="no" />
<AttributeName attributename="null" columnName="MIME Type" required="no" />
<AttributeName attributename="null" columnName="Transfer Type" required="no" />
<AttributeName attributename="null" columnName="Total Bytes" required="no" />
<AttributeName attributename="TSK_TEXT_FILE" columnName="source file" required="yes"/>
<AttributeName attributename="null" columnName="Message Direction" required="no" />
<AttributeName attributename="null" columnName="Message Sent" required="no" />
<AttributeName attributename="null" columnName="Message Delivered" required="no" />
<AttributeName attributename="null" columnName="Message Read" required="no" />
<AttributeName attributename="null" columnName="Account" required="no" />
<AttributeName attributename="null" columnName="Account Login" required="no" />
<AttributeName attributename="null" columnName="Chat" required="no" />
<AttributeName attributename="null" columnName="Contact ID" required="no" />
<AttributeName attributename="null" columnName="Attachment Name" required="no" />
<AttributeName attributename="null" columnName="Attachment Path" required="no" />
<AttributeName attributename="null" columnName="Attachment Timestamp" required="no" />
<AttributeName attributename="null" columnName="Attachment Mimetype" required="no" />
<AttributeName attributename="null" columnName="Attachment Size (Bytes)" required="no" />
<AttributeName attributename="null" columnName="Message Row ID" required="no" />
<AttributeName attributename="TSK_THREAD_ID" columnName="Chat ID" required="no" />
<AttributeName attributename="null" columnName="From Me" required="no" />
</ArtifactName>
</FileName>
@ -779,4 +801,33 @@
</ArtifactName>
</FileName>
<FileName filename="Wifi Known Networks.tsv" description="Wifi Known Networks">
<ArtifactName artifactname="TSK_WIFI_NETWORK" comment="Wifi">
<AttributeName attributename="TSK_SSID" columnName="SSID" required="yes" />
<AttributeName attributename="TSK_MAC_ADDRESS" columnName="BSSID" required="yes" />
<AttributeName attributename="null" columnName="Network usage" required="no" />
<AttributeName attributename="null" columnName="Country code" required="no" />
<AttributeName attributename="TSK_DEVICE_ID" columnName="Device name" required="yes" />
<AttributeName attributename="null" columnName="Manufacturer" required="no" />
<AttributeName attributename="null" columnName="Serial number" required="no" />
<AttributeName attributename="TSK_DEVICE_MODEL" columnName="Model name" required="no" />
<AttributeName attributename="TSK_DATETIME" columnName="Last joined" required="yes" />
<AttributeName attributename="null" columnName="Last autojoined" required="no" />
<AttributeName attributename="null" columnName="Enabled" required="no" />
</ArtifactName>
</FileName>
<FileName filename="Wifi Network Store Model - Networks.tsv" description="Wifi Network Store Model - Networks">
<ArtifactName artifactname="TSK_WIFI_NETWORK" comment="Wifi">
<AttributeName attributename="TSK_DATETIME" columnName="Last Connected Timestamp" required="no" />
<AttributeName attributename="null" columnName="PK" required="no" />
<AttributeName attributename="TSK_SSID" columnName="SSID" required="yes" />
<AttributeName attributename="TSK_GEO_LATITUDE" columnName="Latitude" required="no" />
<AttributeName attributename="TSK_GEO_LONGITUDE" columnName="Longitude" required="no" />
<AttributeName attributename="TSK_MAC_ADDRESS" columnName="BSSID" required="no" />
<AttributeName attributename="null" columnName="5 GHz Network" required="no" />
<AttributeName attributename="null" columnName="2.4 GHz Network" required="no" />
</ArtifactName>
</FileName>
</iLeap_Files_To_Process>
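Review bot: In the new `Wifi Known Networks.tsv` entry, the `Device name` column is mapped to `TSK_DEVICE_ID` while the other new entries in this file map name columns to `TSK_DEVICE_NAME` (`Bluetooth paired` and `Bluetooth paired LE`); unless that column really holds an identifier, `<AttributeName attributename="TSK_DEVICE_NAME" columnName="Device name" required="no" />` looks like the intended mapping. The same entry marks `Device name` and `Last joined` as `required="yes"`; per the required-column handling visible in the Java section, a row whose required column is empty is omitted entirely, so known networks with no recorded join time or device name would not be reported at all, whereas the earlier hunks of this commit relax most timestamp columns to `required="no"`. Which columns the iLEAPP output guarantees to be non-empty is not visible here, so this may be deliberate.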